From c7e4c8ed592fee7f1644152a23c3e1343b01b922 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 18 Jun 2022 07:20:46 -0400
Subject: seccomp-log support in firejail.config

---
 src/firejail/checkcfg.c | 2 ++
 src/firejail/firejail.h | 1 +
 src/firejail/seccomp.c | 10 ++++++++--
 3 files changed, 11 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 166f2945a..9548ecb5b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -60,6 +60,7 @@ int checkcfg(int val) {
 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 cfg_val[CFG_ALLOW_TRAY] = 0;
 cfg_val[CFG_CHROOT] = 0;
+ cfg_val[CFG_SECCOMP_LOG] = 0;
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -124,6 +125,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
 PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+ PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
 #undef PARSE_YESNO
 // netfilter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7930778ca..19cbacc01 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -828,6 +828,7 @@ enum {
 CFG_SECCOMP_ERROR_ACTION,
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_ALLOW_TRAY,
+ CFG_SECCOMP_LOG,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index e8959f263..b8b4ec0d6 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -71,11 +71,17 @@ int seccomp_install_filters(void) {
 assert(fl->fname);
 if (arg_debug)
 printf("Installing %s seccomp filter\n", fl->fname);
+ int rv = 0;
 #ifdef SECCOMP_FILTER_FLAG_LOG
- if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+ if (checkcfg(CFG_SECCOMP_LOG))
+ rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+ else
+ rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #else
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+ rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #endif
+
+ if (rv == -1) {
 if (!err_printed)
 fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 err_printed = 1;
-- 
cgit v1.2.3-70-g09d2
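Review bot: Setting `seccomp-log yes` on a kernel that does not implement SECCOMP_FILTER_FLAG_LOG turns a logging preference into a sandbox-disabling switch: the `#ifdef SECCOMP_FILTER_FLAG_LOG` only proves the build headers know the flag, so on such a kernel the `syscall(SYS_seccomp, ..., SECCOMP_FILTER_FLAG_LOG, ...)` branch fails, `rv == -1` is taken, and the code reports "seccomp disabled" without ever trying the plain `prctl(PR_SET_SECCOMP, ...)` path that would have installed the same filter. The warning text then misattributes the failure to a pre-3.5 kernel, which is what a user would see when the real cause is the flag. Suggest retrying without the flag when the flagged install fails with EINVAL (the errno seccomp(2) returns for flags the kernel does not accept), so the worst case of a bad config value is lost logging rather than a lost filter; this needs errno in scope in seccomp.c, which I cannot confirm from the hunk. Separately, because checkcfg.c initialises `cfg_val[CFG_SECCOMP_LOG] = 0`, builds that previously always installed with the LOG flag now stop logging unless firejail.config opts in, which the commit message does not mention. seccomp_install_filters continues past the end of the hunk.
```c
	if (checkcfg(CFG_SECCOMP_LOG)) {
		rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
		// Build headers defining the flag does not mean the running kernel
		// accepts it; if it is rejected, keep the filter and only lose logging.
		if (rv == -1 && errno == EINVAL)
			rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
	}
	// … unchanged: else branch, #else branch and the rv == -1 warning …
```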