Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r--src/firejail/seccomp.c75
1 files changed, 58 insertions, 17 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 10a2a5665..b0a48591e 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -191,7 +191,17 @@ static void seccomp_filter_block_secondary(void) {
191} 191}
192 192
193// drop filter for seccomp option 193// drop filter for seccomp option
194int seccomp_filter_drop(void) { 194int seccomp_filter_drop(bool native) {
195 const char *filter, *postexec_filter;
196
197 if (native) {
198 filter = RUN_SECCOMP_CFG;
199 postexec_filter = RUN_SECCOMP_POSTEXEC;
200 } else {
201 filter = RUN_SECCOMP_32;
202 postexec_filter = RUN_SECCOMP_POSTEXEC_32;
203 }
204
195 // if we have multiple seccomp commands, only one of them is executed 205 // if we have multiple seccomp commands, only one of them is executed
196 // in the following order: 206 // in the following order:
197 // - seccomp.drop list 207 // - seccomp.drop list
@@ -224,19 +234,28 @@ int seccomp_filter_drop(void) {
224 if (arg_debug) 234 if (arg_debug)
225 printf("Build default+drop seccomp filter\n"); 235 printf("Build default+drop seccomp filter\n");
226 236
237 const char *command, *list;
238 if (native) {
239 command = "default";
240 list = cfg.seccomp_list;
241 } else {
242 command = "default32";
243 list = cfg.seccomp_list32;
244 }
245
227 // build the seccomp filter as a regular user 246 // build the seccomp filter as a regular user
228 int rv; 247 int rv;
229 if (arg_allow_debuggers) 248 if (arg_allow_debuggers)
230 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, 249 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
231 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list, "allow-debuggers"); 250 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
232 else 251 else
233 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, 252 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
234 PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list); 253 PATH_FSECCOMP, command, "drop", filter, postexec_filter, list);
235 if (rv) 254 if (rv)
236 exit(rv); 255 exit(rv);
237 256
238 // optimize the new filter 257 // optimize the new filter
239 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG); 258 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
240 if (rv) 259 if (rv)
241 exit(rv); 260 exit(rv);
242 } 261 }
@@ -250,36 +269,45 @@ int seccomp_filter_drop(void) {
250 if (arg_debug) 269 if (arg_debug)
251 printf("Build drop seccomp filter\n"); 270 printf("Build drop seccomp filter\n");
252 271
272 const char *command, *list;
273 if (native) {
274 command = "drop";
275 list = cfg.seccomp_list_drop;
276 } else {
277 command = "drop32";
278 list = cfg.seccomp_list_drop32;
279 }
280
253 // build the seccomp filter as a regular user 281 // build the seccomp filter as a regular user
254 int rv; 282 int rv;
255 if (arg_allow_debuggers) 283 if (arg_allow_debuggers)
256 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, 284 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
257 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop, "allow-debuggers"); 285 PATH_FSECCOMP, command, filter, postexec_filter, list, "allow-debuggers");
258 else 286 else
259 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, 287 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
260 PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop); 288 PATH_FSECCOMP, command, filter, postexec_filter, list);
261 289
262 if (rv) 290 if (rv)
263 exit(rv); 291 exit(rv);
264 292
265 // optimize the drop filter 293 // optimize the drop filter
266 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG); 294 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
267 if (rv) 295 if (rv)
268 exit(rv); 296 exit(rv);
269 } 297 }
270 298
271 // load the filter 299 // load the filter
272 if (seccomp_load(RUN_SECCOMP_CFG) == 0) { 300 if (seccomp_load(filter) == 0) {
273 if (arg_debug) 301 if (arg_debug)
274 printf("seccomp filter configured\n"); 302 printf("seccomp filter configured\n");
275 } 303 }
276 304
277 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) { 305 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
278 struct stat st; 306 struct stat st;
279 if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) { 307 if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
280 printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC); 308 printf("configuring postexec seccomp filter in %s\n", postexec_filter);
281 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, 309 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
282 PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC); 310 PATH_FSEC_PRINT, postexec_filter);
283 } 311 }
284 } 312 }
285 313
@@ -287,7 +315,7 @@ int seccomp_filter_drop(void) {
287} 315}
288 316
289// keep filter for seccomp option 317// keep filter for seccomp option
290int seccomp_filter_keep(void) { 318int seccomp_filter_keep(bool native) {
291 // secondary filters are not installed except when secondary 319 // secondary filters are not installed except when secondary
292 // architectures are explicitly blocked 320 // architectures are explicitly blocked
293 if (arg_seccomp_block_secondary) 321 if (arg_seccomp_block_secondary)
@@ -296,9 +324,22 @@ int seccomp_filter_keep(void) {
296 if (arg_debug) 324 if (arg_debug)
297 printf("Build keep seccomp filter\n"); 325 printf("Build keep seccomp filter\n");
298 326
327 const char *command, *filter, *postexec_filter, *list;
328 if (native) {
329 command = "keep";
330 filter = RUN_SECCOMP_CFG;
331 postexec_filter = RUN_SECCOMP_POSTEXEC;
332 list = cfg.seccomp_list_keep;
333 } else {
334 command = "keep32";
335 filter = RUN_SECCOMP_32;
336 postexec_filter = RUN_SECCOMP_POSTEXEC_32;
337 list = cfg.seccomp_list_keep32;
338 }
339
299 // build the seccomp filter as a regular user 340 // build the seccomp filter as a regular user
300 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, 341 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
301 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep); 342 PATH_FSECCOMP, "keep", filter, postexec_filter, list);
302 343
303 if (rv) { 344 if (rv) {
304 fprintf(stderr, "Error: cannot configure seccomp filter\n"); 345 fprintf(stderr, "Error: cannot configure seccomp filter\n");
@@ -309,17 +350,17 @@ int seccomp_filter_keep(void) {
309 printf("seccomp filter configured\n"); 350 printf("seccomp filter configured\n");
310 351
311 // load the filter 352 // load the filter
312 if (seccomp_load(RUN_SECCOMP_CFG) == 0) { 353 if (seccomp_load(filter) == 0) {
313 if (arg_debug) 354 if (arg_debug)
314 printf("seccomp filter configured\n"); 355 printf("seccomp filter configured\n");
315 } 356 }
316 357
317 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) { 358 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
318 struct stat st; 359 struct stat st;
319 if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) { 360 if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
320 printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC); 361 printf("configuring postexec seccomp filter in %s\n", postexec_filter);
321 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, 362 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
322 PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC); 363 PATH_FSEC_PRINT, postexec_filter);
323 } 364 }
324 } 365 }
325 366
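Review bot: The keep filter still passes the literal `"keep"` to fseccomp at new line 342, even though `command` was just set to `"keep"`/`"keep32"` at new lines 329 and 334; in the non-native path the 32-bit list and filter files are therefore built with the native keep command, and `command` is otherwise never read, which -Wunused-but-set-variable will flag. The call should read `PATH_FSECCOMP, command, filter, postexec_filter, list);`, matching how the drop paths at new lines 250/253 and 285/288 use `command`. seccomp_filter_keep starts at new line 318 in an earlier hunk and ends after the last hunk, and the header prototypes and callers that presumably need the new `bool native` parameter are not part of this diff, so they should be checked separately.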