From 39f9b1a2229f8624f92bdcf823ef755c15e28de2 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 25 Aug 2019 18:37:05 +0300
Subject: Allow exceptions to seccomp lists

Prefix ! can be used to make exceptions to system call blacklists and whitelists used by seccomp, seccomp.drop and seccomp.keep.

Closes #1366
---
 src/fseccomp/seccomp.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/fseccomp/seccomp.c')

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 2a719725e..95c20d388 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -80,6 +80,10 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
 // build pre-exec filter: don't blacklist any syscalls in @default-keep
 filter_init(fd);
+
+ // allow exceptions in form of !syscall
+ syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+
 char *prelist, *postlist;
 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
 if (prelist)
@@ -128,6 +132,10 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 // build pre-exec filter: blacklist @default, don't blacklist
 // any listed syscalls in @default-keep
 filter_init(fd);
+
+ // allow exceptions in form of !syscall
+ syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+
 add_default_list(fd, allow_debuggers);
 char *prelist, *postlist;
 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
@@ -175,6 +183,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 // build pre-exec filter: whitelist also @default-keep
 filter_init(fd);
+
+ // allow exceptions in form of !syscall
+ syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);
+
 // these syscalls are used by firejail after the seccomp filter is initialized
 int r;
 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
--
cgit v1.2.3-54-g00ecf
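Review bot: The result of the new `syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);` in seccomp_drop is discarded, while the existing call visible in the seccomp_keep hunk (`r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);`) stores its result, which suggests the function does report failures such as an unrecognised name after `!`. An exception that fails to apply without any diagnostic leaves the filter silently different from what the profile asked for; in keep mode (third hunk) that direction is fail-open, since the syscall the profile tried to exclude stays whitelisted. The same discarded result appears in the seccomp_default_drop and seccomp_keep hunks; check it in all three, e.g. `if (syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL)) { /* report and handle like the other r checks in this file — confirm convention */ }`. The bodies of all three functions start and end outside their hunks.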
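Review bot: In seccomp_default_drop the exception whitelist is emitted before `add_default_list(fd, allow_debuggers);`, so if filter_add_* append rules in order and the first match wins (as a seccomp filter would; confirm against filter_init/filter_add_*), a `!syscall` entry re-enables a syscall even when it is on the @default blocklist, not only when it is on the user's own list. That is a wider privilege than the commit message ("exceptions to system call blacklists and whitelists") makes explicit, and a profile author reading `seccomp !name` may not expect it to punch through @default. The comment should state the precedence, e.g. `// allow exceptions in form of !syscall; added first so they override @default and the list below`, and the user-facing documentation for seccomp should say the same.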
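Review bot: In seccomp_keep the `!syscall` blacklist is added before the @default-keep whitelist whose own context comment says those syscalls "are used by firejail after the seccomp filter is initialized", so, assuming rule order decides (verify), an exception naming one of them blocks firejail's post-filter work rather than just the sandboxed program. Either document that this is deliberate, `// NOTE: exceptions precede @default-keep, so '!name' can block a syscall firejail itself needs after filter init`, or emit the exceptions after the @default-keep whitelist so the mandatory set cannot be removed by a profile. Whichever is chosen, the behaviour should be stated next to the call rather than left implicit in rule ordering.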