From 533242ac32590a47e76fc1ef5bfe48f32e1f131f Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 20 Jun 2021 13:29:48 +0200
Subject: augment seccomp lists in firejail.config

---
 src/firejail/checkcfg.c | 5 +++++
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 11 ++++++++++-
 src/firejail/seccomp.c | 5 +++--
 src/man/firejail.txt | 6 ++++++
 5 files changed, 25 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 6726abdc8..12b5fc683 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;

 int checkcfg(int val) {
@@ -222,6 +223,10 @@ int checkcfg(int val) {
 else if (strncmp(ptr, "join-timeout ", 13) == 0)
 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds

+ // add rules to default seccomp filter
+ else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+ config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
 // seccomp error action
 else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
 if (strcmp(ptr + 21, "kill") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1da70fd54..60d178f1e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -789,6 +789,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;

 int checkcfg(int val);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 089d80a68..d46a56627 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
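Review bot: `config_seccomp_filter_add = seccomp_check_list(ptr + 19);` stores whatever seccomp_check_list() returns without any note on its lifetime or accepted format; if that helper hands back a pointer into the parsed line rather than a copy (its definition is not in this diff), the global would dangle after checkcfg() returns, and a repeated `seccomp-filter-add` line silently replaces the earlier value. A one-line comment on the new global would settle both: `char *config_seccomp_filter_add = NULL; // syscall list appended to the default seccomp filter (firejail.config "seccomp-filter-add"); last occurrence wins`. Because the accepted syntax is delegated to seccomp_check_list(), the comment should also say whether `!name` entries (documented for --seccomp= in the man page) are accepted here, since that would let the system-wide config remove syscalls from the default filter rather than only add to it. checkcfg() starts and ends outside this hunk.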
@@ -961,7 +961,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
 char *prelist, *postlist;

- if (list) {
+ if (list && list[0]) {
 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
 if (postlist)
 return 1;
@@ -2855,6 +2855,15 @@ int main(int argc, char **argv, char **envp) {
 // check network configuration options - it will exit if anything went wrong
 net_check_cfg();

+ // customization of default seccomp filter
+ if (config_seccomp_filter_add) {
+ if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+ profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+ if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+ profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+ }
+
 if (arg_seccomp)
 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 9670fe816..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
 // - seccomp
 if (cfg.seccomp_list_drop == NULL) {
 // default seccomp if error action is not changed
- if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+ if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+ && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
 }
 // build the seccomp filter as a regular user
- if (list)
+ if (list && list[0])
 if (arg_allow_debuggers)
 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3212a88e4..7d7a1eb31 100644
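Review bot: The new block in main() skips the augmentation whenever `cfg.seccomp_list_keep` or `cfg.seccomp_list_drop` (or the 32-bit counterparts) is set, so a profile or command line using seccomp.keep/seccomp.drop never receives the `seccomp-filter-add` entries, and the comment `// customization of default seccomp filter` does not say so; replace it with `// seccomp-filter-add only extends the default list: seccomp.keep and seccomp.drop supply their own list and are left untouched`. `profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add)` is reached while `cfg.seccomp_list` may still be NULL (the seccomp.c hunk tests exactly that state for a bare --seccomp), so the helper, which is not in this diff, must accept a NULL *list and allocate — worth confirming or guarding here. The same empty-string guard now appears in check_postexec() (`list && list[0]`) and twice in seccomp_filter_drop(); if an empty list can only come from one producer, normalizing it to NULL there would let all three return to a plain NULL test. main() and seccomp_filter_drop() both start and end outside their hunks.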
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2209,6 +2209,12 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
 Enable seccomp filter, whitelist "syscall2", but blacklist the default
--
cgit v1.2.3-70-g09d2