7 files changed, 28 insertions, 110 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2562094d3..2e031ce04 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -47,10 +47,14 @@
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
 #define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
 #define RUN_SECCOMP_AMD64       "/run/firejail/mnt/seccomp.amd64"       // amd64 filter installed on i386 architectures
 #define RUN_SECCOMP_I386        "/run/firejail/mnt/seccomp.i386"                // i386 filter installed on amd64 architectures
+#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
+#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64")           // amd64 filter built during make
+#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386")                     // i386 filter built during make
 
 
 #define RUN_DEV_DIR             "/run/firejail/mnt/dev"
@@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
 // preproc.c
 void preproc_build_firejail_dir(void);
 void preproc_mount_mnt_dir(void);
-void preproc_build_cp_command(void);
-void preproc_delete_cp_command(void) ;
-void preproc_remount_mnt_dir(void);
 
 // fs.c
 // blacklist files or directoies by mounting empty files on top of them
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ff7e3c59..5774ebf6a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) {
                 create_empty_dir_as_root(rundir, 0755);
                 free(rundir);
                 
-                // create /run/firejail/mnt directory in chroot and mount a tmpfs
-                if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
+                // create /run/firejail/mnt directory in chroot and mount the current one
+                if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
                         errExit("asprintf");
                 create_empty_dir_as_root(rundir, 0755);
-                if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting /run/firejail/mnt");
-                fs_logger2("tmpfs", RUN_MNT_DIR);
-                free(rundir);
+                if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind");
 
-                // retrieve seccomp.protocol
-                struct stat s;
-                if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
-                        if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
-                                errExit("asprintf");
-                        copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
-                        free(rundir);
-                }
-                
                 // copy /etc/resolv.conf in chroot directory
                 // if resolv.conf in chroot is a symbolic link, this will fail
                 // no exit on error, let the user deal with the problem
@@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) {
         if (chroot(rootdir) < 0)
                 errExit("chroot");
 
-        // create all other /run/firejail files and directories
-        preproc_build_firejail_dir();
-                
         if (checkcfg(CFG_CHROOT_DESKTOP)) {
                 // update /var directory in order to support multiple sandboxes running on the same root directory
 //              if (!arg_private_dev)
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ea4e6743f..d2db7d3dd 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
                 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
         }
         
-        if (stat(RUN_MNT_DIR, &s)) {
-                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
-        }
+        if (stat(RUN_MNT_DIR, &s)) {
+                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+        }
 
         create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
         create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
                 tmpfs_mounted = 1;
                 fs_logger2("tmpfs", RUN_MNT_DIR);
                 
-                // create all seccomp files
-                // as root, create RUN_SECCOMP_I386 file
-                create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
-                if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
-                        errExit("set_perms");
-
-                // as root, create RUN_SECCOMP_AMD64 file
-                create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
-                if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
-                        errExit("set_perms");
-
-                // as root, create RUN_SECCOMP file
-                create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
-                if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
-                        errExit("set_perms");
-
-                // as root, create RUN_SECCOMP_PROTOCOL file
+                //copy defaultl seccomp files
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
+                if (arg_allow_debuggers)
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                else
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                        
+                // as root, create an empty RUN_SECCOMP_PROTOCOL file
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                         errExit("set_perms");
         }
 }
-
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
-        struct stat s;
-        preproc_mount_mnt_dir();
-        if (stat(RUN_CP_COMMAND, &s)) {
-                char* fname = realpath("/bin/cp", NULL);
-                if (fname == NULL || stat(fname, &s) || is_link(fname)) {
-                        fprintf(stderr, "Error: invalid /bin/cp\n");
-                        exit(1);
-                }
-                int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot access /bin/cp\n");
-                        exit(1);
-                }
-                ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-                        
-                free(fname);
-        }
-}
-
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
-        unlink(RUN_CP_COMMAND);
-}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c2e053b0c..ad77caeb2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) {
         
         //****************************
         // fs pre-processing:
-        //  - copy some commands under /run
         //  - build seccomp filters
         //  - create an empty /etc/ld.so.preload
         //****************************
-        preproc_build_cp_command();
-
 #ifdef HAVE_SECCOMP
         if (cfg.protocol) {
                 if (arg_debug)
@@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // fs post-processing
         //****************************
-        preproc_delete_cp_command();
         fs_logger_print();
         fs_logger_change_owner();
 
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4a2221e98..4678f366b 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -92,20 +92,8 @@ int seccomp_load(const char *fname) {
         return 0;
 }
 
-
-
-
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-        if (arg_debug)
-                printf("Build secondary 32-bit filter\n");
-
-        // build the seccomp filter as a regular user
-        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
-        if (rv)
-                exit(rv);
-
         if (seccomp_load(RUN_SECCOMP_I386) == 0) {
                 if (arg_debug)
                         printf("Dual i386/amd64 seccomp filter configured\n");
@@ -114,22 +102,12 @@ void seccomp_filter_32(void) {
 
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-        if (arg_debug)
-                printf("Build secondary 64-bit filter\n");
-
-        // build the seccomp filter as a regular user
-        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
-        if (rv)
-                exit(rv);
-
         if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
                 if (arg_debug)
                         printf("Dual i386/amd64 seccomp filter configured\n");
         }
 }
 
-
 // drop filter for seccomp option
 int seccomp_filter_drop(int enforce_seccomp) {
         // default seccomp
@@ -140,20 +118,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
                 seccomp_filter_64();
 #endif
-                if (arg_debug)
-                        printf("Build default seccomp filter\n");
-                // build the seccomp filter as a regular user
-                int rv;
-                if (arg_allow_debuggers)
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
-                else
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                                PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
-                if (rv)
-                        exit(rv);
         }
-
         // default seccomp filter with additional drop list
         else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
 #if defined(__x86_64__)
@@ -208,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
                 exit(1);
         }
         
-        if (arg_debug)
+        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
                         PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 2f85a786b..471e0b193 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 
 int main(int argc, char **argv) {
-#if 0
+//#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
         printf("*%s* ", argv[i]);
 printf("\n");
 }       
-#endif
+//#endif
         if (argc < 2) {
                 usage();
                 return 1;
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bb9ae270c..8441f25d5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1341,6 +1341,10 @@ both 32-bit and 64-bit filters are installed.
 .br
 
 .br
+Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-seccomp