Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 10 |
3 files changed, 11 insertions, 2 deletions
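--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -60,6 +60,7 @@ int checkcfg(int val) {
 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 cfg_val[CFG_ALLOW_TRAY] = 0;
 cfg_val[CFG_CHROOT] = 0;
+cfg_val[CFG_SECCOMP_LOG] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -124,6 +125,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
 PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
 #undef PARSE_YESNO
 
 // netfilter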
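Review bot: The new default `cfg_val[CFG_SECCOMP_LOG] = 0` at new line 63 makes SECCOMP_FILTER_FLAG_LOG opt-in, whereas builds that had the flag previously always installed filters with it (see the seccomp.c hunk), so anyone relying on seccomp audit-log entries loses them after upgrading unless they set the new key. The diffstat is limited to 'src', so I cannot tell whether the firejail.config template referenced at line 66 or the release notes were updated; if not, add a commented default for the new `seccomp-log yes|no` key to the template and call out the behaviour change. A one-line comment next to the parser entry would also help, e.g. `// seccomp-log: install filters with SECCOMP_FILTER_FLAG_LOG (default no)`. checkcfg() begins before and continues after both hunks.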
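--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -828,6 +828,7 @@ enum {
 CFG_SECCOMP_ERROR_ACTION,
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_ALLOW_TRAY,
+CFG_SECCOMP_LOG,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;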
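--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -71,11 +71,17 @@ int seccomp_install_filters(void) {
 assert(fl->fname);
 if (arg_debug)
 printf("Installing %s seccomp filter\n", fl->fname);
+int rv = 0;
 #ifdef SECCOMP_FILTER_FLAG_LOG
-if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+if (checkcfg(CFG_SECCOMP_LOG))
+rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+else
+rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #else
-if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #endif
+
+if (rv == -1) {
 if (!err_printed)
 fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 err_printed = 1;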
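Review bot: When `seccomp-log` is enabled but the running kernel is older than the build headers, the `syscall(SYS_seccomp, ..., SECCOMP_FILTER_FLAG_LOG, ...)` on new line 77 fails (EINVAL for an unknown flag, ENOSYS where the seccomp syscall does not exist) and the new `rv == -1` branch on line 84 gives up on the filter entirely, so the sandbox keeps running with no seccomp filter at all even though the plain prctl() path on line 79 would have installed it; the "kernel version 3.5 or newer" warning is also misleading in that case. Consider retrying without the flag before treating the install as failed, so that a logging preference can never downgrade to no enforcement. This needs errno, whose header I cannot see in this hunk, and the exact errno values to fall back on should be confirmed against the kernels you target. seccomp_install_filters() begins before and continues after the hunk.
```c
#ifdef SECCOMP_FILTER_FLAG_LOG
if (checkcfg(CFG_SECCOMP_LOG)) {
	rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
	// kernel rejects the log flag (or has no seccomp syscall): install the
	// filter without logging rather than leaving the sandbox unfiltered
	if (rv == -1 && (errno == EINVAL || errno == ENOSYS)) {
		if (arg_debug)
			printf("seccomp-log not supported by this kernel, installing %s without logging\n", fl->fname);
		rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
	}
}
else
	rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
#else
// … unchanged: prctl() install …
#endif
```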