From 533242ac32590a47e76fc1ef5bfe48f32e1f131f Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sun, 20 Jun 2021 13:29:48 +0200 Subject: augment seccomp lists in firejail.config --- etc/firejail.config | 4 ++++ src/firejail/checkcfg.c | 5 +++++ src/firejail/firejail.h | 1 + src/firejail/main.c | 11 ++++++++++- src/firejail/seccomp.c | 5 +++-- src/man/firejail.txt | 6 ++++++ 6 files changed, 29 insertions(+), 3 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index c671efef9..4b59f8955 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -101,6 +101,10 @@ # Enable or disable seccomp support, default enabled. # seccomp yes +# Add rules to the default seccomp filter. Same syntax as for --seccomp= +# None by default; this is an example. +# seccomp-filter-add !chroot,kcmp,mincore + # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) # seccomp-error-action EPERM diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6726abdc8..12b5fc683 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -35,6 +35,7 @@ char *xvfb_extra_params = ""; char *netfilter_default = NULL; unsigned long join_timeout = 5000000; // microseconds char *config_seccomp_error_action_str = "EPERM"; +char *config_seccomp_filter_add = NULL; char **whitelist_reject_topdirs = NULL; int checkcfg(int val) { @@ -222,6 +223,10 @@ int checkcfg(int val) { else if (strncmp(ptr, "join-timeout ", 13) == 0) join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds + // add rules to default seccomp filter + else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0) + config_seccomp_filter_add = seccomp_check_list(ptr + 19); + // seccomp error action else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { if (strcmp(ptr + 21, "kill") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1da70fd54..60d178f1e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
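Review bot: The new comment block never says what the `!` prefix means in this setting, so the example `seccomp-filter-add !chroot,kcmp,mincore` is easy to misread: by the --seccomp= syntax it refers to, `!chroot` removes chroot from the default blacklist, so the example loosens every sandbox on the host while it adds kcmp and mincore. The comment should also state the scope limit visible in the main.c hunk of this patch, namely that profiles using seccomp.keep or seccomp.drop do not receive these rules at all. Suggested wording: `# Add rules to the default seccomp filter. Same syntax as for --seccomp=; a !syscall entry re-allows that syscall in every sandbox. Not applied to profiles that use seccomp.keep or seccomp.drop.` As firejail.config lives under /etc this is an administrator-trusted value, so the risk here is accidental loosening rather than injection.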
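Review bot: A second `seccomp-filter-add` line in firejail.config silently replaces the first, because the new branch assigns `config_seccomp_filter_add` unconditionally, and if `seccomp_check_list` hands back a fresh copy (not visible in this hunk) the earlier one is leaked as well. An administrator who splits a long list across two lines ends up with only the last line enforced, which is the wrong failure direction for a hardening option. Either accumulate, e.g. `config_seccomp_filter_add` built up with `profile_list_augment(&config_seccomp_filter_add, seccomp_check_list(ptr + 19));` — the helper main.c already uses for the profile lists, assuming it tolerates a NULL target — or reject the duplicate with an explicit error. The enclosing `checkcfg` parsing loop starts and ends outside this hunk.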
@@ -789,6 +789,7 @@ extern char *xvfb_extra_params; extern char *netfilter_default; extern unsigned long join_timeout; extern char *config_seccomp_error_action_str; +extern char *config_seccomp_filter_add; extern char **whitelist_reject_topdirs; int checkcfg(int val); diff --git a/src/firejail/main.c b/src/firejail/main.c index 089d80a68..d46a56627 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -961,7 +961,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b static int check_postexec(const char *list) { char *prelist, *postlist; - if (list) { + if (list && list[0]) { syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); if (postlist) return 1; @@ -2855,6 +2855,15 @@ int main(int argc, char **argv, char **envp) { // check network configuration options - it will exit if anything went wrong net_check_cfg(); + // customization of default seccomp filter + if (config_seccomp_filter_add) { + if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop) + profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add); + + if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32) + profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add); + } + if (arg_seccomp) arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 9670fe816..3d9bf9082 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) { // - seccomp if (cfg.seccomp_list_drop == NULL) { // default seccomp if error action is not changed - if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { + if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0') + && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { if (arg_seccomp_block_secondary) seccomp_filter_block_secondary(); else { 
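Review bot: The same `config_seccomp_filter_add` string is appended to both `cfg.seccomp_list` and `cfg.seccomp_list32`, but the `$N` numeric syntax this option accepts (the config comment says "same syntax as for --seccomp=", and the man page in this series gives `$165` as mount on i386) names a different syscall per architecture, so a numeric entry in firejail.config drops one syscall in the native filter and an unrelated one in the 32-bit filter. Either document at the `seccomp-filter-add` option that only symbolic names and @groups are portable, or have checkcfg reject `$` entries for this option. This block also relies on `profile_list_augment` accepting a NULL `*cfg.seccomp_list` — plain `--seccomp` leaves it NULL, per the check in seccomp.c in this same patch — which is worth confirming since the helper is not visible here. The exclusion of seccomp.keep/seccomp.drop profiles is a defensible choice but deserves a why-comment, e.g. `// profiles that replace the default list (seccomp.keep / seccomp.drop) are intentionally left untouched`. `main` begins and ends well outside this hunk.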
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) { } // build the seccomp filter as a regular user - if (list) + if (list && list[0]) if (arg_allow_debuggers) rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3212a88e4..7d7a1eb31 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -2209,6 +2209,12 @@ Firejail will print seccomp violations to the audit log if the kernel was compil Example: .br $ firejail \-\-seccomp +.br + +.br +The default list can be customized, see \-\-seccomp= for a description. It can be customized +also globally in /etc/firejail/firejail.config file. + .TP \fB\-\-seccomp=syscall,@group,!syscall2 Enable seccomp filter, whitelist "syscall2", but blacklist the default -- cgit v1.2.3-54-g00ecf From 925c9fe6b075a719f23bffde699652375b6bfe5f Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 26 Jun 2021 12:56:41 +0200 Subject: seccomp man page update * move everything related to modification of the default seccomp filter from --seccomp to --seccomp= entry * update errno descriptions --- src/man/firejail.txt | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7d7a1eb31..d4c2a5bc8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -2176,7 +2176,7 @@ $ firejail \-\-net=eth0 \-\-scan .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list, -which is @default-nodebuggers unless allow-debuggers is specified, +which is @default-nodebuggers unless \-\-allow-debuggers is specified, then it is @default. .br 
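Review bot: The `list && list[0]` test added here is the third copy in this patch of the same "NULL or empty means no list" predicate (the others are `check_postexec` in main.c and the `cfg.seccomp_list` condition in the previous hunk of this file), and each is spelled differently. A one-line helper in firejail.h, e.g. `static inline int seccomp_list_empty(const char *l) { return !l || !l[0]; }`, would keep the three from drifting apart the next time an empty list has to be treated as absent. A short comment at the first of these checks saying where an empty list can now come from (presumably the new config augmentation path) would help the next reader, since nothing in the hunks explains why "" is suddenly a possible value. `seccomp_filter_drop` begins and ends outside this hunk.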
@@ -2187,18 +2187,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync, @system-service and @timer. More information about groups can be found in /usr/share/doc/firejail/syscalls.txt - -In addition, a system call can be specified by its number instead of -name with prefix $, so for example $165 would be equal to mount on i386. -Exceptions can be allowed with prefix !. +.br .br System architecture is strictly imposed only if flag \-\-seccomp.block-secondary is used. The filter is applied at run time only if the correct architecture was detected. For the case of I386 -and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit -architecture, an additional filter for 32 bit system calls can be -installed with \-\-seccomp.32. +and AMD64 both 32-bit and 64-bit filters are installed. .br .br @@ -2217,9 +2212,10 @@ also globally in /etc/firejail/firejail.config file. .TP \fB\-\-seccomp=syscall,@group,!syscall2 -Enable seccomp filter, whitelist "syscall2", but blacklist the default -list and the syscalls or syscall groups specified by the -command. +Enable seccomp filter, blacklist the default list and the syscalls or syscall groups +specified by the command, but don't blacklist "syscall2". On a 64 bit +architecture, an additional filter for 32 bit system calls can be +installed with \-\-seccomp.32. .br .br @@ -2229,6 +2225,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox .br $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk .br +$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious +.br + +.br +Syscalls can be specified by their number if prefix $ is added, +so for example $165 would be equal to mount on i386. +.br .br Instead of dropping the syscall by returning EPERM, another error 
@@ -2241,6 +2244,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with .br Example: +.br $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes .br Parent pid 10662, child pid 10663 @@ -2249,9 +2253,13 @@ Child process initialized .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br .br @@ -2264,7 +2272,7 @@ filters. .br Example: .br -$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash +$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh .br Parent pid 32751, child pid 32752 .br @@ -2276,8 +2284,7 @@ Child process initialized in 46.44 ms .br $ ls .br -Bad system call -.br +Operation not permitted .TP \fB\-\-seccomp.block-secondary @@ -2321,15 +2328,15 @@ Child process initialized .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br - - - - .TP \fB\-\-seccomp.keep=syscall,@group,!syscall2 Enable seccomp filter, blacklist all syscall not listed and "syscall2". -- cgit v1.2.3-54-g00ecf From 43fb38e18ecd456a37273b388114a6ce718b405c Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 26 Jun 2021 12:57:05 +0200 Subject: RELNOTES --- RELNOTES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/RELNOTES b/RELNOTES index 9a5f165cd..a83a2c748 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,6 +1,10 @@ firejail (0.9.65) baseline; urgency=low * deprecated --audit options, relpaced by jailcheck utility * deprecated follow-symlink-as-user from firejail.config + * new firejail.config settings: private-bin, private-etc + * new firejail.config settings: private-opt, private-srv + * new firejail.config settings: whitelist-disable-topdir + * new firejail.config settings: seccomp-filter-add * rename --noautopulse to keep-config-pulse * filtering environment variables * zsh completion -- cgit v1.2.3-54-g00ecf