1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
|
/*
* Copyright (C) 2014-2019 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "fseccomp.h"
#include "../include/seccomp.h"
#include <sys/mman.h>
#include <sys/shm.h>
#include <sys/syscall.h>
#include <sys/types.h>
static void add_default_list(int fd, int allow_debuggers) {
int r;
if (!allow_debuggers)
r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL);
else
r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL);
assert(r == 0);
//#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
// filter_add_blacklist(SYS_mknod, 0);
//#endif
// breaking Firefox nightly when playing youtube videos
// TODO: test again when firefox sandbox is finally released
//#ifdef SYS_get_mempolicy
// filter_add_blacklist(fd, SYS_get_mempolicy, 0);
//#endif
//#ifdef SYS_quotactl - in use by Firefox
// filter_add_blacklist(fd, SYS_quotactl, 0);
//#endif
}
// default list
void seccomp_default(const char *fname, int allow_debuggers) {
assert(fname);
// open file
int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
exit(1);
}
// build filter (no post-exec filter needed because default list is fine for us)
filter_init(fd);
add_default_list(fd, allow_debuggers);
filter_end_blacklist(fd);
// close file
close(fd);
}
// drop list
void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
assert(fname1);
assert(fname2);
(void) allow_debuggers; // todo: to implemnet it
// open file for pre-exec filter
int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
exit(1);
}
// build pre-exec filter: don't blacklist any syscalls in @default-keep
filter_init(fd);
// allow exceptions in form of !syscall
syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
char *prelist, *postlist;
syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
if (prelist)
if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
exit(1);
}
filter_end_blacklist(fd);
// close file
close(fd);
if (!postlist)
return;
// open file for post-exec filter
fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
exit(1);
}
// build post-exec filter: blacklist remaining syscalls
filter_init(fd);
if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
exit(1);
}
filter_end_blacklist(fd);
// close file
close(fd);
}
// default+drop
void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
assert(fname1);
assert(fname2);
// open file
int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
exit(1);
}
// build pre-exec filter: blacklist @default, don't blacklist
// any listed syscalls in @default-keep
filter_init(fd);
// allow exceptions in form of !syscall
syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
add_default_list(fd, allow_debuggers);
char *prelist, *postlist;
syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
if (prelist)
if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
exit(1);
}
filter_end_blacklist(fd);
// close file
close(fd);
if (!postlist)
return;
// open file for post-exec filter
fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
exit(1);
}
// build post-exec filter: blacklist remaining syscalls
filter_init(fd);
if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
exit(1);
}
filter_end_blacklist(fd);
// close file
close(fd);
}
void seccomp_keep(const char *fname1, const char *fname2, char *list) {
(void) fname2;
// open file for pre-exec filter
int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname1);
exit(1);
}
// build pre-exec filter: whitelist also @default-keep
filter_init(fd);
// allow exceptions in form of !syscall
syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);
// these syscalls are used by firejail after the seccomp filter is initialized
int r;
r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
assert(r == 0);
if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
exit(1);
}
filter_end_whitelist(fd);
// close file
close(fd);
}
#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
# define filter_syscall SYS_mmap
# undef block_syscall
#elif defined(__i386__)
# define filter_syscall SYS_mmap2
# define block_syscall SYS_mmap
#elif defined(__arm__)
# define filter_syscall SYS_mmap2
# undef block_syscall
#else
# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
# undef filter_syscall
# undef block_syscall
#endif
void memory_deny_write_execute(const char *fname) {
// open file
int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd < 0) {
fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
exit(1);
}
filter_init(fd);
// build filter
static const struct sock_filter filter[] = {
#ifdef block_syscall
// block old multiplexing mmap syscall for i386
BLACKLIST(block_syscall),
#endif
#ifdef filter_syscall
// block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5),
EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
KILL_PROCESS,
RETURN_ALLOW,
#endif
// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
KILL_PROCESS,
RETURN_ALLOW,
// same for pkey_mprotect(,,PROT_EXEC), where available
#ifdef SYS_pkey_mprotect
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
KILL_PROCESS,
RETURN_ALLOW,
#endif
// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
#ifdef SYS_shmat
// block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
KILL_PROCESS,
RETURN_ALLOW,
#endif
#ifdef SYS_memfd_create
// block memfd_create as it can be used to create
// arbitrary memory contents which can be later mapped
// as executable
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
KILL_PROCESS,
RETURN_ALLOW
#endif
};
write_to_file(fd, filter, sizeof(filter));
filter_end_blacklist(fd);
// close file
close(fd);
}
|
