Merge pull request #4340 from smitsohu/kcmp

augment seccomp lists in firejail.config
netblue30 · Jun 26, 2021 · 46712f7 · 46712f7
2 parents 99e5335 + 43fb38e
commit 46712f7
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 23 deletions.
diff --git a/RELNOTES b/RELNOTES
@@ -1,6 +1,10 @@
 firejail (0.9.65) baseline; urgency=low
  * deprecated --audit options, relpaced by jailcheck utility
  * deprecated follow-symlink-as-user from firejail.config
+ * new firejail.config settings: private-bin, private-etc
+ * new firejail.config settings: private-opt, private-srv
+ * new firejail.config settings: whitelist-disable-topdir
+ * new firejail.config settings: seccomp-filter-add
  * rename --noautopulse to keep-config-pulse
  * filtering environment variables
  * zsh completion

diff --git a/etc/firejail.config b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
@@ -225,6 +226,10 @@ int checkcfg(int val) {
  else if (strncmp(ptr, "join-timeout ", 13) == 0)
  join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+ // add rules to default seccomp filter
+ else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+ config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
  // seccomp error action
  else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
  if (strcmp(ptr + 21, "kill") == 0)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -810,6 +810,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -967,7 +967,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
  char *prelist, *postlist;
 
- if (list) {
+ if (list && list[0]) {
  syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
  if (postlist)
  return 1;
@@ -2895,6 +2895,15 @@ int main(int argc, char **argv, char **envp) {
  // check network configuration options - it will exit if anything went wrong
  net_check_cfg();
 
+ // customization of default seccomp filter
+ if (config_seccomp_filter_add) {
+ if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+ profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+ if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+ profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+ }
+
  if (arg_seccomp)
  arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
  // - seccomp
  if (cfg.seccomp_list_drop == NULL) {
  // default seccomp if error action is not changed
- if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+ if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+ && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
  if (arg_seccomp_block_secondary)
  seccomp_filter_block_secondary();
  else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
  }
 
  // build the seccomp filter as a regular user
- if (list)
+ if (list && list[0])
  if (arg_allow_debuggers)
  rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
  PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -2178,7 +2178,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is @default-nodebuggers unless allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2189,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2211,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2225,6 +2227,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2237,6 +2246,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2245,9 +2255,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2260,7 +2274,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2272,8 +2286,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2317,15 +2330,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".