diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-10-16 13:30:50 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-10-16 13:30:50 -0400 |
| commit | 1eaa68fb0c03113ba01d8696f7c8c6ddbffa8488 (patch) | |
| tree | b7fa247213e094e1be224597e8f53edaac685ccd /todo | |
| parent | fix 32bit compilation (diff) | |
| download | firejail-1eaa68fb0c03113ba01d8696f7c8c6ddbffa8488.tar.gz firejail-1eaa68fb0c03113ba01d8696f7c8c6ddbffa8488.tar.zst firejail-1eaa68fb0c03113ba01d8696f7c8c6ddbffa8488.zip | |
debian 32bit fixes
Diffstat (limited to 'todo')
| -rw-r--r-- | todo | 120 |
1 files changed, 2 insertions, 118 deletions
| @@ -31,65 +31,10 @@ $ | |||
| 31 | 31 | ||
| 32 | 4. Remove exclude-token from profile include in 0.9.34 (deprecated in 0.9.30) | 32 | 4. Remove exclude-token from profile include in 0.9.34 (deprecated in 0.9.30) |
| 33 | 33 | ||
| 34 | 5. Debian 32bit compile with --enable-fatal-warnings | 34 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) |
| 35 | make[1]: Entering directory `/home/netblue/work/firejail-0.9.30/src/firejail' | ||
| 36 | cc -ggdb -W -Wall -Werror -O2 -DVERSION='"0.9.30"' -DPREFIX='"/usr"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c seccomp.c -o seccomp.o | ||
| 37 | seccomp.c: In function ‘write_seccomp_file’: | ||
| 38 | seccomp.c:337:81: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘unsigned int’ [-Werror=format] | ||
| 39 | seccomp.c: In function ‘read_seccomp_file’: | ||
| 40 | seccomp.c:391:81: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘unsigned int’ [-Werror=format] | ||
| 41 | cc1: all warnings being treated as errors | ||
| 42 | make[1]: *** [seccomp.o] Error 1 | ||
| 43 | |||
| 44 | 6. Debian 32bit - multiple problems with the testing utility | ||
| 45 | |||
| 46 | 7. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) | ||
| 47 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, | 35 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, |
| 48 | 36 | ||
| 49 | 8. To investigate | 37 | 6. To investigate |
| 50 | void SupervisorMain::setupSeccomp() { | ||
| 51 | // Install a rudimentary seccomp blacklist. | ||
| 52 | // TODO(security): Change this to a whitelist. | ||
| 53 | |||
| 54 | scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW); | ||
| 55 | if (ctx == nullptr) | ||
| 56 | KJ_FAIL_SYSCALL("seccomp_init", 0); // No real error code | ||
| 57 | KJ_DEFER(seccomp_release(ctx)); | ||
| 58 | |||
| 59 | #define CHECK_SECCOMP(call) \ | ||
| 60 | do { \ | ||
| 61 | if (auto result = (call)) { \ | ||
| 62 | KJ_FAIL_SYSCALL(#call, -result); \ | ||
| 63 | } \ | ||
| 64 | } while (0) | ||
| 65 | |||
| 66 | // Native code only for now, so there are no seccomp_arch_add calls. | ||
| 67 | |||
| 68 | // Redundant, but this is standard and harmless. | ||
| 69 | CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1)); | ||
| 70 | |||
| 71 | // It's easy to inadvertently issue an x32 syscall (e.g. syscall(-1)). Such syscalls | ||
| 72 | // should fail, but there's no need to kill the issuer. | ||
| 73 | CHECK_SECCOMP(seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ERRNO(ENOSYS))); | ||
| 74 | |||
| 75 | #pragma GCC diagnostic push | ||
| 76 | #pragma GCC diagnostic ignored "-Wmissing-field-initializers" // SCMP_* macros produce these | ||
| 77 | // Disable some things that seem scary. | ||
| 78 | if (!devmode) { | ||
| 79 | // ptrace is scary | ||
| 80 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 0)); | ||
| 81 | } else { | ||
| 82 | // Try to be somewhat safe with ptrace in dev mode. Note that the ability to modify | ||
| 83 | // orig_ax using ptrace allows a complete seccomp bypass. | ||
| 84 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 85 | SCMP_A0(SCMP_CMP_EQ, PTRACE_POKEUSER))); | ||
| 86 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 87 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGS))); | ||
| 88 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 89 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETFPREGS))); | ||
| 90 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ptrace), 1, | ||
| 91 | SCMP_A0(SCMP_CMP_EQ, PTRACE_SETREGSET))); | ||
| 92 | } | ||
| 93 | 38 | ||
| 94 | // Restrict the set of allowable network protocol families | 39 | // Restrict the set of allowable network protocol families |
| 95 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | 40 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, |
| @@ -118,64 +63,3 @@ void SupervisorMain::setupSeccomp() { | |||
| 118 | SCMP_A0(SCMP_CMP_EQ, AF_SECURITY))); | 63 | SCMP_A0(SCMP_CMP_EQ, AF_SECURITY))); |
| 119 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | 64 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, |
| 120 | SCMP_A0(SCMP_CMP_EQ, AF_KEY))); | 65 | SCMP_A0(SCMP_CMP_EQ, AF_KEY))); |
| 121 | #pragma GCC diagnostic pop | ||
| 122 | |||
| 123 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(add_key), 0)); | ||
| 124 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(request_key), 0)); | ||
| 125 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(keyctl), 0)); | ||
| 126 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(syslog), 0)); | ||
| 127 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(uselib), 0)); | ||
| 128 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(personality), 0)); | ||
| 129 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(acct), 0)); | ||
| 130 | |||
| 131 | // 16-bit code is unnecessary in the sandbox, and modify_ldt is a historic source | ||
| 132 | // of interesting information leaks. | ||
| 133 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(modify_ldt), 0)); | ||
| 134 | |||
| 135 | // Despite existing at a 64-bit syscall, set_thread_area is only useful | ||
| 136 | // for 32-bit programs. 64-bit programs use arch_prctl instead. | ||
| 137 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_thread_area), 0)); | ||
| 138 | |||
| 139 | // Disable namespaces. Nested sandboxing could be useful but the attack surface is large. | ||
| 140 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(unshare), 0)); | ||
| 141 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mount), 0)); | ||
| 142 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(pivot_root), 0)); | ||
| 143 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(quotactl), 0)); | ||
| 144 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, | ||
| 145 | SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); | ||
| 146 | |||
| 147 | // AIO is scary. | ||
| 148 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_setup), 0)); | ||
| 149 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_destroy), 0)); | ||
| 150 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_getevents), 0)); | ||
| 151 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_submit), 0)); | ||
| 152 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(io_cancel), 0)); | ||
| 153 | |||
| 154 | // Scary vm syscalls | ||
| 155 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(remap_file_pages), 0)); | ||
| 156 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(mbind), 0)); | ||
| 157 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_mempolicy), 0)); | ||
| 158 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_mempolicy), 0)); | ||
| 159 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(migrate_pages), 0)); | ||
| 160 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(move_pages), 0)); | ||
| 161 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(vmsplice), 0)); | ||
| 162 | |||
| 163 | // Scary futex operations | ||
| 164 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(set_robust_list), 0)); | ||
| 165 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(get_robust_list), 0)); | ||
| 166 | |||
| 167 | // Utterly terrifying profiling operations | ||
| 168 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOSYS), SCMP_SYS(perf_event_open), 0)); | ||
| 169 | |||
| 170 | // TOOD(someday): See if we can get away with turning off mincore, madvise, sysinfo etc. | ||
| 171 | |||
| 172 | // TODO(someday): Turn off POSIX message queues and other such esoteric features. | ||
| 173 | |||
| 174 | if (seccompDumpPfc) { | ||
| 175 | seccomp_export_pfc(ctx, 1); | ||
| 176 | } | ||
| 177 | |||
| 178 | CHECK_SECCOMP(seccomp_load(ctx)); | ||
| 179 | |||
| 180 | #undef CHECK_SECCOMP | ||
| 181 | } | ||