replacing seccomp printing with a seccomp disassembler

netblue30 · Dec 28, 2017 · f9c60d5 · f9c60d5
1 parent 96f26b0
commit f9c60d5
Show file tree

Hide file tree

Showing 14 changed files with 571 additions and 199 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,7 @@ src/tags
 src/faudit/faudit
 src/fnet/fnet
 src/fnetfilter/fnetfilter
+src/fsec-print/fsec-print
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 src/fldd/fldd

diff --git a/Makefile.in b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/fsec-print src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
@@ -102,6 +102,7 @@ endif
 	install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
+	install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
@@ -170,6 +171,7 @@ install-strip: all
 	strip src/fnet/fnet
 	strip src/fnetfilter/fnetfilter
 	strip src/fseccomp/fseccomp
+	strip src/fsec-print/fsec-print
 	strip src/fcopy/fcopy
 	strip src/fldd/fldd
 	strip src/fbuilder/fbuilder

diff --git a/configure b/configure
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
 	sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4543,6 +4543,7 @@ do
     "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
     "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
     "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
+    "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
     "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
     "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;

diff --git a/configure.ac b/configure.ac
@@ -176,7 +176,7 @@ if test "$prefix" = /usr; then
 fi
 
 AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
-src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
+src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 
 echo

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -771,6 +771,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
+#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
@@ -126,9 +126,9 @@ int seccomp_load(const char *fname) {
 		errExit("strdup");
 	filter_list_head = fl;
 
-	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
-		sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-			PATH_FSECCOMP, "print", fname);
+	if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
+		sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+			PATH_FSEC_PRINT, fname);
 	}
 
 	return 0;
@@ -240,12 +240,12 @@ int seccomp_filter_drop(void) {
 			printf("seccomp filter configured\n");
 	}
 
-	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
+	if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
 		struct stat st;
 		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
 			printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
-			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-				  PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+				  PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
 		}
 	}
 
@@ -280,12 +280,12 @@ int seccomp_filter_keep(void) {
 			printf("seccomp filter configured\n");
 	}
 
-	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
+	if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
 		struct stat st;
 		if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
 			printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
-			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-				  PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+				  PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
 		}
 	}
 
@@ -332,7 +332,7 @@ void seccomp_print_filter(pid_t pid) {
 	}
 
 	// read and print the filter - run this as root, the user doesn't have access
-	sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", fname);
+	sbox_run(SBOX_ROOT | SBOX_SECCOMP, 2, PATH_FSEC_PRINT, fname);
 	free(fname);
 
 	exit(0);

diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
@@ -0,0 +1,45 @@
+all: fsec-print
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
+	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fsec-print: $(OBJS) ../lib/libnetlink.o
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fsec-print *.gcov *.gcda *.gcno
+
+distclean: clean
+	rm -fr Makefile
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FSEC_PRINT_H
+#define FSEC_PRINT_H
+#include "../include/common.h"
+#include "../include/seccomp.h"
+#include <sys/mman.h>
+
+// print.c
+void print(struct sock_filter *filter, int entries);
+
+// syscall_list.c
+const char *syscall_find_nr(int nr);
+
+#endif
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fsec_print.h"
+
+static void usage(void) {
+	printf("Usage:\n");
+	printf("\tfsec-print file - disassemble seccomp filter\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+	if (argc != 2) {
+		usage();
+		return 1;
+	}
+
+	if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) {
+		usage();
+		return 0;
+	}
+
+	char *fname = argv[1];
+
+	// open input file
+	int fd = open(fname, O_RDONLY);
+	if (fd == -1)
+		goto errexit;
+
+	// calculate the number of entries
+	int size = lseek(fd, 0, SEEK_END);
+	if (size == -1) // todo: check maximum size of seccomp filter (4KB?)
+		goto errexit;
+	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+
+	// read filter
+	struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (filter == MAP_FAILED)
+		goto errexit;
+
+
+	// print filter
+	print(filter, entries);
+
+	// free mapped memory
+	if (munmap(filter, size) == -1)
+		perror("Error un-mmapping the file");
+
+	// close file
+	close(fd);
+	return 0;
+errexit:
+	close(fd);
+	fprintf(stderr, "Error: cannot read %s\n", fname);
+	exit(1);
+
+}