From ffa81b0f1863861b6753a84d567ff8dd9991220c Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sun, 8 Apr 2018 10:04:17 -0400
Subject: optimize seccomp.drop and seccomp= filters

---
 src/firejail/firejail.h |  1 +
 src/firejail/seccomp.c  | 10 ++++++++++
 2 files changed, 11 insertions(+)

(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d6c39260b..4fd11ab4f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -778,6 +778,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
 #define PATH_FLDD (LIBDIR "/firejail/fldd")
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 0184db65c..1ee6256d4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -210,6 +210,11 @@ int seccomp_filter_drop(void) {
 					      PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
 			if (rv)
 				exit(rv);
+
+			// optimize the new filter
+			rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+			if (rv)
+				exit(rv);
 		}
 	}
 
@@ -232,6 +237,11 @@ int seccomp_filter_drop(void) {
 
 		if (rv)
 			exit(rv);
+
+		// optimize the drop filter
+		rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+		if (rv)
+			exit(rv);
 	}
 
 	// load the filter
-- 
cgit v1.2.3-54-g00ecf