added ipc-namespace profile command

author: netblue30 <netblue30@yahoo.com> 2016-03-02 06:36:33 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-03-02 06:36:33 -0500
commit: a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366 (patch)
tree: 4e65de6408dd0776ae5365b34aad4388d47b3ce1 /src
parent: sshd fixes (diff)
download: firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.tar.gz
firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.tar.zst
firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.zip
4 files changed, 13 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1fcb92fea..3097a7a0e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -241,6 +241,7 @@ extern int arg_quiet;		// no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice;            // nice value configured
+extern int arg_ipc;             // enable ipc namespace
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c0050be1f..05745a3f1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -95,6 +95,7 @@ int arg_quiet = 0;				// no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
 int arg_nice = 0;                               // nice value configured
+int arg_ipc = 0;                                        // enable ipc namespace
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -551,7 +552,6 @@ int main(int argc, char **argv) {
        int i;
        int prog_index = -1;                      // index in argv where the program command starts
        int lockfd = -1;
-        int arg_ipc = 0;
        int arg_cgroup = 0;
        int custom_profile = 0; // custom profile loaded
        char *custom_profile_dir = NULL; // custom profile directory
@@ -1619,8 +1619,11 @@ int main(int argc, char **argv) {
        
        // in root mode also enable CLONE_NEWIPC
        // in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM)
-        if (getuid() == 0 || arg_ipc)
+        if (getuid() == 0 || arg_ipc) {
                flags |= CLONE_NEWIPC;
+                if (arg_debug)
+                        printf("Enabling IPC namespace\n");
+        }
        
        if (any_bridge_configured() || any_interface_configured() || arg_nonetwork) {
                flags |= CLONE_NEWNET;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8771a7fa8..28df9f03e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -116,6 +116,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                return 0;
        }
+        else if (strcmp(ptr, "ipc-namespace") == 0) {
+                arg_ipc = 1;
+                return 0;
+        }
        // seccomp, caps, private, user namespace
        else if (strcmp(ptr, "noroot") == 0) {
 #if HAVE_USERNS
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b46958bd4..8897efc09 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -283,7 +283,9 @@ Disable supplementary user groups
 .TP
 \fBshell none
 Run the program directly, without a shell.
+.TP
+\fBipc-namespace
+Enable IPC namespace.
 .SH Networking
 Networking features available in profile files.
author	netblue30 <netblue30@yahoo.com>	2016-03-02 06:36:33 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-03-02 06:36:33 -0500
commit	a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366 (patch)
tree	4e65de6408dd0776ae5365b34aad4388d47b3ce1 /src
parent	sshd fixes (diff)
download	firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.tar.gz firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.tar.zst firejail-a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1fcb92fea..3097a7a0e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -241,6 +241,7 @@ extern int arg_quiet; // no output for scripting
241	extern int arg_join_network; // join only the network namespace	241	extern int arg_join_network; // join only the network namespace
242	extern int arg_join_filesystem; // join only the mount namespace	242	extern int arg_join_filesystem; // join only the mount namespace
243	extern int arg_nice; // nice value configured	243	extern int arg_nice; // nice value configured
		244	extern int arg_ipc; // enable ipc namespace
244		245
245	extern int parent_to_child_fds[2];	246	extern int parent_to_child_fds[2];
246	extern int child_to_parent_fds[2];	247	extern int child_to_parent_fds[2];


diff --git a/src/firejail/main.c b/src/firejail/main.c index c0050be1f..05745a3f1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -95,6 +95,7 @@ int arg_quiet = 0; // no output for scripting
95	int arg_join_network = 0; // join only the network namespace	95	int arg_join_network = 0; // join only the network namespace
96	int arg_join_filesystem = 0; // join only the mount namespace	96	int arg_join_filesystem = 0; // join only the mount namespace
97	int arg_nice = 0; // nice value configured	97	int arg_nice = 0; // nice value configured
		98	int arg_ipc = 0; // enable ipc namespace
98		99
99	int parent_to_child_fds[2];	100	int parent_to_child_fds[2];
100	int child_to_parent_fds[2];	101	int child_to_parent_fds[2];
@@ -551,7 +552,6 @@ int main(int argc, char **argv) {
551	int i;	552	int i;
552	int prog_index = -1; // index in argv where the program command starts	553	int prog_index = -1; // index in argv where the program command starts
553	int lockfd = -1;	554	int lockfd = -1;
554	int arg_ipc = 0;
555	int arg_cgroup = 0;	555	int arg_cgroup = 0;
556	int custom_profile = 0; // custom profile loaded	556	int custom_profile = 0; // custom profile loaded
557	char *custom_profile_dir = NULL; // custom profile directory	557	char *custom_profile_dir = NULL; // custom profile directory
@@ -1619,8 +1619,11 @@ int main(int argc, char **argv) {
1619		1619
1620	// in root mode also enable CLONE_NEWIPC	1620	// in root mode also enable CLONE_NEWIPC
1621	// in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM)	1621	// in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM)
1622	if (getuid() == 0 \|\| arg_ipc)	1622	if (getuid() == 0 \|\| arg_ipc) {
1623	flags \|= CLONE_NEWIPC;	1623	flags \|= CLONE_NEWIPC;
		1624	if (arg_debug)
		1625	printf("Enabling IPC namespace\n");
		1626	}
1624		1627
1625	if (any_bridge_configured() \|\| any_interface_configured() \|\| arg_nonetwork) {	1628	if (any_bridge_configured() \|\| any_interface_configured() \|\| arg_nonetwork) {
1626	flags \|= CLONE_NEWNET;	1629	flags \|= CLONE_NEWNET;


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8771a7fa8..28df9f03e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -116,6 +116,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
116	}	116	}
117	return 0;	117	return 0;
118	}	118	}
		119	else if (strcmp(ptr, "ipc-namespace") == 0) {
		120	arg_ipc = 1;
		121	return 0;
		122	}
119	// seccomp, caps, private, user namespace	123	// seccomp, caps, private, user namespace
120	else if (strcmp(ptr, "noroot") == 0) {	124	else if (strcmp(ptr, "noroot") == 0) {
121	#if HAVE_USERNS	125	#if HAVE_USERNS


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b46958bd4..8897efc09 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -283,7 +283,9 @@ Disable supplementary user groups
283	.TP	283	.TP
284	\fBshell none	284	\fBshell none
285	Run the program directly, without a shell.	285	Run the program directly, without a shell.
286		286	.TP
		287	\fBipc-namespace
		288	Enable IPC namespace.
287	.SH Networking	289	.SH Networking
288	Networking features available in profile files.	290	Networking features available in profile files.
289		291