authorLibravatar smitsohu <smitsohu@gmail.com>2022-07-20 16:13:13 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2022-07-20 16:21:01 +0200
commit8c627c37e77e7234367bd4212e202a913ed9842c (patch)
treee10bc87d0b80c0b941038085d9f132f074cc1255
parentremmina.profile: allow python3 (#5253) (diff)
apparmor cleanup
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/join.c8
-rw-r--r--src/firejail/sandbox.c10
3 files changed, 5 insertions, 14 deletions
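--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -385,7 +385,6 @@ char *guess_shell(void);
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);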
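--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -33,10 +33,6 @@
 #define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
-
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static unsigned display = 0;
@@ -513,10 +509,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	// kill the child in case the parent died
 	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
-#ifdef HAVE_APPARMOR
-	set_apparmor();
-#endif
-
 	extract_command(argc, argv, index);
 	if (cfg.command_line == NULL)
 		cfg.window_title = cfg.usershell;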
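--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -128,7 +128,7 @@ static void set_caps(void) {
 }
 
 #ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 		if (aa_change_onexec("firejail-default")) {
@@ -486,6 +486,9 @@ static void close_file_descriptors(void) {
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 	if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+		set_apparmor();
+#endif
 		close_file_descriptors();
 
 		// set nice and rlimits
@@ -1299,10 +1302,7 @@ int sandbox(void* sandbox_arg) {
 		errExit("fork");
 
 	if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
-		set_apparmor();
-#endif
-		start_application(0, -1, set_sandbox_status);
+		start_application(0, -1, set_sandbox_status); // this function does not return
 	}
 
 	munmap(set_sandbox_status, 1);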
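Review bot: Whether `firejail --join` still transitions into the AppArmor profile now rests entirely on join() reaching `start_application(0, ...)`, because the moved call sits under `no_sandbox == 0` (new line 488) and join()'s own call site is outside this diff, so that path is worth confirming and documenting at the new call, e.g. `// AppArmor transition (aa_change_onexec) for every sandboxed exec path, including --join; only --no-sandbox skips it`. The `#ifdef HAVE_APPARMOR` around the call could be confined to one place by adding an empty `static void set_apparmor(void) {}` in an `#else` branch next to the definition, keeping start_application free of preprocessor conditionals. The `// this function does not return` comment on the sandbox() call duplicates the `__attribute__((noreturn))` already carried by the prototype in firejail.h; the attribute is what the compiler enforces, so the comment adds little. Both start_application and sandbox() extend beyond their hunks.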