From a5c62dfa5955ad91aa6592c0a5443b93f8432bf3 Mon Sep 17 00:00:00 2001 From: startx2017 Date: Tue, 1 Sep 2020 09:54:26 -0400 Subject: removed --disable-seccomp from ./configure --- Makefile.in | 7 ------- configure | 24 ++---------------------- configure.ac | 13 +------------ src/common.mk.in | 4 +--- src/firejail/checkcfg.c | 12 ------------ src/firejail/dbus.c | 2 -- src/firejail/join.c | 2 -- src/firejail/main.c | 9 +-------- src/firejail/preproc.c | 2 -- src/firejail/profile.c | 22 ---------------------- src/firejail/protocol.c | 4 ---- src/firejail/sandbox.c | 14 ++------------ src/firejail/seccomp.c | 3 --- src/firejail/usage.c | 4 ---- src/include/seccomp.h | 17 ----------------- test/compile/compile.sh | 38 +++++++++++++++++++------------------- 16 files changed, 26 insertions(+), 151 deletions(-) diff --git a/Makefile.in b/Makefile.in index 890ba1b0a..3e500413d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -10,7 +10,6 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ PACKAGE_TARNAME=@PACKAGE_TARNAME@ DOCDIR=@docdir@ -HAVE_SECCOMP=@HAVE_SECCOMP@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ @@ -23,10 +22,8 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil MYDIRS = src/lib MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 -endif ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) .PHONY: all_items $(ALL_ITEMS) 
@@ -45,7 +42,6 @@ $(MANPAGES): $(wildcard src/man/*.txt) man: $(MANPAGES) filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize src/fseccomp/fseccomp default seccomp src/fsec-optimize/fsec-optimize seccomp @@ -66,7 +62,6 @@ seccomp.mdwx: src/fseccomp/fseccomp seccomp.mdwx.32: src/fseccomp/fseccomp src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 -endif clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ @@ -248,9 +243,7 @@ test-environment: cd test/environment; ./environment.sh | grep TESTING test-filters: -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) cd test/filters; ./filters.sh | grep TESTING -endif test-arguments: cd test/arguments; ./arguments.sh | grep TESTING diff --git a/configure b/configure index 12881fcaf..1a89499b2 100755 --- a/configure +++ b/configure @@ -624,7 +624,6 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS -HAVE_SECCOMP_H EGREP GREP CPP @@ -641,7 +640,6 @@ HAVE_USERNS HAVE_NETWORK HAVE_GLOBALCFG HAVE_CHROOT -HAVE_SECCOMP HAVE_PRIVATE_HOME HAVE_FIRETUNNEL HAVE_OVERLAYFS @@ -710,7 +708,6 @@ enable_apparmor enable_overlayfs enable_firetunnel enable_private_home -enable_seccomp enable_chroot enable_globalcfg enable_network @@ -1363,7 +1360,6 @@ Optional Features: --disable-overlayfs disable overlayfs --disable-firetunnel disable firetunnel --disable-private-home disable private home feature - --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-globalcfg if the global config file firejail.cfg is not present, continue the program using defaults 
@@ -3535,19 +3531,6 @@ if test "x$enable_private_home" != "xno"; then : HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" -fi - -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - fi HAVE_CHROOT="" @@ -4173,14 +4156,13 @@ fi ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : - HAVE_SECCOMP_H="-DHAVE_SECCOMP_H" + else - HAVE_SECCOMP_H="" + as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5 fi - # set sysconfdir if test "$prefix" = /usr; then test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" @@ -5382,8 +5364,6 @@ echo echo "Configuration options:" echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" -echo " seccomp: $HAVE_SECCOMP" -echo " : $HAVE_SECCOMP_H" echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" diff --git a/configure.ac b/configure.ac index feb0b38a6..0524651fb 100644 --- a/configure.ac +++ b/configure.ac @@ -76,14 +76,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [ AC_SUBST(HAVE_PRIVATE_HOME) ]) -HAVE_SECCOMP="" -AC_ARG_ENABLE([seccomp], - AS_HELP_STRING([--disable-seccomp], [disable seccomp])) -AS_IF([test "x$enable_seccomp" != "xno"], [ - HAVE_SECCOMP="-DHAVE_SECCOMP" - AC_SUBST(HAVE_SECCOMP) -]) - HAVE_CHROOT="" AC_ARG_ENABLE([chroot], AS_HELP_STRING([--disable-chroot], [disable chroot])) 
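Review bot: Removing the AC_ARG_ENABLE([seccomp]) block means `./configure --disable-seccomp` is no longer rejected — by default autoconf only prints an "unrecognized options" warning at the end of the run — so a packaging script that still passes the flag silently gets a seccomp-mandatory build, and anyone who relied on the switch (say, for a kernel built without seccomp filter support) finds out at runtime rather than at configure time. Since this commit makes seccomp mandatory, make that explicit: keep a stub option that fails loudly, `AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [no longer supported; seccomp is mandatory]), [AS_IF([test "x$enable_seccomp" = "xno"], [AC_MSG_ERROR([seccomp can no longer be disabled])])])`, and mention the change in the release notes. The rest of configure.ac is outside this hunk.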
@@ -196,8 +188,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="")
-AC_SUBST(HAVE_SECCOMP_H)
+AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
 # set sysconfdir
 if test "$prefix" = /usr; then
@@ -214,8 +205,6 @@ echo
 echo "Configuration options:"
 echo " prefix: $prefix"
 echo " sysconfdir: $sysconfdir"
-echo " seccomp: $HAVE_SECCOMP"
-echo " : $HAVE_SECCOMP_H"
 echo " apparmor: $HAVE_APPARMOR"
 echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
diff --git a/src/common.mk.in b/src/common.mk.in
index 8104bc258..4c4d0862c 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
@@ -34,7 +32,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f6b3b3252..fb19e8f5a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -226,7 +226,6 @@ int checkcfg(int val) {
 // seccomp error action
 else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
 if (strcmp(ptr + 21, "kill") == 0)
 cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
 else if (strcmp(ptr + 21, "log") == 0)
@@ -239,9 +238,6 @@ int checkcfg(int val) {
 config_seccomp_error_action_str = strdup(ptr + 21);
 if (!config_seccomp_error_action_str)
 errExit("strdup");
-#else
- warning_feature_disabled("seccomp");
-#endif
 }
 else
@@ -347,14 +343,6 @@ void print_compiletime_support(void) {
 #endif
 );
- printf("\t- seccomp-bpf support is %s\n",
-#ifdef HAVE_SECCOMP
- "enabled"
-#else
- "disabled"
-#endif
- );
-
 printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
 "enabled"
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 36d110ac7..f0ba10afc 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
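Review bot: The `"kill"` branch stores `SECCOMP_RET_KILL`, and with this commit that constant comes solely from the system `<linux/seccomp.h>` (the fallback definitions are dropped from src/include/seccomp.h), where current kernel headers define it as an alias of `SECCOMP_RET_KILL_THREAD` — in a multithreaded program only the violating thread dies and the process carries on, which is weaker than the "kill process" wording in usage.c. The numeric value is unchanged by this commit (the old fallback was also 0), but since the action is now header-defined this is the moment to choose the stronger one: `cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL_PROCESS;`, guarded by `#ifndef SECCOMP_RET_KILL_PROCESS` / `#define SECCOMP_RET_KILL_PROCESS 0x80000000U` placed next to the existing SECCOMP_RET_LOG fallback in src/include/seccomp.h; on kernels that predate it the high bit is masked off and it degrades to the thread kill. Whether this value is what actually ends up in the BPF program depends on fseccomp, which is not in this diff, so that side needs the same change. checkcfg() starts and ends outside the hunk.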
@@ -555,10 +555,8 @@ void dbus_apply_policy(void) { return; // --protocol=unix -#ifdef HAVE_SECCOMP if (cfg.protocol && !strstr(cfg.protocol, "unix")) return; -#endif fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); } diff --git a/src/firejail/join.c b/src/firejail/join.c index c7619ef3b..7fd5ec3d3 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -465,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) { EUID_ROOT(); if (apply_caps == 1) // not available for uid 0 caps_set(caps); -#ifdef HAVE_SECCOMP if (getuid() != 0) seccomp_load_file_list(); -#endif // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 diff --git a/src/firejail/main.c b/src/firejail/main.c index df890ecea..75324b66a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -479,7 +479,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { //************************************* // independent commands - the program will exit! //************************************* -#ifdef HAVE_SECCOMP else if (strcmp(argv[i], "--debug-syscalls") == 0) { if (checkcfg(CFG_SECCOMP)) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); @@ -529,7 +528,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit_err_feature("seccomp"); exit(0); } -#endif else if (strncmp(argv[i], "--profile.print=", 16) == 0) { pid_t pid = require_pid(argv[i] + 16); @@ -950,7 +948,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b (void) native; } -#ifdef HAVE_SECCOMP static int check_postexec(const char *list) { char *prelist, *postlist; @@ -961,7 +958,6 @@ static int check_postexec(const char *list) { } return 0; } -#endif //******************************************* // Main program 
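Review bot: `seccomp_load_file_list()` is now always compiled in but is still called only when `getuid() != 0`, so a `--join` performed as root enters the sandbox without the target's seccomp filters; the caps line just above carries a `// not available for uid 0` comment and this one does not, and with the #ifdef gone there is nothing left to draw a reader's eye to the asymmetry. Add the same marker, `if (getuid() != 0) // seccomp filters are not loaded when joining as uid 0`, or a short why-comment if root has to skip them for a reason (ownership of the filter files is not visible here). join() starts and ends outside the hunk.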
@@ -1264,7 +1260,6 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--apparmor") == 0) arg_apparmor = 1; #endif -#ifdef HAVE_SECCOMP else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { @@ -1402,7 +1397,6 @@ int main(int argc, char **argv, char **envp) { } else exit_err_feature("seccomp"); } -#endif else if (strcmp(argv[i], "--caps") == 0) { arg_caps_default_filter = 1; arg_caps_cmdline = 1; @@ -2783,10 +2777,9 @@ int main(int argc, char **argv, char **envp) { // check network configuration options - it will exit if anything went wrong net_check_cfg(); -#ifdef HAVE_SECCOMP if (arg_seccomp) arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); -#endif + bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index c0b09e945..836526593 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) { if (arg_tracefile) fs_tracefile(); -#ifdef HAVE_SECCOMP create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); if (arg_seccomp_block_secondary) @@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) { create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) errExit("set_perms"); -#endif } } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 970033899..8eaae9a30 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "seccomp") == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_seccomp = 1; else warning_feature_disabled("seccomp"); -#endif return 0; } else if (strcmp(ptr, "caps") == 0) { @@ -861,7 +859,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strncmp(ptr, "protocol ", 9) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); @@ -875,7 +872,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } else warning_feature_disabled("seccomp"); -#endif return 0; } 
@@ -890,102 +886,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // seccomp drop list on top of default list
 if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list = seccomp_check_list(ptr + 8);
 }
 else if (!arg_quiet)
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
 }
 else if (!arg_quiet)
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp_block_secondary = 1;
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 // seccomp drop list without default list
 if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 // seccomp keep list
 if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp = 1;
 cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 arg_seccomp32 = 1;
 cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 // memory deny write&execute
 if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))
 arg_memory_deny_write_execute = 1;
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
 // seccomp error action
 if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP)) {
 int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
 if (config_seccomp_error_action == -1) {
@@ -1008,7 +987,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 }
 else
 warning_feature_disabled("seccomp");
-#endif
 return 0;
 }
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index a1594d6b9..cd54eb72d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
 exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5a4741a56..3bb4858c9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,6 @@ void set_apparmor(void) {
 }
 #endif
-#ifdef HAVE_SECCOMP
 void seccomp_debug(void) {
 if (arg_debug == 0)
 return;
@@ -158,7 +157,6 @@ void seccomp_debug(void) {
 printf("No active seccomp files\n");
 EUID_ROOT();
 }
-#endif
 static void save_nogroups(void) {
 if (arg_nogroups == 0)
@@ -497,9 +495,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
 seccomp_install_filters();
-#endif
 if (set_sandbox_status)
 *set_sandbox_status = SANDBOX_DONE;
 execl(arg_audit_prog, arg_audit_prog, NULL);
@@ -536,9 +532,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
 seccomp_install_filters();
-#endif
+
 if (set_sandbox_status)
 *set_sandbox_status = SANDBOX_DONE;
 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
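Review bot: The `seccomp.32.drop ` and `seccomp.32.keep ` branches compare only 13 characters of a 16-character keyword and then hand `ptr + 13` to seccomp_check_list(), so a profile line `seccomp.32.drop ptrace` is matched but `cfg.seccomp_list_drop32` receives `"op ptrace"` (the keep variant gets `"ep ..."`); the 13 was evidently copied from the `seccomp.drop ` / `seccomp.keep ` cases just above, where it is correct. Now that these directives are compiled in unconditionally every 32-bit drop/keep line in a profile takes this path, so the 32-bit filter either fails to build or is not the one the profile author asked for — what seccomp_check_list() does with the garbage prefix is not visible here. Change both the length and the offset: `if (strncmp(ptr, "seccomp.32.drop ", 16) == 0)` … `cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);`, and the same 16 for `seccomp.32.keep `. profile_check_line() starts before this hunk and continues past it.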
@@ -591,9 +586,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) { #ifdef HAVE_GCOV __gcov_dump(); #endif -#ifdef HAVE_SECCOMP seccomp_install_filters(); -#endif + if (set_sandbox_status) *set_sandbox_status = SANDBOX_DONE; execvp(arg[0], arg); @@ -797,7 +791,6 @@ int sandbox(void* sandbox_arg) { // - build seccomp filters // - create an empty /etc/ld.so.preload //**************************** -#ifdef HAVE_SECCOMP if (cfg.protocol) { if (arg_debug) printf("Build protocol filter: %s\n", cfg.protocol); @@ -808,7 +801,6 @@ int sandbox(void* sandbox_arg) { if (rv) exit(rv); } -#endif // need ld.so.preload if tracing or seccomp with any non-default lists bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; @@ -1107,7 +1099,6 @@ int sandbox(void* sandbox_arg) { save_cgroup(); // set seccomp -#ifdef HAVE_SECCOMP // install protocol filter #ifdef SYS_socket if (cfg.protocol) { @@ -1151,7 +1142,6 @@ int sandbox(void* sandbox_arg) { // make seccomp filters read-only fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); seccomp_debug(); -#endif // set capabilities set_caps(); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7f55ccc0e..e47e6c910 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -18,7 +18,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#ifdef HAVE_SECCOMP #include "firejail.h" #include "../include/seccomp.h" #include @@ -445,5 +444,3 @@ errexit: printf("Cannot access seccomp filter.\n"); exit(1); } - -#endif // HAVE_SECCOMP diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 2390706f2..d58bbb409 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -123,10 +123,8 @@ static char *usage_str =
 " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
 " --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
 " --memory-deny-write-execute - seccomp filter to block attempts to create\n"
 "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
 " --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
 " --seccomp - enable seccomp filter and apply the default blacklist.\n"
 " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
 "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
 " --seccomp-error-action=errno|kill|log - change error code, kill process\n"
 "\tor log the attempt.\n"
-#endif
 " --shell=none - run the program directly without a user shell.\n"
 " --shell=program - set default user shell.\n"
 " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 29b858c70..90db16d39 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -96,24 +96,7 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
-#if HAVE_SECCOMP_H
+#include
-#else
-#define SECCOMP_MODE_FILTER 2
-#define SECCOMP_RET_KILL 0x00000000U
-#define SECCOMP_RET_TRAP 0x00030000U
-#define SECCOMP_RET_ALLOW 0x7fff0000U
-#define SECCOMP_RET_ERRNO 0x00050000U
-#define SECCOMP_RET_DATA 0x0000ffffU
-
-struct seccomp_data {
- int nr;
- __u32 arch;
- __u64 instruction_pointer;
- __u64 args[6];
-};
-#endif
-
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG 0x7ffc0000U
 #endif
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 2f9e0ece6..3d334e0fa 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh @@ -4,7 +4,7 @@ # License GPL v2 arr[1]="TEST 1: standard compilation" -arr[2]="TEST 2: compile seccomp disabled" +arr[2]="deprecated" arr[3]="TEST 3: compile chroot disabled" arr[4]="TEST 4: compile firetunnel disabled" arr[5]="TEST 5: compile user namespace disabled" @@ -74,23 +74,23 @@ cp output-make om1 rm output-configure output-make -#***************************************************************** -# TEST 2 -#***************************************************************** -# - disable seccomp configuration -#***************************************************************** -print_title "${arr[2]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test2 -grep Error output-configure output-make >> ./report-test2 -cp output-configure oc2 -cp output-make om2 -rm output-configure output-make +##***************************************************************** +## TEST 2 +##***************************************************************** +## - disable seccomp configuration +##***************************************************************** +#print_title "${arr[2]}" +## seccomp +#cd firejail +#make distclean +#./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure +#make -j4 2>&1 | tee ../output-make +#cd .. +#grep Warning output-configure output-make > ./report-test2 +#grep Error output-configure output-make >> ./report-test2 +#cp output-configure oc2 +#cp output-make om2 +#rm output-configure output-make #***************************************************************** # TEST 3 @@ -342,7 +342,7 @@ wc -l report-test* echo echo "Legend:" echo ${arr[1]} -echo ${arr[2]} +#echo ${arr[2]} echo ${arr[3]} echo ${arr[4]} echo ${arr[5]} -- cgit v1.2.3-54-g00ecf
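Review bot: TEST 2 survives as roughly twenty commented-out lines plus `arr[2]="deprecated"`, while the legend `echo ${arr[2]}` is commented out as well, so the script now carries a dead block and a label that nothing prints, and a stale `./configure --disable-seccomp` invocation stays in the file as a copy-paste trap. Git history already preserves the old test, so delete the block and replace it with a single line that explains the gap in the numbering, `# TEST 2 (--disable-seccomp build) removed: seccomp can no longer be disabled`, setting `arr[2]` to that same text or dropping the slot. The `wc -l report-test*` summary and the legend echoes sit in the second hunk; the rest of the script is outside this diff.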