always log seccomp errors (#5110)

netblue30 · May 9, 2022 · a3f00ed · a3f00ed
1 parent 4421517
commit a3f00ed
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
@@ -70,9 +70,11 @@ int seccomp_install_filters(void) {
 			assert(fl->fname);
 			if (arg_debug)
 				printf("Installing %s seccomp filter\n", fl->fname);
-
+#ifdef SECCOMP_FILTER_FLAG_LOG
+			if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+#else
 			if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
-
+#endif
 				if (!err_printed)
 					fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 				err_printed = 1;

diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -55,6 +55,10 @@ static void load_seccomp(void) {
 	};
 
 	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+#ifdef SECCOMP_FILTER_FLAG_LOG
+	syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog);
+#else
 	prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
+#endif
 	munmap(filter, size);
 }