author | netblue30 <netblue30@yahoo.com> | 2016-01-26 09:19:19 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-01-26 09:19:19 -0500 |
commit | a23ac1bf390fa4c3db4ea31e6ee6100a9c511d59 (patch) | |
tree | 7e6446c218495c2b9bb4960c14d0e972591e902a /src | |
parent | Mahtematica profile (diff) | |
don't allow --chroot as user without seccomp support
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 10 |
3 files changed, 12 insertions, 4 deletions
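--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -387,7 +387,7 @@ void fs_check_private_dir(void);
 
 
 // seccomp.c
-int seccomp_filter_drop(void);
+int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
 void seccomp_set(void);
 void seccomp_print_filter_name(const char *name);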
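Review bot: The changed prototype `int seccomp_filter_drop(int enforce_seccomp);` gives callers no hint that a non-zero argument turns a failed filter install into process termination rather than a return value of 1. A one-line comment above the declaration would record that contract, for example `// enforce_seccomp != 0: exit(1) if the filter cannot be installed; 0: warn and return 1`. The neighbouring `seccomp_filter_keep(void)` keeps its old signature, so the header now has two install functions with different failure behaviour, which the comment should make explicit.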
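--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -349,6 +349,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
+int enforce_seccomp = 0;
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
@@ -360,6 +361,7 @@ int sandbox(void* sandbox_arg) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
+enforce_seccomp = 1;
 if (cfg.seccomp_list_drop) {
 free(cfg.seccomp_list_drop);
 cfg.seccomp_list_drop = NULL;
@@ -603,7 +605,7 @@ int sandbox(void* sandbox_arg) {
 else if (cfg.seccomp_list_errno)
 seccomp_filter_errno();
 else
-seccomp_filter_drop();
+seccomp_filter_drop(enforce_seccomp);
 }
 #endif
 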
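Review bot: Only the final `seccomp_filter_drop(enforce_seccomp)` branch of this chain can fail closed; `seccomp_filter_errno()` on the branch above it takes no flag, and the same presumably holds for a keep branch that starts outside the hunk. The second hunk shows `cfg.seccomp_list_drop` being cleared in the chroot block, but whether `cfg.seccomp_list_errno` and the keep list are cleared there as well is not visible and should be confirmed. If they can still be set together with `cfg.chrootdir`, a failed filter install on those paths would presumably still only warn, which is the case this commit is meant to close. Either reset those lists next to `enforce_seccomp = 1;` or give the other two install functions the same parameter. The return value of `seccomp_filter_drop()` is discarded at this call, so enforcement rests entirely on the `exit(1)` inside the callee; sandbox() itself starts and ends outside these hunks.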
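--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -390,7 +390,7 @@ void seccomp_filter_32(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(int enforce_seccomp) {
 filter_init();
 
 // default seccomp
@@ -595,7 +595,13 @@ int seccomp_filter_drop(void) {
 };
 
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+if (enforce_seccomp) {
+fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+exit(1);
+}
+else
+fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+
 return 1;
 }
 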
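Review bot: The new `enforce_seccomp` branch reports "a seccomp-enabled Linux kernel is required" for every failure of the combined condition, which also covers the `prctl(PR_SET_NO_NEW_PRIVS, ...)` call and any errno from `PR_SET_SECCOMP`. A fatal exit in a sandbox setup path is easier to diagnose when it names the cause, for example `fprintf(stderr, "Error: cannot install seccomp filter: %s\n", strerror(errno));`, assuming errno.h and string.h are already included in this file. In the non-enforcing `else` branch the function still returns 1 after a warning, and the visible caller in sandbox.c ignores that value, so the sandbox continues without a filter there. The `else` would also read more safely with braces, matching the braced `if` above it. Most of seccomp_filter_drop's body lies between the two hunks and is not visible here.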