author | netblue30 <netblue30@yahoo.com> | 2017-01-06 15:39:54 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-01-06 15:39:54 -0500 |
commit | 85517885bece9209bbcace80fec115b0126263ad (patch) | |
tree | 40ad1c5a321e6e9d8977b00dba68b533900de5e1 /src | |
parent | security fixes (diff) | |
security fix
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 22 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
2 files changed, 24 insertions, 2 deletions
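--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 
 #if 0
 #include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
 
 if (check_arg(argc, argv, "--quiet"))
 arg_quiet = 1;
-if (check_arg(argc, argv, "--allow-debuggers"))
+if (check_arg(argc, argv, "--allow-debuggers")) {
+// check kernel version
+struct utsname u;
+int rv = uname(&u);
+if (rv != 0)
+errExit("uname");
+int major;
+int minor;
+if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+exit(1);
+}
+if (major < 4 || (major == 4 && minor < 8)) {
+fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+"A bug in ptrace call allows a full bypass of the seccomp filter. "
+"Your current kernel version is %d.%d.\n", major, minor);
+exit(1);
+}
+
 arg_allow_debuggers = 1;
+}
 
 // drop permissions by default and rise them when required
 EUID_INIT();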
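Review bot: The parse-failure branch prints `u.version`, but the string handed to sscanf() is `u.release`, so a user whose release cannot be parsed sees the kernel build string instead of the value that failed; the line should read `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The gate trusts the release string reported by uname(), so a vendor kernel older than 4.8 that carries a backported fix is refused as well; that fails closed, which is the right direction for a seccomp-bypass guard, and deserves a short comment such as `// release string only: older kernels with a backported fix are still refused`. The hunk shows only the command-line path; if arg_allow_debuggers can be set anywhere else in the file, that path presumably needs the same check. main() starts and ends outside the hunk.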
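--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-allow-debuggers
-Allow tools such as strace and gdb inside the sandbox.
+Allow tools such as strace and gdb inside the sandbox. This option is only available
+when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full
+bypass of the seccomp filter.
 .br
 
 .br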