diff options
Diffstat (limited to 'src/firejail/seccomp.c')
| -rw-r--r-- | src/firejail/seccomp.c | 24 |
1 files changed, 6 insertions, 18 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 353b212f6..f8053d698 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -266,10 +266,7 @@ static void write_seccomp_file(void) { | |||
| 266 | fs_build_mnt_dir(); | 266 | fs_build_mnt_dir(); |
| 267 | assert(sfilter); | 267 | assert(sfilter); |
| 268 | 268 | ||
| 269 | char *fname; | 269 | int fd = open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); |
| 270 | if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1) | ||
| 271 | errExit("asprintf"); | ||
| 272 | int fd = open(fname, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); | ||
| 273 | if (fd == -1) | 270 | if (fd == -1) |
| 274 | errExit("open"); | 271 | errExit("open"); |
| 275 | 272 | ||
| @@ -282,23 +279,14 @@ static void write_seccomp_file(void) { | |||
| 282 | exit(1); | 279 | exit(1); |
| 283 | } | 280 | } |
| 284 | close(fd); | 281 | close(fd); |
| 285 | if (chown(fname, 0, 0) < 0) | 282 | if (chown(SECCOMP_CFG, 0, 0) < 0) |
| 286 | errExit("chown"); | 283 | errExit("chown"); |
| 287 | free(fname); | ||
| 288 | } | 284 | } |
| 289 | 285 | ||
| 290 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 286 | // read seccomp filter from /tmp/firejail/mnt/seccomp |
| 291 | static void read_seccomp_file(char *file_name) { | 287 | static void read_seccomp_file(const char *fname) { |
| 292 | assert(sfilter == NULL && sfilter_index == 0); | 288 | assert(sfilter == NULL && sfilter_index == 0); |
| 293 | 289 | ||
| 294 | char *fname; | ||
| 295 | if (file_name) | ||
| 296 | fname = file_name; | ||
| 297 | else { | ||
| 298 | if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1) | ||
| 299 | errExit("asprintf"); | ||
| 300 | } | ||
| 301 | |||
| 302 | // check file | 290 | // check file |
| 303 | struct stat s; | 291 | struct stat s; |
| 304 | if (stat(fname, &s) == -1) { | 292 | if (stat(fname, &s) == -1) { |
| @@ -331,7 +319,6 @@ static void read_seccomp_file(char *file_name) { | |||
| 331 | printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter))); | 319 | printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter))); |
| 332 | 320 | ||
| 333 | close(fd); | 321 | close(fd); |
| 334 | free(fname); | ||
| 335 | 322 | ||
| 336 | if (arg_debug) | 323 | if (arg_debug) |
| 337 | filter_debug(); | 324 | filter_debug(); |
| @@ -706,7 +693,7 @@ int seccomp_filter_errno(void) { | |||
| 706 | 693 | ||
| 707 | void seccomp_set(void) { | 694 | void seccomp_set(void) { |
| 708 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 695 | // read seccomp filter from /tmp/firejail/mnt/seccomp |
| 709 | read_seccomp_file(NULL); | 696 | read_seccomp_file(SECCOMP_CFG); |
| 710 | 697 | ||
| 711 | // apply filter | 698 | // apply filter |
| 712 | struct sock_fprog prog = { | 699 | struct sock_fprog prog = { |
| @@ -767,7 +754,7 @@ void seccomp_print_filter(pid_t pid) { | |||
| 767 | 754 | ||
| 768 | // find the seccomp filter | 755 | // find the seccomp filter |
| 769 | char *fname; | 756 | char *fname; |
| 770 | if (asprintf(&fname, "/proc/%d/root/tmp/firejail/mnt/seccomp", pid) == -1) | 757 | if (asprintf(&fname, "/proc/%d/root%s", pid, SECCOMP_CFG) == -1) |
| 771 | errExit("asprintf"); | 758 | errExit("asprintf"); |
| 772 | 759 | ||
| 773 | struct stat s; | 760 | struct stat s; |
| @@ -780,6 +767,7 @@ void seccomp_print_filter(pid_t pid) { | |||
| 780 | read_seccomp_file(fname); | 767 | read_seccomp_file(fname); |
| 781 | drop_privs(1); | 768 | drop_privs(1); |
| 782 | filter_debug(); | 769 | filter_debug(); |
| 770 | free(fname); | ||
| 783 | 771 | ||
| 784 | exit(0); | 772 | exit(0); |
| 785 | } | 773 | } |