From 88eadbf31fe25dcd7c224a5d92f71c79ccf6c9d3 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 14 Mar 2020 00:07:06 +0200
Subject: seccomp: allow defining separate filters for 32-bit arch

System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.

Closes #3267.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 src/include/rundefs.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'src/include/rundefs.h')

diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 1cfeee28d..32f5ff12c 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -62,13 +62,17 @@
 #define RUN_SECCOMP_PROTOCOL		RUN_SECCOMP_DIR "/seccomp.protocol"		// protocol filter
 #define RUN_SECCOMP_CFG			RUN_SECCOMP_DIR "/seccomp"			// configured filter
 #define RUN_SECCOMP_32			RUN_SECCOMP_DIR "/seccomp.32"			// 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX		RUN_SECCOMP_DIR "/seccomp.mdwx"		// filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX		RUN_SECCOMP_DIR "/seccomp.mdwx"			// filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX_32		RUN_SECCOMP_DIR "/seccomp.mdwx.32"
 #define RUN_SECCOMP_BLOCK_SECONDARY	RUN_SECCOMP_DIR "/seccomp.block_secondary"	// secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC		RUN_SECCOMP_DIR "/seccomp.postexec"		// filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC_32		RUN_SECCOMP_DIR "/seccomp.postexec32"		// filter for post-exec library
 #define PATH_SECCOMP_DEFAULT 		LIBDIR "/firejail/seccomp"			// default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG 	LIBDIR "/firejail/seccomp.debug"		// default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG 	LIBDIR "/firejail/seccomp.debug"		// debug filter built during make
 #define PATH_SECCOMP_32 		LIBDIR "/firejail/seccomp.32"			// 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX 		LIBDIR "/firejail/seccomp.mdwx"		// filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_DEBUG_32 		LIBDIR "/firejail/seccomp.debug32"		// 32bit arch debug filter built during make
+#define PATH_SECCOMP_MDWX 		LIBDIR "/firejail/seccomp.mdwx"			// filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_MDWX_32 		LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY 	LIBDIR "/firejail/seccomp.block_secondary"	// secondary arch blocking filter built during make
 
 
-- 
cgit v1.2.3-70-g09d2