diff options
Diffstat (limited to 'src/firejail/seccomp.c')
| -rw-r--r-- | src/firejail/seccomp.c | 43 |
1 files changed, 26 insertions, 17 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4678f366b..dd133b2ba 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -52,44 +52,53 @@ char *seccomp_check_list(const char *str) { | |||
| 52 | 52 | ||
| 53 | int seccomp_load(const char *fname) { | 53 | int seccomp_load(const char *fname) { |
| 54 | assert(fname); | 54 | assert(fname); |
| 55 | |||
| 56 | // open filter file | ||
| 57 | int fd = open(fname, O_RDONLY); | ||
| 58 | if (fd == -1) | ||
| 59 | goto errexit; | ||
| 55 | 60 | ||
| 56 | // check file | 61 | // calculate the number of entries |
| 57 | struct stat s; | 62 | int size = lseek(fd, 0, SEEK_END); |
| 58 | if (stat(fname, &s) == -1) { | 63 | if (size == -1) |
| 59 | fprintf(stderr, "Error: cannot read protocol filter file\n"); | 64 | goto errexit; |
| 60 | exit(1); | 65 | if (lseek(fd, 0 , SEEK_SET) == -1) |
| 61 | } | 66 | goto errexit; |
| 62 | int size = s.st_size; | ||
| 63 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); | 67 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); |
| 64 | //printf("size %d, entries %d\n", s.st_size, entries); | 68 | if (arg_debug) |
| 69 | printf("reading %d seccomp entries from %s\n", entries, fname); | ||
| 65 | 70 | ||
| 66 | // read filter | 71 | // read filter |
| 67 | struct sock_filter filter[entries]; | 72 | struct sock_filter *filter = malloc(size); |
| 73 | if (filter == NULL) | ||
| 74 | goto errexit; | ||
| 68 | memset(&filter[0], 0, sizeof(filter)); | 75 | memset(&filter[0], 0, sizeof(filter)); |
| 69 | int src = open(fname, O_RDONLY); | ||
| 70 | int rd = 0; | 76 | int rd = 0; |
| 71 | while (rd < size) { | 77 | while (rd < size) { |
| 72 | int rv = read(src, (unsigned char *) filter + rd, size - rd); | 78 | int rv = read(fd, (unsigned char *) filter + rd, size - rd); |
| 73 | if (rv == -1) { | 79 | if (rv == -1) |
| 74 | fprintf(stderr, "Error: cannot read %s file\n", fname); | 80 | goto errexit; |
| 75 | exit(1); | ||
| 76 | } | ||
| 77 | rd += rv; | 81 | rd += rv; |
| 78 | } | 82 | } |
| 79 | close(src); | 83 | |
| 84 | // close file | ||
| 85 | close(fd); | ||
| 80 | 86 | ||
| 81 | // install filter | 87 | // install filter |
| 82 | struct sock_fprog prog = { | 88 | struct sock_fprog prog = { |
| 83 | .len = entries, | 89 | .len = entries, |
| 84 | .filter = filter, | 90 | .filter = filter, |
| 85 | }; | 91 | }; |
| 86 | |||
| 87 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 92 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
| 88 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 93 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
| 89 | return 1; | 94 | return 1; |
| 90 | } | 95 | } |
| 91 | 96 | ||
| 92 | return 0; | 97 | return 0; |
| 98 | |||
| 99 | errexit: | ||
| 100 | fprintf(stderr, "Error: cannot read %s\n", fname); | ||
| 101 | exit(1); | ||
| 93 | } | 102 | } |
| 94 | 103 | ||
| 95 | // i386 filter installed on amd64 architectures | 104 | // i386 filter installed on amd64 architectures |