cleanup seccomp run files

author: netblue30 <netblue30@yahoo.com> 2018-04-12 12:45:43 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-04-12 12:45:43 -0400
commit: 38276c9c64c8a0e086f2fb84402c5105c1483216 (patch)
tree: 98f2bbafeef4bb1bdad64795607e961109eb1880 /src
parent: AppArmor: disable MAC related capabilities (diff)
download: firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.gz
firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.zst
firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.zip
2 files changed, 30 insertions, 6 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 709ce96b6..5c7f73fc1 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
                seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_PROTOCOL);
+                (void) rv;
+        }
 #endif
        // if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
                        seccomp_filter_keep();
                else
                        seccomp_filter_drop();
-        }
-        if (arg_debug) {
+                // clean unused filters
-                printf("\nSeccomp files:\n");
+#if defined(__LP64__)
-                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                int rv = unlink(RUN_SECCOMP_64);
+#endif
+#if defined(__ILP32__)
+                int rv = unlink(RUN_SECCOMP_32);
+#endif
+                (void) rv;
+        }
+        else { // clean seccomp files under /run/firejail/mnt
+                int rv = unlink(RUN_SECCOMP_CFG);
+                rv |= unlink(RUN_SECCOMP_64);
+                rv |= unlink(RUN_SECCOMP_32);
                (void) rv;
-                printf("\n");
        }
        if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
                        printf("Install memory write&execute filter\n");
                seccomp_load(RUN_SECCOMP_MDWX); // install filter
        }
+        else {
+                int rv = unlink(RUN_SECCOMP_MDWX);
+                (void) rv;
+        }
+        if (arg_debug) {
+                printf("\nSeccomp files:\n");
+                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+                (void) rv;
+                printf("\n");
+        }
 #endif
        //****************************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index fed1f7ba7..cc2b08542 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
                for (i = 3; i < max; i++)
                        close(i); // close open files
+#if 0
                if (arg_debug) {
                        printf("sbox file descriptors:\n");
                        int rv = system("ls -l /proc/self/fd");
                        (void) rv;
                }
+#endif
                umask(027);
                // apply filters
author	netblue30 <netblue30@yahoo.com>	2018-04-12 12:45:43 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-04-12 12:45:43 -0400
commit	38276c9c64c8a0e086f2fb84402c5105c1483216 (patch)
tree	98f2bbafeef4bb1bdad64795607e961109eb1880 /src
parent	AppArmor: disable MAC related capabilities (diff)
download	firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.gz firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.tar.zst firejail-38276c9c64c8a0e086f2fb84402c5105c1483216.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 709ce96b6..5c7f73fc1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
997	seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter	997	seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
998	protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG	998	protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
999	}	999	}
		1000	else {
		1001	int rv = unlink(RUN_SECCOMP_PROTOCOL);
		1002	(void) rv;
		1003	}
1000	#endif	1004	#endif
1001		1005
1002	// if a keep list is available, disregard the drop list	1006	// if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
1005	seccomp_filter_keep();	1009	seccomp_filter_keep();
1006	else	1010	else
1007	seccomp_filter_drop();	1011	seccomp_filter_drop();
1008	}
1009		1012
1010	if (arg_debug) {	1013	// clean unused filters
1011	printf("\nSeccomp files:\n");	1014	#if defined(__LP64__)
1012	int rv = system("ls -l /run/firejail/mnt/seccomp*\n");	1015	int rv = unlink(RUN_SECCOMP_64);
		1016	#endif
		1017	#if defined(__ILP32__)
		1018	int rv = unlink(RUN_SECCOMP_32);
		1019	#endif
		1020	(void) rv;
		1021	}
		1022	else { // clean seccomp files under /run/firejail/mnt
		1023	int rv = unlink(RUN_SECCOMP_CFG);
		1024	rv \|= unlink(RUN_SECCOMP_64);
		1025	rv \|= unlink(RUN_SECCOMP_32);
1013	(void) rv;	1026	(void) rv;
1014	printf("\n");
1015	}	1027	}
1016		1028
1017	if (arg_memory_deny_write_execute) {	1029	if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
1019	printf("Install memory write&execute filter\n");	1031	printf("Install memory write&execute filter\n");
1020	seccomp_load(RUN_SECCOMP_MDWX); // install filter	1032	seccomp_load(RUN_SECCOMP_MDWX); // install filter
1021	}	1033	}
		1034	else {
		1035	int rv = unlink(RUN_SECCOMP_MDWX);
		1036	(void) rv;
		1037	}
		1038
		1039	if (arg_debug) {
		1040	printf("\nSeccomp files:\n");
		1041	int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
		1042	(void) rv;
		1043	printf("\n");
		1044	}
1022	#endif	1045	#endif
1023		1046
1024	//****************************************	1047	//****************************************


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index fed1f7ba7..cc2b08542 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
153	for (i = 3; i < max; i++)	153	for (i = 3; i < max; i++)
154	close(i); // close open files	154	close(i); // close open files
155		155
		156	#if 0
156	if (arg_debug) {	157	if (arg_debug) {
157	printf("sbox file descriptors:\n");	158	printf("sbox file descriptors:\n");
158	int rv = system("ls -l /proc/self/fd");	159	int rv = system("ls -l /proc/self/fd");
159	(void) rv;	160	(void) rv;
160	}	161	}
161		162	#endif
162	umask(027);	163	umask(027);
163		164
164	// apply filters	165	// apply filters