diff options
Diffstat (limited to 'src/firejail/sbox.c')
| -rw-r--r-- | src/firejail/sbox.c | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 0c7b13f1c..e96b9cf79 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -31,7 +31,27 @@ | |||
| 31 | #define O_PATH 010000000 | 31 | #define O_PATH 010000000 |
| 32 | #endif | 32 | #endif |
| 33 | 33 | ||
| 34 | static struct sock_filter filter[] = { | 34 | int sbox_run(unsigned filtermask, int num, ...) { |
| 35 | va_list valist; | ||
| 36 | va_start(valist, num); | ||
| 37 | |||
| 38 | // build argument list | ||
| 39 | char **arg = malloc((num + 1) * sizeof(char *)); | ||
| 40 | int i; | ||
| 41 | for (i = 0; i < num; i++) | ||
| 42 | arg[i] = va_arg(valist, char*); | ||
| 43 | arg[i] = NULL; | ||
| 44 | va_end(valist); | ||
| 45 | |||
| 46 | int status = sbox_run_v(filtermask, arg); | ||
| 47 | |||
| 48 | free(arg); | ||
| 49 | |||
| 50 | return status; | ||
| 51 | } | ||
| 52 | |||
| 53 | int sbox_run_v(unsigned filtermask, char * const arg[]) { | ||
| 54 | struct sock_filter filter[] = { | ||
| 35 | VALIDATE_ARCHITECTURE, | 55 | VALIDATE_ARCHITECTURE, |
| 36 | EXAMINE_SYSCALL, | 56 | EXAMINE_SYSCALL, |
| 37 | 57 | ||
| @@ -105,33 +125,13 @@ static struct sock_filter filter[] = { | |||
| 105 | BLACKLIST(SYS_syslog), // kernel printk control | 125 | BLACKLIST(SYS_syslog), // kernel printk control |
| 106 | #endif | 126 | #endif |
| 107 | RETURN_ALLOW | 127 | RETURN_ALLOW |
| 108 | }; | 128 | }; |
| 109 | 129 | ||
| 110 | static struct sock_fprog prog = { | 130 | struct sock_fprog prog = { |
| 111 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), | 131 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), |
| 112 | .filter = filter, | 132 | .filter = filter, |
| 113 | }; | 133 | }; |
| 114 | 134 | ||
| 115 | int sbox_run(unsigned filtermask, int num, ...) { | ||
| 116 | va_list valist; | ||
| 117 | va_start(valist, num); | ||
| 118 | |||
| 119 | // build argument list | ||
| 120 | char **arg = malloc((num + 1) * sizeof(char *)); | ||
| 121 | int i; | ||
| 122 | for (i = 0; i < num; i++) | ||
| 123 | arg[i] = va_arg(valist, char*); | ||
| 124 | arg[i] = NULL; | ||
| 125 | va_end(valist); | ||
| 126 | |||
| 127 | int status = sbox_run_v(filtermask, arg); | ||
| 128 | |||
| 129 | free(arg); | ||
| 130 | |||
| 131 | return status; | ||
| 132 | } | ||
| 133 | |||
| 134 | int sbox_run_v(unsigned filtermask, char * const arg[]) { | ||
| 135 | EUID_ROOT(); | 135 | EUID_ROOT(); |
| 136 | 136 | ||
| 137 | if (arg_debug) { | 137 | if (arg_debug) { |
| @@ -161,6 +161,9 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
| 161 | new_environment[env_index++] = "FIREJAIL_QUIET=yes"; | 161 | new_environment[env_index++] = "FIREJAIL_QUIET=yes"; |
| 162 | if (arg_debug) // --debug is passed as an environment variable | 162 | if (arg_debug) // --debug is passed as an environment variable |
| 163 | new_environment[env_index++] = "FIREJAIL_DEBUG=yes"; | 163 | new_environment[env_index++] = "FIREJAIL_DEBUG=yes"; |
| 164 | if (cfg.seccomp_error_action) | ||
| 165 | if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) | ||
| 166 | errExit("asprintf"); | ||
| 164 | 167 | ||
| 165 | if (filtermask & SBOX_STDIN_FROM_FILE) { | 168 | if (filtermask & SBOX_STDIN_FROM_FILE) { |
| 166 | int fd; | 169 | int fd; |