diff options
Diffstat (limited to 'src/firejail/sbox.c')
-rw-r--r-- | src/firejail/sbox.c | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 0c7b13f1c..e96b9cf79 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -31,7 +31,27 @@ | |||
31 | #define O_PATH 010000000 | 31 | #define O_PATH 010000000 |
32 | #endif | 32 | #endif |
33 | 33 | ||
34 | static struct sock_filter filter[] = { | 34 | int sbox_run(unsigned filtermask, int num, ...) { |
35 | va_list valist; | ||
36 | va_start(valist, num); | ||
37 | |||
38 | // build argument list | ||
39 | char **arg = malloc((num + 1) * sizeof(char *)); | ||
40 | int i; | ||
41 | for (i = 0; i < num; i++) | ||
42 | arg[i] = va_arg(valist, char*); | ||
43 | arg[i] = NULL; | ||
44 | va_end(valist); | ||
45 | |||
46 | int status = sbox_run_v(filtermask, arg); | ||
47 | |||
48 | free(arg); | ||
49 | |||
50 | return status; | ||
51 | } | ||
52 | |||
53 | int sbox_run_v(unsigned filtermask, char * const arg[]) { | ||
54 | struct sock_filter filter[] = { | ||
35 | VALIDATE_ARCHITECTURE, | 55 | VALIDATE_ARCHITECTURE, |
36 | EXAMINE_SYSCALL, | 56 | EXAMINE_SYSCALL, |
37 | 57 | ||
@@ -105,33 +125,13 @@ static struct sock_filter filter[] = { | |||
105 | BLACKLIST(SYS_syslog), // kernel printk control | 125 | BLACKLIST(SYS_syslog), // kernel printk control |
106 | #endif | 126 | #endif |
107 | RETURN_ALLOW | 127 | RETURN_ALLOW |
108 | }; | 128 | }; |
109 | 129 | ||
110 | static struct sock_fprog prog = { | 130 | struct sock_fprog prog = { |
111 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), | 131 | .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), |
112 | .filter = filter, | 132 | .filter = filter, |
113 | }; | 133 | }; |
114 | 134 | ||
115 | int sbox_run(unsigned filtermask, int num, ...) { | ||
116 | va_list valist; | ||
117 | va_start(valist, num); | ||
118 | |||
119 | // build argument list | ||
120 | char **arg = malloc((num + 1) * sizeof(char *)); | ||
121 | int i; | ||
122 | for (i = 0; i < num; i++) | ||
123 | arg[i] = va_arg(valist, char*); | ||
124 | arg[i] = NULL; | ||
125 | va_end(valist); | ||
126 | |||
127 | int status = sbox_run_v(filtermask, arg); | ||
128 | |||
129 | free(arg); | ||
130 | |||
131 | return status; | ||
132 | } | ||
133 | |||
134 | int sbox_run_v(unsigned filtermask, char * const arg[]) { | ||
135 | EUID_ROOT(); | 135 | EUID_ROOT(); |
136 | 136 | ||
137 | if (arg_debug) { | 137 | if (arg_debug) { |
@@ -161,6 +161,9 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
161 | new_environment[env_index++] = "FIREJAIL_QUIET=yes"; | 161 | new_environment[env_index++] = "FIREJAIL_QUIET=yes"; |
162 | if (arg_debug) // --debug is passed as an environment variable | 162 | if (arg_debug) // --debug is passed as an environment variable |
163 | new_environment[env_index++] = "FIREJAIL_DEBUG=yes"; | 163 | new_environment[env_index++] = "FIREJAIL_DEBUG=yes"; |
164 | if (cfg.seccomp_error_action) | ||
165 | if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) | ||
166 | errExit("asprintf"); | ||
164 | 167 | ||
165 | if (filtermask & SBOX_STDIN_FROM_FILE) { | 168 | if (filtermask & SBOX_STDIN_FROM_FILE) { |
166 | int fd; | 169 | int fd; |