diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000 |
| commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) | |
| tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/firejail/profile.c | |
| parent | Added compatibility with BetterDiscord (#3300) (diff) | |
| download | firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip | |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/firejail/profile.c')
| -rw-r--r-- | src/firejail/profile.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c7269857d..2200fec01 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -788,6 +788,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 788 | 788 | ||
| 789 | return 0; | 789 | return 0; |
| 790 | } | 790 | } |
| 791 | if (strncmp(ptr, "seccomp.32 ", 11) == 0) { | ||
| 792 | #ifdef HAVE_SECCOMP | ||
| 793 | if (checkcfg(CFG_SECCOMP)) { | ||
| 794 | arg_seccomp32 = 1; | ||
| 795 | cfg.seccomp_list32 = seccomp_check_list(ptr + 11); | ||
| 796 | } | ||
| 797 | else if (!arg_quiet) | ||
| 798 | warning_feature_disabled("seccomp"); | ||
| 799 | #endif | ||
| 800 | |||
| 801 | return 0; | ||
| 802 | } | ||
| 791 | 803 | ||
| 792 | if (strcmp(ptr, "seccomp.block-secondary") == 0) { | 804 | if (strcmp(ptr, "seccomp.block-secondary") == 0) { |
| 793 | #ifdef HAVE_SECCOMP | 805 | #ifdef HAVE_SECCOMP |
| @@ -811,6 +823,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 811 | #endif | 823 | #endif |
| 812 | return 0; | 824 | return 0; |
| 813 | } | 825 | } |
| 826 | if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { | ||
| 827 | #ifdef HAVE_SECCOMP | ||
| 828 | if (checkcfg(CFG_SECCOMP)) { | ||
| 829 | arg_seccomp32 = 1; | ||
| 830 | cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); | ||
| 831 | } | ||
| 832 | else | ||
| 833 | warning_feature_disabled("seccomp"); | ||
| 834 | #endif | ||
| 835 | return 0; | ||
| 836 | } | ||
| 814 | 837 | ||
| 815 | // seccomp keep list | 838 | // seccomp keep list |
| 816 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { | 839 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { |
| @@ -824,6 +847,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 824 | #endif | 847 | #endif |
| 825 | return 0; | 848 | return 0; |
| 826 | } | 849 | } |
| 850 | if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { | ||
| 851 | #ifdef HAVE_SECCOMP | ||
| 852 | if (checkcfg(CFG_SECCOMP)) { | ||
| 853 | arg_seccomp32 = 1; | ||
| 854 | cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); | ||
| 855 | } | ||
| 856 | else | ||
| 857 | warning_feature_disabled("seccomp"); | ||
| 858 | #endif | ||
| 859 | return 0; | ||
| 860 | } | ||
| 827 | 861 | ||
| 828 | // memory deny write&execute | 862 | // memory deny write&execute |
| 829 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { | 863 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |