diff options
Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 37 |
1 files changed, 1 insertions, 36 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4a2221e98..4678f366b 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -92,20 +92,8 @@ int seccomp_load(const char *fname) { | |||
92 | return 0; | 92 | return 0; |
93 | } | 93 | } |
94 | 94 | ||
95 | |||
96 | |||
97 | |||
98 | // i386 filter installed on amd64 architectures | 95 | // i386 filter installed on amd64 architectures |
99 | void seccomp_filter_32(void) { | 96 | void seccomp_filter_32(void) { |
100 | if (arg_debug) | ||
101 | printf("Build secondary 32-bit filter\n"); | ||
102 | |||
103 | // build the seccomp filter as a regular user | ||
104 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
105 | PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386); | ||
106 | if (rv) | ||
107 | exit(rv); | ||
108 | |||
109 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { | 97 | if (seccomp_load(RUN_SECCOMP_I386) == 0) { |
110 | if (arg_debug) | 98 | if (arg_debug) |
111 | printf("Dual i386/amd64 seccomp filter configured\n"); | 99 | printf("Dual i386/amd64 seccomp filter configured\n"); |
@@ -114,22 +102,12 @@ void seccomp_filter_32(void) { | |||
114 | 102 | ||
115 | // amd64 filter installed on i386 architectures | 103 | // amd64 filter installed on i386 architectures |
116 | void seccomp_filter_64(void) { | 104 | void seccomp_filter_64(void) { |
117 | if (arg_debug) | ||
118 | printf("Build secondary 64-bit filter\n"); | ||
119 | |||
120 | // build the seccomp filter as a regular user | ||
121 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
122 | PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64); | ||
123 | if (rv) | ||
124 | exit(rv); | ||
125 | |||
126 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { | 105 | if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { |
127 | if (arg_debug) | 106 | if (arg_debug) |
128 | printf("Dual i386/amd64 seccomp filter configured\n"); | 107 | printf("Dual i386/amd64 seccomp filter configured\n"); |
129 | } | 108 | } |
130 | } | 109 | } |
131 | 110 | ||
132 | |||
133 | // drop filter for seccomp option | 111 | // drop filter for seccomp option |
134 | int seccomp_filter_drop(int enforce_seccomp) { | 112 | int seccomp_filter_drop(int enforce_seccomp) { |
135 | // default seccomp | 113 | // default seccomp |
@@ -140,20 +118,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
140 | #if defined(__i386__) | 118 | #if defined(__i386__) |
141 | seccomp_filter_64(); | 119 | seccomp_filter_64(); |
142 | #endif | 120 | #endif |
143 | if (arg_debug) | ||
144 | printf("Build default seccomp filter\n"); | ||
145 | // build the seccomp filter as a regular user | ||
146 | int rv; | ||
147 | if (arg_allow_debuggers) | ||
148 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | ||
149 | PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers"); | ||
150 | else | ||
151 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | ||
152 | PATH_FSECCOMP, "default", RUN_SECCOMP_CFG); | ||
153 | if (rv) | ||
154 | exit(rv); | ||
155 | } | 121 | } |
156 | |||
157 | // default seccomp filter with additional drop list | 122 | // default seccomp filter with additional drop list |
158 | else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { | 123 | else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { |
159 | #if defined(__x86_64__) | 124 | #if defined(__x86_64__) |
@@ -208,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
208 | exit(1); | 173 | exit(1); |
209 | } | 174 | } |
210 | 175 | ||
211 | if (arg_debug) | 176 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) |
212 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | 177 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, |
213 | PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); | 178 | PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); |
214 | 179 | ||