author | netblue30 <netblue30@yahoo.com> | 2018-04-08 10:04:17 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-08 10:04:17 -0400 |
commit | ffa81b0f1863861b6753a84d567ff8dd9991220c (patch) | |
tree | d787a08dd91227529eb4a64c6b3633ae2cca5a8f /src | |
parent | Replace shell and seccomp filter for firefox >= 60, should fix #1765 and #1847 (diff) | |
optimize seccomp.drop and seccomp= filters
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 10 |
2 files changed, 11 insertions, 0 deletions
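--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -778,6 +778,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")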
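--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -210,6 +210,11 @@ int seccomp_filter_drop(void) {
 				PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
 			if (rv)
 				exit(rv);
+
+			// optimize the new filter
+			rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+			if (rv)
+				exit(rv);
 		}
 	}
 
@@ -232,6 +237,11 @@ int seccomp_filter_drop(void) {
 
 		if (rv)
 			exit(rv);
+
+		// optimize the drop filter
+		rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+		if (rv)
+			exit(rv);
 	}
 
 	// load the filter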
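Review bot: The five added lines are identical in both hunks (new 213–217 and new 240–244): a blank line, a comment, the sbox_run of PATH_FSEC_OPTIMIZE on RUN_SECCOMP_CFG, and the exit-on-error; they belong in one static helper so that a later change to the sandbox flags or to the error handling cannot silently diverge between the two call sites. The helper is also the natural place to document that fsec-optimize appears to rewrite RUN_SECCOMP_CFG in place (inferred from the arguments, to be confirmed against fsec-optimize) and that a non-zero return aborts the sandbox rather than loading an unoptimised filter. The two comments differ ("optimize the new filter" vs "optimize the drop filter") although both act on the same file; a single comment at the helper definition replaces both. seccomp_filter_drop begins before the first hunk, so whether the function's remaining branch is also passed through the optimiser cannot be seen here.
```c
// Run fsec-optimize on the filter file at path, sandboxed like the other
// fseccomp helpers (no caps, own seccomp filter). Exits with the helper's
// status on failure so an unoptimised filter is never loaded silently.
static void seccomp_optimize(const char *path) {
	int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, path);
	if (rv)
		exit(rv);
}

// … unchanged: seccomp_filter_drop up to the exit(rv) after the fseccomp "default drop" run …
			seccomp_optimize(RUN_SECCOMP_CFG);
// … unchanged: closing braces, drop-list branch up to its exit(rv) …
		seccomp_optimize(RUN_SECCOMP_CFG);
```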