diff options
author | smitsohu <smitsohu@gmail.com> | 2022-01-17 18:03:38 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-01-18 03:07:16 +0100 |
commit | c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8 (patch) | |
tree | f28205320c08085d32cf42afcbb78e533b2786fe /src | |
parent | keep-fd cleanup (diff) | |
download | firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.tar.gz firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.tar.zst firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.zip |
following up 493a0ef306a8b610f3ed6a1b88a4dbea25e8498b
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sbox.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index d7147b8ea..a37943940 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -78,11 +78,6 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
78 | 78 | ||
79 | umask(027); | 79 | umask(027); |
80 | 80 | ||
81 | // https://seclists.org/oss-sec/2021/q4/43 | ||
82 | struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; | ||
83 | if (setrlimit(RLIMIT_CORE, &tozero)) | ||
84 | errExit("setrlimit"); | ||
85 | |||
86 | // apply filters | 81 | // apply filters |
87 | if (filtermask & SBOX_CAPS_NONE) { | 82 | if (filtermask & SBOX_CAPS_NONE) { |
88 | caps_drop_all(); | 83 | caps_drop_all(); |
@@ -209,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
209 | if (filtermask & SBOX_USER) | 204 | if (filtermask & SBOX_USER) |
210 | drop_privs(1); | 205 | drop_privs(1); |
211 | else if (filtermask & SBOX_ROOT) { | 206 | else if (filtermask & SBOX_ROOT) { |
207 | // https://seclists.org/oss-sec/2021/q4/43 | ||
208 | struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; | ||
209 | if (setrlimit(RLIMIT_CORE, &tozero)) | ||
210 | errExit("setrlimit"); | ||
211 | |||
212 | // elevate privileges in order to get grsecurity working | 212 | // elevate privileges in order to get grsecurity working |
213 | if (setreuid(0, 0)) | 213 | if (setreuid(0, 0)) |
214 | errExit("setreuid"); | 214 | errExit("setreuid"); |
@@ -295,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
295 | if (waitpid(child, &status, 0) == -1 ) { | 295 | if (waitpid(child, &status, 0) == -1 ) { |
296 | errExit("waitpid"); | 296 | errExit("waitpid"); |
297 | } | 297 | } |
298 | if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { | 298 | if (WIFSIGNALED(status) || |
299 | (WIFEXITED(status) && WEXITSTATUS(status) != 0)) { | ||
299 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); | 300 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); |
300 | exit(1); | 301 | exit(1); |
301 | } | 302 | } |