From 64431c712ffb5d4805b61ea740bc9be98cf1b48f Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 20 Nov 2016 07:45:50 -0500
Subject: seccomp work 1
---
 src/firejail/firejail.h | 9 ++++----
 src/firejail/preproc.c | 58 ++++++++++--------------------------------------
 src/firejail/sandbox.c | 4 ----
 src/firejail/seccomp.c | 13 ++++++-----
 src/fseccomp/main.c | 4 ++--
 5 files changed, 26 insertions(+), 62 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2562094d3..2e031ce04 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -47,10 +47,14 @@
 #define RUN_BIN_DIR "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
 #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
 #define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them
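Review bot: The two default-filter macros in the first hunk carry the same comment, so the header does not say that `PATH_SECCOMP_DEFAULT_DEBUG` is the variant selected when `arg_allow_debuggers` is set (see the preproc.c change in this commit). These four `LIBDIR` files become the source of the default filters copied into the sandbox, so the comments should also state the expectation that they are root-owned and not writable by the sandbox user. Suggested wording: `// default filter used with arg_allow_debuggers, built during make` on the debug macro, and one line above the group such as `// prebuilt filters installed under LIBDIR; expected root-owned, copied into RUN_MNT_DIR at sandbox start`.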
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ea4e6743f..d2db7d3dd 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 }
- if (stat(RUN_MNT_DIR, &s)) {
- create_empty_dir_as_root(RUN_MNT_DIR, 0755);
- }
+ if (stat(RUN_MNT_DIR, &s)) {
+ create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+ }
 create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
 tmpfs_mounted = 1;
 fs_logger2("tmpfs", RUN_MNT_DIR);
- // create all seccomp files
- // as root, create RUN_SECCOMP_I386 file
- create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
- if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_AMD64 file
- create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
- if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP file
- create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
- if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_PROTOCOL file
+ //copy defaultl seccomp files
+ copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+ copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+ if (arg_allow_debuggers)
+ copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+ else
+ copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+
+ // as root, create an empty RUN_SECCOMP_PROTOCOL file
 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 errExit("set_perms");
 }
 }
-
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
- struct stat s;
- preproc_mount_mnt_dir();
- if (stat(RUN_CP_COMMAND, &s)) {
- char* fname = realpath("/bin/cp", NULL);
- if (fname == NULL || stat(fname, &s) || is_link(fname)) {
- fprintf(stderr, "Error: invalid /bin/cp\n");
- exit(1);
- }
- int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
- if (rv) {
- fprintf(stderr, "Error: cannot access /bin/cp\n");
- exit(1);
- }
- ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-
- free(fname);
- }
-}
-
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
- unlink(RUN_CP_COMMAND);
-}
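Review bot: The `copy_file()` calls that install the default filters discard the return value, although the `preproc_build_cp_command()` body removed further down in this same hunk treats a non-zero result from that function as fatal. If a prebuilt filter under `LIBDIR` is missing or unreadable, `RUN_SECCOMP_I386`, `RUN_SECCOMP_AMD64` or `RUN_SECCOMP_CFG` may be left absent, and as far as the seccomp.c hunks show, `seccomp_filter_32()`/`seccomp_filter_64()` only print a debug line when `seccomp_load()` succeeds, so the sandbox could start without that filter; whether `copy_file()` or `seccomp_load()` aborts internally is not visible here. The copies should fail closed, as sketched below. Since the secondary filters are no longer generated by the user-run helper, it is also worth confirming whether these files still need to be owned by `getuid()`/`getgid()` rather than root.

```c
	// copy default seccomp files; a sandbox without its filters must not start
	if (copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644) ||
	    copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644) ||
	    copy_file(arg_allow_debuggers ? PATH_SECCOMP_DEFAULT_DEBUG : PATH_SECCOMP_DEFAULT,
	              RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) {
		fprintf(stderr, "Error: cannot install default seccomp filters\n");
		exit(1);
	}

	// … unchanged: empty RUN_SECCOMP_PROTOCOL file creation …
```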
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c2e053b0c..ad77caeb2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // fs pre-processing:
- // - copy some commands under /run
 // - build seccomp filters
 // - create an empty /etc/ld.so.preload
 //****************************
- preproc_build_cp_command();
-
 #ifdef HAVE_SECCOMP
 if (cfg.protocol) {
 if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // fs post-processing
 //****************************
- preproc_delete_cp_command();
 fs_logger_print();
 fs_logger_change_owner();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4a2221e98..30c63d734 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
 return 0;
 }
-
-
-
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
+#if 0
 if (arg_debug)
 printf("Build secondary 32-bit filter\n");
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
 PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
 if (rv)
 exit(rv);
-
+#endif
 if (seccomp_load(RUN_SECCOMP_I386) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
+#if 0
 if (arg_debug)
 printf("Build secondary 64-bit filter\n");
@@ -122,6 +121,7 @@ void seccomp_filter_64(void) {
 PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
 if (rv)
 exit(rv);
+#endif
 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
 if (arg_debug)
@@ -129,7 +129,6 @@ void seccomp_filter_64(void) {
 }
 }
-
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
 // default seccomp
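Review bot: Dropping `preproc_build_cp_command()` from the pre-processing step in the first sandbox.c hunk also drops the `preproc_mount_mnt_dir()` call it made (visible in the function body removed from preproc.c in this commit), and that function is now where the default seccomp files are copied into place. If no earlier caller mounts `RUN_MNT_DIR` on this path, the files loaded in the `HAVE_SECCOMP` block below would not exist; this cannot be confirmed from the hunk because `sandbox()` starts and ends outside it. Either call it directly here, `preproc_mount_mnt_dir();`, or extend the block comment with a line such as `// - RUN_MNT_DIR is already mounted by <caller>` naming where that happens.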
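Review bot: The filter-building code in `seccomp_filter_32()` is compiled out with `#if 0` instead of being deleted, and the same is done in `seccomp_filter_64()` and in the default branch of `seccomp_filter_drop()` (hunks at -114, -122, -140 and -152). Disabled blocks inside the functions that install the filters make it harder to see which filter is actually enforced; for instance the comment `// build the seccomp filter as a regular user` now sits inside code that never runs. I would delete the disabled lines and state where the file comes from, for example `// filter is prebuilt and copied to RUN_SECCOMP_I386 by preproc_mount_mnt_dir()`. The bodies of all three functions extend beyond the hunks shown.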
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) { #if defined(__i386__) seccomp_filter_64(); #endif + +#if 0 if (arg_debug) printf("Build default seccomp filter\n"); // build the seccomp filter as a regular user @@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) { PATH_FSECCOMP, "default", RUN_SECCOMP_CFG); if (rv) exit(rv); +#endif } - // default seccomp filter with additional drop list else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { #if defined(__x86_64__) diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 2f85a786b..471e0b193 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -38,7 +38,7 @@ static void usage(void) { } int main(int argc, char **argv) { -#if 0 +//#if 0 { //system("cat /proc/self/status"); int i; @@ -46,7 +46,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -#endif +//#endif if (argc < 2) { usage(); return 1; -- cgit v1.2.3-54-g00ecf
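Review bot: Commenting out `#if 0` and `#endif` at the top of `main()` in src/fseccomp/main.c makes the helper print every command-line argument to stdout on each run, which looks like debugging output left enabled. Anything that captures the helper's stdout would now receive this line ahead of the real output; whether any caller does so is not visible here. Restore the guard, `#if 0` … `#endif`, or gate the block on a debug setting before this lands. `main()` continues past the end of the hunk.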