seccomp: allow defining separate filters for 32-bit arch

System calls (names and numbers) are not exactly the same for 32 bit and 64 bit architectures. Let's allow defining separate filters for 32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This is useful for mixed 64/32 bit application environments like Steam and Wine. Implement protocol and mdwx filtering also for 32 bit arch. It's still better to block secondary archs completely if not needed. Lists of supported system calls are also updated. Warn if preload libraries would be needed due to trace, tracelog or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic linker does not understand the 64 bit preload libraries. Closes #3267. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
author: Topi Miettinen <toiwoton@gmail.com> 2020-03-14 00:07:06 +0200
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2020-03-28 11:24:25 +0000
commit: 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree: 6b4d2a805a2900755bfc857586a10948b3c8395e /src/firejail/preproc.c
parent: Added compatibility with BetterDiscord (#3300) (diff)
download: firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz
firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst
firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip
1 files changed, 9 insertions, 3 deletions
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 278099e55..7f23a9f6f 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -98,13 +98,16 @@ void preproc_mount_mnt_dir(void) {
                        //copy default seccomp files
                        copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
                }
-                if (arg_allow_debuggers)
+                if (arg_allow_debuggers) {
                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
-                else
+                        copy_file(PATH_SECCOMP_DEBUG_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+                } else
                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
-                if (arg_memory_deny_write_execute)
+                if (arg_memory_deny_write_execute) {
                        copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
+                }
                // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
@@ -112,6 +115,9 @@ void preproc_mount_mnt_dir(void) {
                create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
                        errExit("set_perms");
+                create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
+                if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
+                        errExit("set_perms");
 #endif
        }
 }
author	Topi Miettinen <toiwoton@gmail.com>	2020-03-14 00:07:06 +0200
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2020-03-28 11:24:25 +0000
commit	88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch)
tree	6b4d2a805a2900755bfc857586a10948b3c8395e /src/firejail/preproc.c
parent	Added compatibility with BetterDiscord (#3300) (diff)
download	firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip