From f905f046cc554f8ec2b800bcb9965b0f360cfd91 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 6 May 2018 11:22:35 -0400
Subject: remove 64bit seccomp filter from 32bit architectures
---
 src/firejail/firejail.h | 2 --
 src/firejail/preproc.c | 1 -
 src/firejail/sandbox.c | 9 ------
 src/firejail/seccomp.c | 16 ++--------
 src/fseccomp/main.c | 2 --
 src/fseccomp/seccomp_secondary.c | 65 ----------------------------------------
 6 files changed, 3 insertions(+), 92 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7544b642a..2db171070 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
 #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 45399bd48..9fb4840c6 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
 else {
 //copy default seccomp files
 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
- copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 }
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8abdf6b2c..1498007eb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
 else
 seccomp_filter_drop();
- // clean unused filters
-#if defined(__LP64__)
- int rv = unlink(RUN_SECCOMP_64);
-#endif
-#if defined(__ILP32__)
- int rv = unlink(RUN_SECCOMP_32);
-#endif
- (void) rv;
 }
 else {
 // clean seccomp files under /run/firejail/mnt
 int rv = unlink(RUN_SECCOMP_CFG);
- rv |= unlink(RUN_SECCOMP_64);
 rv |= unlink(RUN_SECCOMP_32);
 (void) rv;
 }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 1ee6256d4..3da0206e1 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
 }
 // 32 bit arch filter installed on 64 bit architectures
+#if defined(__x86_64__)
 #if defined(__LP64__)
 static void seccomp_filter_32(void) {
 if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
 }
 }
 #endif
-
-// 64 bit arch filter installed on 32 bit architectures
-#if defined(__ILP32__)
-static void seccomp_filter_64(void) {
- if (seccomp_load(RUN_SECCOMP_64) == 0) {
- if (arg_debug)
- printf("Dual 32/64 bit seccomp filter configured\n");
- }
-}
 #endif
 static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
- seccomp_filter_64();
 #endif
 }
 }
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
- seccomp_filter_64();
 #endif
 }
 if (arg_debug)
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index ab6683065..7fd96bc43 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
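Review bot: The `#if defined(__x86_64__)` guards added around `seccomp_filter_32()` in both `else` branches of seccomp_filter_drop() mean a 64-bit build on any non-x86 architecture now installs no secondary-arch filter unless `arg_seccomp_block_secondary` is set, and with `seccomp_filter_64()` gone a 32-bit build on a 64-bit kernel no longer filters the x86_64 syscall ABI at all; whether that is safe depends on whether the primary filter's architecture check kills or allows foreign-ABI syscalls, which is not visible here and is not explained by the commit message. If the primary filter lets a mismatched arch through, a sandboxed 32-bit process could switch to the now-unfiltered 64-bit ABI, so the surviving guard should document the assumption, e.g. `// seccomp.32 only applies on x86_64 (presumably an i386 table, like the removed x86_64 one); other ABIs must be handled by the primary filter's arch check or --seccomp.block-secondary`. The nested `#if defined(__x86_64__)` / `#if defined(__LP64__)`, whose second `#endif` is the one that used to close the deleted `__ILP32__` block, reads more clearly as a single `#if defined(__x86_64__) && defined(__LP64__)` with one `#endif`. As a side effect, preproc.c still copies PATH_SECCOMP_32 with no architecture guard visible, and now that the cleanup block is gone from sandbox.c that file is neither loaded nor unlinked on 32-bit hosts. seccomp_filter_drop() begins and ends outside these hunks.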
@@ -70,8 +70,6 @@ printf("\n");
 protocol_print();
 else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
 protocol_build_filter(argv[3], argv[4]);
- else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
- seccomp_secondary_64(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
 seccomp_secondary_32(argv[3]);
 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index ebda1b938..e398f94d0 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
 close(dst);
 }
-void seccomp_secondary_64(const char *fname) {
- // hardcoded syscall values
- struct sock_filter filter[] = {
- VALIDATE_ARCHITECTURE_64,
- EXAMINE_SYSCALL,
- BLACKLIST(165), // mount
- BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
- BLACKLIST(101), // ptrace
- BLACKLIST(246), // kexec_load
- BLACKLIST(304), // open_by_handle_at
- BLACKLIST(303), // name_to_handle_at
- BLACKLIST(174), // create_module
- BLACKLIST(175), // init_module
- BLACKLIST(313), // finit_module
- BLACKLIST(176), // delete_module
- BLACKLIST(172), // iopl
- BLACKLIST(173), // ioperm
- BLACKLIST(251), // ioprio_set
- BLACKLIST(167), // swapon
- BLACKLIST(168), // swapoff
- BLACKLIST(103), // syslog
- BLACKLIST(310), // process_vm_readv
- BLACKLIST(311), // process_vm_writev
- BLACKLIST(139), // sysfs
- BLACKLIST(156), // _sysctl
- BLACKLIST(159), // adjtimex
- BLACKLIST(305), // clock_adjtime
- BLACKLIST(212), // lookup_dcookie
- BLACKLIST(298), // perf_event_open
- BLACKLIST(300), // fanotify_init
- BLACKLIST(312), // kcmp
- BLACKLIST(248), // add_key
- BLACKLIST(249), // request_key
- BLACKLIST(250), // keyctl
- BLACKLIST(134), // uselib
- BLACKLIST(163), // acct
- BLACKLIST(154), // modify_ldt
- BLACKLIST(155), // pivot_root
- BLACKLIST(206), // io_setup
- BLACKLIST(207), // io_destroy
- BLACKLIST(208), // io_getevents
- BLACKLIST(209), // io_submit
- BLACKLIST(210), // io_cancel
- BLACKLIST(216), // remap_file_pages
- BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-// BLACKLIST(239), // get_mempolicy
- BLACKLIST(238), // set_mempolicy
- BLACKLIST(256), // migrate_pages
- BLACKLIST(279), // move_pages
- BLACKLIST(278), // vmsplice
- BLACKLIST(161), // chroot
- BLACKLIST(184), // tuxcall
- BLACKLIST(169), // reboot
- BLACKLIST(180), // nfsservctl
- BLACKLIST(177), // get_kernel_syms
-
- RETURN_ALLOW
- };
-
- // save filter to file
- write_filter(fname, sizeof(filter), filter);
-}
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
-- 
cgit v1.2.3-54-g00ecf