Commit cb5d361a authored by Topi Miettinen's avatar Topi Miettinen

Improve seccomp support for non-x86 architectures

parent f883155b
......@@ -28,7 +28,7 @@ src/fldd/fldd
uids.h
seccomp
seccomp.debug
seccomp.i386
seccomp.amd64
seccomp.32
seccomp.64
seccomp.block_secondary
seccomp.mdwx
......@@ -2,7 +2,7 @@ all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
prefix=@prefix@
exec_prefix=@exec_prefix@
......@@ -43,8 +43,8 @@ filters: src/fseccomp
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
src/fseccomp/fseccomp default seccomp
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fseccomp/fseccomp secondary 32 seccomp.i386
src/fseccomp/fseccomp secondary 64 seccomp.amd64
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fseccomp/fseccomp secondary 64 seccomp.64
src/fseccomp/fseccomp secondary block seccomp.block_secondary
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
endif
......@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
endif
......
......@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej
install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/.
......@@ -492,9 +492,9 @@ rm -rf %{buildroot}
/usr/lib/firejail/fnet
/usr/lib/firejail/fseccomp
/usr/lib/firejail/seccomp
/usr/lib/firejail/seccomp.amd64
/usr/lib/firejail/seccomp.64
/usr/lib/firejail/seccomp.debug
/usr/lib/firejail/seccomp.i386
/usr/lib/firejail/seccomp.32
/usr/lib/firejail/seccomp.block_secondary
/usr/lib/firejail/seccomp.mdwx
......
......@@ -54,15 +54,15 @@
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
......
......@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
else {
//copy default seccomp files
copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
}
if (arg_allow_debuggers)
copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
......
......@@ -137,22 +137,22 @@ errexit:
exit(1);
}
// i386 filter installed on amd64 architectures
#if defined(__x86_64__)
// 32 bit arch filter installed on 64 bit architectures
#if defined(__LP64__)
static void seccomp_filter_32(void) {
if (seccomp_load(RUN_SECCOMP_I386) == 0) {
if (seccomp_load(RUN_SECCOMP_32) == 0) {
if (arg_debug)
printf("Dual i386/amd64 seccomp filter configured\n");
printf("Dual 32/64 bit seccomp filter configured\n");
}
}
#endif
// amd64 filter installed on i386 architectures
#if defined(__i386__)
// 64 bit arch filter installed on 32 bit architectures
#if defined(__ILP32__)
static void seccomp_filter_64(void) {
if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
if (seccomp_load(RUN_SECCOMP_64) == 0) {
if (arg_debug)
printf("Dual i386/amd64 seccomp filter configured\n");
printf("Dual 32/64 bit seccomp filter configured\n");
}
}
#endif
......@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
if (arg_seccomp_block_secondary)
seccomp_filter_block_secondary();
else {
#if defined(__x86_64__)
#if defined(__LP64__)
seccomp_filter_32();
#endif
#if defined(__i386__)
#if defined(__ILP32__)
seccomp_filter_64();
#endif
}
......@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
if (arg_seccomp_block_secondary)
seccomp_filter_block_secondary();
else {
#if defined(__x86_64__)
#if defined(__LP64__)
seccomp_filter_32();
#endif
#if defined(__i386__)
#if defined(__ILP32__)
seccomp_filter_64();
#endif
}
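Review bot: The new `__LP64__` / `__ILP32__` guards around seccomp_filter_32() and seccomp_filter_64(), and at both call sites in seccomp_filter_drop(), have no fallback, so a build where the compiler predefines neither macro silently loads no secondary-architecture filter. `__ILP32__` in particular is, as far as I know, not predefined by GCC on every 32-bit target, so this should be confirmed for the ARM, MIPS o32 and PowerPC cases this commit adds. I would add a build-time check next to the definitions, `#if !defined(__LP64__) && !defined(__ILP32__)` / `# warning "no secondary seccomp filter selected for this ABI"` / `#endif`, or key the guards off `__SIZEOF_POINTER__` instead. Note also that x32 defines both `__x86_64__` and `__ILP32__`, so it now takes the seccomp_filter_64() path where it previously took seccomp_filter_32(). seccomp_filter_drop() starts and ends outside these hunks.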
......
......@@ -90,7 +90,7 @@ static int detect_filter_type(void) {
}
// testing for secondare amd64 filter
// testing for secondary 64 bit filter
const struct sock_filter start_secondary_64[] = {
VALIDATE_ARCHITECTURE_64,
EXAMINE_SYSCALL,
......@@ -102,7 +102,7 @@ static int detect_filter_type(void) {
return sizeof(start_secondary_64) / sizeof(struct sock_filter);
}
// testing for secondare i386 filter
// testing for secondary 32 bit filter
const struct sock_filter start_secondary_32[] = {
VALIDATE_ARCHITECTURE_32,
EXAMINE_SYSCALL,
......
......@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) {
write_filter(fname, sizeof(filter), filter);
}
// i386 filter installed on amd64 architectures
// 32 bit arch filter installed on 64 bit architectures
void seccomp_secondary_32(const char *fname) {
// hardcoded syscall values
struct sock_filter filter[] = {
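Review bot: The updated comment says seccomp_secondary_32() builds a generic 32-bit filter, but the next line still reads `// hardcoded syscall values`, and with ARCH_32 now resolving to AUDIT_ARCH_ARM, AUDIT_ARCH_MIPS and others those numbers would have to match each architecture's own syscall table. The filter body lies outside this hunk, so I cannot confirm it, but if the numbers are the i386 ones the filter would act on unrelated syscalls and miss the intended ones on non-x86 builds. Either derive the numbers per architecture or state the limit in the comment, e.g. `// hardcoded i386 syscall numbers; only meaningful when ARCH_32 is AUDIT_ARCH_I386`. The same question applies to seccomp_secondary_64() above, whose body is also outside the hunk.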
......
......@@ -91,10 +91,64 @@ struct seccomp_data {
#if defined(__i386__)
# define ARCH_NR AUDIT_ARCH_I386
# define ARCH_32 AUDIT_ARCH_I386
# define ARCH_64 AUDIT_ARCH_X86_64
#elif defined(__x86_64__)
# define ARCH_NR AUDIT_ARCH_X86_64
# define ARCH_32 AUDIT_ARCH_I386
# define ARCH_64 AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define ARCH_NR AUDIT_ARCH_AARCH64
# define ARCH_32 AUDIT_ARCH_ARM
# define ARCH_64 AUDIT_ARCH_AARCH64
#elif defined(__arm__)
# define ARCH_NR AUDIT_ARCH_ARM
# define ARCH_32 AUDIT_ARCH_ARM
# define ARCH_64 AUDIT_ARCH_AARCH64
#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
# define ARCH_NR AUDIT_ARCH_MIPS
# define ARCH_32 AUDIT_ARCH_MIPS
# define ARCH_64 AUDIT_ARCH_MIPS64
#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
# define ARCH_NR AUDIT_ARCH_MIPSEL
# define ARCH_32 AUDIT_ARCH_MIPSEL
# define ARCH_64 AUDIT_ARCH_MIPSEL64
#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
# define ARCH_NR AUDIT_ARCH_MIPS64
# define ARCH_32 AUDIT_ARCH_MIPS
# define ARCH_64 AUDIT_ARCH_MIPS64
#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
# define ARCH_NR AUDIT_ARCH_MIPSEL64
# define ARCH_32 AUDIT_ARCH_MIPSEL
# define ARCH_64 AUDIT_ARCH_MIPSEL64
#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
# define ARCH_NR AUDIT_ARCH_MIPS64N32
# define ARCH_32 AUDIT_ARCH_MIPS64N32
# define ARCH_64 AUDIT_ARCH_MIPS64
#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
# define ARCH_64 AUDIT_ARCH_MIPSEL64
#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
# define ARCH_NR AUDIT_ARCH_PPC64
# define ARCH_32 AUDIT_ARCH_PPC
# define ARCH_64 AUDIT_ARCH_PPC64
#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
# define ARCH_NR AUDIT_ARCH_PPC64LE
# define ARCH_32 AUDIT_ARCH_PPC
# define ARCH_64 AUDIT_ARCH_PPC64LE
#elif defined(__powerpc__)
# define ARCH_NR AUDIT_ARCH_PPC
# define ARCH_32 AUDIT_ARCH_PPC
# define ARCH_64 AUDIT_ARCH_PPC64LE
#elif defined(__s390x__)
# define ARCH_NR AUDIT_ARCH_S390X
# define ARCH_32 AUDIT_ARCH_S390
# define ARCH_64 AUDIT_ARCH_S390X
#elif defined(__s390__)
# define ARCH_NR AUDIT_ARCH_S390
# define ARCH_32 AUDIT_ARCH_S390
# define ARCH_64 AUDIT_ARCH_S390X
#else
# warning "Platform does not support seccomp filter yet"
# define ARCH_NR 0
......@@ -112,12 +166,12 @@ struct seccomp_data {
#define VALIDATE_ARCHITECTURE_64 \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define VALIDATE_ARCHITECTURE_32 \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#if defined(__x86_64__)
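Review bot: In the `__powerpc__` branch ARCH_64 is set to AUDIT_ARCH_PPC64LE, although 32-bit PowerPC userspace is big-endian and its 64-bit counterpart would normally be AUDIT_ARCH_PPC64; likewise the little-endian `__powerpc64__` branch pairs with big-endian AUDIT_ARCH_PPC, which a little-endian kernel may never report. Because VALIDATE_ARCHITECTURE_32/64 return SECCOMP_RET_ALLOW whenever the arch value does not equal ARCH_32/ARCH_64, a wrong pairing turns the secondary filter into a no-op rather than an error, so each pair should be checked against what the kernel reports for compat tasks. If confirmed, the 32-bit branch would read `# define ARCH_64 AUDIT_ARCH_PPC64`. Separately, the `#else` fallback as shown defines only ARCH_NR, so the two macros that now use ARCH_32 and ARCH_64 would not compile on an unlisted platform; the lines after `# define ARCH_NR 0` are outside the hunk, so that may already be handled.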
......
......@@ -43,7 +43,7 @@ expect {
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
"Installing /run/firejail/mnt/seccomp.64 seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
......@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
"done"
}
after 100
......@@ -82,7 +82,7 @@ expect {
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
"Installing /run/firejail/mnt/seccomp.64 seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
......@@ -110,12 +110,12 @@ expect {
send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 29\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter"
}
expect {
......@@ -128,12 +128,12 @@ after 100
send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 33\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter"
}
expect {
......
......@@ -31,7 +31,7 @@ expect {
after 100
# amd64 architecture
# 64 bit architecture
send -- "firejail --debug sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
......@@ -43,7 +43,7 @@ expect {
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
......@@ -55,18 +55,18 @@ expect {
}
after 100
# amd64 architecture - ignore seccomp
# 64 bit architecture - ignore seccomp
send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
}
expect {
......@@ -75,7 +75,7 @@ expect {
}
after 100
# amd64 architecture - ignore protocol
# 64 bit architecture - ignore protocol
send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
......@@ -90,7 +90,7 @@ expect {
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
......@@ -114,21 +114,21 @@ expect {
}
# amd64 architecture - seccomp.block-secondary
# 64 bit architecture - seccomp.block-secondary
send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 29\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter"
}
expect {
timeout {puts "TESTING ERROR 31\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
}
expect {
......@@ -137,16 +137,16 @@ expect {
}
after 100
# amd64 architecture - seccomp.block-secondary, profile
# 64 bit architecture - seccomp.block-secondary, profile
send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
expect {
timeout {puts "TESTING ERROR 33\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
"Child process initialized"
}
expect {
timeout {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
"Installing /run/firejail/mnt/seccomp seccomp filter"
}
expect {
......