-rw-r--r-- | src/fseccomp/namespaces.c | 19 |
1 files changed, 17 insertions, 2 deletions
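--- a/src/fseccomp/namespaces.c
+++ b/src/fseccomp/namespaces.c
@@ -133,7 +133,8 @@ void deny_ns(const char *fname, const char *list) {
 RETURN_ALLOW
 #endif
 };
-write_to_file(fd, filter, sizeof(filter));
+if (sizeof(filter))
+write_to_file(fd, filter, sizeof(filter));
 
 filter_end_blacklist(fd);
 
@@ -188,7 +189,21 @@ void deny_ns_32(const char *fname, const char *list) {
 RETURN_ALLOW
 #endif
 };
-write_to_file(fd, filter, sizeof(filter));
+
+// For Debian 10 and older, the size of the filter[] array will be 0.
+// The following filter will end up being generated:
+//
+// FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32
+// line OP JT JF K
+// =================================
+// 0000: 20 00 00 00000004 ld data.architecture
+// 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002)
+// 0002: 06 00 00 7fff0000 ret ALLOW
+// 0003: 20 00 00 00000000 ld data.syscall-number
+// 0004: 06 00 00 7fff0000 ret ALLOW
+//
+if (sizeof(filter))
+write_to_file(fd, filter, sizeof(filter));
 
 filter_end_blacklist(fd);
 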
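Review bot: When `filter[]` is empty, the `if (sizeof(filter))` guard in deny_ns_32 silently skips the write and, as the added comment itself shows, the generated program then falls through to `ret ALLOW`, so no namespace syscall is blocked for the 32-bit ABI on those kernels and the user gets no indication that the restriction is absent. A one-line fallback such as `else fprintf(stderr, "Warning: namespace seccomp filter is empty on this kernel, 32-bit namespace syscalls are not blocked\n");` (or the project's usual warning helper) would make the degraded protection visible; the same applies to the identical guard in the first hunk in deny_ns, which also received no explanatory comment. The empty-array case relies on a zero-length array, a GNU extension rather than standard C, which is worth stating in the comment so the `sizeof` check is not removed as dead code later. Both deny_ns and deny_ns_32 begin before and continue past their hunks.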