Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/preproc.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 16 | ||||
-rw-r--r-- | src/fseccomp/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 65 |
6 files changed, 3 insertions, 92 deletions
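--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
 #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make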
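--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
 else {
 //copy default seccomp files
 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
-copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 }
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed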
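--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
 else
 seccomp_filter_drop();
 
-// clean unused filters
-#if defined(__LP64__)
-int rv = unlink(RUN_SECCOMP_64);
-#endif
-#if defined(__ILP32__)
-int rv = unlink(RUN_SECCOMP_32);
-#endif
-(void) rv;
 }
 else { // clean seccomp files under /run/firejail/mnt
 int rv = unlink(RUN_SECCOMP_CFG);
-rv |= unlink(RUN_SECCOMP_64);
 rv |= unlink(RUN_SECCOMP_32);
 (void) rv;
 }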
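--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
 }
 
 // 32 bit arch filter installed on 64 bit architectures
+#if defined(__x86_64__)
 #if defined(__LP64__)
 static void seccomp_filter_32(void) {
 if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
 }
 }
 #endif
-
-// 64 bit arch filter installed on 32 bit architectures
-#if defined(__ILP32__)
-static void seccomp_filter_64(void) {
-if (seccomp_load(RUN_SECCOMP_64) == 0) {
-if (arg_debug)
-printf("Dual 32/64 bit seccomp filter configured\n");
-}
-}
 #endif
 
 static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-seccomp_filter_64();
 #endif
 }
 }
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-seccomp_filter_64();
 #endif
 }
 if (arg_debug)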
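Review bot: The `#if defined(__x86_64__)` added directly before the unchanged `#if defined(__LP64__)` in both `else` branches of seccomp_filter_drop (and around seccomp_filter_32 in the first hunk) leaves two nested conditions with nothing saying why both are needed; the x32 ABI defines `__x86_64__` alongside `__ILP32__`, so if the inner test is there to exclude x32, state it with `// native x86_64 only: __LP64__ excludes the x32 ABI, which also defines __x86_64__`, and otherwise fold the pair into a single `#if`. With the `__ILP32__` branch removed, that `else` path now installs no secondary-architecture filter on 32-bit builds or on non-x86 64-bit hosts unless `arg_seccomp_block_secondary` is set; whether the native filter loaded earlier in the function rejects foreign architectures by itself is not visible in these hunks, so the assumption is worth recording inline, e.g. `// other arches: rely on the native filter's architecture check or --seccomp.block-secondary`. seccomp_filter_drop begins and ends outside the hunks shown.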
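--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -70,8 +70,6 @@ printf("\n");
 protocol_print();
 else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
 protocol_build_filter(argv[3], argv[4]);
-else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
-seccomp_secondary_64(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
 seccomp_secondary_32(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)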
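--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
 close(dst);
 }
 
-void seccomp_secondary_64(const char *fname) {
-// hardcoded syscall values
-struct sock_filter filter[] = {
-VALIDATE_ARCHITECTURE_64,
-EXAMINE_SYSCALL,
-BLACKLIST(165), // mount
-BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-BLACKLIST(101), // ptrace
-BLACKLIST(246), // kexec_load
-BLACKLIST(304), // open_by_handle_at
-BLACKLIST(303), // name_to_handle_at
-BLACKLIST(174), // create_module
-BLACKLIST(175), // init_module
-BLACKLIST(313), // finit_module
-BLACKLIST(176), // delete_module
-BLACKLIST(172), // iopl
-BLACKLIST(173), // ioperm
-BLACKLIST(251), // ioprio_set
-BLACKLIST(167), // swapon
-BLACKLIST(168), // swapoff
-BLACKLIST(103), // syslog
-BLACKLIST(310), // process_vm_readv
-BLACKLIST(311), // process_vm_writev
-BLACKLIST(139), // sysfs
-BLACKLIST(156), // _sysctl
-BLACKLIST(159), // adjtimex
-BLACKLIST(305), // clock_adjtime
-BLACKLIST(212), // lookup_dcookie
-BLACKLIST(298), // perf_event_open
-BLACKLIST(300), // fanotify_init
-BLACKLIST(312), // kcmp
-BLACKLIST(248), // add_key
-BLACKLIST(249), // request_key
-BLACKLIST(250), // keyctl
-BLACKLIST(134), // uselib
-BLACKLIST(163), // acct
-BLACKLIST(154), // modify_ldt
-BLACKLIST(155), // pivot_root
-BLACKLIST(206), // io_setup
-BLACKLIST(207), // io_destroy
-BLACKLIST(208), // io_getevents
-BLACKLIST(209), // io_submit
-BLACKLIST(210), // io_cancel
-BLACKLIST(216), // remap_file_pages
-BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-// BLACKLIST(239), // get_mempolicy
-BLACKLIST(238), // set_mempolicy
-BLACKLIST(256), // migrate_pages
-BLACKLIST(279), // move_pages
-BLACKLIST(278), // vmsplice
-BLACKLIST(161), // chroot
-BLACKLIST(184), // tuxcall
-BLACKLIST(169), // reboot
-BLACKLIST(180), // nfsservctl
-BLACKLIST(177), // get_kernel_syms
-
-RETURN_ALLOW
-};
-
-// save filter to file
-write_filter(fname, sizeof(filter), filter);
-}
 
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {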