author | netblue30 <netblue30@yahoo.com> | 2016-03-13 09:42:39 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-13 09:42:39 -0400 |
commit | bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf (patch) | |
tree | 87a9e16f64541c4e8eca93637b6328d4b7d11114 | |
parent | cfg bind (diff) | |
download | firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.tar.gz firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.tar.zst firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.zip |
cfg userns
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 |
4 files changed, 22 insertions, 3 deletions
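--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -86,6 +86,15 @@ int checkcfg(int val) {
 				else
 					goto errout;
 			}
+			// bind
+			else if (strncmp(ptr, "userns ", 7) == 0) {
+				if (strcmp(ptr + 7, "yes") == 0)
+					cfg_val[CFG_USERNS] = 1;
+				else if (strcmp(ptr + 7, "no") == 0)
+					cfg_val[CFG_USERNS] = 0;
+				else
+					goto errout;
+			}
 			else
 				goto errout;
 			free(ptr);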
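Review bot: The comment introducing the new branch reads `// bind` but the block parses the `userns` key; it should read `// userns` so the next reader does not mistake it for a duplicate of the bind entry above. The nine lines in this hunk are the only change to checkcfg.c in this commit, so the default for the new `cfg_val[CFG_USERNS]` slot is not set here; if the defaults are assigned per entry rather than in a loop up to CFG_MAX, a configuration file without a `userns` line would leave the slot at whatever the array holds and `--noroot` could be accepted or refused by accident — worth confirming where cfg_val is initialised. checkcfg's body starts and ends outside this hunk.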
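--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -541,7 +541,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FILE_TRANSFER 0
 #define CFG_X11 1
 #define CFG_BIND 2
-#define CFG_MAX 3 // this should always be the last entry
+#define CFG_USERNS 3
+#define CFG_MAX 4 // this should always be the last entry
 int checkcfg(int val);
 
 #endif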
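Review bot: CFG_MAX has to be bumped by hand every time a key is added, as this hunk does, and forgetting it would make checkcfg index cfg_val past its end. A small `enum { CFG_FILE_TRANSFER, CFG_X11, CFG_BIND, CFG_USERNS, CFG_MAX };` keeps the count in step automatically while leaving every existing name and value unchanged, and the "should always be the last entry" comment then documents the enum rather than a manual rule.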
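--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1155,7 +1155,12 @@ int main(int argc, char **argv) {
 			arg_nogroups = 1;
 #ifdef HAVE_USERNS
 		else if (strcmp(argv[i], "--noroot") == 0) {
-			check_user_namespace();
+			if (checkcfg(CFG_USERNS))
+				check_user_namespace();
+			else {
+				fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n");
+				exit(1);
+			}
 		}
 #endif
 		else if (strncmp(argv[i], "--env=", 6) == 0)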
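Review bot: The new `if` body on the `--noroot` branch is unbraced while its `else` is braced; bracing both arms (`if (checkcfg(CFG_USERNS)) { check_user_namespace(); }`) matches the surrounding style and avoids a dangling-else slip when the branch is edited again. The message text also differs from the one profile.c prints for the same condition ("--noroot feature" versus "user namespace feature"); one wording in both places makes the log easier to search. main's body starts and ends outside this hunk.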
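--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -123,8 +123,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	// seccomp, caps, private, user namespace
 	else if (strcmp(ptr, "noroot") == 0) {
 #if HAVE_USERNS
-		check_user_namespace();
+		if (checkcfg(CFG_USERNS))
+			check_user_namespace();
+		else
+			fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n");
 #endif
+
 		return 0;
 	}
 	else if (strcmp(ptr, "seccomp") == 0) {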
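Review bot: When the configuration disables userns, a `noroot` line in a profile now only prints a warning and the function still returns 0, so the sandbox starts without the root restriction the profile asked for, while the same condition on the `--noroot` command-line option in main.c exits with an error. A profile is the usual place hardening is requested, so silently degrading it is the riskier of the two behaviours; either exit as main.c does, or document why a warning is enough here and include `fname` and `lineno` (both parameters of this function) in the message so the dropped option can be traced back to its line. The blank line added before `return 0;` appears to be stray. profile_check_line's body starts and ends outside this hunk.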