bring back postexecseccomp for chroot/appimage/overlay sandboxes

back in the days always the same default seccomp filter was loaded for chroot/appimage/overlayfs sandboxes. Nowadays users can configure their own filters, so allow postexecseccomp again.
author: smitsohu <smitsohu@gmail.com> 2021-03-03 16:14:57 +0100
committer: smitsohu <smitsohu@gmail.com> 2021-03-03 16:43:29 +0100
commit: 3565217343a64b71c60e376053dda6af1bfff42f (patch)
tree: b4d60e1533ca9f06c5cdafcafbafcce9f8cabea7 /src
parent: cosmetics (diff)
download: firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.gz
firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.zst
firejail-3565217343a64b71c60e376053dda6af1bfff42f.zip
1 files changed, 4 insertions, 5 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a4c038897..b6e0468c6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -786,14 +786,13 @@ int sandbox(void* sandbox_arg) {
 #else
        bool always_enforce_filters = false;
 #endif
-        // need ld.so.preload if tracing or seccomp with any non-default lists
-        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
        // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
        // and drop all capabilities
-        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
                enforce_filters();
-                need_preload = arg_trace || arg_tracelog;
-        }
+        // need ld.so.preload if tracing or seccomp with any non-default lists
+        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
        // trace pre-install
        if (need_preload)
author	smitsohu <smitsohu@gmail.com>	2021-03-03 16:14:57 +0100
committer	smitsohu <smitsohu@gmail.com>	2021-03-03 16:43:29 +0100
commit	3565217343a64b71c60e376053dda6af1bfff42f (patch)
tree	b4d60e1533ca9f06c5cdafcafbafcce9f8cabea7 /src
parent	cosmetics (diff)
download	firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.gz firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.zst firejail-3565217343a64b71c60e376053dda6af1bfff42f.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a4c038897..b6e0468c6 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -786,14 +786,13 @@ int sandbox(void* sandbox_arg) {
786	#else	786	#else
787	bool always_enforce_filters = false;	787	bool always_enforce_filters = false;
788	#endif	788	#endif
789	// need ld.so.preload if tracing or seccomp with any non-default lists
790	bool need_preload = arg_trace \|\| arg_tracelog \|\| arg_seccomp_postexec;
791	// for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS	789	// for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
792	// and drop all capabilities	790	// and drop all capabilities
793	if (getuid() != 0 && (arg_appimage \|\| cfg.chrootdir \|\| arg_overlay \|\| always_enforce_filters)) {	791	if (getuid() != 0 && (arg_appimage \|\| cfg.chrootdir \|\| arg_overlay \|\| always_enforce_filters))
794	enforce_filters();	792	enforce_filters();
795	need_preload = arg_trace \|\| arg_tracelog;	793
796	}	794	// need ld.so.preload if tracing or seccomp with any non-default lists
		795	bool need_preload = arg_trace \|\| arg_tracelog \|\| arg_seccomp_postexec;
797		796
798	// trace pre-install	797	// trace pre-install
799	if (need_preload)	798	if (need_preload)