1 files changed, 30 insertions, 1 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index b8b4ec0d6..84748da77 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -416,7 +416,7 @@ int seccomp_filter_mdwx(bool native) {
        // build the seccomp filter as a regular user
        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                 PATH_FSECCOMP, command, filter);
+                PATH_FSECCOMP, command, filter);
        if (rv) {
                fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
@@ -429,6 +429,35 @@ int seccomp_filter_mdwx(bool native) {
        return 0;
 }
+// create namespaces filter
+int seccomp_filter_namespaces(bool native, const char *list) {
+        if (arg_debug)
+                printf("Build restrict-namespaces filter\n");
+        const char *command, *filter;
+        if (native) {
+                command = "restrict-namespaces";
+                filter = RUN_SECCOMP_NS;
+        } else {
+                command = "restrict-namespaces.32";
+                filter = RUN_SECCOMP_NS_32;
+        }
+        // build the seccomp filter as a regular user
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                PATH_FSECCOMP, command, filter, list);
+        if (rv) {
+                fprintf(stderr, "Error: cannot build restrict-namespaces filter\n");
+                exit(rv);
+        }
+        if (arg_debug)
+                printf("restrict-namespaces filter configured\n");
+        return 0;
+}
 void seccomp_print_filter(pid_t pid) {
        EUID_ASSERT();

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index b8b4ec0d6..84748da77 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -416,7 +416,7 @@ int seccomp_filter_mdwx(bool native) {
416		416
417	// build the seccomp filter as a regular user	417	// build the seccomp filter as a regular user
418	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3,	418	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3,
419	PATH_FSECCOMP, command, filter);	419	PATH_FSECCOMP, command, filter);
420		420
421	if (rv) {	421	if (rv) {
422	fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");	422	fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
@@ -429,6 +429,35 @@ int seccomp_filter_mdwx(bool native) {
429	return 0;	429	return 0;
430	}	430	}
431		431
		432	// create namespaces filter
		433	int seccomp_filter_namespaces(bool native, const char *list) {
		434	if (arg_debug)
		435	printf("Build restrict-namespaces filter\n");
		436
		437	const char command, filter;
		438	if (native) {
		439	command = "restrict-namespaces";
		440	filter = RUN_SECCOMP_NS;
		441	} else {
		442	command = "restrict-namespaces.32";
		443	filter = RUN_SECCOMP_NS_32;
		444	}
		445
		446	// build the seccomp filter as a regular user
		447	int rv = sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 4,
		448	PATH_FSECCOMP, command, filter, list);
		449
		450	if (rv) {
		451	fprintf(stderr, "Error: cannot build restrict-namespaces filter\n");
		452	exit(rv);
		453	}
		454
		455	if (arg_debug)
		456	printf("restrict-namespaces filter configured\n");
		457
		458	return 0;
		459	}
		460
432	void seccomp_print_filter(pid_t pid) {	461	void seccomp_print_filter(pid_t pid) {
433	EUID_ASSERT();	462	EUID_ASSERT();
434		463