Improve seccomp support for non-x86 architectures

.gitignore

@@ -28,7 +28,7 @@ src/fldd/fldd
 uids.h
 seccomp
 seccomp.debug
-seccomp.i386
-seccomp.amd64
+seccomp.32
+seccomp.64
 seccomp.block_secondary
 seccomp.mdwx

Makefile.in

@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -43,8 +43,8 @@ filters: src/fseccomp
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
  src/fseccomp/fseccomp default seccomp
  src/fseccomp/fseccomp default seccomp.debug allow-debuggers
- src/fseccomp/fseccomp secondary 32 seccomp.i386
- src/fseccomp/fseccomp secondary 64 seccomp.amd64
+ src/fseccomp/fseccomp secondary 32 seccomp.32
+ src/fseccomp/fseccomp secondary 64 seccomp.64
  src/fseccomp/fseccomp secondary block seccomp.block_secondary
  src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
  install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
- install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
- install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif

platform/rpm/old-mkrpm.sh

@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej
 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/.
 
@@ -492,9 +492,9 @@ rm -rf %{buildroot}
 /usr/lib/firejail/fnet
 /usr/lib/firejail/fseccomp
 /usr/lib/firejail/seccomp
-/usr/lib/firejail/seccomp.amd64
+/usr/lib/firejail/seccomp.64
 /usr/lib/firejail/seccomp.debug
-/usr/lib/firejail/seccomp.i386
+/usr/lib/firejail/seccomp.32
 /usr/lib/firejail/seccomp.block_secondary
 /usr/lib/firejail/seccomp.mdwx
 

src/firejail/firejail.h

@@ -54,15 +54,15 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
-#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64")  // 64bit arch filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 

src/firejail/preproc.c

@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
  copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
  else {
  //copy default seccomp files
- copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
- copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
  }
  if (arg_allow_debuggers)
  copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed

src/firejail/seccomp.c

@@ -137,22 +137,22 @@ int seccomp_load(const char *fname) {
  exit(1);
 }
 
-// i386 filter installed on amd64 architectures
-#if defined(__x86_64__)
+// 32 bit arch filter installed on 64 bit architectures
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
- if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+ if (seccomp_load(RUN_SECCOMP_32) == 0) {
  if (arg_debug)
- printf("Dual i386/amd64 seccomp filter configured\n");
+ printf("Dual 32/64 bit seccomp filter configured\n");
  }
 }
 #endif
 
-// amd64 filter installed on i386 architectures
-#if defined(__i386__)
+// 64 bit arch filter installed on 32 bit architectures
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
- if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+ if (seccomp_load(RUN_SECCOMP_64) == 0) {
  if (arg_debug)
- printf("Dual i386/amd64 seccomp filter configured\n");
+ printf("Dual 32/64 bit seccomp filter configured\n");
  }
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
  if (arg_seccomp_block_secondary)
  seccomp_filter_block_secondary();
  else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
  seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
  seccomp_filter_64();
 #endif
  }
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
  if (arg_seccomp_block_secondary)
  seccomp_filter_block_secondary();
  else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
  seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
  seccomp_filter_64();
 #endif
  }

src/fseccomp/seccomp_print.c

@@ -90,7 +90,7 @@ static int detect_filter_type(void) {
  }
 
 
- // testing for secondare amd64 filter
+ // testing for secondary 64 bit filter
  const struct sock_filter start_secondary_64[] = {
  VALIDATE_ARCHITECTURE_64,
  EXAMINE_SYSCALL,
@@ -102,7 +102,7 @@ static int detect_filter_type(void) {
  return sizeof(start_secondary_64) / sizeof(struct sock_filter);
  }
 
- // testing for secondare i386 filter
+ // testing for secondary 32 bit filter
  const struct sock_filter start_secondary_32[] = {
  VALIDATE_ARCHITECTURE_32,
  EXAMINE_SYSCALL,

src/fseccomp/seccomp_secondary.c

@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) {
  write_filter(fname, sizeof(filter), filter);
 }
 
-// i386 filter installed on amd64 architectures
+// 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
  // hardcoded syscall values
  struct sock_filter filter[] = {

src/include/seccomp.h

@@ -91,10 +91,64 @@ struct seccomp_data {
 
 #if defined(__i386__)
 # define ARCH_NR AUDIT_ARCH_I386
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR AUDIT_ARCH_X86_64
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR AUDIT_ARCH_AARCH64
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR AUDIT_ARCH_ARM
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPS
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPS64
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPSEL64
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPS64N32
+# define ARCH_32 AUDIT_ARCH_MIPS64N32
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64LE
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR AUDIT_ARCH_PPC
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR AUDIT_ARCH_S390X
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR AUDIT_ARCH_S390
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
 
 #define VALIDATE_ARCHITECTURE_64 \
  BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #define VALIDATE_ARCHITECTURE_32 \
  BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #if defined(__x86_64__)

test/filters/seccomp-debug-32.exp

@@ -43,7 +43,7 @@ expect {
 }
 expect {
  timeout {puts "TESTING ERROR 7\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 9\n";exit}
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 10\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 13\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
  "done"
 }
 after 100
@@ -82,7 +82,7 @@ expect {
 expect {
  timeout {puts "TESTING ERROR 21\n";exit}
  "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 23\n";exit}
@@ -110,12 +110,12 @@ expect {
 send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 27\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 29\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {
@@ -128,12 +128,12 @@ after 100
 send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 33\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 35\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {