Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r--src/fseccomp/seccomp.c118
1 files changed, 94 insertions, 24 deletions
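--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -27,9 +27,9 @@
 static void add_default_list(int fd, int allow_debuggers) {
 	int r;
 	if (!allow_debuggers)
-		r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0);
+		r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL);
 	else
-		r = syscall_check_list("@default", filter_add_blacklist, fd, 0);
+		r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL);
 
 	assert(r == 0);
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
@@ -56,7 +56,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
 		exit(1);
 	}
 
-	// build filter
+	// build filter (no post-exec filter needed because default list is fine for us)
 	filter_init(fd);
 	add_default_list(fd, allow_debuggers);
 	filter_end_blacklist(fd);
@@ -66,44 +66,94 @@ void seccomp_default(const char *fname, int allow_debuggers) {
 }
 
 // drop list
-void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
-	assert(fname);
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+	assert(fname1);
+	assert(fname2);
 	(void) allow_debuggers; // todo: to implemnet it
 
-	// open file
-	int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	// open file for pre-exec filter
+	int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd < 0) {
-		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
 		exit(1);
 	}
 
-	// build filter
+	// build pre-exec filter: don't blacklist any syscalls in @default-keep
+	filter_init(fd);
+	char *prelist, *postlist;
+	syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+	if (prelist)
+		if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+			fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+			exit(1);
+		}
+	filter_end_whitelist(fd);
+	// close file
+	close(fd);
+
+	if (!postlist)
+		return;
+
+	// open file for post-exec filter
+	fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (fd < 0) {
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
+		exit(1);
+	}
+
+	// build post-exec filter: blacklist remaining syscalls
 	filter_init(fd);
-	if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+	if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
 		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
 		exit(1);
 	}
-	filter_end_blacklist(fd);
+	filter_end_whitelist(fd);
 
 	// close file
 	close(fd);
 }
 
 // default+drop
-void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
-	assert(fname);
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+	assert(fname1);
+	assert(fname2);
 
 	// open file
-	int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd < 0) {
-		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
 		exit(1);
 	}
 
-	// build filter
+	// build pre-exec filter: blacklist @default, don't blacklist
+	// any listed syscalls in @default-keep
 	filter_init(fd);
 	add_default_list(fd, allow_debuggers);
-	if (syscall_check_list(list, filter_add_blacklist, fd, 0)) {
+	char *prelist, *postlist;
+	syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+	if (prelist)
+		if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+			fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+			exit(1);
+		}
+	filter_end_blacklist(fd);
+
+	// close file
+	close(fd);
+
+	if (!postlist)
+		return;
+
+	// open file for post-exec filter
+	fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (fd < 0) {
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
+		exit(1);
+	}
+
+	// build post-exec filter: blacklist remaining syscalls
+	filter_init(fd);
+	if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
 		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
 		exit(1);
 	}
@@ -113,22 +163,42 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
 	close(fd);
 }
 
-void seccomp_keep(const char *fname, char *list) {
-	// open file
-	int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+	// open file for pre-exec filter
+	int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd < 0) {
-		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
 		exit(1);
 	}
 
-	// build filter
+	// build pre-exec filter: whitelist also @default-keep
 	filter_init(fd);
 	// these syscalls are used by firejail after the seccomp filter is initialized
 	int r;
-	r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0);
+	r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
 	assert(r == 0);
 
-	if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
+	if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
+		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
+		exit(1);
+	}
+
+	filter_end_whitelist(fd);
+
+	// close file
+	close(fd);
+
+	// open file for post-exec filter
+	fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	if (fd < 0) {
+		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
+		exit(1);
+	}
+
+	// build post-exec filter: whitelist without @default-keep
+	filter_init(fd);
+
+	if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
 		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
 		exit(1);
 	}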
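Review bot: In seccomp_drop both filters are assembled with filter_add_blacklist yet terminated with `filter_end_whitelist(fd)` (new lines 90 and 110 in the third hunk), while seccomp_default_drop, which builds the same kind of blacklist, terminates with `filter_end_blacklist(fd)` at new line 139; the old code at line 86 also used filter_end_blacklist. The definition of filter_end_whitelist is not on this page, but if it emits a default-deny epilogue as its name suggests, a drop list becomes a deny-everything-else filter and the sandboxed program is killed on its first syscall outside the list, so unless the inversion is deliberate both calls should read `filter_end_blacklist(fd);`. Separately, the unbraced `if (prelist) if (...) { ... }` nesting at new lines 85–89 and 134–138 invites a dangling-else mistake; bracing the outer if would make the intent explicit. The last hunk ends inside seccomp_keep, whose remaining body is not shown.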