author | netblue30 <netblue30@yahoo.com> | 2016-11-06 08:13:44 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-06 08:13:44 -0500 |
commit | 646d046c4c42004f007ad1bce1a94e1633e7c57f (patch) | |
tree | ed3015a9316e8fe99a56f9dd48fa7cdc2e4e4e15 /src | |
parent | profile fixes (diff) | |
download | firejail-646d046c4c42004f007ad1bce1a94e1633e7c57f.tar.gz firejail-646d046c4c42004f007ad1bce1a94e1633e7c57f.tar.zst firejail-646d046c4c42004f007ad1bce1a94e1633e7c57f.zip |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sbox.c | 15 | ||||
-rw-r--r-- | src/fnet/Makefile.in | 4 | ||||
-rw-r--r-- | src/fseccomp/Makefile.in | 4 |
3 files changed, 19 insertions, 4 deletions
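--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+// clean the new process
+clearenv();
+int max = 20; // getdtablesize() is overkill for a firejail process
+for (i = 3; i < max; i++)
+close(i); // close open files
+int fd = open("/dev/null",O_RDWR, 0);
+if (fd != -1) {
+dup2 (fd, STDIN_FILENO);
+if (fd > 2)
+close (fd);
+}
+else // the user could run the sandbox without /dev/null
+close(STDIN_FILENO);
+umask(027);
+
 // apply filters
 if (filter & SBOX_CAPS_NONE) {
 caps_drop_all();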
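Review bot: The close loop in the child stops at a hard-coded `max = 20`, so any descriptor numbered 20 or higher that the parent holds at fork time stays open in the child and is presumably inherited by whatever sbox_run executes next. If the parent is guaranteed never to hold descriptors that high at this point, say so in the comment; otherwise take the bound from the real table, e.g. `int max = getdtablesize();`, which is cheap for a one-shot child. In the fallback branch, `close(STDIN_FILENO)` leaves descriptor 0 free, so the next file the child opens becomes its stdin, and the unchecked `dup2` means a failed redirect silently keeps the inherited stdin. sbox_run begins and ends outside this hunk, so the declaration of `i` and the later exec are not visible here.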
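--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+fnet: $(OBJS) ../lib/libnetlink.o
+$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS)
 
 clean:; rm -f *.o fnet
 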
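Review bot: The new link rule at line 37 drops `$(EXTRA_LDFLAGS)`, and the fseccomp Makefile.in section makes the same change, so any linker flags supplied through that variable no longer reach these two helper binaries. Where the variable is set is not visible on this page; if it can carry configure-time or packager-supplied flags, the helpers would now be linked differently from the rest of the tree without the commit message saying why. Unless the omission is deliberate, keep it at the end of the command, `$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)`, or add a comment above the rule explaining why these targets opt out.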
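--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fseccomp: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
 
 clean:; rm -f *.o fseccomp
 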