diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-03-23 09:18:13 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-03-23 09:18:13 -0400 |
| commit | 7d13ec6274b71fa1359b1ef8ebb966498e5b2f45 (patch) | |
| tree | 7adfceb348c88c811ccbe6dc6e2be7fad61cbdb3 | |
| parent | --quiet problem (diff) | |
| download | firejail-7d13ec6274b71fa1359b1ef8ebb966498e5b2f45.tar.gz firejail-7d13ec6274b71fa1359b1ef8ebb966498e5b2f45.tar.zst firejail-7d13ec6274b71fa1359b1ef8ebb966498e5b2f45.zip | |
hide firejail run time information
| -rw-r--r-- | src/firejail/fs.c | 12 | ||||
| -rw-r--r-- | todo | 20 |
2 files changed, 30 insertions, 2 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 644255de5..a5edec714 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -710,10 +710,18 @@ static void disable_firejail_config(void) { | |||
| 710 | if (stat(fname, &s) == 0) | 710 | if (stat(fname, &s) == 0) |
| 711 | disable_file(BLACKLIST_FILE, fname); | 711 | disable_file(BLACKLIST_FILE, fname); |
| 712 | } | 712 | } |
| 713 | |||
| 714 | |||
| 715 | 713 | ||
| 716 | free(fname); | 714 | free(fname); |
| 715 | |||
| 716 | // disable run time information | ||
| 717 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) | ||
| 718 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); | ||
| 719 | if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0) | ||
| 720 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); | ||
| 721 | if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0) | ||
| 722 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); | ||
| 723 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) | ||
| 724 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); | ||
| 717 | } | 725 | } |
| 718 | 726 | ||
| 719 | 727 | ||
| @@ -55,3 +55,23 @@ Warning: seccomp file not found | |||
| 55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. | 55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. |
| 56 | $ ls ~ <----------------- all files are available, the directory is not empty! | 56 | $ ls ~ <----------------- all files are available, the directory is not empty! |
| 57 | 57 | ||
| 58 | 10. Posibly capabilities broken for --join | ||
| 59 | |||
| 60 | $ firejail --name=test | ||
| 61 | ... | ||
| 62 | $ firejail --debug --join=test | ||
| 63 | Switching to pid 18591, the first child process inside the sandbox | ||
| 64 | User namespace detected: /proc/18591/uid_map, 1000, 1000 | ||
| 65 | Set caps filter 0 | ||
| 66 | Set protocol filter: unix,inet,inet6 | ||
| 67 | Read seccomp filter, size 792 bytes | ||
| 68 | |||
| 69 | However, in the join sandbox we have: | ||
| 70 | $ cat /proc/self/status | grep Cap | ||
| 71 | CapInh: 0000000000000000 | ||
| 72 | CapPrm: 0000000000000000 | ||
| 73 | CapEff: 0000000000000000 | ||
| 74 | CapBnd: 0000003fffffffff | ||
| 75 | CapAmb: 0000000000000000 | ||
| 76 | |||
| 77 | 11. net_netfilter.exp broken | ||