author | netblue30 <netblue30@yahoo.com> | 2016-08-09 07:46:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-09 07:46:28 -0400 |
commit | c22f9de02db17cb10b08f3d4893987228799ca89 (patch) | |
tree | 592437e48f29b98a18fefc7f60e2cc7abf0b7c04 /src | |
parent | --private-bin and --private-etc fix (diff) | |
various fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 27 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 12 |
2 files changed, 30 insertions, 9 deletions
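--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
-// redo cp command
-fs_build_cp_command();
+
+// // redo cp command
+// fs_build_cp_command();
 
 // force caps and seccomp if not started as root
 if (getuid() != 0) {
@@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) {
 
 // disable all capabilities
 if (arg_caps_default_filter || arg_caps_list)
-fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n");
+fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
 arg_caps_drop_all = 1;
 
 // drop all supplementary groups; /etc/group file inside chroot
@@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) {
 if (arg_private_dev)
 fs_private_dev();
 if (arg_private_etc) {
-fs_private_etc_list();
-// create /etc/ld.so.preload file again
-if (arg_trace || arg_tracelog)
-fs_trace_preload();
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
+else {
+fs_private_etc_list();
+// create /etc/ld.so.preload file again
+if (arg_trace || arg_tracelog)
+fs_trace_preload();
+}
+}
+if (arg_private_bin) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+else
+fs_private_bin_list();
 }
-if (arg_private_bin)
-fs_private_bin_list();
 if (arg_private_tmp)
 fs_private_tmp();
 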
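Review bot: In the third hunk, a requested `--private-etc` or `--private-bin` is dropped with only a stderr warning when `cfg.chrootdir` is set, so the sandbox starts with the chroot's complete /etc and bin directories even though a restricted view was asked for. Neither the code nor the commit message says why the two features cannot be applied inside a chroot; a comment above each check, such as `// private-etc is not applied inside a chroot; warn and keep the chroot's own /etc`, would record that. If a requested restriction should never be weakened, the branch could end the run instead of continuing, but that is a policy choice the visible lines do not settle. The first hunk also leaves `fs_build_cp_command()` commented out rather than deleted, with no note on why it is no longer needed after `fs_chroot()`. sandbox() begins and ends outside all three hunks.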
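--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -101,10 +101,22 @@ static void filter_init(void) {
 sfilter_alloc_size = SECSIZE;
 
 // copy the start entries
+#if defined(__x86_64__)
+#define X32_SYSCALL_BIT 0x40000000
+struct sock_filter filter[] = {
+VALIDATE_ARCHITECTURE,
+EXAMINE_SYSCALL,
+// handle X32 ABI
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
+BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
+RETURN_ERRNO(EPERM)
+};
+#else
 struct sock_filter filter[] = {
 VALIDATE_ARCHITECTURE,
 EXAMINE_SYSCALL
 };
+#endif
 sfilter_index = sizeof(filter) / sizeof(struct sock_filter);
 memcpy(sfilter, filter, sizeof(filter));
 }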
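Review bot: The two jumps added for the x32 ABI rely on hand-counted offsets and an always-true comparison, and the only explanation is `// handle X32 ABI`. As written, a syscall number at or above `X32_SYSCALL_BIT` jumps over the second test to `RETURN_ERRNO(EPERM)`, while every other number takes the `JGE 0` branch, which is always true for an unsigned value and exists only to skip that return; this holds only if `RETURN_ERRNO` expands to exactly one `sock_filter` entry, and that macro is defined outside the hunk. I would replace the comment with `// x32 syscalls (nr >= X32_SYSCALL_BIT) return EPERM; the always-true JGE 0 skips that return for native x86_64 syscalls`, so a later edit to this prologue does not break the offsets unnoticed. `X32_SYSCALL_BIT` is also defined inside the function body and stays defined for the rest of the file; moving the `#define` to file scope would be cleaner. filter_init() starts before the hunk.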