author | 2017-08-19 23:22:38 +0300 | |
---|---|---|
committer | 2017-08-19 23:33:11 +0300 | |
commit | d01216de45884300c87e7d3ccb70e53ebb461449 (patch) | |
tree | 480519f5849df4c6048a7f62ec97f96e51174c3e /src/firejail/preproc.c | |
parent | Merge update after #1483 (diff) | |
Feature: switch/config option to block secondary architectures
Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.
Closes #1479
Diffstat (limited to 'src/firejail/preproc.c')
-rw-r--r-- | src/firejail/preproc.c | 10 |
1 files changed, 7 insertions, 3 deletions
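--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -75,9 +75,13 @@ void preproc_mount_mnt_dir(void) {
 tmpfs_mounted = 1;
 fs_logger2("tmpfs", RUN_MNT_DIR);
 
-//copy defaultl seccomp files
-copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
-copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+if (arg_seccomp_block_secondary)
+copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
+else {
+//copy default seccomp files
+copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
+copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
+}
 if (arg_allow_debuggers)
 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
 else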
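Review bot: The new `if (arg_seccomp_block_secondary)` branch ignores the result of `copy_file(PATH_SECCOMP_BLOCK_SECONDARY, ...)`, so a failed copy would not stop startup at this point; for an opt-in hardening switch the safer behaviour is to fail closed. If copy_file reports failure through its return value (its definition is not visible in this hunk), check it, e.g. `if (copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644)) errExit("copy_file");`. In this branch RUN_SECCOMP_I386 and RUN_SECCOMP_AMD64 are no longer created, so whatever code later loads those files presumably needs the same flag check. The unbraced `if` paired with a braced `else {` is also easy to misread, and bracing both arms would be clearer. preproc_mount_mnt_dir begins and ends outside the hunk.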