From 6fa19aab98b0b350c3a77c5f614f1b781760ab53 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 12 Jul 2023 09:31:49 -0400
Subject: feature: use seccomp filters build at install time for --restrict-namespaces

---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 5 ++++-
 src/firejail/preproc.c | 4 ++++
 src/firejail/profile.c | 4 +++-
 src/firejail/sandbox.c | 14 +++++++++++++-
 src/include/rundefs.h | 2 ++
 6 files changed, 27 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d85b470e6..c791913ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code; // always exit with first child's exit s
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 732ca93c2..45b199db4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
 exit_err_feature("seccomp");
 }
 else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
- if (checkcfg(CFG_SECCOMP))
+ if (checkcfg(CFG_SECCOMP)) {
+ arg_restrict_namespaces = 1;
 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ }
 else
 exit_err_feature("seccomp");
 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6055ec95b..e0c11a005 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
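Review bot: The new `extern int arg_restrict_namespaces;` is the only declaration in this run of externs without the trailing comment its neighbours carry, so a reader has to open main.c and sandbox.c to learn what the flag means. The main.c and sandbox.c hunks of this commit establish it: the flag records that the bare `--restrict-namespaces` option (or profile line) was given, and sandbox() then loads the install-time seccomp.namespaces filter instead of generating one. Suggest `extern int arg_restrict_namespaces; // bare --restrict-namespaces given: sandbox() loads the prebuilt namespaces filter`.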
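Review bot: The pair `arg_restrict_namespaces = 1;` plus `profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");` is now written out verbatim here and again in the profile.c hunk, and the install-time filter that sandbox.c loads for this flag presumably encodes the same namespace set a third time, so the copies can drift apart without any compiler complaint. Hoisting the list into one named constant in firejail.h, e.g. `#define RESTRICT_NAMESPACES_ALL "cgroup,ipc,net,mnt,pid,time,user,uts" // keep in step with the install-time seccomp.namespaces filter`, and having both sites pass it would leave a single place to update. main()'s body continues outside the hunk on both sides.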
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
 errExit("set_perms");
 if (cfg.restrict_namespaces) {
+ copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+ copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
 create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
 if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
 errExit("set_perms");
 create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
 if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
 errExit("set_perms");
+#endif
 }
 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ae881664b..07449f646 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // restrict-namespaces
 if (strcmp(ptr, "restrict-namespaces") == 0) {
- if (checkcfg(CFG_SECCOMP))
+ if (checkcfg(CFG_SECCOMP)) {
+ arg_restrict_namespaces = 1;
 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+ }
 else
 warning_feature_disabled("seccomp");
 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9eb476f16..538f5be67 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
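Review bot: The two `copy_file(...)` calls that replace the create-and-chown sequence are the only steps in this block whose outcome is not checked, while every `set_perms` around them is followed by `errExit`; if copy_file reports a missing or unreadable install-time filter through its return value instead of aborting (worth confirming against util.c), the run directory ends up without RUN_SECCOMP_NS and sandbox() later tries to load a file that is not there, so an explicitly requested restriction can silently go missing. Treat a failed copy as fatal, in the style of the surrounding lines: `if (copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644)) errExit("copy_file");` and the same for the 32-bit filter. The old sequence kept under `#if 0 ... #endif` is dead code and should be removed rather than disabled; the history holds it if it is ever needed again. preproc_mount_mnt_dir() continues outside the hunk on both sides.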
@@ -1211,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
 seccomp_load(RUN_SECCOMP_MDWX_32);
 }
 
- if (cfg.restrict_namespaces) {
+ if (arg_restrict_namespaces) {
+ if (arg_seccomp_error_action != EPERM) {
+ seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+ seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+ }
+
+ if (arg_debug)
+ printf("Install namespaces filter\n");
+ seccomp_load(RUN_SECCOMP_NS); // install filter
+ seccomp_load(RUN_SECCOMP_NS_32);
+
+ }
+ else if (cfg.restrict_namespaces) {
 seccomp_filter_namespaces(true, cfg.restrict_namespaces);
 seccomp_filter_namespaces(false, cfg.restrict_namespaces);
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 7fc0f21f3..d36851a4e 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32 LIBDIR "/firejail/seccomp.debug32" // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX LIBDIR "/firejail/seccomp.mdwx" // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces" // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32 LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR RUN_MNT_DIR "/dev"
-- 
cgit v1.2.3-54-g00ecf
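Review bot: The return values of `seccomp_load(RUN_SECCOMP_NS)` and `seccomp_load(RUN_SECCOMP_NS_32)` in the new `arg_restrict_namespaces` branch are discarded, so if seccomp_load signals failure through its return value rather than exiting, a filter that was never installed into LIBDIR, not copied by preproc.c, or rejected by the kernel leaves the sandbox running with no namespace restriction at all, which is precisely what the user opted in to prevent. The neighbouring `seccomp_load(RUN_SECCOMP_MDWX_32)` has the same shape, but for a filter that now stands in for a runtime-generated one a fail-closed check is worth two lines: `if (seccomp_load(RUN_SECCOMP_NS) || seccomp_load(RUN_SECCOMP_NS_32)) { fprintf(stderr, "Error: cannot install namespaces filter\n"); exit(1); }`. The `!= EPERM` test also needs a comment, since nothing in the hunk says why the error action chooses the path; e.g. `// the prebuilt filter cannot honour a custom error action, so regenerate it here when one was requested`. If seccomp_filter_namespaces already installs the filter it writes, the non-EPERM path then installs it a second time through the explicit loads; sandbox() continues outside the hunk on both sides, so this is inferred rather than visible.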
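Review bot: `PATH_SECCOMP_NAMESPACES` is annotated only `// filter for restrict-namespaces`, while the neighbouring defines say when their file comes into existence ("built during make"); the commit message says these two are built at install time, and a packager checking what must ship under LIBDIR needs that stated here. Suggest `// filter for restrict-namespaces, built at install time (not generated at run time)` on PATH_SECCOMP_NAMESPACES, with `// 32bit arch variant` on PATH_SECCOMP_NAMESPACES_32.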