-rw-r--r--src/firejail/firejail.h16
-rw-r--r--src/firejail/fs_lib.c1
-rw-r--r--src/firejail/preproc.c2
-rw-r--r--src/firejail/sandbox.c8
4 files changed, 16 insertions, 11 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5291361c8..4cb10c875 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
57#define RUN_LIB_FILE "/run/firejail/mnt/libfiles" 57#define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
58#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" 58#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
59 59
60#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed 60#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
61#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter 61#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
62#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter 62#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
63#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures 63#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
64#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute 64#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
65#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter 65#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
66#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library 66#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
67#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
67#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make 68#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
68#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make 69#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
69#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make 70#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
@@ -95,7 +96,6 @@
95#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" 96#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
96#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" 97#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
97#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" 98#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
98#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
99#define RUN_MACHINEID "/run/firejail/mnt/machine-id" 99#define RUN_MACHINEID "/run/firejail/mnt/machine-id"
100#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" 100#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
101#define RUN_UTMP_FILE "/run/firejail/mnt/utmp" 101#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
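Review bot: RUN_SECCOMP_DIR at new line 60 is the only define in this block without a trailing comment, while every neighbouring entry says what its path holds; suggest `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // directory holding all seccomp filters below`. Note also that RUN_SECCOMP_CFG previously named exactly this path and is now a file inside it, so any code that tests the old path for existence would now find a directory rather than the configured filter; the other users of RUN_SECCOMP_CFG are not visible here and are worth a grep. The removal of RUN_RESOLVCONF_FILE at old line 98 looks like a dead-define cleanup, since nothing in this diff references it.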
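diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
 		fslib_duplicate(buf);
 	}
 	fclose(fp);
+	unlink(RUN_LIB_FILE);
 }
 
 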
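Review bot: The return value of the new `unlink(RUN_LIB_FILE)` at new line 136 is discarded, and unlike the `int rv = unlink(...); (void) rv;` idiom used in sandbox.c in this same commit it gives no hint that ignoring failure is intended. A failed unlink leaves the library list behind in the mnt directory, so suggest `if (unlink(RUN_LIB_FILE) == -1 && errno != ENOENT)` followed by the file's usual warning or error reporting, plus a one-line comment such as `// the library list has been consumed; remove it from the mnt directory` so the intent is recorded. fslib_copy_libs begins outside the hunk, so whether the `fclose(fp)` above is the last reader of this file cannot be confirmed from here.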
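diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2effebbaa..a7af4b127 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
 	fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+	create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
 	if (arg_seccomp_block_secondary)
 		copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 	else {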
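Review bot: `create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755)` at new line 89 carries no comment explaining why the filters now get a dedicated directory, while the neighbouring copy_file line is commented; suggest `// all seccomp filters go in one directory so sandbox.c can remount it read-only in one step`, that remount being what the sandbox.c hunk of this commit adds. Mode 0755 leaves the directory world-readable, which matches the 0644 used for the copied filter at new line 92 and looks deliberate. Whether create_empty_dir_as_root reports or aborts on failure is not visible in this hunk; if it returns silently, the copy_file calls that follow would fail on the missing directory. preproc_mount_mnt_dir continues outside the hunk.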
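diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2b5d30158..101a16d00 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
 	// save state of nonewprivs
 	save_nonewprivs();
 
-	// set capabilities
-	set_caps();
-
 	// save cpu affinity mask to CPU_CFG file
 	save_cpu();
 
@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
 		int rv = unlink(RUN_SECCOMP_MDWX);
 		(void) rv;
 	}
+	// make seccomp filters read-only
+	fs_rdonly(RUN_SECCOMP_DIR);
 #endif
 
+	// set capabilities
+	set_caps();
+
 	//****************************************
 	// communicate progress of sandbox set up
 	// to --join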
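Review bot: set_caps() is moved from before save_cpu() (old lines 1056-1058) to after the seccomp block (new lines 1105-1106), so everything in between now runs with the caller's full capability set, and neither hunk records why; the likely reason is that the new `fs_rdonly(RUN_SECCOMP_DIR)` at new line 1102 needs CAP_SYS_ADMIN to remount, but that is inferred rather than shown. Suggest documenting it at the new call site, e.g. `// set capabilities - done after fs_rdonly(), which still needs CAP_SYS_ADMIN`, so a later reorder does not silently move the drop back above the remount. The read-only remount is a useful hardening step, since it keeps the sandboxed process from rewriting filters that are presumably read later (RUN_SECCOMP_POSTEXEC is described in firejail.h as the post-exec filter), and placing it after the `unlink(RUN_SECCOMP_MDWX)` above is the right order because the unlink would fail on a read-only mount. fs_rdonly's return value, if it has one, is not checked here. sandbox() begins and ends outside both hunks.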