diff options
Diffstat (limited to 'src/firejail/seccomp.c')
| -rw-r--r-- | src/firejail/seccomp.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index efe24a211..88620d1dd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -101,10 +101,22 @@ static void filter_init(void) { | |||
| 101 | sfilter_alloc_size = SECSIZE; | 101 | sfilter_alloc_size = SECSIZE; |
| 102 | 102 | ||
| 103 | // copy the start entries | 103 | // copy the start entries |
| 104 | #if defined(__x86_64__) | ||
| 105 | #define X32_SYSCALL_BIT 0x40000000 | ||
| 106 | struct sock_filter filter[] = { | ||
| 107 | VALIDATE_ARCHITECTURE, | ||
| 108 | EXAMINE_SYSCALL, | ||
| 109 | // handle X32 ABI | ||
| 110 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), | ||
| 111 | BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), | ||
| 112 | RETURN_ERRNO(EPERM) | ||
| 113 | }; | ||
| 114 | #else | ||
| 104 | struct sock_filter filter[] = { | 115 | struct sock_filter filter[] = { |
| 105 | VALIDATE_ARCHITECTURE, | 116 | VALIDATE_ARCHITECTURE, |
| 106 | EXAMINE_SYSCALL | 117 | EXAMINE_SYSCALL |
| 107 | }; | 118 | }; |
| 119 | #endif | ||
| 108 | sfilter_index = sizeof(filter) / sizeof(struct sock_filter); | 120 | sfilter_index = sizeof(filter) / sizeof(struct sock_filter); |
| 109 | memcpy(sfilter, filter, sizeof(filter)); | 121 | memcpy(sfilter, filter, sizeof(filter)); |
| 110 | } | 122 | } |