github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

Improve cross-platform build

Browse source
This commit is contained in:
Topi Miettinen 2017-08-30 23:03:22 +03:00
parent d453d2dad9
commit a3e734279d
No known key found for this signature in database
GPG key ID: 9587E0A2656F2D29
1 changed files with 21 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/fseccomp/seccomp.c
View file

@ -191,6 +191,21 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
close(fd); close(fd);
} }
#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
# define filter_syscall SYS_mmap
# undef block_syscall
#elif defined(__i386__)
# define filter_syscall SYS_mmap2
# define block_syscall SYS_mmap
#elif defined(__arm__)
# define filter_syscall SYS_mmap2
# undef block_syscall
#else
# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
# undef filter_syscall
# undef block_syscall
#endif
void memory_deny_write_execute(const char *fname) { void memory_deny_write_execute(const char *fname) {
// open file // open file
int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) {
// build filter // build filter
static const struct sock_filter filter[] = { static const struct sock_filter filter[] = {
#ifdef __i386__ #ifdef block_syscall
// block old multiplexing mmap syscall for i386 // block old multiplexing mmap syscall for i386
BLACKLIST(SYS_mmap), BLACKLIST(block_syscall),
#endif #endif
#ifdef filter_syscall
// block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
#ifdef __i386__ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5),
// mmap2 is used for mmap on i386 these days
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
#else
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
#endif
EXAMINE_ARGUMENT(2), EXAMINE_ARGUMENT(2),
BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC), BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
KILL_PROCESS, KILL_PROCESS,
RETURN_ALLOW, RETURN_ALLOW,
#endif
// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) {
KILL_PROCESS, KILL_PROCESS,
RETURN_ALLOW, RETURN_ALLOW,
// shmat is not implemented as a syscall on some platforms (i386, possibly arm) // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
#ifdef SYS_shmat #ifdef SYS_shmat
// block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),