cleanup

author: netblue30 <netblue30@yahoo.com> 2017-08-23 06:58:47 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-23 06:58:47 -0400
commit: 79957c9662989782b78bedc540c14a5a424a469e (patch)
tree: 2f8b047eee6f1636d8f591be3fbcc1b986c8eaab /src
parent: seccomp: fix errno (diff)
download: firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.gz
firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.zst
firejail-79957c9662989782b78bedc540c14a5a424a469e.zip
7 files changed, 16 insertions, 55 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 831b76e79..24d027d54 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -441,9 +441,6 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
        arg[2] = cmd;
        arg[3] = NULL;
        clearenv();
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
        execvp(arg[0], arg);
        // it will never get here
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d69f5f051..b99604ec4 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -102,10 +102,6 @@ void check_output(int argc, char **argv) {
        a[1] = "-c";
        a[2] = cmd;
        a[3] = NULL;
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
        execvp(a[0], a);
        perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 30b55d7d0..150c23de7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -269,19 +269,6 @@ static int monitor_application(pid_t app_pid) {
        return status;
 }
-void start_audit(void) {
-        char *audit_prog;
-        if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
-                errExit("asprintf");
-        assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-        seccomp_install_filters();
-#endif
-        execl(audit_prog, audit_prog, NULL);
-        perror("execl");
-        exit(1);
-}
 static void print_time(void) {
        if (start_timestamp) {
                unsigned long long end_timestamp = getticks();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4de33c83d..10e6ab687 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -106,6 +106,10 @@ void usage(void) {
        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
 #endif
        printf("    --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_SECCOMP
+        printf("    --memory-deny-write-execute - seccomp filter to block attempts to create\n");
+        printf("\tmemory mappings  that are both writable and executable.\n");
+#endif
 #ifdef HAVE_NETWORK
        printf("    --mtu=number - set interface MTU.\n");
 #endif
@@ -179,12 +183,11 @@ void usage(void) {
        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
        printf("\tdefault syscall list and the syscalls specified by the command.\n");
+        printf("    --seccomp.block-secondary - build only the native architecture filters.\n");
        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
        printf("\tblacklist the syscalls specified by the command.\n");
        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
        printf("\twhitelist the syscalls specified by the command.\n");
-        printf("    --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\treturn errno for the syscalls specified by the command.\n");
        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
        printf("\tidentified by name or PID.\n");
 #endif
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 26af8ad35..d41f46d93 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -321,9 +321,6 @@ void x11_start_xvfb(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -368,9 +365,6 @@ void x11_start_xvfb(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(jail_argv[0], jail_argv);
                perror("execvp");
                _exit(1);
@@ -563,9 +557,6 @@ void x11_start_xephyr(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -610,9 +601,6 @@ void x11_start_xephyr(int argc, char **argv) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(jail_argv[0], jail_argv);
                perror("execvp");
                _exit(1);
@@ -742,9 +730,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -796,9 +781,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(attach_argv[0], attach_argv);
                perror("execvp");
                _exit(1);
@@ -828,9 +810,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
        if (jail == 0) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                if (firejail_argv[0])             // shut up llvm scan-build
                        execvp(firejail_argv[0], firejail_argv);
                perror("execvp");
@@ -859,9 +838,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                                }
                                // running without privileges - see drop_privs call above
                                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                                seccomp_install_filters();
-#endif
                                execvp(stop_argv[0], stop_argv);
                                perror("execvp");
                                _exit(1);
@@ -1028,9 +1004,6 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
                // running without privileges - see drop_privs call above
                assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execvp(server_argv[0], server_argv);
                perror("execvp");
                _exit(1);
@@ -1168,9 +1141,6 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
                __gcov_flush();
 #endif
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 8afa3f63d..8c18b2d14 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -567,8 +567,16 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
        sl.prelist = NULL;
        sl.postlist = NULL;
        syscall_check_list(list, syscall_in_list, 0, 0, &sl);
-        if (!arg_quiet)
+        if (!arg_quiet) {
-                printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist);
+                printf("Seccomp list in: %s,", list);
+                if (sl.slist)
+                        printf(" check list: %s,", sl.slist);
+                if (sl.prelist)
+                        printf(" prelist: %s,", sl.prelist);
+                if (sl.postlist)
+                        printf(" postlist: %s", sl.postlist);
+                printf("\n");
+        }
        *prelist = sl.prelist;
        *postlist = sl.postlist;
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d1970c985..dd21951ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1573,7 +1573,7 @@ $, so for example $165 would be equal to mount on i386.
 .br
 System architecture is strictly imposed only if flag
-\-\-seccomp.block_secondary is used. The filter is applied at run time
+\-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
 and AMD64 both 32-bit and 64-bit filters are installed.
 .br
author	netblue30 <netblue30@yahoo.com>	2017-08-23 06:58:47 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-23 06:58:47 -0400
commit	79957c9662989782b78bedc540c14a5a424a469e (patch)
tree	2f8b047eee6f1636d8f591be3fbcc1b986c8eaab /src
parent	seccomp: fix errno (diff)
download	firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.gz firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.zst firejail-79957c9662989782b78bedc540c14a5a424a469e.zip