diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-04-16 09:08:56 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-04-16 09:08:56 -0400 |
| commit | fa5e81aa1490f13372cc973543aeae9df09e506d (patch) | |
| tree | 1d5a5aab26a19ac871c682675c241fd1e4836a29 /src | |
| parent | fixed --profile option (diff) | |
| download | firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.tar.gz firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.tar.zst firejail-fa5e81aa1490f13372cc973543aeae9df09e506d.zip | |
fix: firejail config in /etc/firejail is not blacklisted if the sandbox is started as root in order to allow sandbox chanining
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ee76d096..652f897d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -750,7 +750,13 @@ void fs_basic_fs(void) { | |||
| 750 | // don't leak user information | 750 | // don't leak user information |
| 751 | restrict_users(); | 751 | restrict_users(); |
| 752 | 752 | ||
| 753 | disable_firejail_config(); | 753 | // when starting as root, firejail config is not disabled; |
| 754 | // this mode could be used to install and test new software by chaining | ||
| 755 | // firejail sandboxes (firejail --force) | ||
| 756 | if (getuid() != 0) | ||
| 757 | disable_firejail_config(); | ||
| 758 | else | ||
| 759 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
| 754 | } | 760 | } |
| 755 | 761 | ||
| 756 | 762 | ||
| @@ -967,13 +973,13 @@ void fs_overlayfs(void) { | |||
| 967 | // don't leak user information | 973 | // don't leak user information |
| 968 | restrict_users(); | 974 | restrict_users(); |
| 969 | 975 | ||
| 970 | // when starting as root in overlay mode, firejail config is not disabled; | 976 | // when starting as root, firejail config is not disabled; |
| 971 | // this mode could be used to install and test new software by chaining | 977 | // this mode could be used to install and test new software by chaining |
| 972 | // firejail sandboxes (firejail --force) | 978 | // firejail sandboxes (firejail --force) |
| 973 | if (getuid() != 0) | 979 | if (getuid() != 0) |
| 974 | disable_firejail_config(); | 980 | disable_firejail_config(); |
| 975 | else | 981 | else |
| 976 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n"); | 982 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); |
| 977 | 983 | ||
| 978 | // cleanup and exit | 984 | // cleanup and exit |
| 979 | free(option); | 985 | free(option); |
| @@ -1104,7 +1110,13 @@ void fs_chroot(const char *rootdir) { | |||
| 1104 | // don't leak user information | 1110 | // don't leak user information |
| 1105 | restrict_users(); | 1111 | restrict_users(); |
| 1106 | 1112 | ||
| 1107 | disable_firejail_config(); | 1113 | // when starting as root, firejail config is not disabled; |
| 1114 | // this mode could be used to install and test new software by chaining | ||
| 1115 | // firejail sandboxes (firejail --force) | ||
| 1116 | if (getuid() != 0) | ||
| 1117 | disable_firejail_config(); | ||
| 1118 | else | ||
| 1119 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
| 1108 | } | 1120 | } |
| 1109 | #endif | 1121 | #endif |
| 1110 | 1122 | ||