From d382f230ed46004d81b60b97ddc79380632688d1 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 6 Aug 2017 23:20:34 +0300
Subject: Seccomp: split @default into more meaningful smaller groups

---
 src/fseccomp/syscall.c | 354 ++++++++++++++++++++++++++-----------------------
 src/man/firejail.txt | 9 +-
 2 files changed, 196 insertions(+), 167 deletions(-)

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index ecf057ee0..5893a2ea8 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -41,78 +41,81 @@ static const SyscallEntry syslist[] = {
 }; // end of syslist
 
 static const SyscallGroupList sysgroups[] = {
- { .name = "@default", .list =
-#ifdef SYS_mount
- "mount,"
-#endif
-#ifdef SYS_umount2
- "umount2,"
-#endif
-#ifdef SYS_kexec_load
- "kexec_load,"
-#endif
-#ifdef SYS_kexec_file_load
- "kexec_file_load,"
-#endif
-#ifdef SYS_open_by_handle_at
- "open_by_handle_at,"
-#endif
-#ifdef SYS_name_to_handle_at
- "name_to_handle_at,"
+ { .name = "@clock", .list =
+#ifdef SYS_adjtimex
+ "adjtimex,"
 #endif
-#ifdef SYS_init_module
- "init_module,"
+#ifdef SYS_clock_adjtime
+ "clock_adjtime,"
 #endif
-#ifdef SYS_finit_module
- "finit_module,"
+#ifdef SYS_clock_settime
+ "clock_settime,"
 #endif
-#ifdef SYS_create_module
- "create_module,"
+#ifdef SYS_settimeofday
+ "settimeofday,"
 #endif
-#ifdef SYS_delete_module
- "delete_module,"
+#ifdef SYS_stime
+ "stime"
 #endif
-#ifdef SYS_iopl
- "iopl,"
+ },
+ { .name = "@cpu-emulation", .list =
+#ifdef SYS_modify_ldt
+ "modify_ldt,"
 #endif
-#ifdef SYS_ioperm
- "ioperm,"
+#ifdef SYS_subpage_prot
+ "subpage_prot,"
 #endif
-#ifdef SYS_ioprio_set
- "ioprio_set,"
+#ifdef SYS_switch_endian
+ "switch_endian,"
 #endif
-#ifdef SYS_ni_syscall
- "ni_syscall,"
+#ifdef SYS_vm86
+ "vm86,"
 #endif
-#ifdef SYS_swapon
- "swapon,"
+#ifdef SYS_vm86old
+ "vm86old"
 #endif
-#ifdef SYS_swapoff
- "swapoff,"
+ },
+ { .name = "@debug", .list =
+#ifdef SYS_lookup_dcookie
+ "lookup_dcookie,"
 #endif
-#ifdef SYS_syslog
- "syslog,"
+#ifdef SYS_perf_event_open
+ "perf_event_open,"
 #endif
 #ifdef SYS_process_vm_writev
 "process_vm_writev,"
 #endif
-#ifdef SYS_sysfs
- "sysfs,"
+#ifdef SYS_rtas
+ "rtas,"
 #endif
-#ifdef SYS__sysctl
- "_sysctl,"
+#ifdef SYS_s390_runtime_instr
+ "s390_runtime_instr,"
 #endif
-#ifdef SYS_adjtimex
- "adjtimex,"
+#ifdef SYS_sys_debug_setcontext
+ "sys_debug_setcontext,"
 #endif
-#ifdef SYS_clock_adjtime
- "clock_adjtime,"
+ },
+ { .name = "@default", .list =
+ "@cpu-emulation,"
+ "@debug,"
+ "@module,"
+ "@obsolete,"
+ "@privileged,"
+ "@resources,"
+#ifdef SYS_open_by_handle_at
+ "open_by_handle_at,"
 #endif
-#ifdef SYS_lookup_dcookie
- "lookup_dcookie,"
+#ifdef SYS_name_to_handle_at
+ "name_to_handle_at,"
 #endif
-#ifdef SYS_perf_event_open
- "perf_event_open,"
+#ifdef SYS_ioprio_set
+ "ioprio_set,"
+#endif
+#ifdef SYS_ni_syscall
+ "ni_syscall,"
+#endif
+#ifdef SYS_syslog
+ "syslog,"
 #endif
 #ifdef SYS_fanotify_init
 "fanotify_init,"
@@ -129,18 +132,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_keyctl
 "keyctl,"
 #endif
-#ifdef SYS_uselib
- "uselib,"
-#endif
-#ifdef SYS_acct
- "acct,"
-#endif
-#ifdef SYS_modify_ldt
- "modify_ldt,"
-#endif
-#ifdef SYS_pivot_root
- "pivot_root,"
-#endif
 #ifdef SYS_io_setup
 "io_setup,"
 #endif
@@ -159,71 +150,49 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
 "remap_file_pages,"
 #endif
-#ifdef SYS_mbind
- "mbind,"
-#endif
-#ifdef SYS_set_mempolicy
- "set_mempolicy,"
-#endif
-#ifdef SYS_migrate_pages
- "migrate_pages,"
-#endif
-#ifdef SYS_move_pages
- "move_pages,"
-#endif
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
-#ifdef SYS_chroot
- "chroot,"
-#endif
-#ifdef SYS_tuxcall
- "tuxcall,"
-#endif
-#ifdef SYS_reboot
- "reboot,"
-#endif
-#ifdef SYS_nfsservctl
- "nfsservctl,"
-#endif
-#ifdef SYS_get_kernel_syms
- "get_kernel_syms,"
-#endif
-#ifdef SYS_bpf
- "bpf,"
-#endif
-#ifdef SYS_clock_settime
- "clock_settime,"
-#endif
 #ifdef SYS_personality
 "personality,"
 #endif
-#ifdef SYS_process_vm_writev
- "process_vm_writev,"
-#endif
-#ifdef SYS_query_module
- "query_module,"
-#endif
-#ifdef SYS_settimeofday
- "settimeofday,"
-#endif
-#ifdef SYS_stime
- "stime,"
-#endif
 #ifdef SYS_umount
 "umount,"
 #endif
 #ifdef SYS_userfaultfd
- "userfaultfd,"
+ "userfaultfd"
 #endif
-#ifdef SYS_ustat
- "ustat,"
+ },
+ { .name = "@default-nodebuggers", .list =
+ "@default,"
+#ifdef SYS_ptrace
+ "ptrace,"
 #endif
-#ifdef SYS_vm86
- "vm86,"
+#ifdef SYS_process_vm_readv
+ "process_vm_readv"
 #endif
-#ifdef SYS_vm86old
- "vm86old,"
+ },
+ { .name = "@default-keep", .list =
+ "dup,"
+ "prctl,"
+ "setgid,"
+ "setgroups,"
+ "setuid"
+ },
+ { .name = "@module", .list =
+#ifdef SYS_delete_module
+ "delete_module,"
+#endif
+#ifdef SYS_finit_module
+ "finit_module,"
+#endif
+#ifdef SYS_init_module
+ "init_module"
+#endif
+ },
+ { .name = "@obsolete", .list =
+#ifdef SYS__sysctl
+ "_sysctl,"
 #endif
 #ifdef SYS_afs_syscall
 "afs_syscall,"
@@ -234,9 +203,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_break
 "break,"
 #endif
+#ifdef SYS_create_module
+ "create_module,"
+#endif
 #ifdef SYS_ftime
 "ftime,"
 #endif
+#ifdef SYS_get_kernel_syms
+ "get_kernel_syms,"
+#endif
 #ifdef SYS_getpmsg
 "getpmsg,"
 #endif
@@ -249,15 +224,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_mpx
 "mpx,"
 #endif
-#ifdef SYS_pciconfig_iobase
- "pciconfig_iobase,"
-#endif
-#ifdef SYS_pciconfig_read
- "pciconfig_read,"
-#endif
-#ifdef SYS_pciconfig_write
- "pciconfig_write,"
-#endif
 #ifdef SYS_prof
 "prof,"
 #endif
@@ -267,27 +233,12 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_putpmsg
 "putpmsg,"
 #endif
-#ifdef SYS_rtas
- "rtas,"
-#endif
-#ifdef SYS_s390_runtime_instr
- "s390_runtime_instr,"
-#endif
-#ifdef SYS_s390_mmio_read
- "s390_mmio_read,"
-#endif
-#ifdef SYS_s390_mmio_write
- "s390_mmio_write,"
+#ifdef SYS_query_module
+ "query_module,"
 #endif
 #ifdef SYS_security
 "security,"
 #endif
-#ifdef SYS_setdomainname
- "setdomainname,"
-#endif
-#ifdef SYS_sethostname
- "sethostname,"
-#endif
 #ifdef SYS_sgetmask
 "sgetmask,"
 #endif
@@ -297,40 +248,117 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_stty
 "stty,"
 #endif
-#ifdef SYS_subpage_prot
- "subpage_prot,"
-#endif
-#ifdef SYS_switch_endian
- "switch_endian,"
+#ifdef SYS_sysfs
+ "sysfs,"
 #endif
-#ifdef SYS_sys_debug_setcontext
- "sys_debug_setcontext,"
+#ifdef SYS_tuxcall
+ "tuxcall,"
 #endif
 #ifdef SYS_ulimit
 "ulimit,"
 #endif
-#ifdef SYS_vhangup
- "vhangup,"
+#ifdef SYS_uselib
+ "uselib,"
+#endif
+#ifdef SYS_ustat
+ "ustat,"
 #endif
 #ifdef SYS_vserver
 "vserver"
 #endif
 },
- { .name = "@default-nodebuggers", .list =
- "@default,"
-#ifdef SYS_ptrace
- "ptrace,"
+ { .name = "@privileged", .list =
+ "@clock,"
+ "@module,"
+ "@raw-io,"
+ "@reboot,"
+ "@swap,"
+#ifdef SYS_acct
+ "acct,"
 #endif
-#ifdef SYS_process_vm_readv
- "process_vm_readv"
+#ifdef SYS_bpf
+ "bpf,"
+#endif
+#ifdef SYS_chroot
+ "chroot,"
+#endif
+#ifdef SYS_mount
+ "mount,"
+#endif
+#ifdef SYS_nfsservctl
+ "nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+ "pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+ "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+ "sethostname,"
+#endif
+#ifdef SYS_umount2
+ "umount2,"
+#endif
+#ifdef SYS_vhangup
+ "vhangup"
 #endif
 },
- { .name = "@default-keep", .list =
- "dup,"
- "prctl,"
- "setgid,"
- "setgroups,"
- "setuid"
+ { .name = "@raw-io", .list =
+#ifdef SYS_ioperm
+ "ioperm,"
+#endif
+#ifdef SYS_iopl
+ "iopl,"
+#endif
+#ifdef SYS_pciconfig_iobase
+ "pciconfig_iobase,"
+#endif
+#ifdef SYS_pciconfig_read
+ "pciconfig_read,"
+#endif
+#ifdef SYS_pciconfig_write
+ "pciconfig_write,"
+#endif
+#ifdef SYS_s390_mmio_read
+ "s390_mmio_read,"
+#endif
+#ifdef SYS_s390_mmio_write
+ "s390_mmio_write"
+#endif
+ },
+ { .name = "@reboot", .list =
+#ifdef SYS_kexec_load
+ "kexec_load,"
+#endif
+#ifdef SYS_kexec_file_load
+ "kexec_file_load,"
+#endif
+#ifdef SYS_reboot
+ "reboot,"
+#endif
+ },
+ { .name = "@resources", .list =
+#ifdef SYS_set_mempolicy
+ "set_mempolicy,"
+#endif
+#ifdef SYS_migrate_pages
+ "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+ "move_pages,"
+#endif
+#ifdef SYS_mbind
+ "mbind"
+#endif
+ },
+ { .name = "@swap", .list =
+#ifdef SYS_swapon
+ "swapon,"
+#endif
+#ifdef SYS_swapoff
+ "swapoff"
+#endif
 }
 };
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index a03556caf..bf18167b2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1501,10 +1501,11 @@ ulimit, vhangup and vserver. .br To help creating useful seccomp filters more easily, the following -system call groups are defined: @default, @default-nodebuggers and -@default-keep. In addtion, a system call can be specified by its -number instead of name with prefix $, so for example $165 would be -equal to mount on i386. +system call groups are defined: @clock, @cpu-emulation, @debug, +@default, @default-nodebuggers, @default-keep, @module, @obsolete, +@privileged, @raw-io, @reboot, @resources and @swap. In addtion, a +system call can be specified by its number instead of name with prefix +$, so for example $165 would be equal to mount on i386. .br System architecture is not strictly imposed. The filter is applied
-- 
cgit v1.2.3-54-g00ecf