Merge pull request #3572 from smitsohu/dumpable

hardening: run plugins with dumpable flag cleared

2 files changed, 12 insertions, 5 deletions

diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index e8dd083b6..e40999938 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
+#include <sys/prctl.h>
 #include "../include/common.h"
 #include "../include/syscall.h"
 
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 3b3c92b46..f505ca0f3 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -64,6 +64,16 @@ printf("\n");
                 usage();
                 return 1;
         }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+#ifdef WARN_DUMPABLE
+        // check FIREJAIL_PLUGIN in order to not print a warning during make
+        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
+                fprintf(stderr, "Error fseccomp: I am dumpable\n");
+#endif
 
         char *quiet = getenv("FIREJAIL_QUIET");
         if (quiet && strcmp(quiet, "yes") == 0)
@@ -83,11 +93,7 @@ printf("\n");
                 }
         }
 
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
-                usage();
-                return 0;
-        }
-        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+        if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
                 syscall_print();
         else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
                 syscall_print_32();