From c67467fed6392a2888c8e044f7dfa6815bc92901 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 20 Nov 2016 08:20:09 -0500
Subject: seccomp work 2
---
 src/firejail/fs.c | 22 ++++------------------
 src/firejail/seccomp.c | 38 +-------------------------------------
 2 files changed, 5 insertions(+), 55 deletions(-)
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7ff7e3c59..5774ebf6a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) {
 create_empty_dir_as_root(rundir, 0755);
 free(rundir);
- // create /run/firejail/mnt directory in chroot and mount a tmpfs
- if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
+ // create /run/firejail/mnt directory in chroot and mount the current one
+ if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
 errExit("asprintf");
 create_empty_dir_as_root(rundir, 0755);
- if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("mounting /run/firejail/mnt");
- fs_logger2("tmpfs", RUN_MNT_DIR);
- free(rundir);
+ if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount bind");
- // retrieve seccomp.protocol
- struct stat s;
- if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
- if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
- errExit("asprintf");
- copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
- free(rundir);
- }
-
 // copy /etc/resolv.conf in chroot directory
 // if resolv.conf in chroot is a symbolic link, this will fail
 // no exit on error, let the user deal with the problem
@@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) {
 if (chroot(rootdir) < 0)
 errExit("chroot");
- // create all other /run/firejail files and directories
- preproc_build_firejail_dir();
-
 if (checkcfg(CFG_CHROOT_DESKTOP)) {
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)
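Review bot: The `rundir` string from the second `asprintf` is no longer released in the first fs.c hunk: the old path freed it right after `fs_logger2`, but the new side replaces the tmpfs mount with the bind mount and drops that `free(rundir)` without re-adding one, and the seccomp.protocol block that used to reuse `rundir` is gone as well, so the allocation leaks for the rest of fs_chroot. Add `free(rundir);` directly after `errExit("mount bind");`. The bind mount is also not recorded through `fs_logger2` the way the tmpfs mount was, so the sandbox's mount log loses this entry; if that log is meant to be complete, a call along the lines of `fs_logger2("bind", RUN_MNT_DIR);` should follow the mount. fs_chroot starts before this hunk and its body continues past both hunks in this file.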
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 30c63d734..4678f366b 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -94,16 +94,6 @@ int seccomp_load(const char *fname) {
 // i386 filter installed on amd64 architectures
 void seccomp_filter_32(void) {
-#if 0
- if (arg_debug)
- printf("Build secondary 32-bit filter\n");
-
- // build the seccomp filter as a regular user
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
- PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386);
- if (rv)
- exit(rv);
-#endif
 if (seccomp_load(RUN_SECCOMP_I386) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -112,17 +102,6 @@ void seccomp_filter_32(void) {
 // amd64 filter installed on i386 architectures
 void seccomp_filter_64(void) {
-#if 0
- if (arg_debug)
- printf("Build secondary 64-bit filter\n");
-
- // build the seccomp filter as a regular user
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
- PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64);
- if (rv)
- exit(rv);
-#endif
-
 if (seccomp_load(RUN_SECCOMP_AMD64) == 0) {
 if (arg_debug)
 printf("Dual i386/amd64 seccomp filter configured\n");
@@ -139,21 +118,6 @@ int seccomp_filter_drop(int enforce_seccomp) {
 #if defined(__i386__)
 seccomp_filter_64();
 #endif
-
-#if 0
- if (arg_debug)
- printf("Build default seccomp filter\n");
- // build the seccomp filter as a regular user
- int rv;
- if (arg_allow_debuggers)
- rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
- PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers");
- else
- rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
- PATH_FSECCOMP, "default", RUN_SECCOMP_CFG);
- if (rv)
- exit(rv);
-#endif
 }
 // default seccomp filter with additional drop list
 else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) {
@@ -209,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 exit(1);
 }
- if (arg_debug)
+ if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
--
cgit v1.2.3-70-g09d2
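Review bot: The new `access(PATH_FSECCOMP, X_OK) == 0` guard silently skips the filter dump when the helper is missing or not executable, so a debug run gives no hint why the seccomp filter was not printed; consider an `else if (arg_debug) fprintf(stderr, "Warning: %s not executable, seccomp filter not printed\n", PATH_FSECCOMP);` (or whatever warning helper this file already uses) so a broken install is visible. Since the guard only gates a diagnostic `sbox_run`, the check-then-use window it introduces has no enforcement consequence here, but the return value of that `sbox_run` on the following two lines is still discarded, as it was before this change. seccomp_filter_drop begins before this hunk and its body continues past it.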