author | netblue30 <netblue30@yahoo.com> | 2018-09-09 13:05:15 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-09-09 13:05:15 -0400 |
commit | efa8fb6a8ee00c12472c3ac847fa4a29c59a5c70 (patch) | |
tree | c4587991e56ec8e55db426896c81a49bdb83a956 /src | |
parent | support for firetunnel utility (diff) | |
parent | set rlimits at later timepoint during sandbox setup (diff) | |
Merge branch 'master' of http://github.com/netblue30/firejail
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 11 |
1 files changed, 6 insertions, 5 deletions
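--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -522,6 +522,7 @@ void start_application(int no_sandbox, FILE *fp) {
 static void enforce_filters(void) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
+arg_nonewprivs = 1;
 arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
 enforce_seccomp = 1;
@@ -1008,9 +1009,6 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
-// set rlimits
-set_rlimits();
-
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -1128,9 +1126,9 @@ int sandbox(void* sandbox_arg) {
 // Set NO_NEW_PRIVS if desired
 //****************************************
 if (arg_nonewprivs) {
-int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-if(no_new_privs != 0 && !arg_quiet)
+if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
 fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
 else if (arg_debug)
 printf("NO_NEW_PRIVS set\n");
@@ -1145,6 +1143,9 @@ int sandbox(void* sandbox_arg) {
 errExit("fork");
 
 if (app_pid == 0) {
+// set rlimits
+set_rlimits();
+
 #ifdef HAVE_APPARMOR
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 errno = 0;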
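Review bot: In the NO_NEW_PRIVS block of `sandbox()`, a read-back of `prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1` still only reaches `fwarning(...)` and the sandbox keeps starting, although `enforce_filters()` now forces `arg_nonewprivs = 1` alongside the enforced seccomp filter. If the flag is meant to be mandatory on that path, the failure should stop the sandbox rather than warn, for example `errExit("prctl");` when the filters are enforced, keeping the warning only for the user-requested case. A short comment above the read-back, such as `// verify the flag took effect; the set call's return value is not checked`, would also explain why the result of `PR_SET_NO_NEW_PRIVS` is now discarded. Both functions continue outside the visible hunks, so whether a later check already aborts cannot be confirmed from here.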