Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r--src/firejail/seccomp.c35
1 files changed, 33 insertions, 2 deletions
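--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,8 +208,8 @@ int seccomp_filter_drop(bool native) {
  // - seccomp list
  // - seccomp
  if (cfg.seccomp_list_drop == NULL) {
-  // default seccomp
-  if (cfg.seccomp_list == NULL) {
+  // default seccomp if error action is not changed
+  if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) {
   if (arg_seccomp_block_secondary)
   seccomp_filter_block_secondary();
   else {
@@ -243,6 +243,8 @@ int seccomp_filter_drop(bool native) {
   list = cfg.seccomp_list32;
   }
 
+  if (list == NULL)
+  list = "";
   // build the seccomp filter as a regular user
   int rv;
   if (arg_allow_debuggers)
@@ -365,6 +367,35 @@ int seccomp_filter_keep(bool native) {
   return 0;
 }
 
+// create mdwx filter for non-default error action
+int seccomp_filter_mdwx(bool native) {
+ if (arg_debug)
+ printf("Build memory-deny-write-execute filter\n");
+
+ const char *command, *filter, *postexec_filter, *list;
+ if (native) {
+ command = "memory-deny-write-execute";
+ filter = RUN_SECCOMP_MDWX;
+ } else {
+ command = "memory-deny-write-execute.32";
+ filter = RUN_SECCOMP_MDWX_32;
+ }
+
+ // build the seccomp filter as a regular user
+ int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+ PATH_FSECCOMP, command, filter);
+
+ if (rv) {
+ fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
+ exit(rv);
+ }
+
+ if (arg_debug)
+ printf("Memory-deny-write-execute filter configured\n");
+
+ return 0;
+}
+
 void seccomp_print_filter(pid_t pid) {
  EUID_ASSERT();
 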
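Review bot: In seccomp_filter_mdwx the declaration `const char *command, *filter, *postexec_filter, *list;` introduces two variables, postexec_filter and list, that are never assigned or read anywhere in the function, so a -Wall build warns about them and a reader is left guessing whether a post-exec filter step was intended; the line should be `const char *command, *filter;`. The header comment `// create mdwx filter for non-default error action` could also state the contract the body shows, namely that a failing sbox_run() terminates the process with its return code so that 0 is the only value callers ever see, e.g. `// Build the memory-deny-write-execute filter (native or 32-bit); exits the process if fseccomp fails, otherwise returns 0.` The first hunk now skips the default drop list whenever cfg.seccomp_error_action is set, and the code that invokes seccomp_filter_mdwx in that case is not in this diff, so it is worth confirming at the call site that every non-default error-action path still ends up installing a filter rather than none.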