From ce3e345c87a45a6c9faf408295c2cc4c8ee60178 Mon Sep 17 00:00:00 2001
From: startx2017
Date: Tue, 11 Jul 2017 08:27:57 -0400
Subject: fix #1371; rework seccomp_filter_drop() function
---
src/firejail/profile.c | 8 +++++--
src/firejail/seccomp.c | 57 +++++++++++++++++++++++++++-----------------------
2 files changed, 37 insertions(+), 28 deletions(-)
(limited to 'src')
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index af943581e..88f04f47f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
if (cfg.profile_ignore[i] == NULL)
break;
- if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
- return 0; // ignore line
+ int len = strlen(cfg.profile_ignore[i]);
+ if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
+ // full word match
+ if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
+ return 0; // ignore line
+ }
}
if (strncmp(ptr, "ignore ", 7) == 0) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 15379215c..de9fe27f3 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
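Review bot: The new word-boundary check in profile_check_line stores `strlen()` into an `int` and accepts only `'\0'` or a single space after the matched keyword, so `int len = strlen(cfg.profile_ignore[i]);` should be `size_t len = strlen(cfg.profile_ignore[i]);`, and if profile lines may separate a directive from its arguments with a tab, `ptr[len] == '\t'` presumably belongs in the same test — worth confirming against the profile parser. The read of `ptr[len]` is in bounds, since `strncmp()` returning 0 guarantees `ptr` holds at least `len` bytes, but a short comment saying so would help the next reader, e.g. `// strncmp matched len bytes, so ptr[len] is readable`. The enclosing function starts and ends outside this hunk.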
@@ -123,40 +123,48 @@ void seccomp_filter_64(void) {
// drop filter for seccomp option
int seccomp_filter_drop(int enforce_seccomp) {
- // default seccomp
- if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) {
+printf("cfg.seccomp_list %p, cfg.seccomp_list_drop %p\n", cfg.seccomp_list, cfg.seccomp_list_drop);
+ // if we have multiple seccomp commands, only one of them is executed
+ // in the following order:
+ // - seccomp.drop list
+ // - seccomp list
+ // - seccomp
+ if (cfg.seccomp_list_drop == NULL) {
+ // default seccomp
+ if (cfg.seccomp_list == NULL) {
#if defined(__x86_64__)
- seccomp_filter_32();
+ seccomp_filter_32();
#endif
#if defined(__i386__)
- seccomp_filter_64();
+ seccomp_filter_64();
#endif
- }
- // default seccomp filter with additional drop list
- else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+ }
+ // default seccomp filter with additional drop list
+ else { // cfg.seccomp_list != NULL
#if defined(__x86_64__)
- seccomp_filter_32();
+ seccomp_filter_32();
#endif
#if defined(__i386__)
- seccomp_filter_64();
+ seccomp_filter_64();
#endif
- if (arg_debug)
- printf("Build default+drop seccomp filter\n");
-
- // build the seccomp filter as a regular user
- int rv;
- if (arg_allow_debuggers)
- rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
- PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
- else
- rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
- PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
- if (rv)
- exit(rv);
+ if (arg_debug)
+ printf("Build default+drop seccomp filter\n");
+
+ // build the seccomp filter as a regular user
+ int rv;
+ if (arg_allow_debuggers)
+ rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
+ PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers");
+ else
+ rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+ PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list);
+ if (rv)
+ exit(rv);
+ }
}
// drop list without defaults - secondary filters are not installed
- else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+ else { // cfg.seccomp_list_drop != NULL
if (arg_debug)
printf("Build drop seccomp filter\n");
@@ -172,9 +180,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
if (rv)
exit(rv);
}
- else {
- assert(0);
- }
// load the filter
if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
--
cgit v1.2.3-70-g09d2
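Review bot: The added `printf("cfg.seccomp_list %p, cfg.seccomp_list_drop %p\n", ...)` at the top of seccomp_filter_drop is an unconditional trace that, unlike every other message in this function, is not gated on `arg_debug`, and it writes heap addresses of the firejail process to stdout on every sandbox start; it reads as a leftover and should be removed, or at least wrapped as `if (arg_debug) printf("seccomp list %s, drop list %s\n", cfg.seccomp_list ? "set" : "unset", cfg.seccomp_list_drop ? "set" : "unset");`. The new precedence comment says the drop list wins when both `seccomp.drop` and `seccomp` are configured, but the `else { // cfg.seccomp_list_drop != NULL` branch then discards `cfg.seccomp_list` silently, so a debug message there noting that the seccomp list was not applied would make the documented order observable. The function continues past this hunk; the `assert(0)` removal in the second hunk is consistent with the now-exhaustive if/else.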