author | netblue30 <netblue30@yahoo.com> | 2016-03-23 09:18:13 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-23 09:18:13 -0400 |
commit | 7d13ec6274b71fa1359b1ef8ebb966498e5b2f45 (patch) | |
tree | 7adfceb348c88c811ccbe6dc6e2be7fad61cbdb3 | |
parent | --quiet problem (diff) | |
hide firejail run time information
-rw-r--r-- | src/firejail/fs.c | 12 | ||||
-rw-r--r-- | todo | 20 |
2 files changed, 30 insertions, 2 deletions
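--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -710,10 +710,18 @@ static void disable_firejail_config(void) {
 		if (stat(fname, &s) == 0)
 			disable_file(BLACKLIST_FILE, fname);
 	}
-
-
 
 	free(fname);
+
+	// disable run time information
+	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
+		disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+	if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
+		disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+	if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
+		disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+	if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
+		disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
 }
 
 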
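Review bot: The four stat()/disable_file() pairs added at new lines 717–724 are copy-pasted, so a static table iterated in a loop would keep the set of hidden run-time directories in one place and make a forgotten entry easy to spot when the next RUN_FIREJAIL_*_DIR is added; this assumes those macros expand to string constants, which the hunk does not show. The stat() gate also means a directory that is absent when the sandbox is set up is never blacklisted, so if any of these directories can appear later that gap deserves a comment such as `// only run time directories present at sandbox setup are hidden`. The comment `// disable run time information` would read better as `// hide firejail's per-sandbox run time state (network, bandwidth, name, X11) from the sandbox`, matching the commit title. disable_firejail_config starts before the hunk; only its tail is visible here.
```c
	free(fname);

	// hide firejail's per-sandbox run time state (network, bandwidth, name, X11) from the sandbox;
	// only directories present at sandbox setup are hidden
	static const char *const runtime_dirs[] = {
		RUN_FIREJAIL_NETWORK_DIR,
		RUN_FIREJAIL_BANDWIDTH_DIR,
		RUN_FIREJAIL_NAME_DIR,
		RUN_FIREJAIL_X11_DIR,
	};
	for (size_t i = 0; i < sizeof runtime_dirs / sizeof runtime_dirs[0]; i++) {
		if (stat(runtime_dirs[i], &s) == 0)
			disable_file(BLACKLIST_FILE, runtime_dirs[i]);
	}
```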
@@ -55,3 +55,23 @@ Warning: seccomp file not found | |||
55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. | 55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. |
56 | $ ls ~ <----------------- all files are available, the directory is not empty! | 56 | $ ls ~ <----------------- all files are available, the directory is not empty! |
57 | 57 | ||
58 | 10. Posibly capabilities broken for --join | ||
59 | |||
60 | $ firejail --name=test | ||
61 | ... | ||
62 | $ firejail --debug --join=test | ||
63 | Switching to pid 18591, the first child process inside the sandbox | ||
64 | User namespace detected: /proc/18591/uid_map, 1000, 1000 | ||
65 | Set caps filter 0 | ||
66 | Set protocol filter: unix,inet,inet6 | ||
67 | Read seccomp filter, size 792 bytes | ||
68 | |||
69 | However, in the join sandbox we have: | ||
70 | $ cat /proc/self/status | grep Cap | ||
71 | CapInh: 0000000000000000 | ||
72 | CapPrm: 0000000000000000 | ||
73 | CapEff: 0000000000000000 | ||
74 | CapBnd: 0000003fffffffff | ||
75 | CapAmb: 0000000000000000 | ||
76 | |||
77 | 11. net_netfilter.exp broken | ||