Diffstat (limited to 'src/fseccomp/syscall.c')
-rw-r--r--src/fseccomp/syscall.c1632
1 files changed, 0 insertions, 1632 deletions
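diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
deleted file mode 100644
index 2b112245c..000000000
--- a/src/fseccomp/syscall.c
+++ /dev/null
@@ -1,1632 +0,0 @@
-/*
- * Copyright (C) 2014-2020 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#define _GNU_SOURCE
-#include "fseccomp.h"
-#include <stdio.h>
-#include <sys/syscall.h>
-
-typedef struct {
- const char * const name;
- int nr;
-} SyscallEntry;
-
-typedef struct {
- const char * const name;
- const char * const list;
-} SyscallGroupList;
-
-typedef struct {
- const char *slist;
- char *prelist, *postlist;
- bool found;
- int syscall;
-} SyscallCheckList;
-
-static const SyscallEntry syslist[] = {
-//
-// code generated using tools/extract-syscall
-//
-#include "../include/syscall.h"
-//
-// end of generated code
-//
-}; // end of syslist
-
-static const SyscallGroupList sysgroups[] = {
- { .name = "@aio", .list =
-#ifdef SYS_io_cancel
- "io_cancel,"
-#endif
-#ifdef SYS_io_destroy
- "io_destroy,"
-#endif
-#ifdef SYS_io_getevents
- "io_getevents,"
-#endif
-#ifdef SYS_io_pgetevents
- "io_pgetevents,"
-#endif
-#ifdef SYS_io_setup
- "io_setup,"
-#endif
-#ifdef SYS_io_submit
- "io_submit"
-#endif
- },
- { .name = "@basic-io", .list =
-#ifdef SYS__llseek
- "_llseek,"
-#endif
-#ifdef SYS_close
- "close,"
-#endif
-#ifdef SYS_dup
- "dup,"
-#endif
-#ifdef SYS_dup2
- "dup2,"
-#endif
-#ifdef SYS_dup3
- "dup3,"
-#endif
-#ifdef SYS_lseek
- "lseek,"
-#endif
-#ifdef SYS_pread64
- "pread64,"
-#endif
-#ifdef SYS_preadv
- "preadv,"
-#endif
-#ifdef SYS_preadv2
- "preadv2,"
-#endif
-#ifdef SYS_pwrite64
- "pwrite64,"
-#endif
-#ifdef SYS_pwritev
- "pwritev,"
-#endif
-#ifdef SYS_pwritev2
- "pwritev2,"
-#endif
-#ifdef SYS_read
- "read,"
-#endif
-#ifdef SYS_readv
- "readv,"
-#endif
-#ifdef SYS_write
- "write,"
-#endif
-#ifdef SYS_writev
- "writev"
-#endif
- },
- { .name = "@chown", .list =
-#ifdef SYS_chown
- "chown,"
-#endif
-#ifdef SYS_chown32
- "chown32,"
-#endif
-#ifdef SYS_fchown
- "fchown,"
-#endif
-#ifdef SYS_fchown32
- "fchown32,"
-#endif
-#ifdef SYS_fchownat
- "fchownat,"
-#endif
-#ifdef SYS_lchown
- "lchown,"
-#endif
-#ifdef SYS_lchown32
- "lchown32"
-#endif
- },
- { .name = "@clock", .list =
-#ifdef SYS_adjtimex
- "adjtimex,"
-#endif
-#ifdef SYS_clock_adjtime
- "clock_adjtime,"
-#endif
-#ifdef SYS_clock_settime
- "clock_settime,"
-#endif
-#ifdef SYS_settimeofday
- "settimeofday,"
-#endif
-#ifdef SYS_stime
- "stime"
-#endif
- },
- { .name = "@cpu-emulation", .list =
-#ifdef SYS_modify_ldt
- "modify_ldt,"
-#endif
-#ifdef SYS_subpage_prot
- "subpage_prot,"
-#endif
-#ifdef SYS_switch_endian
- "switch_endian,"
-#endif
-#ifdef SYS_vm86
- "vm86,"
-#endif
-#ifdef SYS_vm86old
- "vm86old"
-#endif
-#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old)
- "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
-#endif
- },
- { .name = "@debug", .list =
-#ifdef SYS_lookup_dcookie
- "lookup_dcookie,"
-#endif
-#ifdef SYS_perf_event_open
- "perf_event_open,"
-#endif
-#ifdef SYS_process_vm_writev
- "process_vm_writev,"
-#endif
-#ifdef SYS_rtas
- "rtas,"
-#endif
-#ifdef SYS_s390_runtime_instr
- "s390_runtime_instr,"
-#endif
-#ifdef SYS_sys_debug_setcontext
- "sys_debug_setcontext,"
-#endif
- },
- { .name = "@default", .list =
- "@clock,"
- "@cpu-emulation,"
- "@debug,"
- "@module,"
- "@obsolete,"
- "@raw-io,"
- "@reboot,"
- "@swap,"
-#ifdef SYS_open_by_handle_at
- "open_by_handle_at,"
-#endif
-#ifdef SYS_name_to_handle_at
- "name_to_handle_at,"
-#endif
-#ifdef SYS_ioprio_set
- "ioprio_set,"
-#endif
-#ifdef SYS_ni_syscall
- "ni_syscall,"
-#endif
-#ifdef SYS_syslog
- "syslog,"
-#endif
-#ifdef SYS_fanotify_init
- "fanotify_init,"
-#endif
-#ifdef SYS_kcmp
- "kcmp,"
-#endif
-#ifdef SYS_add_key
- "add_key,"
-#endif
-#ifdef SYS_request_key
- "request_key,"
-#endif
-#ifdef SYS_mbind
- "mbind,"
-#endif
-#ifdef SYS_migrate_pages
- "migrate_pages,"
-#endif
-#ifdef SYS_move_pages
- "move_pages,"
-#endif
-#ifdef SYS_keyctl
- "keyctl,"
-#endif
-#ifdef SYS_io_setup
- "io_setup,"
-#endif
-#ifdef SYS_io_destroy
- "io_destroy,"
-#endif
-#ifdef SYS_io_getevents
- "io_getevents,"
-#endif
-#ifdef SYS_io_submit
- "io_submit,"
-#endif
-#ifdef SYS_io_cancel
- "io_cancel,"
-#endif
-#ifdef SYS_remap_file_pages
- "remap_file_pages,"
-#endif
-#ifdef SYS_set_mempolicy
- "set_mempolicy"
-#endif
-#ifdef SYS_vmsplice
- "vmsplice,"
-#endif
-#ifdef SYS_umount
- "umount,"
-#endif
-#ifdef SYS_userfaultfd
- "userfaultfd,"
-#endif
-#ifdef SYS_acct
- "acct,"
-#endif
-#ifdef SYS_bpf
- "bpf,"
-#endif
-#ifdef SYS_chroot
- "chroot,"
-#endif
-#ifdef SYS_mount
- "mount,"
-#endif
-#ifdef SYS_nfsservctl
- "nfsservctl,"
-#endif
-#ifdef SYS_pivot_root
- "pivot_root,"
-#endif
-#ifdef SYS_setdomainname
- "setdomainname,"
-#endif
-#ifdef SYS_sethostname
- "sethostname,"
-#endif
-#ifdef SYS_umount2
- "umount2,"
-#endif
-#ifdef SYS_vhangup
- "vhangup"
-#endif
-//#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
-// "mincore"
-//#endif
- },
- { .name = "@default-nodebuggers", .list =
- "@default,"
-#ifdef SYS_ptrace
- "ptrace,"
-#endif
-#ifdef SYS_personality
- "personality,"
-#endif
-#ifdef SYS_process_vm_readv
- "process_vm_readv"
-#endif
- },
- { .name = "@default-keep", .list =
- "execve,"
- "prctl"
- },
- { .name = "@file-system", .list =
-#ifdef SYS_access
- "access,"
-#endif
-#ifdef SYS_chdir
- "chdir,"
-#endif
-#ifdef SYS_chmod
- "chmod,"
-#endif
-#ifdef SYS_close
- "close,"
-#endif
-#ifdef SYS_creat
- "creat,"
-#endif
-#ifdef SYS_faccessat
- "faccessat,"
-#endif
-#ifdef SYS_fallocate
- "fallocate,"
-#endif
-#ifdef SYS_fchdir
- "fchdir,"
-#endif
-#ifdef SYS_fchmod
- "fchmod,"
-#endif
-#ifdef SYS_fchmodat
- "fchmodat,"
-#endif
-#ifdef SYS_fcntl
- "fcntl,"
-#endif
-#ifdef SYS_fcntl64
- "fcntl64,"
-#endif
-#ifdef SYS_fgetxattr
- "fgetxattr,"
-#endif
-#ifdef SYS_flistxattr
- "flistxattr,"
-#endif
-#ifdef SYS_fremovexattr
- "fremovexattr,"
-#endif
-#ifdef SYS_fsetxattr
- "fsetxattr,"
-#endif
-#ifdef SYS_fstat
- "fstat,"
-#endif
-#ifdef SYS_fstat64
- "fstat64,"
-#endif
-#ifdef SYS_fstatat64
- "fstatat64,"
-#endif
-#ifdef SYS_fstatfs
- "fstatfs,"
-#endif
-#ifdef SYS_fstatfs64
- "fstatfs64,"
-#endif
-#ifdef SYS_ftruncate
- "ftruncate,"
-#endif
-#ifdef SYS_ftruncate64
- "ftruncate64,"
-#endif
-#ifdef SYS_futimesat
- "futimesat,"
-#endif
-#ifdef SYS_getcwd
- "getcwd,"
-#endif
-#ifdef SYS_getdents
- "getdents,"
-#endif
-#ifdef SYS_getdents64
- "getdents64,"
-#endif
-#ifdef SYS_getxattr
- "getxattr,"
-#endif
-#ifdef SYS_inotify_add_watch
- "inotify_add_watch,"
-#endif
-#ifdef SYS_inotify_init
- "inotify_init,"
-#endif
-#ifdef SYS_inotify_init1
- "inotify_init1,"
-#endif
-#ifdef SYS_inotify_rm_watch
- "inotify_rm_watch,"
-#endif
-#ifdef SYS_lgetxattr
- "lgetxattr,"
-#endif
-#ifdef SYS_link
- "link,"
-#endif
-#ifdef SYS_linkat
- "linkat,"
-#endif
-#ifdef SYS_listxattr
- "listxattr,"
-#endif
-#ifdef SYS_llistxattr
- "llistxattr,"
-#endif
-#ifdef SYS_lremovexattr
- "lremovexattr,"
-#endif
-#ifdef SYS_lsetxattr
- "lsetxattr,"
-#endif
-#ifdef SYS_lstat
- "lstat,"
-#endif
-#ifdef SYS_lstat64
- "lstat64,"
-#endif
-#ifdef SYS_mkdir
- "mkdir,"
-#endif
-#ifdef SYS_mkdirat
- "mkdirat,"
-#endif
-#ifdef SYS_mknod
- "mknod,"
-#endif
-#ifdef SYS_mknodat
- "mknodat,"
-#endif
-#ifdef SYS_mmap
- "mmap,"
-#endif
-#ifdef SYS_mmap2
- "mmap2,"
-#endif
-#ifdef SYS_munmap
- "munmap,"
-#endif
-#ifdef SYS_newfstatat
- "newfstatat,"
-#endif
-#ifdef SYS_oldfstat
- "oldfstat,"
-#endif
-#ifdef SYS_oldlstat
- "oldlstat,"
-#endif
-#ifdef SYS_oldstat
- "oldstat,"
-#endif
-#ifdef SYS_open
- "open,"
-#endif
-#ifdef SYS_openat
- "openat,"
-#endif
-#ifdef SYS_readlink
- "readlink,"
-#endif
-#ifdef SYS_readlinkat
- "readlinkat,"
-#endif
-#ifdef SYS_removexattr
- "removexattr,"
-#endif
-#ifdef SYS_rename
- "rename,"
-#endif
-#ifdef SYS_renameat
- "renameat,"
-#endif
-#ifdef SYS_renameat2
- "renameat2,"
-#endif
-#ifdef SYS_rmdir
- "rmdir,"
-#endif
-#ifdef SYS_setxattr
- "setxattr,"
-#endif
-#ifdef SYS_stat
- "stat,"
-#endif
-#ifdef SYS_stat64
- "stat64,"
-#endif
-#ifdef SYS_statfs
- "statfs,"
-#endif
-#ifdef SYS_statfs64
- "statfs64,"
-#endif
-#ifdef SYS_statx
- "statx,"
-#endif
-#ifdef SYS_symlink
- "symlink,"
-#endif
-#ifdef SYS_symlinkat
- "symlinkat,"
-#endif
-#ifdef SYS_truncate
- "truncate,"
-#endif
-#ifdef SYS_truncate64
- "truncate64,"
-#endif
-#ifdef SYS_unlink
- "unlink,"
-#endif
-#ifdef SYS_unlinkat
- "unlinkat,"
-#endif
-#ifdef SYS_utime
- "utime,"
-#endif
-#ifdef SYS_utimensat
- "utimensat,"
-#endif
-#ifdef SYS_utimes
- "utimes"
-#endif
- },
- { .name = "@io-event", .list =
-#ifdef SYS__newselect
- "_newselect,"
-#endif
-#ifdef SYS_epoll_create
- "epoll_create,"
-#endif
-#ifdef SYS_epoll_create1
- "epoll_create1,"
-#endif
-#ifdef SYS_epoll_ctl
- "epoll_ctl,"
-#endif
-#ifdef SYS_epoll_ctl_old
- "epoll_ctl_old,"
-#endif
-#ifdef SYS_epoll_pwait
- "epoll_pwait,"
-#endif
-#ifdef SYS_epoll_wait
- "epoll_wait,"
-#endif
-#ifdef SYS_epoll_wait_old
- "epoll_wait_old,"
-#endif
-#ifdef SYS_eventfd
- "eventfd,"
-#endif
-#ifdef SYS_eventfd2
- "eventfd2,"
-#endif
-#ifdef SYS_poll
- "poll,"
-#endif
-#ifdef SYS_ppoll
- "ppoll,"
-#endif
-#ifdef SYS_pselect6
- "pselect6,"
-#endif
-#ifdef SYS_select
- "select"
-#endif
- },
- { .name = "@ipc", .list =
-#ifdef SYS_ipc
- "ipc,"
-#endif
-#ifdef SYS_memfd_create
- "memfd_create,"
-#endif
-#ifdef SYS_mq_getsetattr
- "mq_getsetattr,"
-#endif
-#ifdef SYS_mq_notify
- "mq_notify,"
-#endif
-#ifdef SYS_mq_open
- "mq_open,"
-#endif
-#ifdef SYS_mq_timedreceive
- "mq_timedreceive,"
-#endif
-#ifdef SYS_mq_timedsend
- "mq_timedsend,"
-#endif
-#ifdef SYS_mq_unlink
- "mq_unlink,"
-#endif
-#ifdef SYS_msgctl
- "msgctl,"
-#endif
-#ifdef SYS_msgget
- "msgget,"
-#endif
-#ifdef SYS_msgrcv
- "msgrcv,"
-#endif
-#ifdef SYS_msgsnd
- "msgsnd,"
-#endif
-#ifdef SYS_pipe
- "pipe,"
-#endif
-#ifdef SYS_pipe2
- "pipe2,"
-#endif
-#ifdef SYS_process_vm_readv
- "process_vm_readv,"
-#endif
-#ifdef SYS_process_vm_writev
- "process_vm_writev,"
-#endif
-#ifdef SYS_semctl
- "semctl,"
-#endif
-#ifdef SYS_semget
- "semget,"
-#endif
-#ifdef SYS_semop
- "semop,"
-#endif
-#ifdef SYS_semtimedop
- "semtimedop,"
-#endif
-#ifdef SYS_shmat
- "shmat,"
-#endif
-#ifdef SYS_shmctl
- "shmctl,"
-#endif
-#ifdef SYS_shmdt
- "shmdt,"
-#endif
-#ifdef SYS_shmget
- "shmget"
-#endif
- },
- { .name = "@keyring", .list =
-#ifdef SYS_add_key
- "add_key,"
-#endif
-#ifdef SYS_keyctl
- "keyctl,"
-#endif
-#ifdef SYS_request_key
- "request_key"
-#endif
- },
- { .name = "@memlock", .list =
-#ifdef SYS_mlock
- "mlock,"
-#endif
-#ifdef SYS_mlock2
- "mlock2,"
-#endif
-#ifdef SYS_mlockall
- "mlockall,"
-#endif
-#ifdef SYS_munlock
- "munlock,"
-#endif
-#ifdef SYS_munlockall
- "munlockall"
-#endif
- },
- { .name = "@module", .list =
-#ifdef SYS_delete_module
- "delete_module,"
-#endif
-#ifdef SYS_finit_module
- "finit_module,"
-#endif
-#ifdef SYS_init_module
- "init_module"
-#endif
- },
- { .name = "@mount", .list =
-#ifdef SYS_chroot
- "chroot,"
-#endif
-#ifdef SYS_mount
- "mount,"
-#endif
-#ifdef SYS_pivot_root
- "pivot_root,"
-#endif
-#ifdef SYS_umount
- "umount,"
-#endif
-#ifdef SYS_umount2
- "umount2"
-#endif
- },
- { .name = "@network-io", .list =
-#ifdef SYS_accept
- "accept,"
-#endif
-#ifdef SYS_accept4
- "accept4,"
-#endif
-#ifdef SYS_bind
- "bind,"
-#endif
-#ifdef SYS_connect
- "connect,"
-#endif
-#ifdef SYS_getpeername
- "getpeername,"
-#endif
-#ifdef SYS_getsockname
- "getsockname,"
-#endif
-#ifdef SYS_getsockopt
- "getsockopt,"
-#endif
-#ifdef SYS_listen
- "listen,"
-#endif
-#ifdef SYS_recv
- "recv,"
-#endif
-#ifdef SYS_recvfrom
- "recvfrom,"
-#endif
-#ifdef SYS_recvmmsg
- "recvmmsg,"
-#endif
-#ifdef SYS_recvmsg
- "recvmsg,"
-#endif
-#ifdef SYS_send
- "send,"
-#endif
-#ifdef SYS_sendmmsg
- "sendmmsg,"
-#endif
-#ifdef SYS_sendmsg
- "sendmsg,"
-#endif
-#ifdef SYS_sendto
- "sendto,"
-#endif
-#ifdef SYS_setsockopt
- "setsockopt,"
-#endif
-#ifdef SYS_shutdown
- "shutdown,"
-#endif
-#ifdef SYS_socket
- "socket,"
-#endif
-#ifdef SYS_socketcall
- "socketcall,"
-#endif
-#ifdef SYS_socketpair
- "socketpair"
-#endif
- },
- { .name = "@obsolete", .list =
-#ifdef SYS__sysctl
- "_sysctl,"
-#endif
-#ifdef SYS_afs_syscall
- "afs_syscall,"
-#endif
-#ifdef SYS_bdflush
- "bdflush,"
-#endif
-#ifdef SYS_break
- "break,"
-#endif
-#ifdef SYS_create_module
- "create_module,"
-#endif
-#ifdef SYS_ftime
- "ftime,"
-#endif
-#ifdef SYS_get_kernel_syms
- "get_kernel_syms,"
-#endif
-#ifdef SYS_getpmsg
- "getpmsg,"
-#endif
-#ifdef SYS_gtty
- "gtty,"
-#endif
-#ifdef SYS_idle
- "idle,"
-#endif
-#ifdef SYS_lock
- "lock,"
-#endif
-#ifdef SYS_mpx
- "mpx,"
-#endif
-#ifdef SYS_prof
- "prof,"
-#endif
-#ifdef SYS_profil
- "profil,"
-#endif
-#ifdef SYS_putpmsg
- "putpmsg,"
-#endif
-#ifdef SYS_query_module
- "query_module,"
-#endif
-#ifdef SYS_security
- "security,"
-#endif
-#ifdef SYS_sgetmask
- "sgetmask,"
-#endif
-#ifdef SYS_ssetmask
- "ssetmask,"
-#endif
-#ifdef SYS_stty
- "stty,"
-#endif
-#ifdef SYS_sysfs
- "sysfs,"
-#endif
-#ifdef SYS_tuxcall
- "tuxcall,"
-#endif
-#ifdef SYS_ulimit
- "ulimit,"
-#endif
-#ifdef SYS_uselib
- "uselib,"
-#endif
-#ifdef SYS_ustat
- "ustat,"
-#endif
-#ifdef SYS_vserver
- "vserver"
-#endif
-#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
- "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
-#endif
- },
- { .name = "@privileged", .list =
- "@chown,"
- "@clock,"
- "@module,"
- "@raw-io,"
- "@reboot,"
- "@swap,"
-#ifdef SYS__sysctl
- "_sysctl,"
-#endif
-#ifdef SYS_acct
- "acct,"
-#endif
-#ifdef SYS_bpf
- "bpf,"
-#endif
-#ifdef SYS_capset
- "capset,"
-#endif
-#ifdef SYS_chroot
- "chroot,"
-#endif
-#ifdef SYS_fanotify_init
- "fanotify_init,"
-#endif
-#ifdef SYS_mount
- "mount,"
-#endif
-#ifdef SYS_nfsservctl
- "nfsservctl,"
-#endif
-#ifdef SYS_open_by_handle_at
- "open_by_handle_at,"
-#endif
-#ifdef SYS_pivot_root
- "pivot_root,"
-#endif
-#ifdef SYS_quotactl
- "quotactl,"
-#endif
-#ifdef SYS_setdomainname
- "setdomainname,"
-#endif
-#ifdef SYS_setfsuid
- "setfsuid,"
-#endif
-#ifdef SYS_setfsuid32
- "setfsuid32,"
-#endif
-#ifdef SYS_setgroups
- "setgroups,"
-#endif
-#ifdef SYS_setgroups32
- "setgroups32,"
-#endif
-#ifdef SYS_sethostname
- "sethostname,"
-#endif
-#ifdef SYS_setresuid
- "setresuid,"
-#endif
-#ifdef SYS_setresuid32
- "setresuid32,"
-#endif
-#ifdef SYS_setreuid
- "setreuid,"
-#endif
-#ifdef SYS_setreuid32
- "setreuid32,"
-#endif
-#ifdef SYS_setuid
- "setuid,"
-#endif
-#ifdef SYS_setuid32
- "setuid32,"
-#endif
-#ifdef SYS_umount2
- "umount2,"
-#endif
-#ifdef SYS_vhangup
- "vhangup"
-#endif
- },
- { .name = "@process", .list =
-#ifdef SYS_arch_prctl
- "arch_prctl,"
-#endif
-#ifdef SYS_capget
- "capget,"
-#endif
-#ifdef SYS_clone
- "clone,"
-#endif
-#ifdef SYS_execveat
- "execveat,"
-#endif
-#ifdef SYS_fork
- "fork,"
-#endif
-#ifdef SYS_getrusage
- "getrusage,"
-#endif
-#ifdef SYS_kill
- "kill,"
-#endif
-#ifdef SYS_pidfd_send_signal
- "pidfd_send_signal,"
-#endif
-#ifdef SYS_prctl
- "prctl,"
-#endif
-#ifdef SYS_rt_sigqueueinfo
- "rt_sigqueueinfo,"
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
- "rt_tgsigqueueinfo,"
-#endif
-#ifdef SYS_setns
- "setns,"
-#endif
-#ifdef SYS_swapcontext
- "swapcontext,"
-#endif
-#ifdef SYS_tgkill
- "tgkill,"
-#endif
-#ifdef SYS_times
- "times,"
-#endif
-#ifdef SYS_tkill
- "tkill,"
-#endif
-#ifdef SYS_unshare
- "unshare,"
-#endif
-#ifdef SYS_vfork
- "vfork,"
-#endif
-#ifdef SYS_wait4
- "wait4,"
-#endif
-#ifdef SYS_waitid
- "waitid,"
-#endif
-#ifdef SYS_waitpid
- "waitpid"
-#endif
- },
- { .name = "@raw-io", .list =
-#ifdef SYS_ioperm
- "ioperm,"
-#endif
-#ifdef SYS_iopl
- "iopl,"
-#endif
-#ifdef SYS_pciconfig_iobase
- "pciconfig_iobase,"
-#endif
-#ifdef SYS_pciconfig_read
- "pciconfig_read,"
-#endif
-#ifdef SYS_pciconfig_write
- "pciconfig_write,"
-#endif
-#ifdef SYS_s390_mmio_read
- "s390_mmio_read,"
-#endif
-#ifdef SYS_s390_mmio_write
- "s390_mmio_write"
-#endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
- "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
-#endif
- },
- { .name = "@reboot", .list =
-#ifdef SYS_kexec_load
- "kexec_load,"
-#endif
-#ifdef SYS_kexec_file_load
- "kexec_file_load,"
-#endif
-#ifdef SYS_reboot
- "reboot,"
-#endif
- },
- { .name = "@resources", .list =
-#ifdef SYS_ioprio_set
- "ioprio_set,"
-#endif
-#ifdef SYS_mbind
- "mbind,"
-#endif
-#ifdef SYS_migrate_pages
- "migrate_pages,"
-#endif
-#ifdef SYS_move_pages
- "move_pages,"
-#endif
-#ifdef SYS_nice
- "nice,"
-#endif
-#ifdef SYS_sched_setaffinity
- "sched_setaffinity,"
-#endif
-#ifdef SYS_sched_setattr
- "sched_setattr,"
-#endif
-#ifdef SYS_sched_setparam
- "sched_setparam,"
-#endif
-#ifdef SYS_sched_setscheduler
- "sched_setscheduler,"
-#endif
-#ifdef SYS_set_mempolicy
- "set_mempolicy"
-#endif
- },
- { .name = "@setuid", .list =
-#ifdef SYS_setgid
- "setgid,"
-#endif
-#ifdef SYS_setgid32
- "setgid32,"
-#endif
-#ifdef SYS_setgroups
- "setgroups,"
-#endif
-#ifdef SYS_setgroups32
- "setgroups32,"
-#endif
-#ifdef SYS_setregid
- "setregid,"
-#endif
-#ifdef SYS_setregid32
- "setregid32,"
-#endif
-#ifdef SYS_setresgid
- "setresgid,"
-#endif
-#ifdef SYS_setresgid32
- "setresgid32,"
-#endif
-#ifdef SYS_setresuid
- "setresuid,"
-#endif
-#ifdef SYS_setresuid32
- "setresuid32,"
-#endif
-#ifdef SYS_setreuid
- "setreuid,"
-#endif
-#ifdef SYS_setreuid32
- "setreuid32,"
-#endif
-#ifdef SYS_setuid
- "setuid,"
-#endif
-#ifdef SYS_setuid32
- "setuid32"
-#endif
- },
- { .name = "@signal", .list =
-#ifdef SYS_rt_sigaction
- "rt_sigaction,"
-#endif
-#ifdef SYS_rt_sigpending
- "rt_sigpending,"
-#endif
-#ifdef SYS_rt_sigprocmask
- "rt_sigprocmask,"
-#endif
-#ifdef SYS_rt_sigsuspend
- "rt_sigsuspend,"
-#endif
-#ifdef SYS_rt_sigtimedwait
- "rt_sigtimedwait,"
-#endif
-#ifdef SYS_sigaction
- "sigaction,"
-#endif
-#ifdef SYS_sigaltstack
- "sigaltstack,"
-#endif
-#ifdef SYS_signal
- "signal,"
-#endif
-#ifdef SYS_signalfd
- "signalfd,"
-#endif
-#ifdef SYS_signalfd4
- "signalfd4,"
-#endif
-#ifdef SYS_sigpending
- "sigpending,"
-#endif
-#ifdef SYS_sigprocmask
- "sigprocmask,"
-#endif
-#ifdef SYS_sigsuspend
- "sigsuspend"
-#endif
- },
- { .name = "@swap", .list =
-#ifdef SYS_swapon
- "swapon,"
-#endif
-#ifdef SYS_swapoff
- "swapoff"
-#endif
- },
- { .name = "@sync", .list =
-#ifdef SYS_fdatasync
- "fdatasync,"
-#endif
-#ifdef SYS_fsync
- "fsync,"
-#endif
-#ifdef SYS_msync
- "msync,"
-#endif
-#ifdef SYS_sync
- "sync,"
-#endif
-#ifdef SYS_sync_file_range
- "sync_file_range,"
-#endif
-#ifdef SYS_sync_file_range2
- "sync_file_range2,"
-#endif
-#ifdef SYS_syncfs
- "syncfs"
-#endif
- },
- { .name = "@system-service", .list =
- "@aio,"
- "@basic-io,"
- "@chown,"
- "@default,"
- "@file-system,"
- "@io-event,"
- "@ipc,"
- "@keyring,"
- "@memlock,"
- "@network-io,"
- "@process,"
- "@resources,"
- "@setuid,"
- "@signal,"
- "@sync,"
- "@timer,"
-#ifdef SYS_brk
- "brk,"
-#endif
-#ifdef SYS_capget
- "capget,"
-#endif
-#ifdef SYS_capset
- "capset,"
-#endif
-#ifdef SYS_copy_file_range
- "copy_file_range,"
-#endif
-#ifdef SYS_fadvise64
- "fadvise64,"
-#endif
-#ifdef SYS_fadvise64_64
- "fadvise64_64,"
-#endif
-#ifdef SYS_flock
- "flock,"
-#endif
-#ifdef SYS_get_mempolicy
- "get_mempolicy,"
-#endif
-#ifdef SYS_getcpu
- "getcpu,"
-#endif
-#ifdef SYS_getpriority
- "getpriority,"
-#endif
-#ifdef SYS_getrandom
- "getrandom,"
-#endif
-#ifdef SYS_ioctl
- "ioctl,"
-#endif
-#ifdef SYS_ioprio_get
- "ioprio_get,"
-#endif
-#ifdef SYS_kcmp
- "kcmp,"
-#endif
-#ifdef SYS_madvise
- "madvise,"
-#endif
-#ifdef SYS_mprotect
- "mprotect,"
-#endif
-#ifdef SYS_mremap
- "mremap,"
-#endif
-#ifdef SYS_name_to_handle_at
- "name_to_handle_at,"
-#endif
-#ifdef SYS_oldolduname
- "oldolduname,"
-#endif
-#ifdef SYS_olduname
- "olduname,"
-#endif
-#ifdef SYS_personality
- "personality,"
-#endif
-#ifdef SYS_readahead
- "readahead,"
-#endif
-#ifdef SYS_readdir
- "readdir,"
-#endif
-#ifdef SYS_remap_file_pages
- "remap_file_pages,"
-#endif
-#ifdef SYS_sched_get_priority_max
- "sched_get_priority_max,"
-#endif
-#ifdef SYS_sched_get_priority_min
- "sched_get_priority_min,"
-#endif
-#ifdef SYS_sched_getaffinity
- "sched_getaffinity,"
-#endif
-#ifdef SYS_sched_getattr
- "sched_getattr,"
-#endif
-#ifdef SYS_sched_getparam
- "sched_getparam,"
-#endif
-#ifdef SYS_sched_getscheduler
- "sched_getscheduler,"
-#endif
-#ifdef SYS_sched_rr_get_interval
- "sched_rr_get_interval,"
-#endif
-#ifdef SYS_sched_yield
- "sched_yield,"
-#endif
-#ifdef SYS_sendfile
- "sendfile,"
-#endif
-#ifdef SYS_sendfile64
- "sendfile64,"
-#endif
-#ifdef SYS_setfsgid
- "setfsgid,"
-#endif
-#ifdef SYS_setfsgid32
- "setfsgid32,"
-#endif
-#ifdef SYS_setfsuid
- "setfsuid,"
-#endif
-#ifdef SYS_setfsuid32
- "setfsuid32,"
-#endif
-#ifdef SYS_setpgid
- "setpgid,"
-#endif
-#ifdef SYS_setsid
- "setsid,"
-#endif
-#ifdef SYS_splice
- "splice,"
-#endif
-#ifdef SYS_sysinfo
- "sysinfo,"
-#endif
-#ifdef SYS_tee
- "tee,"
-#endif
-#ifdef SYS_umask
- "umask,"
-#endif
-#ifdef SYS_uname
- "uname,"
-#endif
-#ifdef SYS_userfaultfd
- "userfaultfd,"
-#endif
-#ifdef SYS_vmsplice
- "vmsplice"
-#endif
- },
- { .name = "@timer", .list =
-#ifdef SYS_alarm
- "alarm,"
-#endif
-#ifdef SYS_getitimer
- "getitimer,"
-#endif
-#ifdef SYS_setitimer
- "setitimer,"
-#endif
-#ifdef SYS_timer_create
- "timer_create,"
-#endif
-#ifdef SYS_timer_delete
- "timer_delete,"
-#endif
-#ifdef SYS_timer_getoverrun
- "timer_getoverrun,"
-#endif
-#ifdef SYS_timer_gettime
- "timer_gettime,"
-#endif
-#ifdef SYS_timer_settime
- "timer_settime,"
-#endif
-#ifdef SYS_timerfd_create
- "timerfd_create,"
-#endif
-#ifdef SYS_timerfd_gettime
- "timerfd_gettime,"
-#endif
-#ifdef SYS_timerfd_settime
- "timerfd_settime,"
-#endif
-#ifdef SYS_times
- "times"
-#endif
- }
-};
-
-// return -1 if error, or syscall number
-static int syscall_find_name(const char *name) {
- int i;
- int elems = sizeof(syslist) / sizeof(syslist[0]);
- for (i = 0; i < elems; i++) {
- if (strcmp(name, syslist[i].name) == 0)
- return syslist[i].nr;
- }
-
- return -1;
-}
-
-const char *syscall_find_nr(int nr) {
- int i;
- int elems = sizeof(syslist) / sizeof(syslist[0]);
- for (i = 0; i < elems; i++) {
- if (nr == syslist[i].nr)
- return syslist[i].name;
- }
-
- return "unknown";
-}
-
-void syscall_print(void) {
- int i;
- int elems = sizeof(syslist) / sizeof(syslist[0]);
- for (i = 0; i < elems; i++) {
- printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
- }
- printf("\n");
-}
-
-static const char *syscall_find_group(const char *name) {
- int i;
- int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
- for (i = 0; i < elems; i++) {
- if (strcmp(name, sysgroups[i].name) == 0)
- return sysgroups[i].list;
- }
-
- return NULL;
-}
-
-// allowed input:
-// - syscall
-// - syscall(error)
-static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
- assert(name);
- if (strlen(name) == 0)
- goto error;
- *error_nr = -1;
-
- // syntax check
- char *str = strdup(name);
- if (!str)
- errExit("strdup");
-
- char *syscall_name = str;
- char *error_name = strchr(str, ':');
- if (error_name) {
- *error_name = '\0';
- error_name++;
- }
- if (strlen(syscall_name) == 0) {
- free(str);
- goto error;
- }
-
- if (*syscall_name == '$')
- *syscall_nr = strtol(syscall_name + 1, NULL, 0);
- else
- *syscall_nr = syscall_find_name(syscall_name);
- if (error_name) {
- *error_nr = errno_find_name(error_name);
- if (*error_nr == -1)
- *syscall_nr = -1;
- }
-
- free(str);
- return;
-
-error:
- fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
- exit(1);
-}
-
-// return 1 if error, 0 if OK
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg) {
- // don't allow empty lists
- if (slist == NULL || *slist == '\0') {
- fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
- exit(1);
- }
-
- // work on a copy of the string
- char *str = strdup(slist);
- if (!str)
- errExit("strdup");
-
- char *saveptr;
- char *ptr = strtok_r(str, ",", &saveptr);
- if (ptr == NULL) {
- fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
- exit(1);
- }
-
- while (ptr) {
- int syscall_nr;
- int error_nr;
- if (*ptr == '@') {
- const char *new_list = syscall_find_group(ptr);
- if (!new_list) {
- fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
- exit(1);
- }
- syscall_check_list(new_list, callback, fd, arg, ptrarg);
- }
- else {
- bool negate = false;
- if (*ptr == '!') {
- negate = true;
- ptr++;
- }
- syscall_process_name(ptr, &syscall_nr, &error_nr);
- if (syscall_nr == -1) {;}
- else if (callback != NULL) {
- if (negate) {
- syscall_nr = -syscall_nr;
- }
- if (error_nr != -1 && fd != 0) {
- filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
- }
- else if (error_nr != -1 && fd == 0) {
- callback(fd, syscall_nr, error_nr, ptrarg);
- }
- else {
- callback(fd, syscall_nr, arg, ptrarg);
- }
- }
- }
- ptr = strtok_r(NULL, ",", &saveptr);
- }
-
- free(str);
- return 0;
-}
-
-static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
- (void)fd;
- (void) arg;
- SyscallCheckList *ptr = ptrarg;
- if (abs(syscall) == ptr->syscall)
- ptr->found = true;
-}
-
-// go through list2 and find matches for problem syscall
-static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
- (void) fd;
- (void)arg;
- SyscallCheckList *ptr = ptrarg;
- SyscallCheckList sl;
- sl.found = false;
- sl.syscall = syscall;
- syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
- // if found in the problem list, add to post-exec list
- if (sl.found) {
- if (ptr->postlist) {
- if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
- errExit("asprintf");
- }
- else
- ptr->postlist = strdup(syscall_find_nr(syscall));
- }
- else { // no problem, add to pre-exec list
- // build syscall:error_no
- char *newcall = NULL;
- if (arg != 0) {
- if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
- errExit("asprintf");
- }
- else {
- newcall = strdup(syscall_find_nr(syscall));
- if (!newcall)
- errExit("strdup");
- }
-
- if (ptr->prelist) {
- if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
- errExit("asprintf");
- free(newcall);
- }
- else
- ptr->prelist = newcall;
- }
-}
-
-// go through list and find matches for syscalls in list @default-keep
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist) {
- (void) fd;
- SyscallCheckList sl;
- // these syscalls are used by firejail after the seccomp filter is initialized
- sl.slist = slist;
- sl.prelist = NULL;
- sl.postlist = NULL;
- syscall_check_list(list, syscall_in_list, 0, 0, &sl);
- if (!arg_quiet) {
- printf("Seccomp list in: %s,", list);
- if (sl.slist)
- printf(" check list: %s,", sl.slist);
- if (sl.prelist)
- printf(" prelist: %s,", sl.prelist);
- if (sl.postlist)
- printf(" postlist: %s", sl.postlist);
- printf("\n");
- }
- *prelist = sl.prelist;
- *postlist = sl.postlist;
-}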