Diffstat (limited to 'src')
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/seccomp.c10
3 files changed, 11 insertions, 2 deletions
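--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -60,6 +60,7 @@ int checkcfg(int val) {
 	cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 	cfg_val[CFG_ALLOW_TRAY] = 0;
 	cfg_val[CFG_CHROOT] = 0;
+	cfg_val[CFG_SECCOMP_LOG] = 0;
 
 	// open configuration file
 	const char *fname = SYSCONFDIR "/firejail.config";
@@ -124,6 +125,7 @@ int checkcfg(int val) {
 	PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
 	PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 	PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+	PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
 #undef PARSE_YESNO
 
 	// netfilter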
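--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -828,6 +828,7 @@ enum {
 	CFG_SECCOMP_ERROR_ACTION,
 	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 	CFG_ALLOW_TRAY,
+	CFG_SECCOMP_LOG,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;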
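--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -71,11 +71,17 @@ int seccomp_install_filters(void) {
 	assert(fl->fname);
 	if (arg_debug)
 		printf("Installing %s seccomp filter\n", fl->fname);
+	int rv = 0;
 #ifdef SECCOMP_FILTER_FLAG_LOG
-	if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+	if (checkcfg(CFG_SECCOMP_LOG))
+		rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+	else
+		rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #else
-	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+	rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #endif
+
+	if (rv == -1) {
 		if (!err_printed)
 			fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 		err_printed = 1;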
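Review bot: The seccomp-log branch still fails open: `#ifdef SECCOMP_FILTER_FLAG_LOG` is a build-time header check, so when the config enables logging on a kernel that lacks seccomp(2) or rejects SECCOMP_FILTER_FLAG_LOG (ENOSYS/EINVAL), `rv` is -1 and the code drops straight to the "seccomp disabled" warning, leaving the sandbox with no filter at all, while the warning text about kernel 3.5 misdescribes the cause. Since a non-logging filter is strictly available in that situation (it is exactly what the `else` branch installs), the logging attempt should fall back to the plain `prctl()` path before giving up, and `errno.h` must be in scope for the check. It is not visible in this hunk whether the caller continues launching the program after the warning; if it does, this fallback is what keeps the sandbox enforced. The rewritten branch replaces the four lines between `#ifdef SECCOMP_FILTER_FLAG_LOG` and `#else`.
```c
	if (checkcfg(CFG_SECCOMP_LOG)) {
		rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
		// Header defines the flag but the running kernel may not support
		// seccomp(2) or FLAG_LOG: install an unlogged filter rather than none.
		if (rv == -1 && (errno == ENOSYS || errno == EINVAL))
			rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
	}
	else
		rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
	// … unchanged: #else branch, rv == -1 warning …
```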