author | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-09-02 14:05:31 +0300 |
commit | cb5d361a7b52844bb18346f1829b69b4b7084439 (patch) | |
tree | a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/firejail | |
parent | Workaround for build problems, but correct problem this time (diff) | |
Improve seccomp support for non-x86 architectures
Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/preproc.c | 4 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 24 |
3 files changed, 18 insertions, 18 deletions
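--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -54,15 +54,15 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
-#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 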
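--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
 copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 else {
 //copy default seccomp files
-copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
-copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 }
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed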
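--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
 exit(1);
 }
 
-// i386 filter installed on amd64 architectures
-#if defined(__x86_64__)
+// 32 bit arch filter installed on 64 bit architectures
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
-if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+if (seccomp_load(RUN_SECCOMP_32) == 0) {
 if (arg_debug)
-printf("Dual i386/amd64 seccomp filter configured\n");
+printf("Dual 32/64 bit seccomp filter configured\n");
 }
 }
 #endif
 
-// amd64 filter installed on i386 architectures
-#if defined(__i386__)
+// 64 bit arch filter installed on 32 bit architectures
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
-if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+if (seccomp_load(RUN_SECCOMP_64) == 0) {
 if (arg_debug)
-printf("Dual i386/amd64 seccomp filter configured\n");
+printf("Dual 32/64 bit seccomp filter configured\n");
 }
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
 seccomp_filter_64();
 #endif
 }
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
 seccomp_filter_64();
 #endif
 }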
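Review bot: The `#if defined(__ILP32__)` guards (around `seccomp_filter_64` and at both call sites in `seccomp_filter_drop`) have no fallback, so on a target where the compiler defines neither `__LP64__` nor `__ILP32__` the `else` branch compiles to nothing and no secondary-architecture filter is installed, without any diagnostic. GCC documents `__LP64__` among its common predefined macros but not `__ILP32__`, which appears to be target- and compiler-specific, so this should be confirmed for every 32-bit target the project is built for. A build-time guard next to the helpers would make the gap visible: `#if !defined(__LP64__) && !defined(__ILP32__)` / `#error "no secondary-arch seccomp filter for this data model"` / `#endif`. Separately, a non-zero return from `seccomp_load` in `seccomp_filter_32` and `seccomp_filter_64` is dropped silently; whether `seccomp_load` reports or aborts on failure itself is not visible in these hunks. The body of `seccomp_filter_drop` starts and ends outside the two hunks that touch it.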