grsecurity: --chroot

author: netblue30 <netblue30@yahoo.com> 2016-04-05 09:48:36 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-05 09:48:36 -0400
commit: 135338ba895d5feb444e3e4d6548e3474f262637 (patch)
tree: 9370a54dc7b05dd6381c8b517618cfc30445addb
parent: Opera profile patch (diff)
download: firejail-135338ba895d5feb444e3e4d6548e3474f262637.tar.gz
firejail-135338ba895d5feb444e3e4d6548e3474f262637.tar.zst
firejail-135338ba895d5feb444e3e4d6548e3474f262637.zip
5 files changed, 16 insertions, 4 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e86aa85ac..976348c33 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1204,6 +1204,14 @@ int main(int argc, char **argv) {
                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                        exit(1);
                                }
+                                
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+                                        exit(1);        
+                                }
+                                
+                                
                                invalid_filename(argv[i] + 9);
                                
                                // extract chroot dirname
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f22762499..8972e2380 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -201,7 +201,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled.
+regular user, default seccomp and capabilities filters are enabled. This
+option is not available on Grsecurity systems.
 .br
 .br
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index cc0d82179..cced5a0f0 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,8 @@ match_max 100000
 send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        "Error: --chroot option is not available on GRSecurity systems" {puts "\nall done\n"; exit}
+        "Child process initialized" {puts "chroot available\n"};
 }
 sleep 1
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp
index dd1fa4634..8b8087e9b 100755
--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
@@ -56,7 +56,8 @@ after 100
 send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
 expect {
        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Checking filename bla&&bla"
+        "Checking filename bla&&bla" {puts "normal system\n"}
+        "Error: --chroot option is not available on GRSecurity systems" { puts "\nall done\n"; exit}
 }
 expect {
        timeout {puts "TESTING ERROR 3.2\n";exit}
diff --git a/test/option_chroot_overlay.exp b/test/option_chroot_overlay.exp
index b39bc0c8e..dd1b8eb28 100755
--- a/test/option_chroot_overlay.exp
+++ b/test/option_chroot_overlay.exp
@@ -7,7 +7,8 @@ match_max 100000
 send --  "firejail --chroot=/tmp/chroot --overlay\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "mutually exclusive"
+        "mutually exclusive" {puts "normal system\n"}
+        "Error: --chroot option is not available on GRSecurity systems" { puts "\nall done\n"; exit}
 }
 sleep 1
author	netblue30 <netblue30@yahoo.com>	2016-04-05 09:48:36 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-05 09:48:36 -0400
commit	135338ba895d5feb444e3e4d6548e3474f262637 (patch)
tree	9370a54dc7b05dd6381c8b517618cfc30445addb
parent	Opera profile patch (diff)
download	firejail-135338ba895d5feb444e3e4d6548e3474f262637.tar.gz firejail-135338ba895d5feb444e3e4d6548e3474f262637.tar.zst firejail-135338ba895d5feb444e3e4d6548e3474f262637.zip