-rw-r--r-- | Makefile.in | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/preproc.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 16 | ||||
-rw-r--r-- | src/fseccomp/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 65 | ||||
-rwxr-xr-x | test/filters/fseccomp.exp | 17 |
8 files changed, 4 insertions, 113 deletions
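--- a/Makefile.in
+++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -47,8 +47,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 src/fsec-optimize/fsec-optimize seccomp.debug
 src/fseccomp/fseccomp secondary 32 seccomp.32
 src/fsec-optimize/fsec-optimize seccomp.32
-src/fseccomp/fseccomp secondary 64 seccomp.64
-src/fsec-optimize/fsec-optimize seccomp.64
 src/fseccomp/fseccomp secondary block seccomp.block_secondary
 src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
@@ -110,7 +108,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
-install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
 install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif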
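--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
 #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make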
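--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
 else {
 //copy default seccomp files
 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
-copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 }
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed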
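--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
 else
 seccomp_filter_drop();
 
-// clean unused filters
-#if defined(__LP64__)
-int rv = unlink(RUN_SECCOMP_64);
-#endif
-#if defined(__ILP32__)
-int rv = unlink(RUN_SECCOMP_32);
-#endif
-(void) rv;
 }
 else { // clean seccomp files under /run/firejail/mnt
 int rv = unlink(RUN_SECCOMP_CFG);
-rv |= unlink(RUN_SECCOMP_64);
 rv |= unlink(RUN_SECCOMP_32);
 (void) rv;
 }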
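Review bot: Dropping the whole "clean unused filters" block, including the `#if defined(__ILP32__)` unlink of RUN_SECCOMP_32, leaves that filter file behind in /run/firejail/mnt on every build where it is copied but never loaded: preproc.c in this same commit still copies PATH_SECCOMP_32 to RUN_SECCOMP_32 unconditionally, while seccomp.c now loads it only under `__x86_64__` plus `__LP64__`. The old code removed the unused filter on 32-bit; after this change nothing does, so a stale filter file stays visible inside the sandbox's mount directory on non-x86_64 builds. A guarded cleanup in place of the removed block keeps the old behaviour: `#if !(defined(__x86_64__) && defined(__LP64__))` / `(void) unlink(RUN_SECCOMP_32); // copied by preproc_mount_mnt_dir but never loaded on this arch` / `#endif`. The enclosing sandbox() starts and ends outside the hunk.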
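--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
 }
 
 // 32 bit arch filter installed on 64 bit architectures
+#if defined(__x86_64__)
 #if defined(__LP64__)
 static void seccomp_filter_32(void) {
 if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
 }
 }
 #endif
-
-// 64 bit arch filter installed on 32 bit architectures
-#if defined(__ILP32__)
-static void seccomp_filter_64(void) {
-if (seccomp_load(RUN_SECCOMP_64) == 0) {
-if (arg_debug)
-printf("Dual 32/64 bit seccomp filter configured\n");
-}
-}
 #endif
 
 static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-seccomp_filter_64();
 #endif
 }
 }
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-seccomp_filter_64();
 #endif
 }
 if (arg_debug)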
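Review bot: The added `#if defined(__x86_64__)` is nested around the existing `#if defined(__LP64__)` at three sites (the seccomp_filter_32 definition and both call sites in seccomp_filter_drop) with no comment saying why both tests are needed, so the inner one reads as redundant and is likely to be dropped by a later cleanup. Together the two conditions exclude the x32 ABI, which defines `__x86_64__` together with `__ILP32__`, and that is the fact worth recording once. Collapsing each pair into a single `#if defined(__x86_64__) && defined(__LP64__) // native x86_64 only; x32 defines __x86_64__ with __ILP32__` removes one `#endif` per site and makes the intent explicit; the header comment above the definition should be narrowed in the same way, e.g. `// 32 bit arch filter, installed on x86_64 only`. The seccomp_filter_32 body and both seccomp_filter_drop hunks start or end outside their hunks.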
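--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -70,8 +70,6 @@ printf("\n");
 protocol_print();
 else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
 protocol_build_filter(argv[3], argv[4]);
-else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
-seccomp_secondary_64(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
 seccomp_secondary_32(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)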
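--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
 close(dst);
 }
 
-void seccomp_secondary_64(const char *fname) {
-// hardcoded syscall values
-struct sock_filter filter[] = {
-VALIDATE_ARCHITECTURE_64,
-EXAMINE_SYSCALL,
-BLACKLIST(165), // mount
-BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-BLACKLIST(101), // ptrace
-BLACKLIST(246), // kexec_load
-BLACKLIST(304), // open_by_handle_at
-BLACKLIST(303), // name_to_handle_at
-BLACKLIST(174), // create_module
-BLACKLIST(175), // init_module
-BLACKLIST(313), // finit_module
-BLACKLIST(176), // delete_module
-BLACKLIST(172), // iopl
-BLACKLIST(173), // ioperm
-BLACKLIST(251), // ioprio_set
-BLACKLIST(167), // swapon
-BLACKLIST(168), // swapoff
-BLACKLIST(103), // syslog
-BLACKLIST(310), // process_vm_readv
-BLACKLIST(311), // process_vm_writev
-BLACKLIST(139), // sysfs
-BLACKLIST(156), // _sysctl
-BLACKLIST(159), // adjtimex
-BLACKLIST(305), // clock_adjtime
-BLACKLIST(212), // lookup_dcookie
-BLACKLIST(298), // perf_event_open
-BLACKLIST(300), // fanotify_init
-BLACKLIST(312), // kcmp
-BLACKLIST(248), // add_key
-BLACKLIST(249), // request_key
-BLACKLIST(250), // keyctl
-BLACKLIST(134), // uselib
-BLACKLIST(163), // acct
-BLACKLIST(154), // modify_ldt
-BLACKLIST(155), // pivot_root
-BLACKLIST(206), // io_setup
-BLACKLIST(207), // io_destroy
-BLACKLIST(208), // io_getevents
-BLACKLIST(209), // io_submit
-BLACKLIST(210), // io_cancel
-BLACKLIST(216), // remap_file_pages
-BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-// BLACKLIST(239), // get_mempolicy
-BLACKLIST(238), // set_mempolicy
-BLACKLIST(256), // migrate_pages
-BLACKLIST(279), // move_pages
-BLACKLIST(278), // vmsplice
-BLACKLIST(161), // chroot
-BLACKLIST(184), // tuxcall
-BLACKLIST(169), // reboot
-BLACKLIST(180), // nfsservctl
-BLACKLIST(177), // get_kernel_syms
-
-RETURN_ALLOW
-};
-
-// save filter to file
-write_filter(fname, sizeof(filter), filter);
-}
 
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {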
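--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -38,23 +38,6 @@ expect {
 }
 
 after 100
-send -- "fseccomp secondary 64 seccomp-test-file\r"
-after 100
-send -- "fsec-print seccomp-test-file\r"
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"jeq mount"
-}
-expect {
-timeout {puts "TESTING ERROR 5.2\n";exit}
-"jeq umount2"
-}
-expect {
-timeout {puts "TESTING ERROR 5.3\n";exit}
-"ret ALLOW"
-}
-
-after 100
 send -- "fseccomp default seccomp-test-file\r"
 after 100
 send -- "fsec-print seccomp-test-file\r"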