diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-09-03 08:48:52 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-09-03 08:48:52 -0400 |
| commit | 55cd5c1d8f4007bc28d50c4324d2f1ff8dbef14a (patch) | |
| tree | bc67034d4998a65589470061d87e29a912308040 | |
| parent | Merges (diff) | |
| download | firejail-55cd5c1d8f4007bc28d50c4324d2f1ff8dbef14a.tar.gz firejail-55cd5c1d8f4007bc28d50c4324d2f1ff8dbef14a.tar.zst firejail-55cd5c1d8f4007bc28d50c4324d2f1ff8dbef14a.zip | |
chroot problem (Debian)
| -rw-r--r-- | src/firejail/main.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index f50774379..3f8640e9a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -860,6 +860,8 @@ int main(int argc, char **argv) { | |||
| 860 | int lockfd_directory = -1; | 860 | int lockfd_directory = -1; |
| 861 | int option_cgroup = 0; | 861 | int option_cgroup = 0; |
| 862 | int custom_profile = 0; // custom profile loaded | 862 | int custom_profile = 0; // custom profile loaded |
| 863 | int arg_seccomp_cmdline = 0; // seccomp requested on command line (used to break --chroot) | ||
| 864 | int arg_caps_cmdline = 0; // seccomp requested on command line (used to break --chroot) | ||
| 863 | 865 | ||
| 864 | // drop permissions by default and rise them when required | 866 | // drop permissions by default and rise them when required |
| 865 | EUID_INIT(); | 867 | EUID_INIT(); |
| @@ -1144,6 +1146,7 @@ int main(int argc, char **argv) { | |||
| 1144 | } | 1146 | } |
| 1145 | arg_seccomp = 1; | 1147 | arg_seccomp = 1; |
| 1146 | cfg.seccomp_list = seccomp_check_list(argv[i] + 10); | 1148 | cfg.seccomp_list = seccomp_check_list(argv[i] + 10); |
| 1149 | arg_seccomp_cmdline = 1; | ||
| 1147 | } | 1150 | } |
| 1148 | else | 1151 | else |
| 1149 | exit_err_feature("seccomp"); | 1152 | exit_err_feature("seccomp"); |
| @@ -1156,6 +1159,7 @@ int main(int argc, char **argv) { | |||
| 1156 | } | 1159 | } |
| 1157 | arg_seccomp = 1; | 1160 | arg_seccomp = 1; |
| 1158 | cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); | 1161 | cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); |
| 1162 | arg_seccomp_cmdline = 1; | ||
| 1159 | } | 1163 | } |
| 1160 | else | 1164 | else |
| 1161 | exit_err_feature("seccomp"); | 1165 | exit_err_feature("seccomp"); |
| @@ -1168,6 +1172,7 @@ int main(int argc, char **argv) { | |||
| 1168 | } | 1172 | } |
| 1169 | arg_seccomp = 1; | 1173 | arg_seccomp = 1; |
| 1170 | cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); | 1174 | cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); |
| 1175 | arg_seccomp_cmdline = 1; | ||
| 1171 | } | 1176 | } |
| 1172 | else | 1177 | else |
| 1173 | exit_err_feature("seccomp"); | 1178 | exit_err_feature("seccomp"); |
| @@ -1186,8 +1191,10 @@ int main(int argc, char **argv) { | |||
| 1186 | exit_err_feature("seccomp"); | 1191 | exit_err_feature("seccomp"); |
| 1187 | } | 1192 | } |
| 1188 | #endif | 1193 | #endif |
| 1189 | else if (strcmp(argv[i], "--caps") == 0) | 1194 | else if (strcmp(argv[i], "--caps") == 0) { |
| 1190 | arg_caps_default_filter = 1; | 1195 | arg_caps_default_filter = 1; |
| 1196 | arg_caps_cmdline = 1; | ||
| 1197 | } | ||
| 1191 | else if (strcmp(argv[i], "--caps.drop=all") == 0) | 1198 | else if (strcmp(argv[i], "--caps.drop=all") == 0) |
| 1192 | arg_caps_drop_all = 1; | 1199 | arg_caps_drop_all = 1; |
| 1193 | else if (strncmp(argv[i], "--caps.drop=", 12) == 0) { | 1200 | else if (strncmp(argv[i], "--caps.drop=", 12) == 0) { |
| @@ -1197,6 +1204,7 @@ int main(int argc, char **argv) { | |||
| 1197 | errExit("strdup"); | 1204 | errExit("strdup"); |
| 1198 | // verify caps list and exit if problems | 1205 | // verify caps list and exit if problems |
| 1199 | caps_check_list(arg_caps_list, NULL); | 1206 | caps_check_list(arg_caps_list, NULL); |
| 1207 | arg_caps_cmdline = 1; | ||
| 1200 | } | 1208 | } |
| 1201 | else if (strncmp(argv[i], "--caps.keep=", 12) == 0) { | 1209 | else if (strncmp(argv[i], "--caps.keep=", 12) == 0) { |
| 1202 | arg_caps_keep = 1; | 1210 | arg_caps_keep = 1; |
| @@ -1205,9 +1213,8 @@ int main(int argc, char **argv) { | |||
| 1205 | errExit("strdup"); | 1213 | errExit("strdup"); |
| 1206 | // verify caps list and exit if problems | 1214 | // verify caps list and exit if problems |
| 1207 | caps_check_list(arg_caps_list, NULL); | 1215 | caps_check_list(arg_caps_list, NULL); |
| 1216 | arg_caps_cmdline = 1; | ||
| 1208 | } | 1217 | } |
| 1209 | |||
| 1210 | |||
| 1211 | else if (strcmp(argv[i], "--trace") == 0) | 1218 | else if (strcmp(argv[i], "--trace") == 0) |
| 1212 | arg_trace = 1; | 1219 | arg_trace = 1; |
| 1213 | else if (strcmp(argv[i], "--tracelog") == 0) | 1220 | else if (strcmp(argv[i], "--tracelog") == 0) |
| @@ -2218,6 +2225,14 @@ int main(int argc, char **argv) { | |||
| 2218 | } | 2225 | } |
| 2219 | EUID_ASSERT(); | 2226 | EUID_ASSERT(); |
| 2220 | 2227 | ||
| 2228 | // exit for --chroot sandboxes when secomp or caps are explicitly specified on command line | ||
| 2229 | if (getuid() != 0 && cfg.chrootdir && (arg_seccomp_cmdline || arg_caps_cmdline)) { | ||
| 2230 | fprintf(stderr, "Error: for chroot sandboxes, default seccomp and capabilities filters are\n" | ||
| 2231 | "enabled by default. Please remove all --seccomp and --caps options from the\n" | ||
| 2232 | "command line.\n"); | ||
| 2233 | exit(1); | ||
| 2234 | } | ||
| 2235 | |||
| 2221 | // prog_index could still be -1 if no program was specified | 2236 | // prog_index could still be -1 if no program was specified |
| 2222 | if (prog_index == -1 && arg_shell_none) { | 2237 | if (prog_index == -1 && arg_shell_none) { |
| 2223 | fprintf(stderr, "Error: shell=none configured, but no program specified\n"); | 2238 | fprintf(stderr, "Error: shell=none configured, but no program specified\n"); |