author | netblue30 <netblue30@yahoo.com> | 2016-08-23 08:48:38 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-23 08:48:38 -0400 |
commit | 567585fe3b2375e0b9dc55dac3672b99aade19f0 (patch) | |
tree | 45a967a61e93bbc91554a8e9922f48e8d6980a56 /src | |
parent | run time support to disable chroot desktop features (diff) | |
chroot and overlayfs hardening
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 44 |
1 files changed, 37 insertions, 7 deletions
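diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0851e71cd..40df00a98 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -533,8 +533,14 @@ int sandbox(void* sandbox_arg) {
 // private mode
 //****************************
 if (arg_private) {
-if (cfg.home_private) // --private=
-fs_private_homedir();
+if (cfg.home_private) { // --private=
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n");
+else
+fs_private_homedir();
+}
 else // --private
 fs_private();
 }
@@ -542,11 +548,20 @@ int sandbox(void* sandbox_arg) {
 if (arg_private_template)
 fs_private_template();
 
-if (arg_private_dev)
-fs_private_dev();
+if (arg_private_dev) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n");
+else
+fs_private_dev();
+}
+
 if (arg_private_etc) {
 if (cfg.chrootdir)
 fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
 else {
 fs_private_etc_list();
 // create /etc/ld.so.preload file again
@@ -554,14 +569,24 @@ int sandbox(void* sandbox_arg) {
 fs_trace_preload();
 }
 }
+
 if (arg_private_bin) {
 if (cfg.chrootdir)
 fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
 else
 fs_private_bin_list();
 }
-if (arg_private_tmp)
-fs_private_tmp();
+
+if (arg_private_tmp) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
+else
+fs_private_tmp();
+}
 
 //****************************
 // update /proc, /sys, /dev, /boot directorymy
@@ -574,7 +599,12 @@ int sandbox(void* sandbox_arg) {
 //****************************
 if (cfg.profile) {
 // apply all whitelist commands ...
-fs_whitelist();
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+else
+fs_whitelist();
 
 // ... followed by blacklist commands
 fs_blacklist();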
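Review bot: Every new guard in this section downgrades an explicitly requested restriction to a stderr warning and carries on, so a sandbox started with `--chroot` or `--overlay` together with `--private-dev`, `--private-tmp`, `--private=dir` or a whitelisting profile launches with fewer restrictions than the user asked for, and a stderr warning is easily missed when firejail is started from a desktop launcher. Consider failing closed for the explicit command-line cases — print the message and `exit(1)` rather than continue — or at minimum document in the man page and profile docs that these options are ignored under chroot and overlay. The whitelist guard at new line 602 sits under `if (cfg.profile)`, so the "whitelist feature is disabled" warning is emitted for any profile loaded under chroot/overlay, apparently even one with no whitelist rule; if fs_whitelist() is a no-op for an empty list, check that the list is non-empty before warning. The same chroot/overlay test is now repeated six times; a single helper, sketched below, keeps the messages consistent and gives one place to switch from warn-and-continue to a hard error. sandbox() begins and ends outside the shown hunks.
```c
// Warn and return 1 when a mount-based private-*/whitelist feature cannot be
// applied because the sandbox root is a chroot or an overlay; 0 otherwise.
static int fs_feature_disabled(const char *feature) {
	if (cfg.chrootdir)
		fprintf(stderr, "Warning: %s feature is disabled in chroot\n", feature);
	else if (arg_overlay)
		fprintf(stderr, "Warning: %s feature is disabled in overlay\n", feature);
	else
		return 0;
	return 1;
}
// … unchanged: earlier sandbox() body …
	if (arg_private_dev && !fs_feature_disabled("private-dev"))
		fs_private_dev();
	if (arg_private_tmp && !fs_feature_disabled("private-tmp"))
		fs_private_tmp();
// … unchanged: private-etc, private-bin, whitelist call sites follow the same shape …
```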