seccomp: allow defining separate filters for 32-bit arch

System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.

Closes #3267.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

1 files changed, 7 insertions, 3 deletions

diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 1cfeee28d..32f5ff12c 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -62,13 +62,17 @@
 #define RUN_SECCOMP_PROTOCOL            RUN_SECCOMP_DIR "/seccomp.protocol"             // protocol filter
 #define RUN_SECCOMP_CFG                 RUN_SECCOMP_DIR "/seccomp"                      // configured filter
 #define RUN_SECCOMP_32                  RUN_SECCOMP_DIR "/seccomp.32"                   // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX                RUN_SECCOMP_DIR "/seccomp.mdwx"         // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX                RUN_SECCOMP_DIR "/seccomp.mdwx"                 // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX_32             RUN_SECCOMP_DIR "/seccomp.mdwx.32"
 #define RUN_SECCOMP_BLOCK_SECONDARY     RUN_SECCOMP_DIR "/seccomp.block_secondary"      // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC            RUN_SECCOMP_DIR "/seccomp.postexec"             // filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC_32         RUN_SECCOMP_DIR "/seccomp.postexec32"           // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT            LIBDIR "/firejail/seccomp"                      // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG      LIBDIR "/firejail/seccomp.debug"                // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG      LIBDIR "/firejail/seccomp.debug"                // debug filter built during make
 #define PATH_SECCOMP_32                 LIBDIR "/firejail/seccomp.32"                   // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"         // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
+#define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make