authorLibravatar Topi Miettinen <toiwoton@gmail.com>2017-09-02 14:05:31 +0300
committerLibravatar Topi Miettinen <toiwoton@gmail.com>2017-09-02 14:05:31 +0300
commitcb5d361a7b52844bb18346f1829b69b4b7084439 (patch)
treea5c75843eca9db0ee432dde47454f2ec06224fb8
parentWorkaround for build problems, but correct problem this time (diff)
Improve seccomp support for non-x86 architectures
-rw-r--r--.gitignore4
-rw-r--r--Makefile.in10
-rwxr-xr-xplatform/rpm/old-mkrpm.sh8
-rw-r--r--src/firejail/firejail.h8
-rw-r--r--src/firejail/preproc.c4
-rw-r--r--src/firejail/seccomp.c24
-rw-r--r--src/fseccomp/seccomp_print.c4
-rw-r--r--src/fseccomp/seccomp_secondary.c2
-rw-r--r--src/include/seccomp.h58
-rwxr-xr-xtest/filters/seccomp-debug-32.exp16
-rwxr-xr-xtest/filters/seccomp-debug.exp28
11 files changed, 110 insertions, 56 deletions
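--- a/.gitignore
+++ b/.gitignore
@@ -28,7 +28,7 @@ src/fldd/fldd
 uids.h
 seccomp
 seccomp.debug
-seccomp.i386
-seccomp.amd64
+seccomp.32
+seccomp.64
 seccomp.block_secondary
 seccomp.mdwx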
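--- a/Makefile.in
+++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -43,8 +43,8 @@ filters: src/fseccomp
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
  src/fseccomp/fseccomp default seccomp
  src/fseccomp/fseccomp default seccomp.debug allow-debuggers
- src/fseccomp/fseccomp secondary 32 seccomp.i386
- src/fseccomp/fseccomp secondary 64 seccomp.amd64
+ src/fseccomp/fseccomp secondary 32 seccomp.32
+ src/fseccomp/fseccomp secondary 64 seccomp.64
  src/fseccomp/fseccomp secondary block seccomp.block_secondary
  src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
  install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
- install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
- install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif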
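Review bot: The `filters` and install recipes repeat file names that `SECCOMP_FILTERS` at the top of the file already lists, so this rename had to be made in three places and a later one can easily miss one of them. In the install recipe the six per-file lines could collapse to `install -c -m 0644 $(SECCOMP_FILTERS) $(DESTDIR)/$(libdir)/firejail/.`; that recipe begins outside the hunk, so other uses of the variable are not visible here. An upgrade over an existing installation also appears to leave the old `seccomp.i386` and `seccomp.amd64` behind in `$(libdir)/firejail`; whether the uninstall or packaging steps remove them cannot be told from these hunks.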
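--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej
 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/.
 
@@ -492,9 +492,9 @@ rm -rf %{buildroot}
 /usr/lib/firejail/fnet
 /usr/lib/firejail/fseccomp
 /usr/lib/firejail/seccomp
-/usr/lib/firejail/seccomp.amd64
+/usr/lib/firejail/seccomp.64
 /usr/lib/firejail/seccomp.debug
-/usr/lib/firejail/seccomp.i386
+/usr/lib/firejail/seccomp.32
 /usr/lib/firejail/seccomp.block_secondary
 /usr/lib/firejail/seccomp.mdwx
 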
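--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -54,15 +54,15 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
-#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 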
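--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
  copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
  else {
  //copy default seccomp files
- copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
- copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
  }
  if (arg_allow_debuggers)
  copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed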
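--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
  exit(1);
 }
 
-// i386 filter installed on amd64 architectures
-#if defined(__x86_64__)
+// 32 bit arch filter installed on 64 bit architectures
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
- if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+ if (seccomp_load(RUN_SECCOMP_32) == 0) {
  if (arg_debug)
- printf("Dual i386/amd64 seccomp filter configured\n");
+ printf("Dual 32/64 bit seccomp filter configured\n");
  }
 }
 #endif
 
-// amd64 filter installed on i386 architectures
-#if defined(__i386__)
+// 64 bit arch filter installed on 32 bit architectures
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
- if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+ if (seccomp_load(RUN_SECCOMP_64) == 0) {
  if (arg_debug)
- printf("Dual i386/amd64 seccomp filter configured\n");
+ printf("Dual 32/64 bit seccomp filter configured\n");
  }
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
  if (arg_seccomp_block_secondary)
  seccomp_filter_block_secondary();
  else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
  seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
  seccomp_filter_64();
 #endif
  }
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
  if (arg_seccomp_block_secondary)
  seccomp_filter_block_secondary();
  else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
  seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
  seccomp_filter_64();
 #endif
  }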
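Review bot: `#if defined(__ILP32__)` is not the complement of `#if defined(__LP64__)`, so on a target whose compiler predefines neither macro both `seccomp_filter_32()` and `seccomp_filter_64()` are compiled out and `seccomp_filter_drop()` silently installs no secondary-architecture filter. Whether every 32-bit toolchain this commit is aimed at predefines `__ILP32__` is worth confirming before relying on it. Writing the second test as the explicit complement, `#if !defined(__LP64__)`, at the definition of `seccomp_filter_64()` and at both call sites closes that gap. The body of `seccomp_filter_drop()` extends beyond the second and third hunks, so other paths through it are not visible here.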
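--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -90,7 +90,7 @@ static int detect_filter_type(void) {
  }
 
 
- // testing for secondare amd64 filter
+ // testing for secondary 64 bit filter
  const struct sock_filter start_secondary_64[] = {
  VALIDATE_ARCHITECTURE_64,
  EXAMINE_SYSCALL,
@@ -102,7 +102,7 @@ static int detect_filter_type(void) {
  return sizeof(start_secondary_64) / sizeof(struct sock_filter);
  }
 
- // testing for secondare i386 filter
+ // testing for secondary 32 bit filter
  const struct sock_filter start_secondary_32[] = {
  VALIDATE_ARCHITECTURE_32,
  EXAMINE_SYSCALL,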
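--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) {
  write_filter(fname, sizeof(filter), filter);
 }
 
-// i386 filter installed on amd64 architectures
+// 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
  // hardcoded syscall values
  struct sock_filter filter[] = {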
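Review bot: The comment above `seccomp_secondary_32()` now describes the filter as serving any 32-bit architecture, yet the first line of the body still reads `// hardcoded syscall values`. The table itself is outside the hunk, so this is an inference: if those numbers are the i386 ones, then on a build where seccomp.h maps `ARCH_32` to another architecture (for example `AUDIT_ARCH_ARM` on aarch64) the filter would act on unrelated syscalls and leave the intended ones unfiltered. I would either state the ABI in the comment, e.g. `// hardcoded i386 syscall numbers - valid only when ARCH_32 is AUDIT_ARCH_I386`, or keep this filter x86-only until per-architecture tables exist. The same question applies to `seccomp_secondary_64()`, of which only the closing lines are visible.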
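--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
 
 #if defined(__i386__)
 # define ARCH_NR AUDIT_ARCH_I386
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR AUDIT_ARCH_X86_64
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR AUDIT_ARCH_AARCH64
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR AUDIT_ARCH_ARM
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPS
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPS64
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPSEL64
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPS64N32
+# define ARCH_32 AUDIT_ARCH_MIPS64N32
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64LE
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR AUDIT_ARCH_PPC
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR AUDIT_ARCH_S390X
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR AUDIT_ARCH_S390
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
 
 #define VALIDATE_ARCHITECTURE_64 \
  BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #define VALIDATE_ARCHITECTURE_32 \
  BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #if defined(__x86_64__)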
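Review bot: The new MIPS and PowerPC branches test `__BYTE_ORDER == __BIG_ENDIAN`, and those names come from `<endian.h>` rather than from the compiler; if that header has not been included before this block (the include lines are outside the hunk), the preprocessor evaluates both sides as 0, the big-endian branch always matches, and a little-endian build ends up with the wrong `AUDIT_ARCH_*` value in its filters. Either include `<endian.h>` explicitly above the block or use the compiler-provided form, `__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__`. The 32-bit `__powerpc__` branch sets `ARCH_64` to `AUDIT_ARCH_PPC64LE` while its `ARCH_NR` is the big-endian `AUDIT_ARCH_PPC`; `AUDIT_ARCH_PPC64` looks like the intended pairing. The `#else` fallback still defines only `ARCH_NR`, so unless `ARCH_32` and `ARCH_64` are defined below the hunk, `VALIDATE_ARCHITECTURE_32` and `VALIDATE_ARCHITECTURE_64` turn the existing warning into a compile error on an unsupported platform.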
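--- a/test/filters/seccomp-debug-32.exp
+++ b/test/filters/seccomp-debug-32.exp
@@ -43,7 +43,7 @@ expect {
 }
 expect {
  timeout {puts "TESTING ERROR 7\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 9\n";exit}
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 10\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 13\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
  "done"
 }
 after 100
@@ -82,7 +82,7 @@ expect {
 expect {
  timeout {puts "TESTING ERROR 21\n";exit}
  "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 23\n";exit}
@@ -110,12 +110,12 @@ expect {
 send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 27\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 29\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {
@@ -128,12 +128,12 @@ after 100
 send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 33\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 35\n";exit}
- "Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+ "Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {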
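Review bot: Both failure branches of the last changed `expect` block print `TESTING ERROR 35` (the `timeout` line and the `seccomp.64` line), so a failing run cannot tell a timeout from the secondary filter being installed when `block-secondary.profile` should have suppressed it. Since the commit already rewrites that line, give the second branch its own identifier, one that is not used by the blocks that follow outside the hunk. The same duplicate is present in the last hunk of test/filters/seccomp-debug.exp on the `seccomp.32` line.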
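--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -31,7 +31,7 @@ expect {
 after 100
 
 
-# amd64 architecture
+# 64 bit architecture
 send -- "firejail --debug sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 5\n";exit}
@@ -43,7 +43,7 @@ expect {
 }
 expect {
  timeout {puts "TESTING ERROR 7\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 8\n";exit}
@@ -55,18 +55,18 @@ expect {
 }
 after 100
 
-# amd64 architecture - ignore seccomp
+# 64 bit architecture - ignore seccomp
 send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 10\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 13\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
  "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
 }
 expect {
@@ -75,7 +75,7 @@ expect {
 }
 after 100
 
-# amd64 architecture - ignore protocol
+# 64 bit architecture - ignore protocol
 send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 17\n";exit}
@@ -90,7 +90,7 @@ expect {
 expect {
  timeout {puts "TESTING ERROR 21\n";exit}
  "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 23\n";exit}
@@ -114,21 +114,21 @@ expect {
 }
 
 
-# amd64 architecture - seccomp.block-secondary
+# 64 bit architecture - seccomp.block-secondary
 send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 27\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 29\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {
  timeout {puts "TESTING ERROR 31\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
  "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
 }
 expect {
@@ -137,16 +137,16 @@ expect {
 }
 after 100
 
-# amd64 architecture - seccomp.block-secondary, profile
+# 64 bit architecture - seccomp.block-secondary, profile
 send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
  timeout {puts "TESTING ERROR 33\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
  "Child process initialized"
 }
 expect {
  timeout {puts "TESTING ERROR 35\n";exit}
- "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+ "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
  "Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {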