Improve seccomp support for non-x86 architectures

author: Topi Miettinen <toiwoton@gmail.com> 2017-09-02 14:05:31 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-09-02 14:05:31 +0300
commit: cb5d361a7b52844bb18346f1829b69b4b7084439 (patch)
tree: a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/firejail
parent: Workaround for build problems, but correct problem this time (diff)
download: firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.gz
firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.zst
firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.zip
3 files changed, 18 insertions, 18 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 435b9527d..60a43a600 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -54,15 +54,15 @@
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
-#define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
+#define RUN_SECCOMP_64  "/run/firejail/mnt/seccomp.64"          // 64bit arch filter installed on 32bit architectures
-#define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")           // amd64 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64")                 // 64bit arch filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")                     // i386 filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index bf1ef0469..0b447e03b 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
                        copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
                else {
                        //copy default seccomp files
-                        copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
-                        copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
                }
                if (arg_allow_debuggers)
                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7b45e2574..e75863c3a 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
        exit(1);
 }
-// i386 filter installed on amd64 architectures
+// 32 bit arch filter installed on 64 bit architectures
-#if defined(__x86_64__)
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
-        if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+        if (seccomp_load(RUN_SECCOMP_32) == 0) {
                if (arg_debug)
-                        printf("Dual i386/amd64 seccomp filter configured\n");
+                        printf("Dual 32/64 bit seccomp filter configured\n");
        }
 }
 #endif
-// amd64 filter installed on i386 architectures
+// 64 bit arch filter installed on 32 bit architectures
-#if defined(__i386__)
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
-        if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+        if (seccomp_load(RUN_SECCOMP_64) == 0) {
                if (arg_debug)
-                        printf("Dual i386/amd64 seccomp filter configured\n");
+                        printf("Dual 32/64 bit seccomp filter configured\n");
        }
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
                        if (arg_seccomp_block_secondary)
                                seccomp_filter_block_secondary();
                        else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
                                seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
                                seccomp_filter_64();
 #endif
                        }
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
                        if (arg_seccomp_block_secondary)
                                seccomp_filter_block_secondary();
                        else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
                                seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
                                seccomp_filter_64();
 #endif
                        }
author	Topi Miettinen <toiwoton@gmail.com>	2017-09-02 14:05:31 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-09-02 14:05:31 +0300
commit	cb5d361a7b52844bb18346f1829b69b4b7084439 (patch)
tree	a5c75843eca9db0ee432dde47454f2ec06224fb8 /src/firejail
parent	Workaround for build problems, but correct problem this time (diff)
download	firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.gz firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.tar.zst firejail-cb5d361a7b52844bb18346f1829b69b4b7084439.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435b9527d..60a43a600 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -54,15 +54,15 @@
54		54
55	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter	55	#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
56	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter	56	#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
57	#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures	57	#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
58	#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures	58	#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
59	#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute	59	#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
60	#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter	60	#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
61	#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library	61	#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
62	#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make	62	#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
63	#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make	63	#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
64	#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make	64	#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
65	#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make	65	#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
66	#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make	66	#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
67	#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make	67	#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
68		68


diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index bf1ef0469..0b447e03b 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -79,8 +79,8 @@ void preproc_mount_mnt_dir(void) {
79	copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed	79	copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
80	else {	80	else {
81	//copy default seccomp files	81	//copy default seccomp files
82	copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed	82	copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
83	copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed	83	copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
84	}	84	}
85	if (arg_allow_debuggers)	85	if (arg_allow_debuggers)
86	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed	86	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7b45e2574..e75863c3a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
137	exit(1);	137	exit(1);
138	}	138	}
139		139
140	// i386 filter installed on amd64 architectures	140	// 32 bit arch filter installed on 64 bit architectures
141	#if defined(__x86_64__)	141	#if defined(__LP64__)
142	static void seccomp_filter_32(void) {	142	static void seccomp_filter_32(void) {
143	if (seccomp_load(RUN_SECCOMP_I386) == 0) {	143	if (seccomp_load(RUN_SECCOMP_32) == 0) {
144	if (arg_debug)	144	if (arg_debug)
145	printf("Dual i386/amd64 seccomp filter configured\n");	145	printf("Dual 32/64 bit seccomp filter configured\n");
146	}	146	}
147	}	147	}
148	#endif	148	#endif
149		149
150	// amd64 filter installed on i386 architectures	150	// 64 bit arch filter installed on 32 bit architectures
151	#if defined(__i386__)	151	#if defined(__ILP32__)
152	static void seccomp_filter_64(void) {	152	static void seccomp_filter_64(void) {
153	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {	153	if (seccomp_load(RUN_SECCOMP_64) == 0) {
154	if (arg_debug)	154	if (arg_debug)
155	printf("Dual i386/amd64 seccomp filter configured\n");	155	printf("Dual 32/64 bit seccomp filter configured\n");
156	}	156	}
157	}	157	}
158	#endif	158	#endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
177	if (arg_seccomp_block_secondary)	177	if (arg_seccomp_block_secondary)
178	seccomp_filter_block_secondary();	178	seccomp_filter_block_secondary();
179	else {	179	else {
180	#if defined(__x86_64__)	180	#if defined(__LP64__)
181	seccomp_filter_32();	181	seccomp_filter_32();
182	#endif	182	#endif
183	#if defined(__i386__)	183	#if defined(__ILP32__)
184	seccomp_filter_64();	184	seccomp_filter_64();
185	#endif	185	#endif
186	}	186	}
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
190	if (arg_seccomp_block_secondary)	190	if (arg_seccomp_block_secondary)
191	seccomp_filter_block_secondary();	191	seccomp_filter_block_secondary();
192	else {	192	else {
193	#if defined(__x86_64__)	193	#if defined(__LP64__)
194	seccomp_filter_32();	194	seccomp_filter_32();
195	#endif	195	#endif
196	#if defined(__i386__)	196	#if defined(__ILP32__)
197	seccomp_filter_64();	197	seccomp_filter_64();
198	#endif	198	#endif
199	}	199	}