Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 118 |
1 files changed, 94 insertions, 24 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index a3db46aad..577f3fdc9 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -27,9 +27,9 @@ | |||
27 | static void add_default_list(int fd, int allow_debuggers) { | 27 | static void add_default_list(int fd, int allow_debuggers) { |
28 | int r; | 28 | int r; |
29 | if (!allow_debuggers) | 29 | if (!allow_debuggers) |
30 | r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0); | 30 | r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL); |
31 | else | 31 | else |
32 | r = syscall_check_list("@default", filter_add_blacklist, fd, 0); | 32 | r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL); |
33 | 33 | ||
34 | assert(r == 0); | 34 | assert(r == 0); |
35 | //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension | 35 | //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension |
@@ -56,7 +56,7 @@ void seccomp_default(const char *fname, int allow_debuggers) { | |||
56 | exit(1); | 56 | exit(1); |
57 | } | 57 | } |
58 | 58 | ||
59 | // build filter | 59 | // build filter (no post-exec filter needed because default list is fine for us) |
60 | filter_init(fd); | 60 | filter_init(fd); |
61 | add_default_list(fd, allow_debuggers); | 61 | add_default_list(fd, allow_debuggers); |
62 | filter_end_blacklist(fd); | 62 | filter_end_blacklist(fd); |
@@ -66,44 +66,94 @@ void seccomp_default(const char *fname, int allow_debuggers) { | |||
66 | } | 66 | } |
67 | 67 | ||
68 | // drop list | 68 | // drop list |
69 | void seccomp_drop(const char *fname, char *list, int allow_debuggers) { | 69 | void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) { |
70 | assert(fname); | 70 | assert(fname1); |
71 | assert(fname2); | ||
71 | (void) allow_debuggers; // todo: to implemnet it | 72 | (void) allow_debuggers; // todo: to implemnet it |
72 | 73 | ||
73 | // open file | 74 | // open file for pre-exec filter |
74 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 75 | int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
75 | if (fd < 0) { | 76 | if (fd < 0) { |
76 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 77 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1); |
77 | exit(1); | 78 | exit(1); |
78 | } | 79 | } |
79 | 80 | ||
80 | // build filter | 81 | // build pre-exec filter: don't blacklist any syscalls in @default-keep |
82 | filter_init(fd); | ||
83 | char *prelist, *postlist; | ||
84 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); | ||
85 | if (prelist) | ||
86 | if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) { | ||
87 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | ||
88 | exit(1); | ||
89 | } | ||
90 | filter_end_whitelist(fd); | ||
91 | // close file | ||
92 | close(fd); | ||
93 | |||
94 | if (!postlist) | ||
95 | return; | ||
96 | |||
97 | // open file for post-exec filter | ||
98 | fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | ||
99 | if (fd < 0) { | ||
100 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2); | ||
101 | exit(1); | ||
102 | } | ||
103 | |||
104 | // build post-exec filter: blacklist remaining syscalls | ||
81 | filter_init(fd); | 105 | filter_init(fd); |
82 | if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { | 106 | if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) { |
83 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | 107 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); |
84 | exit(1); | 108 | exit(1); |
85 | } | 109 | } |
86 | filter_end_blacklist(fd); | 110 | filter_end_whitelist(fd); |
87 | 111 | ||
88 | // close file | 112 | // close file |
89 | close(fd); | 113 | close(fd); |
90 | } | 114 | } |
91 | 115 | ||
92 | // default+drop | 116 | // default+drop |
93 | void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) { | 117 | void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) { |
94 | assert(fname); | 118 | assert(fname1); |
119 | assert(fname2); | ||
95 | 120 | ||
96 | // open file | 121 | // open file |
97 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 122 | int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
98 | if (fd < 0) { | 123 | if (fd < 0) { |
99 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 124 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1); |
100 | exit(1); | 125 | exit(1); |
101 | } | 126 | } |
102 | 127 | ||
103 | // build filter | 128 | // build pre-exec filter: blacklist @default, don't blacklist |
129 | // any listed syscalls in @default-keep | ||
104 | filter_init(fd); | 130 | filter_init(fd); |
105 | add_default_list(fd, allow_debuggers); | 131 | add_default_list(fd, allow_debuggers); |
106 | if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { | 132 | char *prelist, *postlist; |
133 | syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); | ||
134 | if (prelist) | ||
135 | if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) { | ||
136 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | ||
137 | exit(1); | ||
138 | } | ||
139 | filter_end_blacklist(fd); | ||
140 | |||
141 | // close file | ||
142 | close(fd); | ||
143 | |||
144 | if (!postlist) | ||
145 | return; | ||
146 | |||
147 | // open file for post-exec filter | ||
148 | fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | ||
149 | if (fd < 0) { | ||
150 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2); | ||
151 | exit(1); | ||
152 | } | ||
153 | |||
154 | // build post-exec filter: blacklist remaining syscalls | ||
155 | filter_init(fd); | ||
156 | if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) { | ||
107 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | 157 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); |
108 | exit(1); | 158 | exit(1); |
109 | } | 159 | } |
@@ -113,22 +163,42 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) { | |||
113 | close(fd); | 163 | close(fd); |
114 | } | 164 | } |
115 | 165 | ||
116 | void seccomp_keep(const char *fname, char *list) { | 166 | void seccomp_keep(const char *fname1, const char *fname2, char *list) { |
117 | // open file | 167 | // open file for pre-exec filter |
118 | int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 168 | int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
119 | if (fd < 0) { | 169 | if (fd < 0) { |
120 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 170 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1); |
121 | exit(1); | 171 | exit(1); |
122 | } | 172 | } |
123 | 173 | ||
124 | // build filter | 174 | // build pre-exec filter: whitelist also @default-keep |
125 | filter_init(fd); | 175 | filter_init(fd); |
126 | // these syscalls are used by firejail after the seccomp filter is initialized | 176 | // these syscalls are used by firejail after the seccomp filter is initialized |
127 | int r; | 177 | int r; |
128 | r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0); | 178 | r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL); |
129 | assert(r == 0); | 179 | assert(r == 0); |
130 | 180 | ||
131 | if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { | 181 | if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) { |
182 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | ||
183 | exit(1); | ||
184 | } | ||
185 | |||
186 | filter_end_whitelist(fd); | ||
187 | |||
188 | // close file | ||
189 | close(fd); | ||
190 | |||
191 | // open file for post-exec filter | ||
192 | fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | ||
193 | if (fd < 0) { | ||
194 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2); | ||
195 | exit(1); | ||
196 | } | ||
197 | |||
198 | // build post-exec filter: whitelist without @default-keep | ||
199 | filter_init(fd); | ||
200 | |||
201 | if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) { | ||
132 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | 202 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); |
133 | exit(1); | 203 | exit(1); |
134 | } | 204 | } |
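Review bot: seccomp_drop now terminates both of its blacklist-built filters with `filter_end_whitelist(fd);` (new lines 90 and 110) although every rule in them is added through filter_add_blacklist; the old code ended this same filter with filter_end_blacklist (old line 86), and the parallel pre-exec filter in seccomp_default_drop still does (new line 139). If, as the naming suggests, the whitelist terminator denies every syscall the rules did not match, a drop-list filter would reject any syscall that is not in the drop list, which inverts the intended semantics, and with an empty prelist the pre-exec filter would consist of nothing but that terminator. Both lines should read `filter_end_blacklist(fd);` unless the terminator semantics differ from what the names imply, in which case a comment stating why a blacklist is closed with the whitelist terminator belongs at those lines. While here, the unbraced `if (prelist)` wrapping a second `if` (new lines 85-89, repeated at 134-138) invites a dangling-else mistake; `if (prelist && syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {` expresses the same check in one guarded block.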