seccomp work 1

author: netblue30 <netblue30@yahoo.com> 2016-11-20 07:45:50 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-20 07:45:50 -0500
commit: 64431c712ffb5d4805b61ea740bc9be98cf1b48f (patch)
tree: b0ef6c3b653192a427de181bafd70702a15d43bd
parent: qemu profile (diff)
download: firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.gz
firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.zst
firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.zip
7 files changed, 44 insertions, 63 deletions
diff --git a/.gitignore b/.gitignore
index 9b9935b93..89bf3c4fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,8 @@ src/fnet/fnet
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 uids.h
+seccomp
+seccomp.debug
+seccomp.i386
+seccomp.amd64
diff --git a/Makefile.in b/Makefile.in
index 772dc8c06..d1f03c788 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,8 @@
-all: apps man
+all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
+SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 man: $(MANPAGES)
+filters: src/fseccomp
+        src/fseccomp/fseccomp default seccomp
+        src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+        src/fseccomp/fseccomp secondary 32 seccomp.i386
+        src/fseccomp/fseccomp secondary 64 seccomp.amd64
 clean:
        for dir in $(APPS) $(MYLIBS); do \
                $(MAKE) -C $$dir clean; \
        done
        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+        rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
        rm -f test/utils/index.html*
        rm -f test/utils/wget-log
        rm -f test/utils/lstesting
@@ -79,6 +87,10 @@ realinstall:
        install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
        # documents
        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2562094d3..2e031ce04 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -47,10 +47,14 @@
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
 #define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")           // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")                     // i386 filter built during make
 #define RUN_DEV_DIR             "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ea4e6743f..d2db7d3dd 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
        }
        
-        if (stat(RUN_MNT_DIR, &s)) {
+        if (stat(RUN_MNT_DIR, &s)) {
-                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
-        }
+        }
        create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
        create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
                tmpfs_mounted = 1;
                fs_logger2("tmpfs", RUN_MNT_DIR);
                
-                // create all seccomp files
+                //copy defaultl seccomp files
-                // as root, create RUN_SECCOMP_I386 file
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
-                create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
-                if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
+                if (arg_allow_debuggers)
-                        errExit("set_perms");
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                else
-                // as root, create RUN_SECCOMP_AMD64 file
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
-                create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
+                        
-                if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
+                // as root, create an empty RUN_SECCOMP_PROTOCOL file
-                        errExit("set_perms");
-                // as root, create RUN_SECCOMP file
-                create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
-                if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
-                        errExit("set_perms");
-                // as root, create RUN_SECCOMP_PROTOCOL file
                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                        errExit("set_perms");
        }
 }
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
-        struct stat s;
-        preproc_mount_mnt_dir();
-        if (stat(RUN_CP_COMMAND, &s)) {
-                char* fname = realpath("/bin/cp", NULL);
-                if (fname == NULL || stat(fname, &s) || is_link(fname)) {
-                        fprintf(stderr, "Error: invalid /bin/cp\n");
-                        exit(1);
-                }
-                int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot access /bin/cp\n");
-                        exit(1);
-                }
-                ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-                        
-                free(fname);
-        }
-}
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
-        unlink(RUN_CP_COMMAND);
-}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c2e053b0c..ad77caeb2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
        
        //****************************
        // fs pre-processing:
-        //  - copy some commands under /run
        //  - build seccomp filters
        //  - create an empty /etc/ld.so.preload
        //****************************
-        preproc_build_cp_command();
 #ifdef HAVE_SECCOMP
        if (cfg.protocol) {
                if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // fs post-processing
        //****************************
-        preproc_delete_cp_command();
        fs_logger_print();
        fs_logger_change_owner();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4a2221e98..30c63d734 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
        return 0;
 }
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
+#if 0
        if (arg_debug)
                printf("Build secondary 32-bit filter\n");
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
                PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
        if (rv)
                exit(rv);
+#endif
        if (seccomp_load(RUN_SECCOMP_I386) == 0) {
                if (arg_debug)
                        printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
+#if 0
        if (arg_debug)
                printf("Build secondary 64-bit filter\n");
@@ -122,6 +121,7 @@ void seccomp_filter_64(void) {
                PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
        if (rv)
                exit(rv);
+#endif
        if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
                if (arg_debug)
@@ -129,7 +129,6 @@ void seccomp_filter_64(void) {
        }
 }
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
        // default seccomp
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
                seccomp_filter_64();
 #endif
+#if 0
                if (arg_debug)
                        printf("Build default seccomp filter\n");
                // build the seccomp filter as a regular user
@@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
                if (rv)
                        exit(rv);
+#endif
        }
        // default seccomp filter with additional drop list
        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
 #if defined(__x86_64__)
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 2f85a786b..471e0b193 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 int main(int argc, char **argv) {
-#if 0
+//#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
        printf("*%s* ", argv[i]);
 printf("\n");
 }       
-#endif
+//#endif
        if (argc < 2) {
                usage();
                return 1;
author	netblue30 <netblue30@yahoo.com>	2016-11-20 07:45:50 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-20 07:45:50 -0500
commit	64431c712ffb5d4805b61ea740bc9be98cf1b48f (patch)
tree	b0ef6c3b653192a427de181bafd70702a15d43bd
parent	qemu profile (diff)
download	firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.gz firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.zst firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.zip

diff --git a/.gitignore b/.gitignore index 9b9935b93..89bf3c4fa 100644 --- a/.gitignore +++ b/.gitignore
@@ -24,3 +24,8 @@ src/fnet/fnet
24	src/fseccomp/fseccomp	24	src/fseccomp/fseccomp
25	src/fcopy/fcopy	25	src/fcopy/fcopy
26	uids.h	26	uids.h
		27	seccomp
		28	seccomp.debug
		29	seccomp.i386
		30	seccomp.amd64
		31


diff --git a/Makefile.in b/Makefile.in index 772dc8c06..d1f03c788 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -1,7 +1,8 @@
1	all: apps man	1	all: apps man filters
2	MYLIBS = src/lib	2	MYLIBS = src/lib
3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy	3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5	4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
		5	SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
5		6
6	prefix=@prefix@	7	prefix=@prefix@
7	exec_prefix=@exec_prefix@	8	exec_prefix=@exec_prefix@
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt)
35		36
36	man: $(MANPAGES)	37	man: $(MANPAGES)
37		38
		39	filters: src/fseccomp
		40	src/fseccomp/fseccomp default seccomp
		41	src/fseccomp/fseccomp default seccomp.debug allow-debuggers
		42	src/fseccomp/fseccomp secondary 32 seccomp.i386
		43	src/fseccomp/fseccomp secondary 64 seccomp.amd64
		44
38	clean:	45	clean:
39	for dir in $(APPS) $(MYLIBS); do \	46	for dir in $(APPS) $(MYLIBS); do \
40	$(MAKE) -C $$dir clean; \	47	$(MAKE) -C $$dir clean; \
41	done	48	done
42	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm	49	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
		50	rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64
43	rm -f test/utils/index.html*	51	rm -f test/utils/index.html*
44	rm -f test/utils/wget-log	52	rm -f test/utils/wget-log
45	rm -f test/utils/lstesting	53	rm -f test/utils/lstesting
@@ -79,6 +87,10 @@ realinstall:
79	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.	87	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
80	install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.	88	install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
81	install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.	89	install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
		90	install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
		91	install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
		92	install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
		93	install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
82	# documents	94	# documents
83	install -m 0755 -d $(DESTDIR)/$(DOCDIR)	95	install -m 0755 -d $(DESTDIR)/$(DOCDIR)
84	install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.	96	install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2562094d3..2e031ce04 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -47,10 +47,14 @@
47	#define RUN_BIN_DIR "/run/firejail/mnt/bin"	47	#define RUN_BIN_DIR "/run/firejail/mnt/bin"
48	#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"	48	#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
49		49
50	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
51	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter	50	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
		51	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
52	#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures	52	#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
53	#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures	53	#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
		54	#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
		55	#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
		56	#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
		57	#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
54		58
55		59
56	#define RUN_DEV_DIR "/run/firejail/mnt/dev"	60	#define RUN_DEV_DIR "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
374	// preproc.c	378	// preproc.c
375	void preproc_build_firejail_dir(void);	379	void preproc_build_firejail_dir(void);
376	void preproc_mount_mnt_dir(void);	380	void preproc_mount_mnt_dir(void);
377	void preproc_build_cp_command(void);
378	void preproc_delete_cp_command(void) ;
379	void preproc_remount_mnt_dir(void);
380		381
381	// fs.c	382	// fs.c
382	// blacklist files or directoies by mounting empty files on top of them	383	// blacklist files or directoies by mounting empty files on top of them


diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index ea4e6743f..d2db7d3dd 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
56	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);	56	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
57	}	57	}
58		58
59	if (stat(RUN_MNT_DIR, &s)) {	59	if (stat(RUN_MNT_DIR, &s)) {
60	create_empty_dir_as_root(RUN_MNT_DIR, 0755);	60	create_empty_dir_as_root(RUN_MNT_DIR, 0755);
61	}	61	}
62		62
63	create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);	63	create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
64	create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);	64	create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
75	tmpfs_mounted = 1;	75	tmpfs_mounted = 1;
76	fs_logger2("tmpfs", RUN_MNT_DIR);	76	fs_logger2("tmpfs", RUN_MNT_DIR);
77		77
78	// create all seccomp files	78	//copy defaultl seccomp files
79	// as root, create RUN_SECCOMP_I386 file	79	copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
80	create_empty_file_as_root(RUN_SECCOMP_I386, 0644);	80	copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
81	if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))	81	if (arg_allow_debuggers)
82	errExit("set_perms");	82	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
83		83	else
84	// as root, create RUN_SECCOMP_AMD64 file	84	copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
85	create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);	85
86	if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))	86	// as root, create an empty RUN_SECCOMP_PROTOCOL file
87	errExit("set_perms");
88
89	// as root, create RUN_SECCOMP file
90	create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
91	if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
92	errExit("set_perms");
93
94	// as root, create RUN_SECCOMP_PROTOCOL file
95	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);	87	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
96	if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))	88	if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
97	errExit("set_perms");	89	errExit("set_perms");
98	}	90	}
99	}	91	}
100
101	// grab a copy of cp command
102	void preproc_build_cp_command(void) {
103	struct stat s;
104	preproc_mount_mnt_dir();
105	if (stat(RUN_CP_COMMAND, &s)) {
106	char* fname = realpath("/bin/cp", NULL);
107	if (fname == NULL \|\| stat(fname, &s) \|\| is_link(fname)) {
108	fprintf(stderr, "Error: invalid /bin/cp\n");
109	exit(1);
110	}
111	int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
112	if (rv) {
113	fprintf(stderr, "Error: cannot access /bin/cp\n");
114	exit(1);
115	}
116	ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
117
118	free(fname);
119	}
120	}
121
122	// delete the temporary cp command
123	void preproc_delete_cp_command(void) {
124	unlink(RUN_CP_COMMAND);
125	}


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c2e053b0c..ad77caeb2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
555		555
556	//****************************	556	//****************************
557	// fs pre-processing:	557	// fs pre-processing:
558	// - copy some commands under /run
559	// - build seccomp filters	558	// - build seccomp filters
560	// - create an empty /etc/ld.so.preload	559	// - create an empty /etc/ld.so.preload
561	//****************************	560	//****************************
562	preproc_build_cp_command();
563
564	#ifdef HAVE_SECCOMP	561	#ifdef HAVE_SECCOMP
565	if (cfg.protocol) {	562	if (cfg.protocol) {
566	if (arg_debug)	563	if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
765	//****************************	762	//****************************
766	// fs post-processing	763	// fs post-processing
767	//****************************	764	//****************************
768	preproc_delete_cp_command();
769	fs_logger_print();	765	fs_logger_print();
770	fs_logger_change_owner();	766	fs_logger_change_owner();
771		767


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4a2221e98..30c63d734 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -92,11 +92,9 @@ int seccomp_load(const char *fname) {
92	return 0;	92	return 0;
93	}	93	}
94		94
95
96
97
98	// i386 filter installed on amd64 architectures	95	// i386 filter installed on amd64 architectures
99	void seccomp_filter_32(void) {	96	void seccomp_filter_32(void) {
		97	#if 0
100	if (arg_debug)	98	if (arg_debug)
101	printf("Build secondary 32-bit filter\n");	99	printf("Build secondary 32-bit filter\n");
102		100
@@ -105,7 +103,7 @@ void seccomp_filter_32(void) {
105	PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);	103	PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
106	if (rv)	104	if (rv)
107	exit(rv);	105	exit(rv);
108		106	#endif
109	if (seccomp_load(RUN_SECCOMP_I386) == 0) {	107	if (seccomp_load(RUN_SECCOMP_I386) == 0) {
110	if (arg_debug)	108	if (arg_debug)
111	printf("Dual i386/amd64 seccomp filter configured\n");	109	printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,6 +112,7 @@ void seccomp_filter_32(void) {
114		112
115	// amd64 filter installed on i386 architectures	113	// amd64 filter installed on i386 architectures
116	void seccomp_filter_64(void) {	114	void seccomp_filter_64(void) {
		115	#if 0
117	if (arg_debug)	116	if (arg_debug)
118	printf("Build secondary 64-bit filter\n");	117	printf("Build secondary 64-bit filter\n");
119		118
@@ -122,6 +121,7 @@ void seccomp_filter_64(void) {
122	PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);	121	PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
123	if (rv)	122	if (rv)
124	exit(rv);	123	exit(rv);
		124	#endif
125		125
126	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {	126	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
127	if (arg_debug)	127	if (arg_debug)
@@ -129,7 +129,6 @@ void seccomp_filter_64(void) {
129	}	129	}
130	}	130	}
131		131
132
133	// drop filter for seccomp option	132	// drop filter for seccomp option
134	int seccomp_filter_drop(int enforce_seccomp) {	133	int seccomp_filter_drop(int enforce_seccomp) {
135	// default seccomp	134	// default seccomp
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
140	#if defined(__i386__)	139	#if defined(__i386__)
141	seccomp_filter_64();	140	seccomp_filter_64();
142	#endif	141	#endif
		142
		143	#if 0
143	if (arg_debug)	144	if (arg_debug)
144	printf("Build default seccomp filter\n");	145	printf("Build default seccomp filter\n");
145	// build the seccomp filter as a regular user	146	// build the seccomp filter as a regular user
@@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) {
152	PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);	153	PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
153	if (rv)	154	if (rv)
154	exit(rv);	155	exit(rv);
		156	#endif
155	}	157	}
156
157	// default seccomp filter with additional drop list	158	// default seccomp filter with additional drop list
158	else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {	159	else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
159	#if defined(__x86_64__)	160	#if defined(__x86_64__)


diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 2f85a786b..471e0b193 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
38	}	38	}
39		39
40	int main(int argc, char **argv) {	40	int main(int argc, char **argv) {
41	#if 0	41	//#if 0
42	{	42	{
43	//system("cat /proc/self/status");	43	//system("cat /proc/self/status");
44	int i;	44	int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
46	printf("%s ", argv[i]);	46	printf("%s ", argv[i]);
47	printf("\n");	47	printf("\n");
48	}	48	}
49	#endif	49	//#endif
50	if (argc < 2) {	50	if (argc < 2) {
51	usage();	51	usage();
52	return 1;	52	return 1;