author | netblue30 <netblue30@yahoo.com> | 2017-07-08 12:10:51 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-07-08 12:10:51 -0400 |
commit | 9794356e80df9a2b3eaf6ddda310d26ecc56b3ec (patch) | |
tree | f3ef8973af15a8a9877ef4c0adbef718caf470db /src | |
parent | fixing the previous fix (diff) | |
fix discretionary access control for sandboxes running as root with --noprofile
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 |
3 files changed, 3 insertions, 2 deletions
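--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -250,7 +250,7 @@ void caps_print(void) {
 
 // drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-	if (getuid() == 0) {
+	if (getuid() == 0 && !arg_noprofile) {
 		if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
 		else if (arg_debug)
 			printf("Drop CAP_DAC_OVERRIDE\n");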
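Review bot: A failed capability drop on line 254 is still silent: `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));` has an empty body, so when prctl() returns -1 nothing is reported and the root sandbox continues with CAP_DAC_OVERRIDE intact, while the only message is printed on success. Test the result explicitly, e.g. `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0) == -1) perror("prctl");` and keep the existing debug print in the else branch. The new `!arg_noprofile` guard means a root sandbox started with --noprofile now skips the drop entirely; that is the commit's stated intent, but the comment on line 251 should say so, e.g. `// drop discretionary access control capabilities for root sandboxes (skipped under --noprofile)`. caps_drop_dac_override's body continues outside the hunk.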
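--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -351,6 +351,7 @@ extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
+extern int arg_noprofile; // use default.profile if none other found/specified
 
 extern int login_shell;
 extern int parent_to_child_fds[2];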
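Review bot: The comment on the new `arg_noprofile` declaration at line 354 reads as the inverse of the flag's name ("use default.profile if none other found/specified"), and the same text is copied onto the definition in main.c at line 112. From the name and its new use in caps.c (`!arg_noprofile` skips the capability drop) it presumably records that --noprofile was given and no profile is loaded; the wording should say that rather than leave a reader to guess, e.g. `extern int arg_noprofile; // --noprofile: run without a security profile` here and the matching `int arg_noprofile = 0; // --noprofile: run without a security profile` in main.c.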
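--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -109,6 +109,7 @@ int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
 int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
+int arg_noprofile = 0; // use default.profile if none other found/specified
 
 int login_shell = 0;
 
@@ -818,7 +819,6 @@ int main(int argc, char **argv) {
 	int option_force = 0;
 	int custom_profile = 0; // custom profile loaded
 	char *custom_profile_dir = NULL; // custom profile directory
-	int arg_noprofile = 0; // use default.profile if none other found/specified
 
 
 	// get starting timestamp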