From 1a69bb3156688b63a28b33b3f36e75a41b35fb0a Mon Sep 17 00:00:00 2001
From: smitsohu <smitsohu@gmail.com>
Date: Mon, 20 Apr 2020 22:16:48 +0200
Subject: debug seccomp as the user

---
 src/firejail/sandbox.c | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 37d108750..631f721ad 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -198,6 +198,32 @@ static FILE *create_ready_for_join_file(void) {
 	}
 }
 
+#ifdef HAVE_SECCOMP
+static void seccomp_debug(void) {
+	if (arg_debug == 0)
+		return;
+
+	pid_t child = fork();
+	if (child < 0)
+		errExit("fork");
+	if (child == 0) {
+		// dropping privs before calling system(3)
+		drop_privs(1);
+		printf("Seccomp directory:\n");
+		int rv = system("ls -l "  RUN_SECCOMP_DIR);
+		(void) rv;
+		printf("Active seccomp files:\n");
+		rv = system("cat " RUN_SECCOMP_LIST);
+		(void) rv;
+#ifdef HAVE_GCOV
+		__gcov_flush();
+#endif
+		_exit(0);
+	}
+	waitpid(child, NULL, 0);
+}
+#endif
+
 static void sandbox_if_up(Bridge *br) {
 	assert(br);
 	if (!br->configured)
@@ -1136,14 +1162,7 @@ int sandbox(void* sandbox_arg) {
 
 	// make seccomp filters read-only
 	fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
-	if (arg_debug) {
-		printf("Seccomp directory:\n");
-		int rv = system("ls -l "  RUN_SECCOMP_DIR);
-		(void) rv;
-		printf("Active seccomp files:\n");
-		rv = system("cat " RUN_SECCOMP_LIST);
-		(void) rv;
-	}
+	seccomp_debug();
 #endif
 
 	// set capabilities
-- 
cgit v1.2.3-70-g09d2