From 0040969e439dbddb76bc190900b453b71e895068 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 31 Jan 2021 00:15:31 +0200
Subject: Seccomp error action fixes

fsec-optimize: Optimize BPF with current seccomp error action, not just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters, rebuild filters if the error action is changed

Closes: #3933
Signed-off-by: Topi Miettinen
---
 src/include/seccomp.h | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

(limited to 'src/include')

diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 90db16d39..b3b75c2d1 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -201,7 +201,7 @@
 #define VALIDATE_ARCHITECTURE_KILL \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+	KILL_OR_RETURN_ERRNO
 
 #define VALIDATE_ARCHITECTURE_64 \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
@@ -222,11 +222,7 @@
 #define HANDLE_X32 \
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-	RETURN_ERRNO(EPERM)
-#define HANDLE_X32_KILL \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+	KILL_OR_RETURN_ERRNO
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -258,6 +254,8 @@
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
 extern int arg_seccomp_error_action; // error action: errno, log or kill
 
+#define DEFAULT_SECCOMP_ERROR_ACTION EPERM
+
 #define KILL_OR_RETURN_ERRNO \
 	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
-- 
cgit v1.2.3-70-g09d2
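Review bot: `VALIDATE_ARCHITECTURE_KILL` no longer kills unconditionally: the replaced return statement now yields `arg_seccomp_error_action`, which the comment further down this header says may be errno, log or kill, so the macro's name now promises more than its body delivers. Under an errno action a wrong-architecture syscall is still denied, but if the log action maps to SECCOMP_RET_LOG the syscall is allowed after logging, which is weaker than the unconditional kill this macro used to guarantee; that trade-off deserves a comment above the macro, e.g. `/* arch mismatch: denied with the configured error action (kill/errno/log), no longer an unconditional kill */`. The same applies to HANDLE_X32 in the next hunk. Every translation unit that expands either macro now also needs a linked definition of arg_seccomp_error_action, which this header only declares.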
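Review bot: `HANDLE_X32_KILL` is deleted from a shared header while `HANDLE_X32` takes over both roles, so any translation unit still expanding the old name stops compiling. The diffstat covers only src/include/seccomp.h and the listing is marked as limited to that directory, so the caller updates the commit message describes for firejail and fseccomp are outside this view; presumably they land in the same commit, which is worth confirming before merging. A one-line comment on HANDLE_X32 noting that it replaced HANDLE_X32_KILL, e.g. `/* replaces HANDLE_X32_KILL: the deny action is now arg_seccomp_error_action */`, would spare the next reader a history search.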
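Review bot: `DEFAULT_SECCOMP_ERROR_ACTION` expands to a bare errno number (`EPERM`), yet it is placed directly beside `KILL_OR_RETURN_ERRNO`, which feeds `arg_seccomp_error_action` straight into `BPF_RET+BPF_K` as a complete seccomp return value, and beside `RETURN_ERRNO`, which ORs the errno into `SECCOMP_RET_ERRNO` first. The name reads as an action value, so a caller that assigns it to `arg_seccomp_error_action` without the `SECCOMP_RET_ERRNO |` wrapping would install a filter whose return code seccomp does not interpret as an errno return; how the consumers handle this is not visible here. Either document the contract next to the define, e.g. `// errno number only; store SECCOMP_RET_ERRNO | DEFAULT_SECCOMP_ERROR_ACTION in arg_seccomp_error_action`, or define the macro as the full return value so the two cannot be confused.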