diff options
| -rw-r--r-- | Makefile.in | 5 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/preproc.c | 1 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 16 | ||||
| -rw-r--r-- | src/fseccomp/main.c | 2 | ||||
| -rw-r--r-- | src/fseccomp/seccomp_secondary.c | 65 | ||||
| -rwxr-xr-x | test/filters/fseccomp.exp | 17 |
8 files changed, 4 insertions, 113 deletions
diff --git a/Makefile.in b/Makefile.in index ce79a1181..fef544267 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -2,7 +2,7 @@ all: apps man filters | |||
| 2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
| 3 | APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp | 3 | APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp |
| 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 4 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
| 5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx | 5 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx |
| 6 | 6 | ||
| 7 | prefix=@prefix@ | 7 | prefix=@prefix@ |
| 8 | exec_prefix=@exec_prefix@ | 8 | exec_prefix=@exec_prefix@ |
| @@ -47,8 +47,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | |||
| 47 | src/fsec-optimize/fsec-optimize seccomp.debug | 47 | src/fsec-optimize/fsec-optimize seccomp.debug |
| 48 | src/fseccomp/fseccomp secondary 32 seccomp.32 | 48 | src/fseccomp/fseccomp secondary 32 seccomp.32 |
| 49 | src/fsec-optimize/fsec-optimize seccomp.32 | 49 | src/fsec-optimize/fsec-optimize seccomp.32 |
| 50 | src/fseccomp/fseccomp secondary 64 seccomp.64 | ||
| 51 | src/fsec-optimize/fsec-optimize seccomp.64 | ||
| 52 | src/fseccomp/fseccomp secondary block seccomp.block_secondary | 50 | src/fseccomp/fseccomp secondary block seccomp.block_secondary |
| 53 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx | 51 | src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx |
| 54 | endif | 52 | endif |
| @@ -110,7 +108,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | |||
| 110 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. | 108 | install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. |
| 111 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. | 109 | install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. |
| 112 | install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/. | 110 | install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/. |
| 113 | install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/. | ||
| 114 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. | 111 | install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. |
| 115 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. | 112 | install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. |
| 116 | endif | 113 | endif |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7544b642a..2db171070 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -59,14 +59,12 @@ | |||
| 59 | 59 | ||
| 60 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter | 60 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter |
| 61 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter | 61 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter |
| 62 | #define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures | ||
| 63 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures | 62 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures |
| 64 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute | 63 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute |
| 65 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter | 64 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter |
| 66 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library | 65 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library |
| 67 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 66 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
| 68 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 67 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
| 69 | #define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make | ||
| 70 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | 68 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
| 71 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make | 69 | #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make |
| 72 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make | 70 | #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 45399bd48..9fb4840c6 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
| @@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) { | |||
| 87 | else { | 87 | else { |
| 88 | //copy default seccomp files | 88 | //copy default seccomp files |
| 89 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed | 89 | copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed |
| 90 | copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed | ||
| 91 | } | 90 | } |
| 92 | if (arg_allow_debuggers) | 91 | if (arg_allow_debuggers) |
| 93 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 92 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8abdf6b2c..1498007eb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) { | |||
| 1017 | else | 1017 | else |
| 1018 | seccomp_filter_drop(); | 1018 | seccomp_filter_drop(); |
| 1019 | 1019 | ||
| 1020 | // clean unused filters | ||
| 1021 | #if defined(__LP64__) | ||
| 1022 | int rv = unlink(RUN_SECCOMP_64); | ||
| 1023 | #endif | ||
| 1024 | #if defined(__ILP32__) | ||
| 1025 | int rv = unlink(RUN_SECCOMP_32); | ||
| 1026 | #endif | ||
| 1027 | (void) rv; | ||
| 1028 | } | 1020 | } |
| 1029 | else { // clean seccomp files under /run/firejail/mnt | 1021 | else { // clean seccomp files under /run/firejail/mnt |
| 1030 | int rv = unlink(RUN_SECCOMP_CFG); | 1022 | int rv = unlink(RUN_SECCOMP_CFG); |
| 1031 | rv |= unlink(RUN_SECCOMP_64); | ||
| 1032 | rv |= unlink(RUN_SECCOMP_32); | 1023 | rv |= unlink(RUN_SECCOMP_32); |
| 1033 | (void) rv; | 1024 | (void) rv; |
| 1034 | } | 1025 | } |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 1ee6256d4..3da0206e1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -138,6 +138,7 @@ errexit: | |||
| 138 | } | 138 | } |
| 139 | 139 | ||
| 140 | // 32 bit arch filter installed on 64 bit architectures | 140 | // 32 bit arch filter installed on 64 bit architectures |
| 141 | #if defined(__x86_64__) | ||
| 141 | #if defined(__LP64__) | 142 | #if defined(__LP64__) |
| 142 | static void seccomp_filter_32(void) { | 143 | static void seccomp_filter_32(void) { |
| 143 | if (seccomp_load(RUN_SECCOMP_32) == 0) { | 144 | if (seccomp_load(RUN_SECCOMP_32) == 0) { |
| @@ -146,15 +147,6 @@ static void seccomp_filter_32(void) { | |||
| 146 | } | 147 | } |
| 147 | } | 148 | } |
| 148 | #endif | 149 | #endif |
| 149 | |||
| 150 | // 64 bit arch filter installed on 32 bit architectures | ||
| 151 | #if defined(__ILP32__) | ||
| 152 | static void seccomp_filter_64(void) { | ||
| 153 | if (seccomp_load(RUN_SECCOMP_64) == 0) { | ||
| 154 | if (arg_debug) | ||
| 155 | printf("Dual 32/64 bit seccomp filter configured\n"); | ||
| 156 | } | ||
| 157 | } | ||
| 158 | #endif | 150 | #endif |
| 159 | 151 | ||
| 160 | static void seccomp_filter_block_secondary(void) { | 152 | static void seccomp_filter_block_secondary(void) { |
| @@ -177,11 +169,10 @@ int seccomp_filter_drop(void) { | |||
| 177 | if (arg_seccomp_block_secondary) | 169 | if (arg_seccomp_block_secondary) |
| 178 | seccomp_filter_block_secondary(); | 170 | seccomp_filter_block_secondary(); |
| 179 | else { | 171 | else { |
| 172 | #if defined(__x86_64__) | ||
| 180 | #if defined(__LP64__) | 173 | #if defined(__LP64__) |
| 181 | seccomp_filter_32(); | 174 | seccomp_filter_32(); |
| 182 | #endif | 175 | #endif |
| 183 | #if defined(__ILP32__) | ||
| 184 | seccomp_filter_64(); | ||
| 185 | #endif | 176 | #endif |
| 186 | } | 177 | } |
| 187 | } | 178 | } |
| @@ -190,11 +181,10 @@ int seccomp_filter_drop(void) { | |||
| 190 | if (arg_seccomp_block_secondary) | 181 | if (arg_seccomp_block_secondary) |
| 191 | seccomp_filter_block_secondary(); | 182 | seccomp_filter_block_secondary(); |
| 192 | else { | 183 | else { |
| 184 | #if defined(__x86_64__) | ||
| 193 | #if defined(__LP64__) | 185 | #if defined(__LP64__) |
| 194 | seccomp_filter_32(); | 186 | seccomp_filter_32(); |
| 195 | #endif | 187 | #endif |
| 196 | #if defined(__ILP32__) | ||
| 197 | seccomp_filter_64(); | ||
| 198 | #endif | 188 | #endif |
| 199 | } | 189 | } |
| 200 | if (arg_debug) | 190 | if (arg_debug) |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index ab6683065..7fd96bc43 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
| @@ -70,8 +70,6 @@ printf("\n"); | |||
| 70 | protocol_print(); | 70 | protocol_print(); |
| 71 | else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0) | 71 | else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0) |
| 72 | protocol_build_filter(argv[3], argv[4]); | 72 | protocol_build_filter(argv[3], argv[4]); |
| 73 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) | ||
| 74 | seccomp_secondary_64(argv[3]); | ||
| 75 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) | 73 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) |
| 76 | seccomp_secondary_32(argv[3]); | 74 | seccomp_secondary_32(argv[3]); |
| 77 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0) | 75 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0) |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index ebda1b938..e398f94d0 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
| @@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) { | |||
| 42 | close(dst); | 42 | close(dst); |
| 43 | } | 43 | } |
| 44 | 44 | ||
| 45 | void seccomp_secondary_64(const char *fname) { | ||
| 46 | // hardcoded syscall values | ||
| 47 | struct sock_filter filter[] = { | ||
| 48 | VALIDATE_ARCHITECTURE_64, | ||
| 49 | EXAMINE_SYSCALL, | ||
| 50 | BLACKLIST(165), // mount | ||
| 51 | BLACKLIST(166), // umount2 | ||
| 52 | // todo: implement --allow-debuggers | ||
| 53 | BLACKLIST(101), // ptrace | ||
| 54 | BLACKLIST(246), // kexec_load | ||
| 55 | BLACKLIST(304), // open_by_handle_at | ||
| 56 | BLACKLIST(303), // name_to_handle_at | ||
| 57 | BLACKLIST(174), // create_module | ||
| 58 | BLACKLIST(175), // init_module | ||
| 59 | BLACKLIST(313), // finit_module | ||
| 60 | BLACKLIST(176), // delete_module | ||
| 61 | BLACKLIST(172), // iopl | ||
| 62 | BLACKLIST(173), // ioperm | ||
| 63 | BLACKLIST(251), // ioprio_set | ||
| 64 | BLACKLIST(167), // swapon | ||
| 65 | BLACKLIST(168), // swapoff | ||
| 66 | BLACKLIST(103), // syslog | ||
| 67 | BLACKLIST(310), // process_vm_readv | ||
| 68 | BLACKLIST(311), // process_vm_writev | ||
| 69 | BLACKLIST(139), // sysfs | ||
| 70 | BLACKLIST(156), // _sysctl | ||
| 71 | BLACKLIST(159), // adjtimex | ||
| 72 | BLACKLIST(305), // clock_adjtime | ||
| 73 | BLACKLIST(212), // lookup_dcookie | ||
| 74 | BLACKLIST(298), // perf_event_open | ||
| 75 | BLACKLIST(300), // fanotify_init | ||
| 76 | BLACKLIST(312), // kcmp | ||
| 77 | BLACKLIST(248), // add_key | ||
| 78 | BLACKLIST(249), // request_key | ||
| 79 | BLACKLIST(250), // keyctl | ||
| 80 | BLACKLIST(134), // uselib | ||
| 81 | BLACKLIST(163), // acct | ||
| 82 | BLACKLIST(154), // modify_ldt | ||
| 83 | BLACKLIST(155), // pivot_root | ||
| 84 | BLACKLIST(206), // io_setup | ||
| 85 | BLACKLIST(207), // io_destroy | ||
| 86 | BLACKLIST(208), // io_getevents | ||
| 87 | BLACKLIST(209), // io_submit | ||
| 88 | BLACKLIST(210), // io_cancel | ||
| 89 | BLACKLIST(216), // remap_file_pages | ||
| 90 | BLACKLIST(237), // mbind | ||
| 91 | // breaking Firefox nightly when playing youtube videos | ||
| 92 | // TODO: test again when firefox sandbox is finally released | ||
| 93 | // BLACKLIST(239), // get_mempolicy | ||
| 94 | BLACKLIST(238), // set_mempolicy | ||
| 95 | BLACKLIST(256), // migrate_pages | ||
| 96 | BLACKLIST(279), // move_pages | ||
| 97 | BLACKLIST(278), // vmsplice | ||
| 98 | BLACKLIST(161), // chroot | ||
| 99 | BLACKLIST(184), // tuxcall | ||
| 100 | BLACKLIST(169), // reboot | ||
| 101 | BLACKLIST(180), // nfsservctl | ||
| 102 | BLACKLIST(177), // get_kernel_syms | ||
| 103 | |||
| 104 | RETURN_ALLOW | ||
| 105 | }; | ||
| 106 | |||
| 107 | // save filter to file | ||
| 108 | write_filter(fname, sizeof(filter), filter); | ||
| 109 | } | ||
| 110 | 45 | ||
| 111 | // 32 bit arch filter installed on 64 bit architectures | 46 | // 32 bit arch filter installed on 64 bit architectures |
| 112 | void seccomp_secondary_32(const char *fname) { | 47 | void seccomp_secondary_32(const char *fname) { |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 93f24ba71..87c5932ae 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
| @@ -38,23 +38,6 @@ expect { | |||
| 38 | } | 38 | } |
| 39 | 39 | ||
| 40 | after 100 | 40 | after 100 |
| 41 | send -- "fseccomp secondary 64 seccomp-test-file\r" | ||
| 42 | after 100 | ||
| 43 | send -- "fsec-print seccomp-test-file\r" | ||
| 44 | expect { | ||
| 45 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
| 46 | "jeq mount" | ||
| 47 | } | ||
| 48 | expect { | ||
| 49 | timeout {puts "TESTING ERROR 5.2\n";exit} | ||
| 50 | "jeq umount2" | ||
| 51 | } | ||
| 52 | expect { | ||
| 53 | timeout {puts "TESTING ERROR 5.3\n";exit} | ||
| 54 | "ret ALLOW" | ||
| 55 | } | ||
| 56 | |||
| 57 | after 100 | ||
| 58 | send -- "fseccomp default seccomp-test-file\r" | 41 | send -- "fseccomp default seccomp-test-file\r" |
| 59 | after 100 | 42 | after 100 |
| 60 | send -- "fsec-print seccomp-test-file\r" | 43 | send -- "fsec-print seccomp-test-file\r" |