5 files changed, 56 insertions, 26 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f37605e20..a131d9e91 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
-                // redo cp command
-                fs_build_cp_command();
+//              // redo cp command
+//              fs_build_cp_command();
                
                // force caps and seccomp if not started as root
                if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
                        
                        // disable all capabilities
                        if (arg_caps_default_filter || arg_caps_list)
-                                fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
+                                fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
                        arg_caps_drop_all = 1;
                        
                        // drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
        if (arg_private_dev)
                fs_private_dev();
        if (arg_private_etc) {
-                fs_private_etc_list();
+                if (cfg.chrootdir)
-                // create /etc/ld.so.preload file again
+                        fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
-                if (arg_trace || arg_tracelog)
+                else {
-                        fs_trace_preload();
+                        fs_private_etc_list();
+                        // create /etc/ld.so.preload file again
+                        if (arg_trace || arg_tracelog)
+                                fs_trace_preload();
+                }
+        }
+        if (arg_private_bin) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+                else
+                        fs_private_bin_list();
        }
-        if (arg_private_bin)
-                fs_private_bin_list();
        if (arg_private_tmp)
                fs_private_tmp();
        
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index efe24a211..88620d1dd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
        sfilter_alloc_size = SECSIZE;
        
        // copy the start entries
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+        struct sock_filter filter[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL,
+                // handle X32 ABI
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+                RETURN_ERRNO(EPERM)
+        };
+#else
        struct sock_filter filter[] = {
                VALIDATE_ARCHITECTURE,
                EXAMINE_SYSCALL
        };
+#endif
        sfilter_index = sizeof(filter) / sizeof(struct sock_filter);    
        memcpy(sfilter, filter, sizeof(filter));
 }
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 685acf737..bcb227304 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
                timeout {puts "TESTING ERROR 5.3\n";exit}
                "proc /proc/sys proc"
        }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.4\n";exit}
+#               timeout {puts "TESTING ERROR 5.4\n";exit}
-                "proc /proc/sysrq-trigger proc"
+#               "proc /proc/sysrq-trigger proc"
-        }
+#       }
 #       expect {
 #               timeout {puts "TESTING ERROR 5.5\n";exit}
 #               "proc /proc/sys/kernel/hotplug"
 #       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.6\n";exit}
+#               timeout {puts "TESTING ERROR 5.6\n";exit}
-                "proc /proc/irq proc"
+#               "proc /proc/irq proc"
-        }
+#       }
-        expect {
+#       expect {
-                timeout {puts "TESTING ERROR 5.7\n";exit}
+#               timeout {puts "TESTING ERROR 5.7\n";exit}
-                "proc /proc/bus proc"
+#               "proc /proc/bus proc"
-        }
+#       }
        after 100
        send -- "exit\r"
        sleep 1
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index a00517716..389e63a1d 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
                "chroot option is not available" {puts "grsecurity\n"; exit}
+                "private-etc feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
+                "chroot option is not available" {puts "grsecurity\n"; exit}
                "Child process initialized"
        }
        sleep 1
        
-        send -- "ls -al /etc | wc -l\r"
+        send -- "ls /etc | grep firejail\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "10"
+                "firejail"
        }
        
        after 100
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 94a1abf67..d941fa9b7 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
        send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
        expect {
                timeout {puts "TESTING ERROR 4\n";exit}
+                "private-bin feature is disabled in chroot"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 5\n";exit}
                "Child process initialized"
        }
        sleep 1
        
        send -- "ls -l /usr/bin | wc -l\r"
        expect {
-                timeout {puts "TESTING ERROR 5.1\n";exit}
+                timeout {puts "TESTING ERROR 6\n";exit}
-                "6"
+                "9"
        }
        
        after 100

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f37605e20..a131d9e91 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
460	#ifdef HAVE_CHROOT	460	#ifdef HAVE_CHROOT
461	if (cfg.chrootdir) {	461	if (cfg.chrootdir) {
462	fs_chroot(cfg.chrootdir);	462	fs_chroot(cfg.chrootdir);
463	// redo cp command	463
464	fs_build_cp_command();	464	// // redo cp command
		465	// fs_build_cp_command();
465		466
466	// force caps and seccomp if not started as root	467	// force caps and seccomp if not started as root
467	if (getuid() != 0) {	468	if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
482		483
483	// disable all capabilities	484	// disable all capabilities
484	if (arg_caps_default_filter \|\| arg_caps_list)	485	if (arg_caps_default_filter \|\| arg_caps_list)
485	fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");	486	fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
486	arg_caps_drop_all = 1;	487	arg_caps_drop_all = 1;
487		488
488	// drop all supplementary groups; /etc/group file inside chroot	489	// drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
530	if (arg_private_dev)	531	if (arg_private_dev)
531	fs_private_dev();	532	fs_private_dev();
532	if (arg_private_etc) {	533	if (arg_private_etc) {
533	fs_private_etc_list();	534	if (cfg.chrootdir)
534	// create /etc/ld.so.preload file again	535	fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
535	if (arg_trace \|\| arg_tracelog)	536	else {
536	fs_trace_preload();	537	fs_private_etc_list();
		538	// create /etc/ld.so.preload file again
		539	if (arg_trace \|\| arg_tracelog)
		540	fs_trace_preload();
		541	}
		542	}
		543	if (arg_private_bin) {
		544	if (cfg.chrootdir)
		545	fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
		546	else
		547	fs_private_bin_list();
537	}	548	}
538	if (arg_private_bin)
539	fs_private_bin_list();
540	if (arg_private_tmp)	549	if (arg_private_tmp)
541	fs_private_tmp();	550	fs_private_tmp();
542		551


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index efe24a211..88620d1dd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
101	sfilter_alloc_size = SECSIZE;	101	sfilter_alloc_size = SECSIZE;
102		102
103	// copy the start entries	103	// copy the start entries
		104	#if defined(__x86_64__)
		105	#define X32_SYSCALL_BIT 0x40000000
		106	struct sock_filter filter[] = {
		107	VALIDATE_ARCHITECTURE,
		108	EXAMINE_SYSCALL,
		109	// handle X32 ABI
		110	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
		111	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
		112	RETURN_ERRNO(EPERM)
		113	};
		114	#else
104	struct sock_filter filter[] = {	115	struct sock_filter filter[] = {
105	VALIDATE_ARCHITECTURE,	116	VALIDATE_ARCHITECTURE,
106	EXAMINE_SYSCALL	117	EXAMINE_SYSCALL
107	};	118	};
		119	#endif
108	sfilter_index = sizeof(filter) / sizeof(struct sock_filter);	120	sfilter_index = sizeof(filter) / sizeof(struct sock_filter);
109	memcpy(sfilter, filter, sizeof(filter));	121	memcpy(sfilter, filter, sizeof(filter));
110	}	122	}


diff --git a/test/features/1.2.exp b/test/features/1.2.exp index 685acf737..bcb227304 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp
@@ -115,22 +115,22 @@ if { $chroot == "chroot" } {
115	timeout {puts "TESTING ERROR 5.3\n";exit}	115	timeout {puts "TESTING ERROR 5.3\n";exit}
116	"proc /proc/sys proc"	116	"proc /proc/sys proc"
117	}	117	}
118	expect {	118	# expect {
119	timeout {puts "TESTING ERROR 5.4\n";exit}	119	# timeout {puts "TESTING ERROR 5.4\n";exit}
120	"proc /proc/sysrq-trigger proc"	120	# "proc /proc/sysrq-trigger proc"
121	}	121	# }
122	# expect {	122	# expect {
123	# timeout {puts "TESTING ERROR 5.5\n";exit}	123	# timeout {puts "TESTING ERROR 5.5\n";exit}
124	# "proc /proc/sys/kernel/hotplug"	124	# "proc /proc/sys/kernel/hotplug"
125	# }	125	# }
126	expect {	126	# expect {
127	timeout {puts "TESTING ERROR 5.6\n";exit}	127	# timeout {puts "TESTING ERROR 5.6\n";exit}
128	"proc /proc/irq proc"	128	# "proc /proc/irq proc"
129	}	129	# }
130	expect {	130	# expect {
131	timeout {puts "TESTING ERROR 5.7\n";exit}	131	# timeout {puts "TESTING ERROR 5.7\n";exit}
132	"proc /proc/bus proc"	132	# "proc /proc/bus proc"
133	}	133	# }
134	after 100	134	after 100
135	send -- "exit\r"	135	send -- "exit\r"
136	sleep 1	136	sleep 1


diff --git a/test/features/3.6.exp b/test/features/3.6.exp index a00517716..389e63a1d 100755 --- a/test/features/3.6.exp +++ b/test/features/3.6.exp
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } {
60	expect {	60	expect {
61	timeout {puts "TESTING ERROR 4\n";exit}	61	timeout {puts "TESTING ERROR 4\n";exit}
62	"chroot option is not available" {puts "grsecurity\n"; exit}	62	"chroot option is not available" {puts "grsecurity\n"; exit}
		63	"private-etc feature is disabled in chroot"
		64	}
		65	expect {
		66	timeout {puts "TESTING ERROR 5\n";exit}
		67	"chroot option is not available" {puts "grsecurity\n"; exit}
63	"Child process initialized"	68	"Child process initialized"
64	}	69	}
65	sleep 1	70	sleep 1
66		71
67	send -- "ls -al /etc \| wc -l\r"	72	send -- "ls /etc \| grep firejail\r"
68	expect {	73	expect {
69	timeout {puts "TESTING ERROR 5.1\n";exit}	74	timeout {puts "TESTING ERROR 6\n";exit}
70	"10"	75	"firejail"
71	}	76	}
72		77
73	after 100	78	after 100


diff --git a/test/features/3.8.exp b/test/features/3.8.exp index 94a1abf67..d941fa9b7 100755 --- a/test/features/3.8.exp +++ b/test/features/3.8.exp
@@ -61,14 +61,18 @@ if { $chroot == "chroot" } {
61	send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"	61	send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r"
62	expect {	62	expect {
63	timeout {puts "TESTING ERROR 4\n";exit}	63	timeout {puts "TESTING ERROR 4\n";exit}
		64	"private-bin feature is disabled in chroot"
		65	}
		66	expect {
		67	timeout {puts "TESTING ERROR 5\n";exit}
64	"Child process initialized"	68	"Child process initialized"
65	}	69	}
66	sleep 1	70	sleep 1
67		71
68	send -- "ls -l /usr/bin \| wc -l\r"	72	send -- "ls -l /usr/bin \| wc -l\r"
69	expect {	73	expect {
70	timeout {puts "TESTING ERROR 5.1\n";exit}	74	timeout {puts "TESTING ERROR 6\n";exit}
71	"6"	75	"9"
72	}	76	}
73		77
74	after 100	78	after 100