author | netblue30 <netblue30@yahoo.com> | 2017-06-06 10:31:41 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-06-06 10:31:41 -0400 |
commit | 84ade8f847adfd3e18987ccc840f352aad92c1c2 (patch) | |
tree | 75945b727e178e6aa5ede48f976b222a1b23ca74 /src | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
testing
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 18 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 |
3 files changed, 12 insertions, 10 deletions
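--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,15 +248,17 @@ void caps_print(void) {
 }
 }
 
-// drop discretionary access control capabilities by default in all sandboxes
+// drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
-else if (arg_debug)
-printf("Drop CAP_DAC_OVERRIDE\n");
-
-if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
-else if (arg_debug)
-printf("Drop CAP_DAC_READ_SEARCH\n");
+if (getuid() == 0) {
+if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+else if (arg_debug)
+printf("Drop CAP_DAC_OVERRIDE\n");
+
+if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+else if (arg_debug)
+printf("Drop CAP_DAC_READ_SEARCH\n");
+}
 }
 
 int caps_default_filter(void) {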
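Review bot: In the new body of `caps_drop_dac_override()` a failing `prctl(PR_CAPBSET_DROP, ...)` is still swallowed by the empty `if (...);` statement, so a root sandbox can keep running with CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH left in its bounding set, and the only output is the debug line on success. Because this is a hardening step, the failure branch should report it, e.g. `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)) fprintf(stderr, "Warning: cannot drop CAP_DAC_OVERRIDE\n");` and the same for CAP_DAC_READ_SEARCH, or call `errExit("prctl")` if continuing without the drop is not acceptable. The added `getuid() == 0` gate tests the real UID, so sandboxes started by a non-root user no longer have these two capabilities removed from the bounding set at all, and the commit message ("testing") gives no reason for narrowing the scope. A comment above the gate such as `// non-root sandboxes keep the DAC caps in the bounding set because <reason>` would let the next reader judge whether that is intended.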
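--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
-// drop discretionary access control capabilities by default
+// drop discretionary access control capabilities for root sandboxes
 caps_drop_dac_override();
 
 // chroot into /proc/PID/root directory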
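--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -100,7 +100,7 @@ static void set_caps(void) {
 else if (arg_caps_default_filter)
 caps_default_filter();
 
-// drop discretionary access control capabilities by default
+// drop discretionary access control capabilities for root sandboxes
 caps_drop_dac_override();
 }
 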