diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-02-19 10:11:39 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-02-19 10:11:39 -0500 |
| commit | 23e5d5e94bbed9ab9e788108227d5e50959e12cd (patch) | |
| tree | 642eb79e1d2960c1577e261abf96d7daa64a06e3 | |
| parent | new video demo (diff) | |
| download | firejail-23e5d5e94bbed9ab9e788108227d5e50959e12cd.tar.gz firejail-23e5d5e94bbed9ab9e788108227d5e50959e12cd.tar.zst firejail-23e5d5e94bbed9ab9e788108227d5e50959e12cd.zip | |
added support to disable apparmor globally in /etc/firejail/firejail.config
| -rw-r--r-- | etc/firejail.config | 2 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 |
4 files changed, 13 insertions, 1 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index 6fd5f1b06..ade3e3c84 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -2,6 +2,8 @@ | |||
| 2 | # keyword-argument pairs, one per line. Most features are enabled by default. | 2 | # keyword-argument pairs, one per line. Most features are enabled by default. |
| 3 | # Use 'yes' or 'no' as configuration values. | 3 | # Use 'yes' or 'no' as configuration values. |
| 4 | 4 | ||
| 5 | # Enable AppArmor functionality, default enabled. | ||
| 6 | # apparmor yes | ||
| 5 | 7 | ||
| 6 | # Number of ARP probes sent when assigning an IP address for --net option, | 8 | # Number of ARP probes sent when assigning an IP address for --net option, |
| 7 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | 9 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 2629fb3ec..0d77c199b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -103,6 +103,15 @@ int checkcfg(int val) { | |||
| 103 | else | 103 | else |
| 104 | goto errout; | 104 | goto errout; |
| 105 | } | 105 | } |
| 106 | // apparmor | ||
| 107 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | ||
| 108 | if (strcmp(ptr + 9, "yes") == 0) | ||
| 109 | cfg_val[CFG_APPARMOR] = 1; | ||
| 110 | else if (strcmp(ptr + 9, "no") == 0) | ||
| 111 | cfg_val[CFG_APPARMOR] = 0; | ||
| 112 | else | ||
| 113 | goto errout; | ||
| 114 | } | ||
| 106 | // bind | 115 | // bind |
| 107 | else if (strncmp(ptr, "bind ", 5) == 0) { | 116 | else if (strncmp(ptr, "bind ", 5) == 0) { |
| 108 | if (strcmp(ptr + 5, "yes") == 0) | 117 | if (strcmp(ptr + 5, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e8dc390d4..ca3b73ffc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -742,6 +742,7 @@ enum { | |||
| 742 | CFG_ARP_PROBES, | 742 | CFG_ARP_PROBES, |
| 743 | CFG_XPRA_ATTACH, | 743 | CFG_XPRA_ATTACH, |
| 744 | CFG_PRIVATE_LIB, | 744 | CFG_PRIVATE_LIB, |
| 745 | CFG_APPARMOR, | ||
| 745 | CFG_MAX // this should always be the last entry | 746 | CFG_MAX // this should always be the last entry |
| 746 | }; | 747 | }; |
| 747 | extern char *xephyr_screen; | 748 | extern char *xephyr_screen; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 47bb94a52..503d822a9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1065,7 +1065,7 @@ int sandbox(void* sandbox_arg) { | |||
| 1065 | 1065 | ||
| 1066 | if (app_pid == 0) { | 1066 | if (app_pid == 0) { |
| 1067 | #ifdef HAVE_APPARMOR | 1067 | #ifdef HAVE_APPARMOR |
| 1068 | if (arg_apparmor) { | 1068 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { |
| 1069 | errno = 0; | 1069 | errno = 0; |
| 1070 | if (aa_change_onexec("firejail-default")) { | 1070 | if (aa_change_onexec("firejail-default")) { |
| 1071 | fwarning("Cannot confine the application using AppArmor.\n" | 1071 | fwarning("Cannot confine the application using AppArmor.\n" |