1 files changed, 18 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f5cca7494..7a63461ef 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -819,8 +819,24 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
        // install protocol filter
        if (cfg.protocol) {
-                protocol_filter();      // install filter       
+                if (arg_debug)
-                protocol_filter_save(); // save filter in PROTOCOL_CFG
+                        printf("Set protocol filter: %s\n", cfg.protocol);
+                // as root, create RUN_SECCOMP_PROTOCOL file
+                // this is where fseccomp program will store the protocol filter
+                int dst = open(RUN_SECCOMP_PROTOCOL, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+                if (dst == -1)
+                        errExit("open");
+                close(dst);
+                if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1)
+                        errExit("chown");
+                // build the seccomp filter as a regular user
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 5,
+                        PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL);
+                if (rv)
+                        exit(rv);
+                protocol_filter(RUN_SECCOMP_PROTOCOL);  // install filter       
+                protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
        }
        // if a keep list is available, disregard the drop list

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f5cca7494..7a63461ef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -819,8 +819,24 @@ int sandbox(void* sandbox_arg) {
819	#ifdef HAVE_SECCOMP	819	#ifdef HAVE_SECCOMP
820	// install protocol filter	820	// install protocol filter
821	if (cfg.protocol) {	821	if (cfg.protocol) {
822	protocol_filter(); // install filter	822	if (arg_debug)
823	protocol_filter_save(); // save filter in PROTOCOL_CFG	823	printf("Set protocol filter: %s\n", cfg.protocol);
		824	// as root, create RUN_SECCOMP_PROTOCOL file
		825	// this is where fseccomp program will store the protocol filter
		826	int dst = open(RUN_SECCOMP_PROTOCOL, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
		827	if (dst == -1)
		828	errExit("open");
		829	close(dst);
		830	if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1)
		831	errExit("chown");
		832
		833	// build the seccomp filter as a regular user
		834	int rv = sbox_run(SBOX_USER \| SBOX_CAPS \| SBOX_SECCOMP, 5,
		835	PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL);
		836	if (rv)
		837	exit(rv);
		838	protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter
		839	protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
824	}	840	}
825		841
826	// if a keep list is available, disregard the drop list	842	// if a keep list is available, disregard the drop list