authorLibravatar netblue30 <netblue30@yahoo.com>2019-04-09 16:28:40 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2019-04-09 16:28:40 -0400
commit9a27ac2137f38b775eca8995a4ab800c2e956447 (patch)
treef2fe56c1e9182367020c4bca9a7a73130492e486 /src/libpostexecseccomp
parentseccomp testing (diff)
seccomp fixes
Diffstat (limited to 'src/libpostexecseccomp')
-rw-r--r--src/libpostexecseccomp/Makefile.in3
-rw-r--r--src/libpostexecseccomp/libpostexecseccomp.c12
2 files changed, 9 insertions, 6 deletions
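--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 
 all: libpostexecseccomp.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
  $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libpostexecseccomp.so: $(OBJS)
  $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
 clean:; rm -f $(OBJS) libpostexecseccomp.so
 
 distclean: clean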
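--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -17,19 +17,22 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "libpostexecseccomp.h"
 #include "../include/seccomp.h"
+#include "../include/rundefs.h"
 #include <fcntl.h>
 #include <linux/filter.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <unistd.h>
+#include <stdio.h>
 
 __attribute__((constructor))
 static void load_seccomp(void) {
  int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
- if (fd == -1)
+ if (fd == -1) {
+ fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC);
  return;
+ }
 
  off_t size = lseek(fd, 0, SEEK_END);
  if (size <= 0) {
@@ -40,11 +43,12 @@ static void load_seccomp(void) {
  struct sock_filter *filter = MAP_FAILED;
  if (size != 0)
  filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-
  close(fd);
 
- if (filter == MAP_FAILED)
+ if (filter == MAP_FAILED) {
+ fprintf(stderr, "Error: cannot map seccomp postexec filter data\n");
  return;
+ }
 
  // install filter
  struct sock_fprog prog = {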
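Review bot: Both new error branches in load_seccomp (the open() failure at new line 32 and the MAP_FAILED check at new line 48) still end in `return;` after printing, so the preloaded program keeps running with no post-exec seccomp filter installed. If the filter is meant to be mandatory whenever this library is loaded, which the hunks alone do not show, these branches should fail closed, e.g. `_exit(1);` in place of `return;` (`<unistd.h>` is already included). The open() message would also be easier to triage with the cause appended, e.g. `strerror(errno)`, which needs `<errno.h>` and `<string.h>`. The body of load_seccomp continues between and after the two hunks, so the `size <= 0` branch and the code that installs the filter are not visible here.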