From 79957c9662989782b78bedc540c14a5a424a469e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 23 Aug 2017 06:58:47 -0400
Subject: cleanup
---
 src/firejail/bandwidth.c | 3 ---
 src/firejail/output.c | 4 ----
 src/firejail/sandbox.c | 13 -------------
 src/firejail/usage.c | 7 +++++--
 src/firejail/x11.c | 30 ------------------------------
 src/fseccomp/syscall.c | 12 ++++++++++--
 src/man/firejail.txt | 2 +-
 7 files changed, 16 insertions(+), 55 deletions(-)
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 831b76e79..24d027d54 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -441,9 +441,6 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 arg[2] = cmd;
 arg[3] = NULL;
 clearenv();
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(arg[0], arg);
 // it will never get here
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d69f5f051..b99604ec4 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -102,10 +102,6 @@ void check_output(int argc, char **argv) {
 a[1] = "-c";
 a[2] = cmd;
 a[3] = NULL;
-
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(a[0], a);
 perror("execvp");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 30b55d7d0..150c23de7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -269,19 +269,6 @@ static int monitor_application(pid_t app_pid) {
 return status;
 }
-void start_audit(void) {
- char *audit_prog;
- if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1)
- errExit("asprintf");
- assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
- execl(audit_prog, audit_prog, NULL);
- perror("execl");
- exit(1);
-}
-
 static void print_time(void) {
 if (start_timestamp) {
 unsigned long long end_timestamp = getticks();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 4de33c83d..10e6ab687 100644
--- a/src/firejail/usage.c
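Review bot: The `execvp(arg[0], arg)` in bandwidth_pid() now runs the helper with no seccomp filter installed in the child, because the `seccomp_install_filters()` call that preceded it on the old side is gone, and the description ("cleanup") does not say why that layer can be dropped; the same removal is made in check_output() (output.c), in the exec paths of x11_start_xvfb(), x11_start_xephyr(), x11_start_xpra_old(), x11_start_xpra_new() and x11_xorg() (x11.c), and inside the deleted start_audit() (sandbox.c). If the filter is now applied to these children on another path (for example by the parent before the fork, which this diff does not show), a one-line comment at each exec site would make that visible, e.g. `// seccomp: no per-child filter here; the parent's filter (if any) is inherited across exec`; if it is not, the helpers now rely on the privilege drop alone and the commit message should state that this is intended. sandbox.c removes start_audit() outright, so it is worth confirming that its caller was removed in the same series. bandwidth_pid() starts before this hunk.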
+++ b/src/firejail/usage.c
@@ -106,6 +106,10 @@ void usage(void) {
 printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
 #endif
 printf(" --machine-id - preserve /etc/machine-id\n");
+#ifdef HAVE_SECCOMP
+ printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n");
+ printf("\tmemory mappings that are both writable and executable.\n");
+#endif
 #ifdef HAVE_NETWORK
 printf(" --mtu=number - set interface MTU.\n");
 #endif
@@ -179,12 +183,11 @@ void usage(void) {
 printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n");
 printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\tdefault syscall list and the syscalls specified by the command.\n");
+ printf(" --seccomp.block-secondary - build only the native architecture filters.\n");
 printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
 printf("\tblacklist the syscalls specified by the command.\n");
 printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
 printf("\twhitelist the syscalls specified by the command.\n");
- printf(" --seccomp.=syscall,syscall,syscall - enable seccomp filter, and\n");
- printf("\treturn errno for the syscalls specified by the command.\n");
 printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
 printf("\tidentified by name or PID.\n");
 #endif
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 26af8ad35..d41f46d93 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -321,9 +321,6 @@ void x11_start_xvfb(int argc, char **argv) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
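Review bot: The second hunk removes the `--seccomp.=syscall,syscall,syscall` help entry (the "return errno for the syscalls specified" form; the errno placeholder may have been stripped by the page rendering) without a matching change to the option parser or the man page in this diff, so if that form is still accepted it is now invisible in `--help`, and if it was dropped the firejail.txt hunk should document that as well rather than only the block_secondary spelling. If the option still exists, restore the two lines with the placeholder spelled out, e.g. `printf(" --seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and\n");` followed by the former `\treturn errno …` continuation (constructed wording; match the parser's real syntax). The new `--seccomp.block-secondary` line says "build only the native architecture filters" while the man page text in this same commit describes the flag as strictly imposing the system architecture; using one phrasing in both places would avoid confusion. usage() starts before this hunk.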
@@ -368,9 +365,6 @@ void x11_start_xvfb(int argc, char **argv) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(jail_argv[0], jail_argv);
 perror("execvp");
 _exit(1);
@@ -563,9 +557,6 @@ void x11_start_xephyr(int argc, char **argv) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -610,9 +601,6 @@ void x11_start_xephyr(int argc, char **argv) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(jail_argv[0], jail_argv);
 perror("execvp");
 _exit(1);
@@ -742,9 +730,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -796,9 +781,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(attach_argv[0], attach_argv);
 perror("execvp");
 _exit(1);
@@ -828,9 +810,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 if (jail == 0) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 if (firejail_argv[0]) // shut up llvm scan-build
 execvp(firejail_argv[0], firejail_argv);
 perror("execvp");
@@ -859,9 +838,6 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 }
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(stop_argv[0], stop_argv);
 perror("execvp");
 _exit(1);
@@ -1028,9 +1004,6 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
 // running without privileges - see drop_privs call above
 assert(getenv("LD_PRELOAD") == NULL);
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
-#endif
 execvp(server_argv[0], server_argv);
 perror("execvp");
 _exit(1);
@@ -1167,9 +1140,6 @@ void x11_xorg(void) {
 clearenv();
 #ifdef HAVE_GCOV
 __gcov_flush();
-#endif
-#ifdef HAVE_SECCOMP
- seccomp_install_filters();
 #endif
 execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index 8afa3f63d..8c18b2d14 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -567,8 +567,16 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
 sl.prelist = NULL;
 sl.postlist = NULL;
 syscall_check_list(list, syscall_in_list, 0, 0, &sl);
- if (!arg_quiet)
- printf("list in: %s, check list: %s prelist: %s, postlist: %s\n", list, sl.slist, sl.prelist, sl.postlist);
+ if (!arg_quiet) {
+ printf("Seccomp list in: %s,", list);
+ if (sl.slist)
+ printf(" check list: %s,", sl.slist);
+ if (sl.prelist)
+ printf(" prelist: %s,", sl.prelist);
+ if (sl.postlist)
+ printf(" postlist: %s", sl.postlist);
+ printf("\n");
+ }
 *prelist = sl.prelist;
 *postlist = sl.postlist;
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d1970c985..dd21951ec 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
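Review bot: `printf("Seccomp list in: %s,", list)` always emits a trailing comma, and the check-list and prelist parts do too, so whenever postlist is absent the diagnostic ends in a dangling `,` (e.g. `Seccomp list in: x, check list: y,`). Putting the separator on each optional part instead keeps the line well-formed in every combination: `printf("Seccomp list in: %s", list);` then `printf(", check list: %s", sl.slist);`, and likewise `", prelist: %s"` and `", postlist: %s"`. The per-field NULL guards are the right replacement for the old single printf, which handed sl.slist/sl.prelist/sl.postlist to %s even when they were NULL (the new guards imply they can be). syscalls_in_list() starts before this hunk.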
@@ -1573,7 +1573,7 @@ $, so for example $165 would be equal to mount on i386.
 .br
 System architecture is strictly imposed only if flag
-\-\-seccomp.block_secondary is used. The filter is applied at run time
+\-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed.
 .br
--
cgit v1.2.3-54-g00ecf