aboutsummaryrefslogtreecommitdiffstats
path: root/src/fseccomp
diff options
context:
space:
mode:
Diffstat (limited to 'src/fseccomp')
-rw-r--r--src/fseccomp/Makefile.in4
-rw-r--r--src/fseccomp/errno.c204
-rw-r--r--src/fseccomp/fseccomp.h34
-rw-r--r--src/fseccomp/main.c41
-rw-r--r--src/fseccomp/protocol.c21
-rw-r--r--src/fseccomp/seccomp.c143
-rw-r--r--src/fseccomp/seccomp_file.c33
-rw-r--r--src/fseccomp/syscall.c1632
8 files changed, 203 insertions, 1909 deletions
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 67e074b3d..8623db6f8 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
7 7
8fseccomp: $(OBJS) 8fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o
9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
10 10
11clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist 11clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
12 12
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
deleted file mode 100644
index 9c5aa770c..000000000
--- a/src/fseccomp/errno.c
+++ /dev/null
@@ -1,204 +0,0 @@
1/*
2 * Copyright (C) 2014-2020 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#include "fseccomp.h"
21
22#include <errno.h>
23//#include <attr/xattr.h>
24
25typedef struct {
26 char *name;
27 int nr;
28} ErrnoEntry;
29
30static ErrnoEntry errnolist[] = {
31//
32// code generated using tools/extract-errnos
33//
34 {"EPERM", EPERM},
35 {"ENOENT", ENOENT},
36 {"ESRCH", ESRCH},
37 {"EINTR", EINTR},
38 {"EIO", EIO},
39 {"ENXIO", ENXIO},
40 {"E2BIG", E2BIG},
41 {"ENOEXEC", ENOEXEC},
42 {"EBADF", EBADF},
43 {"ECHILD", ECHILD},
44 {"EAGAIN", EAGAIN},
45 {"ENOMEM", ENOMEM},
46 {"EACCES", EACCES},
47 {"EFAULT", EFAULT},
48 {"ENOTBLK", ENOTBLK},
49 {"EBUSY", EBUSY},
50 {"EEXIST", EEXIST},
51 {"EXDEV", EXDEV},
52 {"ENODEV", ENODEV},
53 {"ENOTDIR", ENOTDIR},
54 {"EISDIR", EISDIR},
55 {"EINVAL", EINVAL},
56 {"ENFILE", ENFILE},
57 {"EMFILE", EMFILE},
58 {"ENOTTY", ENOTTY},
59 {"ETXTBSY", ETXTBSY},
60 {"EFBIG", EFBIG},
61 {"ENOSPC", ENOSPC},
62 {"ESPIPE", ESPIPE},
63 {"EROFS", EROFS},
64 {"EMLINK", EMLINK},
65 {"EPIPE", EPIPE},
66 {"EDOM", EDOM},
67 {"ERANGE", ERANGE},
68 {"EDEADLK", EDEADLK},
69 {"ENAMETOOLONG", ENAMETOOLONG},
70 {"ENOLCK", ENOLCK},
71 {"ENOSYS", ENOSYS},
72 {"ENOTEMPTY", ENOTEMPTY},
73 {"ELOOP", ELOOP},
74 {"EWOULDBLOCK", EWOULDBLOCK},
75 {"ENOMSG", ENOMSG},
76 {"EIDRM", EIDRM},
77 {"ECHRNG", ECHRNG},
78 {"EL2NSYNC", EL2NSYNC},
79 {"EL3HLT", EL3HLT},
80 {"EL3RST", EL3RST},
81 {"ELNRNG", ELNRNG},
82 {"EUNATCH", EUNATCH},
83 {"ENOCSI", ENOCSI},
84 {"EL2HLT", EL2HLT},
85 {"EBADE", EBADE},
86 {"EBADR", EBADR},
87 {"EXFULL", EXFULL},
88 {"ENOANO", ENOANO},
89 {"EBADRQC", EBADRQC},
90 {"EBADSLT", EBADSLT},
91 {"EDEADLOCK", EDEADLOCK},
92 {"EBFONT", EBFONT},
93 {"ENOSTR", ENOSTR},
94 {"ENODATA", ENODATA},
95 {"ETIME", ETIME},
96 {"ENOSR", ENOSR},
97 {"ENONET", ENONET},
98 {"ENOPKG", ENOPKG},
99 {"EREMOTE", EREMOTE},
100 {"ENOLINK", ENOLINK},
101 {"EADV", EADV},
102 {"ESRMNT", ESRMNT},
103 {"ECOMM", ECOMM},
104 {"EPROTO", EPROTO},
105 {"EMULTIHOP", EMULTIHOP},
106 {"EDOTDOT", EDOTDOT},
107 {"EBADMSG", EBADMSG},
108 {"EOVERFLOW", EOVERFLOW},
109 {"ENOTUNIQ", ENOTUNIQ},
110 {"EBADFD", EBADFD},
111 {"EREMCHG", EREMCHG},
112 {"ELIBACC", ELIBACC},
113 {"ELIBBAD", ELIBBAD},
114 {"ELIBSCN", ELIBSCN},
115 {"ELIBMAX", ELIBMAX},
116 {"ELIBEXEC", ELIBEXEC},
117 {"EILSEQ", EILSEQ},
118 {"ERESTART", ERESTART},
119 {"ESTRPIPE", ESTRPIPE},
120 {"EUSERS", EUSERS},
121 {"ENOTSOCK", ENOTSOCK},
122 {"EDESTADDRREQ", EDESTADDRREQ},
123 {"EMSGSIZE", EMSGSIZE},
124 {"EPROTOTYPE", EPROTOTYPE},
125 {"ENOPROTOOPT", ENOPROTOOPT},
126 {"EPROTONOSUPPORT", EPROTONOSUPPORT},
127 {"ESOCKTNOSUPPORT", ESOCKTNOSUPPORT},
128 {"EOPNOTSUPP", EOPNOTSUPP},
129 {"EPFNOSUPPORT", EPFNOSUPPORT},
130 {"EAFNOSUPPORT", EAFNOSUPPORT},
131 {"EADDRINUSE", EADDRINUSE},
132 {"EADDRNOTAVAIL", EADDRNOTAVAIL},
133 {"ENETDOWN", ENETDOWN},
134 {"ENETUNREACH", ENETUNREACH},
135 {"ENETRESET", ENETRESET},
136 {"ECONNABORTED", ECONNABORTED},
137 {"ECONNRESET", ECONNRESET},
138 {"ENOBUFS", ENOBUFS},
139 {"EISCONN", EISCONN},
140 {"ENOTCONN", ENOTCONN},
141 {"ESHUTDOWN", ESHUTDOWN},
142 {"ETOOMANYREFS", ETOOMANYREFS},
143 {"ETIMEDOUT", ETIMEDOUT},
144 {"ECONNREFUSED", ECONNREFUSED},
145 {"EHOSTDOWN", EHOSTDOWN},
146 {"EHOSTUNREACH", EHOSTUNREACH},
147 {"EALREADY", EALREADY},
148 {"EINPROGRESS", EINPROGRESS},
149 {"ESTALE", ESTALE},
150 {"EUCLEAN", EUCLEAN},
151 {"ENOTNAM", ENOTNAM},
152 {"ENAVAIL", ENAVAIL},
153 {"EISNAM", EISNAM},
154 {"EREMOTEIO", EREMOTEIO},
155 {"EDQUOT", EDQUOT},
156 {"ENOMEDIUM", ENOMEDIUM},
157 {"EMEDIUMTYPE", EMEDIUMTYPE},
158 {"ECANCELED", ECANCELED},
159 {"ENOKEY", ENOKEY},
160 {"EKEYEXPIRED", EKEYEXPIRED},
161 {"EKEYREVOKED", EKEYREVOKED},
162 {"EKEYREJECTED", EKEYREJECTED},
163 {"EOWNERDEAD", EOWNERDEAD},
164 {"ENOTRECOVERABLE", ENOTRECOVERABLE},
165 {"ERFKILL", ERFKILL},
166 {"EHWPOISON", EHWPOISON},
167 {"ENOTSUP", ENOTSUP},
168#ifdef ENOATTR
169 {"ENOATTR", ENOATTR},
170#endif
171};
172
173int errno_find_name(const char *name) {
174 int i;
175 int elems = sizeof(errnolist) / sizeof(errnolist[0]);
176 for (i = 0; i < elems; i++) {
177 if (strcasecmp(name, errnolist[i].name) == 0)
178 return errnolist[i].nr;
179 }
180
181 return -1;
182}
183
184char *errno_find_nr(int nr) {
185 int i;
186 int elems = sizeof(errnolist) / sizeof(errnolist[0]);
187 for (i = 0; i < elems; i++) {
188 if (nr == errnolist[i].nr)
189 return errnolist[i].name;
190 }
191
192 return "unknown";
193}
194
195
196
197void errno_print(void) {
198 int i;
199 int elems = sizeof(errnolist) / sizeof(errnolist[0]);
200 for (i = 0; i < elems; i++) {
201 printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name);
202 }
203 printf("\n");
204}
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index bf55870f2..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -24,21 +24,11 @@
24#include <string.h> 24#include <string.h>
25#include <assert.h> 25#include <assert.h>
26#include "../include/common.h" 26#include "../include/common.h"
27#include "../include/syscall.h"
27 28
28// main.c 29// main.c
29extern int arg_quiet; 30extern int arg_quiet;
30 31
31// syscall.c
32void syscall_print(void);
33int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
34const char *syscall_find_nr(int nr);
35void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
36
37// errno.c
38void errno_print(void);
39int errno_find_name(const char *name);
40char *errno_find_nr(int nr);
41
42// protocol.c 32// protocol.c
43void protocol_print(void); 33void protocol_print(void);
44void protocol_build_filter(const char *prlist, const char *fname); 34void protocol_build_filter(const char *prlist, const char *fname);
@@ -49,27 +39,27 @@ void seccomp_secondary_32(const char *fname);
49void seccomp_secondary_block(const char *fname); 39void seccomp_secondary_block(const char *fname);
50 40
51// seccomp_file.c 41// seccomp_file.c
52void write_to_file(int fd, const void *data, int size); 42void write_to_file(int fd, const void *data, size_t size);
53void filter_init(int fd); 43void filter_init(int fd, bool native);
54void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg); 44void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native);
55void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg); 45void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
56void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg); 46void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native);
57void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg); 47void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
58void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
59void filter_end_blacklist(int fd); 48void filter_end_blacklist(int fd);
60void filter_end_whitelist(int fd); 49void filter_end_whitelist(int fd);
61 50
62// seccomp.c 51// seccomp.c
63// default list 52// default list
64void seccomp_default(const char *fname, int allow_debuggers); 53void seccomp_default(const char *fname, int allow_debuggers, bool native);
65// drop list 54// drop list
66void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers); 55void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
67// default+drop list 56// default+drop list
68void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers); 57void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
69// whitelisted filter 58// whitelisted filter
70void seccomp_keep(const char *fname1, const char *fname2, char *list); 59void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native);
71// block writable and executable memory 60// block writable and executable memory
72void memory_deny_write_execute(const char *fname); 61void memory_deny_write_execute(const char *fname);
62void memory_deny_write_execute_32(const char *fname);
73 63
74// seccomp_print 64// seccomp_print
75void filter_print(const char *fname); 65void filter_print(const char *fname);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 82b96f476..b3161a6db 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -23,6 +23,7 @@ int arg_quiet = 0;
23static void usage(void) { 23static void usage(void) {
24 printf("Usage:\n"); 24 printf("Usage:\n");
25 printf("\tfseccomp debug-syscalls\n"); 25 printf("\tfseccomp debug-syscalls\n");
26 printf("\tfseccomp debug-syscalls32\n");
26 printf("\tfseccomp debug-errnos\n"); 27 printf("\tfseccomp debug-errnos\n");
27 printf("\tfseccomp debug-protocols\n"); 28 printf("\tfseccomp debug-protocols\n");
28 printf("\tfseccomp protocol build list file\n"); 29 printf("\tfseccomp protocol build list file\n");
@@ -31,12 +32,20 @@ static void usage(void) {
31 printf("\tfseccomp secondary block file\n"); 32 printf("\tfseccomp secondary block file\n");
32 printf("\tfseccomp default file\n"); 33 printf("\tfseccomp default file\n");
33 printf("\tfseccomp default file allow-debuggers\n"); 34 printf("\tfseccomp default file allow-debuggers\n");
35 printf("\tfseccomp default32 file\n");
36 printf("\tfseccomp default32 file allow-debuggers\n");
34 printf("\tfseccomp drop file1 file2 list\n"); 37 printf("\tfseccomp drop file1 file2 list\n");
35 printf("\tfseccomp drop file1 file2 list allow-debuggers\n"); 38 printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
39 printf("\tfseccomp drop32 file1 file2 list\n");
40 printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
36 printf("\tfseccomp default drop file1 file2 list\n"); 41 printf("\tfseccomp default drop file1 file2 list\n");
37 printf("\tfseccomp default drop file1 file2 list allow-debuggers\n"); 42 printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
43 printf("\tfseccomp default32 drop file1 file2 list\n");
44 printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
38 printf("\tfseccomp keep file1 file2 list\n"); 45 printf("\tfseccomp keep file1 file2 list\n");
46 printf("\tfseccomp keep32 file1 file2 list\n");
39 printf("\tfseccomp memory-deny-write-execute file\n"); 47 printf("\tfseccomp memory-deny-write-execute file\n");
48 printf("\tfseccomp memory-deny-write-execute.32 file\n");
40} 49}
41 50
42int main(int argc, char **argv) { 51int main(int argc, char **argv) {
@@ -64,6 +73,8 @@ printf("\n");
64 } 73 }
65 else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) 74 else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
66 syscall_print(); 75 syscall_print();
76 else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
77 syscall_print_32();
67 else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0) 78 else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
68 errno_print(); 79 errno_print();
69 else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0) 80 else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
@@ -75,21 +86,37 @@ printf("\n");
75 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0) 86 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
76 seccomp_secondary_block(argv[3]); 87 seccomp_secondary_block(argv[3]);
77 else if (argc == 3 && strcmp(argv[1], "default") == 0) 88 else if (argc == 3 && strcmp(argv[1], "default") == 0)
78 seccomp_default(argv[2], 0); 89 seccomp_default(argv[2], 0, true);
79 else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0) 90 else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
80 seccomp_default(argv[2], 1); 91 seccomp_default(argv[2], 1, true);
92 else if (argc == 3 && strcmp(argv[1], "default32") == 0)
93 seccomp_default(argv[2], 0, false);
94 else if (argc == 4 && strcmp(argv[1], "default32") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
95 seccomp_default(argv[2], 1, false);
81 else if (argc == 5 && strcmp(argv[1], "drop") == 0) 96 else if (argc == 5 && strcmp(argv[1], "drop") == 0)
82 seccomp_drop(argv[2], argv[3], argv[4], 0); 97 seccomp_drop(argv[2], argv[3], argv[4], 0, true);
83 else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0) 98 else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
84 seccomp_drop(argv[2], argv[3], argv[4], 1); 99 seccomp_drop(argv[2], argv[3], argv[4], 1, true);
100 else if (argc == 5 && strcmp(argv[1], "drop32") == 0)
101 seccomp_drop(argv[2], argv[3], argv[4], 0, false);
102 else if (argc == 6 && strcmp(argv[1], "drop32") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
103 seccomp_drop(argv[2], argv[3], argv[4], 1, false);
85 else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0) 104 else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
86 seccomp_default_drop(argv[3], argv[4], argv[5], 0); 105 seccomp_default_drop(argv[3], argv[4], argv[5], 0, true);
87 else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0) 106 else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
88 seccomp_default_drop(argv[3], argv[4], argv[5], 1); 107 seccomp_default_drop(argv[3], argv[4], argv[5], 1, true);
108 else if (argc == 6 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0)
109 seccomp_default_drop(argv[3], argv[4], argv[5], 0, false);
110 else if (argc == 7 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
111 seccomp_default_drop(argv[3], argv[4], argv[5], 1, false);
89 else if (argc == 5 && strcmp(argv[1], "keep") == 0) 112 else if (argc == 5 && strcmp(argv[1], "keep") == 0)
90 seccomp_keep(argv[2], argv[3], argv[4]); 113 seccomp_keep(argv[2], argv[3], argv[4], true);
114 else if (argc == 5 && strcmp(argv[1], "keep32") == 0)
115 seccomp_keep(argv[2], argv[3], argv[4], false);
91 else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0) 116 else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
92 memory_deny_write_execute(argv[2]); 117 memory_deny_write_execute(argv[2]);
118 else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0)
119 memory_deny_write_execute_32(argv[2]);
93 else { 120 else {
94 fprintf(stderr, "Error fseccomp: invalid arguments\n"); 121 fprintf(stderr, "Error fseccomp: invalid arguments\n");
95 return 1; 122 return 1;
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 7a21eb2c2..b8b30f488 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -122,10 +122,23 @@ void protocol_build_filter(const char *prlist, const char *fname) {
122 122
123 // header 123 // header
124 struct sock_filter filter_start[] = { 124 struct sock_filter filter_start[] = {
125 VALIDATE_ARCHITECTURE, 125#if defined __x86_64__
126 EXAMINE_SYSCALL, 126 /* check for native arch */
127 ONLY(SYS_socket), 127 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
128 EXAMINE_ARGUMENT(0) 128 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0),
129 /* i386 filter */
130 EXAMINE_SYSCALL, // 1
131 // checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
132 ONLY(359), // 1 + 2
133 BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
134#else
135#warning 32 bit protocol filter not implemented yet for your architecture
136#endif
137 VALIDATE_ARCHITECTURE, // 3
138 EXAMINE_SYSCALL, // 3 + 1
139 ONLY(SYS_socket), // 3 + 1 + 2
140
141 EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
129 }; 142 };
130 memcpy(ptr, &filter_start[0], sizeof(filter_start)); 143 memcpy(ptr, &filter_start[0], sizeof(filter_start));
131 ptr += sizeof(filter_start); 144 ptr += sizeof(filter_start);
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 29aa2f2f5..0db7b5954 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -24,12 +24,12 @@
24#include <sys/syscall.h> 24#include <sys/syscall.h>
25#include <sys/types.h> 25#include <sys/types.h>
26 26
27static void add_default_list(int fd, int allow_debuggers) { 27static void add_default_list(int fd, int allow_debuggers, bool native) {
28 int r; 28 int r;
29 if (!allow_debuggers) 29 if (!allow_debuggers)
30 r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL); 30 r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL, native);
31 else 31 else
32 r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL); 32 r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL, native);
33 33
34 assert(r == 0); 34 assert(r == 0);
35//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension 35//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
@@ -46,7 +46,7 @@ static void add_default_list(int fd, int allow_debuggers) {
46} 46}
47 47
48// default list 48// default list
49void seccomp_default(const char *fname, int allow_debuggers) { 49void seccomp_default(const char *fname, int allow_debuggers, bool native) {
50 assert(fname); 50 assert(fname);
51 51
52 // open file 52 // open file
@@ -57,8 +57,8 @@ void seccomp_default(const char *fname, int allow_debuggers) {
57 } 57 }
58 58
59 // build filter (no post-exec filter needed because default list is fine for us) 59 // build filter (no post-exec filter needed because default list is fine for us)
60 filter_init(fd); 60 filter_init(fd, native);
61 add_default_list(fd, allow_debuggers); 61 add_default_list(fd, allow_debuggers, native);
62 filter_end_blacklist(fd); 62 filter_end_blacklist(fd);
63 63
64 // close file 64 // close file
@@ -66,7 +66,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
66} 66}
67 67
68// drop list 68// drop list
69void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) { 69void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
70 assert(fname1); 70 assert(fname1);
71 assert(fname2); 71 assert(fname2);
72 (void) allow_debuggers; // todo: to implemnet it 72 (void) allow_debuggers; // todo: to implemnet it
@@ -79,15 +79,15 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
79 } 79 }
80 80
81 // build pre-exec filter: don't blacklist any syscalls in @default-keep 81 // build pre-exec filter: don't blacklist any syscalls in @default-keep
82 filter_init(fd); 82 filter_init(fd, native);
83 83
84 // allow exceptions in form of !syscall 84 // allow exceptions in form of !syscall
85 syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); 85 syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
86 86
87 char *prelist, *postlist; 87 char *prelist, *postlist;
88 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); 88 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
89 if (prelist) 89 if (prelist)
90 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) { 90 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
91 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 91 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
92 exit(1); 92 exit(1);
93 } 93 }
@@ -106,8 +106,8 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
106 } 106 }
107 107
108 // build post-exec filter: blacklist remaining syscalls 108 // build post-exec filter: blacklist remaining syscalls
109 filter_init(fd); 109 filter_init(fd, native);
110 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) { 110 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
111 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 111 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
112 exit(1); 112 exit(1);
113 } 113 }
@@ -118,7 +118,7 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
118} 118}
119 119
120// default+drop 120// default+drop
121void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) { 121void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
122 assert(fname1); 122 assert(fname1);
123 assert(fname2); 123 assert(fname2);
124 124
@@ -131,16 +131,16 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
131 131
132 // build pre-exec filter: blacklist @default, don't blacklist 132 // build pre-exec filter: blacklist @default, don't blacklist
133 // any listed syscalls in @default-keep 133 // any listed syscalls in @default-keep
134 filter_init(fd); 134 filter_init(fd, native);
135 135
136 // allow exceptions in form of !syscall 136 // allow exceptions in form of !syscall
137 syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL); 137 syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
138 138
139 add_default_list(fd, allow_debuggers); 139 add_default_list(fd, allow_debuggers, native);
140 char *prelist, *postlist; 140 char *prelist, *postlist;
141 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist); 141 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
142 if (prelist) 142 if (prelist)
143 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) { 143 if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
144 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 144 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
145 exit(1); 145 exit(1);
146 } 146 }
@@ -160,8 +160,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
160 } 160 }
161 161
162 // build post-exec filter: blacklist remaining syscalls 162 // build post-exec filter: blacklist remaining syscalls
163 filter_init(fd); 163 filter_init(fd, native);
164 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) { 164 if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
165 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 165 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
166 exit(1); 166 exit(1);
167 } 167 }
@@ -171,7 +171,7 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
171 close(fd); 171 close(fd);
172} 172}
173 173
174void seccomp_keep(const char *fname1, const char *fname2, char *list) { 174void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native) {
175 (void) fname2; 175 (void) fname2;
176 176
177 // open file for pre-exec filter 177 // open file for pre-exec filter
@@ -182,17 +182,17 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
182 } 182 }
183 183
184 // build pre-exec filter: whitelist also @default-keep 184 // build pre-exec filter: whitelist also @default-keep
185 filter_init(fd); 185 filter_init(fd, native);
186 186
187 // allow exceptions in form of !syscall 187 // allow exceptions in form of !syscall
188 syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL); 188 syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL, native);
189 189
190 // these syscalls are used by firejail after the seccomp filter is initialized 190 // these syscalls are used by firejail after the seccomp filter is initialized
191 int r; 191 int r;
192 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL); 192 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL, native);
193 assert(r == 0); 193 assert(r == 0);
194 194
195 if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) { 195 if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL, native)) {
196 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 196 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
197 exit(1); 197 exit(1);
198 } 198 }
@@ -206,6 +206,15 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
206#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__) 206#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
207# define filter_syscall SYS_mmap 207# define filter_syscall SYS_mmap
208# undef block_syscall 208# undef block_syscall
209#if defined(__x86_64__)
210// i386 syscalls
211# define filter_syscall_32 192
212# define block_syscall_32 90
213# define mprotect_32 125
214# define pkey_mprotect_32 380
215# define shmat_32 397
216# define memfd_create_32 356
217#endif
209#elif defined(__i386__) 218#elif defined(__i386__)
210# define filter_syscall SYS_mmap2 219# define filter_syscall SYS_mmap2
211# define block_syscall SYS_mmap 220# define block_syscall SYS_mmap
@@ -216,6 +225,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
216# warning "Platform does not support seccomp memory-deny-write-execute filter yet" 225# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
217# undef filter_syscall 226# undef filter_syscall
218# undef block_syscall 227# undef block_syscall
228# undef filter_syscall_32
229# undef block_syscall_32
230# undef mprotect_32
231# undef pkey_mprotect_32
232# undef shmat_32
233# undef memfd_create_32
219#endif 234#endif
220 235
221void memory_deny_write_execute(const char *fname) { 236void memory_deny_write_execute(const char *fname) {
@@ -226,10 +241,10 @@ void memory_deny_write_execute(const char *fname) {
226 exit(1); 241 exit(1);
227 } 242 }
228 243
229 filter_init(fd); 244 filter_init(fd, true);
230 245
231 // build filter 246 // build filter
232 static const struct sock_filter filter[] = { 247 struct sock_filter filter[] = {
233#ifdef block_syscall 248#ifdef block_syscall
234 // block old multiplexing mmap syscall for i386 249 // block old multiplexing mmap syscall for i386
235 BLACKLIST(block_syscall), 250 BLACKLIST(block_syscall),
@@ -288,3 +303,75 @@ void memory_deny_write_execute(const char *fname) {
288 // close file 303 // close file
289 close(fd); 304 close(fd);
290} 305}
306
307void memory_deny_write_execute_32(const char *fname) {
308 // open file
309 int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
310 if (fd < 0) {
311 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
312 exit(1);
313 }
314
315 filter_init(fd, false);
316
317 // build filter
318 struct sock_filter filter[] = {
319#if defined(__x86_64__)
320#ifdef block_syscall_32
321 // block old multiplexing mmap syscall for i386
322 BLACKLIST(block_syscall_32),
323#endif
324#ifdef filter_syscall_32
325 // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
326 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall_32, 0, 5),
327 EXAMINE_ARGUMENT(2),
328 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
329 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
330 KILL_PROCESS,
331 RETURN_ALLOW,
332#endif
333#ifdef mprotect_32
334 // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
335 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, mprotect_32, 0, 5),
336 EXAMINE_ARGUMENT(2),
337 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
338 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
339 KILL_PROCESS,
340 RETURN_ALLOW,
341#endif
342#ifdef pkey_mprotect_32
343 // same for pkey_mprotect(,,PROT_EXEC), where available
344 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, pkey_mprotect_32, 0, 5),
345 EXAMINE_ARGUMENT(2),
346 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
347 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
348 KILL_PROCESS,
349 RETURN_ALLOW,
350#endif
351
352#ifdef shmat_32
353 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
354 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, shmat_32, 0, 5),
355 EXAMINE_ARGUMENT(2),
356 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
357 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
358 KILL_PROCESS,
359 RETURN_ALLOW,
360#endif
361#ifdef memfd_create_32
362 // block memfd_create as it can be used to create
363 // arbitrary memory contents which can be later mapped
364 // as executable
365 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, memfd_create_32, 0, 1),
366 KILL_PROCESS,
367#endif
368#endif
369 RETURN_ALLOW
370 };
371 write_to_file(fd, filter, sizeof(filter));
372
373 filter_end_blacklist(fd);
374
375 // close file
376 close(fd);
377}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index e47e8db25..872b41261 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -21,11 +21,11 @@
21#include "../include/seccomp.h" 21#include "../include/seccomp.h"
22#include <sys/syscall.h> 22#include <sys/syscall.h>
23 23
24void write_to_file(int fd, const void *data, int size) { 24void write_to_file(int fd, const void *data, size_t size) {
25 assert(data); 25 assert(data);
26 assert(size); 26 assert(size);
27 27
28 int written = 0; 28 size_t written = 0;
29 while (written < size) { 29 while (written < size) {
30 int rv = write(fd, (unsigned char *) data + written, size - written); 30 int rv = write(fd, (unsigned char *) data + written, size - written);
31 if (rv == -1) { 31 if (rv == -1) {
@@ -36,8 +36,8 @@ void write_to_file(int fd, const void *data, int size) {
36 } 36 }
37} 37}
38 38
39void filter_init(int fd) { 39void filter_init(int fd, bool native) {
40 struct sock_filter filter[] = { 40 struct sock_filter filter_native[] = {
41 VALIDATE_ARCHITECTURE, 41 VALIDATE_ARCHITECTURE,
42#if defined(__x86_64__) 42#if defined(__x86_64__)
43 EXAMINE_SYSCALL, 43 EXAMINE_SYSCALL,
@@ -46,6 +46,10 @@ void filter_init(int fd) {
46 EXAMINE_SYSCALL 46 EXAMINE_SYSCALL
47#endif 47#endif
48 }; 48 };
49 struct sock_filter filter_32[] = {
50 VALIDATE_ARCHITECTURE_32,
51 EXAMINE_SYSCALL
52 };
49 53
50#if 0 54#if 0
51{ 55{
@@ -57,7 +61,10 @@ void filter_init(int fd) {
57} 61}
58#endif 62#endif
59 63
60 write_to_file(fd, filter, sizeof(filter)); 64 if (native)
65 write_to_file(fd, filter_native, sizeof(filter_native));
66 else
67 write_to_file(fd, filter_32, sizeof(filter_32));
61} 68}
62 69
63static void write_whitelist(int fd, int syscall) { 70static void write_whitelist(int fd, int syscall) {
@@ -74,9 +81,10 @@ static void write_blacklist(int fd, int syscall) {
74 write_to_file(fd, filter, sizeof(filter)); 81 write_to_file(fd, filter, sizeof(filter));
75} 82}
76 83
77void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) { 84void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native) {
78 (void) arg; 85 (void) arg;
79 (void) ptrarg; 86 (void) ptrarg;
87 (void) native;
80 88
81 if (syscall >= 0) { 89 if (syscall >= 0) {
82 write_whitelist(fd, syscall); 90 write_whitelist(fd, syscall);
@@ -84,18 +92,20 @@ void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
84} 92}
85 93
86// handle seccomp list exceptions (seccomp x,y,!z) 94// handle seccomp list exceptions (seccomp x,y,!z)
87void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { 95void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
88 (void) arg; 96 (void) arg;
89 (void) ptrarg; 97 (void) ptrarg;
98 (void) native;
90 99
91 if (syscall < 0) { 100 if (syscall < 0) {
92 write_whitelist(fd, -syscall); 101 write_whitelist(fd, -syscall);
93 } 102 }
94} 103}
95 104
96void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) { 105void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native) {
97 (void) arg; 106 (void) arg;
98 (void) ptrarg; 107 (void) ptrarg;
108 (void) native;
99 109
100 if (syscall >= 0) { 110 if (syscall >= 0) {
101 write_blacklist(fd, syscall); 111 write_blacklist(fd, syscall);
@@ -103,17 +113,20 @@ void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
103} 113}
104 114
105// handle seccomp list exceptions (seccomp x,y,!z) 115// handle seccomp list exceptions (seccomp x,y,!z)
106void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) { 116void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
107 (void) arg; 117 (void) arg;
108 (void) ptrarg; 118 (void) ptrarg;
119 (void) native;
109 120
110 if (syscall < 0) { 121 if (syscall < 0) {
111 write_blacklist(fd, -syscall); 122 write_blacklist(fd, -syscall);
112 } 123 }
113} 124}
114 125
115void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) { 126void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
116 (void) ptrarg; 127 (void) ptrarg;
128 (void) native;
129
117 struct sock_filter filter[] = { 130 struct sock_filter filter[] = {
118 BLACKLIST_ERRNO(syscall, arg) 131 BLACKLIST_ERRNO(syscall, arg)
119 }; 132 };
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
deleted file mode 100644
index 2b112245c..000000000
--- a/src/fseccomp/syscall.c
+++ /dev/null
@@ -1,1632 +0,0 @@
1/*
2 * Copyright (C) 2014-2020 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20#define _GNU_SOURCE
21#include "fseccomp.h"
22#include <stdio.h>
23#include <sys/syscall.h>
24
25typedef struct {
26 const char * const name;
27 int nr;
28} SyscallEntry;
29
30typedef struct {
31 const char * const name;
32 const char * const list;
33} SyscallGroupList;
34
35typedef struct {
36 const char *slist;
37 char *prelist, *postlist;
38 bool found;
39 int syscall;
40} SyscallCheckList;
41
42static const SyscallEntry syslist[] = {
43//
44// code generated using tools/extract-syscall
45//
46#include "../include/syscall.h"
47//
48// end of generated code
49//
50}; // end of syslist
51
52static const SyscallGroupList sysgroups[] = {
53 { .name = "@aio", .list =
54#ifdef SYS_io_cancel
55 "io_cancel,"
56#endif
57#ifdef SYS_io_destroy
58 "io_destroy,"
59#endif
60#ifdef SYS_io_getevents
61 "io_getevents,"
62#endif
63#ifdef SYS_io_pgetevents
64 "io_pgetevents,"
65#endif
66#ifdef SYS_io_setup
67 "io_setup,"
68#endif
69#ifdef SYS_io_submit
70 "io_submit"
71#endif
72 },
73 { .name = "@basic-io", .list =
74#ifdef SYS__llseek
75 "_llseek,"
76#endif
77#ifdef SYS_close
78 "close,"
79#endif
80#ifdef SYS_dup
81 "dup,"
82#endif
83#ifdef SYS_dup2
84 "dup2,"
85#endif
86#ifdef SYS_dup3
87 "dup3,"
88#endif
89#ifdef SYS_lseek
90 "lseek,"
91#endif
92#ifdef SYS_pread64
93 "pread64,"
94#endif
95#ifdef SYS_preadv
96 "preadv,"
97#endif
98#ifdef SYS_preadv2
99 "preadv2,"
100#endif
101#ifdef SYS_pwrite64
102 "pwrite64,"
103#endif
104#ifdef SYS_pwritev
105 "pwritev,"
106#endif
107#ifdef SYS_pwritev2
108 "pwritev2,"
109#endif
110#ifdef SYS_read
111 "read,"
112#endif
113#ifdef SYS_readv
114 "readv,"
115#endif
116#ifdef SYS_write
117 "write,"
118#endif
119#ifdef SYS_writev
120 "writev"
121#endif
122 },
123 { .name = "@chown", .list =
124#ifdef SYS_chown
125 "chown,"
126#endif
127#ifdef SYS_chown32
128 "chown32,"
129#endif
130#ifdef SYS_fchown
131 "fchown,"
132#endif
133#ifdef SYS_fchown32
134 "fchown32,"
135#endif
136#ifdef SYS_fchownat
137 "fchownat,"
138#endif
139#ifdef SYS_lchown
140 "lchown,"
141#endif
142#ifdef SYS_lchown32
143 "lchown32"
144#endif
145 },
146 { .name = "@clock", .list =
147#ifdef SYS_adjtimex
148 "adjtimex,"
149#endif
150#ifdef SYS_clock_adjtime
151 "clock_adjtime,"
152#endif
153#ifdef SYS_clock_settime
154 "clock_settime,"
155#endif
156#ifdef SYS_settimeofday
157 "settimeofday,"
158#endif
159#ifdef SYS_stime
160 "stime"
161#endif
162 },
163 { .name = "@cpu-emulation", .list =
164#ifdef SYS_modify_ldt
165 "modify_ldt,"
166#endif
167#ifdef SYS_subpage_prot
168 "subpage_prot,"
169#endif
170#ifdef SYS_switch_endian
171 "switch_endian,"
172#endif
173#ifdef SYS_vm86
174 "vm86,"
175#endif
176#ifdef SYS_vm86old
177 "vm86old"
178#endif
179#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old)
180 "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
181#endif
182 },
183 { .name = "@debug", .list =
184#ifdef SYS_lookup_dcookie
185 "lookup_dcookie,"
186#endif
187#ifdef SYS_perf_event_open
188 "perf_event_open,"
189#endif
190#ifdef SYS_process_vm_writev
191 "process_vm_writev,"
192#endif
193#ifdef SYS_rtas
194 "rtas,"
195#endif
196#ifdef SYS_s390_runtime_instr
197 "s390_runtime_instr,"
198#endif
199#ifdef SYS_sys_debug_setcontext
200 "sys_debug_setcontext,"
201#endif
202 },
203 { .name = "@default", .list =
204 "@clock,"
205 "@cpu-emulation,"
206 "@debug,"
207 "@module,"
208 "@obsolete,"
209 "@raw-io,"
210 "@reboot,"
211 "@swap,"
212#ifdef SYS_open_by_handle_at
213 "open_by_handle_at,"
214#endif
215#ifdef SYS_name_to_handle_at
216 "name_to_handle_at,"
217#endif
218#ifdef SYS_ioprio_set
219 "ioprio_set,"
220#endif
221#ifdef SYS_ni_syscall
222 "ni_syscall,"
223#endif
224#ifdef SYS_syslog
225 "syslog,"
226#endif
227#ifdef SYS_fanotify_init
228 "fanotify_init,"
229#endif
230#ifdef SYS_kcmp
231 "kcmp,"
232#endif
233#ifdef SYS_add_key
234 "add_key,"
235#endif
236#ifdef SYS_request_key
237 "request_key,"
238#endif
239#ifdef SYS_mbind
240 "mbind,"
241#endif
242#ifdef SYS_migrate_pages
243 "migrate_pages,"
244#endif
245#ifdef SYS_move_pages
246 "move_pages,"
247#endif
248#ifdef SYS_keyctl
249 "keyctl,"
250#endif
251#ifdef SYS_io_setup
252 "io_setup,"
253#endif
254#ifdef SYS_io_destroy
255 "io_destroy,"
256#endif
257#ifdef SYS_io_getevents
258 "io_getevents,"
259#endif
260#ifdef SYS_io_submit
261 "io_submit,"
262#endif
263#ifdef SYS_io_cancel
264 "io_cancel,"
265#endif
266#ifdef SYS_remap_file_pages
267 "remap_file_pages,"
268#endif
269#ifdef SYS_set_mempolicy
270 "set_mempolicy"
271#endif
272#ifdef SYS_vmsplice
273 "vmsplice,"
274#endif
275#ifdef SYS_umount
276 "umount,"
277#endif
278#ifdef SYS_userfaultfd
279 "userfaultfd,"
280#endif
281#ifdef SYS_acct
282 "acct,"
283#endif
284#ifdef SYS_bpf
285 "bpf,"
286#endif
287#ifdef SYS_chroot
288 "chroot,"
289#endif
290#ifdef SYS_mount
291 "mount,"
292#endif
293#ifdef SYS_nfsservctl
294 "nfsservctl,"
295#endif
296#ifdef SYS_pivot_root
297 "pivot_root,"
298#endif
299#ifdef SYS_setdomainname
300 "setdomainname,"
301#endif
302#ifdef SYS_sethostname
303 "sethostname,"
304#endif
305#ifdef SYS_umount2
306 "umount2,"
307#endif
308#ifdef SYS_vhangup
309 "vhangup"
310#endif
311//#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
312// "mincore"
313//#endif
314 },
315 { .name = "@default-nodebuggers", .list =
316 "@default,"
317#ifdef SYS_ptrace
318 "ptrace,"
319#endif
320#ifdef SYS_personality
321 "personality,"
322#endif
323#ifdef SYS_process_vm_readv
324 "process_vm_readv"
325#endif
326 },
327 { .name = "@default-keep", .list =
328 "execve,"
329 "prctl"
330 },
331 { .name = "@file-system", .list =
332#ifdef SYS_access
333 "access,"
334#endif
335#ifdef SYS_chdir
336 "chdir,"
337#endif
338#ifdef SYS_chmod
339 "chmod,"
340#endif
341#ifdef SYS_close
342 "close,"
343#endif
344#ifdef SYS_creat
345 "creat,"
346#endif
347#ifdef SYS_faccessat
348 "faccessat,"
349#endif
350#ifdef SYS_fallocate
351 "fallocate,"
352#endif
353#ifdef SYS_fchdir
354 "fchdir,"
355#endif
356#ifdef SYS_fchmod
357 "fchmod,"
358#endif
359#ifdef SYS_fchmodat
360 "fchmodat,"
361#endif
362#ifdef SYS_fcntl
363 "fcntl,"
364#endif
365#ifdef SYS_fcntl64
366 "fcntl64,"
367#endif
368#ifdef SYS_fgetxattr
369 "fgetxattr,"
370#endif
371#ifdef SYS_flistxattr
372 "flistxattr,"
373#endif
374#ifdef SYS_fremovexattr
375 "fremovexattr,"
376#endif
377#ifdef SYS_fsetxattr
378 "fsetxattr,"
379#endif
380#ifdef SYS_fstat
381 "fstat,"
382#endif
383#ifdef SYS_fstat64
384 "fstat64,"
385#endif
386#ifdef SYS_fstatat64
387 "fstatat64,"
388#endif
389#ifdef SYS_fstatfs
390 "fstatfs,"
391#endif
392#ifdef SYS_fstatfs64
393 "fstatfs64,"
394#endif
395#ifdef SYS_ftruncate
396 "ftruncate,"
397#endif
398#ifdef SYS_ftruncate64
399 "ftruncate64,"
400#endif
401#ifdef SYS_futimesat
402 "futimesat,"
403#endif
404#ifdef SYS_getcwd
405 "getcwd,"
406#endif
407#ifdef SYS_getdents
408 "getdents,"
409#endif
410#ifdef SYS_getdents64
411 "getdents64,"
412#endif
413#ifdef SYS_getxattr
414 "getxattr,"
415#endif
416#ifdef SYS_inotify_add_watch
417 "inotify_add_watch,"
418#endif
419#ifdef SYS_inotify_init
420 "inotify_init,"
421#endif
422#ifdef SYS_inotify_init1
423 "inotify_init1,"
424#endif
425#ifdef SYS_inotify_rm_watch
426 "inotify_rm_watch,"
427#endif
428#ifdef SYS_lgetxattr
429 "lgetxattr,"
430#endif
431#ifdef SYS_link
432 "link,"
433#endif
434#ifdef SYS_linkat
435 "linkat,"
436#endif
437#ifdef SYS_listxattr
438 "listxattr,"
439#endif
440#ifdef SYS_llistxattr
441 "llistxattr,"
442#endif
443#ifdef SYS_lremovexattr
444 "lremovexattr,"
445#endif
446#ifdef SYS_lsetxattr
447 "lsetxattr,"
448#endif
449#ifdef SYS_lstat
450 "lstat,"
451#endif
452#ifdef SYS_lstat64
453 "lstat64,"
454#endif
455#ifdef SYS_mkdir
456 "mkdir,"
457#endif
458#ifdef SYS_mkdirat
459 "mkdirat,"
460#endif
461#ifdef SYS_mknod
462 "mknod,"
463#endif
464#ifdef SYS_mknodat
465 "mknodat,"
466#endif
467#ifdef SYS_mmap
468 "mmap,"
469#endif
470#ifdef SYS_mmap2
471 "mmap2,"
472#endif
473#ifdef SYS_munmap
474 "munmap,"
475#endif
476#ifdef SYS_newfstatat
477 "newfstatat,"
478#endif
479#ifdef SYS_oldfstat
480 "oldfstat,"
481#endif
482#ifdef SYS_oldlstat
483 "oldlstat,"
484#endif
485#ifdef SYS_oldstat
486 "oldstat,"
487#endif
488#ifdef SYS_open
489 "open,"
490#endif
491#ifdef SYS_openat
492 "openat,"
493#endif
494#ifdef SYS_readlink
495 "readlink,"
496#endif
497#ifdef SYS_readlinkat
498 "readlinkat,"
499#endif
500#ifdef SYS_removexattr
501 "removexattr,"
502#endif
503#ifdef SYS_rename
504 "rename,"
505#endif
506#ifdef SYS_renameat
507 "renameat,"
508#endif
509#ifdef SYS_renameat2
510 "renameat2,"
511#endif
512#ifdef SYS_rmdir
513 "rmdir,"
514#endif
515#ifdef SYS_setxattr
516 "setxattr,"
517#endif
518#ifdef SYS_stat
519 "stat,"
520#endif
521#ifdef SYS_stat64
522 "stat64,"
523#endif
524#ifdef SYS_statfs
525 "statfs,"
526#endif
527#ifdef SYS_statfs64
528 "statfs64,"
529#endif
530#ifdef SYS_statx
531 "statx,"
532#endif
533#ifdef SYS_symlink
534 "symlink,"
535#endif
536#ifdef SYS_symlinkat
537 "symlinkat,"
538#endif
539#ifdef SYS_truncate
540 "truncate,"
541#endif
542#ifdef SYS_truncate64
543 "truncate64,"
544#endif
545#ifdef SYS_unlink
546 "unlink,"
547#endif
548#ifdef SYS_unlinkat
549 "unlinkat,"
550#endif
551#ifdef SYS_utime
552 "utime,"
553#endif
554#ifdef SYS_utimensat
555 "utimensat,"
556#endif
557#ifdef SYS_utimes
558 "utimes"
559#endif
560 },
561 { .name = "@io-event", .list =
562#ifdef SYS__newselect
563 "_newselect,"
564#endif
565#ifdef SYS_epoll_create
566 "epoll_create,"
567#endif
568#ifdef SYS_epoll_create1
569 "epoll_create1,"
570#endif
571#ifdef SYS_epoll_ctl
572 "epoll_ctl,"
573#endif
574#ifdef SYS_epoll_ctl_old
575 "epoll_ctl_old,"
576#endif
577#ifdef SYS_epoll_pwait
578 "epoll_pwait,"
579#endif
580#ifdef SYS_epoll_wait
581 "epoll_wait,"
582#endif
583#ifdef SYS_epoll_wait_old
584 "epoll_wait_old,"
585#endif
586#ifdef SYS_eventfd
587 "eventfd,"
588#endif
589#ifdef SYS_eventfd2
590 "eventfd2,"
591#endif
592#ifdef SYS_poll
593 "poll,"
594#endif
595#ifdef SYS_ppoll
596 "ppoll,"
597#endif
598#ifdef SYS_pselect6
599 "pselect6,"
600#endif
601#ifdef SYS_select
602 "select"
603#endif
604 },
605 { .name = "@ipc", .list =
606#ifdef SYS_ipc
607 "ipc,"
608#endif
609#ifdef SYS_memfd_create
610 "memfd_create,"
611#endif
612#ifdef SYS_mq_getsetattr
613 "mq_getsetattr,"
614#endif
615#ifdef SYS_mq_notify
616 "mq_notify,"
617#endif
618#ifdef SYS_mq_open
619 "mq_open,"
620#endif
621#ifdef SYS_mq_timedreceive
622 "mq_timedreceive,"
623#endif
624#ifdef SYS_mq_timedsend
625 "mq_timedsend,"
626#endif
627#ifdef SYS_mq_unlink
628 "mq_unlink,"
629#endif
630#ifdef SYS_msgctl
631 "msgctl,"
632#endif
633#ifdef SYS_msgget
634 "msgget,"
635#endif
636#ifdef SYS_msgrcv
637 "msgrcv,"
638#endif
639#ifdef SYS_msgsnd
640 "msgsnd,"
641#endif
642#ifdef SYS_pipe
643 "pipe,"
644#endif
645#ifdef SYS_pipe2
646 "pipe2,"
647#endif
648#ifdef SYS_process_vm_readv
649 "process_vm_readv,"
650#endif
651#ifdef SYS_process_vm_writev
652 "process_vm_writev,"
653#endif
654#ifdef SYS_semctl
655 "semctl,"
656#endif
657#ifdef SYS_semget
658 "semget,"
659#endif
660#ifdef SYS_semop
661 "semop,"
662#endif
663#ifdef SYS_semtimedop
664 "semtimedop,"
665#endif
666#ifdef SYS_shmat
667 "shmat,"
668#endif
669#ifdef SYS_shmctl
670 "shmctl,"
671#endif
672#ifdef SYS_shmdt
673 "shmdt,"
674#endif
675#ifdef SYS_shmget
676 "shmget"
677#endif
678 },
679 { .name = "@keyring", .list =
680#ifdef SYS_add_key
681 "add_key,"
682#endif
683#ifdef SYS_keyctl
684 "keyctl,"
685#endif
686#ifdef SYS_request_key
687 "request_key"
688#endif
689 },
690 { .name = "@memlock", .list =
691#ifdef SYS_mlock
692 "mlock,"
693#endif
694#ifdef SYS_mlock2
695 "mlock2,"
696#endif
697#ifdef SYS_mlockall
698 "mlockall,"
699#endif
700#ifdef SYS_munlock
701 "munlock,"
702#endif
703#ifdef SYS_munlockall
704 "munlockall"
705#endif
706 },
707 { .name = "@module", .list =
708#ifdef SYS_delete_module
709 "delete_module,"
710#endif
711#ifdef SYS_finit_module
712 "finit_module,"
713#endif
714#ifdef SYS_init_module
715 "init_module"
716#endif
717 },
718 { .name = "@mount", .list =
719#ifdef SYS_chroot
720 "chroot,"
721#endif
722#ifdef SYS_mount
723 "mount,"
724#endif
725#ifdef SYS_pivot_root
726 "pivot_root,"
727#endif
728#ifdef SYS_umount
729 "umount,"
730#endif
731#ifdef SYS_umount2
732 "umount2"
733#endif
734 },
735 { .name = "@network-io", .list =
736#ifdef SYS_accept
737 "accept,"
738#endif
739#ifdef SYS_accept4
740 "accept4,"
741#endif
742#ifdef SYS_bind
743 "bind,"
744#endif
745#ifdef SYS_connect
746 "connect,"
747#endif
748#ifdef SYS_getpeername
749 "getpeername,"
750#endif
751#ifdef SYS_getsockname
752 "getsockname,"
753#endif
754#ifdef SYS_getsockopt
755 "getsockopt,"
756#endif
757#ifdef SYS_listen
758 "listen,"
759#endif
760#ifdef SYS_recv
761 "recv,"
762#endif
763#ifdef SYS_recvfrom
764 "recvfrom,"
765#endif
766#ifdef SYS_recvmmsg
767 "recvmmsg,"
768#endif
769#ifdef SYS_recvmsg
770 "recvmsg,"
771#endif
772#ifdef SYS_send
773 "send,"
774#endif
775#ifdef SYS_sendmmsg
776 "sendmmsg,"
777#endif
778#ifdef SYS_sendmsg
779 "sendmsg,"
780#endif
781#ifdef SYS_sendto
782 "sendto,"
783#endif
784#ifdef SYS_setsockopt
785 "setsockopt,"
786#endif
787#ifdef SYS_shutdown
788 "shutdown,"
789#endif
790#ifdef SYS_socket
791 "socket,"
792#endif
793#ifdef SYS_socketcall
794 "socketcall,"
795#endif
796#ifdef SYS_socketpair
797 "socketpair"
798#endif
799 },
800 { .name = "@obsolete", .list =
801#ifdef SYS__sysctl
802 "_sysctl,"
803#endif
804#ifdef SYS_afs_syscall
805 "afs_syscall,"
806#endif
807#ifdef SYS_bdflush
808 "bdflush,"
809#endif
810#ifdef SYS_break
811 "break,"
812#endif
813#ifdef SYS_create_module
814 "create_module,"
815#endif
816#ifdef SYS_ftime
817 "ftime,"
818#endif
819#ifdef SYS_get_kernel_syms
820 "get_kernel_syms,"
821#endif
822#ifdef SYS_getpmsg
823 "getpmsg,"
824#endif
825#ifdef SYS_gtty
826 "gtty,"
827#endif
828#ifdef SYS_idle
829 "idle,"
830#endif
831#ifdef SYS_lock
832 "lock,"
833#endif
834#ifdef SYS_mpx
835 "mpx,"
836#endif
837#ifdef SYS_prof
838 "prof,"
839#endif
840#ifdef SYS_profil
841 "profil,"
842#endif
843#ifdef SYS_putpmsg
844 "putpmsg,"
845#endif
846#ifdef SYS_query_module
847 "query_module,"
848#endif
849#ifdef SYS_security
850 "security,"
851#endif
852#ifdef SYS_sgetmask
853 "sgetmask,"
854#endif
855#ifdef SYS_ssetmask
856 "ssetmask,"
857#endif
858#ifdef SYS_stty
859 "stty,"
860#endif
861#ifdef SYS_sysfs
862 "sysfs,"
863#endif
864#ifdef SYS_tuxcall
865 "tuxcall,"
866#endif
867#ifdef SYS_ulimit
868 "ulimit,"
869#endif
870#ifdef SYS_uselib
871 "uselib,"
872#endif
873#ifdef SYS_ustat
874 "ustat,"
875#endif
876#ifdef SYS_vserver
877 "vserver"
878#endif
879#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
880 "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
881#endif
882 },
883 { .name = "@privileged", .list =
884 "@chown,"
885 "@clock,"
886 "@module,"
887 "@raw-io,"
888 "@reboot,"
889 "@swap,"
890#ifdef SYS__sysctl
891 "_sysctl,"
892#endif
893#ifdef SYS_acct
894 "acct,"
895#endif
896#ifdef SYS_bpf
897 "bpf,"
898#endif
899#ifdef SYS_capset
900 "capset,"
901#endif
902#ifdef SYS_chroot
903 "chroot,"
904#endif
905#ifdef SYS_fanotify_init
906 "fanotify_init,"
907#endif
908#ifdef SYS_mount
909 "mount,"
910#endif
911#ifdef SYS_nfsservctl
912 "nfsservctl,"
913#endif
914#ifdef SYS_open_by_handle_at
915 "open_by_handle_at,"
916#endif
917#ifdef SYS_pivot_root
918 "pivot_root,"
919#endif
920#ifdef SYS_quotactl
921 "quotactl,"
922#endif
923#ifdef SYS_setdomainname
924 "setdomainname,"
925#endif
926#ifdef SYS_setfsuid
927 "setfsuid,"
928#endif
929#ifdef SYS_setfsuid32
930 "setfsuid32,"
931#endif
932#ifdef SYS_setgroups
933 "setgroups,"
934#endif
935#ifdef SYS_setgroups32
936 "setgroups32,"
937#endif
938#ifdef SYS_sethostname
939 "sethostname,"
940#endif
941#ifdef SYS_setresuid
942 "setresuid,"
943#endif
944#ifdef SYS_setresuid32
945 "setresuid32,"
946#endif
947#ifdef SYS_setreuid
948 "setreuid,"
949#endif
950#ifdef SYS_setreuid32
951 "setreuid32,"
952#endif
953#ifdef SYS_setuid
954 "setuid,"
955#endif
956#ifdef SYS_setuid32
957 "setuid32,"
958#endif
959#ifdef SYS_umount2
960 "umount2,"
961#endif
962#ifdef SYS_vhangup
963 "vhangup"
964#endif
965 },
966 { .name = "@process", .list =
967#ifdef SYS_arch_prctl
968 "arch_prctl,"
969#endif
970#ifdef SYS_capget
971 "capget,"
972#endif
973#ifdef SYS_clone
974 "clone,"
975#endif
976#ifdef SYS_execveat
977 "execveat,"
978#endif
979#ifdef SYS_fork
980 "fork,"
981#endif
982#ifdef SYS_getrusage
983 "getrusage,"
984#endif
985#ifdef SYS_kill
986 "kill,"
987#endif
988#ifdef SYS_pidfd_send_signal
989 "pidfd_send_signal,"
990#endif
991#ifdef SYS_prctl
992 "prctl,"
993#endif
994#ifdef SYS_rt_sigqueueinfo
995 "rt_sigqueueinfo,"
996#endif
997#ifdef SYS_rt_tgsigqueueinfo
998 "rt_tgsigqueueinfo,"
999#endif
1000#ifdef SYS_setns
1001 "setns,"
1002#endif
1003#ifdef SYS_swapcontext
1004 "swapcontext,"
1005#endif
1006#ifdef SYS_tgkill
1007 "tgkill,"
1008#endif
1009#ifdef SYS_times
1010 "times,"
1011#endif
1012#ifdef SYS_tkill
1013 "tkill,"
1014#endif
1015#ifdef SYS_unshare
1016 "unshare,"
1017#endif
1018#ifdef SYS_vfork
1019 "vfork,"
1020#endif
1021#ifdef SYS_wait4
1022 "wait4,"
1023#endif
1024#ifdef SYS_waitid
1025 "waitid,"
1026#endif
1027#ifdef SYS_waitpid
1028 "waitpid"
1029#endif
1030 },
1031 { .name = "@raw-io", .list =
1032#ifdef SYS_ioperm
1033 "ioperm,"
1034#endif
1035#ifdef SYS_iopl
1036 "iopl,"
1037#endif
1038#ifdef SYS_pciconfig_iobase
1039 "pciconfig_iobase,"
1040#endif
1041#ifdef SYS_pciconfig_read
1042 "pciconfig_read,"
1043#endif
1044#ifdef SYS_pciconfig_write
1045 "pciconfig_write,"
1046#endif
1047#ifdef SYS_s390_mmio_read
1048 "s390_mmio_read,"
1049#endif
1050#ifdef SYS_s390_mmio_write
1051 "s390_mmio_write"
1052#endif
1053#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
1054 "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
1055#endif
1056 },
1057 { .name = "@reboot", .list =
1058#ifdef SYS_kexec_load
1059 "kexec_load,"
1060#endif
1061#ifdef SYS_kexec_file_load
1062 "kexec_file_load,"
1063#endif
1064#ifdef SYS_reboot
1065 "reboot,"
1066#endif
1067 },
1068 { .name = "@resources", .list =
1069#ifdef SYS_ioprio_set
1070 "ioprio_set,"
1071#endif
1072#ifdef SYS_mbind
1073 "mbind,"
1074#endif
1075#ifdef SYS_migrate_pages
1076 "migrate_pages,"
1077#endif
1078#ifdef SYS_move_pages
1079 "move_pages,"
1080#endif
1081#ifdef SYS_nice
1082 "nice,"
1083#endif
1084#ifdef SYS_sched_setaffinity
1085 "sched_setaffinity,"
1086#endif
1087#ifdef SYS_sched_setattr
1088 "sched_setattr,"
1089#endif
1090#ifdef SYS_sched_setparam
1091 "sched_setparam,"
1092#endif
1093#ifdef SYS_sched_setscheduler
1094 "sched_setscheduler,"
1095#endif
1096#ifdef SYS_set_mempolicy
1097 "set_mempolicy"
1098#endif
1099 },
1100 { .name = "@setuid", .list =
1101#ifdef SYS_setgid
1102 "setgid,"
1103#endif
1104#ifdef SYS_setgid32
1105 "setgid32,"
1106#endif
1107#ifdef SYS_setgroups
1108 "setgroups,"
1109#endif
1110#ifdef SYS_setgroups32
1111 "setgroups32,"
1112#endif
1113#ifdef SYS_setregid
1114 "setregid,"
1115#endif
1116#ifdef SYS_setregid32
1117 "setregid32,"
1118#endif
1119#ifdef SYS_setresgid
1120 "setresgid,"
1121#endif
1122#ifdef SYS_setresgid32
1123 "setresgid32,"
1124#endif
1125#ifdef SYS_setresuid
1126 "setresuid,"
1127#endif
1128#ifdef SYS_setresuid32
1129 "setresuid32,"
1130#endif
1131#ifdef SYS_setreuid
1132 "setreuid,"
1133#endif
1134#ifdef SYS_setreuid32
1135 "setreuid32,"
1136#endif
1137#ifdef SYS_setuid
1138 "setuid,"
1139#endif
1140#ifdef SYS_setuid32
1141 "setuid32"
1142#endif
1143 },
1144 { .name = "@signal", .list =
1145#ifdef SYS_rt_sigaction
1146 "rt_sigaction,"
1147#endif
1148#ifdef SYS_rt_sigpending
1149 "rt_sigpending,"
1150#endif
1151#ifdef SYS_rt_sigprocmask
1152 "rt_sigprocmask,"
1153#endif
1154#ifdef SYS_rt_sigsuspend
1155 "rt_sigsuspend,"
1156#endif
1157#ifdef SYS_rt_sigtimedwait
1158 "rt_sigtimedwait,"
1159#endif
1160#ifdef SYS_sigaction
1161 "sigaction,"
1162#endif
1163#ifdef SYS_sigaltstack
1164 "sigaltstack,"
1165#endif
1166#ifdef SYS_signal
1167 "signal,"
1168#endif
1169#ifdef SYS_signalfd
1170 "signalfd,"
1171#endif
1172#ifdef SYS_signalfd4
1173 "signalfd4,"
1174#endif
1175#ifdef SYS_sigpending
1176 "sigpending,"
1177#endif
1178#ifdef SYS_sigprocmask
1179 "sigprocmask,"
1180#endif
1181#ifdef SYS_sigsuspend
1182 "sigsuspend"
1183#endif
1184 },
1185 { .name = "@swap", .list =
1186#ifdef SYS_swapon
1187 "swapon,"
1188#endif
1189#ifdef SYS_swapoff
1190 "swapoff"
1191#endif
1192 },
1193 { .name = "@sync", .list =
1194#ifdef SYS_fdatasync
1195 "fdatasync,"
1196#endif
1197#ifdef SYS_fsync
1198 "fsync,"
1199#endif
1200#ifdef SYS_msync
1201 "msync,"
1202#endif
1203#ifdef SYS_sync
1204 "sync,"
1205#endif
1206#ifdef SYS_sync_file_range
1207 "sync_file_range,"
1208#endif
1209#ifdef SYS_sync_file_range2
1210 "sync_file_range2,"
1211#endif
1212#ifdef SYS_syncfs
1213 "syncfs"
1214#endif
1215 },
1216 { .name = "@system-service", .list =
1217 "@aio,"
1218 "@basic-io,"
1219 "@chown,"
1220 "@default,"
1221 "@file-system,"
1222 "@io-event,"
1223 "@ipc,"
1224 "@keyring,"
1225 "@memlock,"
1226 "@network-io,"
1227 "@process,"
1228 "@resources,"
1229 "@setuid,"
1230 "@signal,"
1231 "@sync,"
1232 "@timer,"
1233#ifdef SYS_brk
1234 "brk,"
1235#endif
1236#ifdef SYS_capget
1237 "capget,"
1238#endif
1239#ifdef SYS_capset
1240 "capset,"
1241#endif
1242#ifdef SYS_copy_file_range
1243 "copy_file_range,"
1244#endif
1245#ifdef SYS_fadvise64
1246 "fadvise64,"
1247#endif
1248#ifdef SYS_fadvise64_64
1249 "fadvise64_64,"
1250#endif
1251#ifdef SYS_flock
1252 "flock,"
1253#endif
1254#ifdef SYS_get_mempolicy
1255 "get_mempolicy,"
1256#endif
1257#ifdef SYS_getcpu
1258 "getcpu,"
1259#endif
1260#ifdef SYS_getpriority
1261 "getpriority,"
1262#endif
1263#ifdef SYS_getrandom
1264 "getrandom,"
1265#endif
1266#ifdef SYS_ioctl
1267 "ioctl,"
1268#endif
1269#ifdef SYS_ioprio_get
1270 "ioprio_get,"
1271#endif
1272#ifdef SYS_kcmp
1273 "kcmp,"
1274#endif
1275#ifdef SYS_madvise
1276 "madvise,"
1277#endif
1278#ifdef SYS_mprotect
1279 "mprotect,"
1280#endif
1281#ifdef SYS_mremap
1282 "mremap,"
1283#endif
1284#ifdef SYS_name_to_handle_at
1285 "name_to_handle_at,"
1286#endif
1287#ifdef SYS_oldolduname
1288 "oldolduname,"
1289#endif
1290#ifdef SYS_olduname
1291 "olduname,"
1292#endif
1293#ifdef SYS_personality
1294 "personality,"
1295#endif
1296#ifdef SYS_readahead
1297 "readahead,"
1298#endif
1299#ifdef SYS_readdir
1300 "readdir,"
1301#endif
1302#ifdef SYS_remap_file_pages
1303 "remap_file_pages,"
1304#endif
1305#ifdef SYS_sched_get_priority_max
1306 "sched_get_priority_max,"
1307#endif
1308#ifdef SYS_sched_get_priority_min
1309 "sched_get_priority_min,"
1310#endif
1311#ifdef SYS_sched_getaffinity
1312 "sched_getaffinity,"
1313#endif
1314#ifdef SYS_sched_getattr
1315 "sched_getattr,"
1316#endif
1317#ifdef SYS_sched_getparam
1318 "sched_getparam,"
1319#endif
1320#ifdef SYS_sched_getscheduler
1321 "sched_getscheduler,"
1322#endif
1323#ifdef SYS_sched_rr_get_interval
1324 "sched_rr_get_interval,"
1325#endif
1326#ifdef SYS_sched_yield
1327 "sched_yield,"
1328#endif
1329#ifdef SYS_sendfile
1330 "sendfile,"
1331#endif
1332#ifdef SYS_sendfile64
1333 "sendfile64,"
1334#endif
1335#ifdef SYS_setfsgid
1336 "setfsgid,"
1337#endif
1338#ifdef SYS_setfsgid32
1339 "setfsgid32,"
1340#endif
1341#ifdef SYS_setfsuid
1342 "setfsuid,"
1343#endif
1344#ifdef SYS_setfsuid32
1345 "setfsuid32,"
1346#endif
1347#ifdef SYS_setpgid
1348 "setpgid,"
1349#endif
1350#ifdef SYS_setsid
1351 "setsid,"
1352#endif
1353#ifdef SYS_splice
1354 "splice,"
1355#endif
1356#ifdef SYS_sysinfo
1357 "sysinfo,"
1358#endif
1359#ifdef SYS_tee
1360 "tee,"
1361#endif
1362#ifdef SYS_umask
1363 "umask,"
1364#endif
1365#ifdef SYS_uname
1366 "uname,"
1367#endif
1368#ifdef SYS_userfaultfd
1369 "userfaultfd,"
1370#endif
1371#ifdef SYS_vmsplice
1372 "vmsplice"
1373#endif
1374 },
1375 { .name = "@timer", .list =
1376#ifdef SYS_alarm
1377 "alarm,"
1378#endif
1379#ifdef SYS_getitimer
1380 "getitimer,"
1381#endif
1382#ifdef SYS_setitimer
1383 "setitimer,"
1384#endif
1385#ifdef SYS_timer_create
1386 "timer_create,"
1387#endif
1388#ifdef SYS_timer_delete
1389 "timer_delete,"
1390#endif
1391#ifdef SYS_timer_getoverrun
1392 "timer_getoverrun,"
1393#endif
1394#ifdef SYS_timer_gettime
1395 "timer_gettime,"
1396#endif
1397#ifdef SYS_timer_settime
1398 "timer_settime,"
1399#endif
1400#ifdef SYS_timerfd_create
1401 "timerfd_create,"
1402#endif
1403#ifdef SYS_timerfd_gettime
1404 "timerfd_gettime,"
1405#endif
1406#ifdef SYS_timerfd_settime
1407 "timerfd_settime,"
1408#endif
1409#ifdef SYS_times
1410 "times"
1411#endif
1412 }
1413};
1414
1415// return -1 if error, or syscall number
1416static int syscall_find_name(const char *name) {
1417 int i;
1418 int elems = sizeof(syslist) / sizeof(syslist[0]);
1419 for (i = 0; i < elems; i++) {
1420 if (strcmp(name, syslist[i].name) == 0)
1421 return syslist[i].nr;
1422 }
1423
1424 return -1;
1425}
1426
1427const char *syscall_find_nr(int nr) {
1428 int i;
1429 int elems = sizeof(syslist) / sizeof(syslist[0]);
1430 for (i = 0; i < elems; i++) {
1431 if (nr == syslist[i].nr)
1432 return syslist[i].name;
1433 }
1434
1435 return "unknown";
1436}
1437
1438void syscall_print(void) {
1439 int i;
1440 int elems = sizeof(syslist) / sizeof(syslist[0]);
1441 for (i = 0; i < elems; i++) {
1442 printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
1443 }
1444 printf("\n");
1445}
1446
1447static const char *syscall_find_group(const char *name) {
1448 int i;
1449 int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
1450 for (i = 0; i < elems; i++) {
1451 if (strcmp(name, sysgroups[i].name) == 0)
1452 return sysgroups[i].list;
1453 }
1454
1455 return NULL;
1456}
1457
1458// allowed input:
1459// - syscall
1460// - syscall(error)
1461static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
1462 assert(name);
1463 if (strlen(name) == 0)
1464 goto error;
1465 *error_nr = -1;
1466
1467 // syntax check
1468 char *str = strdup(name);
1469 if (!str)
1470 errExit("strdup");
1471
1472 char *syscall_name = str;
1473 char *error_name = strchr(str, ':');
1474 if (error_name) {
1475 *error_name = '\0';
1476 error_name++;
1477 }
1478 if (strlen(syscall_name) == 0) {
1479 free(str);
1480 goto error;
1481 }
1482
1483 if (*syscall_name == '$')
1484 *syscall_nr = strtol(syscall_name + 1, NULL, 0);
1485 else
1486 *syscall_nr = syscall_find_name(syscall_name);
1487 if (error_name) {
1488 *error_nr = errno_find_name(error_name);
1489 if (*error_nr == -1)
1490 *syscall_nr = -1;
1491 }
1492
1493 free(str);
1494 return;
1495
1496error:
1497 fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
1498 exit(1);
1499}
1500
1501// return 1 if error, 0 if OK
1502int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg) {
1503 // don't allow empty lists
1504 if (slist == NULL || *slist == '\0') {
1505 fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
1506 exit(1);
1507 }
1508
1509 // work on a copy of the string
1510 char *str = strdup(slist);
1511 if (!str)
1512 errExit("strdup");
1513
1514 char *saveptr;
1515 char *ptr = strtok_r(str, ",", &saveptr);
1516 if (ptr == NULL) {
1517 fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
1518 exit(1);
1519 }
1520
1521 while (ptr) {
1522 int syscall_nr;
1523 int error_nr;
1524 if (*ptr == '@') {
1525 const char *new_list = syscall_find_group(ptr);
1526 if (!new_list) {
1527 fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
1528 exit(1);
1529 }
1530 syscall_check_list(new_list, callback, fd, arg, ptrarg);
1531 }
1532 else {
1533 bool negate = false;
1534 if (*ptr == '!') {
1535 negate = true;
1536 ptr++;
1537 }
1538 syscall_process_name(ptr, &syscall_nr, &error_nr);
1539 if (syscall_nr == -1) {;}
1540 else if (callback != NULL) {
1541 if (negate) {
1542 syscall_nr = -syscall_nr;
1543 }
1544 if (error_nr != -1 && fd != 0) {
1545 filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
1546 }
1547 else if (error_nr != -1 && fd == 0) {
1548 callback(fd, syscall_nr, error_nr, ptrarg);
1549 }
1550 else {
1551 callback(fd, syscall_nr, arg, ptrarg);
1552 }
1553 }
1554 }
1555 ptr = strtok_r(NULL, ",", &saveptr);
1556 }
1557
1558 free(str);
1559 return 0;
1560}
1561
1562static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
1563 (void)fd;
1564 (void) arg;
1565 SyscallCheckList *ptr = ptrarg;
1566 if (abs(syscall) == ptr->syscall)
1567 ptr->found = true;
1568}
1569
1570// go through list2 and find matches for problem syscall
1571static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
1572 (void) fd;
1573 (void)arg;
1574 SyscallCheckList *ptr = ptrarg;
1575 SyscallCheckList sl;
1576 sl.found = false;
1577 sl.syscall = syscall;
1578 syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
1579 // if found in the problem list, add to post-exec list
1580 if (sl.found) {
1581 if (ptr->postlist) {
1582 if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
1583 errExit("asprintf");
1584 }
1585 else
1586 ptr->postlist = strdup(syscall_find_nr(syscall));
1587 }
1588 else { // no problem, add to pre-exec list
1589 // build syscall:error_no
1590 char *newcall = NULL;
1591 if (arg != 0) {
1592 if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
1593 errExit("asprintf");
1594 }
1595 else {
1596 newcall = strdup(syscall_find_nr(syscall));
1597 if (!newcall)
1598 errExit("strdup");
1599 }
1600
1601 if (ptr->prelist) {
1602 if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
1603 errExit("asprintf");
1604 free(newcall);
1605 }
1606 else
1607 ptr->prelist = newcall;
1608 }
1609}
1610
1611// go through list and find matches for syscalls in list @default-keep
1612void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist) {
1613 (void) fd;
1614 SyscallCheckList sl;
1615 // these syscalls are used by firejail after the seccomp filter is initialized
1616 sl.slist = slist;
1617 sl.prelist = NULL;
1618 sl.postlist = NULL;
1619 syscall_check_list(list, syscall_in_list, 0, 0, &sl);
1620 if (!arg_quiet) {
1621 printf("Seccomp list in: %s,", list);
1622 if (sl.slist)
1623 printf(" check list: %s,", sl.slist);
1624 if (sl.prelist)
1625 printf(" prelist: %s,", sl.prelist);
1626 if (sl.postlist)
1627 printf(" postlist: %s", sl.postlist);
1628 printf("\n");
1629 }
1630 *prelist = sl.prelist;
1631 *postlist = sl.postlist;
1632}
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-20 09:12:31 +0000