author | smitsohu <smitsohu@gmail.com> | 2020-04-20 22:16:48 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-04-20 22:16:48 +0200 |
commit | 1a69bb3156688b63a28b33b3f36e75a41b35fb0a (patch) | |
tree | 1d26417c4f4dbd46438097119e7aa9acfe1ae0a9 /src | |
parent | sbox: blacklist umount syscall (diff) | |
debug seccomp as the user
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 35 |
1 files changed, 27 insertions, 8 deletions
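--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -198,6 +198,32 @@ static FILE *create_ready_for_join_file(void) {
 }
 }
 
+#ifdef HAVE_SECCOMP
+static void seccomp_debug(void) {
+if (arg_debug == 0)
+return;
+
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// dropping privs before calling system(3)
+drop_privs(1);
+printf("Seccomp directory:\n");
+int rv = system("ls -l " RUN_SECCOMP_DIR);
+(void) rv;
+printf("Active seccomp files:\n");
+rv = system("cat " RUN_SECCOMP_LIST);
+(void) rv;
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+waitpid(child, NULL, 0);
+}
+#endif
+
 static void sandbox_if_up(Bridge *br) {
 assert(br);
 if (!br->configured)
@@ -1136,14 +1162,7 @@ int sandbox(void* sandbox_arg) {
 
 // make seccomp filters read-only
 fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
-if (arg_debug) {
-printf("Seccomp directory:\n");
-int rv = system("ls -l " RUN_SECCOMP_DIR);
-(void) rv;
-printf("Active seccomp files:\n");
-rv = system("cat " RUN_SECCOMP_LIST);
-(void) rv;
-}
+seccomp_debug();
 #endif
 
 // set capabilities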
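Review bot: In the new seccomp_debug the child's `printf` headers sit in a stdio buffer that is never flushed, because the child leaves through `_exit(0)`; when stdout is a pipe or log file rather than a terminal, "Seccomp directory:" and "Active seccomp files:" are lost or land after the `ls`/`cat` output, which the shell children write straight to fd 1. Adding `fflush(stdout);` after each printf, or a single `fflush(NULL);` right before `fork()` (which also keeps any parent-buffered output from being emitted twice), fixes the ordering. The result of `waitpid(child, NULL, 0)` is also discarded, so a signal-interrupted wait lets the parent continue before the child has finished printing; a retry on EINTR seems worth considering. Calling `drop_privs(1)` before `system(3)` is the right direction, and since `ls`/`cat` are then resolved from the unprivileged environment, a nonzero `rv` (for example 127 when the shell cannot find them) currently yields no output at all — printing `rv` when it is nonzero would make this debug aid self-diagnosing. The second hunk's enclosing function `sandbox()` begins and ends outside the hunk.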