3 files changed, 86 insertions, 11 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index b0c960754..57f483b1c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) {
                filter_debug();
 }
-// i386t filter installed on amd64 architectures
+// i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
        // hardcoded syscall values
        struct sock_filter filter[] = {
@@ -373,7 +373,6 @@ void seccomp_filter_32(void) {
                BLACKLIST(317), // move_pages
                BLACKLIST(316), // vmsplice
                BLACKLIST(61),  // chroot
-                BLACKLIST(243), // set_thread_area
                BLACKLIST(88), // reboot
                BLACKLIST(169), // nfsservctl
                BLACKLIST(130), // get_kernel_syms
@@ -393,6 +392,76 @@ void seccomp_filter_32(void) {
        }
 }
+// amd64 filter installed on i386 architectures
+void seccomp_filter_64(void) {
+        // hardcoded syscall values
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE_64,
+                EXAMINE_SYSCALL,
+                BLACKLIST(165), // mount
+                BLACKLIST(166), // umount2
+                BLACKLIST(101), // ptrace
+                BLACKLIST(246), // kexec_load
+                BLACKLIST(304), // open_by_handle_at
+                BLACKLIST(175), // init_module
+                BLACKLIST(313), // finit_module
+                BLACKLIST(176), // delete_module
+                BLACKLIST(172), // iopl
+                BLACKLIST(173), // ioperm
+                BLACKLIST(167), // swapon
+                BLACKLIST(168), // swapoff
+                BLACKLIST(103), // syslog
+                BLACKLIST(310), // process_vm_readv
+                BLACKLIST(311), // process_vm_writev
+                BLACKLIST(139), // sysfs
+                BLACKLIST(156), // _sysctl
+                BLACKLIST(159), // adjtimex
+                BLACKLIST(305), // clock_adjtime
+                BLACKLIST(212), // lookup_dcookie
+                BLACKLIST(298), // perf_event_open
+                BLACKLIST(300), // fanotify_init
+                BLACKLIST(312), // kcmp
+                BLACKLIST(248), // add_key
+                BLACKLIST(249), // request_key
+                BLACKLIST(250), // keyctl
+                BLACKLIST(134), // uselib
+                BLACKLIST(163), // acct
+                BLACKLIST(154), // modify_ldt
+                BLACKLIST(155), // pivot_root
+                BLACKLIST(206), // io_setup
+                BLACKLIST(207), // io_destroy
+                BLACKLIST(208), // io_getevents
+                BLACKLIST(209), // io_submit
+                BLACKLIST(210), // io_cancel
+                BLACKLIST(216), // remap_file_pages
+                BLACKLIST(237), // mbind
+                BLACKLIST(239), // get_mempolicy
+                BLACKLIST(238), // set_mempolicy
+                BLACKLIST(256), // migrate_pages
+                BLACKLIST(279), // move_pages
+                BLACKLIST(278), // vmsplice
+                BLACKLIST(161), // chroot
+                BLACKLIST(184), // tuxcall
+                BLACKLIST(169), // reboot
+                BLACKLIST(180), // nfsservctl
+                BLACKLIST(177), // get_kernel_syms
+                RETURN_ALLOW
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                ;
+        }
+        else if (arg_debug) {
+                printf("Dual i386/amd64 seccomp filter configured\n");
+        }
+}
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
        filter_init();
@@ -402,6 +471,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__x86_64__)
                seccomp_filter_32();
 #endif
+#if defined(__i386__)
+                seccomp_filter_64();
+#endif
 #ifdef SYS_mount                
                filter_add_blacklist(SYS_mount, 0);
@@ -563,14 +635,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
 //     SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
-// 32bit
-//              filter_add_blacklist(SYS_personality, 0); // test wine
-//              filter_add_blacklist(SYS_set_thread_area, 0); // test wine
 // 0.9.39
-#ifdef SYS_set_thread_area
-                filter_add_blacklist(SYS_set_thread_area, 0);
-#endif
 #ifdef SYS_tuxcall
                filter_add_blacklist(SYS_tuxcall, 0);
 #endif
diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h
index 555baa14f..7d646dd9e 100644
--- a/src/firejail/seccomp.h
+++ b/src/firejail/seccomp.h
@@ -105,6 +105,11 @@ struct seccomp_data {
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define VALIDATE_ARCHITECTURE_64 \
+     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
+     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define VALIDATE_ARCHITECTURE_32 \
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bdd1bb1f6..00f4cb367 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1135,8 +1135,13 @@ add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
 migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,
+tuxcall, reboot, mfsservctl and get_kernel_syms.
-an equivalent 32-bit seccomp filter is also installed.
+.br
+.br
+System architecture is not strictly imposed. The filter is applied
+at run time only if the correct architecture was detected. For the case of I386 and AMD64
+both 32-bit and 64-bit filters are installed.
 .br
 .br

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index b0c960754..57f483b1c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -324,7 +324,7 @@ static void read_seccomp_file(const char *fname) {
324	filter_debug();	324	filter_debug();
325	}	325	}
326		326
327	// i386t filter installed on amd64 architectures	327	// i386 filter installed on amd64 architectures
328	void seccomp_filter_32(void) {	328	void seccomp_filter_32(void) {
329	// hardcoded syscall values	329	// hardcoded syscall values
330	struct sock_filter filter[] = {	330	struct sock_filter filter[] = {
@@ -373,7 +373,6 @@ void seccomp_filter_32(void) {
373	BLACKLIST(317), // move_pages	373	BLACKLIST(317), // move_pages
374	BLACKLIST(316), // vmsplice	374	BLACKLIST(316), // vmsplice
375	BLACKLIST(61), // chroot	375	BLACKLIST(61), // chroot
376	BLACKLIST(243), // set_thread_area
377	BLACKLIST(88), // reboot	376	BLACKLIST(88), // reboot
378	BLACKLIST(169), // nfsservctl	377	BLACKLIST(169), // nfsservctl
379	BLACKLIST(130), // get_kernel_syms	378	BLACKLIST(130), // get_kernel_syms
@@ -393,6 +392,76 @@ void seccomp_filter_32(void) {
393	}	392	}
394	}	393	}
395		394
		395	// amd64 filter installed on i386 architectures
		396	void seccomp_filter_64(void) {
		397	// hardcoded syscall values
		398	struct sock_filter filter[] = {
		399	VALIDATE_ARCHITECTURE_64,
		400	EXAMINE_SYSCALL,
		401	BLACKLIST(165), // mount
		402	BLACKLIST(166), // umount2
		403	BLACKLIST(101), // ptrace
		404	BLACKLIST(246), // kexec_load
		405	BLACKLIST(304), // open_by_handle_at
		406	BLACKLIST(175), // init_module
		407	BLACKLIST(313), // finit_module
		408	BLACKLIST(176), // delete_module
		409	BLACKLIST(172), // iopl
		410	BLACKLIST(173), // ioperm
		411	BLACKLIST(167), // swapon
		412	BLACKLIST(168), // swapoff
		413	BLACKLIST(103), // syslog
		414	BLACKLIST(310), // process_vm_readv
		415	BLACKLIST(311), // process_vm_writev
		416	BLACKLIST(139), // sysfs
		417	BLACKLIST(156), // _sysctl
		418	BLACKLIST(159), // adjtimex
		419	BLACKLIST(305), // clock_adjtime
		420	BLACKLIST(212), // lookup_dcookie
		421	BLACKLIST(298), // perf_event_open
		422	BLACKLIST(300), // fanotify_init
		423	BLACKLIST(312), // kcmp
		424	BLACKLIST(248), // add_key
		425	BLACKLIST(249), // request_key
		426	BLACKLIST(250), // keyctl
		427	BLACKLIST(134), // uselib
		428	BLACKLIST(163), // acct
		429	BLACKLIST(154), // modify_ldt
		430	BLACKLIST(155), // pivot_root
		431	BLACKLIST(206), // io_setup
		432	BLACKLIST(207), // io_destroy
		433	BLACKLIST(208), // io_getevents
		434	BLACKLIST(209), // io_submit
		435	BLACKLIST(210), // io_cancel
		436	BLACKLIST(216), // remap_file_pages
		437	BLACKLIST(237), // mbind
		438	BLACKLIST(239), // get_mempolicy
		439	BLACKLIST(238), // set_mempolicy
		440	BLACKLIST(256), // migrate_pages
		441	BLACKLIST(279), // move_pages
		442	BLACKLIST(278), // vmsplice
		443	BLACKLIST(161), // chroot
		444	BLACKLIST(184), // tuxcall
		445	BLACKLIST(169), // reboot
		446	BLACKLIST(180), // nfsservctl
		447	BLACKLIST(177), // get_kernel_syms
		448	RETURN_ALLOW
		449	};
		450
		451	struct sock_fprog prog = {
		452	.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		453	.filter = filter,
		454	};
		455
		456	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) \|\| prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		457	;
		458	}
		459	else if (arg_debug) {
		460	printf("Dual i386/amd64 seccomp filter configured\n");
		461	}
		462	}
		463
		464
396	// drop filter for seccomp option	465	// drop filter for seccomp option
397	int seccomp_filter_drop(int enforce_seccomp) {	466	int seccomp_filter_drop(int enforce_seccomp) {
398	filter_init();	467	filter_init();
@@ -402,6 +471,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
402	#if defined(__x86_64__)	471	#if defined(__x86_64__)
403	seccomp_filter_32();	472	seccomp_filter_32();
404	#endif	473	#endif
		474	#if defined(__i386__)
		475	seccomp_filter_64();
		476	#endif
405		477
406	#ifdef SYS_mount	478	#ifdef SYS_mount
407	filter_add_blacklist(SYS_mount, 0);	479	filter_add_blacklist(SYS_mount, 0);
@@ -563,14 +635,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
563	// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,	635	// CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1,
564	// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));	636	// SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)));
565		637
566	// 32bit
567	// filter_add_blacklist(SYS_personality, 0); // test wine
568	// filter_add_blacklist(SYS_set_thread_area, 0); // test wine
569
570	// 0.9.39	638	// 0.9.39
571	#ifdef SYS_set_thread_area
572	filter_add_blacklist(SYS_set_thread_area, 0);
573	#endif
574	#ifdef SYS_tuxcall	639	#ifdef SYS_tuxcall
575	filter_add_blacklist(SYS_tuxcall, 0);	640	filter_add_blacklist(SYS_tuxcall, 0);
576	#endif	641	#endif


diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h index 555baa14f..7d646dd9e 100644 --- a/src/firejail/seccomp.h +++ b/src/firejail/seccomp.h
@@ -105,6 +105,11 @@ struct seccomp_data {
105	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \	105	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
106	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)	106	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
107		107
		108	#define VALIDATE_ARCHITECTURE_64 \
		109	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
		110	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
		111	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
		112
108	#define VALIDATE_ARCHITECTURE_32 \	113	#define VALIDATE_ARCHITECTURE_32 \
109	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \	114	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
110	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \	115	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bdd1bb1f6..00f4cb367 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1135,8 +1135,13 @@ add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
1135	io_destroy, io_getevents, io_submit, io_cancel,	1135	io_destroy, io_getevents, io_submit, io_cancel,
1136	remap_file_pages, mbind, get_mempolicy, set_mempolicy,	1136	remap_file_pages, mbind, get_mempolicy, set_mempolicy,
1137	migrate_pages, move_pages, vmsplice, perf_event_open, chroot,	1137	migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
1138	set_thread_area, tuxcall, reboot, mfsservctl and get_kernel_syms. When running on AMD64 architecture,	1138	tuxcall, reboot, mfsservctl and get_kernel_syms.
1139	an equivalent 32-bit seccomp filter is also installed.	1139	.br
		1140
		1141	.br
		1142	System architecture is not strictly imposed. The filter is applied
		1143	at run time only if the correct architecture was detected. For the case of I386 and AMD64
		1144	both 32-bit and 64-bit filters are installed.
1140	.br	1145	.br
1141		1146
1142	.br	1147	.br