author | Martin Carpenter <mcarpenter@free.fr> | 2016-01-29 04:29:30 -0500 |
---|---|---|
committer | Martin Carpenter <mcarpenter@free.fr> | 2016-01-29 04:38:58 -0500 |
commit | eaf273846152ec2fc8950590d8b3a65895bd5b88 (patch) | |
tree | 281b3bddadaa14aa98da7c74bc37f4f2dba273d2 /src | |
parent | the first protocol list requested takes precedence (diff) | |
Fix for systems that don't have CAP_SYSLOG
CAP_SYSLOG was retroactively split from CAP_SYS_ADMIN (Linux
kernel commit ce6ada35bdf710d16582cc4869c26722547e6f11). Existing
supported systems might not yet have this commit (e.g. RHEL 6.6), in
which case compilation fails.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 |
2 files changed, 6 insertions, 0 deletions
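--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -289,10 +289,12 @@ int caps_default_filter(void) {
 else if (arg_debug)
 printf("Drop CAP_SYS_TTY_CONFIG\n");
 
+#ifdef CAP_SYSLOG
 if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
 else if (arg_debug)
 printf("Drop CAP_SYSLOG\n");
+#endif
 
 if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_MKNOD");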
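Review bot: The `#ifdef CAP_SYSLOG` guard around the drop is decided at compile time, so a binary built against pre-split headers and later run on a kernel that implements CAP_SYSLOG would leave that capability in the bounding set with no message, and the default filter is quietly weaker than documented. A fallback definition keeps the drop unconditional: `#ifndef CAP_SYSLOG` / `#define CAP_SYSLOG 34` / `#endif` near the includes (34 is the value in linux/capability.h); on a kernel without the capability prctl() fails and the existing warning branch already covers that case. If the guard stays, an `#else` branch that reports under arg_debug that CAP_SYSLOG is not being dropped would at least make the gap visible. The same compile-time choice selects the help text in src/firejail/usage.c, so --help describes the build headers rather than the running kernel. caps_default_filter's body starts and ends outside the hunk.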
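--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -48,7 +48,11 @@ void usage(void) {
 printf("\t-c - execute command and exit.\n\n");
 printf("\t--caps - enable default Linux capabilities filter. The filter disables\n");
 printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n");
+#ifdef CAP_SYSLOG
 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#else
+printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#endif
 printf("\t--caps.drop=all - drop all capabilities.\n\n");
 printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
 printf("\t\tcapabilities filter.\n\n");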