-rw-r--r--.gitignore4
-rw-r--r--Makefile.in10
-rw-r--r--README.md9
-rw-r--r--RELNOTES1
-rwxr-xr-xplatform/rpm/old-mkrpm.sh8
-rw-r--r--src/firejail/firejail.h10
-rw-r--r--src/firejail/main.c44
-rw-r--r--src/firejail/preproc.c84
-rw-r--r--src/firejail/profile.c23
-rw-r--r--src/firejail/seccomp.c24
-rw-r--r--src/firejail/usage.c1
-rw-r--r--src/fseccomp/seccomp_print.c4
-rw-r--r--src/fseccomp/seccomp_secondary.c2
-rw-r--r--src/fseccomp/syscall.c6
-rw-r--r--src/include/seccomp.h58
-rw-r--r--src/man/firejail.txt13
-rwxr-xr-xtest/filters/seccomp-debug-32.exp16
-rwxr-xr-xtest/filters/seccomp-debug.exp28
-rwxr-xr-xtest/profiles/test-profile.exp1
19 files changed, 281 insertions, 65 deletions
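--- a/.gitignore
+++ b/.gitignore
@@ -28,7 +28,7 @@ src/fldd/fldd
 uids.h
 seccomp
 seccomp.debug
-seccomp.i386
-seccomp.amd64
+seccomp.32
+seccomp.64
 seccomp.block_secondary
 seccomp.mdwx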
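--- a/Makefile.in
+++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -43,8 +43,8 @@ filters: src/fseccomp
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 	src/fseccomp/fseccomp default seccomp
 	src/fseccomp/fseccomp default seccomp.debug allow-debuggers
-	src/fseccomp/fseccomp secondary 32 seccomp.i386
-	src/fseccomp/fseccomp secondary 64 seccomp.amd64
+	src/fseccomp/fseccomp secondary 32 seccomp.32
+	src/fseccomp/fseccomp secondary 64 seccomp.64
 	src/fseccomp/fseccomp secondary block seccomp.block_secondary
 	src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
 endif
@@ -103,8 +103,8 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 	install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
-	install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
-	install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
 endif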
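--- a/README.md
+++ b/README.md
@@ -174,6 +174,15 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej
  amd64, i386 and x32 system calls are blocked as well as chang‐
  ing the execution domain with personality(2) system call.
 
+ --profile.print=name|pid
+ Print the name of the profile file for the sandbox identified
+ by name or or PID.
+
+ Example:
+ $ firejail --profile.print=browser
+ /etc/firejail/firefox.profile
+
+
 `````
 
 ## /etc/firejail/firejail.config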
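--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.50~rc1) baseline; urgency=low
  * feature: private /lib directory (--private-lib)
  * feature: disable CDROM/DVD drive (--nodvd)
  * feature: disable DVB devices (--notv)
+ * feature: --profile.print
  * enhancement: print all seccomp filters under --debug
  * enhancement: /proc/sys mounting
  * enhancement: rework IP address assingment for --net options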
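--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -36,9 +36,9 @@ install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firej
 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.amd64 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.i386 firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/.
 
@@ -492,9 +492,9 @@ rm -rf %{buildroot}
 /usr/lib/firejail/fnet
 /usr/lib/firejail/fseccomp
 /usr/lib/firejail/seccomp
-/usr/lib/firejail/seccomp.amd64
+/usr/lib/firejail/seccomp.64
 /usr/lib/firejail/seccomp.debug
-/usr/lib/firejail/seccomp.i386
+/usr/lib/firejail/seccomp.32
 /usr/lib/firejail/seccomp.block_secondary
 /usr/lib/firejail/seccomp.mdwx
 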
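--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -34,6 +34,7 @@
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
+#define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile"
 #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
 #define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE "/run/firejail/firejail.ro.file"
@@ -54,15 +55,15 @@
 
 #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
 #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
-#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
+#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
 #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
 #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
-#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make
-#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make
+#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
+#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
 #define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
 
@@ -410,6 +411,7 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
+void preproc_clean_run(void);
 
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them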
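--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -130,15 +130,22 @@ unsigned long long start_timestamp;
 
 static void set_name_file(pid_t pid);
 static void delete_name_file(pid_t pid);
+static void delete_profile_file(pid_t pid);
 static void delete_x11_file(pid_t pid);
 
 void clear_run_files(pid_t pid) {
 	bandwidth_del_run_file(pid); // bandwidth file
 	network_del_run_file(pid); // network map file
 	delete_name_file(pid);
+	delete_profile_file(pid);
 	delete_x11_file(pid);
 }
 
+static void clear_atexit(void) {
+	EUID_ROOT();
+	clear_run_files(getpid());
+}
+
 static void myexit(int rv) {
 	logmsg("exiting...");
 	if (!arg_command && !arg_quiet)
@@ -465,6 +472,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		exit(0);
 	}
 #endif
+	else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
+		pid_t pid = read_pid(argv[i] + 16);
+
+		// print /run/firejail/profile/<PID> file
+		char *fname;
+		if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1)
+			errExit("asprintf");
+		FILE *fp = fopen(fname, "r");
+		if (!fp) {
+			fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16);
+			exit(1);
+		}
+#define MAXBUF 4096
+		char buf[MAXBUF];
+		if (fgets(buf, MAXBUF, fp))
+			printf("%s", buf);
+		fclose(fp);
+		exit(0);
+
+	}
 	else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
 		// join sandbox by pid or by name
 		pid_t pid = read_pid(argv[i] + 12);
@@ -738,6 +765,15 @@ static void delete_name_file(pid_t pid) {
 	free(fname);
 }
 
+static void delete_profile_file(pid_t pid) {
+	char *fname;
+	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
+		errExit("asprintf");
+	int rv = unlink(fname);
+	(void) rv;
+	free(fname);
+}
+
 void set_x11_file(pid_t pid, int display) {
 	char *fname;
 	if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -825,12 +861,14 @@ int main(int argc, char **argv) {
 	char *custom_profile_dir = NULL; // custom profile directory
 
 
+	atexit(clear_atexit);
+
 	// get starting timestamp
 	start_timestamp = getticks();
 
-
 	// build /run/firejail directory structure
 	preproc_build_firejail_dir();
+	preproc_clean_run();
 
 	if (check_arg(argc, argv, "--quiet"))
 		arg_quiet = 1;
@@ -2554,14 +2592,10 @@ int main(int argc, char **argv) {
 		close(lockfd);
 	}
 
-	// create name file under /run/firejail
-
-
 	// handle CTRL-C in parent
 	signal (SIGINT, my_handler);
 	signal (SIGTERM, my_handler);
 
-
 	// wait for the child to finish
 	EUID_USER();
 	int status = 0;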
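Review bot: In the new `--profile.print=` branch the message `Error: sandbox %s not found` is printed for every fopen() failure, including a sandbox that is alive but for which profile_read() never recorded a file, so the user is told a running sandbox does not exist; reporting the actual cause, e.g. `fprintf(stderr, "Error: no profile file recorded for sandbox %s\n", argv[i] + 16);`, or distinguishing on errno, would be more accurate. The `#define MAXBUF 4096` placed inside the branch is never undefined and stays visible to the rest of main.c; a local `enum { MAXBUF = 4096 };` keeps it scoped, assuming the name is not already defined elsewhere in the file. `clear_atexit`, registered at the top of main(), is inherited by every forked child that later calls exit() rather than _exit(), where getpid() no longer names the sandbox and `EUID_ROOT()` is invoked in whatever privilege state that child is in — worth confirming that no child reaches exit() after dropping root irreversibly, or guarding the handler with the pid recorded at registration. run_cmd_and_exit and main both continue outside the hunks.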
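--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -20,6 +20,8 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
+#include <sys/types.h>
+#include <dirent.h>
 
 static int tmpfs_mounted = 0;
 
@@ -48,6 +50,10 @@ void preproc_build_firejail_dir(void) {
 		create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
 	}
 
+	if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) {
+		create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
+	}
+
 	if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
 		create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
 	}
@@ -79,8 +85,8 @@ void preproc_mount_mnt_dir(void) {
 		copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 	else {
 		//copy default seccomp files
-		copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
-		copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+		copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+		copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
 	}
 	if (arg_allow_debuggers)
 		copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
@@ -98,3 +104,77 @@ void preproc_mount_mnt_dir(void) {
 		errExit("set_perms");
 	}
 }
+
+// clean run directory
+void preproc_clean_run(void) {
+	int max_pids=32769;
+	int start_pid = 100;
+	// extract real max_pids
+	FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
+	if (fp) {
+		int val;
+		if (fscanf(fp, "%d", &val) == 1) {
+			if (val >= max_pids)
+				max_pids = val + 1;
+		}
+		fclose(fp);
+	}
+	int *pidarr = malloc(max_pids * sizeof(int));
+	if (!pidarr)
+		errExit("malloc");
+
+	memset(pidarr, 0, max_pids * sizeof(int));
+
+	// open /proc directory
+	DIR *dir;
+	if (!(dir = opendir("/proc"))) {
+		// sleep 2 seconds and try again
+		sleep(2);
+		if (!(dir = opendir("/proc"))) {
+			fprintf(stderr, "Error: cannot open /proc directory\n");
+			exit(1);
+		}
+	}
+
+	// read /proc and populate pidarr with all active processes
+	struct dirent *entry;
+	char *end;
+	while ((entry = readdir(dir)) != NULL) {
+		pid_t pid = strtol(entry->d_name, &end, 10);
+		pid %= max_pids;
+		if (end == entry->d_name || *end)
+			continue;
+
+		if (pid < start_pid)
+			continue;
+		pidarr[pid] = 1;
+	}
+	closedir(dir);
+
+	// open /run/firejail/profile directory
+	if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
+		// sleep 2 seconds and try again
+		sleep(2);
+		if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
+			fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR);
+			exit(1);
+		}
+	}
+
+	// read /run/firejail/profile directory and clean leftover files
+	while ((entry = readdir(dir)) != NULL) {
+		pid_t pid = strtol(entry->d_name, &end, 10);
+		pid %= max_pids;
+		if (end == entry->d_name || *end)
+			continue;
+
+		if (pid < start_pid)
+			continue;
+		if (pidarr[pid] == 0)
+			clear_run_files(pid);
+	}
+	closedir(dir);
+
+	free(pidarr);
+}
+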
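Review bot: In `preproc_clean_run` the line `pid %= max_pids;` runs before the name is validated and silently folds any out-of-range number back into the table, so an entry whose name exceeds pid_max is looked up — and, in the second loop, handed to `clear_run_files` — under a different pid than the one it names; an explicit bound is safer in both loops: `if (end == entry->d_name || *end || pid < start_pid || pid >= max_pids) continue;` with the modulo dropped. Assigning `strtol` straight into a `pid_t` also truncates long digit strings; parsing into a `long` and range-checking before the narrowing assignment avoids relying on the wrapped negative being caught by `pid < start_pid`. `malloc` followed by `memset` is `calloc(max_pids, sizeof(int))`, which additionally guards the size multiplication. Since pid_max can be raised to 4194304 the table is up to 16 MiB on every firejail start; a bitmap, or resolving only the pids actually present in the profile directory against /proc, would be cheaper without changing the result.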
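--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1193,6 +1193,29 @@ void profile_read(const char *fname) {
 		exit(1);
 	}
 
+	// save the name of the file for --profile.print option
+	if (include_level == 0) {
+		char *runfile;
+		if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, getpid()) == -1)
+			errExit("asprintf");
+
+		EUID_ROOT();
+		// the file is deleted first
+		FILE *fp = fopen(runfile, "w");
+		if (!fp) {
+			fprintf(stderr, "Error: cannot create %s\n", runfile);
+			exit(1);
+		}
+		fprintf(fp, "%s\n", fname);
+
+		// mode and ownership
+		SET_PERMS_STREAM(fp, 0, 0, 0644);
+		fclose(fp);
+		EUID_USER();
+		free(runfile);
+	}
+
+
 	int msg_printed = 0;
 
 	// read the file line by line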
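Review bot: The comment `// the file is deleted first` does not match the code below it: `fopen(runfile, "w")` truncates in place and follows whatever already sits at that path, and the call runs under `EUID_ROOT()`. The directory is created root-owned 0755 by preproc.c in this same commit, so an unprivileged user cannot plant an entry there, but the name is a bare pid that a previous sandbox may have left behind if its cleanup did not run; unlinking first and then creating with `O_CREAT | O_EXCL | O_NOFOLLOW` makes the comment true and removes the dependence on the directory mode (needs `<fcntl.h>` if profile.c does not already include it). Note also that the file is world-readable by design (0644) and the path written into it may lie under the caller's home directory, which is exactly what `--profile.print` exposes to other local users. profile_read continues outside the hunk.
```c
		EUID_ROOT();
		// drop any stale entry, then create a fresh file; never follow an existing link
		unlink(runfile);
		int fd = open(runfile, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
		if (fd == -1) {
			fprintf(stderr, "Error: cannot create %s\n", runfile);
			exit(1);
		}
		FILE *fp = fdopen(fd, "w");
		if (!fp)
			errExit("fdopen");
		fprintf(fp, "%s\n", fname);
		// … unchanged: SET_PERMS_STREAM, fclose, EUID_USER, free …
```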
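--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -137,22 +137,22 @@ errexit:
 	exit(1);
 }
 
-// i386 filter installed on amd64 architectures
-#if defined(__x86_64__)
+// 32 bit arch filter installed on 64 bit architectures
+#if defined(__LP64__)
 static void seccomp_filter_32(void) {
-	if (seccomp_load(RUN_SECCOMP_I386) == 0) {
+	if (seccomp_load(RUN_SECCOMP_32) == 0) {
 		if (arg_debug)
-			printf("Dual i386/amd64 seccomp filter configured\n");
+			printf("Dual 32/64 bit seccomp filter configured\n");
 	}
 }
 #endif
 
-// amd64 filter installed on i386 architectures
-#if defined(__i386__)
+// 64 bit arch filter installed on 32 bit architectures
+#if defined(__ILP32__)
 static void seccomp_filter_64(void) {
-	if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
+	if (seccomp_load(RUN_SECCOMP_64) == 0) {
 		if (arg_debug)
-			printf("Dual i386/amd64 seccomp filter configured\n");
+			printf("Dual 32/64 bit seccomp filter configured\n");
 	}
 }
 #endif
@@ -177,10 +177,10 @@ int seccomp_filter_drop(void) {
 	if (arg_seccomp_block_secondary)
 		seccomp_filter_block_secondary();
 	else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 		seccomp_filter_32();
 #endif
-#if defined(__i386__)
+#if defined(__ILP32__)
 		seccomp_filter_64();
 #endif
 	}
@@ -190,10 +190,10 @@ int seccomp_filter_drop(void) {
 	if (arg_seccomp_block_secondary)
 		seccomp_filter_block_secondary();
 	else {
-#if defined(__x86_64__)
+#if defined(__LP64__)
 		seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
+#if defined(__ILP32__)
 		seccomp_filter_64();
 #endif
 	}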
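Review bot: `__ILP32__` is also predefined for the x86-64 x32 ABI, where `__x86_64__` is set as well, so on an x32 build `seccomp_filter_64()` is compiled in and loads RUN_SECCOMP_64 while seccomp.h in this same commit resolves both ARCH_NR and ARCH_64 to AUDIT_ARCH_X86_64; the "secondary" filter would then match the native arch value. If x32 is not a supported target a comment saying so is enough; otherwise the guard here and at the two call sites in seccomp_filter_drop could read `#if defined(__ILP32__) && !defined(__x86_64__)`. Both `__LP64__` and `__ILP32__` are GCC/Clang conventions rather than standard C, which is fine for this tree but deserves a one-line comment above the first `#if defined(__LP64__)`, e.g. `// __LP64__/__ILP32__ give the native pointer width; the complementary arch filter is the other one`. seccomp_filter_drop starts and ends outside the hunks.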
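--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -159,6 +159,7 @@ void usage(void) {
 	printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n");
 	printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n");
 	printf(" --profile=filename - use a custom profile.\n");
+	printf(" --profile.print=name|pid - print the name of profile file.\n");
 	printf(" --profile-path=directory - use this directory to look for profile files.\n");
 	printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");
 	printf(" --protocol.print=name|pid - print the protocol filter.\n");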
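--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -90,7 +90,7 @@ static int detect_filter_type(void) {
 	}
 
 
-	// testing for secondare amd64 filter
+	// testing for secondary 64 bit filter
 	const struct sock_filter start_secondary_64[] = {
 		VALIDATE_ARCHITECTURE_64,
 		EXAMINE_SYSCALL,
@@ -102,7 +102,7 @@ static int detect_filter_type(void) {
 		return sizeof(start_secondary_64) / sizeof(struct sock_filter);
 	}
 
-	// testing for secondare i386 filter
+	// testing for secondary 32 bit filter
 	const struct sock_filter start_secondary_32[] = {
 		VALIDATE_ARCHITECTURE_32,
 		EXAMINE_SYSCALL,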
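--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -108,7 +108,7 @@ void seccomp_secondary_64(const char *fname) {
 	write_filter(fname, sizeof(filter), filter);
 }
 
-// i386 filter installed on amd64 architectures
+// 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
 	// hardcoded syscall values
 	struct sock_filter filter[] = {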
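--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -83,6 +83,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vm86old
 		"vm86old"
 #endif
+#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old)
+		"__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
+#endif
 	},
 	{ .name = "@debug", .list =
 #ifdef SYS_lookup_dcookie
@@ -103,9 +106,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_sys_debug_setcontext
 		"sys_debug_setcontext,"
 #endif
-#if !defined(SYS_lookup_dcookie) && !defined(SYS_perf_event_open) && !defined(SYS_process_vm_writev) && !defined(SYS_rtas) && !defined(SYS_s390_runtime_instr) && !defined(SYS_sys_debug_setcontext)
-		"__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
-#endif
 	},
 	{ .name = "@default", .list =
 		"@cpu-emulation,"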
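--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -91,10 +91,64 @@ struct seccomp_data {
 
 #if defined(__i386__)
 # define ARCH_NR AUDIT_ARCH_I386
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
 #elif defined(__x86_64__)
 # define ARCH_NR AUDIT_ARCH_X86_64
+# define ARCH_32 AUDIT_ARCH_I386
+# define ARCH_64 AUDIT_ARCH_X86_64
+#elif defined(__aarch64__)
+# define ARCH_NR AUDIT_ARCH_AARCH64
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
 #elif defined(__arm__)
 # define ARCH_NR AUDIT_ARCH_ARM
+# define ARCH_32 AUDIT_ARCH_ARM
+# define ARCH_64 AUDIT_ARCH_AARCH64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPS
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPS64
+# define ARCH_32 AUDIT_ARCH_MIPS
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+# define ARCH_NR AUDIT_ARCH_MIPSEL64
+# define ARCH_32 AUDIT_ARCH_MIPSEL
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPS64N32
+# define ARCH_32 AUDIT_ARCH_MIPS64N32
+# define ARCH_64 AUDIT_ARCH_MIPS64
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+# define ARCH_NR AUDIT_ARCH_MIPSEL64N32
+# define ARCH_32 AUDIT_ARCH_MIPSEL64N32
+# define ARCH_64 AUDIT_ARCH_MIPSEL64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_PPC64LE
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__powerpc__)
+# define ARCH_NR AUDIT_ARCH_PPC
+# define ARCH_32 AUDIT_ARCH_PPC
+# define ARCH_64 AUDIT_ARCH_PPC64LE
+#elif defined(__s390x__)
+# define ARCH_NR AUDIT_ARCH_S390X
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__s390__)
+# define ARCH_NR AUDIT_ARCH_S390
+# define ARCH_32 AUDIT_ARCH_S390
+# define ARCH_64 AUDIT_ARCH_S390X
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR 0
@@ -112,12 +166,12 @@ struct seccomp_data {
 
 #define VALIDATE_ARCHITECTURE_64 \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #define VALIDATE_ARCHITECTURE_32 \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
 #if defined(__x86_64__)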
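Review bot: `VALIDATE_ARCHITECTURE_64` and `VALIDATE_ARCHITECTURE_32` now expand `ARCH_64`/`ARCH_32`, but the `#else` fallback visible in the first hunk defines only `ARCH_NR 0`, so a platform that reaches the `#warning` branch would stop compiling wherever these macros are used, where before they resolved to the x86 constants — unless the fallback continues with those two definitions past the hunk; if it does not, add `# define ARCH_32 0` and `# define ARCH_64 0` beside `# define ARCH_NR 0`. The plain `__powerpc__` branch pairs a 32-bit build with `AUDIT_ARCH_PPC64LE` regardless of byte order, whereas the `__powerpc64__` and `__mips__` branches key on `__BYTE_ORDER`; a big-endian ppc32 build therefore gets an LE 64-bit counterpart, and the same `__BYTE_ORDER == __BIG_ENDIAN` split used for `__powerpc64__` fixes it. `__BYTE_ORDER`/`__BIG_ENDIAN` are glibc names from `<endian.h>`; if this header relies on an earlier include for them, an `#if` in which both are undefined compares 0 with 0 and the `__mips__` tests silently pick the big-endian branch, so an explicit `#include <endian.h>` or the compiler's `__BYTE_ORDER__`/`__ORDER_BIG_ENDIAN__` is safer.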
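--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1424,6 +1424,19 @@ Example:
 $ firejail \-\-profile=myprofile
 
 .TP
+\fB\-\-profile.print=name|pid
+Print the name of the profile file for the sandbox identified by name or or PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-profile.print=browser
+.br
+/etc/firejail/firefox.profile
+.br
+
+.TP
 \fB\-\-profile-path=directory
 Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
 For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in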
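diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp
index 6983758c3..098b309f5 100755
--- a/test/filters/seccomp-debug-32.exp
+++ b/test/filters/seccomp-debug-32.exp
@@ -43,7 +43,7 @@ expect {
 }
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
 	timeout {puts "TESTING ERROR 9\n";exit}
@@ -56,13 +56,13 @@ send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 10\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 12\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 13\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 15\n";exit}
 	"done"
 }
 after 100
@@ -82,7 +82,7 @@ expect {
 expect {
 	timeout {puts "TESTING ERROR 21\n";exit}
 	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter"
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter"
 }
 expect {
 	timeout {puts "TESTING ERROR 23\n";exit}
@@ -110,12 +110,12 @@ expect {
 send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 27\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 28\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 29\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 30\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {
@@ -128,12 +128,12 @@ after 100
 send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 33\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 34\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 35\n";exit}
-	"Installing /run/firejail/mnt/seccomp.amd64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+	"Installing /run/firejail/mnt/seccomp.64 seccomp filter" {puts "TESTING ERROR 35\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {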
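diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 7a4a13991..4986a6bf6 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -31,7 +31,7 @@ expect {
 after 100
 
 
-# amd64 architecture
+# 64 bit architecture
 send -- "firejail --debug sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
@@ -43,7 +43,7 @@ expect {
 }
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
 }
 expect {
 	timeout {puts "TESTING ERROR 8\n";exit}
@@ -55,18 +55,18 @@ expect {
 }
 after 100
 
-# amd64 architecture - ignore seccomp
+# 64 bit architecture - ignore seccomp
 send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 10\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 13\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
 	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
 }
 expect {
@@ -75,7 +75,7 @@ expect {
 }
 after 100
 
-# amd64 architecture - ignore protocol
+# 64 bit architecture - ignore protocol
 send -- "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 17\n";exit}
@@ -90,7 +90,7 @@ expect {
 expect {
 	timeout {puts "TESTING ERROR 21\n";exit}
 	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter"
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
 }
 expect {
 	timeout {puts "TESTING ERROR 23\n";exit}
@@ -114,21 +114,21 @@ expect {
 }
 
 
-# amd64 architecture - seccomp.block-secondary
+# 64 bit architecture - seccomp.block-secondary
 send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 27\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 29\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {
 	timeout {puts "TESTING ERROR 31\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
 	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
 }
 expect {
@@ -137,16 +137,16 @@ expect {
 }
 after 100
 
-# amd64 architecture - seccomp.block-secondary, profile
+# 64 bit architecture - seccomp.block-secondary, profile
 send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
 	timeout {puts "TESTING ERROR 33\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
 	"Child process initialized"
 }
 expect {
 	timeout {puts "TESTING ERROR 35\n";exit}
-	"Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
 	"Installing /run/firejail/mnt/seccomp seccomp filter"
 }
 expect {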
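diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp
index 6bc47f33f..63fb3a150 100755
--- a/test/profiles/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -18,6 +18,5 @@ expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"done"
 }
-send -- "exit\r"
 after 100
 puts "\n"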