From 9a27ac2137f38b775eca8995a4ab800c2e956447 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 9 Apr 2019 16:28:40 -0400
Subject: seccomp fixes
---
src/firejail/firejail.h | 79 +----------------------------
src/libpostexecseccomp/Makefile.in | 3 +-
src/libpostexecseccomp/libpostexecseccomp.c | 12 +++--
3 files changed, 10 insertions(+), 84 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4cb10c875..b2c18d79f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -21,90 +21,13 @@ #define FIREJAIL_H #include "../include/common.h" #include "../include/euid_common.h" +#include "../include/rundefs.h" #include #include // debug restricted shell //#define DEBUG_RESTRICTED_SHELL -// filesystem -#define RUN_FIREJAIL_BASEDIR "/run" -#define RUN_FIREJAIL_DIR "/run/firejail" -#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" -#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place -#define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" -#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" -#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" -#define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" -#define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" -#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock" -#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock" -#define RUN_RO_DIR "/run/firejail/firejail.ro.dir" -#define RUN_RO_FILE "/run/firejail/firejail.ro.file" -#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created -#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" -#define RUN_CPU_CFG "/run/firejail/mnt/cpu" -#define RUN_GROUPS_CFG "/run/firejail/mnt/groups" -#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" -#define RUN_NONEWPRIVS_CFG "/run/firejail/mnt/nonewprivs" -#define RUN_HOME_DIR "/run/firejail/mnt/home" -#define RUN_ETC_DIR "/run/firejail/mnt/etc" -#define RUN_OPT_DIR "/run/firejail/mnt/opt" -#define RUN_SRV_DIR "/run/firejail/mnt/srv" -#define RUN_BIN_DIR "/run/firejail/mnt/bin" -#define RUN_PULSE_DIR "/run/firejail/mnt/pulse" -#define RUN_LIB_DIR "/run/firejail/mnt/lib" -#define RUN_LIB_FILE "/run/firejail/mnt/libfiles" -#define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" - -#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" -#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed -#define RUN_SECCOMP_PROTOCOL 
"/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter -#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter -#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures -#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute -#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter -#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library -#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make -#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make -#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make -#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx") // filter for memory-deny-write-execute built during make -#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary") // secondary arch blocking filter built during make - - -#define RUN_DEV_DIR "/run/firejail/mnt/dev" -#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" - -#define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" -#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking -#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking -#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting -#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting -#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" -#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" -#define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt" -#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" -#define RUN_WHITELIST_DEV_DIR 
"/run/firejail/mnt/orig-dev" -#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" -#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" -#define RUN_WHITELIST_ETC_DIR "/run/firejail/mnt/orig-etc" -#define RUN_WHITELIST_SHARE_DIR "/run/firejail/mnt/orig-share" -#define RUN_WHITELIST_MODULE_DIR "/run/firejail/mnt/orig-module" - -#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" -#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" -#define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" -#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" -#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" -#define RUN_MACHINEID "/run/firejail/mnt/machine-id" -#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" -#define RUN_UTMP_FILE "/run/firejail/mnt/utmp" -#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" -#define RUN_GROUP_FILE "/run/firejail/mnt/group" -#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" -#define RUN_UMASK_FILE "/run/firejail/mnt/umask" -#define RUN_OVERLAY_ROOT "/run/firejail/mnt/oroot" -#define RUN_READY_FOR_JOIN "/run/firejail/mnt/ready-for-join" // profiles diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in index 92803342c..8d6dde4e0 100644 --- a/src/libpostexecseccomp/Makefile.in +++ b/src/libpostexecseccomp/Makefile.in @@ -13,13 +13,12 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now all: libpostexecseccomp.so -%.o : %.c $(H_FILE_LIST) +%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ libpostexecseccomp.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - clean:; rm -f $(OBJS) libpostexecseccomp.so distclean: clean diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c index e51445de4..3983510ec 100644 --- a/src/libpostexecseccomp/libpostexecseccomp.c +++ b/src/libpostexecseccomp/libpostexecseccomp.c 
@@ -17,19 +17,22 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "libpostexecseccomp.h" #include "../include/seccomp.h" +#include "../include/rundefs.h" #include #include #include #include #include +#include __attribute__((constructor)) static void load_seccomp(void) { int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY); - if (fd == -1) + if (fd == -1) { + fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC); return; + } off_t size = lseek(fd, 0, SEEK_END); if (size <= 0) { @@ -40,11 +43,12 @@ static void load_seccomp(void) { struct sock_filter *filter = MAP_FAILED; if (size != 0) filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); - close(fd); - if (filter == MAP_FAILED) + if (filter == MAP_FAILED) { + fprintf(stderr, "Error: cannot map seccomp postexec filter data\n"); return; + } // install filter struct sock_fprog prog = { -- cgit v1.2.3-70-g09d2
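Review bot: The constructor still fails open: when `open(RUN_SECCOMP_POSTEXEC, O_RDONLY)` fails, the new branch prints a message and returns, so the program that loaded this library keeps running without the post-exec filter; the `MAP_FAILED` branch in the second hunk (`@@ -40,11 +43,12 @@`) does the same. If the library is only preloaded when a post-exec filter was requested (that decision is not visible in this patch), a missing or unreadable filter file means the sandbox is weaker than configured, and the failure should end the process, e.g. `_exit(1);` in place of `return;` after the `fprintf`. If continuing is intended, state it in a comment above `load_seccomp`, such as `// best effort: on any failure the program runs without the postexec filter`. The `size <= 0` branch, whose body lies outside this hunk, gets no message in this patch, so an empty filter file or a failed `lseek` would still go unreported unless that body already logs.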
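Review bot: The map-failure message added in the second hunk names neither the file nor the reason, while the open-failure message in the first hunk at least prints the path. Because it is emitted from a constructor inside whatever program the sandbox runs, it should identify its source fully: `fprintf(stderr, "Error: cannot map seccomp postexec filter file %s: %s\n", RUN_SECCOMP_POSTEXEC, strerror(errno));`. This needs `<errno.h>` and `<string.h>`; the include names are stripped on this page, so whether they are already present cannot be checked here. The collapsed layout also leaves the marker on `close(fd);` ambiguous; the descriptor should stay closed before both the error return and the filter installation, since the mapping remains valid without it. `load_seccomp` continues past the end of the hunk.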