moving --profile to sbox

Makefile.in

@@ -1,6 +1,6 @@
 all: apps man
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 
 prefix=@prefix@
@@ -77,6 +77,7 @@ realinstall:
  install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
  # documents
  install -m 0755 -d $(DESTDIR)/$(DOCDIR)
  install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -126,6 +127,7 @@ install-strip: all
  strip src/ftee/ftee
  strip src/faudit/faudit
  strip src/fnet/fnet
+ strip src/fseccomp/fseccomp
  $(MAKE) realinstall
 
 uninstall:

configure

@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4479,6 +4479,7 @@ do
  "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
  "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
  "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
+ "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac

configure.ac

@@ -148,7 +148,8 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile \
+src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
 
 echo
 echo "Configuration options:"

src/firejail/Makefile.in

@@ -30,7 +30,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
  $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o

src/firejail/errno.c

@@ -206,15 +206,4 @@ char *errno_find_nr(int nr) {
  return "unknown";
 }
 
-void errno_print(void) {
- EUID_ASSERT();
-
- int i;
- int elems = sizeof(errnolist) / sizeof(errnolist[0]);
- for (i = 0; i < elems; i++) {
- printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name);
- }
- printf("\n");
-}
-
 #endif // HAVE_SECCOMP

src/firejail/firejail.h

@@ -39,6 +39,7 @@
 #define RUN_RO_FILE "/run/firejail/firejail.ro.file"
 #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol"
 #define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
 #define RUN_CPU_CFG "/run/firejail/mnt/cpu"
 #define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
@@ -514,8 +515,6 @@ void caps_print_filter_name(const char *name);
 const char *syscall_find_nr(int nr);
 // return -1 if error, 0 if no error
 int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg);
-// print all available syscallsseccomp
-void syscall_print(void);
 
 // fs_trace.c
 void fs_trace_preload(void);
@@ -598,7 +597,7 @@ void protocol_list();
 void protocol_print_filter_name(const char *name);
 void protocol_print_filter(pid_t pid);
 void protocol_store(const char *prlist);
-void protocol_filter(void);
+void protocol_filter(const char *fname);
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
 
@@ -686,11 +685,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 // bitmapped filters for sbox_run
 #define SBOX_ROOT 1
 #define SBOX_USER 2
 #define SBOX_CAPS 4
 #define SBOX_SECCOMP 8
+// run sbox
 int sbox_run(unsigned filter, int num, ...);
 
 

src/firejail/join.c

@@ -296,7 +296,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
  if (getuid() != 0)
  protocol_filter_load(RUN_PROTOCOL_CFG);
  if (cfg.protocol) { // not available for uid 0
- protocol_filter();
+ protocol_filter(RUN_SECCOMP_PROTOCOL);
  }
 
  // set seccomp filter

src/firejail/main.c

@@ -404,8 +404,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_SECCOMP
  else if (strcmp(argv[i], "--debug-syscalls") == 0) {
  if (checkcfg(CFG_SECCOMP)) {
- syscall_print();
- exit(0);
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
+ exit(rv);
  }
  else {
  fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -414,7 +414,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  }
  else if (strcmp(argv[i], "--debug-errnos") == 0) {
  if (checkcfg(CFG_SECCOMP)) {
- errno_print();
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
+ exit(rv);
  }
  else {
  fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
@@ -438,8 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
  else if (strcmp(argv[i], "--debug-protocols") == 0) {
- protocol_list();
- exit(0);
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols");
+ exit(rv);
  }
  else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
@@ -1117,7 +1118,16 @@ int main(int argc, char **argv) {
 #ifdef HAVE_SECCOMP
  else if (strncmp(argv[i], "--protocol=", 11) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
- protocol_store(argv[i] + 11);
+ if (cfg.protocol) {
+ if (!arg_quiet)
+ fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+ }
+ else {
+ // store list
+ cfg.protocol = strdup(argv[i] + 11);
+ if (!cfg.protocol)
+ errExit("strdup");
+ }
  }
  else {
  fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");

src/firejail/profile.c

@@ -497,8 +497,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
  if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
- if (checkcfg(CFG_SECCOMP))
- protocol_store(ptr + 9);
+ if (checkcfg(CFG_SECCOMP)) {
+ if (cfg.protocol) {
+ if (!arg_quiet)
+ fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+ return 0;
+ }
+
+ // store list
+ cfg.protocol = strdup(ptr + 9);
+ if (!cfg.protocol)
+ errExit("strdup");
+ }
  else
  fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n");
 #endif