2 files changed, 5 insertions, 55 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ff7e3c59..5774ebf6a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) {
                create_empty_dir_as_root(rundir, 0755);
                free(rundir);
                
-                // create /run/firejail/mnt directory in chroot and mount a tmpfs
+                // create /run/firejail/mnt directory in chroot and mount the current one
-                if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
+                if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
                        errExit("asprintf");
                create_empty_dir_as_root(rundir, 0755);
-                if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /run/firejail/mnt");
+                        errExit("mount bind");
-                fs_logger2("tmpfs", RUN_MNT_DIR);
-                free(rundir);
-                // retrieve seccomp.protocol
-                struct stat s;
-                if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
-                        if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
-                                errExit("asprintf");
-                        copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
-                        free(rundir);
-                }
-                
                // copy /etc/resolv.conf in chroot directory
                // if resolv.conf in chroot is a symbolic link, this will fail
                // no exit on error, let the user deal with the problem
@@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) {
        if (chroot(rootdir) < 0)
                errExit("chroot");
-        // create all other /run/firejail files and directories
-        preproc_build_firejail_dir();
-                
        if (checkcfg(CFG_CHROOT_DESKTOP)) {
                // update /var directory in order to support multiple sandboxes running on the same root directory
 //              if (!arg_private_dev)
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 30c63d734..4678f366b 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -94,16 +94,6 @@ int seccomp_load(const char *fname) {
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-#if 0
-        if (arg_debug)
-                printf("Build secondary 32-bit filter\n");
-        // build the seccomp filter as a regular user
-        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
-        if (rv)
-                exit(rv);
-#endif
        if (seccomp_load(RUN_SECCOMP_I386) == 0) {
                if (arg_debug)
                        printf("Dual i386/amd64 seccomp filter configured\n");
@@ -112,17 +102,6 @@ void seccomp_filter_32(void) {
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-#if 0
-        if (arg_debug)
-                printf("Build secondary 64-bit filter\n");
-        // build the seccomp filter as a regular user
-        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
-        if (rv)
-                exit(rv);
-#endif
        if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
                if (arg_debug)
                        printf("Dual i386/amd64 seccomp filter configured\n");
@@ -139,21 +118,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
                seccomp_filter_64();
 #endif
-#if 0
-                if (arg_debug)
-                        printf("Build default seccomp filter\n");
-                // build the seccomp filter as a regular user
-                int rv;
-                if (arg_allow_debuggers)
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
-                else
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
-                if (rv)
-                        exit(rv);
-#endif
        }
        // default seccomp filter with additional drop list
        else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
@@ -209,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
                exit(1);
        }
        
-        if (arg_debug)
+        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
                        PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ff7e3c59..5774ebf6a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) {
1010	create_empty_dir_as_root(rundir, 0755);	1010	create_empty_dir_as_root(rundir, 0755);
1011	free(rundir);	1011	free(rundir);
1012		1012
1013	// create /run/firejail/mnt directory in chroot and mount a tmpfs	1013	// create /run/firejail/mnt directory in chroot and mount the current one
1014	if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)	1014	if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
1015	errExit("asprintf");	1015	errExit("asprintf");
1016	create_empty_dir_as_root(rundir, 0755);	1016	create_empty_dir_as_root(rundir, 0755);
1017	if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)	1017	if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND\|MS_REC, NULL) < 0)
1018	errExit("mounting /run/firejail/mnt");	1018	errExit("mount bind");
1019	fs_logger2("tmpfs", RUN_MNT_DIR);
1020	free(rundir);
1021		1019
1022	// retrieve seccomp.protocol
1023	struct stat s;
1024	if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
1025	if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
1026	errExit("asprintf");
1027	copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
1028	free(rundir);
1029	}
1030
1031	// copy /etc/resolv.conf in chroot directory	1020	// copy /etc/resolv.conf in chroot directory
1032	// if resolv.conf in chroot is a symbolic link, this will fail	1021	// if resolv.conf in chroot is a symbolic link, this will fail
1033	// no exit on error, let the user deal with the problem	1022	// no exit on error, let the user deal with the problem
@@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) {
1053	if (chroot(rootdir) < 0)	1042	if (chroot(rootdir) < 0)
1054	errExit("chroot");	1043	errExit("chroot");
1055		1044
1056	// create all other /run/firejail files and directories
1057	preproc_build_firejail_dir();
1058
1059	if (checkcfg(CFG_CHROOT_DESKTOP)) {	1045	if (checkcfg(CFG_CHROOT_DESKTOP)) {
1060	// update /var directory in order to support multiple sandboxes running on the same root directory	1046	// update /var directory in order to support multiple sandboxes running on the same root directory
1061	// if (!arg_private_dev)	1047	// if (!arg_private_dev)


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 30c63d734..4678f366b 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -94,16 +94,6 @@ int seccomp_load(const char *fname) {
94		94
95	// i386 filter installed on amd64 architectures	95	// i386 filter installed on amd64 architectures
96	void seccomp_filter_32(void) {	96	void seccomp_filter_32(void) {
97	#if 0
98	if (arg_debug)
99	printf("Build secondary 32-bit filter\n");
100
101	// build the seccomp filter as a regular user
102	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 4,
103	PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
104	if (rv)
105	exit(rv);
106	#endif
107	if (seccomp_load(RUN_SECCOMP_I386) == 0) {	97	if (seccomp_load(RUN_SECCOMP_I386) == 0) {
108	if (arg_debug)	98	if (arg_debug)
109	printf("Dual i386/amd64 seccomp filter configured\n");	99	printf("Dual i386/amd64 seccomp filter configured\n");
@@ -112,17 +102,6 @@ void seccomp_filter_32(void) {
112		102
113	// amd64 filter installed on i386 architectures	103	// amd64 filter installed on i386 architectures
114	void seccomp_filter_64(void) {	104	void seccomp_filter_64(void) {
115	#if 0
116	if (arg_debug)
117	printf("Build secondary 64-bit filter\n");
118
119	// build the seccomp filter as a regular user
120	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 4,
121	PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
122	if (rv)
123	exit(rv);
124	#endif
125
126	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {	105	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
127	if (arg_debug)	106	if (arg_debug)
128	printf("Dual i386/amd64 seccomp filter configured\n");	107	printf("Dual i386/amd64 seccomp filter configured\n");
@@ -139,21 +118,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
139	#if defined(__i386__)	118	#if defined(__i386__)
140	seccomp_filter_64();	119	seccomp_filter_64();
141	#endif	120	#endif
142
143	#if 0
144	if (arg_debug)
145	printf("Build default seccomp filter\n");
146	// build the seccomp filter as a regular user
147	int rv;
148	if (arg_allow_debuggers)
149	rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 4,
150	PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
151	else
152	rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3,
153	PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
154	if (rv)
155	exit(rv);
156	#endif
157	}	121	}
158	// default seccomp filter with additional drop list	122	// default seccomp filter with additional drop list
159	else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {	123	else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
@@ -209,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
209	exit(1);	173	exit(1);
210	}	174	}
211		175
212	if (arg_debug)	176	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
213	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3,	177	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3,
214	PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);	178	PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
215		179