From fb2406ff02ea1e4fe6a5d5840e5e24ad303330aa Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 9 Jul 2016 09:48:17 -0400
Subject: seccomp filter update
---
 RELNOTES | 1 +
 src/firejail/seccomp.c | 18 ++++++++++++++++++
 src/man/firejail-profile.txt | 10 +---------
 src/man/firejail.txt | 4 ++--
 todo | 4 +---
 5 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index f93237d43..2ff5ae16c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low
  * Sandbox auditing support (--audit)
  * include /dev/snd in --private-dev
  * added mkfile profile command
+ * seccomp filter updated
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
  * some profiles have been converted to private-bin
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7108b5a05..efe24a211 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) {
  BLACKLIST(52), // umount2
  BLACKLIST(26), // ptrace
  BLACKLIST(283), // kexec_load
+ BLACKLIST(341), // name_to_handle_at
  BLACKLIST(342), // open_by_handle_at
+ BLACKLIST(127), // create_module
  BLACKLIST(128), // init_module
  BLACKLIST(350), // finit_module
  BLACKLIST(129), // delete_module
  BLACKLIST(110), // iopl
  BLACKLIST(101), // ioperm
+ BLACKLIST(289), // ioprio_set
  BLACKLIST(87), // swapon
  BLACKLIST(115), // swapoff
  BLACKLIST(103), // syslog
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) {
  BLACKLIST(88), // reboot
  BLACKLIST(169), // nfsservctl
  BLACKLIST(130), // get_kernel_syms
+ RETURN_ALLOW
 };
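Review bot: The three new entries `BLACKLIST(341)`, `BLACKLIST(127)` and `BLACKLIST(289)` in hunk `@@ -334,12 +334,15 @@` are bare i386 syscall numbers whose only documentation is the trailing comment, and the same three syscalls are added again by hand as x86-64 numbers in `seccomp_filter_64()` (hunk `@@ -403,11 +407,14 @@`) and as `SYS_*` macros in `seccomp_filter_drop()` (hunks `@@ -493` and `@@ -508`), with nothing in the code tying the three lists together. The values here do match the upstream x86 tables, so this is a maintainability point: a typo in one table is not caught by the compiler and simply leaves that syscall allowed on that ABI, which a comment at the head of this table (outside the hunk) would at least warn about, e.g. `// i386 syscall numbers from the kernel's syscall_32.tbl; keep in step with seccomp_filter_64() and the SYS_* list in seccomp_filter_drop()`. The two tables also order the new entries differently — `name_to_handle_at` is placed before `open_by_handle_at` here and after it in the 64-bit table — and matching the order would make a side-by-side check of the numbers easier. `seccomp_filter_32()` and the array it fills start before this hunk.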
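Review bot: The `RETURN_ALLOW` added at the end of the table in hunk `@@ -376,6 +379,7 @@` carries no comment, and neither the hunk nor the RELNOTES line says whether it is a fix or a policy change. If `BLACKLIST()` expands to the usual compare-then-kill pair (its definition is outside this diff), the table previously ended on a conditional jump whose fall-through target lay one past the end of the program, which the kernel's classic-BPF checker rejects at install time, so before this commit this filter presumably could not be loaded at all. That is worth recording on the line, e.g. `RETURN_ALLOW // the program must end in a return: allow anything not matched above`, and in RELNOTES as a fix rather than an "update". The same line is added to the 64-bit table in hunk `@@ -445,6 +452,7 @@`. The array and the rest of `seccomp_filter_32()` start outside this hunk.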
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) {
  BLACKLIST(101), // ptrace
  BLACKLIST(246), // kexec_load
  BLACKLIST(304), // open_by_handle_at
+ BLACKLIST(303), // name_to_handle_at
+ BLACKLIST(174), // create_module
  BLACKLIST(175), // init_module
  BLACKLIST(313), // finit_module
  BLACKLIST(176), // delete_module
  BLACKLIST(172), // iopl
  BLACKLIST(173), // ioperm
+ BLACKLIST(251), // ioprio_set
  BLACKLIST(167), // swapon
  BLACKLIST(168), // swapoff
  BLACKLIST(103), // syslog
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) {
  BLACKLIST(169), // reboot
  BLACKLIST(180), // nfsservctl
  BLACKLIST(177), // get_kernel_syms
+ RETURN_ALLOW
 };
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_open_by_handle_at
  filter_add_blacklist(SYS_open_by_handle_at, 0);
 #endif
+#ifdef SYS_name_to_handle_at
+ filter_add_blacklist(SYS_name_to_handle_at, 0);
+#endif
 #ifdef SYS_init_module
  filter_add_blacklist(SYS_init_module, 0);
 #endif
 #ifdef SYS_finit_module // introduced in 2013
  filter_add_blacklist(SYS_finit_module, 0);
 #endif
+#ifdef SYS_create_module
+ filter_add_blacklist(SYS_create_module, 0);
+#endif
 #ifdef SYS_delete_module
  filter_add_blacklist(SYS_delete_module, 0);
 #endif
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_ioperm
  filter_add_blacklist(SYS_ioperm, 0);
 #endif
+#ifdef SYS_ioprio_set
+ filter_add_blacklist(SYS_ioprio_set, 0);
+#endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
  filter_add_blacklist(SYS_ni_syscall, 0);
 #endif
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #ifdef SYS_get_kernel_syms
  filter_add_blacklist(SYS_get_kernel_syms, 0);
 #endif
+
 }
 // default seccomp filter with additional drop list
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9c416b0f3..98fa17908 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
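Review bot: In hunks `@@ -493,12 +501,18 @@` and `@@ -508,6 +522,9 @@` the new `#ifdef SYS_name_to_handle_at`, `#ifdef SYS_create_module` and `#ifdef SYS_ioprio_set` guards follow the file's existing pattern of silently leaving a syscall out of the default drop list whenever the libc headers do not define the macro, so on such a build the call stays allowed and nothing in the build output or at run time says so. A build-time notice on an `#else` branch would at least make the gap visible, e.g. `#else` / `#warning "SYS_name_to_handle_at undefined: not in default seccomp filter"` (GCC/Clang), or failing that a comment at the head of the `SYS_*` list stating that an undefined macro means the syscall is not filtered. `create_module` has not been implemented by the kernel for many years even though its number is still reserved, which is worth a note next to its guard in the style of the existing `// introduced in 2013` on `SYS_finit_module`. `seccomp_filter_drop()` starts and ends outside these hunks; the trailing `@@ -648,6 +665,7 @@` hunk only adds whitespace.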
@@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR, \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
-tuxcall, reboot, mfsservctl and get_kernel_syms.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e915ab6cb..cb555980d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,8 +1206,8 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
diff --git a/todo b/todo
index 0a76cd850..8f27fb26a 100644
--- a/todo
+++ b/todo
@@ -164,12 +164,10 @@ $ vblank_mode=0 glxgears
 18. Add nosound in all profiles with private-dev (including server.profile) test hedgewars!
-19. new syscalls:
+19. new syscalls in 0.9.41: create_module name_to_handle_at ioprio_set,
-
-???
 146 - sched_get_priority_max
 147 - sched_get_priority_min
 204 - sched_getaffinity
-- 
cgit v1.2.3-54-g00ecf