1 files changed, 70 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 78717ab41..922ba2edb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/syscall.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -72,6 +73,7 @@ int arg_overlay_keep = 0;			// place overlay diff in a known directory
 int arg_overlay_reuse = 0;                      // allow the reuse of overlays
 int arg_seccomp = 0;                            // enable default seccomp filter
+int arg_seccomp32 = 0;                          // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0;                   // need postexec ld.preload library?
 int arg_seccomp_block_secondary = 0;            // block any secondary architectures
@@ -548,6 +550,14 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                else
                        exit_err_feature("seccomp");
        }
+        else if (strcmp(argv[i], "--debug-syscalls32") == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls32");
+                        exit(rv);
+                }
+                else
+                        exit_err_feature("seccomp");
+        }
        else if (strcmp(argv[i], "--debug-errnos") == 0) {
                if (checkcfg(CFG_SECCOMP)) {
                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");
@@ -956,6 +966,18 @@ static void run_builder(int argc, char **argv) {
        exit(1);
 }
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {}
+static int check_postexec(const char *list) {
+        char *prelist, *postlist;
+        if (list) {
+                syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
+                if (postlist)
+                        return 1;
+        }
+        return 0;
+}
 //*******************************************
 // Main program
@@ -1263,6 +1285,18 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("seccomp");
                }
+                else if (strncmp(argv[i], "--seccomp.32=", 13) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list32 = seccomp_check_list(argv[i] + 13);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
                                if (arg_seccomp) {
@@ -1275,6 +1309,18 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("seccomp");
                }
+                else if (strncmp(argv[i], "--seccomp.32.drop=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_drop32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
                                if (arg_seccomp) {
@@ -1287,8 +1333,24 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("seccomp");
                }
+                else if (strncmp(argv[i], "--seccomp.32.keep=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_keep32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 conflicts with block-secondary\n");
+                                        exit(1);
+                                }
                                arg_seccomp_block_secondary = 1;
                        }
                        else
@@ -2542,6 +2604,14 @@ int main(int argc, char **argv) {
        // check network configuration options - it will exit if anything went wrong
        net_check_cfg();
+#ifdef HAVE_SECCOMP
+        if (arg_seccomp)
+                arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
+#endif
+        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+        if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
+                fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
        // check and assign an IP address - for macvlan it will be done again in the sandbox!
        if (any_bridge_configured()) {
                EUID_ROOT();

diff --git a/src/firejail/main.c b/src/firejail/main.c index 78717ab41..922ba2edb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -20,6 +20,7 @@
20	#include "firejail.h"	20	#include "firejail.h"
21	#include "../include/pid.h"	21	#include "../include/pid.h"
22	#include "../include/firejail_user.h"	22	#include "../include/firejail_user.h"
		23	#include "../include/syscall.h"
23	#define _GNU_SOURCE	24	#define _GNU_SOURCE
24	#include <sys/utsname.h>	25	#include <sys/utsname.h>
25	#include <sched.h>	26	#include <sched.h>
@@ -72,6 +73,7 @@ int arg_overlay_keep = 0; // place overlay diff in a known directory
72	int arg_overlay_reuse = 0; // allow the reuse of overlays	73	int arg_overlay_reuse = 0; // allow the reuse of overlays
73		74
74	int arg_seccomp = 0; // enable default seccomp filter	75	int arg_seccomp = 0; // enable default seccomp filter
		76	int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
75	int arg_seccomp_postexec = 0; // need postexec ld.preload library?	77	int arg_seccomp_postexec = 0; // need postexec ld.preload library?
76	int arg_seccomp_block_secondary = 0; // block any secondary architectures	78	int arg_seccomp_block_secondary = 0; // block any secondary architectures
77		79
@@ -548,6 +550,14 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
548	else	550	else
549	exit_err_feature("seccomp");	551	exit_err_feature("seccomp");
550	}	552	}
		553	else if (strcmp(argv[i], "--debug-syscalls32") == 0) {
		554	if (checkcfg(CFG_SECCOMP)) {
		555	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls32");
		556	exit(rv);
		557	}
		558	else
		559	exit_err_feature("seccomp");
		560	}
551	else if (strcmp(argv[i], "--debug-errnos") == 0) {	561	else if (strcmp(argv[i], "--debug-errnos") == 0) {
552	if (checkcfg(CFG_SECCOMP)) {	562	if (checkcfg(CFG_SECCOMP)) {
553	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");	563	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");
@@ -956,6 +966,18 @@ static void run_builder(int argc, char **argv) {
956	exit(1);	966	exit(1);
957	}	967	}
958		968
		969	void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {}
		970
		971	static int check_postexec(const char *list) {
		972	char prelist, postlist;
		973
		974	if (list) {
		975	syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
		976	if (postlist)
		977	return 1;
		978	}
		979	return 0;
		980	}
959		981
960	//*******************************************	982	//*******************************************
961	// Main program	983	// Main program
@@ -1263,6 +1285,18 @@ int main(int argc, char **argv) {
1263	else	1285	else
1264	exit_err_feature("seccomp");	1286	exit_err_feature("seccomp");
1265	}	1287	}
		1288	else if (strncmp(argv[i], "--seccomp.32=", 13) == 0) {
		1289	if (checkcfg(CFG_SECCOMP)) {
		1290	if (arg_seccomp32) {
		1291	fprintf(stderr, "Error: seccomp.32 already enabled\n");
		1292	exit(1);
		1293	}
		1294	arg_seccomp32 = 1;
		1295	cfg.seccomp_list32 = seccomp_check_list(argv[i] + 13);
		1296	}
		1297	else
		1298	exit_err_feature("seccomp");
		1299	}
1266	else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {	1300	else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
1267	if (checkcfg(CFG_SECCOMP)) {	1301	if (checkcfg(CFG_SECCOMP)) {
1268	if (arg_seccomp) {	1302	if (arg_seccomp) {
@@ -1275,6 +1309,18 @@ int main(int argc, char **argv) {
1275	else	1309	else
1276	exit_err_feature("seccomp");	1310	exit_err_feature("seccomp");
1277	}	1311	}
		1312	else if (strncmp(argv[i], "--seccomp.32.drop=", 18) == 0) {
		1313	if (checkcfg(CFG_SECCOMP)) {
		1314	if (arg_seccomp32) {
		1315	fprintf(stderr, "Error: seccomp.32 already enabled\n");
		1316	exit(1);
		1317	}
		1318	arg_seccomp32 = 1;
		1319	cfg.seccomp_list_drop32 = seccomp_check_list(argv[i] + 18);
		1320	}
		1321	else
		1322	exit_err_feature("seccomp");
		1323	}
1278	else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {	1324	else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
1279	if (checkcfg(CFG_SECCOMP)) {	1325	if (checkcfg(CFG_SECCOMP)) {
1280	if (arg_seccomp) {	1326	if (arg_seccomp) {
@@ -1287,8 +1333,24 @@ int main(int argc, char **argv) {
1287	else	1333	else
1288	exit_err_feature("seccomp");	1334	exit_err_feature("seccomp");
1289	}	1335	}
		1336	else if (strncmp(argv[i], "--seccomp.32.keep=", 18) == 0) {
		1337	if (checkcfg(CFG_SECCOMP)) {
		1338	if (arg_seccomp32) {
		1339	fprintf(stderr, "Error: seccomp.32 already enabled\n");
		1340	exit(1);
		1341	}
		1342	arg_seccomp32 = 1;
		1343	cfg.seccomp_list_keep32 = seccomp_check_list(argv[i] + 18);
		1344	}
		1345	else
		1346	exit_err_feature("seccomp");
		1347	}
1290	else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {	1348	else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {
1291	if (checkcfg(CFG_SECCOMP)) {	1349	if (checkcfg(CFG_SECCOMP)) {
		1350	if (arg_seccomp32) {
		1351	fprintf(stderr, "Error: seccomp.32 conflicts with block-secondary\n");
		1352	exit(1);
		1353	}
1292	arg_seccomp_block_secondary = 1;	1354	arg_seccomp_block_secondary = 1;
1293	}	1355	}
1294	else	1356	else
@@ -2542,6 +2604,14 @@ int main(int argc, char **argv) {
2542	// check network configuration options - it will exit if anything went wrong	2604	// check network configuration options - it will exit if anything went wrong
2543	net_check_cfg();	2605	net_check_cfg();
2544		2606
		2607	#ifdef HAVE_SECCOMP
		2608	if (arg_seccomp)
		2609	arg_seccomp_postexec = check_postexec(cfg.seccomp_list) \|\| check_postexec(cfg.seccomp_list_drop);
		2610	#endif
		2611	bool need_preload = arg_trace \|\| arg_tracelog \|\| arg_seccomp_postexec;
		2612	if (need_preload && (cfg.seccomp_list32 \|\| cfg.seccomp_list_drop32 \|\| cfg.seccomp_list_keep32))
		2613	fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
		2614
2545	// check and assign an IP address - for macvlan it will be done again in the sandbox!	2615	// check and assign an IP address - for macvlan it will be done again in the sandbox!
2546	if (any_bridge_configured()) {	2616	if (any_bridge_configured()) {
2547	EUID_ROOT();	2617	EUID_ROOT();