9 files changed, 34 insertions, 5 deletions

diff --git a/.gitignore b/.gitignore
index 180f623eb..549f12738 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
 seccomp.mdwx.32
+seccomp.namespaces
+seccomp.namespaces.32
 aclocal.m4
 __pycache__
 *.pyc
diff --git a/Makefile b/Makefile
index 494f853d5..1343cb87d 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
 MYDIRS = src/lib src/man $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 seccomp.namespaces seccomp.namespaces.32
 
 SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
 
@@ -63,6 +63,8 @@ define build_filters
         src/fseccomp/fseccomp secondary block seccomp.block_secondary
         src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
         src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
+        src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
+        src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
 endef
 
 
diff --git a/RELNOTES b/RELNOTES
index e356d712a..0244d9741 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.73) baseline; urgency=low
     overwritten using --hostname command
   * feature: add IPv6 support for --net.print option
   * feature: QUIC (HTTP/3) support in --nettrace
+  * feature: use seccomp filters build at install time for --restrict-namespaces
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578 #5741)
@@ -20,7 +21,7 @@ firejail (0.9.73) baseline; urgency=low
     #5618)
   * bugfix: fix --hostname and --hosts-file commands
   * bugfix: arp.c: ensure positive timeout on select(2) (#5806)
-  * bugfix: makefiles fixes: seccomp filters and man pages are build every
+  * build: fixed problem with seccomp filters and man pages built every
      time when running make
   * build: auto-generate syntax files (#5627)
   * build: mark all phony targets as such (#5637)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d85b470e6..c791913ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code;	// always exit with first child's exit s
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
 extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
         DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 732ca93c2..45b199db4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
                                 exit_err_feature("seccomp");
                 }
                 else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
-                        if (checkcfg(CFG_SECCOMP))
+                        if (checkcfg(CFG_SECCOMP)) {
+                                arg_restrict_namespaces = 1;
                                 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                        }
                         else
                                 exit_err_feature("seccomp");
                 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6055ec95b..e0c11a005 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
                 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                         errExit("set_perms");
                 if (cfg.restrict_namespaces) {
+                        copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
                         create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
                         if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
                                 errExit("set_perms");
                         create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
                         if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
                                 errExit("set_perms");
+#endif
                 }
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ae881664b..07449f646 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // restrict-namespaces
         if (strcmp(ptr, "restrict-namespaces") == 0) {
-                if (checkcfg(CFG_SECCOMP))
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_restrict_namespaces = 1;
                         profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                }
                 else
                         warning_feature_disabled("seccomp");
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9eb476f16..538f5be67 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1211,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
                 seccomp_load(RUN_SECCOMP_MDWX_32);
         }
 
-        if (cfg.restrict_namespaces) {
+        if (arg_restrict_namespaces) {
+                if (arg_seccomp_error_action != EPERM) {
+                        seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+                        seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+                }
+
+                if (arg_debug)
+                        printf("Install namespaces filter\n");
+                seccomp_load(RUN_SECCOMP_NS);   // install filter
+                seccomp_load(RUN_SECCOMP_NS_32);
+
+        }
+        else if (cfg.restrict_namespaces) {
                 seccomp_filter_namespaces(true, cfg.restrict_namespaces);
                 seccomp_filter_namespaces(false, cfg.restrict_namespaces);
 
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 7fc0f21f3..d36851a4e 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces"   // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32      LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"