From ea97f7c534769181b2cf3ea4ba0d4d9c5e0078cb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 Nov 2015 11:02:12 -0500 Subject: cleanup --- src/firejail/cgroup.c | 11 ++--------- src/firejail/cpu.c | 10 ++-------- src/firejail/firejail.h | 19 ++++++++++++++++--- src/firejail/fs_etc.c | 4 ++-- src/firejail/fs_home.c | 14 ++++---------- src/firejail/fs_hostname.c | 47 ++++++++++++++++------------------------------ src/firejail/fs_trace.c | 12 +++++------- src/firejail/fs_var.c | 38 +++++-------------------------------- src/firejail/join.c | 10 +++++----- src/firejail/main.c | 2 +- src/firejail/pulseaudio.c | 17 ++++++----------- src/firejail/sandbox.c | 19 +++++++------------ src/firejail/seccomp.c | 24 ++++++----------------- 13 files changed, 77 insertions(+), 150 deletions(-) (limited to 'src') diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 9e6a2e549..aab7be0fd 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c @@ -26,30 +26,23 @@ void save_cgroup(void) { if (cfg.cgroup == NULL) return; - char *fname; - if (asprintf(&fname, "%s/cgroup", MNT_DIR) == -1) - errExit(fname); - - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(CGROUP_CFG, "w"); if (fp) { fprintf(fp, "%s", cfg.cgroup); fflush(0); if (fclose(fp)) goto errout; - if (chown(fname, 0, 0) < 0) + if (chown(CGROUP_CFG, 0, 0) < 0) errExit("chown"); } else goto errout; - free(fname); return; errout: fprintf(stderr, "Error: cannot save cgroup\n"); - free(fname); exit(1); - } void load_cgroup(const char *fname) { diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 9462568f2..6dcbbd07b 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c 
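Review bot: In save_cgroup the ownership change is still made by path, `chown(CGROUP_CFG, 0, 0)`, after `fclose(fp)`, so it is only safe while nothing else can replace or pre-create that path between the write and the chown. The firejail.h comment in this commit says a tmpfs is mounted on MNT_DIR before these files are created, which is presumably what makes this acceptable, but the function itself neither shows nor checks that. Changing the owner through the open stream, `if (fchown(fileno(fp), 0, 0) < 0) errExit("fchown");` placed before `fclose(fp)`, removes the dependency on the path. The same write, close, then chown-by-path sequence appears in the cpu.c, fs_hostname.c, fs_trace.c, fs_var.c, sandbox.c and seccomp.c hunks.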
@@ -71,23 +71,17 @@ void save_cpu(void) { if (cfg.cpus == 0) return; - char *fname; - if (asprintf(&fname, "%s/cpu", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(CPU_CFG, "w"); if (fp) { fprintf(fp, "%x\n", cfg.cpus); fclose(fp); - if (chown(fname, 0, 0) < 0) + if (chown(CPU_CFG, 0, 0) < 0) errExit("chown"); } else { fprintf(stderr, "Error: cannot save cpu affinity mask\n"); - free(fname); exit(1); } - - free(fname); } void load_cpu(const char *fname) { diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e79cc4a2c..1068485ff 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -21,20 +21,33 @@ #define FIREJAIL_H #include "../include/common.h" -#define USELOCK +// filesystem #define FIREJAIL_DIR "/tmp/firejail" +#define NETWORK_LOCK_FILE "/tmp/firejail/firejail.lock" #define RO_DIR "/tmp/firejail/firejail.ro.dir" #define RO_FILE "/tmp/firejail/firejail.ro.file" -#define MNT_DIR "/tmp/firejail/mnt" +#define MNT_DIR "/tmp/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created +#define SECCOMP_CFG "/tmp/firejail/mnt/seccomp" +#define CGROUP_CFG "/tmp/firejail/mnt/cgroup" +#define CPU_CFG "/tmp/firejail/mnt/cpu" +#define GROUPS_CFG "/tmp/firejail/mnt/groups" #define CP_COMMAND "/tmp/firejail/mnt/cp" #define HOME_DIR "/tmp/firejail/mnt/home" #define ETC_DIR "/tmp/firejail/mnt/etc" #define BIN_DIR "/tmp/firejail/mnt/bin" #define DRI_DIR "/tmp/firejail/mnt/dri" +#define PULSE_DIR "/tmp/firejail/mnt/pulse" #define WHITELIST_HOME_DIR "/tmp/firejail/mnt/whome" +#define XAUTHORITY_FILE "/tmp/firejail/mnt/.Xauthority" +#define HOSTNAME_FILE "/tmp/firejail/mnt/hostname" +#define RESOLVCONF_FILE "/tmp/firejail/mnt/resolv.conf" +#define LDPRELOAD_FILE "/tmp/firejail/mnt/ld.so.preload" +#define UTMP_FILE "/tmp/firejail/mnt/utmp" + +// profiles #define DEFAULT_USER_PROFILE "generic" #define DEFAULT_ROOT_PROFILE "server" -#define MAX_INCLUDE_LEVEL 6 +#define MAX_INCLUDE_LEVEL 6 // include levels in profile files // main.c typedef struct bridge_t { diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 617d45d06..f9088f1ba 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -75,7 +75,7 @@ void fs_check_etc_list(void) { static void duplicate(char *fname) { char *cmd; - // copy the file + // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc if (asprintf(&cmd, "%s -a --parents /etc/%s %s", CP_COMMAND, fname, MNT_DIR) == -1) errExit("asprintf"); if (arg_debug) 
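Review bot: The new path macros each repeat the literal `/tmp/firejail/mnt` instead of being built from MNT_DIR, so a later change to MNT_DIR would silently leave SECCOMP_CFG, CGROUP_CFG and the others pointing at the old location; the fs_etc.c hunk already has to add a comment that ETC_DIR is assumed to be MNT_DIR/etc. Adjacent string literals concatenate, so `#define SECCOMP_CFG MNT_DIR "/seccomp"` keeps them tied together. NETWORK_LOCK_FILE sits directly under /tmp/firejail rather than under the tmpfs, which deserves a short comment on who creates that directory and with what ownership. The hunk also drops `#define USELOCK`; if any `#ifdef USELOCK` remains in files not shown here, that locking code would be compiled out without warning.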
@@ -113,7 +113,7 @@ void fs_private_etc_list(void) { errExit("fork"); if (child == 0) { if (arg_debug) - printf("Copying files in the new home:\n"); + printf("Copying files in the new etc directory:\n"); // elevate privileges - files in the new /etc directory belong to root if (setreuid(0, 0) < 0) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 2cbb59e69..63c03a8db 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -109,15 +109,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) { } static int store_xauthority(void) { - // put a copy of .Xauthority in MNT_DIR + // put a copy of .Xauthority in XAUTHORITY_FILE fs_build_mnt_dir(); char *src; - char *dest; + char *dest = XAUTHORITY_FILE; if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - if (asprintf(&dest, "%s/.Xauthority", MNT_DIR) == -1) - errExit("asprintf"); struct stat s; if (stat(src, &s) == 0) { @@ -133,15 +131,11 @@ static int store_xauthority(void) { } static void copy_xauthority(void) { - // put a copy of .Xauthority in MNT_DIR - fs_build_mnt_dir(); - - char *src; + // copy XAUTHORITY_FILE in the new home directory + char *src = XAUTHORITY_FILE ; char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - if (asprintf(&src, "%s/.Xauthority", MNT_DIR) == -1) - errExit("asprintf"); int rv = copy_file(src, dest); if (rv) fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 2d9ad6fa7..94251df57 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c 
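Review bot: `char *dest = XAUTHORITY_FILE;` in store_xauthority and `char *src = XAUTHORITY_FILE ;` in copy_xauthority now point at string literals through non-const pointers. Both functions continue outside these hunks, so I cannot see whether a `free(dest)` or `free(src)` that matched the removed asprintf calls is still present; if one is, it now frees a literal. Declaring them `const char *dest = XAUTHORITY_FILE;` and `const char *src = XAUTHORITY_FILE;` lets the compiler flag such a leftover, assuming copy_file accepts const parameters.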
@@ -33,49 +33,40 @@ void fs_hostname(const char *hostname) { if (stat("/etc/hostname", &s) == 0) { if (arg_debug) printf("Creating a new /etc/hostname file\n"); - char *fhost; - if (asprintf(&fhost, "%s/hostname", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(fhost, "w"); + + FILE *fp = fopen(HOSTNAME_FILE, "w"); if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", fhost); - free(fhost); + fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE); exit(1); } fprintf(fp, "%s\n", hostname); fclose(fp); // mode and owner - if (chown(fhost, 0, 0) < 0) + if (chown(HOSTNAME_FILE, 0, 0) < 0) errExit("chown"); - if (chmod(fhost, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) + if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) errExit("chmod"); // bind-mount the file on top of /etc/hostname - if (mount(fhost, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind /etc/hostname"); - free(fhost); } // create a new /etc/hosts if (stat("/etc/hosts", &s) == 0) { if (arg_debug) printf("Creating a new /etc/hosts file\n"); - char *fhost; - if (asprintf(&fhost, "%s/hosts", MNT_DIR) == -1) - errExit("asprintf"); // copy /etc/host into our new file, and modify it on the fly /* coverity[toctou] */ FILE *fp1 = fopen("/etc/hosts", "r"); if (!fp1) { fprintf(stderr, "Error: cannot open /etc/hosts\n"); - free(fhost); exit(1); } - FILE *fp2 = fopen(fhost, "w"); + FILE *fp2 = fopen(HOSTNAME_FILE, "w"); if (!fp2) { - fprintf(stderr, "Error: cannot create %s\n", fhost); - free(fhost); + fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE); exit(1); } 
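Review bot: The /etc/hosts branch now opens `HOSTNAME_FILE` for writing (`FILE *fp2 = fopen(HOSTNAME_FILE, "w");`), where the old code built a separate `MNT_DIR/hosts` path. HOSTNAME_FILE is the file this same function has just bind-mounted over /etc/hostname, so truncating and refilling it with the hosts content would change what /etc/hostname shows inside the sandbox, and the next hunk (`@@ -96,15 +87,14 @@`) then mounts that same file over /etc/hosts. A separate macro is needed, for example `#define HOSTS_FILE "/tmp/firejail/mnt/hosts"` in firejail.h, used for `fp2`, its error message, and the chown/chmod/mount calls in the following hunk.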
@@ -96,15 +87,14 @@ void fs_hostname(const char *hostname) { fclose(fp2); // mode and owner - if (chown(fhost, 0, 0) < 0) + if (chown(HOSTNAME_FILE, 0, 0) < 0) errExit("chown"); - if (chmod(fhost, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) + if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) errExit("chmod"); // bind-mount the file on top of /etc/hostname - if (mount(fhost, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(HOSTNAME_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind /etc/hosts"); - free(fhost); } } @@ -119,13 +109,9 @@ void fs_resolvconf(void) { if (stat("/etc/resolv.conf", &s) == 0) { if (arg_debug) printf("Creating a new /etc/resolv.conf file\n"); - char *fname; - if (asprintf(&fname, "%s/resolv.conf", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(RESOLVCONF_FILE, "w"); if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", fname); - free(fname); + fprintf(stderr, "Error: cannot create %s\n", RESOLVCONF_FILE); exit(1); } @@ -138,15 +124,14 @@ void fs_resolvconf(void) { fclose(fp); // mode and owner - if (chown(fname, 0, 0) < 0) + if (chown(RESOLVCONF_FILE, 0, 0) < 0) errExit("chown"); - if (chmod(fname, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) + if (chmod(RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) errExit("chmod"); // bind-mount the file on top of /etc/hostname - if (mount(fname, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind /etc/resolv.conf"); - free(fname); } else { fprintf(stderr, "Error: cannot set DNS servers, /etc/resolv.conf file is missing\n"); diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 6058bf3c4..2b0f52a98 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c 
@@ -52,23 +52,21 @@ void fs_trace(void) { // create the new ld.so.preload file and mount-bind it if (arg_debug) printf("Create the new ld.so.preload file\n"); - char *preload; - if (asprintf(&preload, "%s/ld.so.preload", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(preload, "w"); + + FILE *fp = fopen(LDPRELOAD_FILE, "w"); if (!fp) errExit("fopen"); fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR); fclose(fp); - if (chown(preload, 0, 0) < 0) + if (chown(LDPRELOAD_FILE, 0, 0) < 0) errExit("chown"); - if (chmod(preload, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) + if (chmod(LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) errExit("chmod"); // mount the new preload file if (arg_debug) printf("Mount the new ld.so.preload file\n"); - if (mount(preload, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind ls.so.preload"); } diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 93625633a..7e822f614 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -317,10 +317,8 @@ void fs_var_utmp(void) { // create a new utmp file if (arg_debug) printf("Create the new utmp file\n"); - char *utmp; - if (asprintf(&utmp, "%s/utmp", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(utmp, "w"); + + FILE *fp = fopen(UTMP_FILE, "w"); if (!fp) errExit("fopen"); 
@@ -339,42 +337,16 @@ void fs_var_utmp(void) { // save new utmp file fwrite(&u_boot, sizeof(u_boot), 1, fp); fclose(fp); - if (chown(utmp, 0, utmp_group) < 0) + if (chown(UTMP_FILE, 0, utmp_group) < 0) errExit("chown"); - if (chmod(utmp, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) + if (chmod(UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) errExit("chmod"); // mount the new utmp file if (arg_debug) printf("Mount the new utmp file\n"); - if (mount(utmp, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(UTMP_FILE, "/var/run/utmp", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind utmp"); } -#if 0 -Testing servers: - -brctl addbr br0 -ifconfig br0 10.10.20.1/24 - -apt-get install snmpd -insserv -r snmpd -sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/snmpd start; sleep inf" - -apt-get install apache2 -insserv -r apache2 -sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/apache2 start; sleep inf" - -apt-get install nginx -insserv -r nginx -sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/nginx start; sleep inf" - -apt-get install lighttpd -insserv -r lighttpd -sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/lighttpd start; sleep inf" - -apt-get install isc-dhcp-server -insserv -r isc-dhcp-server -sudo firejail --net=br0 --ip=10.10.20.10 "/etc/init.d/rsyslog start; /etc/init.d/ssh start; /etc/init.d/isc-dhcp-server start; sleep inf" -#endif diff --git a/src/firejail/join.c b/src/firejail/join.c index 35e302bf0..91dad420a 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -69,7 +69,7 @@ static void extract_command(int argc, char **argv, int index) { static void extract_nogroups(pid_t pid) { char *fname; - if (asprintf(&fname, "/proc/%d/root%s/groups", pid, MNT_DIR) == -1) + if (asprintf(&fname, "/proc/%d/root%s", pid, GROUPS_CFG) == -1) errExit("asprintf"); struct stat s; @@ -82,28 +82,28 @@ static void extract_nogroups(pid_t pid) { static void extract_cpu(pid_t pid) { char *fname; - if (asprintf(&fname, "/proc/%d/root%s/cpu", pid, MNT_DIR) == -1) + if (asprintf(&fname, "/proc/%d/root%s", pid, CPU_CFG) == -1) errExit("asprintf"); struct stat s; if (stat(fname, &s) == -1) return; - // there is a cpu file in MNT_DIR; load the information from the file + // there is a CPU_CFG file, load it! load_cpu(fname); free(fname); } static void extract_cgroup(pid_t pid) { char *fname; - if (asprintf(&fname, "/proc/%d/root%s/cgroup", pid, MNT_DIR) == -1) + if (asprintf(&fname, "/proc/%d/root%s", pid, CGROUP_CFG) == -1) errExit("asprintf"); struct stat s; if (stat(fname, &s) == -1) return; - // there is a cgroup file in MNT_DIR; load the information from the file + // there is a cgroup file CGROUP_CFG, load it! load_cgroup(fname); free(fname); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c1c3a08f..4fa2e5b3b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1255,7 +1255,7 @@ int main(int argc, char **argv) { // check and assign an IP address - for macvlan it will be done again in the sandbox! if (any_bridge_configured()) { - lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd = open(NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); if (lockfd != -1) { int rv = fchown(lockfd, 0, 0); (void) rv; diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 0cd5bace2..22c2a0d3d 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c 
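Review bot: In extract_cpu and extract_cgroup the early `return` after `stat(fname, &s) == -1` skips `free(fname)`, so the asprintf buffer leaks whenever the sandbox has no CPU_CFG or CGROUP_CFG file. `if (stat(fname, &s) == -1) { free(fname); return; }` fixes it; extract_nogroups in the previous hunk starts the same way, but its body continues outside the hunk. These functions also read a file located under `/proc/PID/root` of the process being joined, so a comment stating that the file is expected to be root-owned inside the sandbox's tmpfs would help the next reader judge how far load_cpu and load_cgroup may trust its contents.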
@@ -86,26 +86,24 @@ void pulseaudio_disable(void) { void pulseaudio_init(void) { struct stat s; +printf("here %d\n", __LINE__); // do we have pulseaudio in the system? if (stat("/etc/pulse/client.conf", &s) == -1) return; - +printf("here %d\n", __LINE__); // create the new user pulseaudio directory fs_build_mnt_dir(); - char *pulsedir; - if (asprintf(&pulsedir, "%s/pulse", MNT_DIR) == -1) - errExit("asprintf"); - int rv = mkdir(pulsedir, S_IRWXU | S_IRWXG | S_IRWXO); + int rv = mkdir(PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO); (void) rv; // in --chroot mode the directory canalready be there - if (chown(pulsedir, getuid(), getgid()) < 0) + if (chown(PULSE_DIR, getuid(), getgid()) < 0) errExit("chown"); - if (chmod(pulsedir, 0700) < 0) + if (chmod(PULSE_DIR, 0700) < 0) errExit("chmod"); // create the new client.conf file char *pulsecfg = NULL; - if (asprintf(&pulsecfg, "%s/client.conf", pulsedir) == -1) + if (asprintf(&pulsecfg, "%s/client.conf", PULSE_DIR) == -1) errExit("asprintf"); if (copy_file("/etc/pulse/client.conf", pulsecfg)) errExit("copy_file"); @@ -119,12 +117,9 @@ void pulseaudio_init(void) { if (chown(pulsecfg, getuid(), getgid()) == -1) errExit("chown"); - // set environment if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) errExit("setenv"); - free(pulsecfg); - free(pulsedir); } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b23c5d742..d9ce717e0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -46,23 +46,18 @@ void save_nogroups(void) { if (arg_nogroups == 0) return; - char *fname; - if (asprintf(&fname, "%s/groups", MNT_DIR) == -1) - errExit("asprintf"); - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(GROUPS_CFG, "w"); if (fp) { fprintf(fp, "\n"); fclose(fp); - if (chown(fname, 0, 0) < 0) + if (chown(GROUPS_CFG, 0, 0) < 0) errExit("chown"); } else { fprintf(stderr, "Error: cannot save nogroups state\n"); - free(fname); exit(1); } - free(fname); } static void sandbox_if_up(Bridge *br) { 
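Review bot: Two debugging statements, `printf("here %d\n", __LINE__);`, are added at the top of pulseaudio_init and after the client.conf check; they look like leftovers and would print on every start, not only under arg_debug. They should be removed before merging. Separately, the result of `mkdir(PULSE_DIR, ...)` is deliberately ignored, and the following `chown(PULSE_DIR, getuid(), getgid())` and `chmod(PULSE_DIR, 0700)` then act on whatever already exists at that path. The comment says this happens in --chroot mode, so checking with lstat that the entry is a directory with the expected owner would be prudent for that case.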
@@ -436,21 +431,21 @@ int sandbox(void* sandbox_arg) { // if a keep list is available, disregard the drop list if (arg_seccomp == 1) { if (cfg.seccomp_list_keep) - seccomp_filter_keep(); // this will also save the fmyilter to MNT_DIR/seccomp file + seccomp_filter_keep(); else if (cfg.seccomp_list_errno) - seccomp_filter_errno(); // this will also save the filter to MNT_DIR/seccomp file + seccomp_filter_errno(); else - seccomp_filter_drop(); // this will also save the filter to MNT_DIR/seccomp file + seccomp_filter_drop(); } #endif // set cpu affinity if (cfg.cpus) { - save_cpu(); // save cpu affinity mask to MNT_DIR/cpu file + save_cpu(); // save cpu affinity mask to CPU_CFG file set_cpu_affinity(); } - // save cgroup in MNT_DIR/cgroup file + // save cgroup in CGROUP_CFG file if (cfg.cgroup) save_cgroup(); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 353b212f6..f8053d698 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -266,10 +266,7 @@ static void write_seccomp_file(void) { fs_build_mnt_dir(); assert(sfilter); - char *fname; - if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1) - errExit("asprintf"); - int fd = open(fname, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); + int fd = open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); if (fd == -1) errExit("open"); @@ -282,23 +279,14 @@ static void write_seccomp_file(void) { exit(1); } close(fd); - if (chown(fname, 0, 0) < 0) + if (chown(SECCOMP_CFG, 0, 0) < 0) errExit("chown"); - free(fname); } // read seccomp filter from /tmp/firejail/mnt/seccomp -static void read_seccomp_file(char *file_name) { +static void read_seccomp_file(const char *fname) { assert(sfilter == NULL && sfilter_index == 0); - char *fname; - if (file_name) - fname = file_name; - else { - if (asprintf(&fname, "%s/seccomp", MNT_DIR) == -1) - errExit("asprintf"); - } - // check file struct stat s; if (stat(fname, &s) == -1) { 
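Review bot: write_seccomp_file opens the filter file with `open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR)`, without O_TRUNC, O_EXCL or O_NOFOLLOW. If a file already exists at that path, a shorter filter would leave old bytes behind it, and read_seccomp_file appears to size the filter from the file (its body is mostly outside these hunks, so confirm). Adding `O_TRUNC | O_NOFOLLOW` to the flags and replacing the path-based `chown(SECCOMP_CFG, 0, 0)` with `fchown(fd, 0, 0)` before `close(fd)` would make this independent of the state of the directory. The comment `// read seccomp filter from /tmp/firejail/mnt/seccomp` above read_seccomp_file is also stale now that the function reads whatever path the caller passes.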
@@ -331,7 +319,6 @@ static void read_seccomp_file(char *file_name) { printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter))); close(fd); - free(fname); if (arg_debug) filter_debug(); @@ -706,7 +693,7 @@ int seccomp_filter_errno(void) { void seccomp_set(void) { // read seccomp filter from /tmp/firejail/mnt/seccomp - read_seccomp_file(NULL); + read_seccomp_file(SECCOMP_CFG); // apply filter struct sock_fprog prog = { @@ -767,7 +754,7 @@ void seccomp_print_filter(pid_t pid) { // find the seccomp filter char *fname; - if (asprintf(&fname, "/proc/%d/root/tmp/firejail/mnt/seccomp", pid) == -1) + if (asprintf(&fname, "/proc/%d/root%s", pid, SECCOMP_CFG) == -1) errExit("asprintf"); struct stat s; @@ -780,6 +767,7 @@ void seccomp_print_filter(pid_t pid) { read_seccomp_file(fname); drop_privs(1); filter_debug(); + free(fname); exit(0); } -- cgit v1.2.3-54-g00ecf
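Review bot: In seccomp_print_filter, `read_seccomp_file(fname)` is called before `drop_privs(1)`, so a file found under `/proc/PID/root` of another process is opened and read while the program is still privileged. Root may be needed to reach that path, but I would at least add a comment explaining the ordering and confirm that read_seccomp_file bounds the size it takes from stat, since that part of the function lies outside these hunks. The added `free(fname);` is harmless but has no effect, because `exit(0)` follows immediately.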