seccomp fixes

3 files changed, 10 insertions, 84 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4cb10c875..b2c18d79f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -21,90 +21,13 @@
 #define FIREJAIL_H
 #include "../include/common.h"
 #include "../include/euid_common.h"
+#include "../include/rundefs.h"
 #include <stdarg.h>
 #include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
-// filesystem
-#define RUN_FIREJAIL_BASEDIR    "/run"
-#define RUN_FIREJAIL_DIR        "/run/firejail"
-#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
-#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place
-#define RUN_FIREJAIL_LIB_DIR            "/run/firejail/lib"
-#define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
-#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
-#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
-#define RUN_FIREJAIL_PROFILE_DIR                "/run/firejail/profile"
-#define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail-network.lock"
-#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
-#define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
-#define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
-#define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
-#define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
-#define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
-#define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
-#define RUN_NONEWPRIVS_CFG      "/run/firejail/mnt/nonewprivs"
-#define RUN_HOME_DIR    "/run/firejail/mnt/home"
-#define RUN_ETC_DIR     "/run/firejail/mnt/etc"
-#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
-#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
-#define RUN_BIN_DIR     "/run/firejail/mnt/bin"
-#define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
-#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
-#define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
-#define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
-
-#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
-#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
-#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
-
-
-#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
-#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
-
-#define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
-#define RUN_WHITELIST_HOME_DIR  "/run/firejail/mnt/orig-home"   // default home directory masking
-#define RUN_WHITELIST_RUN_DIR   "/run/firejail/mnt/orig-run"    // default run directory masking
-#define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
-#define RUN_WHITELIST_RUN_USER_DIR      "/run/firejail/mnt/orig-run-user"       // run directory whitelisting
-#define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
-#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
-#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
-#define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
-#define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
-#define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
-#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
-#define RUN_WHITELIST_ETC_DIR   "/run/firejail/mnt/orig-etc"
-#define RUN_WHITELIST_SHARE_DIR   "/run/firejail/mnt/orig-share"
-#define RUN_WHITELIST_MODULE_DIR   "/run/firejail/mnt/orig-module"
-
-#define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
-#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
-#define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
-#define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
-#define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
-#define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
-#define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
-#define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
-#define RUN_GROUP_FILE          "/run/firejail/mnt/group"
-#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
-#define RUN_UMASK_FILE          "/run/firejail/mnt/umask"
-#define RUN_OVERLAY_ROOT        "/run/firejail/mnt/oroot"
-#define RUN_READY_FOR_JOIN      "/run/firejail/mnt/ready-for-join"
 
 
 // profiles
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 92803342c..8d6dde4e0 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 
 all: libpostexecseccomp.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libpostexecseccomp.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
-
 clean:; rm -f $(OBJS) libpostexecseccomp.so
 
 distclean: clean
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index e51445de4..3983510ec 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -17,19 +17,22 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "libpostexecseccomp.h"
 #include "../include/seccomp.h"
+#include "../include/rundefs.h"
 #include <fcntl.h>
 #include <linux/filter.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <unistd.h>
+#include <stdio.h>
 
 __attribute__((constructor))
 static void load_seccomp(void) {
         int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
-        if (fd == -1)
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC);
                 return;
+        }
 
         off_t size = lseek(fd, 0, SEEK_END);
         if (size <= 0) {
@@ -40,11 +43,12 @@ static void load_seccomp(void) {
         struct sock_filter *filter = MAP_FAILED;
         if (size != 0)
                 filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-
         close(fd);
 
-        if (filter == MAP_FAILED)
+        if (filter == MAP_FAILED) {
+                fprintf(stderr, "Error: cannot map seccomp postexec filter data\n");
                 return;
+        }
 
         // install filter
         struct sock_fprog prog = {