seccomp: allow defining separate filters for 32-bit arch

System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
author: Topi Miettinen <toiwoton@gmail.com> 2020-03-14 00:07:06 +0200
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2020-03-28 11:24:25 +0000
commit: 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree: 6b4d2a805a2900755bfc857586a10948b3c8395e /Makefile.in
parent: Added compatibility with BetterDiscord (#3300) (diff)
download: firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz
firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst
firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/Makefile.in b/Makefile.in
index f7c94aa09..afe8c9972 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -3,7 +3,7 @@ MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \
 src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -48,6 +48,7 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
        src/fsec-optimize/fsec-optimize seccomp.32
        src/fseccomp/fseccomp secondary block seccomp.block_secondary
        src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
+        src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 endif
 clean:
@@ -109,6 +110,7 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
        install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
        install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0644 seccomp.mdwx.32 $(DESTDIR)/$(libdir)/firejail/.
 endif
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
author	Topi Miettinen <toiwoton@gmail.com>	2020-03-14 00:07:06 +0200
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2020-03-28 11:24:25 +0000
commit	88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree	6b4d2a805a2900755bfc857586a10948b3c8395e /Makefile.in
parent	Added compatibility with BetterDiscord (#3300) (diff)
download	firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip