author | Glenn Washburn <development@efficientek.com> | 2018-10-16 01:41:52 -0500 |
---|---|---|
committer | Glenn Washburn <development@efficientek.com> | 2018-10-16 01:42:55 -0500 |
commit | f74fa71cf9d549b1607ca5b0c9fb2442e31f72ab (patch) | |
tree | 68f323ff771fae30668c4565ec8dbef46b5dce2d | |
parent | Merge branch 'improve-profile-handling' (diff) | |
Do not override user-provided seccomp lists when in chroot/overlay/appimage, but use the default if none is provided.
-rw-r--r-- | src/firejail/sandbox.c | 11 |
1 files changed, 1 insertions, 10 deletions
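--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -530,14 +530,6 @@ static void enforce_filters(void) {
 #ifdef HAVE_SECCOMP
 enforce_seccomp = 1;
 #endif
-if (cfg.seccomp_list_drop) {
-free(cfg.seccomp_list_drop);
-cfg.seccomp_list_drop = NULL;
-}
-if (cfg.seccomp_list_keep) {
-free(cfg.seccomp_list_keep);
-cfg.seccomp_list_keep = NULL;
-}
 
 // disable all capabilities
 if (arg_caps_default_filter || arg_caps_list)
@@ -547,8 +539,7 @@ static void enforce_filters(void) {
 // drop all supplementary groups; /etc/group file inside chroot
 // is controlled by a regular usr
 arg_nogroups = 1;
-fmessage("\n** Warning: dropping all Linux capabilities and enforcing **\n");
-fmessage("** default seccomp filter **\n\n");
+fmessage("\n** Warning: dropping all Linux capabilities **\n");
 }
 
 int sandbox(void* sandbox_arg) {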
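Review bot: In the first hunk, leaving `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` in place means a user-supplied list now decides the filter on the chroot/overlay/appimage path, where the nearby comment says files inside the chroot are controlled by a regular user. If a custom list replaces the default filter rather than extending it (not visible here), a short `seccomp.drop` or a broad `seccomp.keep` list could permit syscalls the default filter blocks. That is worth confirming and recording next to `enforce_seccomp = 1;`, for example `// user-supplied seccomp.drop/seccomp.keep lists are honored; the default filter applies only when neither is set`. The warning in the second hunk no longer tells the user that seccomp is still forced on, so consider keeping a second line such as `fmessage("** seccomp is enforced (default filter unless a list was given) **\n\n");`. `enforce_filters` starts before the first hunk, so how the lists are consumed later cannot be checked from this page.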