From 5129e321ca42172bf8e6b85c5679adb8da163492 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 23 Aug 2017 11:41:31 -0400
Subject: fix seccomp.keep for #1490

---
 src/firejail/sandbox.c | 8 ++++++++
 src/firejail/sbox.c | 7 +++++++
 src/firejail/seccomp.c | 25 +++++++++++++++++++------
 src/fseccomp/seccomp.c | 10 ++++++++++
 4 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 150c23de7..853555581 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1006,6 +1006,14 @@ int sandbox(void* sandbox_arg) {
 else
 seccomp_filter_drop(enforce_seccomp);
 }
+
+ if (arg_debug) {
+ printf("\nSeccomp files:\n");
+ int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+ (void) rv;
+ printf("\n");
+ }
+
 if (arg_memory_deny_write_execute) {
 if (arg_debug)
 printf("Install memory write&execute filter\n");
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 8f96f8fca..1d6cc2353 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -222,5 +222,12 @@ int sbox_run(unsigned filter, int num, ...) {
 exit(1);
 }
+#if 0
+printf("** sbox run out *********************************\n");
+system("ls -l /run/firejail/mnt\n");
+system("ls -l /proc/self/fd");
+printf("** sbox run out *********************************\n");
+#endif
+
 return status;
 }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 52b4679ae..bd57cff42 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
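Review bot: The added debug listing in `sandbox()` spawns `/bin/sh` through `system("ls -l /run/firejail/mnt/seccomp*\n")`, on a path that, as far as the hunk shows, still runs with whatever privileges and environment `sandbox()` holds at that point; the shell, PATH lookup and glob expansion all happen outside the process's control, `(void) rv` drops whatever the shell reports, and the trailing `\n` in the command string looks like a leftover. Even behind `arg_debug`, walking the directory with `opendir`/`readdir` keeps the listing in-process and removes the dependence on a shell being present inside the sandbox; if the mode/size columns of `ls -l` matter, `stat` each entry. The excerpt below needs `<dirent.h>` and `<string.h>` in scope (both standard; whether sandbox.c already includes them is not visible here). `sandbox()` starts and ends outside the hunk.
```c
	if (arg_debug) {
		printf("\nSeccomp files:\n");
		// enumerate the seccomp* files in-process instead of spawning a shell
		DIR *dir = opendir("/run/firejail/mnt");
		if (dir) {
			struct dirent *entry;
			while ((entry = readdir(dir)) != NULL) {
				if (strncmp(entry->d_name, "seccomp", 7) == 0)
					printf("%s\n", entry->d_name);
			}
			closedir(dir);
		}
		printf("\n");
	}
```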
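Review bot: The `#if 0` block inserted before `return status;` in `sbox_run()` is disabled debugging scaffolding committed to the tree, and both hunks of src/fseccomp/seccomp.c carry the same pattern; code behind `#if 0` is never compiled, so it silently rots, and the `system("ls -l ...")` calls inside it would spawn a shell from the helper runner if anyone re-enables them. Either drop the block, or, if the listing is still useful during development, gate it on `arg_debug` the way the sandbox.c hunk does (assuming `arg_debug` is visible in this file) and give it a one-line comment such as `// debug: list the mount dir and this process's open fds` so the next reader knows why it exists. `sbox_run()` starts outside the hunk.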
@@ -258,23 +258,36 @@ int seccomp_filter_keep(void) {
 seccomp_filter_block_secondary();
 if (arg_debug)
- printf("Build drop seccomp filter\n");
+ printf("Build keep seccomp filter\n");
 // build the seccomp filter as a regular user
- sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+
+ if (rv) {
+ fprintf(stderr, "Error: cannot configure seccomp filter\n");
+ exit(rv);
+ }
+
 if (arg_debug)
 printf("seccomp filter configured\n");
+ // load the filter
+ if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+ if (arg_debug)
+ printf("seccomp filter configured\n");
+ }
 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
- sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 struct stat st;
- if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
- sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+ if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
+ printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+ sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+ PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+ }
 }
- return seccomp_load(RUN_SECCOMP_CFG);
+ return 0;
 }
 void seccomp_print_filter(pid_t pid) {
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 0112d8aec..7ae74c340 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
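Review bot: A failing `seccomp_load(RUN_SECCOMP_CFG)` is now silently ignored in `seccomp_filter_keep()`: the new block only prints on success, and the function ends with `return 0;` where it previously returned the load result, so a keep filter that does not load leaves the sandbox running without it and callers can no longer detect that (the old `return seccomp_load(...)` at least let them). The lines just above already treat a failed `sbox_run()` as fatal, and a failed load deserves the same fail-closed handling. On the success path the message `seccomp filter configured` is also printed twice, once after `sbox_run()` and once after the load; one of the two should go. The rewrite below replaces the `// load the filter` block and the final return; the debug print of the postexec filter in between is unchanged.
```c
	// load the filter; a filter that fails to load must not be silently skipped
	if (seccomp_load(RUN_SECCOMP_CFG) != 0) {
		fprintf(stderr, "Error: cannot load seccomp filter %s\n", RUN_SECCOMP_CFG);
		exit(1);
	}
	if (arg_debug)
		printf("seccomp filter loaded\n");

	/* … unchanged: debug print of the postexec filter … */

	return 0;
```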
@@ -188,6 +188,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 // close file
 close(fd);
+#if 0
+// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
+// after running this code. We don't need the postexec filter in this case anyway.
+printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
+system("ls -l /proc/self/fd");
+printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
 // open file for post-exec filter
 fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (fd < 0) {
@@ -207,6 +213,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 // close file
 close(fd);
+printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+system("ls -l /proc/self/fd");
+printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+#endif
 }
 void memory_deny_write_execute(const char *fname) {
-- 
cgit v1.2.3-54-g00ecf
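Review bot: Wrapping the post-exec filter write in `#if 0` (opened in this hunk, closed in the second hunk of this file) leaves `seccomp_keep()` with a contract its signature no longer honours: `fname2` is still a parameter and src/firejail/seccomp.c still passes `RUN_SECCOMP_POSTEXEC`, but the file is never created, the parameter is unused outside the disabled region, and the debug branch in `seccomp_filter_keep()` that stats `RUN_SECCOMP_POSTEXEC` may then report a stale file left by an earlier run or by another filter mode, if that path is shared between modes (not visible here). The comment about `/proc/self/fd` showing no files records a problem rather than a diagnosis, and the `printf`/`system` lines around it are debug scaffolding that should not ship even when disabled. If keep mode genuinely needs no post-exec filter, delete the disabled code outright, add `(void) fname2; // keep mode produces no post-exec filter` after the first `close(fd);`, and state in the function's header comment that only `fname1` is written in this mode; if the fd problem is real, it needs to be understood before the filter is dropped. `seccomp_keep()` starts outside the hunk.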