fix seccomp.keep for #1490

author: netblue30 <netblue30@yahoo.com> 2017-08-23 11:41:31 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-23 11:41:31 -0400
commit: 5129e321ca42172bf8e6b85c5679adb8da163492 (patch)
tree: 878f7c83adc899e04b697bcb8210a87fd3b12b2a /src
parent: deb, rpm (diff)
download: firejail-5129e321ca42172bf8e6b85c5679adb8da163492.tar.gz
firejail-5129e321ca42172bf8e6b85c5679adb8da163492.tar.zst
firejail-5129e321ca42172bf8e6b85c5679adb8da163492.zip
4 files changed, 44 insertions, 6 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 150c23de7..853555581 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1006,6 +1006,14 @@ int sandbox(void* sandbox_arg) {
                else
                        seccomp_filter_drop(enforce_seccomp);
        }
+        if (arg_debug) {
+                printf("\nSeccomp files:\n");
+                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                (void) rv;
+                printf("\n");
+        }
        if (arg_memory_deny_write_execute) {
                if (arg_debug)
                        printf("Install memory write&execute filter\n");
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 8f96f8fca..1d6cc2353 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -222,5 +222,12 @@ int sbox_run(unsigned filter, int num, ...) {
                exit(1);
        }
+#if 0
+printf("** sbox run out *********************************\n");
+system("ls -l /run/firejail/mnt\n");
+system("ls -l /proc/self/fd");
+printf("** sbox run out *********************************\n");
+#endif
        return status;
 }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 52b4679ae..bd57cff42 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -258,23 +258,36 @@ int seccomp_filter_keep(void) {
                seccomp_filter_block_secondary();
        if (arg_debug)
-                printf("Build drop seccomp filter\n");
+                printf("Build keep seccomp filter\n");
        // build the seccomp filter as a regular user
-        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
                 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+        if (rv) {
+                fprintf(stderr, "Error: cannot configure seccomp filter\n");
+                exit(rv);
+        }
        if (arg_debug)
                printf("seccomp filter configured\n");
+        // load the filter
+        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+                if (arg_debug)
+                        printf("seccomp filter configured\n");
+        }
        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
-                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
                struct stat st;
-                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0)
+                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-                    sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+                        printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                                  PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+                }
        }
-        return seccomp_load(RUN_SECCOMP_CFG);
+        return 0;
 }
 void seccomp_print_filter(pid_t pid) {
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 0112d8aec..7ae74c340 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -188,6 +188,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        // close file
        close(fd);
+#if 0
+// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
+// after running this code. We don't need the postexec filter in this case anyway.
+printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
+system("ls -l /proc/self/fd");
+printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
        // open file for post-exec filter
        fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (fd < 0) {
@@ -207,6 +213,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        // close file
        close(fd);
+printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+system("ls -l /proc/self/fd");
+printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
+#endif
 }
 void memory_deny_write_execute(const char *fname) {
author	netblue30 <netblue30@yahoo.com>	2017-08-23 11:41:31 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-23 11:41:31 -0400
commit	5129e321ca42172bf8e6b85c5679adb8da163492 (patch)
tree	878f7c83adc899e04b697bcb8210a87fd3b12b2a /src
parent	deb, rpm (diff)
download	firejail-5129e321ca42172bf8e6b85c5679adb8da163492.tar.gz firejail-5129e321ca42172bf8e6b85c5679adb8da163492.tar.zst firejail-5129e321ca42172bf8e6b85c5679adb8da163492.zip