author | 2020-08-22 06:41:56 -0500 | |
---|---|---|
committer | 2020-08-22 06:41:56 -0500 | |
commit | 14f7b4decb811eb2e0d2c4d5a10bfd16351a7a5a (patch) | |
tree | 2dfd331b7bededc4bb4d12c25386652d8dc4bff0 /src/fsec-optimize | |
parent | Merge pull request #3594 from smitsohu/ls (diff) | |
parent | cleanup (diff) | |
Merge pull request #3572 from smitsohu/dumpable
hardening: run plugins with dumpable flag cleared
Diffstat (limited to 'src/fsec-optimize')
-rw-r--r-- | src/fsec-optimize/fsec_optimize.h | 1 | ||||
-rw-r--r-- | src/fsec-optimize/main.c | 6 |
2 files changed, 7 insertions, 0 deletions
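--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
+#include <sys/prctl.h>
 
 // optimize.c
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);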
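--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -44,6 +44,12 @@ printf("\n");
 return 0;
 }
 
+#ifdef WARN_DUMPABLE
+// check FIREJAIL_PLUGIN in order to not print a warning during make
+if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
+fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
+#endif
+
 char *fname = argv[1];
 
 // open input file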
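Review bot: The message printed under `WARN_DUMPABLE` is labelled "Error", yet nothing follows it: execution falls through to `char *fname = argv[1];`, and the comment above the check calls it a warning. If this is meant as a debug-build diagnostic only, the text and comment should say so, for example `fprintf(stderr, "Warning fsec-optimize: I am dumpable\n");` under `// debug-only (WARN_DUMPABLE): a dumpable plugin can be ptraced or core-dumped by the calling user; report and continue`. A failing `prctl()` returns -1 and is silently treated the same as "not dumpable", which hides the one case where the state is unknown. Without `WARN_DUMPABLE` defined the plugin verifies nothing itself, so the hardening presumably rests entirely on how the parent launches it; that dependency deserves a sentence in the comment. The enclosing function starts and ends outside the hunk.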