-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/bitlbee.profile | 1 | ||||
-rw-r--r-- | etc/disable-common.inc | 12 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/neverball.profile | 37 | ||||
-rw-r--r-- | etc/server.profile | 2 | ||||
-rw-r--r-- | etc/steam.profile | 18 | ||||
-rw-r--r-- | etc/strings.profile | 3 | ||||
-rw-r--r-- | etc/xonotic.profile | 1 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/bandwidth.c | 3 | ||||
-rw-r--r-- | src/firejail/output.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 13 | ||||
-rw-r--r-- | src/firejail/usage.c | 7 | ||||
-rw-r--r-- | src/firejail/x11.c | 30 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 43 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
19 files changed, 113 insertions, 70 deletions
@@ -214,4 +214,4 @@ IntelliJ IDEA, Android Studio, electron, riot-web, | |||
214 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, | 214 | Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux, |
215 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, | 215 | telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard, |
216 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, | 216 | remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar, |
217 | musescore | 217 | musescore, neverball |
@@ -25,7 +25,7 @@ firejail (0.9.49) baseline; urgency=low | |||
25 | * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux | 25 | * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux |
26 | * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, | 26 | * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, |
27 | * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter, sqlitebrowse, | 27 | * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter, sqlitebrowse, |
28 | * new profiles: truecraft, gnome-twitch, tuxguitar, musescore | 28 | * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball |
29 | * bugfixes | 29 | * bugfixes |
30 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 30 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
31 | 31 | ||
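--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc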
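--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
 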
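--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders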
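--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.neverball
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp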
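Review bot: The new profile pairs `netfilter` with `protocol unix,netlink`, which leaves the network stance ambiguous: netfilter only matters if the sandbox has network access, while the protocol line allows no inet/inet6 sockets. If neverball needs no network, `net none` states that directly and makes `netfilter` unnecessary; if it does (I cannot tell from the profile), inet/inet6 belong in the protocol list. A one-line comment recording which it is would keep the next reviewer from guessing.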
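--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc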
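--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
 
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp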
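--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,9 +18,8 @@ novideo
 shell none
 tracelog
 
-private-bin strings
+# private-bin strings - breaking on Debian
 private-dev
-private-lib
 
 memory-deny-write-execute
 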
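Review bot: The removal of `private-lib` carries no explanation, while the disabled `private-bin strings` line records why it was turned off; both relax the sandbox, so the reason should survive in the profile. If private-lib was dropped for the same Debian breakage, keep it commented out with the same note, `# private-lib - breaking on Debian`, instead of deleting it, so a later reviewer knows it was tried and why it was reverted.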
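--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}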
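--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -220,6 +220,7 @@
 /etc/firejail/mutt.profile
 /etc/firejail/nautilus.profile
 /etc/firejail/nemo.profile
+/etc/firejail/neverball.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/nolocal.net
 /etc/firejail/nylas.profile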
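--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -197,6 +197,7 @@ musescore
 mutt
 nautilus
 netsurf
+neverball
 nylas
 obs
 odt2txt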
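--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -441,9 +441,6 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 arg[2] = cmd;
 arg[3] = NULL;
 clearenv();
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(arg[0], arg);
 
 // it will never get here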
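--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -102,10 +102,6 @@ void check_output(int argc, char **argv) {
 a[1] = "-c";
 a[2] = cmd;
 a[3] = NULL;
-
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(a[0], a);
 
 perror("execvp");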
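--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -269,19 +269,6 @@ static int monitor_application(pid_t app_pid) {
 return status;
 }
 
-void start_audit(void) {
-char *audit_prog;
-if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
-errExit("asprintf");
-assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
-execl(audit_prog, audit_prog, NULL);
-perror("execl");
-exit(1);
-}
-
 static void print_time(void) {
 if (start_timestamp) {
 unsigned long long end_timestamp = getticks();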
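--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -106,6 +106,10 @@ void usage(void) {
 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
 #endif
 printf(" --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_SECCOMP
+printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n");
+printf("\tmemory mappings that are both writable and executable.\n");
+#endif
 #ifdef HAVE_NETWORK
 printf(" --mtu=number - set interface MTU.\n");
 #endif
@@ -179,12 +183,11 @@ void usage(void) {
 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n");
 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\tdefault syscall list and the syscalls specified by the command.\n");
+printf(" --seccomp.block-secondary - build only the native architecture filters.\n");
 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
 printf("\tblacklist the syscalls specified by the command.\n");
 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
 printf("\twhitelist the syscalls specified by the command.\n");
-printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");
-printf("\treturn errno for the syscalls specified by the command.\n");
 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
 printf("\tidentified by name or PID.\n");
 #endif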
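Review bot: The second hunk drops the `--seccomp.<errno>=syscall,...` help lines from usage(), yet the src/fseccomp/syscall.c hunks in this same commit extend the error_nr handling (the new `syscall:errno` prelist entries), which suggests the option is still accepted; if so, the usage text should stay, placed after the `--seccomp.keep` lines so the list remains alphabetical with the new `--seccomp.block-secondary` entry. If the option really was removed from the parser, a line in RELNOTES recording that would keep users from relying on the man page. usage() starts and ends outside both hunks.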
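--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -321,9 +321,6 @@ void x11_start_xvfb(int argc, char **argv) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -368,9 +365,6 @@ void x11_start_xvfb(int argc, char **argv) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(jail_argv[0], jail_argv);
 perror("execvp");
 _exit(1);
@@ -563,9 +557,6 @@ void x11_start_xephyr(int argc, char **argv) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -610,9 +601,6 @@ void x11_start_xephyr(int argc, char **argv) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(jail_argv[0], jail_argv);
 perror("execvp");
 _exit(1);
@@ -742,9 +730,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -796,9 +781,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(attach_argv[0], attach_argv);
 perror("execvp");
 _exit(1);
@@ -828,9 +810,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 if (jail == 0) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 if (firejail_argv[0]) // shut up llvm scan-build
 execvp(firejail_argv[0], firejail_argv);
 perror("execvp");
@@ -859,9 +838,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 }
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(stop_argv[0], stop_argv);
 perror("execvp");
 _exit(1);
@@ -1028,9 +1004,6 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
 
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -1168,9 +1141,6 @@ void x11_xorg(void) {
 #ifdef HAVE_GCOV
 __gcov_flush();
 #endif
-#ifdef HAVE_SECCOMP
-seccomp_install_filters();
-#endif
 execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
 "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
 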
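--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -492,10 +492,15 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
 }
 else if (callback != NULL) {
-if (error_nr != -1)
+if (error_nr != -1 && fd != 0) {
 filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
-else
+}
+else if (error_nr != -1 && fd == 0) {
+callback(fd, syscall_nr, error_nr, ptrarg);
+}
+else {
 callback(fd, syscall_nr, arg, ptrarg);
+}
 }
 }
 ptr = strtok_r(NULL, ",", &saveptr);
@@ -523,20 +528,34 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
 sl.syscall = syscall;
 syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
 // if found in the problem list, add to post-exec list
-if (sl.found)
+if (sl.found) {
 if (ptr->postlist) {
 if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
 errExit("asprintf");
 }
 else
 ptr->postlist = strdup(syscall_find_nr(syscall));
-else // no problem, add to pre-exec list
+}
+else { // no problem, add to pre-exec list
+// build syscall:error_no
+char *newcall;
+if (arg != 0) {
+if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
+errExit("asprintf");
+}
+else {
+newcall = strdup(syscall_find_nr(syscall));
+if (!newcall)
+errExit("strdup");
+}
+
 if (ptr->prelist) {
-if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, syscall_find_nr(syscall)) == -1)
+if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
 errExit("asprintf");
 }
 else
-ptr->prelist = strdup(syscall_find_nr(syscall));
+ptr->prelist = newcall;
+}
 }
 
 // go through list and find matches for syscalls in list @default-keep
@@ -548,8 +567,16 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
 sl.prelist = NULL;
 sl.postlist = NULL;
 syscall_check_list(list, syscall_in_list, 0, 0, &sl);
-if (!arg_quiet)
-printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist);
+if (!arg_quiet) {
+printf("Seccomp list in: %s,", list);
+if (sl.slist)
+printf(" check list: %s,", sl.slist);
+if (sl.prelist)
+printf(" prelist: %s,", sl.prelist);
+if (sl.postlist)
+printf(" postlist: %s", sl.postlist);
+printf("\n");
+}
 *prelist = sl.prelist;
 *postlist = sl.postlist;
 }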
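Review bot: In the second hunk, syscall_in_list's new else branch leaks `newcall` whenever `ptr->prelist` is already set: asprintf builds the joined string into `ptr->prelist` and `newcall` is never released, so every syscall past the first in a list loses one allocation (the previous `ptr->prelist` buffer is also dropped, but that predates this change). Add `free(newcall);` after the `errExit("asprintf")` check inside the `if (ptr->prelist)` block; the else branch keeps ownership by storing it directly, which is correct. In the first hunk, syscall_check_list now treats `fd == 0` as the "no filter descriptor, hand error_nr to the callback" case, but 0 is a valid descriptor if stdin was closed before the file was opened; a comment such as `// fd == 0: no output filter, pass the errno through to the callback` at that test, or a -1 sentinel, would make the contract explicit. Both syscall_check_list and syscall_in_list start outside their hunks.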
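--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1573,7 +1573,7 @@ $, so for example $165 would be equal to mount on i386.
 
 .br
 System architecture is strictly imposed only if flag
-\-\-seccomp.block_secondary is used. The filter is applied at run time
+\-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
 and AMD64 both 32-bit and 64-bit filters are installed.
 .br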