Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 57 |
2 files changed, 37 insertions, 28 deletions
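--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		if (cfg.profile_ignore[i] == NULL)
 			break;
 
-		if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
-			return 0; // ignore line
+		int len = strlen(cfg.profile_ignore[i]);
+		if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
+			// full word match
+			if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
+				return 0; // ignore line
+		}
 	}
 
 	if (strncmp(ptr, "ignore ", 7) == 0) {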
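Review bot: The full-word check on new line 87 accepts only `'\0'` or a space after the matched directive, so a profile line that separates the directive from its argument with a tab (`seccomp\t...`) would no longer be ignored where the old prefix match still caught it; if the profile parser accepts tabs there, the test should read `if (ptr[len] == '\0' || ptr[len] == ' ' || ptr[len] == '\t')` (or use `isspace((unsigned char)ptr[len])` if `<ctype.h>` is already included). A zero-length entry in `cfg.profile_ignore` would also now match every empty line and every line starting with a space, because `strncmp` with `len == 0` compares nothing — a `if (len == 0) continue;` guard is worth adding if an `ignore ` line with no argument can produce such an entry (the `"ignore "` handling below is not fully visible). As a point of style, `strlen` returns `size_t`, so `size_t len = strlen(...)` avoids the narrowing to `int` and the sign mismatch when it is passed back to `strncmp`. profile_check_line starts before this hunk and continues after it.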
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 15379215c..de9fe27f3 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -123,40 +123,48 @@ void seccomp_filter_64(void) { | |||
123 | 123 | ||
124 | // drop filter for seccomp option | 124 | // drop filter for seccomp option |
125 | int seccomp_filter_drop(int enforce_seccomp) { | 125 | int seccomp_filter_drop(int enforce_seccomp) { |
126 | // default seccomp | 126 | printf("cfg.seccomp_list %p, cfg.seccomp_list_drop %p\n", cfg.seccomp_list, cfg.seccomp_list_drop); |
127 | if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) { | 127 | // if we have multiple seccomp commands, only one of them is executed |
128 | // in the following order: | ||
129 | // - seccomp.drop list | ||
130 | // - seccomp list | ||
131 | // - seccomp | ||
132 | if (cfg.seccomp_list_drop == NULL) { | ||
133 | // default seccomp | ||
134 | if (cfg.seccomp_list == NULL) { | ||
128 | #if defined(__x86_64__) | 135 | #if defined(__x86_64__) |
129 | seccomp_filter_32(); | 136 | seccomp_filter_32(); |
130 | #endif | 137 | #endif |
131 | #if defined(__i386__) | 138 | #if defined(__i386__) |
132 | seccomp_filter_64(); | 139 | seccomp_filter_64(); |
133 | #endif | 140 | #endif |
134 | } | 141 | } |
135 | // default seccomp filter with additional drop list | 142 | // default seccomp filter with additional drop list |
136 | else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { | 143 | else { // cfg.seccomp_list != NULL |
137 | #if defined(__x86_64__) | 144 | #if defined(__x86_64__) |
138 | seccomp_filter_32(); | 145 | seccomp_filter_32(); |
139 | #endif | 146 | #endif |
140 | #if defined(__i386__) | 147 | #if defined(__i386__) |
141 | seccomp_filter_64(); | 148 | seccomp_filter_64(); |
142 | #endif | 149 | #endif |
143 | if (arg_debug) | 150 | if (arg_debug) |
144 | printf("Build default+drop seccomp filter\n"); | 151 | printf("Build default+drop seccomp filter\n"); |
145 | 152 | ||
146 | // build the seccomp filter as a regular user | 153 | // build the seccomp filter as a regular user |
147 | int rv; | 154 | int rv; |
148 | if (arg_allow_debuggers) | 155 | if (arg_allow_debuggers) |
149 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, | 156 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, |
150 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); | 157 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); |
151 | else | 158 | else |
152 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, | 159 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, |
153 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); | 160 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); |
154 | if (rv) | 161 | if (rv) |
155 | exit(rv); | 162 | exit(rv); |
163 | } | ||
156 | } | 164 | } |
157 | 165 | ||
158 | // drop list without defaults - secondary filters are not installed | 166 | // drop list without defaults - secondary filters are not installed |
159 | else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { | 167 | else { // cfg.seccomp_list_drop != NULL |
160 | if (arg_debug) | 168 | if (arg_debug) |
161 | printf("Build drop seccomp filter\n"); | 169 | printf("Build drop seccomp filter\n"); |
162 | 170 | ||
@@ -172,9 +180,6 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
172 | if (rv) | 180 | if (rv) |
173 | exit(rv); | 181 | exit(rv); |
174 | } | 182 | } |
175 | else { | ||
176 | assert(0); | ||
177 | } | ||
178 | 183 | ||
179 | // load the filter | 184 | // load the filter |
180 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { | 185 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { |