diff options
Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f5cca7494..7a63461ef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -819,8 +819,24 @@ int sandbox(void* sandbox_arg) { | |||
819 | #ifdef HAVE_SECCOMP | 819 | #ifdef HAVE_SECCOMP |
820 | // install protocol filter | 820 | // install protocol filter |
821 | if (cfg.protocol) { | 821 | if (cfg.protocol) { |
822 | protocol_filter(); // install filter | 822 | if (arg_debug) |
823 | protocol_filter_save(); // save filter in PROTOCOL_CFG | 823 | printf("Set protocol filter: %s\n", cfg.protocol); |
824 | // as root, create RUN_SECCOMP_PROTOCOL file | ||
825 | // this is where fseccomp program will store the protocol filter | ||
826 | int dst = open(RUN_SECCOMP_PROTOCOL, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | ||
827 | if (dst == -1) | ||
828 | errExit("open"); | ||
829 | close(dst); | ||
830 | if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) | ||
831 | errExit("chown"); | ||
832 | |||
833 | // build the seccomp filter as a regular user | ||
834 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 5, | ||
835 | PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL); | ||
836 | if (rv) | ||
837 | exit(rv); | ||
838 | protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter | ||
839 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG | ||
824 | } | 840 | } |
825 | 841 | ||
826 | // if a keep list is available, disregard the drop list | 842 | // if a keep list is available, disregard the drop list |