grsecurity: --overlay

2 files changed, 13 insertions, 4 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 976348c33..0b47fd6db 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1084,6 +1084,11 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
                         }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                         arg_overlay = 1;
                         arg_overlay_keep = 1;
                         
@@ -1091,7 +1096,6 @@ int main(int argc, char **argv) {
                         char *dirname;
                         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                                 errExit("asprintf");
-                        struct stat s;
                         if (stat(dirname, &s) == -1) {
                                 /* coverity[toctou] */
                                 if (mkdir(dirname, 0700))
@@ -1122,6 +1126,11 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
                         }
+                        struct stat s;
+                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+                                exit(1);        
+                        }
                         arg_overlay = 1;
                 }
                 else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1207,7 +1216,7 @@ int main(int argc, char **argv) {
                                 
                                 struct stat s;
                                 if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-                                        fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+                                        fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
                                         exit(1);        
                                 }
                                 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8972e2380..24dbff67a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -971,7 +971,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail directory.
+The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -987,7 +987,7 @@ $ firejail \-\-overlay firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed.
+and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
 .br
 
 .br