
seccomp work 1

1 parent be09b34 commit 64431c712ffb5d4805b61ea740bc9be98cf1b48f @netblue30 committed Nov 20, 2016
Showing with 44 additions and 63 deletions.
  1. +5 −0 .gitignore
  2. +13 −1 Makefile.in
  3. +5 −4 src/firejail/firejail.h
  4. +12 −46 src/firejail/preproc.c
  5. +0 −4 src/firejail/sandbox.c
  6. +7 −6 src/firejail/seccomp.c
  7. +2 −2 src/fseccomp/main.c
@@ -24,3 +24,8 @@ src/fnet/fnet
src/fseccomp/fseccomp
src/fcopy/fcopy
uids.h
+seccomp
+seccomp.debug
+seccomp.i386
+seccomp.amd64
+
@@ -1,7 +1,8 @@
-all: apps man
+all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
prefix=@prefix@
exec_prefix=@exec_prefix@
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
man: $(MANPAGES)
+filters: src/fseccomp
+ src/fseccomp/fseccomp default seccomp
+ src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+ src/fseccomp/fseccomp secondary 32 seccomp.i386
+ src/fseccomp/fseccomp secondary 64 seccomp.amd64
+
clean:
for dir in $(APPS) $(MYLIBS); do \
$(MAKE) -C $$dir clean; \
done
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+ rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
rm -f test/utils/index.html*
rm -f test/utils/wget-log
rm -f test/utils/lstesting
@@ -79,6 +87,10 @@ realinstall:
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
# documents
install -m 0755 -d $(DESTDIR)/$(DOCDIR)
install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
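Review bot: `SECCOMP_FILTERS` in the first hunk lists three filters but omits `seccomp.debug`, which the new `filters` target builds and which the `clean` and `realinstall` hunks handle with hand-written lists, so the variable and the explicit lists can drift apart; none of the visible hunks reference the variable at all. Suggest `SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64` and `rm -f $(SECCOMP_FILTERS)` in `clean`, with the four install lines driven from the same variable. The `filters` target depends on the directory `src/fseccomp` rather than on the `src/fseccomp/fseccomp` binary it executes, so a bare `make filters` on a clean tree may run before `apps` has built it; `filters: apps` or a dependency on the binary itself would pin the order.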
@@ -47,10 +47,14 @@
#define RUN_BIN_DIR "/run/firejail/mnt/bin"
#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
#define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
// preproc.c
void preproc_build_firejail_dir(void);
void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
// fs.c
// blacklist files or directoies by mounting empty files on top of them
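Review bot: The comment on `PATH_SECCOMP_DEFAULT_DEBUG` in the first hunk repeats "default filter built during make" verbatim from the line above it, which hides the only thing that distinguishes the two files; the Makefile hunk builds it with the `allow-debuggers` argument. Suggest `#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter with debugger syscalls allowed, built during make`. The four new `PATH_SECCOMP_*` macros depend on `LIBDIR` being defined before this point in the header, which is not visible in the hunk.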
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
}
- if (stat(RUN_MNT_DIR, &s)) {
- create_empty_dir_as_root(RUN_MNT_DIR, 0755);
- }
+ if (stat(RUN_MNT_DIR, &s)) {
+ create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+ }
create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
tmpfs_mounted = 1;
fs_logger2("tmpfs", RUN_MNT_DIR);
- // create all seccomp files
- // as root, create RUN_SECCOMP_I386 file
- create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
- if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_AMD64 file
- create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
- if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP file
- create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
- if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
- errExit("set_perms");
-
- // as root, create RUN_SECCOMP_PROTOCOL file
+ //copy defaultl seccomp files
+ copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+ copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+ if (arg_allow_debuggers)
+ copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+ else
+ copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+
+ // as root, create an empty RUN_SECCOMP_PROTOCOL file
create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
errExit("set_perms");
}
}
-
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
- struct stat s;
- preproc_mount_mnt_dir();
- if (stat(RUN_CP_COMMAND, &s)) {
- char* fname = realpath("/bin/cp", NULL);
- if (fname == NULL || stat(fname, &s) || is_link(fname)) {
- fprintf(stderr, "Error: invalid /bin/cp\n");
- exit(1);
- }
- int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
- if (rv) {
- fprintf(stderr, "Error: cannot access /bin/cp\n");
- exit(1);
- }
- ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-
- free(fname);
- }
-}
-
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
- unlink(RUN_CP_COMMAND);
-}
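Review bot: The four `copy_file` calls added in the second hunk ignore the return value, while the `preproc_build_cp_command` code removed in the same hunk checked `rv` from `copy_file` and exited on failure; if an installed filter under `LIBDIR` is missing or unreadable, `RUN_SECCOMP_I386`, `RUN_SECCOMP_AMD64` or `RUN_SECCOMP_CFG` is silently left absent and the later `seccomp_load` of that path has nothing to enforce. A small static helper above `preproc_mount_mnt_dir` that aborts on a non-zero `copy_file` result keeps the check in one place and matches the removed code's error style. The comment `//copy defaultl seccomp files` also has a typo. `preproc_mount_mnt_dir`'s body starts before this hunk.
```c
// copy an installed seccomp filter into the mount dir, owned by the user; abort if the copy fails
static void copy_filter_or_die(const char *src, const char *dst) {
	if (copy_file(src, dst, getuid(), getgid(), 0644)) {
		fprintf(stderr, "Error: cannot copy seccomp filter %s\n", src);
		exit(1);
	}
}

// … unchanged: preproc_mount_mnt_dir up to the tmpfs mount …
	// copy default seccomp files
	copy_filter_or_die(PATH_SECCOMP_I386, RUN_SECCOMP_I386);
	copy_filter_or_die(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64);
	if (arg_allow_debuggers)
		copy_filter_or_die(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG);
	else
		copy_filter_or_die(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG);
// … unchanged: RUN_SECCOMP_PROTOCOL creation …
```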
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
//****************************
// fs pre-processing:
- // - copy some commands under /run
// - build seccomp filters
// - create an empty /etc/ld.so.preload
//****************************
- preproc_build_cp_command();
-
#ifdef HAVE_SECCOMP
if (cfg.protocol) {
if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
//****************************
// fs post-processing
//****************************
- preproc_delete_cp_command();
fs_logger_print();
fs_logger_change_owner();
@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
return 0;
}
-
-
-
// i386 filter installed on amd64 architectures
void seccomp_filter_32(void) {
+#if 0
if (arg_debug)
printf("Build secondary 32-bit filter\n");
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
if (rv)
exit(rv);
-
+#endif
if (seccomp_load(RUN_SECCOMP_I386) == 0) {
if (arg_debug)
printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
// amd64 filter installed on i386 architectures
void seccomp_filter_64(void) {
+#if 0
if (arg_debug)
printf("Build secondary 64-bit filter\n");
@@ -122,14 +121,14 @@ void seccomp_filter_64(void) {
PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
if (rv)
exit(rv);
+#endif
if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
if (arg_debug)
printf("Dual i386/amd64 seccomp filter configured\n");
}
}
-
// drop filter for seccomp option
int seccomp_filter_drop(int enforce_seccomp) {
// default seccomp
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
#if defined(__i386__)
seccomp_filter_64();
#endif
+
+#if 0
if (arg_debug)
printf("Build default seccomp filter\n");
// build the seccomp filter as a regular user
@@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
if (rv)
exit(rv);
+#endif
}
-
// default seccomp filter with additional drop list
else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
#if defined(__x86_64__)
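Review bot: The `#if 0` blocks added at the top of `seccomp_filter_32`, at the top of `seccomp_filter_64` and inside `seccomp_filter_drop` keep the old runtime `PATH_FSECCOMP` invocations as preprocessor-disabled text rather than deleting them; that text is neither compiled nor kept in sync and reads as if the build step might still be active. With the build step gone these functions load whatever was copied into `RUN_SECCOMP_I386`, `RUN_SECCOMP_AMD64` and `RUN_SECCOMP_CFG` earlier, so a comment at each `seccomp_load`, e.g. `// filter file is copied from LIBDIR by preproc_mount_mnt_dir(); nothing is built here`, would record the new dependency. `seccomp_filter_drop`'s body continues past the last hunk.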
@@ -38,15 +38,15 @@ static void usage(void) {
}
int main(int argc, char **argv) {
-#if 0
+//#if 0
{
//system("cat /proc/self/status");
int i;
for (i = 0; i < argc; i++)
printf("*%s* ", argv[i]);
printf("\n");
}
-#endif
+//#endif
if (argc < 2) {
usage();
return 1;
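Review bot: Replacing `#if 0` / `#endif` with `//#if 0` / `//#endif` compiles the argv dump block in unconditionally, so every `fseccomp` invocation, including the four build-time calls in the Makefile.in hunk, now prints all its arguments to stdout. If this is a temporary debugging aid it should not ship in the commit; restore `#if 0` and `#endif`, or gate the block on a debug flag rather than leaving commented-out directives around live code. `main` continues past this hunk.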
