diff options
| -rw-r--r-- | etc/firejail.config | 4 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 5 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 11 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 5 | ||||
| -rw-r--r-- | src/man/firejail.txt | 6 |
6 files changed, 29 insertions, 3 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index c671efef9..4b59f8955 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -101,6 +101,10 @@ | |||
| 101 | # Enable or disable seccomp support, default enabled. | 101 | # Enable or disable seccomp support, default enabled. |
| 102 | # seccomp yes | 102 | # seccomp yes |
| 103 | 103 | ||
| 104 | # Add rules to the default seccomp filter. Same syntax as for --seccomp= | ||
| 105 | # None by default; this is an example. | ||
| 106 | # seccomp-filter-add !chroot,kcmp,mincore | ||
| 107 | |||
| 104 | # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) | 108 | # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) |
| 105 | # seccomp-error-action EPERM | 109 | # seccomp-error-action EPERM |
| 106 | 110 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6726abdc8..12b5fc683 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -35,6 +35,7 @@ char *xvfb_extra_params = ""; | |||
| 35 | char *netfilter_default = NULL; | 35 | char *netfilter_default = NULL; |
| 36 | unsigned long join_timeout = 5000000; // microseconds | 36 | unsigned long join_timeout = 5000000; // microseconds |
| 37 | char *config_seccomp_error_action_str = "EPERM"; | 37 | char *config_seccomp_error_action_str = "EPERM"; |
| 38 | char *config_seccomp_filter_add = NULL; | ||
| 38 | char **whitelist_reject_topdirs = NULL; | 39 | char **whitelist_reject_topdirs = NULL; |
| 39 | 40 | ||
| 40 | int checkcfg(int val) { | 41 | int checkcfg(int val) { |
| @@ -222,6 +223,10 @@ int checkcfg(int val) { | |||
| 222 | else if (strncmp(ptr, "join-timeout ", 13) == 0) | 223 | else if (strncmp(ptr, "join-timeout ", 13) == 0) |
| 223 | join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds | 224 | join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds |
| 224 | 225 | ||
| 226 | // add rules to default seccomp filter | ||
| 227 | else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0) | ||
| 228 | config_seccomp_filter_add = seccomp_check_list(ptr + 19); | ||
| 229 | |||
| 225 | // seccomp error action | 230 | // seccomp error action |
| 226 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { | 231 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { |
| 227 | if (strcmp(ptr + 21, "kill") == 0) | 232 | if (strcmp(ptr + 21, "kill") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1da70fd54..60d178f1e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -789,6 +789,7 @@ extern char *xvfb_extra_params; | |||
| 789 | extern char *netfilter_default; | 789 | extern char *netfilter_default; |
| 790 | extern unsigned long join_timeout; | 790 | extern unsigned long join_timeout; |
| 791 | extern char *config_seccomp_error_action_str; | 791 | extern char *config_seccomp_error_action_str; |
| 792 | extern char *config_seccomp_filter_add; | ||
| 792 | extern char **whitelist_reject_topdirs; | 793 | extern char **whitelist_reject_topdirs; |
| 793 | 794 | ||
| 794 | int checkcfg(int val); | 795 | int checkcfg(int val); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 089d80a68..d46a56627 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -961,7 +961,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b | |||
| 961 | static int check_postexec(const char *list) { | 961 | static int check_postexec(const char *list) { |
| 962 | char *prelist, *postlist; | 962 | char *prelist, *postlist; |
| 963 | 963 | ||
| 964 | if (list) { | 964 | if (list && list[0]) { |
| 965 | syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); | 965 | syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); |
| 966 | if (postlist) | 966 | if (postlist) |
| 967 | return 1; | 967 | return 1; |
| @@ -2855,6 +2855,15 @@ int main(int argc, char **argv, char **envp) { | |||
| 2855 | // check network configuration options - it will exit if anything went wrong | 2855 | // check network configuration options - it will exit if anything went wrong |
| 2856 | net_check_cfg(); | 2856 | net_check_cfg(); |
| 2857 | 2857 | ||
| 2858 | // customization of default seccomp filter | ||
| 2859 | if (config_seccomp_filter_add) { | ||
| 2860 | if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop) | ||
| 2861 | profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add); | ||
| 2862 | |||
| 2863 | if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32) | ||
| 2864 | profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add); | ||
| 2865 | } | ||
| 2866 | |||
| 2858 | if (arg_seccomp) | 2867 | if (arg_seccomp) |
| 2859 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); | 2868 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); |
| 2860 | 2869 | ||
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 9670fe816..3d9bf9082 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) { | |||
| 208 | // - seccomp | 208 | // - seccomp |
| 209 | if (cfg.seccomp_list_drop == NULL) { | 209 | if (cfg.seccomp_list_drop == NULL) { |
| 210 | // default seccomp if error action is not changed | 210 | // default seccomp if error action is not changed |
| 211 | if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { | 211 | if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0') |
| 212 | && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { | ||
| 212 | if (arg_seccomp_block_secondary) | 213 | if (arg_seccomp_block_secondary) |
| 213 | seccomp_filter_block_secondary(); | 214 | seccomp_filter_block_secondary(); |
| 214 | else { | 215 | else { |
| @@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) { | |||
| 261 | } | 262 | } |
| 262 | 263 | ||
| 263 | // build the seccomp filter as a regular user | 264 | // build the seccomp filter as a regular user |
| 264 | if (list) | 265 | if (list && list[0]) |
| 265 | if (arg_allow_debuggers) | 266 | if (arg_allow_debuggers) |
| 266 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, | 267 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, |
| 267 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); | 268 | PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3212a88e4..7d7a1eb31 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2209,6 +2209,12 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
| 2209 | Example: | 2209 | Example: |
| 2210 | .br | 2210 | .br |
| 2211 | $ firejail \-\-seccomp | 2211 | $ firejail \-\-seccomp |
| 2212 | .br | ||
| 2213 | |||
| 2214 | .br | ||
| 2215 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
| 2216 | also globally in /etc/firejail/firejail.config file. | ||
| 2217 | |||
| 2212 | .TP | 2218 | .TP |
| 2213 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2219 | \fB\-\-seccomp=syscall,@group,!syscall2 |
| 2214 | Enable seccomp filter, whitelist "syscall2", but blacklist the default | 2220 | Enable seccomp filter, whitelist "syscall2", but blacklist the default |