aboutsummaryrefslogtreecommitdiffstats
path: root/src/firejail
diff options
context:
space:
mode:
Diffstat (limited to 'src/firejail')
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/preproc.c1
-rw-r--r--src/firejail/sandbox.c9
-rw-r--r--src/firejail/seccomp.c16
4 files changed, 3 insertions, 25 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7544b642a..2db171070 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -59,14 +59,12 @@
59 59
60#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter 60#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
61#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter 61#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
62#define RUN_SECCOMP_64 "/run/firejail/mnt/seccomp.64" // 64bit arch filter installed on 32bit architectures
63#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures 62#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
64#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute 63#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
65#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter 64#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
66#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library 65#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
67#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make 66#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
68#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make 67#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
69#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64") // 64bit arch filter built during make
70#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make 68#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
71#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make 69#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make
72#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make 70#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 45399bd48..9fb4840c6 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -87,7 +87,6 @@ void preproc_mount_mnt_dir(void) {
87 else { 87 else {
88 //copy default seccomp files 88 //copy default seccomp files
89 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed 89 copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
90 copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
91 } 90 }
92 if (arg_allow_debuggers) 91 if (arg_allow_debuggers)
93 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed 92 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8abdf6b2c..1498007eb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1017,18 +1017,9 @@ int sandbox(void* sandbox_arg) {
1017 else 1017 else
1018 seccomp_filter_drop(); 1018 seccomp_filter_drop();
1019 1019
1020 // clean unused filters
1021#if defined(__LP64__)
1022 int rv = unlink(RUN_SECCOMP_64);
1023#endif
1024#if defined(__ILP32__)
1025 int rv = unlink(RUN_SECCOMP_32);
1026#endif
1027 (void) rv;
1028 } 1020 }
1029 else { // clean seccomp files under /run/firejail/mnt 1021 else { // clean seccomp files under /run/firejail/mnt
1030 int rv = unlink(RUN_SECCOMP_CFG); 1022 int rv = unlink(RUN_SECCOMP_CFG);
1031 rv |= unlink(RUN_SECCOMP_64);
1032 rv |= unlink(RUN_SECCOMP_32); 1023 rv |= unlink(RUN_SECCOMP_32);
1033 (void) rv; 1024 (void) rv;
1034 } 1025 }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 1ee6256d4..3da0206e1 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -138,6 +138,7 @@ errexit:
138} 138}
139 139
140// 32 bit arch filter installed on 64 bit architectures 140// 32 bit arch filter installed on 64 bit architectures
141#if defined(__x86_64__)
141#if defined(__LP64__) 142#if defined(__LP64__)
142static void seccomp_filter_32(void) { 143static void seccomp_filter_32(void) {
143 if (seccomp_load(RUN_SECCOMP_32) == 0) { 144 if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +147,6 @@ static void seccomp_filter_32(void) {
146 } 147 }
147} 148}
148#endif 149#endif
149
150// 64 bit arch filter installed on 32 bit architectures
151#if defined(__ILP32__)
152static void seccomp_filter_64(void) {
153 if (seccomp_load(RUN_SECCOMP_64) == 0) {
154 if (arg_debug)
155 printf("Dual 32/64 bit seccomp filter configured\n");
156 }
157}
158#endif 150#endif
159 151
160static void seccomp_filter_block_secondary(void) { 152static void seccomp_filter_block_secondary(void) {
@@ -177,11 +169,10 @@ int seccomp_filter_drop(void) {
177 if (arg_seccomp_block_secondary) 169 if (arg_seccomp_block_secondary)
178 seccomp_filter_block_secondary(); 170 seccomp_filter_block_secondary();
179 else { 171 else {
172#if defined(__x86_64__)
180#if defined(__LP64__) 173#if defined(__LP64__)
181 seccomp_filter_32(); 174 seccomp_filter_32();
182#endif 175#endif
183#if defined(__ILP32__)
184 seccomp_filter_64();
185#endif 176#endif
186 } 177 }
187 } 178 }
@@ -190,11 +181,10 @@ int seccomp_filter_drop(void) {
190 if (arg_seccomp_block_secondary) 181 if (arg_seccomp_block_secondary)
191 seccomp_filter_block_secondary(); 182 seccomp_filter_block_secondary();
192 else { 183 else {
184#if defined(__x86_64__)
193#if defined(__LP64__) 185#if defined(__LP64__)
194 seccomp_filter_32(); 186 seccomp_filter_32();
195#endif 187#endif
196#if defined(__ILP32__)
197 seccomp_filter_64();
198#endif 188#endif
199 } 189 }
200 if (arg_debug) 190 if (arg_debug)
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-09-13 19:51:35 +0000