aboutsummaryrefslogtreecommitdiffstats
path: root/src/firejail/seccomp.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r--src/firejail/seccomp.c37
1 files changed, 1 insertions, 36 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4a2221e98..4678f366b 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -92,20 +92,8 @@ int seccomp_load(const char *fname) {
92 return 0; 92 return 0;
93} 93}
94 94
95
96
97
98// i386 filter installed on amd64 architectures 95// i386 filter installed on amd64 architectures
99void seccomp_filter_32(void) { 96void seccomp_filter_32(void) {
100 if (arg_debug)
101 printf("Build secondary 32-bit filter\n");
102
103 // build the seccomp filter as a regular user
104 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
105 PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
106 if (rv)
107 exit(rv);
108
109 if (seccomp_load(RUN_SECCOMP_I386) == 0) { 97 if (seccomp_load(RUN_SECCOMP_I386) == 0) {
110 if (arg_debug) 98 if (arg_debug)
111 printf("Dual i386/amd64 seccomp filter configured\n"); 99 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,22 +102,12 @@ void seccomp_filter_32(void) {
114 102
115// amd64 filter installed on i386 architectures 103// amd64 filter installed on i386 architectures
116void seccomp_filter_64(void) { 104void seccomp_filter_64(void) {
117 if (arg_debug)
118 printf("Build secondary 64-bit filter\n");
119
120 // build the seccomp filter as a regular user
121 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
122 PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
123 if (rv)
124 exit(rv);
125
126 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { 105 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
127 if (arg_debug) 106 if (arg_debug)
128 printf("Dual i386/amd64 seccomp filter configured\n"); 107 printf("Dual i386/amd64 seccomp filter configured\n");
129 } 108 }
130} 109}
131 110
132
133// drop filter for seccomp option 111// drop filter for seccomp option
134int seccomp_filter_drop(int enforce_seccomp) { 112int seccomp_filter_drop(int enforce_seccomp) {
135 // default seccomp 113 // default seccomp
@@ -140,20 +118,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
140#if defined(__i386__) 118#if defined(__i386__)
141 seccomp_filter_64(); 119 seccomp_filter_64();
142#endif 120#endif
143 if (arg_debug)
144 printf("Build default seccomp filter\n");
145 // build the seccomp filter as a regular user
146 int rv;
147 if (arg_allow_debuggers)
148 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
149 PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
150 else
151 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
152 PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
153 if (rv)
154 exit(rv);
155 } 121 }
156
157 // default seccomp filter with additional drop list 122 // default seccomp filter with additional drop list
158 else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { 123 else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
159#if defined(__x86_64__) 124#if defined(__x86_64__)
@@ -208,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
208 exit(1); 173 exit(1);
209 } 174 }
210 175
211 if (arg_debug) 176 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
212 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, 177 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
213 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); 178 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
214 179
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-08-09 15:23:23 +0000