Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 38 |
2 files changed, 5 insertions, 55 deletions
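--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) {
 create_empty_dir_as_root(rundir, 0755);
 free(rundir);
 
-// create /run/firejail/mnt directory in chroot and mount a tmpfs
-if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
+// create /run/firejail/mnt directory in chroot and mount the current one
+if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
 errExit("asprintf");
 create_empty_dir_as_root(rundir, 0755);
-if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("mounting /run/firejail/mnt");
-fs_logger2("tmpfs", RUN_MNT_DIR);
-free(rundir);
+if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
 
-// retrieve seccomp.protocol
-struct stat s;
-if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
-if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
-errExit("asprintf");
-copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
-free(rundir);
-}
-
 // copy /etc/resolv.conf in chroot directory
 // if resolv.conf in chroot is a symbolic link, this will fail
 // no exit on error, let the user deal with the problem
@@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) {
 if (chroot(rootdir) < 0)
 errExit("chroot");
 
-// create all other /run/firejail files and directories
-preproc_build_firejail_dir();
-
 if (checkcfg(CFG_CHROOT_DESKTOP)) {
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)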
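Review bot: After the new `mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL)` call in the first hunk, `rundir` is never freed and the mount is no longer recorded, because the `free(rundir);` and `fs_logger2(...)` lines that followed the old tmpfs mount are removed with nothing in their place. Adding `free(rundir);` after the `errExit("mount bind");` line would restore the cleanup, and a matching `fs_logger2` entry would keep the mount in the log. Separately, the mount target is built from the caller-supplied `rootdir`, and the bind mount now exposes the live host-side RUN_MNT_DIR there instead of an empty tmpfs. If the chroot tree is not validated elsewhere (not visible in this hunk), it is worth confirming that `rundir` is a real directory and not a symlink before mounting. fs_chroot starts and ends outside both hunks.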
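--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -94,16 +94,6 @@ int seccomp_load(const char *fname) {
 
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-#if 0
-if (arg_debug)
-printf("Build secondary 32-bit filter\n");
-
-// build the seccomp filter as a regular user
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
-if (rv)
-exit(rv);
-#endif
 if (seccomp_load(RUN_SECCOMP_I386) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -112,17 +102,6 @@ void seccomp_filter_32(void) {
 
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-#if 0
-if (arg_debug)
-printf("Build secondary 64-bit filter\n");
-
-// build the seccomp filter as a regular user
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
-if (rv)
-exit(rv);
-#endif
-
 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -139,21 +118,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
 seccomp_filter_64();
 #endif
-
-#if 0
-if (arg_debug)
-printf("Build default seccomp filter\n");
-// build the seccomp filter as a regular user
-int rv;
-if (arg_allow_debuggers)
-rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
-PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
-else
-rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
-if (rv)
-exit(rv);
-#endif
 }
 // default seccomp filter with additional drop list
 else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
@@ -209,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 exit(1);
 }
 
-if (arg_debug)
+if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 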
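Review bot: The new guard `if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)` in the last hunk silently skips the filter dump when the helper is not executable, so a debug run gives no hint why the listing is missing. A comment such as `// fseccomp may be unavailable here (e.g. inside a chroot); skip the debug dump` would help, though the chroot reason is inferred from the fs.c change in this commit and should be confirmed. An `else` branch printing a short debug message would make the skip visible. Note that `access()` checks permissions with the real UID and runs separately from the later exec, so it is a convenience test only and does not validate the binary that `sbox_run` eventually starts. seccomp_filter_drop starts and ends outside the hunk.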