author | 2021-03-01 12:40:02 +0100 | |
---|---|---|
committer | 2021-03-01 12:40:02 +0100 | |
commit | b02d8f91c7fa2ba7c0e0b8a255952d4c8c86fc5e (patch) | |
tree | e50efc1e1dcb77e7b250fab9b0a50ca4b2082acf /src/firejail/sandbox.c | |
parent | fixes (diff) | |
Add ./configure --enable-force-nonewprivs
This will always set 'nonewprivs', 'caps.drop all' and 'nogroups'.
Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 7 |
1 files changed, 6 insertions, 1 deletions
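--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -795,11 +795,16 @@ int sandbox(void* sandbox_arg) {
 exit(rv);
 }
 
+#ifdef HAVE_FORCE_NONEWPRIVS
+bool always_enforce_filters = true;
+#else
+bool always_enforce_filters = false;
+#endif
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
-if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
 enforce_filters();
 need_preload = arg_trace || arg_tracelog;
 }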
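Review bot: The new `always_enforce_filters` term sits inside the existing `getuid() != 0 &&` guard, so on a HAVE_FORCE_NONEWPRIVS build a sandbox started by root still skips `enforce_filters()`; if that exemption is intended it should be stated, since someone enabling a hardening build option will likely expect it to hold for every caller. The comment directly above the `if` is also stale now, because it names only --appimage, --chroot and --overlay*; I would update it to `// for --appimage, --chroot, --overlay* and HAVE_FORCE_NONEWPRIVS builds we force NO_NEW_PRIVS and drop all capabilities (non-root callers only)`. The branch also recomputes `need_preload` without `arg_seccomp_postexec`, which on such a build now applies to every non-root run; that is presumably intended, but it deserves a word in the same comment. The body of sandbox() begins and ends outside this hunk.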