diff options
| author |  smitsohu <smitsohu@gmail.com> | 2023-03-02 17:45:13 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2023-03-02 17:53:58 +0100 |
| commit | 5e1b85e41594efb4a3f6b19033a53dca90ce6987 (patch) | |
| tree | 5f9d07e50856313cbe0c5581f70c03cfe56ce1ea /src | |
| parent | cleanup (diff) | |
| download | firejail-5e1b85e41594efb4a3f6b19033a53dca90ce6987.tar.gz firejail-5e1b85e41594efb4a3f6b19033a53dca90ce6987.tar.zst firejail-5e1b85e41594efb4a3f6b19033a53dca90ce6987.zip | |
cleanup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/join.c | 5 | ||||
| -rw-r--r-- | src/firejail/main.c | 6 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 5 |
3 files changed, 7 insertions, 9 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index 5ef54002b..742cda80b 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
| @@ -501,10 +501,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 501 | } | 501 | } |
| 502 | 502 | ||
| 503 | // set nonewprivs | 503 | // set nonewprivs |
| 504 | #ifndef HAVE_FORCE_NONEWPRIVS | 504 | if (arg_nonewprivs == 1) { |
| 505 | if (arg_nonewprivs == 1) // not available for uid 0 | ||
| 506 | #endif | ||
| 507 | { | ||
| 508 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) | 505 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) |
| 509 | errExit("prctl"); | 506 | errExit("prctl"); |
| 510 | if (arg_debug) | 507 | if (arg_debug) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index ac84f00c9..0e5363cb0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -97,7 +97,11 @@ int arg_rlimit_fsize = 0; // rlimit fsize | |||
| 97 | int arg_rlimit_sigpending = 0; // rlimit fsize | 97 | int arg_rlimit_sigpending = 0; // rlimit fsize |
| 98 | int arg_rlimit_as = 0; // rlimit as | 98 | int arg_rlimit_as = 0; // rlimit as |
| 99 | int arg_nogroups = 0; // disable supplementary groups | 99 | int arg_nogroups = 0; // disable supplementary groups |
| 100 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | 100 | #ifdef HAVE_FORCE_NONEWPRIVS |
| 101 | int arg_nonewprivs = 1; // set the NO_NEW_PRIVS prctl | ||
| 102 | #else | ||
| 103 | int arg_nonewprivs = 0; | ||
| 104 | #endif | ||
| 101 | int arg_noroot = 0; // create a new user namespace and disable root user | 105 | int arg_noroot = 0; // create a new user namespace and disable root user |
| 102 | int arg_netfilter; // enable netfilter | 106 | int arg_netfilter; // enable netfilter |
| 103 | int arg_netfilter6; // enable netfilter6 | 107 | int arg_netfilter6; // enable netfilter6 |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 88de1fc5f..648fc2248 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1277,10 +1277,7 @@ int sandbox(void* sandbox_arg) { | |||
| 1277 | //**************************************** | 1277 | //**************************************** |
| 1278 | // Set NO_NEW_PRIVS if desired | 1278 | // Set NO_NEW_PRIVS if desired |
| 1279 | //**************************************** | 1279 | //**************************************** |
| 1280 | #ifndef HAVE_FORCE_NONEWPRIVS | 1280 | if (arg_nonewprivs) { |
| 1281 | if (arg_nonewprivs) | ||
| 1282 | #endif | ||
| 1283 | { | ||
| 1284 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { | 1281 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { |
| 1285 | fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n"); | 1282 | fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n"); |
| 1286 | exit(1); | 1283 | exit(1); |