1 files changed, 43 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9d94630ef..ea04ea73f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -61,6 +61,7 @@ int arg_seccomp = 0;				// enable default seccomp filter
 char *arg_seccomp_list = NULL;          // optional seccomp list on top of default filter
 char *arg_seccomp_list_drop = NULL;             // seccomp drop list
 char *arg_seccomp_list_keep = NULL;             // seccomp keep list
+char **arg_seccomp_list_errno = NULL;           // seccomp errno[nr] lists
 int arg_caps_default_filter = 0;                        // enable default capabilities filter
 int arg_caps_drop = 0;                          // drop list
@@ -302,6 +303,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                syscall_print();
                exit(0);
        }
+        else if (strcmp(argv[i], "--debug-errnos") == 0) {
+                errno_print();
+                exit(0);
+        }
        else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                // join sandbox by pid or by name
                pid_t pid;
@@ -387,6 +392,7 @@ int main(int argc, char **argv) {
        int arg_cgroup = 0;
        int custom_profile = 0; // custom profile loaded
        int arg_noprofile = 0; // use generic.profile if none other found/specified
+        int highest_errno = errno_highest_nr();
        // check if we already have a sandbox running
        int rv = check_kernel_procs();
@@ -478,6 +484,34 @@ int main(int argc, char **argv) {
                        if (!arg_seccomp_list_keep)
                                errExit("strdup");
                }
+                else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
+                        if (arg_seccomp && !arg_seccomp_list_errno) {
+                                fprintf(stderr, "Error: seccomp already enabled\n");
+                                exit(1);
+                        }
+                        char *eq = strchr(argv[i], '=');
+                        char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
+                        int nr = errno_find_name(errnoname);
+                        if (nr == -1) {
+                                fprintf(stderr, "Error: unknown errno %s\n", errnoname);
+                                free(errnoname);
+                                exit(1);
+                        }
+                        if (!arg_seccomp_list_errno)
+                                arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0]));
+                        if (arg_seccomp_list_errno[nr]) {
+                                fprintf(stderr, "Error: errno %s already configured\n", errnoname);
+                                free(errnoname);
+                                exit(1);
+                        }
+                        arg_seccomp = 1;
+                        arg_seccomp_list_errno[nr] = strdup(eq+1);
+                        if (!arg_seccomp_list_errno[nr])
+                                errExit("strdup");
+                        free(errnoname);
+                }
 #endif          
                else if (strcmp(argv[i], "--caps") == 0)
                        arg_caps_default_filter = 1;
@@ -1288,6 +1322,15 @@ int main(int argc, char **argv) {
        
        // wait for the child to finish
        waitpid(child, NULL, 0);
+        // free globals
+        if (arg_seccomp_list_errno) {
+                for (i = 0; i < highest_errno; i++)
+                        free(arg_seccomp_list_errno[i]);
+                free(arg_seccomp_list_errno);
+        }
        myexit(0);
        return 0;
 }

diff --git a/src/firejail/main.c b/src/firejail/main.c index 9d94630ef..ea04ea73f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -61,6 +61,7 @@ int arg_seccomp = 0; // enable default seccomp filter
61	char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter	61	char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter
62	char *arg_seccomp_list_drop = NULL; // seccomp drop list	62	char *arg_seccomp_list_drop = NULL; // seccomp drop list
63	char *arg_seccomp_list_keep = NULL; // seccomp keep list	63	char *arg_seccomp_list_keep = NULL; // seccomp keep list
		64	char **arg_seccomp_list_errno = NULL; // seccomp errno[nr] lists
64		65
65	int arg_caps_default_filter = 0; // enable default capabilities filter	66	int arg_caps_default_filter = 0; // enable default capabilities filter
66	int arg_caps_drop = 0; // drop list	67	int arg_caps_drop = 0; // drop list
@@ -302,6 +303,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
302	syscall_print();	303	syscall_print();
303	exit(0);	304	exit(0);
304	}	305	}
		306	else if (strcmp(argv[i], "--debug-errnos") == 0) {
		307	errno_print();
		308	exit(0);
		309	}
305	else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {	310	else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
306	// join sandbox by pid or by name	311	// join sandbox by pid or by name
307	pid_t pid;	312	pid_t pid;
@@ -387,6 +392,7 @@ int main(int argc, char **argv) {
387	int arg_cgroup = 0;	392	int arg_cgroup = 0;
388	int custom_profile = 0; // custom profile loaded	393	int custom_profile = 0; // custom profile loaded
389	int arg_noprofile = 0; // use generic.profile if none other found/specified	394	int arg_noprofile = 0; // use generic.profile if none other found/specified
		395	int highest_errno = errno_highest_nr();
390		396
391	// check if we already have a sandbox running	397	// check if we already have a sandbox running
392	int rv = check_kernel_procs();	398	int rv = check_kernel_procs();
@@ -478,6 +484,34 @@ int main(int argc, char **argv) {
478	if (!arg_seccomp_list_keep)	484	if (!arg_seccomp_list_keep)
479	errExit("strdup");	485	errExit("strdup");
480	}	486	}
		487	else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
		488	if (arg_seccomp && !arg_seccomp_list_errno) {
		489	fprintf(stderr, "Error: seccomp already enabled\n");
		490	exit(1);
		491	}
		492	char *eq = strchr(argv[i], '=');
		493	char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10));
		494	int nr = errno_find_name(errnoname);
		495	if (nr == -1) {
		496	fprintf(stderr, "Error: unknown errno %s\n", errnoname);
		497	free(errnoname);
		498	exit(1);
		499	}
		500
		501	if (!arg_seccomp_list_errno)
		502	arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0]));
		503
		504	if (arg_seccomp_list_errno[nr]) {
		505	fprintf(stderr, "Error: errno %s already configured\n", errnoname);
		506	free(errnoname);
		507	exit(1);
		508	}
		509	arg_seccomp = 1;
		510	arg_seccomp_list_errno[nr] = strdup(eq+1);
		511	if (!arg_seccomp_list_errno[nr])
		512	errExit("strdup");
		513	free(errnoname);
		514	}
481	#endif	515	#endif
482	else if (strcmp(argv[i], "--caps") == 0)	516	else if (strcmp(argv[i], "--caps") == 0)
483	arg_caps_default_filter = 1;	517	arg_caps_default_filter = 1;
@@ -1288,6 +1322,15 @@ int main(int argc, char **argv) {
1288		1322
1289	// wait for the child to finish	1323	// wait for the child to finish
1290	waitpid(child, NULL, 0);	1324	waitpid(child, NULL, 0);
		1325
		1326	// free globals
		1327	if (arg_seccomp_list_errno) {
		1328	for (i = 0; i < highest_errno; i++)
		1329	free(arg_seccomp_list_errno[i]);
		1330	free(arg_seccomp_list_errno);
		1331	}
		1332
1291	myexit(0);	1333	myexit(0);
		1334
1292	return 0;	1335	return 0;
1293	}	1336	}