enforce seccomp

author: netblue30 <netblue30@yahoo.com> 2017-08-23 13:12:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-23 13:12:28 -0400
commit: e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b (patch)
tree: 26ba14b04e541ecac7eca22c003c827c727a6086
parent: fix seccomp.keep for #1490 (diff)
download: firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.tar.gz
firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.tar.zst
firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.zip
3 files changed, 20 insertions, 26 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 71c5ae87c..435b9527d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -541,7 +541,7 @@ void fs_private_home_list(void);
 char *seccomp_check_list(const char *str);
 int seccomp_install_filters(void);
 int seccomp_load(const char *fname);
-int seccomp_filter_drop(int enforce_seccomp);
+int seccomp_filter_drop(void);
 int seccomp_filter_keep(void);
 void seccomp_print_filter(pid_t pid);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 853555581..3718004a5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -45,6 +45,12 @@
 #endif
 #include <syscall.h>
+#ifdef HAVE_SECCOMP
+int enforce_seccomp = 0;
+#endif
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
        if (!arg_quiet) {
@@ -459,6 +465,7 @@ static void enforce_filters(void) {
        // force default seccomp inside the chroot, no keep or drop list
        // the list build on top of the default drop list is kept intact
        arg_seccomp = 1;
+        enforce_seccomp = 1;
        if (cfg.seccomp_list_drop) {
                free(cfg.seccomp_list_drop);
                cfg.seccomp_list_drop = NULL;
@@ -681,27 +688,16 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // configure filesystem
        //****************************
-#ifdef HAVE_SECCOMP
+        if (arg_appimage)
-        int enforce_seccomp = 0;
-#endif
-        if (arg_appimage) {
                enforce_filters();
-#ifdef HAVE_SECCOMP
-                enforce_seccomp = 1;
-#endif
-        }
 #ifdef HAVE_CHROOT
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
                // force caps and seccomp if not started as root
-                if (getuid() != 0) {
+                if (getuid() != 0)
                        enforce_filters();
-#ifdef HAVE_SECCOMP
-                        enforce_seccomp = 1;
-#endif
-                }
                else
                        arg_seccomp = 1;
@@ -717,12 +713,8 @@ int sandbox(void* sandbox_arg) {
        if (arg_overlay)        {
                fs_overlayfs();
                // force caps and seccomp if not started as root
-                if (getuid() != 0) {
+                if (getuid() != 0)
                        enforce_filters();
-#ifdef HAVE_SECCOMP
-                        enforce_seccomp = 1;
-#endif
-                }
                else
                        arg_seccomp = 1;
        }
@@ -1004,7 +996,7 @@ int sandbox(void* sandbox_arg) {
                if (cfg.seccomp_list_keep)
                        seccomp_filter_keep();
                else
-                        seccomp_filter_drop(enforce_seccomp);
+                        seccomp_filter_drop();
        }
        if (arg_debug) {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index bd57cff42..7b45e2574 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -30,8 +30,8 @@ typedef struct filter_list {
 } FilterList;
 static FilterList *filter_list_head = NULL;
 static int err_printed = 0;
+extern int enforce_seccomp;
 char *seccomp_check_list(const char *str) {
        assert(str);
@@ -73,6 +73,12 @@ int seccomp_install_filters(void) {
                                printf("Installing %s seccomp filter\n", fl->fname);
                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+                                if (enforce_seccomp) {
+                                        fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+                                        exit(1);
+                                }
                                if (!err_printed)
                                        fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
                                err_printed = 1;
@@ -159,7 +165,7 @@ static void seccomp_filter_block_secondary(void) {
 }
 // drop filter for seccomp option
-int seccomp_filter_drop(int enforce_seccomp) {
+int seccomp_filter_drop(void) {
        // if we have multiple seccomp commands, only one of them is executed
        // in the following order:
        //      - seccomp.drop list
@@ -233,10 +239,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
                if (arg_debug)
                        printf("seccomp filter configured\n");
        }
-        else if (enforce_seccomp) {
-                fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
-                exit(1);
-        }
        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
                struct stat st;
author	netblue30 <netblue30@yahoo.com>	2017-08-23 13:12:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-23 13:12:28 -0400
commit	e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b (patch)
tree	26ba14b04e541ecac7eca22c003c827c727a6086
parent	fix seccomp.keep for #1490 (diff)
download	firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.tar.gz firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.tar.zst firejail-e81ad9569c7e2b9a3d9d9a9500ecef812a94e90b.zip