diff options
-rw-r--r-- | src/firejail/seccomp.c | 83 | ||||
-rw-r--r-- | src/firejail/seccomp.h | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 |
3 files changed, 86 insertions, 11 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index b0c960754..57f483b1c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) { | |||
324 | filter_debug(); | 324 | filter_debug(); |
325 | } | 325 | } |
326 | 326 | ||
327 | // i386t filter installed on amd64 architectures | 327 | // i386 filter installed on amd64 architectures |
328 | void seccomp_filter_32(void) { | 328 | void seccomp_filter_32(void) { |
329 | // hardcoded syscall values | 329 | // hardcoded syscall values |
330 | struct sock_filter filter[] = { | 330 | struct sock_filter filter[] = { |
@@ -373,7 +373,6 @@ void seccomp_filter_32(void) { | |||
373 | BLACKLIST(317), // move_pages | 373 | BLACKLIST(317), // move_pages |
374 | BLACKLIST(316), // vmsplice | 374 | BLACKLIST(316), // vmsplice |
375 | BLACKLIST(61), // chroot | 375 | BLACKLIST(61), // chroot |
376 | BLACKLIST(243), // set_thread_area | ||
377 | BLACKLIST(88), // reboot | 376 | BLACKLIST(88), // reboot |
378 | BLACKLIST(169), // nfsservctl | 377 | BLACKLIST(169), // nfsservctl |
379 | BLACKLIST(130), // get_kernel_syms | 378 | BLACKLIST(130), // get_kernel_syms |
@@ -393,6 +392,76 @@ void seccomp_filter_32(void) { | |||
393 | } | 392 | } |
394 | } | 393 | } |
395 | 394 | ||
395 | // amd64 filter installed on i386 architectures | ||
396 | void seccomp_filter_64(void) { | ||
397 | // hardcoded syscall values | ||
398 | struct sock_filter filter[] = { | ||
399 | VALIDATE_ARCHITECTURE_64, | ||
400 | EXAMINE_SYSCALL, | ||
401 | BLACKLIST(165), // mount | ||
402 | BLACKLIST(166), // umount2 | ||
403 | BLACKLIST(101), // ptrace | ||
404 | BLACKLIST(246), // kexec_load | ||
405 | BLACKLIST(304), // open_by_handle_at | ||
406 | BLACKLIST(175), // init_module | ||
407 | BLACKLIST(313), // finit_module | ||
408 | BLACKLIST(176), // delete_module | ||
409 | BLACKLIST(172), // iopl | ||
410 | BLACKLIST(173), // ioperm | ||
411 | BLACKLIST(167), // swapon | ||
412 | BLACKLIST(168), // swapoff | ||
413 | BLACKLIST(103), // syslog | ||
414 | BLACKLIST(310), // process_vm_readv | ||
415 | BLACKLIST(311), // process_vm_writev | ||
416 | BLACKLIST(139), // sysfs | ||
417 | BLACKLIST(156), // _sysctl | ||
418 | BLACKLIST(159), // adjtimex | ||
419 | BLACKLIST(305), // clock_adjtime | ||
420 | BLACKLIST(212), // lookup_dcookie | ||
421 | BLACKLIST(298), // perf_event_open | ||
422 | BLACKLIST(300), // fanotify_init | ||
423 | BLACKLIST(312), // kcmp | ||
424 | BLACKLIST(248), // add_key | ||
425 | BLACKLIST(249), // request_key | ||
426 | BLACKLIST(250), // keyctl | ||
427 | BLACKLIST(134), // uselib | ||
428 | BLACKLIST(163), // acct | ||
429 | BLACKLIST(154), // modify_ldt | ||
430 | BLACKLIST(155), // pivot_root | ||
431 | BLACKLIST(206), // io_setup | ||
432 | BLACKLIST(207), // io_destroy | ||
433 | BLACKLIST(208), // io_getevents | ||
434 | BLACKLIST(209), // io_submit | ||
435 | BLACKLIST(210), // io_cancel | ||
436 | BLACKLIST(216), // remap_file_pages | ||
437 | BLACKLIST(237), // mbind | ||
438 | BLACKLIST(239), // get_mempolicy | ||
439 | BLACKLIST(238), // set_mempolicy | ||
440 | BLACKLIST(256), // migrate_pages | ||
441 | BLACKLIST(279), // move_pages | ||
442 | BLACKLIST(278), // vmsplice | ||
443 | BLACKLIST(161), // chroot | ||
444 | BLACKLIST(184), // tuxcall | ||
445 | BLACKLIST(169), // reboot | ||
446 | BLACKLIST(180), // nfsservctl | ||
447 | BLACKLIST(177), // get_kernel_syms | ||
448 | RETURN_ALLOW | ||
449 | }; | ||
450 | |||
451 | struct sock_fprog prog = { | ||
452 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), | ||
453 | .filter = filter, | ||
454 | }; | ||
455 | |||
456 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | ||
457 | ; | ||
458 | } | ||
459 | else if (arg_debug) { | ||
460 | printf("Dual i386/amd64 seccomp filter configured\n"); | ||
461 | } | ||
462 | } | ||
463 | |||
464 | |||
396 | // drop filter for seccomp option | 465 | // drop filter for seccomp option |
397 | int seccomp_filter_drop(int enforce_seccomp) { | 466 | int seccomp_filter_drop(int enforce_seccomp) { |
398 | filter_init(); | 467 | filter_init(); |
@@ -402,6 +471,9 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
402 | #if defined(__x86_64__) | 471 | #if defined(__x86_64__) |
403 | seccomp_filter_32(); | 472 | seccomp_filter_32(); |
404 | #endif | 473 | #endif |
474 | #if defined(__i386__) | ||
475 | seccomp_filter_64(); | ||
476 | #endif | ||
405 | 477 | ||
406 | #ifdef SYS_mount | 478 | #ifdef SYS_mount |
407 | filter_add_blacklist(SYS_mount, 0); | 479 | filter_add_blacklist(SYS_mount, 0); |
@@ -563,14 +635,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
563 | // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, | 635 | // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, |
564 | // SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); | 636 | // SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); |
565 | 637 | ||
566 | // 32bit | ||
567 | // filter_add_blacklist(SYS_personality, 0); // test wine | ||
568 | // filter_add_blacklist(SYS_set_thread_area, 0); // test wine | ||
569 | |||
570 | // 0.9.39 | 638 | // 0.9.39 |
571 | #ifdef SYS_set_thread_area | ||
572 | filter_add_blacklist(SYS_set_thread_area, 0); | ||
573 | #endif | ||
574 | #ifdef SYS_tuxcall | 639 | #ifdef SYS_tuxcall |
575 | filter_add_blacklist(SYS_tuxcall, 0); | 640 | filter_add_blacklist(SYS_tuxcall, 0); |
576 | #endif | 641 | #endif |
diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h index 555baa14f..7d646dd9e 100644 --- a/src/firejail/seccomp.h +++ b/src/firejail/seccomp.h | |||
@@ -105,6 +105,11 @@ struct seccomp_data { | |||
105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 105 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 106 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
107 | 107 | ||
108 | #define VALIDATE_ARCHITECTURE_64 \ | ||
109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | ||
110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | ||
111 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | ||
112 | |||
108 | #define VALIDATE_ARCHITECTURE_32 \ | 113 | #define VALIDATE_ARCHITECTURE_32 \ |
109 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
110 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bdd1bb1f6..00f4cb367 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1135,8 +1135,13 @@ add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, | |||
1135 | io_destroy, io_getevents, io_submit, io_cancel, | 1135 | io_destroy, io_getevents, io_submit, io_cancel, |
1136 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, | 1136 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, |
1137 | migrate_pages, move_pages, vmsplice, perf_event_open, chroot, | 1137 | migrate_pages, move_pages, vmsplice, perf_event_open, chroot, |
1138 | set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture, | 1138 | tuxcall, reboot, mfsservctl and get_kernel_syms. |
1139 | an equivalent 32-bit seccomp filter is also installed. | 1139 | .br |
1140 | |||
1141 | .br | ||
1142 | System architecture is not strictly imposed. The filter is applied | ||
1143 | at run time only if the correct architecture was detected. For the case of I386 and AMD64 | ||
1144 | both 32-bit and 64-bit filters are installed. | ||
1140 | .br | 1145 | .br |
1141 | 1146 | ||
1142 | .br | 1147 | .br |