renamed ERRNO to BLACKLIST_ERRNO in seccomp.c

netblue30 2015-10-24 09:33:19 -04:00
parent 6b5ee43567
commit d32b4d874d
2 changed files with 11 additions and 31 deletions


@ -109,7 +109,7 @@ struct seccomp_data {
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define ERRNO(syscall_nr, nr) \
#define BLACKLIST_ERRNO(syscall_nr, nr) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
@ -290,7 +290,7 @@ static void filter_add_errno(int syscall, int arg) {
filter_realloc();
struct sock_filter filter[] = {
ERRNO(syscall, arg)
BLACKLIST_ERRNO(syscall, arg)
};
#if 0
{
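Review bot: The renamed BLACKLIST_ERRNO macro (first hunk) still expands its arguments unparenthesized, so `SECCOMP_RET_ERRNO | nr` binds wrongly if a caller ever passes a compound expression for `nr`, and an errno value that does not fit the 16-bit data field of a seccomp return value would overwrite the action bits and turn an intended ERRNO verdict into a different action. Parenthesize both macro arguments and mask the errno into the data field: `BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (syscall_nr), 0, 1), \` and `BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | ((nr) & SECCOMP_RET_DATA))`. If this file carries its own copies of the seccomp constants, as the locally defined `struct seccomp_data` in the hunk header suggests, SECCOMP_RET_DATA (the kernel's 0x0000ffff data mask) may need to be added next to them. The same expansion is what filter_add_errno emits in the second hunk, whose body continues outside the hunk.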

38
todo

@ -34,35 +34,7 @@ $
5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
6. To investigate
// Restrict the set of allowable network protocol families
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_X25)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
6. add kexec_file_load to default seccomp filter
7. Tests not working on Arch:
profile_syntax.exp (profile syntax)
@ -84,3 +56,11 @@ cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
9. protocol filter: AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_PACKET
// Create a raw IP socket with UDP protocol
sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
// open a raw ethernet socket
s = socket(AF_PACKET, SOCK_DGRAM, htons(ETHERTYPE_IP));