remove 64bit seccomp filter from 32bit architectures
This commit is contained in:
parent
8be61f77c2
commit
f905f046cc
8 changed files with 4 additions and 113 deletions
|
|
@ -2,7 +2,7 @@ all: apps man filters
|
|||
MYLIBS = src/lib
|
||||
APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
|
||||
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
|
||||
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
|
||||
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
|
||||
|
||||
prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
|
|
@ -47,8 +47,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
|
|||
src/fsec-optimize/fsec-optimize seccomp.debug
|
||||
src/fseccomp/fseccomp secondary 32 seccomp.32
|
||||
src/fsec-optimize/fsec-optimize seccomp.32
|
||||
src/fseccomp/fseccomp secondary 64 seccomp.64
|
||||
src/fsec-optimize/fsec-optimize seccomp.64
|
||||
src/fseccomp/fseccomp secondary block seccomp.block_secondary
|
||||
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
|
||||
endif
|
||||
|
|
@ -110,7 +108,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
|
|||
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
|
||||
install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -59,14 +59,12 @@
|
|||
|
||||
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
|
||||
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
|
||||
#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
|
||||
#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
|
||||
#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
|
||||
#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
|
||||
#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
|
||||
#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
|
||||
#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
|
||||
#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
|
||||
#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
|
||||
#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
|
||||
#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
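Review bot: The comments on `RUN_SECCOMP_32` and `PATH_SECCOMP_32` still read "installed on 64bit architectures", but after this commit the only visible loader, seccomp_filter_32 in seccomp.c, is compiled under `__x86_64__` together with `__LP64__`, so the filter is installed on x86_64 builds only and not on other 64-bit targets. Suggest `// 32bit arch filter installed on x86_64 (non-x32) builds` on both lines so the header does not promise a secondary filter on, say, aarch64. The surrounding define list continues outside this hunk.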
|
||||
|
|
|
|||
|
|
@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
|
|||
else {
|
||||
//copy default seccomp files
|
||||
copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
|
||||
copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
|
||||
}
|
||||
if (arg_allow_debuggers)
|
||||
copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
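Review bot: The copy of PATH_SECCOMP_32 into RUN_SECCOMP_32 in the `else` branch stays unconditional, while its only visible consumer, seccomp_filter_32 in seccomp.c, is compiled only under `__x86_64__`/`__LP64__` in this commit; on i386 or arm builds the file appears to be copied into /run/firejail/mnt and never loaded. If that is intended, say so, e.g. `// copy the 32-bit secondary filter; it is only loaded on x86_64 builds`; otherwise wrap the copy in the same `#if` pair. The comment `//copy default seccomp files` is also plural for what is now a single copy. preproc_mount_mnt_dir starts before this hunk.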
|
||||
|
|
|
|||
|
|
@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
|
|||
else
|
||||
seccomp_filter_drop();
|
||||
|
||||
// clean unused filters
|
||||
#if defined(__LP64__)
|
||||
int rv = unlink(RUN_SECCOMP_64);
|
||||
#endif
|
||||
#if defined(__ILP32__)
|
||||
int rv = unlink(RUN_SECCOMP_32);
|
||||
#endif
|
||||
(void) rv;
|
||||
}
|
||||
else { // clean seccomp files under /run/firejail/mnt
|
||||
int rv = unlink(RUN_SECCOMP_CFG);
|
||||
rv |= unlink(RUN_SECCOMP_64);
|
||||
rv |= unlink(RUN_SECCOMP_32);
|
||||
(void) rv;
|
||||
}
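Review bot: On 32-bit builds the seccomp-enabled path no longer removes RUN_SECCOMP_32 after seccomp_filter_drop(), assuming the whole `// clean unused filters` block (both the `__LP64__` and the `__ILP32__` unlink) is what was deleted along with the `RUN_SECCOMP_64` line in the `else` branch; the rendered page does not show which side each line is on, but the header hunk dropping `RUN_SECCOMP_64` leaves no other consistent reading. The filter copied in by preproc_mount_mnt_dir would then stay under /run/firejail/mnt for the life of an i386/arm sandbox, where it was unlinked before. If leaving it is intended, a one-line comment after `seccomp_filter_drop();` saying the copied secondary filter is kept would stop the next reader from re-adding the cleanup; otherwise keep `#if defined(__ILP32__)` / `int rv = unlink(RUN_SECCOMP_32);` / `#endif` followed by `(void) rv;`. sandbox() starts and ends outside this hunk.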
|
||||
|
|
|
|||
|
|
@ -138,6 +138,7 @@ errexit:
|
|||
}
|
||||
|
||||
// 32 bit arch filter installed on 64 bit architectures
|
||||
#if defined(__x86_64__)
|
||||
#if defined(__LP64__)
|
||||
static void seccomp_filter_32(void) {
|
||||
if (seccomp_load(RUN_SECCOMP_32) == 0) {
|
||||
|
|
@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
|
|||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
// 64 bit arch filter installed on 32 bit architectures
|
||||
#if defined(__ILP32__)
|
||||
static void seccomp_filter_64(void) {
|
||||
if (seccomp_load(RUN_SECCOMP_64) == 0) {
|
||||
if (arg_debug)
|
||||
printf("Dual 32/64 bit seccomp filter configured\n");
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
static void seccomp_filter_block_secondary(void) {
|
||||
|
|
@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
|
|||
if (arg_seccomp_block_secondary)
|
||||
seccomp_filter_block_secondary();
|
||||
else {
|
||||
#if defined(__x86_64__)
|
||||
#if defined(__LP64__)
|
||||
seccomp_filter_32();
|
||||
#endif
|
||||
#if defined(__ILP32__)
|
||||
seccomp_filter_64();
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
|
@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
|
|||
if (arg_seccomp_block_secondary)
|
||||
seccomp_filter_block_secondary();
|
||||
else {
|
||||
#if defined(__x86_64__)
|
||||
#if defined(__LP64__)
|
||||
seccomp_filter_32();
|
||||
#endif
|
||||
#if defined(__ILP32__)
|
||||
seccomp_filter_64();
|
||||
#endif
|
||||
}
|
||||
if (arg_debug)
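Review bot: The nested `#if defined(__x86_64__)` / `#if defined(__LP64__)` around seccomp_filter_32 and at both call sites in seccomp_filter_drop carries no comment saying why both tests are needed, and the inner one looks redundant at a glance. It is not: the x32 ABI defines `__x86_64__` together with `__ILP32__`, so `__LP64__` is what keeps the i386 secondary filter off x32 builds. Suggest `// __x86_64__ alone also matches the x32 ABI (__ILP32__); __LP64__ excludes it` once above the function definition so the nesting is not "simplified" away later. With the `__ILP32__` branch gone, the `else` block in seccomp_filter_drop is empty on every non-x86_64 build; a message under `arg_debug`, matching the existing `printf` style, would make the absence of a secondary filter visible. seccomp_filter_drop starts before the hunk at @-177 and ends after the hunk at @-190.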
|
||||
|
|
|
|||
|
|
@ -70,8 +70,6 @@ printf("\n");
|
|||
protocol_print();
|
||||
else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
|
||||
protocol_build_filter(argv[3], argv[4]);
|
||||
else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
|
||||
seccomp_secondary_64(argv[3]);
|
||||
else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
|
||||
seccomp_secondary_32(argv[3]);
|
||||
else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
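Review bot: With the `secondary 64` branch removed, `fseccomp secondary 64 <file>` now falls through the rest of the `else if` chain, whose tail is outside this hunk; if that tail prints usage and exits non-zero nothing more is needed, but if it silently does nothing an old caller would succeed without a file being written. The usage text printed above the dispatch (the hunk header shows `printf("\n");`) presumably still lists the subcommands and should drop `secondary 64` as well if it does. main() starts and ends outside this hunk.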
|
||||
|
|
|
|||
|
|
@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
|
|||
close(dst);
|
||||
}
|
||||
|
||||
void seccomp_secondary_64(const char *fname) {
|
||||
// hardcoded syscall values
|
||||
struct sock_filter filter[] = {
|
||||
VALIDATE_ARCHITECTURE_64,
|
||||
EXAMINE_SYSCALL,
|
||||
BLACKLIST(165), // mount
|
||||
BLACKLIST(166), // umount2
|
||||
// todo: implement --allow-debuggers
|
||||
BLACKLIST(101), // ptrace
|
||||
BLACKLIST(246), // kexec_load
|
||||
BLACKLIST(304), // open_by_handle_at
|
||||
BLACKLIST(303), // name_to_handle_at
|
||||
BLACKLIST(174), // create_module
|
||||
BLACKLIST(175), // init_module
|
||||
BLACKLIST(313), // finit_module
|
||||
BLACKLIST(176), // delete_module
|
||||
BLACKLIST(172), // iopl
|
||||
BLACKLIST(173), // ioperm
|
||||
BLACKLIST(251), // ioprio_set
|
||||
BLACKLIST(167), // swapon
|
||||
BLACKLIST(168), // swapoff
|
||||
BLACKLIST(103), // syslog
|
||||
BLACKLIST(310), // process_vm_readv
|
||||
BLACKLIST(311), // process_vm_writev
|
||||
BLACKLIST(139), // sysfs
|
||||
BLACKLIST(156), // _sysctl
|
||||
BLACKLIST(159), // adjtimex
|
||||
BLACKLIST(305), // clock_adjtime
|
||||
BLACKLIST(212), // lookup_dcookie
|
||||
BLACKLIST(298), // perf_event_open
|
||||
BLACKLIST(300), // fanotify_init
|
||||
BLACKLIST(312), // kcmp
|
||||
BLACKLIST(248), // add_key
|
||||
BLACKLIST(249), // request_key
|
||||
BLACKLIST(250), // keyctl
|
||||
BLACKLIST(134), // uselib
|
||||
BLACKLIST(163), // acct
|
||||
BLACKLIST(154), // modify_ldt
|
||||
BLACKLIST(155), // pivot_root
|
||||
BLACKLIST(206), // io_setup
|
||||
BLACKLIST(207), // io_destroy
|
||||
BLACKLIST(208), // io_getevents
|
||||
BLACKLIST(209), // io_submit
|
||||
BLACKLIST(210), // io_cancel
|
||||
BLACKLIST(216), // remap_file_pages
|
||||
BLACKLIST(237), // mbind
|
||||
// breaking Firefox nightly when playing youtube videos
|
||||
// TODO: test again when firefox sandbox is finally released
|
||||
// BLACKLIST(239), // get_mempolicy
|
||||
BLACKLIST(238), // set_mempolicy
|
||||
BLACKLIST(256), // migrate_pages
|
||||
BLACKLIST(279), // move_pages
|
||||
BLACKLIST(278), // vmsplice
|
||||
BLACKLIST(161), // chroot
|
||||
BLACKLIST(184), // tuxcall
|
||||
BLACKLIST(169), // reboot
|
||||
BLACKLIST(180), // nfsservctl
|
||||
BLACKLIST(177), // get_kernel_syms
|
||||
|
||||
RETURN_ALLOW
|
||||
};
|
||||
|
||||
// save filter to file
|
||||
write_filter(fname, sizeof(filter), filter);
|
||||
}
|
||||
|
||||
// 32 bit arch filter installed on 64 bit architectures
|
||||
void seccomp_secondary_32(const char *fname) {
|
||||
|
|
|
|||
|
|
@ -37,23 +37,6 @@ expect {
|
|||
"jeq socket"
|
||||
}
|
||||
|
||||
after 100
|
||||
send -- "fseccomp secondary 64 seccomp-test-file\r"
|
||||
after 100
|
||||
send -- "fsec-print seccomp-test-file\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 5.1\n";exit}
|
||||
"jeq mount"
|
||||
}
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 5.2\n";exit}
|
||||
"jeq umount2"
|
||||
}
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 5.3\n";exit}
|
||||
"ret ALLOW"
|
||||
}
|
||||
|
||||
after 100
|
||||
send -- "fseccomp default seccomp-test-file\r"
|
||||
after 100
|
||||
|
|
|
|||