diff options
author | netblue30 <netblue30@yahoo.com> | 2017-08-23 06:58:47 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-23 06:58:47 -0400 |
commit | 79957c9662989782b78bedc540c14a5a424a469e (patch) | |
tree | 2f8b047eee6f1636d8f591be3fbcc1b986c8eaab /src | |
parent | seccomp: fix errno (diff) | |
download | firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.gz firejail-79957c9662989782b78bedc540c14a5a424a469e.tar.zst firejail-79957c9662989782b78bedc540c14a5a424a469e.zip |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/bandwidth.c | 3 | ||||
-rw-r--r-- | src/firejail/output.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 13 | ||||
-rw-r--r-- | src/firejail/usage.c | 7 | ||||
-rw-r--r-- | src/firejail/x11.c | 30 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
7 files changed, 16 insertions, 55 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 831b76e79..24d027d54 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -441,9 +441,6 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
441 | arg[2] = cmd; | 441 | arg[2] = cmd; |
442 | arg[3] = NULL; | 442 | arg[3] = NULL; |
443 | clearenv(); | 443 | clearenv(); |
444 | #ifdef HAVE_SECCOMP | ||
445 | seccomp_install_filters(); | ||
446 | #endif | ||
447 | execvp(arg[0], arg); | 444 | execvp(arg[0], arg); |
448 | 445 | ||
449 | // it will never get here | 446 | // it will never get here |
diff --git a/src/firejail/output.c b/src/firejail/output.c index d69f5f051..b99604ec4 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -102,10 +102,6 @@ void check_output(int argc, char **argv) { | |||
102 | a[1] = "-c"; | 102 | a[1] = "-c"; |
103 | a[2] = cmd; | 103 | a[2] = cmd; |
104 | a[3] = NULL; | 104 | a[3] = NULL; |
105 | |||
106 | #ifdef HAVE_SECCOMP | ||
107 | seccomp_install_filters(); | ||
108 | #endif | ||
109 | execvp(a[0], a); | 105 | execvp(a[0], a); |
110 | 106 | ||
111 | perror("execvp"); | 107 | perror("execvp"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 30b55d7d0..150c23de7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -269,19 +269,6 @@ static int monitor_application(pid_t app_pid) { | |||
269 | return status; | 269 | return status; |
270 | } | 270 | } |
271 | 271 | ||
272 | void start_audit(void) { | ||
273 | char *audit_prog; | ||
274 | if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | ||
275 | errExit("asprintf"); | ||
276 | assert(getenv("LD_PRELOAD") == NULL); | ||
277 | #ifdef HAVE_SECCOMP | ||
278 | seccomp_install_filters(); | ||
279 | #endif | ||
280 | execl(audit_prog, audit_prog, NULL); | ||
281 | perror("execl"); | ||
282 | exit(1); | ||
283 | } | ||
284 | |||
285 | static void print_time(void) { | 272 | static void print_time(void) { |
286 | if (start_timestamp) { | 273 | if (start_timestamp) { |
287 | unsigned long long end_timestamp = getticks(); | 274 | unsigned long long end_timestamp = getticks(); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 4de33c83d..10e6ab687 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -106,6 +106,10 @@ void usage(void) { | |||
106 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); | 106 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); |
107 | #endif | 107 | #endif |
108 | printf(" --machine-id - preserve /etc/machine-id\n"); | 108 | printf(" --machine-id - preserve /etc/machine-id\n"); |
109 | #ifdef HAVE_SECCOMP | ||
110 | printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n"); | ||
111 | printf("\tmemory mappings that are both writable and executable.\n"); | ||
112 | #endif | ||
109 | #ifdef HAVE_NETWORK | 113 | #ifdef HAVE_NETWORK |
110 | printf(" --mtu=number - set interface MTU.\n"); | 114 | printf(" --mtu=number - set interface MTU.\n"); |
111 | #endif | 115 | #endif |
@@ -179,12 +183,11 @@ void usage(void) { | |||
179 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); | 183 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); |
180 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 184 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
181 | printf("\tdefault syscall list and the syscalls specified by the command.\n"); | 185 | printf("\tdefault syscall list and the syscalls specified by the command.\n"); |
186 | printf(" --seccomp.block-secondary - build only the native architecture filters.\n"); | ||
182 | printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); | 187 | printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); |
183 | printf("\tblacklist the syscalls specified by the command.\n"); | 188 | printf("\tblacklist the syscalls specified by the command.\n"); |
184 | printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); | 189 | printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); |
185 | printf("\twhitelist the syscalls specified by the command.\n"); | 190 | printf("\twhitelist the syscalls specified by the command.\n"); |
186 | printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n"); | ||
187 | printf("\treturn errno for the syscalls specified by the command.\n"); | ||
188 | printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); | 191 | printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); |
189 | printf("\tidentified by name or PID.\n"); | 192 | printf("\tidentified by name or PID.\n"); |
190 | #endif | 193 | #endif |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 26af8ad35..d41f46d93 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -321,9 +321,6 @@ void x11_start_xvfb(int argc, char **argv) { | |||
321 | 321 | ||
322 | // running without privileges - see drop_privs call above | 322 | // running without privileges - see drop_privs call above |
323 | assert(getenv("LD_PRELOAD") == NULL); | 323 | assert(getenv("LD_PRELOAD") == NULL); |
324 | #ifdef HAVE_SECCOMP | ||
325 | seccomp_install_filters(); | ||
326 | #endif | ||
327 | execvp(server_argv[0], server_argv); | 324 | execvp(server_argv[0], server_argv); |
328 | perror("execvp"); | 325 | perror("execvp"); |
329 | _exit(1); | 326 | _exit(1); |
@@ -368,9 +365,6 @@ void x11_start_xvfb(int argc, char **argv) { | |||
368 | 365 | ||
369 | // running without privileges - see drop_privs call above | 366 | // running without privileges - see drop_privs call above |
370 | assert(getenv("LD_PRELOAD") == NULL); | 367 | assert(getenv("LD_PRELOAD") == NULL); |
371 | #ifdef HAVE_SECCOMP | ||
372 | seccomp_install_filters(); | ||
373 | #endif | ||
374 | execvp(jail_argv[0], jail_argv); | 368 | execvp(jail_argv[0], jail_argv); |
375 | perror("execvp"); | 369 | perror("execvp"); |
376 | _exit(1); | 370 | _exit(1); |
@@ -563,9 +557,6 @@ void x11_start_xephyr(int argc, char **argv) { | |||
563 | 557 | ||
564 | // running without privileges - see drop_privs call above | 558 | // running without privileges - see drop_privs call above |
565 | assert(getenv("LD_PRELOAD") == NULL); | 559 | assert(getenv("LD_PRELOAD") == NULL); |
566 | #ifdef HAVE_SECCOMP | ||
567 | seccomp_install_filters(); | ||
568 | #endif | ||
569 | execvp(server_argv[0], server_argv); | 560 | execvp(server_argv[0], server_argv); |
570 | perror("execvp"); | 561 | perror("execvp"); |
571 | _exit(1); | 562 | _exit(1); |
@@ -610,9 +601,6 @@ void x11_start_xephyr(int argc, char **argv) { | |||
610 | 601 | ||
611 | // running without privileges - see drop_privs call above | 602 | // running without privileges - see drop_privs call above |
612 | assert(getenv("LD_PRELOAD") == NULL); | 603 | assert(getenv("LD_PRELOAD") == NULL); |
613 | #ifdef HAVE_SECCOMP | ||
614 | seccomp_install_filters(); | ||
615 | #endif | ||
616 | execvp(jail_argv[0], jail_argv); | 604 | execvp(jail_argv[0], jail_argv); |
617 | perror("execvp"); | 605 | perror("execvp"); |
618 | _exit(1); | 606 | _exit(1); |
@@ -742,9 +730,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { | |||
742 | 730 | ||
743 | // running without privileges - see drop_privs call above | 731 | // running without privileges - see drop_privs call above |
744 | assert(getenv("LD_PRELOAD") == NULL); | 732 | assert(getenv("LD_PRELOAD") == NULL); |
745 | #ifdef HAVE_SECCOMP | ||
746 | seccomp_install_filters(); | ||
747 | #endif | ||
748 | execvp(server_argv[0], server_argv); | 733 | execvp(server_argv[0], server_argv); |
749 | perror("execvp"); | 734 | perror("execvp"); |
750 | _exit(1); | 735 | _exit(1); |
@@ -796,9 +781,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { | |||
796 | 781 | ||
797 | // running without privileges - see drop_privs call above | 782 | // running without privileges - see drop_privs call above |
798 | assert(getenv("LD_PRELOAD") == NULL); | 783 | assert(getenv("LD_PRELOAD") == NULL); |
799 | #ifdef HAVE_SECCOMP | ||
800 | seccomp_install_filters(); | ||
801 | #endif | ||
802 | execvp(attach_argv[0], attach_argv); | 784 | execvp(attach_argv[0], attach_argv); |
803 | perror("execvp"); | 785 | perror("execvp"); |
804 | _exit(1); | 786 | _exit(1); |
@@ -828,9 +810,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { | |||
828 | if (jail == 0) { | 810 | if (jail == 0) { |
829 | // running without privileges - see drop_privs call above | 811 | // running without privileges - see drop_privs call above |
830 | assert(getenv("LD_PRELOAD") == NULL); | 812 | assert(getenv("LD_PRELOAD") == NULL); |
831 | #ifdef HAVE_SECCOMP | ||
832 | seccomp_install_filters(); | ||
833 | #endif | ||
834 | if (firejail_argv[0]) // shut up llvm scan-build | 813 | if (firejail_argv[0]) // shut up llvm scan-build |
835 | execvp(firejail_argv[0], firejail_argv); | 814 | execvp(firejail_argv[0], firejail_argv); |
836 | perror("execvp"); | 815 | perror("execvp"); |
@@ -859,9 +838,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { | |||
859 | } | 838 | } |
860 | // running without privileges - see drop_privs call above | 839 | // running without privileges - see drop_privs call above |
861 | assert(getenv("LD_PRELOAD") == NULL); | 840 | assert(getenv("LD_PRELOAD") == NULL); |
862 | #ifdef HAVE_SECCOMP | ||
863 | seccomp_install_filters(); | ||
864 | #endif | ||
865 | execvp(stop_argv[0], stop_argv); | 841 | execvp(stop_argv[0], stop_argv); |
866 | perror("execvp"); | 842 | perror("execvp"); |
867 | _exit(1); | 843 | _exit(1); |
@@ -1028,9 +1004,6 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) { | |||
1028 | 1004 | ||
1029 | // running without privileges - see drop_privs call above | 1005 | // running without privileges - see drop_privs call above |
1030 | assert(getenv("LD_PRELOAD") == NULL); | 1006 | assert(getenv("LD_PRELOAD") == NULL); |
1031 | #ifdef HAVE_SECCOMP | ||
1032 | seccomp_install_filters(); | ||
1033 | #endif | ||
1034 | execvp(server_argv[0], server_argv); | 1007 | execvp(server_argv[0], server_argv); |
1035 | perror("execvp"); | 1008 | perror("execvp"); |
1036 | _exit(1); | 1009 | _exit(1); |
@@ -1168,9 +1141,6 @@ void x11_xorg(void) { | |||
1168 | #ifdef HAVE_GCOV | 1141 | #ifdef HAVE_GCOV |
1169 | __gcov_flush(); | 1142 | __gcov_flush(); |
1170 | #endif | 1143 | #endif |
1171 | #ifdef HAVE_SECCOMP | ||
1172 | seccomp_install_filters(); | ||
1173 | #endif | ||
1174 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, | 1144 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, |
1175 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); | 1145 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); |
1176 | 1146 | ||
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 8afa3f63d..8c18b2d14 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -567,8 +567,16 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis | |||
567 | sl.prelist = NULL; | 567 | sl.prelist = NULL; |
568 | sl.postlist = NULL; | 568 | sl.postlist = NULL; |
569 | syscall_check_list(list, syscall_in_list, 0, 0, &sl); | 569 | syscall_check_list(list, syscall_in_list, 0, 0, &sl); |
570 | if (!arg_quiet) | 570 | if (!arg_quiet) { |
571 | printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist); | 571 | printf("Seccomp list in: %s,", list); |
572 | if (sl.slist) | ||
573 | printf(" check list: %s,", sl.slist); | ||
574 | if (sl.prelist) | ||
575 | printf(" prelist: %s,", sl.prelist); | ||
576 | if (sl.postlist) | ||
577 | printf(" postlist: %s", sl.postlist); | ||
578 | printf("\n"); | ||
579 | } | ||
572 | *prelist = sl.prelist; | 580 | *prelist = sl.prelist; |
573 | *postlist = sl.postlist; | 581 | *postlist = sl.postlist; |
574 | } | 582 | } |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d1970c985..dd21951ec 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1573,7 +1573,7 @@ $, so for example $165 would be equal to mount on i386. | |||
1573 | 1573 | ||
1574 | .br | 1574 | .br |
1575 | System architecture is strictly imposed only if flag | 1575 | System architecture is strictly imposed only if flag |
1576 | \-\-seccomp.block_secondary is used. The filter is applied at run time | 1576 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
1577 | only if the correct architecture was detected. For the case of I386 | 1577 | only if the correct architecture was detected. For the case of I386 |
1578 | and AMD64 both 32-bit and 64-bit filters are installed. | 1578 | and AMD64 both 32-bit and 64-bit filters are installed. |
1579 | .br | 1579 | .br |