From e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 23 Aug 2017 13:12:28 -0400
Subject: enforce seccomp

---
 src/firejail/firejail.h | 2 +-
 src/firejail/sandbox.c | 30 +++++++++++------------------
 src/firejail/seccomp.c | 14 ++++++++------
 3 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 71c5ae87c..435b9527d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -541,7 +541,7 @@ void fs_private_home_list(void);
 char *seccomp_check_list(const char *str);
 int seccomp_install_filters(void);
 int seccomp_load(const char *fname);
-int seccomp_filter_drop(int enforce_seccomp);
+int seccomp_filter_drop(void);
 int seccomp_filter_keep(void);
 void seccomp_print_filter(pid_t pid);
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 853555581..3718004a5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -45,6 +45,12 @@
 #endif
 #include
 
+
+#ifdef HAVE_SECCOMP
+int enforce_seccomp = 0;
+#endif
+
+
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
 if (!arg_quiet) {
@@ -459,6 +465,7 @@ static void enforce_filters(void) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
+ enforce_seccomp = 1;
 if (cfg.seccomp_list_drop) {
 free(cfg.seccomp_list_drop);
 cfg.seccomp_list_drop = NULL;
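Review bot: The added `enforce_seccomp = 1;` in enforce_filters() is unconditional, while the variable it assigns is defined in the @@ -45 hunk only under `#ifdef HAVE_SECCOMP`; unless enforce_filters() is itself compiled only with that macro (its start is above this hunk), a build without seccomp support now fails on an undeclared identifier, which is precisely the case the removed `#ifdef HAVE_SECCOMP` guards around the old assignments handled. Wrapping the assignment the same way, `#ifdef HAVE_SECCOMP` / `enforce_seccomp = 1;` / `#endif`, keeps both configurations building. The new global in @@ -45 also deserves a one-line comment, e.g. `// set by enforce_filters(): a kernel without seccomp is then fatal instead of a warning`, since its only reader lives in another translation unit.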
@@ -681,27 +688,16 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
-#ifdef HAVE_SECCOMP
- int enforce_seccomp = 0;
-#endif
- if (arg_appimage) {
+ if (arg_appimage)
 enforce_filters();
-#ifdef HAVE_SECCOMP
- enforce_seccomp = 1;
-#endif
- }
 
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
 
 // force caps and seccomp if not started as root
- if (getuid() != 0) {
+ if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
- enforce_seccomp = 1;
-#endif
- }
 else
 arg_seccomp = 1;
 
@@ -717,12 +713,8 @@ int sandbox(void* sandbox_arg) {
 if (arg_overlay) {
 fs_overlayfs();
 // force caps and seccomp if not started as root
- if (getuid() != 0) {
+ if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
- enforce_seccomp = 1;
-#endif
- }
 else
 arg_seccomp = 1;
 }
@@ -1004,7 +996,7 @@ int sandbox(void* sandbox_arg) {
 if (cfg.seccomp_list_keep)
 seccomp_filter_keep();
 else
- seccomp_filter_drop(enforce_seccomp);
+ seccomp_filter_drop();
 }
 
 if (arg_debug) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index bd57cff42..7b45e2574 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -30,8 +30,8 @@ typedef struct filter_list {
 } FilterList;
 
 static FilterList *filter_list_head = NULL;
-
 static int err_printed = 0;
+extern int enforce_seccomp;
 
 char *seccomp_check_list(const char *str) {
 assert(str);
@@ -73,6 +73,12 @@ int seccomp_install_filters(void) {
 printf("Installing %s seccomp filter\n", fl->fname);
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+
+ if (enforce_seccomp) {
+ fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+ exit(1);
+ }
+
 if (!err_printed)
 fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 err_printed = 1;
 
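Review bot: `extern int enforce_seccomp;` is declared privately in seccomp.c instead of in firejail.h next to the seccomp prototypes this commit already edits, so the compiler never checks the declaration against the definition in sandbox.c and every further reader of the flag would have to repeat the extern. Moving it to the header also makes the coupling visible: the definition in sandbox.c is compiled only under HAVE_SECCOMP, whereas this declaration and its use in the @@ -73 hunk are unconditional, so if seccomp.c is not itself guarded by the same macro the symbol is unresolved at link time. A header line such as `extern int enforce_seccomp;	// defined in sandbox.c, set by enforce_filters()` next to `int seccomp_install_filters(void);` covers both points.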
@@ -159,7 +165,7 @@ static void seccomp_filter_block_secondary(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(int enforce_seccomp) {
+int seccomp_filter_drop(void) {
 // if we have multiple seccomp commands, only one of them is executed
 // in the following order:
 // - seccomp.drop list
@@ -233,10 +239,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
 if (arg_debug)
 printf("seccomp filter configured\n");
 }
- else if (enforce_seccomp) {
- fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
- exit(1);
- }
 
 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
 struct stat st;
-- 
cgit v1.2.3-54-g00ecf
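Review bot: The removed `else if (enforce_seccomp)` branch aborted whenever the preceding condition (whose `if` starts above this hunk) was false, while the replacement check in seccomp_install_filters() (@@ -73) fires only when prctl(PR_SET_SECCOMP) fails; if that condition also covered failing to build or load the filter file, those cases now continue with at most a warning under enforcement instead of exiting, a fail-open regression for the chroot, overlay and appimage paths that enforce_filters() is meant to protect. This needs confirming against the lines above the hunk; if there is such a gap, keep a fatal check at this point for the enforced case rather than relying on the prctl failure alone. seccomp_filter_drop()'s body continues outside the hunk.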