introduce new option restrict-namespaces

author: smitsohu <smitsohu@gmail.com> 2022-07-19 15:19:24 +0200
committer: smitsohu <smitsohu@gmail.com> 2022-07-23 16:21:14 +0200
commit: 87afef810c2dfbf67420dc76a67c707fbb7353db (patch)
tree: d44aed25d9c050967eb6abe31b4081c0956f4a74 /src/firejail/firejail.h
parent: protocol filter: add x32 ABI handling (diff)
download: firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.gz
firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.zst
firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f8a23678a..b744ebd45 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -198,6 +198,7 @@ typedef struct config_t {
        char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
        char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
        char *protocol;                 // protocol list
+        char *restrict_namespaces;                      // namespaces list
        char *seccomp_error_action;                     // error action: kill, log or errno
        // rlimits
@@ -633,6 +634,7 @@ int seccomp_load(const char *fname);
 int seccomp_filter_drop(bool native);
 int seccomp_filter_keep(bool native);
 int seccomp_filter_mdwx(bool native);
+int seccomp_filter_namespaces(bool native, const char *list);
 void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
 // caps.c
author	smitsohu <smitsohu@gmail.com>	2022-07-19 15:19:24 +0200
committer	smitsohu <smitsohu@gmail.com>	2022-07-23 16:21:14 +0200
commit	87afef810c2dfbf67420dc76a67c707fbb7353db (patch)
tree	d44aed25d9c050967eb6abe31b4081c0956f4a74 /src/firejail/firejail.h
parent	protocol filter: add x32 ABI handling (diff)
download	firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.gz firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.tar.zst firejail-87afef810c2dfbf67420dc76a67c707fbb7353db.zip