diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-01-17 18:03:38 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-01-18 03:07:16 +0100 |
| commit | c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8 (patch) | |
| tree | f28205320c08085d32cf42afcbb78e533b2786fe /src | |
| parent | keep-fd cleanup (diff) | |
| download | firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.tar.gz firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.tar.zst firejail-c4e7912f8b9cb04c1690559f25d4b94e5ddab7a8.zip | |
following up 493a0ef306a8b610f3ed6a1b88a4dbea25e8498b
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sbox.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index d7147b8ea..a37943940 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -78,11 +78,6 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
| 78 | 78 | ||
| 79 | umask(027); | 79 | umask(027); |
| 80 | 80 | ||
| 81 | // https://seclists.org/oss-sec/2021/q4/43 | ||
| 82 | struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; | ||
| 83 | if (setrlimit(RLIMIT_CORE, &tozero)) | ||
| 84 | errExit("setrlimit"); | ||
| 85 | |||
| 86 | // apply filters | 81 | // apply filters |
| 87 | if (filtermask & SBOX_CAPS_NONE) { | 82 | if (filtermask & SBOX_CAPS_NONE) { |
| 88 | caps_drop_all(); | 83 | caps_drop_all(); |
| @@ -209,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
| 209 | if (filtermask & SBOX_USER) | 204 | if (filtermask & SBOX_USER) |
| 210 | drop_privs(1); | 205 | drop_privs(1); |
| 211 | else if (filtermask & SBOX_ROOT) { | 206 | else if (filtermask & SBOX_ROOT) { |
| 207 | // https://seclists.org/oss-sec/2021/q4/43 | ||
| 208 | struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; | ||
| 209 | if (setrlimit(RLIMIT_CORE, &tozero)) | ||
| 210 | errExit("setrlimit"); | ||
| 211 | |||
| 212 | // elevate privileges in order to get grsecurity working | 212 | // elevate privileges in order to get grsecurity working |
| 213 | if (setreuid(0, 0)) | 213 | if (setreuid(0, 0)) |
| 214 | errExit("setreuid"); | 214 | errExit("setreuid"); |
| @@ -295,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
| 295 | if (waitpid(child, &status, 0) == -1 ) { | 295 | if (waitpid(child, &status, 0) == -1 ) { |
| 296 | errExit("waitpid"); | 296 | errExit("waitpid"); |
| 297 | } | 297 | } |
| 298 | if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { | 298 | if (WIFSIGNALED(status) || |
| 299 | (WIFEXITED(status) && WEXITSTATUS(status) != 0)) { | ||
| 299 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); | 300 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); |
| 300 | exit(1); | 301 | exit(1); |
| 301 | } | 302 | } |