From a1ea3e726196e5fa54950ebd0f88d25b6e9fe98c Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 27 Oct 2015 08:51:41 -0400
Subject: seccomp refactoring

---
 src/firejail/firejail.h | 10 ++++++----
 src/firejail/main.c     | 34 +++++++++++++++------------------
 src/firejail/profile.c  | 12 ++++++------
 src/firejail/sandbox.c  | 16 ++++++++--------
 src/firejail/seccomp.c  | 18 +++++++++--------
 5 files changed, 44 insertions(+), 46 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ab2fedbd8..91bb420b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -107,6 +107,12 @@ typedef struct config_t {
 	uint32_t dns2;
 	uint32_t dns3;
 
+	// seccomp
+	char *seccomp_list;// optional seccomp list on top of default filter
+	char *seccomp_list_drop; // seccomp drop list
+	char *seccomp_list_keep; // seccomp keep list
+	char **seccomp_list_errno; // seccomp errno[nr] lists
+
 	// rlimits
 	unsigned rlimit_nofile;
 	unsigned rlimit_nproc;
@@ -152,10 +158,6 @@ extern int arg_zsh; // use zsh as default shell
 extern int arg_csh; // use csh as default shell
 
 extern int arg_seccomp; // enable default seccomp filter
-extern char *arg_seccomp_list;// optional seccomp list on top of default filter
-extern char *arg_seccomp_list_drop; // seccomp drop list
-extern char *arg_seccomp_list_keep; // seccomp keep list
-extern char **arg_seccomp_list_errno; // seccomp errno[nr] lists
 
 extern int arg_caps_default_filter; // enable default capabilities filter
 extern int arg_caps_drop; // drop list
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8d11caef3..b59ff699c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
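Review bot: The four new config_t members hold heap strings that main.c and profile.c hand over via strdup()/calloc(), but nothing in the struct says who releases them, and `char *seccomp_list;//` lacks the space before the comment that the three members below it have. A one-line ownership note above the group would let a reader find the release paths without grepping, e.g. `// seccomp: heap strings owned by the option parser; drop/keep are released in sandbox(), errno in main()'s cleanup` — hedged, because this patch shows no free of seccomp_list itself, only of drop, keep and the errno array. config_t begins and ends outside the hunk.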
@@ -58,10 +58,6 @@ int arg_zsh = 0; // use zsh as default shell
 int arg_csh = 0; // use csh as default shell
 
 int arg_seccomp = 0; // enable default seccomp filter
-char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter
-char *arg_seccomp_list_drop = NULL; // seccomp drop list
-char *arg_seccomp_list_keep = NULL; // seccomp keep list
-char **arg_seccomp_list_errno = NULL; // seccomp errno[nr] lists
 
 int arg_caps_default_filter = 0; // enable default capabilities filter
 int arg_caps_drop = 0; // drop list
@@ -468,8 +464,8 @@ int main(int argc, char **argv) {
 			exit(1);
 		}
 		arg_seccomp = 1;
-		arg_seccomp_list = strdup(argv[i] + 10);
-		if (!arg_seccomp_list)
+		cfg.seccomp_list = strdup(argv[i] + 10);
+		if (!cfg.seccomp_list)
 			errExit("strdup");
 	}
 	else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
@@ -478,8 +474,8 @@ int main(int argc, char **argv) {
 			exit(1);
 		}
 		arg_seccomp = 1;
-		arg_seccomp_list_drop = strdup(argv[i] + 15);
-		if (!arg_seccomp_list_drop)
+		cfg.seccomp_list_drop = strdup(argv[i] + 15);
+		if (!cfg.seccomp_list_drop)
 			errExit("strdup");
 	}
 	else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
@@ -488,12 +484,12 @@ int main(int argc, char **argv) {
 			exit(1);
 		}
 		arg_seccomp = 1;
-		arg_seccomp_list_keep = strdup(argv[i] + 15);
-		if (!arg_seccomp_list_keep)
+		cfg.seccomp_list_keep = strdup(argv[i] + 15);
+		if (!cfg.seccomp_list_keep)
 			errExit("strdup");
 	}
 	else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) {
-		if (arg_seccomp && !arg_seccomp_list_errno) {
+		if (arg_seccomp && !cfg.seccomp_list_errno) {
 			fprintf(stderr, "Error: seccomp already enabled\n");
 			exit(1);
 		}
@@ -506,17 +502,17 @@ int main(int argc, char **argv) {
 			exit(1);
 		}
 
-		if (!arg_seccomp_list_errno)
-			arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0]));
+		if (!cfg.seccomp_list_errno)
+			cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));
 
-		if (arg_seccomp_list_errno[nr]) {
+		if (cfg.seccomp_list_errno[nr]) {
 			fprintf(stderr, "Error: errno %s already configured\n", errnoname);
 			free(errnoname);
 			exit(1);
 		}
 		arg_seccomp = 1;
-		arg_seccomp_list_errno[nr] = strdup(eq+1);
-		if (!arg_seccomp_list_errno[nr])
+		cfg.seccomp_list_errno[nr] = strdup(eq+1);
+		if (!cfg.seccomp_list_errno[nr])
 			errExit("strdup");
 		free(errnoname);
 	}
@@ -1393,10 +1389,10 @@ int main(int argc, char **argv) {
 
 	// free globals
 #ifdef HAVE_SECCOMP
-	if (arg_seccomp_list_errno) {
+	if (cfg.seccomp_list_errno) {
 		for (i = 0; i < highest_errno; i++)
-			free(arg_seccomp_list_errno[i]);
-		free(arg_seccomp_list_errno);
+			free(cfg.seccomp_list_errno[i]);
+		free(cfg.seccomp_list_errno);
 	}
 #endif
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 3edeabee9..1fadab1fa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -160,8 +160,8 @@ int profile_check_line(char *ptr, int lineno) {
 	if (strncmp(ptr, "seccomp ", 8) == 0) {
 		arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-		arg_seccomp_list = strdup(ptr + 8);
-		if (!arg_seccomp_list)
+		cfg.seccomp_list = strdup(ptr + 8);
+		if (!cfg.seccomp_list)
 			errExit("strdup");
 #endif
 		return 0;
@@ -171,8 +171,8 @@ int profile_check_line(char *ptr, int lineno) {
 	if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
 		arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-		arg_seccomp_list_drop = strdup(ptr + 13);
-		if (!arg_seccomp_list_drop)
+		cfg.seccomp_list_drop = strdup(ptr + 13);
+		if (!cfg.seccomp_list_drop)
 			errExit("strdup");
 #endif
 		return 0;
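Review bot: In the @@ -506 hunk the result of `cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0]));` is never checked before `cfg.seccomp_list_errno[nr]` is read two lines later, so an allocation failure becomes a NULL dereference; add `if (!cfg.seccomp_list_errno) errExit("calloc");` right after the assignment, matching the strdup checks around it. The cleanup in the @@ -1393 hunk frees only entries with `i < highest_errno`, while the array was sized `highest_errno+1`, so the slot at index highest_errno is never released; the apply loop in seccomp.c @@ -599 uses the same `< higest_errno` bound and would skip that slot's filter if nr can equal highest_errno — worth confirming against the nr validation above the hunk. Both hunks are inside main(), which starts and ends outside them.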
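Review bot: `cfg.seccomp_list = strdup(ptr + 8);` in the @@ -160 hunk overwrites whatever the field already holds without freeing it, so a repeated `seccomp` directive, or a profile directive following a `--seccomp=` option, leaks the earlier string and silently replaces the earlier list; the @@ -171 (seccomp_list_drop) and @@ -182 (seccomp_list_keep) hunks in this file have the same shape. The errno option path in main.c rejects a second configuration with "Error: seccomp already enabled", and the profile path could mirror that, or at minimum `free(cfg.seccomp_list);` before the strdup. profile_check_line() starts and ends outside the hunk.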
@@ -182,8 +182,8 @@ int profile_check_line(char *ptr, int lineno) {
 	if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
 		arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
-		arg_seccomp_list_keep= strdup(ptr + 13);
-		if (!arg_seccomp_list_keep)
+		cfg.seccomp_list_keep= strdup(ptr + 13);
+		if (!cfg.seccomp_list_keep)
 			errExit("strdup");
 #endif
 		return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3c5a176e6..d2c943ea1 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -190,13 +190,13 @@ int sandbox(void* sandbox_arg) {
 
 		// force default seccomp inside the chroot, no keep or drop list
 		// the list build on top of the default drop list is kept intact
 		arg_seccomp = 1;
-		if (arg_seccomp_list_drop) {
-			free(arg_seccomp_list_drop);
-			arg_seccomp_list_drop = NULL;
+		if (cfg.seccomp_list_drop) {
+			free(cfg.seccomp_list_drop);
+			cfg.seccomp_list_drop = NULL;
 		}
-		if (arg_seccomp_list_keep) {
-			free(arg_seccomp_list_keep);
-			arg_seccomp_list_keep = NULL;
+		if (cfg.seccomp_list_keep) {
+			free(cfg.seccomp_list_keep);
+			cfg.seccomp_list_keep = NULL;
 		}
 
 		// disable all capabilities
@@ -428,9 +428,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
 	// if a keep list is available, disregard the drop list
 	if (arg_seccomp == 1) {
-		if (arg_seccomp_list_keep)
+		if (cfg.seccomp_list_keep)
 			seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file
-		else if (arg_seccomp_list_errno)
+		else if (cfg.seccomp_list_errno)
 			seccomp_filter_errno(); // this will also save the filter to MNT_DIR/seccomp file
 		else
 			seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 29c87b18b..dd7b8d344 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
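Review bot: The chroot branch in the @@ -190 hunk clears `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` but leaves `cfg.seccomp_list_errno` in place, and the dispatch in the @@ -428 hunk picks seccomp_filter_errno() whenever that pointer is set, so an errno list still decides the filter inside a chroot even though the comment says the default seccomp is forced there; if that is unintended, releasing the errno array here the same way would close the gap — hedged, since seccomp_filter_errno() may itself build on the default list, which this patch does not show. As a style point, `if (cfg.seccomp_list_drop) { free(cfg.seccomp_list_drop); cfg.seccomp_list_drop = NULL; }` can drop the guard, because free(NULL) is a no-op, leaving `free(cfg.seccomp_list_drop); cfg.seccomp_list_drop = NULL;` and likewise for keep. sandbox() starts and ends outside the hunk.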
@@ -343,7 +343,7 @@ int seccomp_filter_drop(void) {
 	filter_init();
 
 	// default seccomp
-	if (arg_seccomp_list_drop == NULL) {
+	if (cfg.seccomp_list_drop == NULL) {
 #ifdef SYS_mount
 		filter_add_blacklist(SYS_mount, 0);
 #endif
@@ -507,15 +507,15 @@ int seccomp_filter_drop(void) {
 	}
 
 	// default seccomp filter with additional drop list
-	if (arg_seccomp_list && arg_seccomp_list_drop == NULL) {
-		if (syscall_check_list(arg_seccomp_list, filter_add_blacklist, 0)) {
+	if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
+		if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) {
 			fprintf(stderr, "Error: cannot load seccomp filter\n");
 			exit(1);
 		}
 	}
 	// drop list
-	else if (arg_seccomp_list == NULL && arg_seccomp_list_drop) {
-		if (syscall_check_list(arg_seccomp_list_drop, filter_add_blacklist, 0)) {
+	else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
+		if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) {
 			fprintf(stderr, "Error: cannot load seccomp filter\n");
 			exit(1);
 		}
@@ -558,8 +558,8 @@ int seccomp_filter_keep(void) {
 	filter_add_whitelist(SYS_dup, 0);
 
 	// apply keep list
-	if (arg_seccomp_list_keep) {
-		if (syscall_check_list(arg_seccomp_list_keep, filter_add_whitelist, 0)) {
+	if (cfg.seccomp_list_keep) {
+		if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) {
 			fprintf(stderr, "Error: cannot load seccomp filter\n");
 			exit(1);
 		}
@@ -599,8 +599,8 @@ int seccomp_filter_errno(void) {
 
 	// apply errno list
 	for (i = 0; i < higest_errno; i++) {
-		if (arg_seccomp_list_errno[i]) {
-			if (syscall_check_list(arg_seccomp_list_errno[i], filter_add_errno, i)) {
+		if (cfg.seccomp_list_errno[i]) {
+			if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) {
 				fprintf(stderr, "Error: cannot load seccomp filter\n");
 				exit(1);
 			}
-- 
cgit v1.2.3-70-g09d2
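Review bot: The two branches in the @@ -507 hunk, `if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL)` and `else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop)`, leave the case where both pointers are set with no branch at all, so neither list is applied and the sandbox silently runs with only the default filter — a weaker policy than the caller configured. That combination looks reachable because the profile.c hunks in this commit assign each field without examining the other (hedged; any validation ahead of main()'s hunks is not visible here). Rejecting the combination where the lists are parsed, or handling it explicitly here with `fprintf(stderr, "Error: cannot load seccomp filter\n"); exit(1);` like the existing error paths, would make the failure loud. seccomp_filter_drop() starts and ends outside the hunk.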