grsecurity: --chroot

2 files changed, 10 insertions, 1 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index e86aa85ac..976348c33 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1204,6 +1204,14 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                         exit(1);
                                 }
+                                
+                                struct stat s;
+                                if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                                        fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+                                        exit(1);        
+                                }
+                                
+                                
                                 invalid_filename(argv[i] + 9);
                                 
                                 // extract chroot dirname
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f22762499..8972e2380 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -201,7 +201,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled.
+regular user, default seccomp and capabilities filters are enabled. This
+option is not available on Grsecurity systems.
 .br
 
 .br