always log seccomp errors (#5110)

author: netblue30 <netblue30@protonmail.com> 2022-05-09 10:23:52 -0400
committer: netblue30 <netblue30@protonmail.com> 2022-05-09 10:23:52 -0400
commit: a3f00edb32aca7516d690db046dd1ed3eb186bdd (patch)
tree: 18ade02a399fa244f5aa899d9c3d2ab9bbc48d32 /src
parent: configure*: remove ultimately unused INSTALL and RANLIB check macros (diff)
download: firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.tar.gz
firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.tar.zst
firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.zip
2 files changed, 8 insertions, 2 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 0cd6ac7ec..9fcf74c02 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -70,9 +70,11 @@ int seccomp_install_filters(void) {
                        assert(fl->fname);
                        if (arg_debug)
                                printf("Installing %s seccomp filter\n", fl->fname);
+#ifdef SECCOMP_FILTER_FLAG_LOG
+                        if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+#else
                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+#endif
                                if (!err_printed)
                                        fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
                                err_printed = 1;
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index e2339547e..c8f1fb3fb 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -55,6 +55,10 @@ static void load_seccomp(void) {
        };
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+#ifdef SECCOMP_FILTER_FLAG_LOG
+        syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog);
+#else
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
+#endif
        munmap(filter, size);
 }
author	netblue30 <netblue30@protonmail.com>	2022-05-09 10:23:52 -0400
committer	netblue30 <netblue30@protonmail.com>	2022-05-09 10:23:52 -0400
commit	a3f00edb32aca7516d690db046dd1ed3eb186bdd (patch)
tree	18ade02a399fa244f5aa899d9c3d2ab9bbc48d32 /src
parent	configure*: remove ultimately unused INSTALL and RANLIB check macros (diff)
download	firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.tar.gz firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.tar.zst firejail-a3f00edb32aca7516d690db046dd1ed3eb186bdd.zip

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 0cd6ac7ec..9fcf74c02 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -70,9 +70,11 @@ int seccomp_install_filters(void) {
70	assert(fl->fname);	70	assert(fl->fname);
71	if (arg_debug)	71	if (arg_debug)
72	printf("Installing %s seccomp filter\n", fl->fname);	72	printf("Installing %s seccomp filter\n", fl->fname);
73		73	#ifdef SECCOMP_FILTER_FLAG_LOG
		74	if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
		75	#else
74	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {	76	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
75		77	#endif
76	if (!err_printed)	78	if (!err_printed)
77	fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");	79	fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
78	err_printed = 1;	80	err_printed = 1;


diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c index e2339547e..c8f1fb3fb 100644 --- a/src/libpostexecseccomp/libpostexecseccomp.c +++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -55,6 +55,10 @@ static void load_seccomp(void) {
55	};	55	};
56		56
57	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);	57	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
		58	#ifdef SECCOMP_FILTER_FLAG_LOG
		59	syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog);
		60	#else
58	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);	61	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
		62	#endif
59	munmap(filter, size);	63	munmap(filter, size);
60	}	64	}