authorLibravatar netblue30 <netblue30@yahoo.com>2017-07-08 12:10:51 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-07-08 12:10:51 -0400
commit9794356e80df9a2b3eaf6ddda310d26ecc56b3ec (patch)
treef3ef8973af15a8a9877ef4c0adbef718caf470db /src
parentfixing the previous fix (diff)
downloadfirejail-9794356e80df9a2b3eaf6ddda310d26ecc56b3ec.tar.gz
firejail-9794356e80df9a2b3eaf6ddda310d26ecc56b3ec.tar.zst
firejail-9794356e80df9a2b3eaf6ddda310d26ecc56b3ec.zip
fix discretionary access control for sandboxes running as root with --noprofile
Diffstat (limited to 'src')
-rw-r--r--src/firejail/caps.c2
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c2
3 files changed, 3 insertions, 2 deletions
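--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -250,7 +250,7 @@ void caps_print(void) {
 
 // drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-	if (getuid() == 0) {
+	if (getuid() == 0 && !arg_noprofile) {
 		if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
 		else if (arg_debug)
 			printf("Drop CAP_DAC_OVERRIDE\n");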
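Review bot: The new `&& !arg_noprofile` test makes a root sandbox started with --noprofile keep CAP_DAC_OVERRIDE in its bounding set without any trace, and the pre-existing empty-statement `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));` on the following line likewise swallows a failed drop, so neither outcome is visible even with --debug. Since this is a privilege decision, both paths should be reportable: `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0) == -1) perror("prctl PR_CAPBSET_DROP");` for the failure, and an `else if (arg_debug) printf("CAP_DAC_OVERRIDE kept (--noprofile)\n");` on the outer condition for the skip. The header comment should also record the exemption, e.g. `// drop discretionary access control capabilities for root sandboxes (not with --noprofile)`. The closing braces of caps_drop_dac_override are outside the hunk.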
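--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -351,6 +351,7 @@ extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
+extern int arg_noprofile; // use default.profile if none other found/specified
 
 extern int login_shell;
 extern int parent_to_child_fds[2];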
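Review bot: The comment on the added extern, `// use default.profile if none other found/specified`, describes the opposite of what a non-zero arg_noprofile appears to mean (caps.c now skips the CAP_DAC_OVERRIDE drop when it is set, and the commit title ties it to --noprofile), and the same text is copied onto the definition in the main.c hunk. Now that another translation unit keys a capability decision on this flag, the comment should say what the value means, e.g. `// --noprofile: run without a security profile`, assuming that is how the option sets it; the parsing code is not in this diff, so confirm against it.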
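--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -109,6 +109,7 @@ int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
 int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
+int arg_noprofile = 0; // use default.profile if none other found/specified
 
 int login_shell = 0;
 
@@ -818,7 +819,6 @@ int main(int argc, char **argv) {
 	int option_force = 0;
 	int custom_profile = 0; // custom profile loaded
 	char *custom_profile_dir = NULL; // custom profile directory
-	int arg_noprofile = 0; // use default.profile if none other found/specified
 
 
 	// get starting timestamp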