diff options
| author |  netblue30 <netblue30@protonmail.com> | 2023-01-14 12:32:12 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2023-01-14 12:32:12 -0500 |
| commit | 4380baacf6cda826e909df016d2170470cda1e53 (patch) | |
| tree | 2742ca9886c44b802599769f3083a10c2260580f /src/fseccomp | |
| parent | bringing back whitelisting /dev (diff) | |
| download | firejail-4380baacf6cda826e909df016d2170470cda1e53.tar.gz firejail-4380baacf6cda826e909df016d2170470cda1e53.tar.zst firejail-4380baacf6cda826e909df016d2170470cda1e53.zip | |
fix restrict-namespaces for Debian 10 and older
Diffstat (limited to 'src/fseccomp')
| -rw-r--r-- | src/fseccomp/namespaces.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index 3df23dcff..8254b54ef 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c | |||
| @@ -133,7 +133,8 @@ void deny_ns(const char *fname, const char *list) { | |||
| 133 | RETURN_ALLOW | 133 | RETURN_ALLOW |
| 134 | #endif | 134 | #endif |
| 135 | }; | 135 | }; |
| 136 | write_to_file(fd, filter, sizeof(filter)); | 136 | if (sizeof(filter)) |
| 137 | write_to_file(fd, filter, sizeof(filter)); | ||
| 137 | 138 | ||
| 138 | filter_end_blacklist(fd); | 139 | filter_end_blacklist(fd); |
| 139 | 140 | ||
| @@ -188,7 +189,21 @@ void deny_ns_32(const char *fname, const char *list) { | |||
| 188 | RETURN_ALLOW | 189 | RETURN_ALLOW |
| 189 | #endif | 190 | #endif |
| 190 | }; | 191 | }; |
| 191 | write_to_file(fd, filter, sizeof(filter)); | 192 | |
| 193 | // For Debian 10 and older, the size of the filter[] array will be 0. | ||
| 194 | // The following filter will end up being generated: | ||
| 195 | // | ||
| 196 | // FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32 | ||
| 197 | // line OP JT JF K | ||
| 198 | // ================================= | ||
| 199 | // 0000: 20 00 00 00000004 ld data.architecture | ||
| 200 | // 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) | ||
| 201 | // 0002: 06 00 00 7fff0000 ret ALLOW | ||
| 202 | // 0003: 20 00 00 00000000 ld data.syscall-number | ||
| 203 | // 0004: 06 00 00 7fff0000 ret ALLOW | ||
| 204 | // | ||
| 205 | if (sizeof(filter)) | ||
| 206 | write_to_file(fd, filter, sizeof(filter)); | ||
| 192 | 207 | ||
| 193 | filter_end_blacklist(fd); | 208 | filter_end_blacklist(fd); |
| 194 | 209 | ||