grsecurity: --overlay

author: netblue30 <netblue30@yahoo.com> 2016-04-05 09:59:44 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-05 09:59:44 -0400
commit: 37e16a1e65df28b2b1407843e3e3de68a432a18e (patch)
tree: eaeacb08b9db24b8ceebd95431f93de7aeae84dd
parent: grsecurity: --chroot (diff)
download: firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.tar.gz
firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.tar.zst
firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.zip
4 files changed, 15 insertions, 5 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 976348c33..0b47fd6db 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1084,6 +1084,11 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                exit(1);
                        }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                        arg_overlay = 1;
                        arg_overlay_keep = 1;
                        
@@ -1091,7 +1096,6 @@ int main(int argc, char **argv) {
                        char *dirname;
                        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                                errExit("asprintf");
-                        struct stat s;
                        if (stat(dirname, &s) == -1) {
                                /* coverity[toctou] */
                                if (mkdir(dirname, 0700))
@@ -1122,6 +1126,11 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                exit(1);
                        }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                        arg_overlay = 1;
                }
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1207,7 +1216,7 @@ int main(int argc, char **argv) {
                                
                                struct stat s;
                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                                        fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+                                        fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
                                        exit(1);        
                                }
                                
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8972e2380..24dbff67a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -971,7 +971,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail directory.
+The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 .br
@@ -987,7 +987,7 @@ $ firejail \-\-overlay firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed.
+and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
 .br
 .br
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index cced5a0f0..aeb5669e1 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error: --chroot option is not available on GRSecurity systems" {puts "\nall done\n"; exit}
+        "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
        "Child process initialized" {puts "chroot available\n"};
 }
 sleep 1
diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp
index 42d25b407..b7eeba80f 100755
--- a/test/fs_overlay.exp
+++ b/test/fs_overlay.exp
@@ -20,6 +20,7 @@ send -- "firejail --noprofile --overlay\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+        "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
        "Child process initialized" {puts "found\n"}
 }
 sleep 1
author	netblue30 <netblue30@yahoo.com>	2016-04-05 09:59:44 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-05 09:59:44 -0400
commit	37e16a1e65df28b2b1407843e3e3de68a432a18e (patch)
tree	eaeacb08b9db24b8ceebd95431f93de7aeae84dd
parent	grsecurity: --chroot (diff)
download	firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.tar.gz firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.tar.zst firejail-37e16a1e65df28b2b1407843e3e3de68a432a18e.zip