dual i386/amd64 seccomp support for --seccomp option

author: netblue30 <netblue30@yahoo.com> 2015-10-28 22:02:45 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-28 22:02:45 -0400
commit: b12c846f58e7c78b81b4923aa4191536fe6ad2b8 (patch)
tree: c518c8e807bb7723cdce3815ecbacc6a826a38c1 /src/firejail/protocol.c
parent: enable --protocol by default in profiles (diff)
download: firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.tar.gz
firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.tar.zst
firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index ba784fc2e..e71daaad8 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,6 +18,33 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+/*
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                ONLY(SYS_socket),
+                EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
+                WHITELIST(AF_INET),
+                WHITELIST(AF_INET6),
+                WHITELIST(AF_PACKET),
+                RETURN_ERRNO(ENOTSUP)
+        };
+        struct sock_fprog prog = {
+                .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                .filter = filter,
+        };
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                perror("prctl(NO_NEW_PRIVS)");
+                return 1;
+        }
+        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                perror("prctl");
+                return 1;
+        }
+*/
 #ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "seccomp.h"
author	netblue30 <netblue30@yahoo.com>	2015-10-28 22:02:45 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-28 22:02:45 -0400
commit	b12c846f58e7c78b81b4923aa4191536fe6ad2b8 (patch)
tree	c518c8e807bb7723cdce3815ecbacc6a826a38c1 /src/firejail/protocol.c
parent	enable --protocol by default in profiles (diff)
download	firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.tar.gz firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.tar.zst firejail-b12c846f58e7c78b81b4923aa4191536fe6ad2b8.zip

diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index ba784fc2e..e71daaad8 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c
@@ -18,6 +18,33 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20		20
		21	/*
		22	struct sock_filter filter[] = {
		23	VALIDATE_ARCHITECTURE,
		24	EXAMINE_SYSCALL,
		25	ONLY(SYS_socket),
		26	EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else
		27	WHITELIST(AF_INET),
		28	WHITELIST(AF_INET6),
		29	WHITELIST(AF_PACKET),
		30	RETURN_ERRNO(ENOTSUP)
		31	};
		32	struct sock_fprog prog = {
		33	.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		34	.filter = filter,
		35	};
		36
		37
		38	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		39	perror("prctl(NO_NEW_PRIVS)");
		40	return 1;
		41	}
		42	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		43	perror("prctl");
		44	return 1;
		45	}
		46	*/
		47
21	#ifdef HAVE_SECCOMP	48	#ifdef HAVE_SECCOMP
22	#include "firejail.h"	49	#include "firejail.h"
23	#include "seccomp.h"	50	#include "seccomp.h"