github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

Improve seccomp architecture support

Browse source
This commit is contained in:
Topi Miettinen 2017-09-10 10:34:42 +03:00
parent 3d6cd1b0e1
commit c3acf2d222
No known key found for this signature in database
GPG key ID: 9587E0A2656F2D29
2 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/fseccomp/syscall.c
View file

@ -273,6 +273,9 @@ static const SyscallGroupList sysgroups[] = {
#endif
#ifdef SYS_vserver
"vserver"
#endif
#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
"__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
#endif
},
{ .name = "@privileged", .list =
@ -333,6 +336,9 @@ static const SyscallGroupList sysgroups[] = {
#endif
#ifdef SYS_s390_mmio_write
"s390_mmio_write"
#endif
#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
"__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
#endif
},
{ .name = "@reboot", .list =

26
src/include/seccomp.h
View file

@ -149,9 +149,35 @@ struct seccomp_data {
# define ARCH_NR AUDIT_ARCH_S390
# define ARCH_32 AUDIT_ARCH_S390
# define ARCH_64 AUDIT_ARCH_S390X
#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
# define ARCH_NR AUDIT_ARCH_SH64
# define ARCH_32 AUDIT_ARCH_SH
# define ARCH_64 AUDIT_ARCH_SH64
#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
# define ARCH_NR AUDIT_ARCH_SHEL64
# define ARCH_32 AUDIT_ARCH_SHEL
# define ARCH_64 AUDIT_ARCH_SHEL64
#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
# define ARCH_NR AUDIT_ARCH_SH
# define ARCH_32 AUDIT_ARCH_SH
# define ARCH_64 AUDIT_ARCH_SH64
#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
# define ARCH_NR AUDIT_ARCH_SHEL
# define ARCH_32 AUDIT_ARCH_SHEL
# define ARCH_64 AUDIT_ARCH_SHEL64
#elif defined(__sparc64__)
# define ARCH_NR AUDIT_ARCH_SPARC64
# define ARCH_32 AUDIT_ARCH_SPARC
# define ARCH_64 AUDIT_ARCH_SPARC64
#elif defined(__sparc__)
# define ARCH_NR AUDIT_ARCH_SPARC
# define ARCH_32 AUDIT_ARCH_SPARC
# define ARCH_64 AUDIT_ARCH_SPARC64
#else
# warning "Platform does not support seccomp filter yet"
# define ARCH_NR 0
# define ARCH_32 0
# define ARCH_64 0
#endif
#define VALIDATE_ARCHITECTURE \