author | netblue30 <netblue30@yahoo.com> | 2016-03-18 08:07:15 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-18 08:07:15 -0400 |
commit | e62ce59f5556555b52741ec677bb273a35939336 (patch) | |
tree | 7c8256956766a6e54642b732290424544b74528f | |
parent | various fixes (diff) | |
join fixes
-rw-r--r-- | src/firejail/seccomp.c | 6 | ||||
-rw-r--r-- | todo | 20 |
2 files changed, 23 insertions, 3 deletions
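--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -286,12 +286,12 @@ static void write_seccomp_file(void) {
 // read seccomp filter from /run/firejail/mnt/seccomp
 static void read_seccomp_file(const char *fname) {
 assert(sfilter == NULL && sfilter_index == 0);
-printf("***%s***\n", fname);
+
 // check file
 struct stat s;
 if (stat(fname, &s) == -1) {
-fprintf(stderr, "Error: seccomp file not found\n");
-exit(1);
+fprintf(stderr, "Warning: seccomp file not found\n");
+return;
 }
 ssize_t sz = s.st_size;
 if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) {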
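--- a/todo
+++ b/todo
@@ -35,3 +35,23 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 8. profile for dillo
 Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
 This is probably a dillo problem.
+
+9. --force sandbox in a overlayfs sandbox
+
+$ sudo firejail --overlay
+# su netblue
+$ xterm &
+$ firejail --force --private
+Parent pid 77, child pid 78
+Warning: failed to unmount /sys
+
+Warning: cannot mount a new user namespace, going forward without it...
+Child process initialized
+
+Try to join the forced sandbox in xterm window:
+$ firejail --join=77
+Switching to pid 78, the first child process inside the sandbox
+Warning: seccomp file not found
+Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
+$ ls ~ <----------------- all files are available, the directory is not empty!
+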