aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLibravatar netblue30 <netblue30@yahoo.com>2016-08-02 10:03:28 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-08-02 10:03:28 -0400
commit355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 (patch)
tree4bc45dad2214b25b279a0d2475c5f7b38269e3d3 /src
parentMerge pull request #679 from manevich/xephyr (diff)
downloadfirejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.gz
firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.tar.zst
firejail-355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29.zip
apparmor
Diffstat (limited to 'src')
-rw-r--r--src/firejail/Makefile.in6
-rw-r--r--src/firejail/sandbox.c12
2 files changed, 14 insertions, 4 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 21f415ba5..15253b5ab 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@
18HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ 18HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
19HAVE_WHITELIST=@HAVE_WHITELIST@ 19HAVE_WHITELIST=@HAVE_WHITELIST@
20HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ 20HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
21HAVE_APPARMOR=@HAVE_APPARMOR@
22EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
21 23
22H_FILE_LIST = $(sort $(wildcard *.[h])) 24H_FILE_LIST = $(sort $(wildcard *.[h]))
23C_FILE_LIST = $(sort $(wildcard *.c)) 25C_FILE_LIST = $(sort $(wildcard *.c))
24OBJS = $(C_FILE_LIST:.c=.o) 26OBJS = $(C_FILE_LIST:.c=.o)
25BINOBJS = $(foreach file, $(OBJS), $file) 27BINOBJS = $(foreach file, $(OBJS), $file)
26CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security 28CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
27LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread 29LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
28 30
29%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h 31%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
30 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 32 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
31 33
32firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o 34firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
33 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) 35 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
34 36
35clean:; rm -f *.o firejail firejail.1 firejail.1.gz 37clean:; rm -f *.o firejail firejail.1 firejail.1.gz
36 38
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0fd81979f..1502a0312 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -39,6 +39,9 @@
39# define PR_SET_NO_NEW_PRIVS 38 39# define PR_SET_NO_NEW_PRIVS 38
40#endif 40#endif
41 41
42#ifdef HAVE_APPARMOR
43#include <sys/apparmor.h>
44#endif
42 45
43 46
44static int monitored_pid = 0; 47static int monitored_pid = 0;
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) {
392 if (arg_debug && child_pid == 1) 395 if (arg_debug && child_pid == 1)
393 printf("PID namespace installed\n"); 396 printf("PID namespace installed\n");
394 397
398
395 //**************************** 399 //****************************
396 // set hostname 400 // set hostname
397 //**************************** 401 //****************************
@@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) {
503 else 507 else
504 fs_basic_fs(); 508 fs_basic_fs();
505 509
506
507 //**************************** 510 //****************************
508 // set hostname in /etc/hostname 511 // set hostname in /etc/hostname
509 //**************************** 512 //****************************
@@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) {
798 pid_t app_pid = fork(); 801 pid_t app_pid = fork();
799 if (app_pid == -1) 802 if (app_pid == -1)
800 errExit("fork"); 803 errExit("fork");
801 804
802 if (app_pid == 0) { 805 if (app_pid == 0) {
806#ifdef HAVE_APPARMOR
807 errno = 0;
808 if (aa_change_onexec("firejail-default"))
809 fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);
810#endif
803 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died 811 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
804 start_application(); // start app 812 start_application(); // start app
805 } 813 }
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-08-22 00:27:21 +0000