optimize seccomp.drop and seccomp= filters

2 files changed, 11 insertions, 0 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d6c39260b..4fd11ab4f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -778,6 +778,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 0184db65c..1ee6256d4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -210,6 +210,11 @@ int seccomp_filter_drop(void) {
                                               PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
                         if (rv)
                                 exit(rv);
+
+                        // optimize the new filter
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                        if (rv)
+                                exit(rv);
                 }
         }
 
@@ -232,6 +237,11 @@ int seccomp_filter_drop(void) {
 
                 if (rv)
                         exit(rv);
+
+                // optimize the drop filter
+                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                if (rv)
+                        exit(rv);
         }
 
         // load the filter