testing

author: netblue30 <netblue30@yahoo.com> 2017-06-06 10:31:41 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-06-06 10:31:41 -0400
commit: 84ade8f847adfd3e18987ccc840f352aad92c1c2 (patch)
tree: 75945b727e178e6aa5ede48f976b222a1b23ca74 /src
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.gz
firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.zst
firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.zip
3 files changed, 12 insertions, 10 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 883e8015e..ff4d3a9d7 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,15 +248,17 @@ void caps_print(void) {
        }
 }
-// drop discretionary access control capabilities by default in all sandboxes
+// drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-        if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+        if (getuid() == 0) {
-        else if (arg_debug)
+                if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
-                printf("Drop CAP_DAC_OVERRIDE\n");
+                else if (arg_debug)
+                        printf("Drop CAP_DAC_OVERRIDE\n");
-        if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
-        else if (arg_debug)
+                if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
-                printf("Drop CAP_DAC_READ_SEARCH\n");
+                else if (arg_debug)
+                        printf("Drop CAP_DAC_READ_SEARCH\n");
+        }
 }
 int caps_default_filter(void) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d7328a91b..4c0537413 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        if (child < 0)
                errExit("fork");
        if (child == 0) {
-                // drop discretionary access control capabilities by default
+                // drop discretionary access control capabilities for root sandboxes
                caps_drop_dac_override();
                
                // chroot into /proc/PID/root directory
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0a32393a2..7489e7b6d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -100,7 +100,7 @@ static void set_caps(void) {
        else if (arg_caps_default_filter)
                caps_default_filter();
        
-        // drop discretionary access control capabilities by default
+        // drop discretionary access control capabilities for root sandboxes
        caps_drop_dac_override();
 }
author	netblue30 <netblue30@yahoo.com>	2017-06-06 10:31:41 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-06-06 10:31:41 -0400
commit	84ade8f847adfd3e18987ccc840f352aad92c1c2 (patch)
tree	75945b727e178e6aa5ede48f976b222a1b23ca74 /src
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.gz firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.zst firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.zip

diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 883e8015e..ff4d3a9d7 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c
@@ -248,15 +248,17 @@ void caps_print(void) {
248	}	248	}
249	}	249	}
250		250
251	// drop discretionary access control capabilities by default in all sandboxes	251	// drop discretionary access control capabilities for root sandboxes
252	void caps_drop_dac_override(void) {	252	void caps_drop_dac_override(void) {
253	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));	253	if (getuid() == 0) {
254	else if (arg_debug)	254	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
255	printf("Drop CAP_DAC_OVERRIDE\n");	255	else if (arg_debug)
256		256	printf("Drop CAP_DAC_OVERRIDE\n");
257	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));	257
258	else if (arg_debug)	258	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
259	printf("Drop CAP_DAC_READ_SEARCH\n");	259	else if (arg_debug)
		260	printf("Drop CAP_DAC_READ_SEARCH\n");
		261	}
260	}	262	}
261		263
262	int caps_default_filter(void) {	264	int caps_default_filter(void) {


diff --git a/src/firejail/join.c b/src/firejail/join.c index d7328a91b..4c0537413 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
242	if (child < 0)	242	if (child < 0)
243	errExit("fork");	243	errExit("fork");
244	if (child == 0) {	244	if (child == 0) {
245	// drop discretionary access control capabilities by default	245	// drop discretionary access control capabilities for root sandboxes
246	caps_drop_dac_override();	246	caps_drop_dac_override();
247		247
248	// chroot into /proc/PID/root directory	248	// chroot into /proc/PID/root directory


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a32393a2..7489e7b6d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -100,7 +100,7 @@ static void set_caps(void) {
100	else if (arg_caps_default_filter)	100	else if (arg_caps_default_filter)
101	caps_default_filter();	101	caps_default_filter();
102		102
103	// drop discretionary access control capabilities by default	103	// drop discretionary access control capabilities for root sandboxes
104	caps_drop_dac_override();	104	caps_drop_dac_override();
105	}	105	}
106		106