author | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:22:38 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2017-08-19 23:33:11 +0300 |
commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/fseccomp/main.c | |
parent | Merge update after #1483 (diff) | |
Feature: switch/config option to block secondary architectures
Add a new (opt-in) command line switch and config file option to block
secondary architectures entirely. Also block changing the Linux execution
domain via the personality() system call on the primary architecture.
Closes #1479
Diffstat (limited to 'src/fseccomp/main.c')
-rw-r--r-- | src/fseccomp/main.c | 3 |
1 files changed, 3 insertions, 0 deletions
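--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -28,6 +28,7 @@ static void usage(void) {
 	printf("\tfseccomp protocol build list file\n");
 	printf("\tfseccomp secondary 64 file\n");
 	printf("\tfseccomp secondary 32 file\n");
+	printf("\tfseccomp secondary block file\n");
 	printf("\tfseccomp default file\n");
 	printf("\tfseccomp default file allow-debuggers\n");
 	printf("\tfseccomp drop file1 file2 list\n");
@@ -74,6 +75,8 @@ printf("\n");
 		seccomp_secondary_64(argv[3]);
 	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
 		seccomp_secondary_32(argv[3]);
+	else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
+		seccomp_secondary_block(argv[3]);
 	else if (argc == 3 && strcmp(argv[1], "default") == 0)
 		seccomp_default(argv[2], 0);
 	else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)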
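Review bot: The new `secondary block` branch in main() is undocumented in this file: unlike `64`/`32`, where the name says which architecture's filter is written, nothing at the dispatch site or in the usage line says that `block` produces a filter denying the secondary architecture altogether, which is only stated in the commit message. A one-line comment above the new branch would help the next maintainer, e.g. `// "block": emit a filter that rejects every syscall from the secondary architecture (opt-in, see #1479)`, with the usage string left as is to match the other entries. The description also says personality() is blocked on the primary architecture; that presumably happens inside seccomp_secondary_block() or the default filter, neither of which is in this file, so it cannot be confirmed here. main() begins before and continues after this hunk, so what an unmatched argument set falls through to is not visible.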