diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2020-03-14 00:07:06 +0200 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-03-28 11:24:25 +0000 |
| commit | 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 (patch) | |
| tree | 6b4d2a805a2900755bfc857586a10948b3c8395e /src/firejail/sandbox.c | |
| parent | Added compatibility with BetterDiscord (#3300) (diff) | |
| download | firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.gz firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.tar.zst firejail-88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3.zip | |
seccomp: allow defining separate filters for 32-bit arch
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.
Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.
Lists of supported system calls are also updated.
Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.
Closes #3267.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d1879fd98..93fe5425a 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -793,8 +793,6 @@ int sandbox(void* sandbox_arg) { | |||
| 793 | if (rv) | 793 | if (rv) |
| 794 | exit(rv); | 794 | exit(rv); |
| 795 | } | 795 | } |
| 796 | if (arg_seccomp && (cfg.seccomp_list || cfg.seccomp_list_drop || cfg.seccomp_list_keep)) | ||
| 797 | arg_seccomp_postexec = 1; | ||
| 798 | #endif | 796 | #endif |
| 799 | 797 | ||
| 800 | // need ld.so.preload if tracing or seccomp with any non-default lists | 798 | // need ld.so.preload if tracing or seccomp with any non-default lists |
| @@ -1113,9 +1111,15 @@ int sandbox(void* sandbox_arg) { | |||
| 1113 | // if a keep list is available, disregard the drop list | 1111 | // if a keep list is available, disregard the drop list |
| 1114 | if (arg_seccomp == 1) { | 1112 | if (arg_seccomp == 1) { |
| 1115 | if (cfg.seccomp_list_keep) | 1113 | if (cfg.seccomp_list_keep) |
| 1116 | seccomp_filter_keep(); | 1114 | seccomp_filter_keep(true); |
| 1117 | else | 1115 | else |
| 1118 | seccomp_filter_drop(); | 1116 | seccomp_filter_drop(true); |
| 1117 | } | ||
| 1118 | if (arg_seccomp32 == 1) { | ||
| 1119 | if (cfg.seccomp_list_keep32) | ||
| 1120 | seccomp_filter_keep(false); | ||
| 1121 | else | ||
| 1122 | seccomp_filter_drop(false); | ||
| 1119 | 1123 | ||
| 1120 | } | 1124 | } |
| 1121 | else { // clean seccomp files under /run/firejail/mnt | 1125 | else { // clean seccomp files under /run/firejail/mnt |
| @@ -1128,9 +1132,11 @@ int sandbox(void* sandbox_arg) { | |||
| 1128 | if (arg_debug) | 1132 | if (arg_debug) |
| 1129 | printf("Install memory write&execute filter\n"); | 1133 | printf("Install memory write&execute filter\n"); |
| 1130 | seccomp_load(RUN_SECCOMP_MDWX); // install filter | 1134 | seccomp_load(RUN_SECCOMP_MDWX); // install filter |
| 1135 | seccomp_load(RUN_SECCOMP_MDWX_32); | ||
| 1131 | } | 1136 | } |
| 1132 | else { | 1137 | else { |
| 1133 | int rv = unlink(RUN_SECCOMP_MDWX); | 1138 | int rv = unlink(RUN_SECCOMP_MDWX); |
| 1139 | rv |= unlink(RUN_SECCOMP_MDWX_32); | ||
| 1134 | (void) rv; | 1140 | (void) rv; |
| 1135 | } | 1141 | } |
| 1136 | // make seccomp filters read-only | 1142 | // make seccomp filters read-only |