Diffstat (limited to 'src/firejail/seccomp.c')
-rw-r--r-- | src/firejail/seccomp.c | 35 |
1 files changed, 33 insertions, 2 deletions
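--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,8 +208,8 @@ int seccomp_filter_drop(bool native) {
 // - seccomp list
 // - seccomp
 if (cfg.seccomp_list_drop == NULL) {
-// default seccomp
-if (cfg.seccomp_list == NULL) {
+// default seccomp if error action is not changed
+if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) {
 if (arg_seccomp_block_secondary)
 seccomp_filter_block_secondary();
 else {
@@ -243,6 +243,8 @@ int seccomp_filter_drop(bool native) {
 list = cfg.seccomp_list32;
 }
 
+if (list == NULL)
+list = "";
 // build the seccomp filter as a regular user
 int rv;
 if (arg_allow_debuggers)
@@ -365,6 +367,35 @@ int seccomp_filter_keep(bool native) {
 return 0;
 }
 
+// create mdwx filter for non-default error action
+int seccomp_filter_mdwx(bool native) {
+if (arg_debug)
+printf("Build memory-deny-write-execute filter\n");
+
+const char *command, *filter, *postexec_filter, *list;
+if (native) {
+command = "memory-deny-write-execute";
+filter = RUN_SECCOMP_MDWX;
+} else {
+command = "memory-deny-write-execute.32";
+filter = RUN_SECCOMP_MDWX_32;
+}
+
+// build the seccomp filter as a regular user
+int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+PATH_FSECCOMP, command, filter);
+
+if (rv) {
+fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
+exit(rv);
+}
+
+if (arg_debug)
+printf("Memory-deny-write-execute filter configured\n");
+
+return 0;
+}
+
 void seccomp_print_filter(pid_t pid) {
 EUID_ASSERT();
 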
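Review bot: The new test at line 212, `cfg.seccomp_list == NULL && cfg.seccomp_error_action`, only checks that the field is non-zero, while the comment beside it says the pre-built default filter is used when the error action "is not changed". The field's type and default value are not visible in this section, so if it is populated only when the user overrides the action, the condition is inverted and an overridden action would be paired with the pre-built filter, which presumably has the default action compiled in. An explicit comparison such as `cfg.seccomp_error_action == <DEFAULT_ACTION>` (placeholder for the project's default value) would make the intent checkable. In `seccomp_filter_mdwx`, `postexec_filter` and `list` are declared but never used, so the declaration can be reduced to `const char *command, *filter;`. The body of `seccomp_filter_drop` continues outside both of its hunks.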