diff options
| author |  Glenn Washburn <development@efficientek.com> | 2018-10-16 01:41:52 -0500 |
|---|---|---|
| committer | Glenn Washburn <development@efficientek.com> | 2018-10-16 01:42:55 -0500 |
| commit | f74fa71cf9d549b1607ca5b0c9fb2442e31f72ab (patch) | |
| tree | 68f323ff771fae30668c4565ec8dbef46b5dce2d /src | |
| parent | Merge branch 'improve-profile-handling' (diff) | |
| download | firejail-f74fa71cf9d549b1607ca5b0c9fb2442e31f72ab.tar.gz firejail-f74fa71cf9d549b1607ca5b0c9fb2442e31f72ab.tar.zst firejail-f74fa71cf9d549b1607ca5b0c9fb2442e31f72ab.zip | |
Do not override user provided seccomp lists when in chroot/overlay/appimage, but to use the default if none is provided.
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sandbox.c | 11 |
1 files changed, 1 insertions, 10 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3abeb174e..95732b95e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -530,14 +530,6 @@ static void enforce_filters(void) { | |||
| 530 | #ifdef HAVE_SECCOMP | 530 | #ifdef HAVE_SECCOMP |
| 531 | enforce_seccomp = 1; | 531 | enforce_seccomp = 1; |
| 532 | #endif | 532 | #endif |
| 533 | if (cfg.seccomp_list_drop) { | ||
| 534 | free(cfg.seccomp_list_drop); | ||
| 535 | cfg.seccomp_list_drop = NULL; | ||
| 536 | } | ||
| 537 | if (cfg.seccomp_list_keep) { | ||
| 538 | free(cfg.seccomp_list_keep); | ||
| 539 | cfg.seccomp_list_keep = NULL; | ||
| 540 | } | ||
| 541 | 533 | ||
| 542 | // disable all capabilities | 534 | // disable all capabilities |
| 543 | if (arg_caps_default_filter || arg_caps_list) | 535 | if (arg_caps_default_filter || arg_caps_list) |
| @@ -547,8 +539,7 @@ static void enforce_filters(void) { | |||
| 547 | // drop all supplementary groups; /etc/group file inside chroot | 539 | // drop all supplementary groups; /etc/group file inside chroot |
| 548 | // is controlled by a regular usr | 540 | // is controlled by a regular usr |
| 549 | arg_nogroups = 1; | 541 | arg_nogroups = 1; |
| 550 | fmessage("\n** Warning: dropping all Linux capabilities and enforcing **\n"); | 542 | fmessage("\n** Warning: dropping all Linux capabilities **\n"); |
| 551 | fmessage("** default seccomp filter **\n\n"); | ||
| 552 | } | 543 | } |
| 553 | 544 | ||
| 554 | int sandbox(void* sandbox_arg) { | 545 | int sandbox(void* sandbox_arg) { |