authorLibravatar netblue30 <netblue30@yahoo.com>2016-03-17 08:35:27 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-03-17 08:35:27 -0400
commitf1c1e550aaf04b3573b232b6e464d9a3b4304288 (patch)
treec4658139a76091cd3f4cde9db270e09c9aebd275 /src
parentadded SlimJet profile (diff)
overlayfs work, fixed hedgewars profile
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs.c8
-rw-r--r--src/firejail/main.c22
-rw-r--r--src/lib/pid.c6
3 files changed, 28 insertions, 8 deletions
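--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -960,7 +960,13 @@ void fs_overlayfs(void) {
 // don't leak user information
 restrict_users();
 
-disable_firejail_config();
+// when starting as root in overlay mode, firejail config is not disabled;
+// this mode could be used to install and test new software by chaining
+// firejail sandboxes (firejail --force)
+if (getuid() != 0)
+disable_firejail_config();
+else
+fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
 
 // cleanup and exit
 free(option);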
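Review bot: The `getuid() != 0` test at new line 966 leaves /etc/firejail unmasked in every root-started `--overlay` sandbox, whether or not a nested sandbox is ever launched, while the comment justifies it only for the chaining use case. The comment should state that consequence so the trade-off is visible to the next reader, e.g. `// root + --overlay: /etc/firejail stays visible inside the sandbox so a nested firejail can read its profiles; the config is NOT masked in this mode`. Because the exemption is implicit in the uid rather than requested by an option, it is also worth mentioning in the user documentation for `--overlay`. fs_overlayfs() starts and ends outside the hunk.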
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8f89a804f..476f9c39c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -645,7 +645,8 @@ int main(int argc, char **argv) {
645 int i; 645 int i;
646 int prog_index = -1; // index in argv where the program command starts 646 int prog_index = -1; // index in argv where the program command starts
647 int lockfd = -1; 647 int lockfd = -1;
648 int arg_cgroup = 0; 648 int option_cgroup = 0;
649 int option_force = 0;
649 int custom_profile = 0; // custom profile loaded 650 int custom_profile = 0; // custom profile loaded
650 char *custom_profile_dir = NULL; // custom profile directory 651 char *custom_profile_dir = NULL; // custom profile directory
651 int arg_noprofile = 0; // use generic.profile if none other found/specified 652 int arg_noprofile = 0; // use generic.profile if none other found/specified
@@ -667,7 +668,11 @@ int main(int argc, char **argv) {
667 // if --force option is passed to the program, disregard the existing sandbox 668 // if --force option is passed to the program, disregard the existing sandbox
668 int found = 0; 669 int found = 0;
669 for (i = 1; i < argc; i++) { 670 for (i = 1; i < argc; i++) {
670 if (strcmp(argv[i], "--force") == 0) { 671 if (strcmp(argv[i], "--force") == 0 ||
672 strcmp(argv[i], "--netstats") == 0 ||
673 strcmp(argv[i], "--list") == 0 ||
674 strcmp(argv[i], "--tree") == 0 ||
675 strcmp(argv[i], "--top") == 0) {
671 found = 1; 676 found = 1;
672 break; 677 break;
673 } 678 }
@@ -683,6 +688,8 @@ int main(int argc, char **argv) {
683 // it will never get here! 688 // it will never get here!
684 assert(0); 689 assert(0);
685 } 690 }
691 else
692 option_force = 1;
686 } 693 }
687 694
688 // check root/suid 695 // check root/suid
@@ -740,8 +747,11 @@ int main(int argc, char **argv) {
740 for (i = 1; i < argc; i++) { 747 for (i = 1; i < argc; i++) {
741 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized 748 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
742 749
743 if (strcmp(argv[i], "--debug") == 0) 750 if (strcmp(argv[i], "--debug") == 0) {
744 arg_debug = 1; 751 arg_debug = 1;
752 if (option_force)
753 printf("Entering sandbox-in-sandbox mode\n");
754 }
745 else if (strcmp(argv[i], "--debug-check-filename") == 0) 755 else if (strcmp(argv[i], "--debug-check-filename") == 0)
746 arg_debug_check_filename = 1; 756 arg_debug_check_filename = 1;
747 else if (strcmp(argv[i], "--debug-blacklists") == 0) 757 else if (strcmp(argv[i], "--debug-blacklists") == 0)
@@ -752,7 +762,7 @@ int main(int argc, char **argv) {
752 arg_quiet = 1; 762 arg_quiet = 1;
753 else if (strcmp(argv[i], "--force") == 0) 763 else if (strcmp(argv[i], "--force") == 0)
754 ; 764 ;
755 765
756 //************************************* 766 //*************************************
757 // filtering 767 // filtering
758 //************************************* 768 //*************************************
@@ -931,12 +941,12 @@ int main(int argc, char **argv) {
931 arg_nice = 1; 941 arg_nice = 1;
932 } 942 }
933 else if (strncmp(argv[i], "--cgroup=", 9) == 0) { 943 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
934 if (arg_cgroup) { 944 if (option_cgroup) {
935 fprintf(stderr, "Error: only a cgroup can be defined\n"); 945 fprintf(stderr, "Error: only a cgroup can be defined\n");
936 exit(1); 946 exit(1);
937 } 947 }
938 948
939 arg_cgroup = 1; 949 option_cgroup = 1;
940 cfg.cgroup = strdup(argv[i] + 9); 950 cfg.cgroup = strdup(argv[i] + 9);
941 if (!cfg.cgroup) 951 if (!cfg.cgroup)
942 errExit("strdup"); 952 errExit("strdup");
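Review bot: `option_force` is derived from `found` (new lines 691–692), but the loop at new lines 671–675 now sets `found` for `--netstats`, `--list`, `--tree` and `--top` as well as `--force`, so the flag is also set for monitoring commands that never start a nested sandbox. With `--debug` placed ahead of one of those options, the `printf` at new line 753 would print "Entering sandbox-in-sandbox mode" before `run_cmd_and_exit` handles the command, and any later decision keyed on `option_force` would inherit the same inaccuracy. Setting the flag only on the literal match keeps it truthful, e.g. in the loop before the combined test: `if (strcmp(argv[i], "--force") == 0) option_force = 1;`, dropping the trailing `else`. The `if` that the new `else` pairs with lies outside the hunk, so the pairing is inferred from the context lines.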
diff --git a/src/lib/pid.c b/src/lib/pid.c
index a89ac434b..d1ade389e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -310,7 +310,11 @@ void pid_read(pid_t mon_pid) {
310 continue; 310 continue;
311 if (pid == mypid) 311 if (pid == mypid)
312 continue; 312 continue;
313 313
314 // skip PID 1 just in case we run a sandbox-in-sandbox
315 if (pid == 1)
316 continue;
317
314 // open stat file 318 // open stat file
315 char *file; 319 char *file;
316 if (asprintf(&file, "/proc/%u/status", pid) == -1) { 320 if (asprintf(&file, "/proc/%u/status", pid) == -1) {
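Review bot: The comment at new line 314 says only "just in case" and does not state what goes wrong when PID 1 is processed, while the `continue` applies on every run, not only in a nested sandbox. If the intent is that inside a sandbox PID 1 is the enclosing sandbox's own init and must not be reported, the comment should say so, e.g. `// skip PID 1: inside a sandbox it is the enclosing sandbox's init, not a process to monitor`. The check could also sit next to the `pid == mypid` test above so the skip rules are read together. pid_read() starts and ends outside the hunk.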