Merge pull request #3572 from smitsohu/dumpable

hardening: run plugins with dumpable flag cleared

1 files changed, 11 insertions, 5 deletions

diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 3b3c92b46..f505ca0f3 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -64,6 +64,16 @@ printf("\n");
                 usage();
                 return 1;
         }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+#ifdef WARN_DUMPABLE
+        // check FIREJAIL_PLUGIN in order to not print a warning during make
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
+                fprintf(stderr, "Error fseccomp: I am dumpable\n");
+#endif
 
         char *quiet = getenv("FIREJAIL_QUIET");
         if (quiet && strcmp(quiet, "yes") == 0)
@@ -83,11 +93,7 @@ printf("\n");
                 }
         }
 
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
-                usage();
-                return 0;
-        }
-        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+        if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
                 syscall_print();
         else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
                 syscall_print_32();