author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000 |
commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) | |
tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/firejail/preproc.c | |
parent | Added compatibility with BetterDiscord (#3300) (diff) | |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/firejail/preproc.c')
-rw-r--r-- | src/firejail/preproc.c | 12 |
1 files changed, 9 insertions, 3 deletions
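--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -98,13 +98,16 @@ void preproc_mount_mnt_dir(void) {
 //copy default seccomp files
 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
 }
-if (arg_allow_debuggers)
+if (arg_allow_debuggers) {
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
-else
+copy_file(PATH_SECCOMP_DEBUG_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+} else
 copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
 
-if (arg_memory_deny_write_execute)
+if (arg_memory_deny_write_execute) {
 copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
+}
 // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
@@ -112,6 +115,9 @@ void preproc_mount_mnt_dir(void) {
 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
 errExit("set_perms");
+create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
+if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
+errExit("set_perms");
 #endif
 }
 }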
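Review bot: The added copy of `PATH_SECCOMP_DEBUG_32` to `RUN_SECCOMP_32` in the `arg_allow_debuggers` branch is not under the same guard as the existing copy of `PATH_SECCOMP_32` to `RUN_SECCOMP_32`, which sits inside a block whose condition lies above the first hunk. If that condition is meant to skip the 32-bit filter (for instance when the secondary architecture is blocked outright, as the commit message recommends), the debugger branch now installs one anyway. When both statements run, the same destination is written twice and the resulting filter depends on how `copy_file` treats an existing file, which is not visible here. Selecting the source once inside the guarded block would remove the ambiguity, e.g. `copy_file(arg_allow_debuggers ? PATH_SECCOMP_DEBUG_32 : PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644);`. The same guard question applies to the `PATH_SECCOMP_MDWX_32` copy and to `RUN_SECCOMP_POSTEXEC_32` in the second hunk; `preproc_mount_mnt_dir` starts outside both hunks.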