From 38276c9c64c8a0e086f2fb84402c5105c1483216 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 12 Apr 2018 12:45:43 -0400
Subject: cleanup seccomp run files

---
 src/firejail/sandbox.c | 33 ++++++++++++++++++++++++++++-----
 src/firejail/sbox.c | 3 ++-
 2 files changed, 30 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 709ce96b6..5c7f73fc1 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) {
 seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
 protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
 }
+ else {
+ int rv = unlink(RUN_SECCOMP_PROTOCOL);
+ (void) rv;
+ }
 #endif
 
 // if a keep list is available, disregard the drop list
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) {
 seccomp_filter_keep();
 else
 seccomp_filter_drop();
- }
 
- if (arg_debug) {
- printf("\nSeccomp files:\n");
- int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+ // clean unused filters
+#if defined(__LP64__)
+ int rv = unlink(RUN_SECCOMP_64);
+#endif
+#if defined(__ILP32__)
+ int rv = unlink(RUN_SECCOMP_32);
+#endif
+ (void) rv;
+ }
+ else { // clean seccomp files under /run/firejail/mnt
+ int rv = unlink(RUN_SECCOMP_CFG);
+ rv |= unlink(RUN_SECCOMP_64);
+ rv |= unlink(RUN_SECCOMP_32);
 (void) rv;
- printf("\n");
 }
 
 if (arg_memory_deny_write_execute) {
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) {
 printf("Install memory write&execute filter\n");
 seccomp_load(RUN_SECCOMP_MDWX); // install filter
 }
+ else {
+ int rv = unlink(RUN_SECCOMP_MDWX);
+ (void) rv;
+ }
+
+ if (arg_debug) {
+ printf("\nSeccomp files:\n");
+ int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
+ (void) rv;
+ printf("\n");
+ }
 #endif
 
 //****************************************
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index fed1f7ba7..cc2b08542 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
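Review bot: The new `else` branch discards the result of `unlink(RUN_SECCOMP_PROTOCOL)` with `(void) rv;`, so any failure other than ENOENT (the file simply never having been written) leaves the stale protocol filter file in place with no trace in the output. The same pattern appears in the `#if defined` block and the `else` branch of the next hunk and in the RUN_SECCOMP_MDWX `else` branch of the third hunk, so a small file-scope helper that treats ENOENT as the normal case and warns on anything else would replace all four sites; it relies on `<errno.h>` and `<string.h>`, which I cannot confirm are already included from the hunk. sandbox() itself begins and ends outside this hunk, and the helper would have to be defined above it.
```c
// Remove a filter file this sandbox will not load.  A missing file is the
// normal case; any other failure leaves a stale filter behind, so report it.
static void seccomp_unlink_unused(const char *path) {
	if (unlink(path) == -1 && errno != ENOENT)
		fprintf(stderr, "Warning: cannot remove %s: %s\n", path, strerror(errno));
}
// … unchanged: protocol filter load and save …
	else
		seccomp_unlink_unused(RUN_SECCOMP_PROTOCOL);
```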
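Review bot: `int rv` is declared under two independent conditionals, `#if defined(__LP64__)` and `#if defined(__ILP32__)`, while the `(void) rv;` that follows is unconditional, so a target that defines neither macro fails to compile on that line with an undeclared `rv`; GCC and clang define one of the two on the common Linux targets, but I cannot confirm that for every architecture the project supports. Replacing the second `#if defined(__ILP32__)` with `#else` and dropping its matching `#endif` gives exactly one declaration on every build and states the intent, removing the secondary-arch filter this build never loads, without relying on the two macros being exhaustive. This assumes, as the names suggest, that RUN_SECCOMP_64 is only loaded by 32-bit builds and RUN_SECCOMP_32 only by 64-bit builds; confirm against seccomp_filter_keep() and seccomp_filter_drop() before changing it. sandbox() begins and ends outside this hunk.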
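Review bot: The relocated debug block still does its listing through `system("ls -l /run/firejail/mnt/seccomp*\n")`, which now runs after every seccomp filter, including the RUN_SECCOMP_MDWX one, has been loaded into this process; if the sandbox mount namespace is already in place here and the process has not yet dropped its privileges (both inferred from the surrounding code, not visible in the hunk), a debug switch is spawning `/bin/sh` and `ls` from inside the sandbox root with those privileges, and any filter that rejects fork or execve makes the listing silently empty. Enumerating the directory with opendir()/readdir() keeps the output under the program's control and needs no shell, at the cost of the `ls -l` columns; it requires `<dirent.h>`. The `(void) rv;` after the `unlink(RUN_SECCOMP_MDWX)` call has the same issue as the earlier hunks and is covered there. sandbox() begins and ends outside this hunk.
```c
	if (arg_debug) {
		printf("\nSeccomp files:\n");
		DIR *dir = opendir("/run/firejail/mnt");
		if (dir) {
			struct dirent *entry;
			while ((entry = readdir(dir)) != NULL) {
				if (strncmp(entry->d_name, "seccomp", 7) == 0)
					printf("%s\n", entry->d_name);
			}
			closedir(dir);
		}
		printf("\n");
	}
```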
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) {
 for (i = 3; i < max; i++)
 close(i); // close open files
 
+#if 0
 if (arg_debug) {
 printf("sbox file descriptors:\n");
 int rv = system("ls -l /proc/self/fd");
 (void) rv;
 }
-
+#endif
 umask(027);
 
 // apply filters
--
cgit v1.2.3-54-g00ecf