authorLibravatar Topi Miettinen <toiwoton@gmail.com>2021-01-31 00:15:31 +0200
committerLibravatar Topi Miettinen <topimiettinen@users.noreply.github.com>2021-02-01 20:09:21 +0000
commit0040969e439dbddb76bc190900b453b71e895068 (patch)
tree3d9606b116e47f8702d86fde5194d8c8d22fdde5 /src/fsec-optimize/optimizer.c
parentAdd profile for avidemux (#3935) (diff)
Seccomp error action fixes
fsec-optimize: Optimize BPF with current seccomp error action, not just KILL fseccomp: use correct BPF code for errno action firejail: honor seccomp error action for X32 and secondary filters, rebuild filters if the error action is changed Closes: #3933 Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/fsec-optimize/optimizer.c')
-rw-r--r--src/fsec-optimize/optimizer.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index 776beaa75..eb777f13b 100644
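--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -33,7 +33,7 @@
 static inline int is_blacklist(struct sock_filter *bpf) {
  if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
  (bpf + 1)->code == BPF_RET + BPF_K &&
- (bpf + 1)->k == SECCOMP_RET_KILL )
+ (bpf + 1)->k == (__u32)arg_seccomp_error_action)
  return 1;
  return 0;
 }
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) {
  }
  }
 
- // step 3: add the new ret KILL, and recalculate entries
+ // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
  filter_step2[j].code = BPF_RET + BPF_K;
- filter_step2[j].k = SECCOMP_RET_KILL;
+ filter_step2[j].k = arg_seccomp_error_action;
  entries = j + 1;
 
  // step 4: recalculate jumps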
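Review bot: Step 3 of optimize_blacklists assigns `filter_step2[j].k = arg_seccomp_error_action;` with an implicit conversion, while is_blacklist compares against `(__u32)arg_seccomp_error_action`; writing `filter_step2[j].k = (__u32)arg_seccomp_error_action;` would make it clear that the merged return carries exactly the value the matcher recognised. The declaration, parsing and validation of arg_seccomp_error_action are not visible in this section, so it is worth confirming that it can only hold one of the intended actions (KILL, LOG or ERRNO with an errno value) by the time the optimizer runs. Any other value would make is_blacklist classify a `jeq` followed by that return as a blacklist entry, and step 3 would then emit it as the collapsed return. A one-line comment above is_blacklist, e.g. `// matches "jeq <nr>; ret <current seccomp error action>" -- must stay in sync with step 3 of optimize_blacklists`, would document that coupling. The body of optimize_blacklists starts and ends outside the second hunk.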