seccomp work 1
This commit is contained in:
parent
be09b34e3b
commit
64431c712f
7 changed files with 44 additions and 63 deletions
5
.gitignore
vendored
5
.gitignore
vendored
|
|
@ -24,3 +24,8 @@ src/fnet/fnet
|
|||
src/fseccomp/fseccomp
|
||||
src/fcopy/fcopy
|
||||
uids.h
|
||||
seccomp
|
||||
seccomp.debug
|
||||
seccomp.i386
|
||||
seccomp.amd64
|
||||
|
||||
|
|
|
|||
14
Makefile.in
14
Makefile.in
|
|
@ -1,7 +1,8 @@
|
|||
all: apps man
|
||||
all: apps man filters
|
||||
MYLIBS = src/lib
|
||||
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
|
||||
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
|
||||
SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
|
||||
|
||||
prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
|
|
@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
|
|||
|
||||
man: $(MANPAGES)
|
||||
|
||||
filters: src/fseccomp
|
||||
src/fseccomp/fseccomp default seccomp
|
||||
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
|
||||
src/fseccomp/fseccomp secondary 32 seccomp.i386
|
||||
src/fseccomp/fseccomp secondary 64 seccomp.amd64
|
||||
|
||||
clean:
|
||||
for dir in $(APPS) $(MYLIBS); do \
|
||||
$(MAKE) -C $$dir clean; \
|
||||
done
|
||||
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
|
||||
rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
|
||||
rm -f test/utils/index.html*
|
||||
rm -f test/utils/wget-log
|
||||
rm -f test/utils/lstesting
|
||||
|
|
@ -79,6 +87,10 @@ realinstall:
|
|||
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
|
||||
# documents
|
||||
install -m 0755 -d $(DESTDIR)/$(DOCDIR)
|
||||
install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
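Review bot: The new `filters` target at L96 lists the directory `src/fseccomp` as its prerequisite rather than the binary it executes, so under `make -j` it can be scheduled before `src/fseccomp/fseccomp` has been linked (the directory already exists in a checkout) and either fail or run a stale binary left from an earlier build; `filters: apps` (or `filters: src/fseccomp/fseccomp` with the binary as a real target) orders it correctly. Relatedly, `SECCOMP_FILTERS` on L73 omits `seccomp.debug` although L102 builds it and L128/L157 clean and install it, and the variable is not used by any target shown in these hunks. Either drop it or make `filters`, `clean` and `realinstall` iterate over `SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64`, so the four hand-maintained lists cannot drift apart; a filter silently missing from the install is exactly what would make the runtime copy into the sandbox's tmpfs fail.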
|
||||
|
|
|
|||
|
|
@ -47,10 +47,14 @@
|
|||
#define RUN_BIN_DIR "/run/firejail/mnt/bin"
|
||||
#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
|
||||
|
||||
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
|
||||
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
|
||||
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
|
||||
#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
|
||||
#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
|
||||
#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
|
||||
#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
|
||||
#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
|
||||
#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
|
||||
|
||||
|
||||
#define RUN_DEV_DIR "/run/firejail/mnt/dev"
|
||||
|
|
@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
|
|||
// preproc.c
|
||||
void preproc_build_firejail_dir(void);
|
||||
void preproc_mount_mnt_dir(void);
|
||||
void preproc_build_cp_command(void);
|
||||
void preproc_delete_cp_command(void) ;
|
||||
void preproc_remount_mnt_dir(void);
|
||||
|
||||
// fs.c
|
||||
// blacklist files or directoies by mounting empty files on top of them
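Review bot: The comment on PATH_SECCOMP_DEFAULT_DEBUG at L210 is a copy of the one on PATH_SECCOMP_DEFAULT and does not say how the two filters differ; Makefile.in generates it with `fseccomp default seccomp.debug allow-debuggers`, so `// default filter built during make with fseccomp's allow-debuggers option; selected when arg_allow_debuggers is set` would tell the reader which file preproc copies. A one-line remark above the RUN_SECCOMP_* group stating that these are the per-sandbox copies placed in the tmpfs mounted on RUN_MNT_DIR, while the PATH_SECCOMP_* entries are the originals under LIBDIR, would make the pairing between the two groups explicit.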
|
||||
|
|
|
|||
|
|
@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
|
|||
create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
|
||||
}
|
||||
|
||||
if (stat(RUN_MNT_DIR, &s)) {
|
||||
create_empty_dir_as_root(RUN_MNT_DIR, 0755);
|
||||
}
|
||||
if (stat(RUN_MNT_DIR, &s)) {
|
||||
create_empty_dir_as_root(RUN_MNT_DIR, 0755);
|
||||
}
|
||||
|
||||
create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
|
||||
create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
|
||||
|
|
@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
|
|||
tmpfs_mounted = 1;
|
||||
fs_logger2("tmpfs", RUN_MNT_DIR);
|
||||
|
||||
// create all seccomp files
|
||||
// as root, create RUN_SECCOMP_I386 file
|
||||
create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
|
||||
if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
|
||||
errExit("set_perms");
|
||||
|
||||
// as root, create RUN_SECCOMP_AMD64 file
|
||||
create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
|
||||
if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
|
||||
errExit("set_perms");
|
||||
|
||||
// as root, create RUN_SECCOMP file
|
||||
create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
|
||||
if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
|
||||
errExit("set_perms");
|
||||
|
||||
// as root, create RUN_SECCOMP_PROTOCOL file
|
||||
//copy defaultl seccomp files
|
||||
copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
|
||||
copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
|
||||
if (arg_allow_debuggers)
|
||||
copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
|
||||
else
|
||||
copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
|
||||
|
||||
// as root, create an empty RUN_SECCOMP_PROTOCOL file
|
||||
create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
|
||||
if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
|
||||
errExit("set_perms");
|
||||
}
|
||||
}
|
||||
|
||||
// grab a copy of cp command
|
||||
void preproc_build_cp_command(void) {
|
||||
struct stat s;
|
||||
preproc_mount_mnt_dir();
|
||||
if (stat(RUN_CP_COMMAND, &s)) {
|
||||
char* fname = realpath("/bin/cp", NULL);
|
||||
if (fname == NULL || stat(fname, &s) || is_link(fname)) {
|
||||
fprintf(stderr, "Error: invalid /bin/cp\n");
|
||||
exit(1);
|
||||
}
|
||||
int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
|
||||
if (rv) {
|
||||
fprintf(stderr, "Error: cannot access /bin/cp\n");
|
||||
exit(1);
|
||||
}
|
||||
ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
|
||||
|
||||
free(fname);
|
||||
}
|
||||
}
|
||||
|
||||
// delete the temporary cp command
|
||||
void preproc_delete_cp_command(void) {
|
||||
unlink(RUN_CP_COMMAND);
|
||||
}
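Review bot: The four copy_file() calls at L364–L379 discard the function's int result, so a missing or unreadable filter under LIBDIR (an install that shipped the fseccomp binary but not the generated seccomp.* files, for instance) leaves RUN_SECCOMP_CFG absent or empty and the sandbox carries on without the filter it asked for, which is a fail-open; elsewhere in this hunk the same helper's result is checked (`int rv = copy_file(...)`, `if (rv) { fprintf(...); exit(1); }`) and that pattern belongs here too. The copies are still chowned to getuid()/getgid() with mode 0644, which looks like a holdover from the days when fseccomp wrote these files as the unprivileged user; if the user-written path is still used for custom drop lists the ownership is needed, otherwise root-owned copies would stop the sandboxed user from rewriting a filter before it is loaded — worth confirming. The enclosing function preproc_mount_mnt_dir starts before this hunk.
```c
	// copy the prebuilt default filters; a failed copy must be fatal,
	// otherwise the sandbox would start without the filter it asked for
	const char *deflt = arg_allow_debuggers ? PATH_SECCOMP_DEFAULT_DEBUG : PATH_SECCOMP_DEFAULT;
	if (copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644) ||
	    copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644) ||
	    copy_file(deflt, RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) {
		fprintf(stderr, "Error: cannot install the default seccomp filters\n");
		exit(1);
	}
	// … unchanged: RUN_SECCOMP_PROTOCOL creation …
```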
|
||||
|
|
|
|||
|
|
@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
|
|||
|
||||
//****************************
|
||||
// fs pre-processing:
|
||||
// - copy some commands under /run
|
||||
// - build seccomp filters
|
||||
// - create an empty /etc/ld.so.preload
|
||||
//****************************
|
||||
preproc_build_cp_command();
|
||||
|
||||
#ifdef HAVE_SECCOMP
|
||||
if (cfg.protocol) {
|
||||
if (arg_debug)
|
||||
|
|
@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
|
|||
//****************************
|
||||
// fs post-processing
|
||||
//****************************
|
||||
preproc_delete_cp_command();
|
||||
fs_logger_print();
|
||||
fs_logger_change_owner();
|
||||
|
||||
|
|
|
|||
|
|
@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
// i386 filter installed on amd64 architectures
|
||||
void seccomp_filter_32(void) {
|
||||
#if 0
|
||||
if (arg_debug)
|
||||
printf("Build secondary 32-bit filter\n");
|
||||
|
||||
|
|
@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
|
|||
PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
|
||||
if (rv)
|
||||
exit(rv);
|
||||
|
||||
#endif
|
||||
if (seccomp_load(RUN_SECCOMP_I386) == 0) {
|
||||
if (arg_debug)
|
||||
printf("Dual i386/amd64 seccomp filter configured\n");
|
||||
|
|
@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
|
|||
|
||||
// amd64 filter installed on i386 architectures
|
||||
void seccomp_filter_64(void) {
|
||||
#if 0
|
||||
if (arg_debug)
|
||||
printf("Build secondary 64-bit filter\n");
|
||||
|
||||
|
|
@ -122,6 +121,7 @@ void seccomp_filter_64(void) {
|
|||
PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
|
||||
if (rv)
|
||||
exit(rv);
|
||||
#endif
|
||||
|
||||
if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
|
||||
if (arg_debug)
|
||||
|
|
@ -129,7 +129,6 @@ void seccomp_filter_64(void) {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
// drop filter for seccomp option
|
||||
int seccomp_filter_drop(int enforce_seccomp) {
|
||||
// default seccomp
|
||||
|
|
@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
|
|||
#if defined(__i386__)
|
||||
seccomp_filter_64();
|
||||
#endif
|
||||
|
||||
#if 0
|
||||
if (arg_debug)
|
||||
printf("Build default seccomp filter\n");
|
||||
// build the seccomp filter as a regular user
|
||||
|
|
@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
|
|||
PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
|
||||
if (rv)
|
||||
exit(rv);
|
||||
#endif
|
||||
}
|
||||
|
||||
// default seccomp filter with additional drop list
|
||||
else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
|
||||
#if defined(__x86_64__)
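Review bot: In seccomp_filter_32 and seccomp_filter_64 the build step that used to `exit(rv)` on failure is now inside `#if 0` (L574–L601, L626–L651), and the only step left, `if (seccomp_load(RUN_SECCOMP_I386) == 0)`, reports success under arg_debug and does nothing on failure, so a secondary filter that never made it into RUN_MNT_DIR is silently skipped where it previously aborted the sandbox; the default branch of seccomp_filter_drop at L702–L728 loses its `exit(rv)` the same way, and its body continues past the hunk. If a missing filter is not meant to be tolerated, handle the non-zero return, e.g. `if (seccomp_load(RUN_SECCOMP_I386)) { fprintf(stderr, "Error: cannot load the i386 seccomp filter\n"); exit(1); }`, and make the same decision for RUN_SECCOMP_CFG with enforce_seccomp in mind. The `#if 0` blocks should be deleted rather than kept as dead code; they still spell out the `PATH_FSECCOMP, "secondary", ...` invocations that Makefile.in now performs at build time and will drift from them.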
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ static void usage(void) {
|
|||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
#if 0
|
||||
//#if 0
|
||||
{
|
||||
//system("cat /proc/self/status");
|
||||
int i;
|
||||
|
|
@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
|
|||
printf("*%s* ", argv[i]);
|
||||
printf("\n");
|
||||
}
|
||||
#endif
|
||||
//#endif
|
||||
if (argc < 2) {
|
||||
usage();
|
||||
return 1;
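Review bot: If `//#if 0` and `//#endif` (L765, L794) are the new side, the argv-dumping block between them (`for (i = 0; i < argc; i++) printf("*%s* ", argv[i]);`) is now compiled into fseccomp unconditionally, so every invocation — the build-time `make filters` runs and the calls firejail makes through PATH_FSECCOMP — prints its arguments to stdout. That reads as a debugging aid left switched on in a work-in-progress commit rather than intended behaviour; a helper that firejail executes should not emit unsolicited output, and the commented-out `//system("cat /proc/self/status");` beside it is the same kind of residue. Either restore `#if 0`/`#endif` or, better, delete the block; if an argument trace is genuinely useful, gate it behind an explicit debug switch rather than a comment toggle.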
|
||||
|
|
|
|||