Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 75 |
1 files changed, 58 insertions, 17 deletions
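--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -191,7 +191,17 @@ static void seccomp_filter_block_secondary(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(bool native) {
+const char *filter, *postexec_filter;
+
+if (native) {
+filter = RUN_SECCOMP_CFG;
+postexec_filter = RUN_SECCOMP_POSTEXEC;
+} else {
+filter = RUN_SECCOMP_32;
+postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+}
+
 // if we have multiple seccomp commands, only one of them is executed
 // in the following order:
 // - seccomp.drop list
@@ -224,19 +234,28 @@ int seccomp_filter_drop(void) {
 if (arg_debug)
 printf("Build default+drop seccomp filter\n");
 
+const char *command, *list;
+if (native) {
+command = "default";
+list = cfg.seccomp_list;
+} else {
+command = "default32";
+list = cfg.seccomp_list32;
+}
+
 // build the seccomp filter as a regular user
 int rv;
 if (arg_allow_debuggers)
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
-PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list, "allow-debuggers");
+PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
 else
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
+PATH_FSECCOMP, command, "drop", filter, postexec_filter, list);
 if (rv)
 exit(rv);
 
 // optimize the new filter
-rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
 if (rv)
 exit(rv);
 }
@@ -250,36 +269,45 @@ int seccomp_filter_drop(void) {
 if (arg_debug)
 printf("Build drop seccomp filter\n");
 
+const char *command, *list;
+if (native) {
+command = "drop";
+list = cfg.seccomp_list_drop;
+} else {
+command = "drop32";
+list = cfg.seccomp_list_drop32;
+}
+
 // build the seccomp filter as a regular user
 int rv;
 if (arg_allow_debuggers)
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop, "allow-debuggers");
+PATH_FSECCOMP, command, filter, postexec_filter, list, "allow-debuggers");
 else
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop);
+PATH_FSECCOMP, command, filter, postexec_filter, list);
 
 if (rv)
 exit(rv);
 
 // optimize the drop filter
-rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
 if (rv)
 exit(rv);
 }
 
 // load the filter
-if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+if (seccomp_load(filter) == 0) {
 if (arg_debug)
 printf("seccomp filter configured\n");
 }
 
 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
 struct stat st;
-if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+printf("configuring postexec seccomp filter in %s\n", postexec_filter);
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
-PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
+PATH_FSEC_PRINT, postexec_filter);
 }
 }
 
@@ -287,7 +315,7 @@ int seccomp_filter_drop(void) {
 }
 
 // keep filter for seccomp option
-int seccomp_filter_keep(void) {
+int seccomp_filter_keep(bool native) {
 // secondary filters are not installed except when secondary
 // architectures are explicitly blocked
 if (arg_seccomp_block_secondary)
@@ -296,9 +324,22 @@ int seccomp_filter_keep(void) {
 if (arg_debug)
 printf("Build keep seccomp filter\n");
 
+const char *command, *filter, *postexec_filter, *list;
+if (native) {
+command = "keep";
+filter = RUN_SECCOMP_CFG;
+postexec_filter = RUN_SECCOMP_POSTEXEC;
+list = cfg.seccomp_list_keep;
+} else {
+command = "keep32";
+filter = RUN_SECCOMP_32;
+postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+list = cfg.seccomp_list_keep32;
+}
+
 // build the seccomp filter as a regular user
 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+PATH_FSECCOMP, "keep", filter, postexec_filter, list);
 
 if (rv) {
 fprintf(stderr, "Error: cannot configure seccomp filter\n");
@@ -309,17 +350,17 @@ int seccomp_filter_keep(void) {
 printf("seccomp filter configured\n");
 
 // load the filter
-if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+if (seccomp_load(filter) == 0) {
 if (arg_debug)
 printf("seccomp filter configured\n");
 }
 
 if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
 struct stat st;
-if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+printf("configuring postexec seccomp filter in %s\n", postexec_filter);
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
-PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
+PATH_FSEC_PRINT, postexec_filter);
 }
 }
 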
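Review bot: In the `@@ -296,9 +324,22 @@` hunk of seccomp_filter_keep the new sbox_run call still passes the literal `"keep"` while the freshly computed `command` ("keep" / "keep32") is never used, so on the non-native path fseccomp is invoked with the native keep command but the 32-bit filter paths and `cfg.seccomp_list_keep32`; the two drop hunks above do pass `command`, so this looks like an oversight rather than intent. The call line should read `PATH_FSECCOMP, command, filter, postexec_filter, list);`, which also removes a set-but-unused variable that `-Wunused-but-set-variable` would flag. I am inferring from the drop paths that fseccomp distinguishes `keep` from `keep32`; if it does not, a comment saying so next to the literal would avoid the next reader asking the same question. seccomp_filter_keep begins in the preceding hunk and its body continues past this one into the final hunk.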