From 0040969e439dbddb76bc190900b453b71e895068 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 31 Jan 2021 00:15:31 +0200
Subject: Seccomp error action fixes
fsec-optimize: Optimize BPF with current seccomp error action, not just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters, rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen
---
src/fsec-optimize/Makefile.in | 2 +-
src/fsec-optimize/main.c | 17 +++++++++++++++++
src/fsec-optimize/optimizer.c | 6 +++---
3 files changed, 21 insertions(+), 4 deletions(-)
(limited to 'src/fsec-optimize')
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index b6a28fdd8..cc5ac7e35 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -6,7 +6,7 @@ include ../common.mk
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 74aebc9e0..c64587068 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -18,6 +18,9 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fsec_optimize.h"
+#include "../include/syscall.h"
+
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 static void usage(void) {
 printf("Usage:\n");
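Review bot: The link recipe now pulls in `../lib/errno.o`, but the unchanged prerequisite line `fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o` still does not list it, so a rebuilt errno.o will not cause fsec-optimize to be relinked, and in a parallel build the link step may run before errno.o exists (the latter depends on how the top-level Makefile orders ../lib, which is outside this diff). Keep the recipe and prerequisites in step: `fsec-optimize: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/libnetlink.o`.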
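Review bot: The new non-static global `arg_seccomp_error_action` on the last added line of the hunk is the value that optimizer.c both matches in `is_blacklist` and writes into the merged `BPF_RET` instruction, yet its only documentation is `// error action: errno, log or kill`, which says nothing about its encoding or who sets it. Document the contract at the definition: `// BPF return value (k) for denied syscalls: SECCOMP_RET_KILL, SECCOMP_RET_LOG, or SECCOMP_RET_ERRNO | errno; set from FIREJAIL_SECCOMP_ERROR_ACTION in main(). Declared int so that errno_find_name()'s -1 sentinel fits; cast to __u32 when compared with or stored in a sock_filter.` It presumably has to equal the action the input filter was built with, since is_blacklist recognises deny blocks only by this exact k value; if so, say that in the comment as well.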
@@ -46,6 +49,20 @@
 printf("\n");
 warn_dumpable();
+ char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+ if (error_action) {
+ if (strcmp(error_action, "kill") == 0)
+ arg_seccomp_error_action = SECCOMP_RET_KILL;
+ else if (strcmp(error_action, "log") == 0)
+ arg_seccomp_error_action = SECCOMP_RET_LOG;
+ else {
+ arg_seccomp_error_action = errno_find_name(error_action);
+ if (arg_seccomp_error_action == -1)
+ errExit("seccomp-error-action: unknown errno");
+ arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+ }
+ }
+
 char *fname = argv[1];
 // open input file
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index 776beaa75..eb777f13b 100644
--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -33,7 +33,7 @@ static inline int is_blacklist(struct sock_filter *bpf) {
 if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
 (bpf + 1)->code == BPF_RET + BPF_K &&
- (bpf + 1)->k == SECCOMP_RET_KILL )
+ (bpf + 1)->k == (__u32)arg_seccomp_error_action)
 return 1;
 return 0;
 }
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) {
 }
 }
- // step 3: add the new ret KILL, and recalculate entries
+ // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
 filter_step2[j].code = BPF_RET + BPF_K;
- filter_step2[j].k = SECCOMP_RET_KILL;
+ filter_step2[j].k = arg_seccomp_error_action;
 entries = j + 1;
 // step 4: recalculate jumps
-- cgit v1.2.3-54-g00ecf
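Review bot: `errExit("seccomp-error-action: unknown errno")` on the unknown-name branch is reached without any failed libc call, so if `errExit` appends `strerror(errno)` as its name suggests (its definition is not in this diff), the diagnostic will carry a stale errno text unrelated to the rejected value, and it never shows which string was rejected. A plain `fprintf(stderr, "Error: seccomp-error-action: unknown errno %s\n", error_action); exit(1);` reports the actual problem. The commit message says fseccomp and firejail now honour the same kill/log/errno-name setting, so this parsing block likely duplicates logic that belongs in ../lib next to `errno_find_name()`, returning the packed value or -1. The enclosing `main()` begins and ends outside the hunk.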
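Review bot: The comparison in `is_blacklist` now casts `arg_seccomp_error_action` to `__u32` to match `(bpf + 1)->k`, but the sibling hunk at `@@ -89,9 +89,9 @@` assigns the same `int` to `filter_step2[j].k` with no cast, so the two uses of the value are written differently and the assignment is an implicit signed-to-unsigned conversion that `-Wsign-conversion` flags. Make the store match the comparison: `filter_step2[j].k = (__u32)arg_seccomp_error_action;`. Note that after this change a block ending in `RET SECCOMP_RET_KILL` is no longer recognised when the configured action is errno or log, which is presumably intended since fseccomp emits the configured action, but it is worth a comment on `is_blacklist` saying only blocks carrying the current error action are merged. `is_blacklist` is complete within its hunk; `optimize_blacklists` in the second hunk starts and ends outside it.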