diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-01-25 16:09:32 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-01-25 16:09:32 -0500 |
| commit | 092898da755fa6bc1965c7e786718dd6429cefc1 (patch) | |
| tree | 0fd811b7e1a4fc7c3f525e2f1c2af0ba70bebffc /src | |
| parent | Replace xmr-stak-cpu profile with unified xmr-stak profile (diff) | |
| download | firejail-092898da755fa6bc1965c7e786718dd6429cefc1.tar.gz firejail-092898da755fa6bc1965c7e786718dd6429cefc1.tar.zst firejail-092898da755fa6bc1965c7e786718dd6429cefc1.zip | |
whitelist, private-dev, private-tmp support for chroot and overlay sandboxes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sandbox.c | 31 |
1 files changed, 7 insertions, 24 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ed0a253b3..47bb94a52 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -763,14 +763,8 @@ int sandbox(void* sandbox_arg) { | |||
| 763 | fs_private(); | 763 | fs_private(); |
| 764 | } | 764 | } |
| 765 | 765 | ||
| 766 | if (arg_private_dev) { | 766 | if (arg_private_dev) |
| 767 | if (cfg.chrootdir) | 767 | fs_private_dev(); |
| 768 | fwarning("private-dev feature is disabled in chroot\n"); | ||
| 769 | else if (arg_overlay) | ||
| 770 | fwarning("private-dev feature is disabled in overlay\n"); | ||
| 771 | else | ||
| 772 | fs_private_dev(); | ||
| 773 | } | ||
| 774 | 768 | ||
| 775 | if (arg_private_etc) { | 769 | if (arg_private_etc) { |
| 776 | if (cfg.chrootdir) | 770 | if (cfg.chrootdir) |
| @@ -835,16 +829,10 @@ int sandbox(void* sandbox_arg) { | |||
| 835 | } | 829 | } |
| 836 | 830 | ||
| 837 | if (arg_private_tmp) { | 831 | if (arg_private_tmp) { |
| 838 | if (cfg.chrootdir) | 832 | // private-tmp is implemented as a whitelist |
| 839 | fwarning("private-tmp feature is disabled in chroot\n"); | 833 | EUID_USER(); |
| 840 | else if (arg_overlay) | 834 | fs_private_tmp(); |
| 841 | fwarning("private-tmp feature is disabled in overlay\n"); | 835 | EUID_ROOT(); |
| 842 | else { | ||
| 843 | // private-tmp is implemented as a whitelist | ||
| 844 | EUID_USER(); | ||
| 845 | fs_private_tmp(); | ||
| 846 | EUID_ROOT(); | ||
| 847 | } | ||
| 848 | } | 836 | } |
| 849 | 837 | ||
| 850 | //**************************** | 838 | //**************************** |
| @@ -877,12 +865,7 @@ int sandbox(void* sandbox_arg) { | |||
| 877 | // apply the profile file | 865 | // apply the profile file |
| 878 | //**************************** | 866 | //**************************** |
| 879 | // apply all whitelist commands ... | 867 | // apply all whitelist commands ... |
| 880 | if (cfg.chrootdir) | 868 | fs_whitelist(); |
| 881 | fwarning("whitelist feature is disabled in chroot\n"); | ||
| 882 | else if (arg_overlay) | ||
| 883 | fwarning("whitelist feature is disabled in overlay\n"); | ||
| 884 | else | ||
| 885 | fs_whitelist(); | ||
| 886 | 869 | ||
| 887 | // ... followed by blacklist commands | 870 | // ... followed by blacklist commands |
| 888 | fs_blacklist(); // mkdir and mkfile are processed all over again | 871 | fs_blacklist(); // mkdir and mkfile are processed all over again |