-rw-r--r-- | src/firejail/sandbox.c | 33 | ||||
-rw-r--r-- | src/firejail/sbox.c | 3 | ||||
-rwxr-xr-x | test/filters/filters.sh | 3 | ||||
-rwxr-xr-x | test/filters/seccomp-run-files.exp | 98 |
4 files changed, 131 insertions, 6 deletions
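--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
 seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
 protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
 }
+else {
+int rv = unlink(RUN_SECCOMP_PROTOCOL);
+(void) rv;
+}
 #endif
 
 // if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
 seccomp_filter_keep();
 else
 seccomp_filter_drop();
-}
 
-if (arg_debug) {
-printf("\nSeccomp files:\n");
-int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+// clean unused filters
+#if defined(__LP64__)
+int rv = unlink(RUN_SECCOMP_64);
+#endif
+#if defined(__ILP32__)
+int rv = unlink(RUN_SECCOMP_32);
+#endif
+(void) rv;
+}
+else { // clean seccomp files under /run/firejail/mnt
+int rv = unlink(RUN_SECCOMP_CFG);
+rv |= unlink(RUN_SECCOMP_64);
+rv |= unlink(RUN_SECCOMP_32);
 (void) rv;
-printf("\n");
 }
 
 if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
 printf("Install memory write&execute filter\n");
 seccomp_load(RUN_SECCOMP_MDWX); // install filter
 }
+else {
+int rv = unlink(RUN_SECCOMP_MDWX);
+(void) rv;
+}
+
+if (arg_debug) {
+printf("\nSeccomp files:\n");
+int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+(void) rv;
+printf("\n");
+}
 #endif
 
 //****************************************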
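Review bot: In the second hunk the `(void) rv;` on new line 1020 refers to an `rv` that only exists when `__LP64__` or `__ILP32__` is defined (new lines 1014–1019), so on any other data model the sandbox no longer compiles; a single `#if defined(__LP64__)` / `#elif defined(__ILP32__)` / `#else` + `#error "unsupported data model"` chain, with `int rv` declared before it, would make the intent explicit and fail loudly at build time instead. The same pattern of discarding every `unlink()` result appears in all three hunks (new lines 1001, 1015–1025, 1035): a failure other than ENOENT leaves a stale filter file in the run directory that the debug listing and the new seccomp-run-files test would then report as if it were installed, so at least in debug mode the result is worth surfacing, e.g. `if (rv && errno != ENOENT) perror("unlink");`. The re-added debug block on new lines 1039–1044 still spawns a shell via `system("ls -l ...")` from inside the sandboxed process to list a directory; an `opendir()`/`readdir()` loop would give the same output without depending on a shell and `ls` being present in the sandbox. The enclosing `sandbox()` function starts and ends outside these hunks.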
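--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
 for (i = 3; i < max; i++)
 close(i); // close open files
 
+#if 0
 if (arg_debug) {
 printf("sbox file descriptors:\n");
 int rv = system("ls -l /proc/self/fd");
 (void) rv;
 }
-
+#endif
 umask(027);
 
 // apply filters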
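Review bot: The debug fd listing is disabled with a bare `#if 0` on new line 156 and no comment, so the block becomes dead code in `sbox_run()` with no record of why it was switched off or whether it is meant to return. Either delete the block outright or state the reason on the guard, e.g. `#if 0 // fd listing disabled: <reason>`; if the intent is to avoid spawning a shell between the fd close loop and the filter setup, that is the sentence to write there. `sbox_run()` starts and ends outside this hunk.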
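--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -28,6 +28,9 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
+echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+./seccomp-run-files.exp
+
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
 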
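--- /dev/null
+++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"4"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=seccomp --debug\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+"/run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"1"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=protocol --debug\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+"monitoring"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"3"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --memory-deny-write-execute --debug\r"
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"/run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"/run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"/run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"/run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep seccomp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+"5"
+}
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"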
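Review bot: The count checks on lines 27, 44, 67 and 93 use bare patterns such as `"4"` that expect matches against any occurrence in the buffer, including the echoed command line or a shell prompt containing that digit, so a wrong file count can still pass; anchoring on the command's own output, e.g. `"wc -l\r\n4\r\n"`, would make each check test what it claims. The expectations also encode the 64-bit layout only (seccomp.32 present, seccomp.64 absent, count 4 in the first block), which matches the `__LP64__` cleanup path in sandbox.c; on an `__ILP32__` build the surviving file is seccomp.64 and the test would fail, so a comment stating `# assumes a 64-bit build (seccomp.32 is the compat filter)` at the top would document the constraint until the test is made architecture-aware.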