diff options
author | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-20 15:56:07 +0300 |
---|---|---|
committer | Aleksey Manevich <manevich.aleksey@gmail.com> | 2016-08-20 15:56:07 +0300 |
commit | 5b9ac21d4e98fd05549051f8dc9f92f9f0159ce3 (patch) | |
tree | f47b98aea6f7f9ae11f81f71755e9831b38d2fb2 | |
parent | audit for existing sandbox (diff) | |
download | firejail-5b9ac21d4e98fd05549051f8dc9f92f9f0159ce3.tar.gz firejail-5b9ac21d4e98fd05549051f8dc9f92f9f0159ce3.tar.zst firejail-5b9ac21d4e98fd05549051f8dc9f92f9f0159ce3.zip |
set caps filter when joining
-rw-r--r-- | src/firejail/join.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index 672913480..37bac7e65 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -122,7 +122,7 @@ static void extract_caps_seccomp(pid_t pid) { | |||
122 | break; | 122 | break; |
123 | } | 123 | } |
124 | else if (strncmp(buf, "CapBnd:", 7) == 0) { | 124 | else if (strncmp(buf, "CapBnd:", 7) == 0) { |
125 | char *ptr = buf + 8; | 125 | char *ptr = buf + 7; |
126 | unsigned long long val; | 126 | unsigned long long val; |
127 | sscanf(ptr, "%llx", &val); | 127 | sscanf(ptr, "%llx", &val); |
128 | apply_caps = 1; | 128 | apply_caps = 1; |
@@ -295,9 +295,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
295 | // set seccomp filter | 295 | // set seccomp filter |
296 | if (apply_seccomp == 1) // not available for uid 0 | 296 | if (apply_seccomp == 1) // not available for uid 0 |
297 | seccomp_set(); | 297 | seccomp_set(); |
298 | |||
299 | #endif | 298 | #endif |
300 | 299 | ||
301 | // fix qt 4.8 | 300 | // fix qt 4.8 |
302 | if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) | 301 | if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) |
303 | errExit("setenv"); | 302 | errExit("setenv"); |
@@ -314,6 +313,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
314 | else | 313 | else |
315 | drop_privs(arg_nogroups); // nogroups not available for uid 0 | 314 | drop_privs(arg_nogroups); // nogroups not available for uid 0 |
316 | 315 | ||
316 | // user namespace resets capabilities | ||
317 | // set caps filter | ||
318 | if (apply_caps == 1) // not available for uid 0 | ||
319 | caps_set(caps); | ||
320 | |||
317 | // set prompt color to green | 321 | // set prompt color to green |
318 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' | 322 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' |
319 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 323 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) |