diff options
Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 52b4679ae..bd57cff42 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -258,23 +258,36 @@ int seccomp_filter_keep(void) { | |||
258 | seccomp_filter_block_secondary(); | 258 | seccomp_filter_block_secondary(); |
259 | 259 | ||
260 | if (arg_debug) | 260 | if (arg_debug) |
261 | printf("Build drop seccomp filter\n"); | 261 | printf("Build keep seccomp filter\n"); |
262 | 262 | ||
263 | // build the seccomp filter as a regular user | 263 | // build the seccomp filter as a regular user |
264 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, | 264 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, |
265 | PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep); | 265 | PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep); |
266 | |||
267 | if (rv) { | ||
268 | fprintf(stderr, "Error: cannot configure seccomp filter\n"); | ||
269 | exit(rv); | ||
270 | } | ||
271 | |||
266 | if (arg_debug) | 272 | if (arg_debug) |
267 | printf("seccomp filter configured\n"); | 273 | printf("seccomp filter configured\n"); |
268 | 274 | ||
275 | // load the filter | ||
276 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { | ||
277 | if (arg_debug) | ||
278 | printf("seccomp filter configured\n"); | ||
279 | } | ||
269 | 280 | ||
270 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) { | 281 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) { |
271 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); | ||
272 | struct stat st; | 282 | struct stat st; |
273 | if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) | 283 | if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) { |
274 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC); | 284 | printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC); |
285 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | ||
286 | PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC); | ||
287 | } | ||
275 | } | 288 | } |
276 | 289 | ||
277 | return seccomp_load(RUN_SECCOMP_CFG); | 290 | return 0; |
278 | } | 291 | } |
279 | 292 | ||
280 | void seccomp_print_filter(pid_t pid) { | 293 | void seccomp_print_filter(pid_t pid) { |