Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 49 |
1 files changed, 34 insertions, 15 deletions
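diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 516c97fa0..e855ce7ed 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -23,6 +23,13 @@
 #include "../include/seccomp.h"
 #include <sys/mman.h>
 
+typedef struct filter_list {
+	struct filter_list *next;
+	struct sock_fprog prog;
+} FilterList;
+
+static FilterList *filter_list_head = NULL;
+
 static int err_printed = 0;
 
 char *seccomp_check_list(const char *str) {
@@ -52,6 +59,24 @@ char *seccomp_check_list(const char *str) {
 	return rv;
 }
 
+// install seccomp filters
+int seccomp_install_filters(void) {
+	int r = 0;
+	FilterList *fl = filter_list_head;
+	if (fl) {
+		prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+		for (; fl; fl = fl->next) {
+			if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+				if (!err_printed)
+					fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+				err_printed = 1;
+				r = 1;
+			}
+		}
+	}
+	return r;
+}
 
 int seccomp_load(const char *fname) {
 	assert(fname);
@@ -77,22 +102,16 @@ int seccomp_load(const char *fname) {
 	// close file
 	close(fd);
 
-	// install filter
-	struct sock_fprog prog = {
-		.len = entries,
-		.filter = filter,
-	};
-	int r = 0;
-	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-		if (!err_printed)
-			fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
-		err_printed = 1;
-		r = 1;
-	}
+	FilterList *fl = malloc(sizeof(FilterList));
+	if (!fl) {
+		fprintf(stderr, "Error: cannot allocate memory\n");
+		exit(1);
+	}
+	fl->next = filter_list_head;
+	fl->prog.len = entries;
+	fl->prog.filter = filter;
+	filter_list_head = fl;
+	return 0;
 errexit:
 	fprintf(stderr, "Error: cannot read %s\n", fname);
 	exit(1);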
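Review bot: In seccomp_install_filters the return value of `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` is discarded; if that call fails, every following PR_SET_SECCOMP fails with EACCES for an unprivileged process and the only diagnostic is the "requires a Linux kernel version 3.5 or newer" warning, which also swallows EINVAL from a malformed filter. I would check it and carry errno into the message, e.g. `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) fwarning("cannot set NO_NEW_PRIVS: %s\n", strerror(errno));` and likewise `fwarning("cannot install seccomp filter: %s\n", strerror(errno));` inside the loop, so the admin can tell a too-old kernel from a bad filter file. Separately, the removed side of the last hunk unmapped the filter buffer with `munmap(filter, size)` after installing it, while the new FilterList keeps only `prog` and no size, so the mapping can no longer be released once the filters are installed; if that is intended (the list outlives the install), a one-line comment on the struct saying the mappings are kept for the process lifetime would avoid a later "leak" report. The `entries`/`filter`/`size` locals are set earlier in seccomp_load, outside this hunk.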