diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 12:40:02 +0100 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 12:40:02 +0100 |
| commit | b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch) | |
| tree | e50efc1e1dcb77e7b250fab9b0a50ca4b2082acf /src/firejail/sandbox.c | |
| parent | fixes (diff) | |
| download | firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.gz firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.tar.zst firejail-b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e.zip | |
Add ./configure --enable-force-nonewprivs
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ff5f4cb1e..e320e77f9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) { | |||
| 795 | exit(rv); | 795 | exit(rv); |
| 796 | } | 796 | } |
| 797 | 797 | ||
| 798 | #ifdef HAVE_FORCE_NONEWPRIVS | ||
| 799 | bool always_enforce_filters = true; | ||
| 800 | #else | ||
| 801 | bool always_enforce_filters = false; | ||
| 802 | #endif | ||
| 798 | // need ld.so.preload if tracing or seccomp with any non-default lists | 803 | // need ld.so.preload if tracing or seccomp with any non-default lists |
| 799 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | 804 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; |
| 800 | // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS | 805 | // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS |
| 801 | // and drop all capabilities | 806 | // and drop all capabilities |
| 802 | if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) { | 807 | if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) { |
| 803 | enforce_filters(); | 808 | enforce_filters(); |
| 804 | need_preload = arg_trace || arg_tracelog; | 809 | need_preload = arg_trace || arg_tracelog; |
| 805 | } | 810 | } |