-rw-r--r--src/firejail/firejail.h10
-rw-r--r--src/firejail/main.c34
-rw-r--r--src/firejail/profile.c12
-rw-r--r--src/firejail/sandbox.c16
-rw-r--r--src/firejail/seccomp.c18
5 files changed, 44 insertions, 46 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ab2fedbd8..91bb420b6 100644
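--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -107,6 +107,12 @@ typedef struct config_t {
 uint32_t dns2;
 uint32_t dns3;
 
+// seccomp
+char *seccomp_list;// optional seccomp list on top of default filter
+char *seccomp_list_drop; // seccomp drop list
+char *seccomp_list_keep; // seccomp keep list
+char **seccomp_list_errno; // seccomp errno[nr] lists
+
 // rlimits
 unsigned rlimit_nofile;
 unsigned rlimit_nproc;
@@ -152,10 +158,6 @@ extern int arg_zsh; // use zsh as default shell
 extern int arg_csh; // use csh as default shell
 
 extern int arg_seccomp; // enable default seccomp filter
-extern char *arg_seccomp_list;// optional seccomp list on top of default filter
-extern char *arg_seccomp_list_drop; // seccomp drop list
-extern char *arg_seccomp_list_keep; // seccomp keep list
-extern char **arg_seccomp_list_errno; // seccomp errno[nr] lists
 
 extern int arg_caps_default_filter; // enable default capabilities filter
 extern int arg_caps_drop; // drop list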
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8d11caef3..b59ff699c 100644
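--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -58,10 +58,6 @@ int arg_zsh = 0; // use zsh as default shell
 int arg_csh = 0; // use csh as default shell
 
 int arg_seccomp = 0; // enable default seccomp filter
-char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter
-char *arg_seccomp_list_drop = NULL; // seccomp drop list
-char *arg_seccomp_list_keep = NULL; // seccomp keep list
-char **arg_seccomp_list_errno = NULL; // seccomp errno[nr] lists
 
 int arg_caps_default_filter = 0; // enable default capabilities filter
 int arg_caps_drop = 0; // drop list
@@ -468,8 +464,8 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list = strdup(argv[i] + 10);
-if (!arg_seccomp_list)
+cfg.seccomp_list = strdup(argv[i] + 10);
+if (!cfg.seccomp_list)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
@@ -478,8 +474,8 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_drop = strdup(argv[i] + 15);
-if (!arg_seccomp_list_drop)
+cfg.seccomp_list_drop = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_drop)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
@@ -488,12 +484,12 @@ int main(int argc, char **argv) {
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_keep = strdup(argv[i] + 15);
-if (!arg_seccomp_list_keep)
+cfg.seccomp_list_keep = strdup(argv[i] + 15);
+if (!cfg.seccomp_list_keep)
 errExit("strdup");
 }
 else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-if (arg_seccomp && !arg_seccomp_list_errno) {
+if (arg_seccomp && !cfg.seccomp_list_errno) {
 fprintf(stderr, "Error: seccomp already enabled\n");
 exit(1);
 }
@@ -506,17 +502,17 @@ int main(int argc, char **argv) {
 exit(1);
 }
 
-if (!arg_seccomp_list_errno)
-arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0]));
+if (!cfg.seccomp_list_errno)
+cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
 
-if (arg_seccomp_list_errno[nr]) {
+if (cfg.seccomp_list_errno[nr]) {
 fprintf(stderr, "Error: errno %s already configured\n", errnoname);
 free(errnoname);
 exit(1);
 }
 arg_seccomp = 1;
-arg_seccomp_list_errno[nr] = strdup(eq+1);
-if (!arg_seccomp_list_errno[nr])
+cfg.seccomp_list_errno[nr] = strdup(eq+1);
+if (!cfg.seccomp_list_errno[nr])
 errExit("strdup");
 free(errnoname);
 }
@@ -1393,10 +1389,10 @@ int main(int argc, char **argv) {
 
 // free globals
 #ifdef HAVE_SECCOMP
-if (arg_seccomp_list_errno) {
+if (cfg.seccomp_list_errno) {
 for (i = 0; i < highest_errno; i++)
-free(arg_seccomp_list_errno[i]);
-free(arg_seccomp_list_errno);
+free(cfg.seccomp_list_errno[i]);
+free(cfg.seccomp_list_errno);
 }
 #endif
 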
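Review bot: The `calloc` result assigned to `cfg.seccomp_list_errno` in the `--seccomp.e` branch is never checked, so an allocation failure is followed directly by the read of `cfg.seccomp_list_errno[nr]`; every `strdup` around it is guarded with `errExit`, and this allocation should be too: `if (!cfg.seccomp_list_errno) errExit("calloc");`. The array is sized `highest_errno+1`, but the cleanup loop under `// free globals` stops at `i < highest_errno`, so the last slot is never released; `i <= highest_errno` would match the allocation. How `nr` is bounded against `highest_errno` is decided above this hunk and is worth confirming, since it indexes the array directly. main() starts and ends outside these hunks.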
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3edeabee9..1fadab1fa 100644
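--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -160,8 +160,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp ", 8) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list = strdup(ptr + 8);
-if (!arg_seccomp_list)
+cfg.seccomp_list = strdup(ptr + 8);
+if (!cfg.seccomp_list)
 errExit("strdup");
 #endif
 return 0;
@@ -171,8 +171,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list_drop = strdup(ptr + 13);
-if (!arg_seccomp_list_drop)
+cfg.seccomp_list_drop = strdup(ptr + 13);
+if (!cfg.seccomp_list_drop)
 errExit("strdup");
 #endif
 return 0;
@@ -182,8 +182,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-arg_seccomp_list_keep= strdup(ptr + 13);
-if (!arg_seccomp_list_keep)
+cfg.seccomp_list_keep= strdup(ptr + 13);
+if (!cfg.seccomp_list_keep)
 errExit("strdup");
 #endif
 return 0;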
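Review bot: None of the three profile branches checks whether a list is already set before overwriting `cfg.seccomp_list`, `cfg.seccomp_list_drop` or `cfg.seccomp_list_keep`, whereas the `--seccomp.e` branch in main.c refuses with "Error: seccomp already enabled". A second `seccomp`, `seccomp.drop` or `seccomp.keep` line, or one processed after a command-line option has set the same field, therefore silently replaces the earlier syscall list and leaks the previous `strdup` buffer. Rejecting the line before the assignment, e.g. `if (cfg.seccomp_list) { fprintf(stderr, "Error: seccomp already enabled\n"); exit(1); }`, would keep profile and command-line handling consistent; if overriding is intended, free the old value first and say so in a comment. profile_check_line() begins before the first hunk, so an earlier guard cannot be ruled out from here.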
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3c5a176e6..d2c943ea1 100644
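--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -190,13 +190,13 @@ int sandbox(void* sandbox_arg) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
-if (arg_seccomp_list_drop) {
-free(arg_seccomp_list_drop);
-arg_seccomp_list_drop = NULL;
+if (cfg.seccomp_list_drop) {
+free(cfg.seccomp_list_drop);
+cfg.seccomp_list_drop = NULL;
 }
-if (arg_seccomp_list_keep) {
-free(arg_seccomp_list_keep);
-arg_seccomp_list_keep = NULL;
+if (cfg.seccomp_list_keep) {
+free(cfg.seccomp_list_keep);
+cfg.seccomp_list_keep = NULL;
 }
 
 // disable all capabilities
@@ -428,9 +428,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
 // if a keep list is available, disregard the drop list
 if (arg_seccomp == 1) {
-if (arg_seccomp_list_keep)
+if (cfg.seccomp_list_keep)
 seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file
-else if (arg_seccomp_list_errno)
+else if (cfg.seccomp_list_errno)
 seccomp_filter_errno(); // this will also save the filter to MNT_DIR/seccomp file
 else
 seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file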
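Review bot: The chroot branch that forces the default filter clears `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` but leaves `cfg.seccomp_list_errno` set, and the later selection calls `seccomp_filter_errno()` whenever that pointer is non-NULL. If seccomp_filter_errno() does not also install the default blacklist (its body is only partly visible in this commit), an errno list would take the place of the default filter inside the chroot, which is not what the comment `// force default seccomp inside the chroot, no keep or drop list` promises. Releasing the errno list in the same branch, or skipping the errno path when the default is forced, would close that gap; at minimum the comment should state that errno lists are deliberately kept. sandbox() extends beyond both hunks.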
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 29c87b18b..dd7b8d344 100644
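--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -343,7 +343,7 @@ int seccomp_filter_drop(void) {
 filter_init();
 
 // default seccomp
-if (arg_seccomp_list_drop == NULL) {
+if (cfg.seccomp_list_drop == NULL) {
 #ifdef SYS_mount
 filter_add_blacklist(SYS_mount, 0);
 #endif
@@ -507,15 +507,15 @@ int seccomp_filter_drop(void) {
 }
 
 // default seccomp filter with additional drop list
-if (arg_seccomp_list && arg_seccomp_list_drop == NULL) {
-if (syscall_check_list(arg_seccomp_list, filter_add_blacklist, 0)) {
+if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
 }
 // drop list
-else if (arg_seccomp_list == NULL && arg_seccomp_list_drop) {
-if (syscall_check_list(arg_seccomp_list_drop, filter_add_blacklist, 0)) {
+else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
@@ -558,8 +558,8 @@ int seccomp_filter_keep(void) {
 filter_add_whitelist(SYS_dup, 0);
 
 // apply keep list
-if (arg_seccomp_list_keep) {
-if (syscall_check_list(arg_seccomp_list_keep, filter_add_whitelist, 0)) {
+if (cfg.seccomp_list_keep) {
+if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }
@@ -599,8 +599,8 @@ int seccomp_filter_errno(void) {
 // apply errno list
 
 for (i = 0; i < higest_errno; i++) {
-if (arg_seccomp_list_errno[i]) {
-if (syscall_check_list(arg_seccomp_list_errno[i], filter_add_errno, i)) {
+if (cfg.seccomp_list_errno[i]) {
+if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) {
 fprintf(stderr, "Error: cannot load seccomp filter\n");
 exit(1);
 }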
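Review bot: In seccomp_filter_drop() the case where both `cfg.seccomp_list` and `cfg.seccomp_list_drop` are set matches none of the visible branches: the default blacklist is skipped because the drop list is non-NULL, and each list branch requires the other pointer to be NULL. Unless a further `else` follows outside the hunk, the resulting filter would carry neither the default entries nor either user list, so the function should fail closed, for example with a final `else if (cfg.seccomp_list && cfg.seccomp_list_drop) { fprintf(stderr, "Error: cannot load seccomp filter\n"); exit(1); }`. Separately, seccomp_filter_errno() indexes `cfg.seccomp_list_errno[i]` without testing the pointer itself and relies on the caller in sandbox.c having done so; a one-line comment stating that precondition above the loop would help the next reader.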