Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index b8b4ec0d6..84748da77 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -416,7 +416,7 @@ int seccomp_filter_mdwx(bool native) { | |||
416 | 416 | ||
417 | // build the seccomp filter as a regular user | 417 | // build the seccomp filter as a regular user |
418 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | 418 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, |
419 | PATH_FSECCOMP, command, filter); | 419 | PATH_FSECCOMP, command, filter); |
420 | 420 | ||
421 | if (rv) { | 421 | if (rv) { |
422 | fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n"); | 422 | fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n"); |
@@ -429,6 +429,35 @@ int seccomp_filter_mdwx(bool native) { | |||
429 | return 0; | 429 | return 0; |
430 | } | 430 | } |
431 | 431 | ||
432 | // create namespaces filter | ||
433 | int seccomp_filter_namespaces(bool native, const char *list) { | ||
434 | if (arg_debug) | ||
435 | printf("Build restrict-namespaces filter\n"); | ||
436 | |||
437 | const char *command, *filter; | ||
438 | if (native) { | ||
439 | command = "restrict-namespaces"; | ||
440 | filter = RUN_SECCOMP_NS; | ||
441 | } else { | ||
442 | command = "restrict-namespaces.32"; | ||
443 | filter = RUN_SECCOMP_NS_32; | ||
444 | } | ||
445 | |||
446 | // build the seccomp filter as a regular user | ||
447 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
448 | PATH_FSECCOMP, command, filter, list); | ||
449 | |||
450 | if (rv) { | ||
451 | fprintf(stderr, "Error: cannot build restrict-namespaces filter\n"); | ||
452 | exit(rv); | ||
453 | } | ||
454 | |||
455 | if (arg_debug) | ||
456 | printf("restrict-namespaces filter configured\n"); | ||
457 | |||
458 | return 0; | ||
459 | } | ||
460 | |||
432 | void seccomp_print_filter(pid_t pid) { | 461 | void seccomp_print_filter(pid_t pid) { |
433 | EUID_ASSERT(); | 462 | EUID_ASSERT(); |
434 | 463 | ||
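Review bot: In the new `seccomp_filter_namespaces`, `list` is forwarded to `sbox_run` as the fourth argument with no NULL check and no comment on the format it must have. If a caller can pass NULL, the helper would presumably be started with a shorter argument vector than intended; whether it then fails or builds a different filter cannot be seen from this page. Consider a guard such as `assert(list);` at the top of the function (assuming `assert.h` is already in scope in this file). The header comment could also be expanded to something like `// build the restrict-namespaces seccomp filter for the namespaces named in list; exits on failure, so the return value is always 0`. The body is otherwise a near copy of `seccomp_filter_mdwx`, so a shared static helper taking the command, filter path and optional extra argument would keep the two fail-closed `exit(rv)` paths from drifting apart.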