author | 2021-03-03 16:14:57 +0100 | |
---|---|---|
committer | 2021-03-03 16:43:29 +0100 | |
commit | 3565217343a64b71c60e376053dda6af1bfff42f (patch) | |
tree | b4d60e1533ca9f06c5cdafcafbafcce9f8cabea7 /src | |
parent | cosmetics (diff) | |
download | firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.gz firejail-3565217343a64b71c60e376053dda6af1bfff42f.tar.zst firejail-3565217343a64b71c60e376053dda6af1bfff42f.zip |
bring back postexecseccomp for chroot/appimage/overlay sandboxes
Back in the day, the same default seccomp filter was always loaded
for chroot/appimage/overlayfs sandboxes. Nowadays users can configure
their own filters, so allow postexecseccomp again.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 9 |
1 files changed, 4 insertions, 5 deletions
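--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -786,14 +786,13 @@ int sandbox(void* sandbox_arg) {
 #else
 bool always_enforce_filters = false;
 #endif
-// need ld.so.preload if tracing or seccomp with any non-default lists
-bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
 // and drop all capabilities
-if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) {
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
 enforce_filters();
-need_preload = arg_trace || arg_tracelog;
-}
+
+// need ld.so.preload if tracing or seccomp with any non-default lists
+bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
 
 // trace pre-install
 if (need_preload)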
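Review bot: The comment above the moved `need_preload` declaration does not record the security decision made here: with `arg_seccomp_postexec` set, the ld.so.preload path now also runs for non-root `--appimage`, `--chroot` and `--overlay*` sandboxes, which are exactly the cases where `enforce_filters()` is forced. I would extend it with something like `// postexec seccomp is allowed in enforced sandboxes too: it only adds restrictions on top of enforce_filters()`, and confirm that this holds for the code that consumes `need_preload`, which is outside this hunk. Because `need_preload` is now computed after the `enforce_filters()` call, it would silently pick up any change that function makes to the `arg_*` flags; its body is not visible here, so that ordering deserves a word in the comment as well. As a style point, keeping `{ }` around `enforce_filters();` would stop a later statement from being added under the now brace-less `if` by mistake. `sandbox()` starts and ends outside the hunk.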