-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | Makefile.in | 10 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 24 | ||||
-rw-r--r-- | src/fseccomp/seccomp_print.c | 4 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 2 | ||||
-rw-r--r-- | src/include/seccomp.h | 58 | ||||
-rwxr-xr-x | test/filters/seccomp-debug-32.exp | 16 | ||||
-rwxr-xr-x | test/filters/seccomp-debug.exp | 28 |
11 files changed, 110 insertions, 56 deletions
diff --git a/.gitignore b/.gitignore index 30793847c..554d1985b 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -28,7 +28,7 @@ src/fldd/fldd | |||
28 | uids.h | 28 | uids.h |
29 | seccomp | 29 | seccomp |
30 | seccomp.debug | 30 | seccomp.debug |
31 | seccomp.i386 | 31 | seccomp.32 |
32 | seccomp.amd64 | 32 | seccomp.64 |
33 | seccomp.block_secondary | 33 | seccomp.block_secondary |
34 | seccomp.mdwx | 34 | seccomp.mdwx |
diff --git a/Makefile.in b/Makefile.in index 9111a3c95..e20aa5b62 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -2,7 +2,7 @@ all: apps man filters | |||
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp | 3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp |
4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 | 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 |
5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx | 5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx |
6 | 6 | ||
7 | prefix=@prefix@ | 7 | prefix=@prefix@ |
8 | exec_prefix=@exec_prefix@ | 8 | exec_prefix=@exec_prefix@ |
@@ -43,8 +43,8 @@ filters: src/fseccomp | |||
43 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | 43 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) |
44 | src/fseccomp/fseccomp default seccomp | 44 | src/fseccomp/fseccomp default seccomp |
45 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers | 45 | src/fseccomp/fseccomp default seccomp.debug allow-debuggers |
46 | src/fseccomp/fseccomp secondary 32 seccomp.i386 | 46 | src/fseccomp/fseccomp secondary 32 seccomp.32 |
47 | src/fseccomp/fseccomp secondary 64 seccomp.amd64 | 47 | src/fseccomp/fseccomp secondary 64 seccomp.64 |
48 | src/fseccomp/fseccomp secondary block seccomp.block_secondary | 48 | src/fseccomp/fseccomp secondary block seccomp.block_secondary |
49 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx | 49 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx |
50 | endif | 50 | endif |
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | |||
103 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. | 103 | install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. |
104 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. | 104 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. |
105 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. | 105 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. |
106 | install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/. | 106 | install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/. |
107 | install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/. | 107 | install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/. |
108 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. | 108 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. |
109 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. | 109 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. |
110 | endif | 110 | endif |
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 505171d1c..7d817c7e2 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej | |||
36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | 36 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. |
37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. | 37 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. |
38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. | 38 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. |
39 | install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/. | 39 | install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/. |
40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. | 40 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. |
41 | install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/. | 41 | install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/. |
42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. | 42 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. |
43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. | 43 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. |
44 | 44 | ||
@@ -492,9 +492,9 @@ rm -rf %{buildroot} | |||
492 | /usr/lib/firejail/fnet | 492 | /usr/lib/firejail/fnet |
493 | /usr/lib/firejail/fseccomp | 493 | /usr/lib/firejail/fseccomp |
494 | /usr/lib/firejail/seccomp | 494 | /usr/lib/firejail/seccomp |
495 | /usr/lib/firejail/seccomp.amd64 | 495 | /usr/lib/firejail/seccomp.64 |
496 | /usr/lib/firejail/seccomp.debug | 496 | /usr/lib/firejail/seccomp.debug |
497 | /usr/lib/firejail/seccomp.i386 | 497 | /usr/lib/firejail/seccomp.32 |
498 | /usr/lib/firejail/seccomp.block_secondary | 498 | /usr/lib/firejail/seccomp.block_secondary |
499 | /usr/lib/firejail/seccomp.mdwx | 499 | /usr/lib/firejail/seccomp.mdwx |
500 | 500 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435b9527d..60a43a600 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -54,15 +54,15 @@ | |||
54 | 54 | ||
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter |
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter |
57 | #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures | 57 | #define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures |
58 | #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures | 58 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures |
59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 59 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute |
60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 60 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter |
61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 61 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library |
62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 62 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 63 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
64 | #define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make | 64 | #define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make |
65 | #define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make | 65 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | 66 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make |
67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | 67 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make |
68 | 68 | ||
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index bf1ef0469..0b447e03b 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) { | |||
79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed | 79 | copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed |
80 | else { | 80 | else { |
81 | //copy default seccomp files | 81 | //copy default seccomp files |
82 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed | 82 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed |
83 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed | 83 | copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed |
84 | } | 84 | } |
85 | if (arg_allow_debuggers) | 85 | if (arg_allow_debuggers) |
86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 86 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7b45e2574..e75863c3a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -137,22 +137,22 @@ errexit: | |||
137 | exit(1); | 137 | exit(1); |
138 | } | 138 | } |
139 | 139 | ||
140 | // i386 filter installed on amd64 architectures | 140 | // 32 bit arch filter installed on 64 bit architectures |
141 | #if defined(__x86_64__) | 141 | #if defined(__LP64__) |
142 | static void seccomp_filter_32(void) { | 142 | static void seccomp_filter_32(void) { |
143 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 143 | if (seccomp_load(RUN_SECCOMP_32) == 0) { |
144 | if (arg_debug) | 144 | if (arg_debug) |
145 | printf("Dual i386/amd64 seccomp filter configured\n"); | 145 | printf("Dual 32/64 bit seccomp filter configured\n"); |
146 | } | 146 | } |
147 | } | 147 | } |
148 | #endif | 148 | #endif |
149 | 149 | ||
150 | // amd64 filter installed on i386 architectures | 150 | // 64 bit arch filter installed on 32 bit architectures |
151 | #if defined(__i386__) | 151 | #if defined(__ILP32__) |
152 | static void seccomp_filter_64(void) { | 152 | static void seccomp_filter_64(void) { |
153 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 153 | if (seccomp_load(RUN_SECCOMP_64) == 0) { |
154 | if (arg_debug) | 154 | if (arg_debug) |
155 | printf("Dual i386/amd64 seccomp filter configured\n"); | 155 | printf("Dual 32/64 bit seccomp filter configured\n"); |
156 | } | 156 | } |
157 | } | 157 | } |
158 | #endif | 158 | #endif |
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) { | |||
177 | if (arg_seccomp_block_secondary) | 177 | if (arg_seccomp_block_secondary) |
178 | seccomp_filter_block_secondary(); | 178 | seccomp_filter_block_secondary(); |
179 | else { | 179 | else { |
180 | #if defined(__x86_64__) | 180 | #if defined(__LP64__) |
181 | seccomp_filter_32(); | 181 | seccomp_filter_32(); |
182 | #endif | 182 | #endif |
183 | #if defined(__i386__) | 183 | #if defined(__ILP32__) |
184 | seccomp_filter_64(); | 184 | seccomp_filter_64(); |
185 | #endif | 185 | #endif |
186 | } | 186 | } |
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) { | |||
190 | if (arg_seccomp_block_secondary) | 190 | if (arg_seccomp_block_secondary) |
191 | seccomp_filter_block_secondary(); | 191 | seccomp_filter_block_secondary(); |
192 | else { | 192 | else { |
193 | #if defined(__x86_64__) | 193 | #if defined(__LP64__) |
194 | seccomp_filter_32(); | 194 | seccomp_filter_32(); |
195 | #endif | 195 | #endif |
196 | #if defined(__i386__) | 196 | #if defined(__ILP32__) |
197 | seccomp_filter_64(); | 197 | seccomp_filter_64(); |
198 | #endif | 198 | #endif |
199 | } | 199 | } |
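Review bot: The new `#if defined(__LP64__)` / `#if defined(__ILP32__)` pair in the two seccomp_filter_drop hunks (old lines 180 and 193) has no fallback, so on a target where neither data-model macro is predefined the else branch installs no secondary-architecture filter and the sandbox runs silently weaker than configured. Adding `#else` / `#error "unsupported data model: no secondary-arch seccomp filter"` / `#endif` after the `__ILP32__` block in both places (and around the function definitions at old lines 141 and 151) would turn that into a build-time failure instead of a quiet fail-open. The x32 ABI is `__ILP32__` on an `__x86_64__` kernel, so it would take the seccomp_filter_64 path while seccomp.h sets ARCH_NR to AUDIT_ARCH_X86_64; whether that combination is meant to be supported is not visible here and deserves a comment. seccomp_filter_drop starts and ends outside these hunks.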
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 3793e125d..e8df2bda5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -90,7 +90,7 @@ static int detect_filter_type(void) { | |||
90 | } | 90 | } |
91 | 91 | ||
92 | 92 | ||
93 | // testing for secondare amd64 filter | 93 | // testing for secondary 64 bit filter |
94 | const struct sock_filter start_secondary_64[] = { | 94 | const struct sock_filter start_secondary_64[] = { |
95 | VALIDATE_ARCHITECTURE_64, | 95 | VALIDATE_ARCHITECTURE_64, |
96 | EXAMINE_SYSCALL, | 96 | EXAMINE_SYSCALL, |
@@ -102,7 +102,7 @@ static int detect_filter_type(void) { | |||
102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); |
103 | } | 103 | } |
104 | 104 | ||
105 | // testing for secondare i386 filter | 105 | // testing for secondary 32 bit filter |
106 | const struct sock_filter start_secondary_32[] = { | 106 | const struct sock_filter start_secondary_32[] = { |
107 | VALIDATE_ARCHITECTURE_32, | 107 | VALIDATE_ARCHITECTURE_32, |
108 | EXAMINE_SYSCALL, | 108 | EXAMINE_SYSCALL, |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index dd69b58cc..da6a693e6 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) { | |||
108 | write_filter(fname, sizeof(filter), filter); | 108 | write_filter(fname, sizeof(filter), filter); |
109 | } | 109 | } |
110 | 110 | ||
111 | // i386 filter installed on amd64 architectures | 111 | // 32 bit arch filter installed on 64 bit architectures |
112 | void seccomp_secondary_32(const char *fname) { | 112 | void seccomp_secondary_32(const char *fname) { |
113 | // hardcoded syscall values | 113 | // hardcoded syscall values |
114 | struct sock_filter filter[] = { | 114 | struct sock_filter filter[] = { |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 2f2b2384d..133b6ce72 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -91,10 +91,64 @@ struct seccomp_data { | |||
91 | 91 | ||
92 | #if defined(__i386__) | 92 | #if defined(__i386__) |
93 | # define ARCH_NR AUDIT_ARCH_I386 | 93 | # define ARCH_NR AUDIT_ARCH_I386 |
94 | # define ARCH_32 AUDIT_ARCH_I386 | ||
95 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
94 | #elif defined(__x86_64__) | 96 | #elif defined(__x86_64__) |
95 | # define ARCH_NR AUDIT_ARCH_X86_64 | 97 | # define ARCH_NR AUDIT_ARCH_X86_64 |
98 | # define ARCH_32 AUDIT_ARCH_I386 | ||
99 | # define ARCH_64 AUDIT_ARCH_X86_64 | ||
100 | #elif defined(__aarch64__) | ||
101 | # define ARCH_NR AUDIT_ARCH_AARCH64 | ||
102 | # define ARCH_32 AUDIT_ARCH_ARM | ||
103 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
96 | #elif defined(__arm__) | 104 | #elif defined(__arm__) |
97 | # define ARCH_NR AUDIT_ARCH_ARM | 105 | # define ARCH_NR AUDIT_ARCH_ARM |
106 | # define ARCH_32 AUDIT_ARCH_ARM | ||
107 | # define ARCH_64 AUDIT_ARCH_AARCH64 | ||
108 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
109 | # define ARCH_NR AUDIT_ARCH_MIPS | ||
110 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
111 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
112 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 | ||
113 | # define ARCH_NR AUDIT_ARCH_MIPSEL | ||
114 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
115 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
116 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
117 | # define ARCH_NR AUDIT_ARCH_MIPS64 | ||
118 | # define ARCH_32 AUDIT_ARCH_MIPS | ||
119 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
120 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64 | ||
121 | # define ARCH_NR AUDIT_ARCH_MIPSEL64 | ||
122 | # define ARCH_32 AUDIT_ARCH_MIPSEL | ||
123 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
124 | #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
125 | # define ARCH_NR AUDIT_ARCH_MIPS64N32 | ||
126 | # define ARCH_32 AUDIT_ARCH_MIPS64N32 | ||
127 | # define ARCH_64 AUDIT_ARCH_MIPS64 | ||
128 | #elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32 | ||
129 | # define ARCH_NR AUDIT_ARCH_MIPSEL64N32 | ||
130 | # define ARCH_32 AUDIT_ARCH_MIPSEL64N32 | ||
131 | # define ARCH_64 AUDIT_ARCH_MIPSEL64 | ||
132 | #elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN | ||
133 | # define ARCH_NR AUDIT_ARCH_PPC64 | ||
134 | # define ARCH_32 AUDIT_ARCH_PPC | ||
135 | # define ARCH_64 AUDIT_ARCH_PPC64 | ||
136 | #elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
137 | # define ARCH_NR AUDIT_ARCH_PPC64LE | ||
138 | # define ARCH_32 AUDIT_ARCH_PPC | ||
139 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
140 | #elif defined(__powerpc__) | ||
141 | # define ARCH_NR AUDIT_ARCH_PPC | ||
142 | # define ARCH_32 AUDIT_ARCH_PPC | ||
143 | # define ARCH_64 AUDIT_ARCH_PPC64LE | ||
144 | #elif defined(__s390x__) | ||
145 | # define ARCH_NR AUDIT_ARCH_S390X | ||
146 | # define ARCH_32 AUDIT_ARCH_S390 | ||
147 | # define ARCH_64 AUDIT_ARCH_S390X | ||
148 | #elif defined(__s390__) | ||
149 | # define ARCH_NR AUDIT_ARCH_S390 | ||
150 | # define ARCH_32 AUDIT_ARCH_S390 | ||
151 | # define ARCH_64 AUDIT_ARCH_S390X | ||
98 | #else | 152 | #else |
99 | # warning "Platform does not support seccomp filter yet" | 153 | # warning "Platform does not support seccomp filter yet" |
100 | # define ARCH_NR 0 | 154 | # define ARCH_NR 0 |
@@ -112,12 +166,12 @@ struct seccomp_data { | |||
112 | 166 | ||
113 | #define VALIDATE_ARCHITECTURE_64 \ | 167 | #define VALIDATE_ARCHITECTURE_64 \ |
114 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 168 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
115 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ | 169 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ |
116 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 170 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
117 | 171 | ||
118 | #define VALIDATE_ARCHITECTURE_32 \ | 172 | #define VALIDATE_ARCHITECTURE_32 \ |
119 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 173 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
120 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ | 174 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ |
121 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 175 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
122 | 176 | ||
123 | #if defined(__x86_64__) | 177 | #if defined(__x86_64__) |
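Review bot: The 32-bit `#elif defined(__powerpc__)` branch at new line 143 hard-codes `# define ARCH_64 AUDIT_ARCH_PPC64LE`, while the two `__powerpc64__` branches just above select PPC64 or PPC64LE by `__BYTE_ORDER`; 32-bit PowerPC Linux is big-endian, so its 64-bit secondary token should be `# define ARCH_64 AUDIT_ARCH_PPC64` (or the branch should be split on `__BYTE_ORDER` like the 64-bit ones). The MIPS and PowerPC conditions also compare `__BYTE_ORDER` against `__BIG_ENDIAN`; if `<endian.h>` is not included before this point (not visible in the hunk), all three names expand to 0 in `#if` and the big-endian branch is selected on every host, so the header should include it or guard with `#ifndef __BYTE_ORDER` / `#error`. Finally, the `#else` fallback at new line 152 only defines ARCH_NR; unless the cut-off lines also define ARCH_32 and ARCH_64, VALIDATE_ARCHITECTURE_64/32 at new lines 169 and 174 now reference undefined identifiers on unsupported platforms.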
diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp index 6983758c3..098b309f5 100755 --- a/test/filters/seccomp-debug-32.exp +++ b/test/filters/seccomp-debug-32.exp | |||
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 9\n";exit} | 49 | timeout {puts "TESTING ERROR 9\n";exit} |
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | |||
56 | expect { | 56 | expect { |
57 | timeout {puts "TESTING ERROR 10\n";exit} | 57 | timeout {puts "TESTING ERROR 10\n";exit} |
58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 58 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
59 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 59 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
60 | "Child process initialized" | 60 | "Child process initialized" |
61 | } | 61 | } |
62 | expect { | 62 | expect { |
63 | timeout {puts "TESTING ERROR 13\n";exit} | 63 | timeout {puts "TESTING ERROR 13\n";exit} |
64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 64 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
65 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 65 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
66 | "done" | 66 | "done" |
67 | } | 67 | } |
68 | after 100 | 68 | after 100 |
@@ -82,7 +82,7 @@ expect { | |||
82 | expect { | 82 | expect { |
83 | timeout {puts "TESTING ERROR 21\n";exit} | 83 | timeout {puts "TESTING ERROR 21\n";exit} |
84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 84 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
85 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" | 85 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" |
86 | } | 86 | } |
87 | expect { | 87 | expect { |
88 | timeout {puts "TESTING ERROR 23\n";exit} | 88 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -110,12 +110,12 @@ expect { | |||
110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 110 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
111 | expect { | 111 | expect { |
112 | timeout {puts "TESTING ERROR 27\n";exit} | 112 | timeout {puts "TESTING ERROR 27\n";exit} |
113 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 113 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
114 | "Child process initialized" | 114 | "Child process initialized" |
115 | } | 115 | } |
116 | expect { | 116 | expect { |
117 | timeout {puts "TESTING ERROR 29\n";exit} | 117 | timeout {puts "TESTING ERROR 29\n";exit} |
118 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 118 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
119 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 119 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
120 | } | 120 | } |
121 | expect { | 121 | expect { |
@@ -128,12 +128,12 @@ after 100 | |||
128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 128 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 33\n";exit} | 130 | timeout {puts "TESTING ERROR 33\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
132 | "Child process initialized" | 132 | "Child process initialized" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
135 | timeout {puts "TESTING ERROR 35\n";exit} | 135 | timeout {puts "TESTING ERROR 35\n";exit} |
136 | "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 136 | "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
137 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 137 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
138 | } | 138 | } |
139 | expect { | 139 | expect { |
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index 7a4a13991..4986a6bf6 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -31,7 +31,7 @@ expect { | |||
31 | after 100 | 31 | after 100 |
32 | 32 | ||
33 | 33 | ||
34 | # amd64 architecture | 34 | # 64 bit architecture |
35 | send -- "firejail --debug sleep 1; echo done\r" | 35 | send -- "firejail --debug sleep 1; echo done\r" |
36 | expect { | 36 | expect { |
37 | timeout {puts "TESTING ERROR 5\n";exit} | 37 | timeout {puts "TESTING ERROR 5\n";exit} |
@@ -43,7 +43,7 @@ expect { | |||
43 | } | 43 | } |
44 | expect { | 44 | expect { |
45 | timeout {puts "TESTING ERROR 7\n";exit} | 45 | timeout {puts "TESTING ERROR 7\n";exit} |
46 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 46 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 8\n";exit} | 49 | timeout {puts "TESTING ERROR 8\n";exit} |
@@ -55,18 +55,18 @@ expect { | |||
55 | } | 55 | } |
56 | after 100 | 56 | after 100 |
57 | 57 | ||
58 | # amd64 architecture - ignore seccomp | 58 | # 64 bit architecture - ignore seccomp |
59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | 59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 10\n";exit} | 61 | timeout {puts "TESTING ERROR 10\n";exit} |
62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | 62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} |
63 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit} | 63 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} |
64 | "Child process initialized" | 64 | "Child process initialized" |
65 | } | 65 | } |
66 | expect { | 66 | expect { |
67 | timeout {puts "TESTING ERROR 13\n";exit} | 67 | timeout {puts "TESTING ERROR 13\n";exit} |
68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | 68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} |
69 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit} | 69 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit} |
70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
71 | } | 71 | } |
72 | expect { | 72 | expect { |
@@ -75,7 +75,7 @@ expect { | |||
75 | } | 75 | } |
76 | after 100 | 76 | after 100 |
77 | 77 | ||
78 | # amd64 architecture - ignore protocol | 78 | # 64 bit architecture - ignore protocol |
79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" | 79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" |
80 | expect { | 80 | expect { |
81 | timeout {puts "TESTING ERROR 17\n";exit} | 81 | timeout {puts "TESTING ERROR 17\n";exit} |
@@ -90,7 +90,7 @@ expect { | |||
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 21\n";exit} | 91 | timeout {puts "TESTING ERROR 21\n";exit} |
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | 92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} |
93 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | 93 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" |
94 | } | 94 | } |
95 | expect { | 95 | expect { |
96 | timeout {puts "TESTING ERROR 23\n";exit} | 96 | timeout {puts "TESTING ERROR 23\n";exit} |
@@ -114,21 +114,21 @@ expect { | |||
114 | } | 114 | } |
115 | 115 | ||
116 | 116 | ||
117 | # amd64 architecture - seccomp.block-secondary | 117 | # 64 bit architecture - seccomp.block-secondary |
118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | 118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" |
119 | expect { | 119 | expect { |
120 | timeout {puts "TESTING ERROR 27\n";exit} | 120 | timeout {puts "TESTING ERROR 27\n";exit} |
121 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit} | 121 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit} |
122 | "Child process initialized" | 122 | "Child process initialized" |
123 | } | 123 | } |
124 | expect { | 124 | expect { |
125 | timeout {puts "TESTING ERROR 29\n";exit} | 125 | timeout {puts "TESTING ERROR 29\n";exit} |
126 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit} | 126 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit} |
127 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 127 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
128 | } | 128 | } |
129 | expect { | 129 | expect { |
130 | timeout {puts "TESTING ERROR 31\n";exit} | 130 | timeout {puts "TESTING ERROR 31\n";exit} |
131 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit} | 131 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit} |
132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | 132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" |
133 | } | 133 | } |
134 | expect { | 134 | expect { |
@@ -137,16 +137,16 @@ expect { | |||
137 | } | 137 | } |
138 | after 100 | 138 | after 100 |
139 | 139 | ||
140 | # amd64 architecture - seccomp.block-secondary, profile | 140 | # 64 bit architecture - seccomp.block-secondary, profile |
141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | 141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" |
142 | expect { | 142 | expect { |
143 | timeout {puts "TESTING ERROR 33\n";exit} | 143 | timeout {puts "TESTING ERROR 33\n";exit} |
144 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit} | 144 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit} |
145 | "Child process initialized" | 145 | "Child process initialized" |
146 | } | 146 | } |
147 | expect { | 147 | expect { |
148 | timeout {puts "TESTING ERROR 35\n";exit} | 148 | timeout {puts "TESTING ERROR 35\n";exit} |
149 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit} | 149 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} |
150 | "Installing /run/firejail/mnt/seccomp seccomp filter" | 150 | "Installing /run/firejail/mnt/seccomp seccomp filter" |
151 | } | 151 | } |
152 | expect { | 152 | expect { |