From d01216de45884300c87e7d3ccb70e53ebb461449 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 19 Aug 2017 23:22:38 +0300 Subject: Feature: switch/config option to block secondary architectures Add a feature for a new (opt-in) command line switch and config file option to block secondary architectures entirely. Also block changing Linux execution domain with personality() system call for the primary architecture. Closes #1479 --- src/man/firejail-profile.txt | 4 ++++ src/man/firejail.txt | 15 ++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) (limited to 'src/man') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 2a7d926b9..050c3d7e5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -310,6 +310,10 @@ Enable seccomp filter and blacklist the syscalls in the default list. See man 1 \fBseccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. .TP +\fBseccomp.block-secondary +Enable seccomp filter and filter system call architectures +so that only the native architecture is allowed. +.TP \fBseccomp.drop syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list. .TP diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 89b815e02..d1970c985 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1572,9 +1572,10 @@ system call can be specified by its number instead of name with prefix $, so for example $165 would be equal to mount on i386. .br -System architecture is not strictly imposed. The filter is applied -at run time only if the correct architecture was detected. For the case of I386 and AMD64 -both 32-bit and 64-bit filters are installed. +System architecture is strictly imposed only if flag +\-\-seccomp.block_secondary is used. The filter is applied at run time +only if the correct architecture was detected. For the case of I386 +and AMD64 both 32-bit and 64-bit filters are installed. .br .br @@ -1645,6 +1646,14 @@ $ ls Bad system call .br +.TP +\fB\-\-seccomp.block_secondary +Enable seccomp filter and filter system call architectures so that +only the native architecture is allowed. For example, on amd64, i386 +and x32 system calls are blocked as well as changing the execution +domain with personality(2) system call. +.br + .TP \fB\-\-seccomp.drop=syscall,syscall,syscall Enable seccomp filter, and blacklist the syscalls specified by the command. -- cgit v1.2.3-70-g09d2
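Review bot: the profile keyword and the command-line option disagree on spelling: the firejail-profile.txt hunk adds `seccomp.block-secondary` (hyphen) while the firejail.txt hunks document `\-\-seccomp.block_secondary` (underscore). The existing pairs in the same context (`seccomp.drop` in the profile, `\-\-seccomp.drop` on the command line) use the same name on both sides, so one of the two spellings should be changed to match before this is merged. The profile entry should also carry the personality(2) detail that the firejail.txt entry documents, so that profile users learn that the option does more than filter architectures.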
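Review bot: in the `@@ -1572` hunk the reworded paragraph reads as self-contradictory: "System architecture is strictly imposed only if flag \-\-seccomp.block_secondary is used." is immediately followed by "The filter is applied at run time only if the correct architecture was detected.", which describes the behaviour without the flag. Making the second sentence explicitly the default case would remove the ambiguity, for example "Otherwise the filter is applied at run time only if the correct architecture was detected."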
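Review bot: in the `@@ -1645` hunk the example sentence is easy to misparse, since "on amd64, i386 and x32 system calls are blocked" can be read as a list of three architectures whose calls are blocked. Suggest "For example, on amd64, i386 and x32 system calls are blocked, as is changing the execution domain with the personality(2) system call." Also note that the new entry ends with `.br` followed by an added blank line before the next `.TP`; please check that this matches the spacing of the neighbouring entries so the rendered man page stays consistent.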