diff options
author | netblue30 <netblue30@yahoo.com> | 2016-04-16 09:08:56 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-04-16 09:08:56 -0400 |
commit | fa5e81aa1490f13372cc973543aeae9df09e506d (patch) | |
tree | 1d5a5aab26a19ac871c682675c241fd1e4836a29 | |
parent | fixed --profile option (diff) | |
download | firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.tar.gz firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.tar.zst firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.zip |
fix: firejail config in /etc/firejail is not blacklisted if the sandbox is started as root in order to allow sandbox chanining
-rw-r--r-- | src/firejail/fs.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ee76d096..652f897d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -750,7 +750,13 @@ void fs_basic_fs(void) { | |||
750 | // don't leak user information | 750 | // don't leak user information |
751 | restrict_users(); | 751 | restrict_users(); |
752 | 752 | ||
753 | disable_firejail_config(); | 753 | // when starting as root, firejail config is not disabled; |
754 | // this mode could be used to install and test new software by chaining | ||
755 | // firejail sandboxes (firejail --force) | ||
756 | if (getuid() != 0) | ||
757 | disable_firejail_config(); | ||
758 | else | ||
759 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
754 | } | 760 | } |
755 | 761 | ||
756 | 762 | ||
@@ -967,13 +973,13 @@ void fs_overlayfs(void) { | |||
967 | // don't leak user information | 973 | // don't leak user information |
968 | restrict_users(); | 974 | restrict_users(); |
969 | 975 | ||
970 | // when starting as root in overlay mode, firejail config is not disabled; | 976 | // when starting as root, firejail config is not disabled; |
971 | // this mode could be used to install and test new software by chaining | 977 | // this mode could be used to install and test new software by chaining |
972 | // firejail sandboxes (firejail --force) | 978 | // firejail sandboxes (firejail --force) |
973 | if (getuid() != 0) | 979 | if (getuid() != 0) |
974 | disable_firejail_config(); | 980 | disable_firejail_config(); |
975 | else | 981 | else |
976 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n"); | 982 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); |
977 | 983 | ||
978 | // cleanup and exit | 984 | // cleanup and exit |
979 | free(option); | 985 | free(option); |
@@ -1104,7 +1110,13 @@ void fs_chroot(const char *rootdir) { | |||
1104 | // don't leak user information | 1110 | // don't leak user information |
1105 | restrict_users(); | 1111 | restrict_users(); |
1106 | 1112 | ||
1107 | disable_firejail_config(); | 1113 | // when starting as root, firejail config is not disabled; |
1114 | // this mode could be used to install and test new software by chaining | ||
1115 | // firejail sandboxes (firejail --force) | ||
1116 | if (getuid() != 0) | ||
1117 | disable_firejail_config(); | ||
1118 | else | ||
1119 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
1108 | } | 1120 | } |
1109 | #endif | 1121 | #endif |
1110 | 1122 | ||