seccomp work 1

.gitignore

@@ -24,3 +24,8 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 uids.h
+seccomp
+seccomp.debug
+seccomp.i386
+seccomp.amd64
+

Makefile.in

@@ -1,7 +1,8 @@
-all: apps man
+all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 
 man: $(MANPAGES)
 
+filters: src/fseccomp
+	src/fseccomp/fseccomp default seccomp
+	src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+	src/fseccomp/fseccomp secondary 32 seccomp.i386
+	src/fseccomp/fseccomp secondary 64 seccomp.amd64
+
 clean:
 	for dir in $(APPS) $(MYLIBS); do \
 		$(MAKE) -C $$dir clean; \
 	done
 	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+	rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
 	rm -f test/utils/index.html*
 	rm -f test/utils/wget-log
 	rm -f test/utils/lstesting
@@ -79,6 +87,10 @@ realinstall:
 	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
 	# documents
 	install -m 0755 -d $(DESTDIR)/$(DOCDIR)
 	install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.

src/firejail/firejail.h

@@ -47,10 +47,14 @@
 #define RUN_BIN_DIR	"/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR	"/run/firejail/mnt/pulse"
 
-#define RUN_SECCOMP_CFG	"/run/firejail/mnt/seccomp"			// configured filter
 #define RUN_SECCOMP_PROTOCOL	"/run/firejail/mnt/seccomp.protocol"	// protocol filter
+#define RUN_SECCOMP_CFG	"/run/firejail/mnt/seccomp"			// configured filter
 #define RUN_SECCOMP_AMD64	"/run/firejail/mnt/seccomp.amd64"	// amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386	"/run/firejail/mnt/seccomp.i386"		// i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")			// default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")	// default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")		// amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")			// i386 filter built during make
 
 
 #define RUN_DEV_DIR		"/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
 
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them

src/firejail/preproc.c

@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
 		create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
 	}
 
-        if (stat(RUN_MNT_DIR, &s)) {
-                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
-        }
+	if (stat(RUN_MNT_DIR, &s)) {
+		create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+	}
 
 	create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 	create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
 		tmpfs_mounted = 1;
 		fs_logger2("tmpfs", RUN_MNT_DIR);
 
-		// create all seccomp files
-		// as root, create RUN_SECCOMP_I386 file
-		create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
-		if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
-			errExit("set_perms");
-
-		// as root, create RUN_SECCOMP_AMD64 file
-		create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
-		if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
-			errExit("set_perms");
-
-		// as root, create RUN_SECCOMP file
-		create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
-		if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
-			errExit("set_perms");
-
-		// as root, create RUN_SECCOMP_PROTOCOL file
+		//copy defaultl seccomp files
+		copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+		copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+		if (arg_allow_debuggers)
+			copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+		else
+			copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+
+		// as root, create an empty RUN_SECCOMP_PROTOCOL file
 		create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
 		if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 			errExit("set_perms");
 	}
 }
-
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
-	struct stat s;
-	preproc_mount_mnt_dir();
-	if (stat(RUN_CP_COMMAND, &s)) {
-		char* fname = realpath("/bin/cp", NULL);
-		if (fname == NULL || stat(fname, &s) || is_link(fname)) {
-			fprintf(stderr, "Error: invalid /bin/cp\n");
-			exit(1);
-		}
-		int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
-		if (rv) {
-			fprintf(stderr, "Error: cannot access /bin/cp\n");
-			exit(1);
-		}
-		ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-
-		free(fname);
-	}
-}
-
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
-	unlink(RUN_CP_COMMAND);
-}

src/firejail/sandbox.c

@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
 
 	//****************************
 	// fs pre-processing:
-	//  - copy some commands under /run
 	//  - build seccomp filters
 	//  - create an empty /etc/ld.so.preload
 	//****************************
-	preproc_build_cp_command();
-
 #ifdef HAVE_SECCOMP
 	if (cfg.protocol) {
 		if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// fs post-processing
 	//****************************
-	preproc_delete_cp_command();
 	fs_logger_print();
 	fs_logger_change_owner();
 

src/firejail/seccomp.c

@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
 	return 0;
 }
 
-
-
-
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
+#if 0
 	if (arg_debug)
 		printf("Build secondary 32-bit filter\n");
 
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
 		PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
 	if (rv)
 		exit(rv);
-
+#endif
 	if (seccomp_load(RUN_SECCOMP_I386) == 0) {
 		if (arg_debug)
 			printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
 
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
+#if 0
 	if (arg_debug)
 		printf("Build secondary 64-bit filter\n");
 
@@ -122,14 +121,14 @@ void seccomp_filter_64(void) {
 		PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
 	if (rv)
 		exit(rv);
+#endif
 
 	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
 		if (arg_debug)
 			printf("Dual i386/amd64 seccomp filter configured\n");
 	}
 }
 
-
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
 	// default seccomp
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
 		seccomp_filter_64();
 #endif
+
+#if 0
 		if (arg_debug)
 			printf("Build default seccomp filter\n");
 		// build the seccomp filter as a regular user
@@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
 				PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
 		if (rv)
 			exit(rv);
+#endif
 	}
-
 	// default seccomp filter with additional drop list
 	else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
 #if defined(__x86_64__)

src/fseccomp/main.c

@@ -38,15 +38,15 @@ static void usage(void) {
 }
 
 int main(int argc, char **argv) {
-#if 0
+//#if 0
 {
 //system("cat /proc/self/status");
 int i;
 for (i = 0; i < argc; i++)
         printf("*%s* ", argv[i]);
 printf("\n");
 }       
-#endif
+//#endif
 	if (argc < 2) {
 		usage();
 		return 1;