cleanup

13 files changed, 77 insertions, 150 deletions

diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 9e6a2e549..aab7be0fd 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -26,30 +26,23 @@ void save_cgroup(void) {
         if (cfg.cgroup == NULL)
                 return;
         
-        char *fname;
-        if (asprintf(&fname, "%s/cgroup", MNT_DIR) == -1)
-                errExit(fname);
-        
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(CGROUP_CFG, "w");
         if (fp) {
                 fprintf(fp, "%s", cfg.cgroup);
                 fflush(0);
                 if (fclose(fp))
                         goto errout;
-                if (chown(fname, 0, 0) < 0)
+                if (chown(CGROUP_CFG, 0, 0) < 0)
                         errExit("chown");
         }
         else
                 goto errout;
         
-        free(fname);
         return;
 
 errout:
         fprintf(stderr, "Error: cannot save cgroup\n");
-        free(fname);
         exit(1);
-
 }
 
 void load_cgroup(const char *fname) {
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 9462568f2..6dcbbd07b 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -71,23 +71,17 @@ void save_cpu(void) {
         if (cfg.cpus == 0)
                 return;
 
-        char *fname;
-        if (asprintf(&fname, "%s/cpu", MNT_DIR) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(CPU_CFG, "w");
         if (fp) {
                 fprintf(fp, "%x\n", cfg.cpus);
                 fclose(fp);
-                if (chown(fname, 0, 0) < 0)
+                if (chown(CPU_CFG, 0, 0) < 0)
                         errExit("chown");
         }
         else {
                 fprintf(stderr, "Error: cannot save cpu affinity mask\n");
-                free(fname);
                 exit(1);
         }
-        
-        free(fname);
 }
 
 void load_cpu(const char *fname) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e79cc4a2c..1068485ff 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -21,20 +21,33 @@
 #define FIREJAIL_H
 #include "../include/common.h"
 
-#define USELOCK
+// filesystem
 #define FIREJAIL_DIR    "/tmp/firejail"
+#define NETWORK_LOCK_FILE       "/tmp/firejail/firejail.lock"
 #define RO_DIR  "/tmp/firejail/firejail.ro.dir"
 #define RO_FILE "/tmp/firejail/firejail.ro.file"
-#define MNT_DIR "/tmp/firejail/mnt"
+#define MNT_DIR "/tmp/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
+#define SECCOMP_CFG     "/tmp/firejail/mnt/seccomp"
+#define CGROUP_CFG      "/tmp/firejail/mnt/cgroup"
+#define CPU_CFG "/tmp/firejail/mnt/cpu"
+#define GROUPS_CFG      "/tmp/firejail/mnt/groups"
 #define CP_COMMAND      "/tmp/firejail/mnt/cp"
 #define HOME_DIR        "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
 #define BIN_DIR "/tmp/firejail/mnt/bin"
 #define DRI_DIR "/tmp/firejail/mnt/dri"
+#define PULSE_DIR       "/tmp/firejail/mnt/pulse"
 #define WHITELIST_HOME_DIR      "/tmp/firejail/mnt/whome"
+#define XAUTHORITY_FILE "/tmp/firejail/mnt/.Xauthority"
+#define HOSTNAME_FILE   "/tmp/firejail/mnt/hostname"
+#define RESOLVCONF_FILE "/tmp/firejail/mnt/resolv.conf"
+#define LDPRELOAD_FILE  "/tmp/firejail/mnt/ld.so.preload"
+#define UTMP_FILE               "/tmp/firejail/mnt/utmp"
+
+// profiles
 #define DEFAULT_USER_PROFILE    "generic"
 #define DEFAULT_ROOT_PROFILE    "server"
-#define MAX_INCLUDE_LEVEL 6
+#define MAX_INCLUDE_LEVEL 6             // include levels in profile files
 
 // main.c
 typedef struct bridge_t {
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 617d45d06..f9088f1ba 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -75,7 +75,7 @@ void fs_check_etc_list(void) {
 static void duplicate(char *fname) {
         char *cmd;
 
-        // copy the file
+        // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc
         if (asprintf(&cmd, "%s -a --parents /etc/%s %s", CP_COMMAND, fname, MNT_DIR) == -1)
                 errExit("asprintf");
         if (arg_debug)
@@ -113,7 +113,7 @@ void fs_private_etc_list(void) {
                 errExit("fork");
         if (child == 0) {
                 if (arg_debug)
-                        printf("Copying files in the new home:\n");
+                        printf("Copying files in the new etc directory:\n");
 
                 // elevate privileges - files in the new /etc directory belong to root
                 if (setreuid(0, 0) < 0)
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2cbb59e69..63c03a8db 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -109,15 +109,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 
 static int store_xauthority(void) {
-        // put a copy of .Xauthority in MNT_DIR
+        // put a copy of .Xauthority in XAUTHORITY_FILE
         fs_build_mnt_dir();
 
         char *src;
-        char *dest;
+        char *dest = XAUTHORITY_FILE;
         if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (asprintf(&dest, "%s/.Xauthority", MNT_DIR) == -1)
-                errExit("asprintf");
         
         struct stat s;
         if (stat(src, &s) == 0) {       
@@ -133,15 +131,11 @@ static int store_xauthority(void) {
 }
 
 static void copy_xauthority(void) {
-        // put a copy of .Xauthority in MNT_DIR
-        fs_build_mnt_dir();
-
-        char *src;
+        // copy XAUTHORITY_FILE in the new home directory
+        char *src = XAUTHORITY_FILE ;
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (asprintf(&src, "%s/.Xauthority", MNT_DIR) == -1)
-                errExit("asprintf");
         int rv = copy_file(src, dest);
         if (rv)
                 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 2d9ad6fa7..94251df57 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -33,49 +33,40 @@ void fs_hostname(const char *hostname) {
         if (stat("/etc/hostname", &s) == 0) {
                 if (arg_debug)
                         printf("Creating a new /etc/hostname file\n");
-                char *fhost;
-                if (asprintf(&fhost, "%s/hostname", MNT_DIR) == -1)
-                        errExit("asprintf");
-                FILE *fp = fopen(fhost, "w");
+
+                FILE *fp = fopen(HOSTNAME_FILE, "w");
                 if (!fp) {
-                        fprintf(stderr, "Error: cannot create %s\n", fhost);
-                        free(fhost);
+                        fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
                         exit(1);
                 }
                 fprintf(fp, "%s\n", hostname);
                 fclose(fp);
                 
                 // mode and owner
-                if (chown(fhost, 0, 0) < 0)
+                if (chown(HOSTNAME_FILE, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(fhost, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+                if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
                         errExit("chmod");
                 
                 // bind-mount the file on top of /etc/hostname
-                if (mount(fhost, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount(HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
                         errExit("mount bind /etc/hostname");
-                free(fhost);
         }
         
         // create a new /etc/hosts
         if (stat("/etc/hosts", &s) == 0) {
                 if (arg_debug)
                         printf("Creating a new /etc/hosts file\n");
-                char *fhost;
-                if (asprintf(&fhost, "%s/hosts", MNT_DIR) == -1)
-                        errExit("asprintf");
                 // copy /etc/host into our new file, and modify it on the fly
                 /* coverity[toctou] */
                 FILE *fp1 = fopen("/etc/hosts", "r");
                 if (!fp1) {
                         fprintf(stderr, "Error: cannot open /etc/hosts\n");
-                        free(fhost);
                         exit(1);
                 }
-                FILE *fp2 = fopen(fhost, "w");
+                FILE *fp2 = fopen(HOSTNAME_FILE, "w");
                 if (!fp2) {
-                        fprintf(stderr, "Error: cannot create %s\n", fhost);
-                        free(fhost);
+                        fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
                         exit(1);
                 }
                 
@@ -96,15 +87,14 @@ void fs_hostname(const char *hostname) {
                 fclose(fp2);
                 
                 // mode and owner
-                if (chown(fhost, 0, 0) < 0)
+                if (chown(HOSTNAME_FILE, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(fhost, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+                if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
                         errExit("chmod");
                 
                 // bind-mount the file on top of /etc/hostname
-                if (mount(fhost, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount(HOSTNAME_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
                         errExit("mount bind /etc/hosts");
-                free(fhost);
         }
 }
 
@@ -119,13 +109,9 @@ void fs_resolvconf(void) {
         if (stat("/etc/resolv.conf", &s) == 0) {
                 if (arg_debug)
                         printf("Creating a new /etc/resolv.conf file\n");
-                char *fname;
-                if (asprintf(&fname, "%s/resolv.conf", MNT_DIR) == -1)
-                        errExit("asprintf");
-                FILE *fp = fopen(fname, "w");
+                FILE *fp = fopen(RESOLVCONF_FILE, "w");
                 if (!fp) {
-                        fprintf(stderr, "Error: cannot create %s\n", fname);
-                        free(fname);
+                        fprintf(stderr, "Error: cannot create %s\n", RESOLVCONF_FILE);
                         exit(1);
                 }
                 
@@ -138,15 +124,14 @@ void fs_resolvconf(void) {
                 fclose(fp);
                 
                 // mode and owner
-                if (chown(fname, 0, 0) < 0)
+                if (chown(RESOLVCONF_FILE, 0, 0) < 0)
                         errExit("chown");
-                if (chmod(fname, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+                if (chmod(RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
                         errExit("chmod");
                 
                 // bind-mount the file on top of /etc/hostname
-                if (mount(fname, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount(RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
                         errExit("mount bind /etc/resolv.conf");
-                free(fname);
         }
         else {
                 fprintf(stderr, "Error: cannot set DNS servers, /etc/resolv.conf file is missing\n");
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 6058bf3c4..2b0f52a98 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -52,23 +52,21 @@ void fs_trace(void) {
         // create the new ld.so.preload file and mount-bind it
         if (arg_debug)
                 printf("Create the new ld.so.preload file\n");
-        char *preload;
-        if (asprintf(&preload, "%s/ld.so.preload", MNT_DIR) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(preload, "w");
+
+        FILE *fp = fopen(LDPRELOAD_FILE, "w");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
         fclose(fp);
-        if (chown(preload, 0, 0) < 0)
+        if (chown(LDPRELOAD_FILE, 0, 0) < 0)
                 errExit("chown");
-        if (chmod(preload, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+        if (chmod(LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
                 errExit("chmod");
         
         // mount the new preload file
         if (arg_debug)
                 printf("Mount the new ld.so.preload file\n");
-        if (mount(preload, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind ls.so.preload");
 }
 
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 93625633a..7e822f614 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -317,10 +317,8 @@ void fs_var_utmp(void) {
         // create a new utmp file
         if (arg_debug)
                 printf("Create the new utmp file\n");
-        char *utmp;
-        if (asprintf(&utmp, "%s/utmp", MNT_DIR) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(utmp, "w");
+
+        FILE *fp = fopen(UTMP_FILE, "w");
         if (!fp)
                 errExit("fopen");
                 
@@ -339,42 +337,16 @@ void fs_var_utmp(void) {
         // save new utmp file
         fwrite(&u_boot, sizeof(u_boot), 1, fp);
         fclose(fp);
-        if (chown(utmp, 0, utmp_group) < 0)
+        if (chown(UTMP_FILE, 0, utmp_group) < 0)
                 errExit("chown");
-        if (chmod(utmp, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
+        if (chmod(UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
                 errExit("chmod");
         
         // mount the new utmp file
         if (arg_debug)
                 printf("Mount the new utmp file\n");
-        if (mount(utmp, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(UTMP_FILE, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
 }
 
 
-#if 0
-Testing servers:
-
-brctl addbr br0
-ifconfig br0 10.10.20.1/24
-
-apt-get install snmpd
-insserv -r snmpd
-sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/snmpd start; sleep inf"
-
-apt-get install apache2
-insserv -r apache2
-sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/apache2 start; sleep inf"
-
-apt-get install nginx
-insserv -r nginx
-sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/nginx start; sleep inf"
-
-apt-get install lighttpd
-insserv -r lighttpd
-sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/lighttpd start; sleep inf"
-
-apt-get install isc-dhcp-server
-insserv -r isc-dhcp-server
-sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/isc-dhcp-server start; sleep inf"
-#endif
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 35e302bf0..91dad420a 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -69,7 +69,7 @@ static void extract_command(int argc, char **argv, int index) {
 
 static void extract_nogroups(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s/groups", pid, MNT_DIR) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, GROUPS_CFG) == -1)
                 errExit("asprintf");
                 
         struct stat s;
@@ -82,28 +82,28 @@ static void extract_nogroups(pid_t pid) {
 
 static void extract_cpu(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s/cpu", pid, MNT_DIR) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, CPU_CFG) == -1)
                 errExit("asprintf");
                 
         struct stat s;
         if (stat(fname, &s) == -1)
                 return;
         
-        // there is a cpu file in MNT_DIR; load the information from the file
+        // there is a CPU_CFG file, load it!
         load_cpu(fname);
         free(fname);
 }
 
 static void extract_cgroup(pid_t pid) {
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s/cgroup", pid, MNT_DIR) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, CGROUP_CFG) == -1)
                 errExit("asprintf");
                 
         struct stat s;
         if (stat(fname, &s) == -1)
                 return;
         
-        // there is a cgroup file in MNT_DIR; load the information from the file
+        // there is a cgroup file CGROUP_CFG, load it!
         load_cgroup(fname);
         free(fname);
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1c1c3a08f..4fa2e5b3b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1255,7 +1255,7 @@ int main(int argc, char **argv) {
 
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
-                lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+                lockfd = open(NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
                 if (lockfd != -1) {
                         int rv = fchown(lockfd, 0, 0);
                         (void) rv;
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 0cd5bace2..22c2a0d3d 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -86,26 +86,24 @@ void pulseaudio_disable(void) {
 void pulseaudio_init(void) {
         struct stat s;
         
+printf("here %d\n", __LINE__);
         // do we have pulseaudio in the system?
         if (stat("/etc/pulse/client.conf", &s) == -1)
                 return;
-
+printf("here %d\n", __LINE__);
          
         // create the new user pulseaudio directory
          fs_build_mnt_dir();
-        char *pulsedir;
-        if (asprintf(&pulsedir, "%s/pulse", MNT_DIR) == -1)
-                errExit("asprintf");
-        int rv = mkdir(pulsedir, S_IRWXU | S_IRWXG | S_IRWXO);
+        int rv = mkdir(PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
         (void) rv; // in --chroot mode the directory canalready be there
-        if (chown(pulsedir, getuid(), getgid()) < 0)
+        if (chown(PULSE_DIR, getuid(), getgid()) < 0)
                 errExit("chown");
-        if (chmod(pulsedir, 0700) < 0)
+        if (chmod(PULSE_DIR, 0700) < 0)
                 errExit("chmod");
 
         // create the new client.conf file
         char *pulsecfg = NULL;
-        if (asprintf(&pulsecfg, "%s/client.conf", pulsedir) == -1)
+        if (asprintf(&pulsecfg, "%s/client.conf", PULSE_DIR) == -1)
                 errExit("asprintf");
         if (copy_file("/etc/pulse/client.conf", pulsecfg))
                 errExit("copy_file");
@@ -119,12 +117,9 @@ void pulseaudio_init(void) {
         if (chown(pulsecfg, getuid(), getgid()) == -1)
                 errExit("chown");
 
-
         // set environment
         if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
                 errExit("setenv");
         
-
         free(pulsecfg);
-        free(pulsedir);         
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b23c5d742..d9ce717e0 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -46,23 +46,18 @@ void save_nogroups(void) {
         if (arg_nogroups == 0)
                 return;
 
-        char *fname;
-        if (asprintf(&fname, "%s/groups", MNT_DIR) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(GROUPS_CFG, "w");
         if (fp) {
                 fprintf(fp, "\n");
                 fclose(fp);
-                if (chown(fname, 0, 0) < 0)
+                if (chown(GROUPS_CFG, 0, 0) < 0)
                         errExit("chown");
         }
         else {
                 fprintf(stderr, "Error: cannot save nogroups state\n");
-                free(fname);
                 exit(1);
         }
         
-        free(fname);
 }
 
 static void sandbox_if_up(Bridge *br) {
@@ -436,21 +431,21 @@ int sandbox(void* sandbox_arg) {
         // if a keep list is available, disregard the drop list
         if (arg_seccomp == 1) {
                 if (cfg.seccomp_list_keep)
-                        seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file
+                        seccomp_filter_keep();
                 else if (cfg.seccomp_list_errno)
-                        seccomp_filter_errno(); // this will also save the filter to MNT_DIR/seccomp file
+                        seccomp_filter_errno(); 
                 else
-                        seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file
+                        seccomp_filter_drop();
         }
 #endif
 
         // set cpu affinity
         if (cfg.cpus) {
-                save_cpu(); // save cpu affinity mask to MNT_DIR/cpu file
+                save_cpu(); // save cpu affinity mask to CPU_CFG file
                 set_cpu_affinity();
         }
         
-        // save cgroup in MNT_DIR/cgroup file
+        // save cgroup in CGROUP_CFG file
         if (cfg.cgroup)
                 save_cgroup();
 
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 353b212f6..f8053d698 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -266,10 +266,7 @@ static void write_seccomp_file(void) {
         fs_build_mnt_dir();
         assert(sfilter);
 
-        char *fname;
-        if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1)
-                errExit("asprintf");
-        int fd = open(fname, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
+        int fd = open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
         if (fd == -1)
                 errExit("open");
 
@@ -282,23 +279,14 @@ static void write_seccomp_file(void) {
                 exit(1);
         }
         close(fd);
-        if (chown(fname, 0, 0) < 0)
+        if (chown(SECCOMP_CFG, 0, 0) < 0)
                 errExit("chown");
-        free(fname);
 }
 
 // read seccomp filter from /tmp/firejail/mnt/seccomp
-static void read_seccomp_file(char *file_name) {
+static void read_seccomp_file(const char *fname) {
         assert(sfilter == NULL && sfilter_index == 0);
 
-        char *fname;
-        if (file_name)
-                fname = file_name;
-        else {
-                if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1)
-                        errExit("asprintf");
-        }
-                
         // check file
         struct stat s;
         if (stat(fname, &s) == -1) {
@@ -331,7 +319,6 @@ static void read_seccomp_file(char *file_name) {
                 printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter)));
 
         close(fd);
-        free(fname);
         
         if (arg_debug)
                 filter_debug();
@@ -706,7 +693,7 @@ int seccomp_filter_errno(void) {
 
 void seccomp_set(void) {
         // read seccomp filter from  /tmp/firejail/mnt/seccomp
-        read_seccomp_file(NULL);
+        read_seccomp_file(SECCOMP_CFG);
         
         // apply filter
         struct sock_fprog prog = {
@@ -767,7 +754,7 @@ void seccomp_print_filter(pid_t pid) {
 
         // find the seccomp filter
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root/tmp/firejail/mnt/seccomp", pid) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, SECCOMP_CFG) == -1)
                 errExit("asprintf");
 
         struct stat s;
@@ -780,6 +767,7 @@ void seccomp_print_filter(pid_t pid) {
         read_seccomp_file(fname);
         drop_privs(1);
         filter_debug();
+        free(fname);
 
         exit(0);
 }