diff options
Diffstat (limited to 'src/fsec-optimize')
-rw-r--r-- | src/fsec-optimize/Makefile.in | 45 | ||||
-rw-r--r-- | src/fsec-optimize/fsec_optimize.h | 30 | ||||
-rw-r--r-- | src/fsec-optimize/main.c | 94 | ||||
-rw-r--r-- | src/fsec-optimize/optimizer.c | 136 |
4 files changed, 305 insertions, 0 deletions
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in new file mode 100644 index 000000000..6ddbfc075 --- /dev/null +++ b/src/fsec-optimize/Makefile.in | |||
@@ -0,0 +1,45 @@ | |||
1 | all: fsec-optimize | ||
2 | |||
3 | CC=@CC@ | ||
4 | prefix=@prefix@ | ||
5 | exec_prefix=@exec_prefix@ | ||
6 | libdir=@libdir@ | ||
7 | sysconfdir=@sysconfdir@ | ||
8 | |||
9 | VERSION=@PACKAGE_VERSION@ | ||
10 | NAME=@PACKAGE_NAME@ | ||
11 | HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ | ||
12 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
13 | HAVE_CHROOT=@HAVE_CHROOT@ | ||
14 | HAVE_BIND=@HAVE_BIND@ | ||
15 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
16 | HAVE_NETWORK=@HAVE_NETWORK@ | ||
17 | HAVE_USERNS=@HAVE_USERNS@ | ||
18 | HAVE_X11=@HAVE_X11@ | ||
19 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | ||
20 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
21 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | ||
22 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
23 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
24 | HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ | ||
25 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
26 | HAVE_GCOV=@HAVE_GCOV@ | ||
27 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
28 | |||
29 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
30 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
31 | OBJS = $(C_FILE_LIST:.c=.o) | ||
32 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
33 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
34 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
35 | |||
36 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h | ||
37 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
38 | |||
39 | fsec-optimize: $(OBJS) ../lib/libnetlink.o | ||
40 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | ||
41 | |||
42 | clean:; rm -f *.o fsec-optimize *.gcov *.gcda *.gcno | ||
43 | |||
44 | distclean: clean | ||
45 | rm -fr Makefile | ||
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h new file mode 100644 index 000000000..ff4d53ab2 --- /dev/null +++ b/src/fsec-optimize/fsec_optimize.h | |||
@@ -0,0 +1,30 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #ifndef FSEC_OPTIMIZE_H | ||
21 | #define FSEC_OPTIMIZE_H | ||
22 | #include "../include/common.h" | ||
23 | #include "../include/seccomp.h" | ||
24 | #include <sys/mman.h> | ||
25 | |||
26 | // optimize.c | ||
27 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); | ||
28 | int optimize(struct sock_filter * filter, int entries); | ||
29 | |||
30 | #endif \ No newline at end of file | ||
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c new file mode 100644 index 000000000..2c11b91ef --- /dev/null +++ b/src/fsec-optimize/main.c | |||
@@ -0,0 +1,94 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fsec_optimize.h" | ||
21 | |||
22 | static void usage(void) { | ||
23 | printf("Usage:\n"); | ||
24 | printf("\tfsec-optimize file - optimize seccomp filter\n"); | ||
25 | } | ||
26 | |||
27 | int main(int argc, char **argv) { | ||
28 | #if 0 | ||
29 | { | ||
30 | //system("cat /proc/self/status"); | ||
31 | int i; | ||
32 | for (i = 0; i < argc; i++) | ||
33 | printf("*%s* ", argv[i]); | ||
34 | printf("\n"); | ||
35 | } | ||
36 | #endif | ||
37 | if (argc != 2) { | ||
38 | usage(); | ||
39 | return 1; | ||
40 | } | ||
41 | |||
42 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) { | ||
43 | usage(); | ||
44 | return 0; | ||
45 | } | ||
46 | |||
47 | char *fname = argv[1]; | ||
48 | |||
49 | // open input file | ||
50 | int fd = open(fname, O_RDONLY); | ||
51 | if (fd == -1) | ||
52 | goto errexit; | ||
53 | |||
54 | // calculate the number of entries | ||
55 | int size = lseek(fd, 0, SEEK_END); | ||
56 | if (size == -1) // todo: check maximum size of seccomp filter (4KB?) | ||
57 | goto errexit; | ||
58 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); | ||
59 | |||
60 | // read filter | ||
61 | struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); | ||
62 | if (filter == MAP_FAILED) | ||
63 | goto errexit; | ||
64 | close(fd); | ||
65 | |||
66 | // duplicate the filter memory and unmap the file | ||
67 | struct sock_filter *outfilter = duplicate(filter, entries); | ||
68 | if (munmap(filter, size) == -1) | ||
69 | perror("Error un-mmapping the file"); | ||
70 | |||
71 | // optimize filter | ||
72 | entries = optimize(outfilter, entries); | ||
73 | |||
74 | // write the new file and free memory | ||
75 | fd = open(argv[1], O_WRONLY | O_TRUNC | O_CREAT, 0755); | ||
76 | if (fd == -1) { | ||
77 | fprintf(stderr, "Error: cannot open output file\n"); | ||
78 | return 1; | ||
79 | } | ||
80 | size = write(fd, outfilter, entries * sizeof(struct sock_filter)); | ||
81 | if (size != entries * sizeof(struct sock_filter)) { | ||
82 | fprintf(stderr, "Error: cannot write output file\n"); | ||
83 | return 1; | ||
84 | } | ||
85 | close(fd); | ||
86 | free(outfilter); | ||
87 | |||
88 | return 0; | ||
89 | errexit: | ||
90 | close(fd); | ||
91 | fprintf(stderr, "Error: cannot read %s\n", fname); | ||
92 | exit(1); | ||
93 | |||
94 | } | ||
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c new file mode 100644 index 000000000..8e61935d3 --- /dev/null +++ b/src/fsec-optimize/optimizer.c | |||
@@ -0,0 +1,136 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "fsec_optimize.h" | ||
21 | |||
22 | // From /usr/include/linux/filter.h | ||
23 | //struct sock_filter { /* Filter block */ | ||
24 | // __u16 code; /* Actual filter code */ | ||
25 | // __u8 jt; /* Jump true */ | ||
26 | // __u8 jf; /* Jump false */ | ||
27 | // __u32 k; /* Generic multiuse field */ | ||
28 | //}; | ||
29 | |||
30 | |||
31 | #define LIMIT_BLACKLISTS 4 // we optimize blacklists only if we have more than | ||
32 | |||
33 | static inline int is_blacklist(struct sock_filter *bpf) { | ||
34 | if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && | ||
35 | (bpf + 1)->code == BPF_RET + BPF_K && | ||
36 | (bpf + 1)->k == SECCOMP_RET_KILL ) | ||
37 | return 1; | ||
38 | return 0; | ||
39 | } | ||
40 | |||
41 | static int count_blacklists(struct sock_filter *filter, int entries) { | ||
42 | int cnt = 0; | ||
43 | int i; | ||
44 | |||
45 | for (i = 0; i < (entries - 1); i++, filter++) { // is_blacklist works on two consecutive lines; using entries - 1 | ||
46 | if (is_blacklist(filter)) | ||
47 | cnt++; | ||
48 | } | ||
49 | |||
50 | return cnt; | ||
51 | } | ||
52 | |||
53 | typedef struct { | ||
54 | int to_remove; | ||
55 | int to_fix_jumps; | ||
56 | } Action; | ||
57 | |||
58 | static int optimize_blacklists(struct sock_filter *filter, int entries) { | ||
59 | assert(entries); | ||
60 | assert(filter); | ||
61 | int i; | ||
62 | int j; | ||
63 | |||
64 | // step1: extract information | ||
65 | Action action[entries]; | ||
66 | memset(&action[0], 0, sizeof(Action) * entries); | ||
67 | int remove_cnt = 0; | ||
68 | for (i = 0; i < (entries - 1); i++) { // is_blacklist works on two consecutive lines; using entries - 1 | ||
69 | if (is_blacklist(filter + i)) { | ||
70 | action[i]. to_fix_jumps = 1; | ||
71 | i++; | ||
72 | action[i].to_remove = 1; | ||
73 | remove_cnt++; | ||
74 | } | ||
75 | } | ||
76 | |||
77 | // step2: remove lines | ||
78 | struct sock_filter *filter_step2 = duplicate(filter, entries); | ||
79 | Action action_step2[entries]; | ||
80 | memset(&action_step2[0], 0, sizeof(Action) * entries); | ||
81 | for (i = 0, j = 0; i < entries; i++) { | ||
82 | if (!action[i].to_remove) { | ||
83 | memcpy(&filter_step2[j], &filter[i], sizeof(struct sock_filter)); | ||
84 | memcpy(&action_step2[j], &action[i], sizeof(Action)); | ||
85 | j++; | ||
86 | } | ||
87 | else { | ||
88 | // do nothing, we are removing this line | ||
89 | } | ||
90 | } | ||
91 | |||
92 | // step 3: add the new ret KILL, and recalculate entries | ||
93 | filter_step2[j].code = BPF_RET + BPF_K; | ||
94 | filter_step2[j].k == SECCOMP_RET_KILL; | ||
95 | entries = j + 1; | ||
96 | |||
97 | // step 4: recalculate jumps | ||
98 | for (i = 0; i < entries; i++) { | ||
99 | if (action_step2[i].to_fix_jumps) { | ||
100 | filter_step2[i].jt = entries - i - 2; | ||
101 | filter_step2[i].jf = 0; | ||
102 | } | ||
103 | } | ||
104 | |||
105 | // update | ||
106 | memcpy(filter, filter_step2, entries * sizeof(struct sock_filter)); | ||
107 | free(filter_step2); | ||
108 | return entries; | ||
109 | } | ||
110 | |||
111 | int optimize(struct sock_filter *filter, int entries) { | ||
112 | assert(filter); | ||
113 | assert(entries); | ||
114 | |||
115 | //********************************** | ||
116 | // optimize blacklist statements | ||
117 | //********************************** | ||
118 | // count "ret KILL" | ||
119 | int cnt = count_blacklists(filter, entries); | ||
120 | if (cnt > LIMIT_BLACKLISTS) | ||
121 | entries = optimize_blacklists(filter, entries); | ||
122 | return entries; | ||
123 | } | ||
124 | |||
125 | struct sock_filter *duplicate(struct sock_filter *filter, int entries) { | ||
126 | int len = sizeof(struct sock_filter) * entries; | ||
127 | struct sock_filter *rv = malloc(len); | ||
128 | if (!rv) { | ||
129 | errExit("malloc"); | ||
130 | exit(1); | ||
131 | } | ||
132 | |||
133 | memcpy(rv, filter, len); | ||
134 | return rv; | ||
135 | } | ||
136 | |||