diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-11-13 07:55:29 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-11-13 07:55:29 -0500 |
| commit | 39a175d692bfa8514a649449c938afbc2c12dc6f (patch) | |
| tree | 54796c70ee3cdcca3a0607e5c1d74269bd27913a /src | |
| parent | Add private-dev to qtox (diff) | |
| download | firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.gz firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.zst firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.zip | |
cleanup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/netfilter.c | 4 | ||||
| -rw-r--r-- | src/firejail/sbox.c | 9 |
2 files changed, 3 insertions, 10 deletions
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index cb0d9d7af..7246be8cf 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
| @@ -98,7 +98,7 @@ void netfilter(const char *fname) { | |||
| 98 | 98 | ||
| 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
| 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
| 101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | 101 | sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore); |
| 102 | unlink(SBOX_STDIN_FILE); | 102 | unlink(SBOX_STDIN_FILE); |
| 103 | 103 | ||
| 104 | // debug | 104 | // debug |
| @@ -147,7 +147,7 @@ void netfilter6(const char *fname) { | |||
| 147 | 147 | ||
| 148 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 148 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
| 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
| 150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | 150 | sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); |
| 151 | unlink(SBOX_STDIN_FILE); | 151 | unlink(SBOX_STDIN_FILE); |
| 152 | 152 | ||
| 153 | // debug | 153 | // debug |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 1d6cc2353..274a4353f 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -104,13 +104,6 @@ static struct sock_fprog prog = { | |||
| 104 | .filter = filter, | 104 | .filter = filter, |
| 105 | }; | 105 | }; |
| 106 | 106 | ||
| 107 | typedef struct sbox_config { | ||
| 108 | char *name; | ||
| 109 | char *path; | ||
| 110 | unsigned filters; | ||
| 111 | } SboxConfig; | ||
| 112 | |||
| 113 | |||
| 114 | int sbox_run(unsigned filter, int num, ...) { | 107 | int sbox_run(unsigned filter, int num, ...) { |
| 115 | EUID_ROOT(); | 108 | EUID_ROOT(); |
| 116 | 109 | ||
| @@ -142,7 +135,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
| 142 | if (filter & SBOX_STDIN_FROM_FILE) { | 135 | if (filter & SBOX_STDIN_FROM_FILE) { |
| 143 | int fd; | 136 | int fd; |
| 144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { | 137 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { |
| 145 | fprintf(stderr,"Error: cannot open /tmp/netfilter\n"); | 138 | fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE); |
| 146 | exit(1); | 139 | exit(1); |
| 147 | } | 140 | } |
| 148 | dup2(fd,STDIN_FILENO); | 141 | dup2(fd,STDIN_FILENO); |