diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-09-09 15:23:34 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-09-09 15:23:34 +0200 |
| commit | fe226a207bff3e52188d8b064d61cb5711278b09 (patch) | |
| tree | 35671098b24e1c247ab6aba445ce4d12445199f4 | |
| parent | remove blacklist /usr/lib/llvm* in dusable-devel.inc - problems with hardware... (diff) | |
| download | firejail-fe226a207bff3e52188d8b064d61cb5711278b09.tar.gz firejail-fe226a207bff3e52188d8b064d61cb5711278b09.tar.zst firejail-fe226a207bff3e52188d8b064d61cb5711278b09.zip | |
set rlimits at later timepoint during sandbox setup
| -rw-r--r-- | src/firejail/sandbox.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f5abb18ba..b2d49c1e7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -522,6 +522,7 @@ void start_application(int no_sandbox, FILE *fp) { | |||
| 522 | static void enforce_filters(void) { | 522 | static void enforce_filters(void) { |
| 523 | // force default seccomp inside the chroot, no keep or drop list | 523 | // force default seccomp inside the chroot, no keep or drop list |
| 524 | // the list build on top of the default drop list is kept intact | 524 | // the list build on top of the default drop list is kept intact |
| 525 | arg_nonewprivs = 1; | ||
| 525 | arg_seccomp = 1; | 526 | arg_seccomp = 1; |
| 526 | #ifdef HAVE_SECCOMP | 527 | #ifdef HAVE_SECCOMP |
| 527 | enforce_seccomp = 1; | 528 | enforce_seccomp = 1; |
| @@ -1008,9 +1009,6 @@ int sandbox(void* sandbox_arg) { | |||
| 1008 | } | 1009 | } |
| 1009 | } | 1010 | } |
| 1010 | 1011 | ||
| 1011 | // set rlimits | ||
| 1012 | set_rlimits(); | ||
| 1013 | |||
| 1014 | // set nice | 1012 | // set nice |
| 1015 | if (arg_nice) { | 1013 | if (arg_nice) { |
| 1016 | errno = 0; | 1014 | errno = 0; |
| @@ -1128,9 +1126,9 @@ int sandbox(void* sandbox_arg) { | |||
| 1128 | // Set NO_NEW_PRIVS if desired | 1126 | // Set NO_NEW_PRIVS if desired |
| 1129 | //**************************************** | 1127 | //**************************************** |
| 1130 | if (arg_nonewprivs) { | 1128 | if (arg_nonewprivs) { |
| 1131 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | 1129 | prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); |
| 1132 | 1130 | ||
| 1133 | if(no_new_privs != 0 && !arg_quiet) | 1131 | if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) |
| 1134 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 1132 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
| 1135 | else if (arg_debug) | 1133 | else if (arg_debug) |
| 1136 | printf("NO_NEW_PRIVS set\n"); | 1134 | printf("NO_NEW_PRIVS set\n"); |
| @@ -1145,6 +1143,9 @@ int sandbox(void* sandbox_arg) { | |||
| 1145 | errExit("fork"); | 1143 | errExit("fork"); |
| 1146 | 1144 | ||
| 1147 | if (app_pid == 0) { | 1145 | if (app_pid == 0) { |
| 1146 | // set rlimits | ||
| 1147 | set_rlimits(); | ||
| 1148 | |||
| 1148 | #ifdef HAVE_APPARMOR | 1149 | #ifdef HAVE_APPARMOR |
| 1149 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { | 1150 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { |
| 1150 | errno = 0; | 1151 | errno = 0; |