diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-05-20 08:08:34 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-05-20 08:08:34 -0400 |
| commit | 7c5fcbf3d17d771f1420264b4fc5c43ade38e726 (patch) | |
| tree | ed90ec0fb7417a61aab50ddc08d8357133c43d64 /src | |
| parent | onionshare-gui.profile: fix breakage (diff) | |
| download | firejail-7c5fcbf3d17d771f1420264b4fc5c43ade38e726.tar.gz firejail-7c5fcbf3d17d771f1420264b4fc5c43ade38e726.tar.zst firejail-7c5fcbf3d17d771f1420264b4fc5c43ade38e726.zip | |
--oom (#5122)
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 3 | ||||
| -rw-r--r-- | src/firejail/main.c | 11 | ||||
| -rw-r--r-- | src/firejail/usage.c | 1 | ||||
| -rw-r--r-- | src/man/firejail.txt | 11 |
4 files changed, 22 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index de11b438d..38408b534 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -922,4 +922,7 @@ void selinux_relabel_path(const char *path, const char *inside_path); | |||
| 922 | // ids.c | 922 | // ids.c |
| 923 | void run_ids(int argc, char **argv); | 923 | void run_ids(int argc, char **argv); |
| 924 | 924 | ||
| 925 | // oom.c | ||
| 926 | void oom_set(const char *oom_string); | ||
| 927 | |||
| 925 | #endif | 928 | #endif |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1d90b9fc5..1bcec667e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1031,10 +1031,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1031 | 1031 | ||
| 1032 | // sanity check for arguments | 1032 | // sanity check for arguments |
| 1033 | for (i = 0; i < argc; i++) { | 1033 | for (i = 0; i < argc; i++) { |
| 1034 | // if (*argv[i] == 0) { // see #4395 - bug reported by Debian | ||
| 1035 | // fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i); | ||
| 1036 | // exit(1); | ||
| 1037 | // } | ||
| 1038 | if (strlen(argv[i]) >= MAX_ARG_LEN) { | 1034 | if (strlen(argv[i]) >= MAX_ARG_LEN) { |
| 1039 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); | 1035 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); |
| 1040 | exit(1); | 1036 | exit(1); |
| @@ -1280,6 +1276,10 @@ int main(int argc, char **argv, char **envp) { | |||
| 1280 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1276 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
| 1281 | arg_nonewprivs = 1; | 1277 | arg_nonewprivs = 1; |
| 1282 | 1278 | ||
| 1279 | // check oom | ||
| 1280 | if ((i = check_arg(argc, argv, "--oom=", 0)) != 0) | ||
| 1281 | oom_set(argv[i] + 6); | ||
| 1282 | |||
| 1283 | // parse arguments | 1283 | // parse arguments |
| 1284 | for (i = 1; i < argc; i++) { | 1284 | for (i = 1; i < argc; i++) { |
| 1285 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized | 1285 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized |
| @@ -2719,6 +2719,9 @@ int main(int argc, char **argv, char **envp) { | |||
| 2719 | else if (strcmp(argv[i], "--appimage") == 0) { | 2719 | else if (strcmp(argv[i], "--appimage") == 0) { |
| 2720 | // already handled | 2720 | // already handled |
| 2721 | } | 2721 | } |
| 2722 | else if (strncmp(argv[i], "--oom=", 6) == 0) { | ||
| 2723 | // already handled | ||
| 2724 | } | ||
| 2722 | else if (strcmp(argv[i], "--shell=none") == 0) { | 2725 | else if (strcmp(argv[i], "--shell=none") == 0) { |
| 2723 | arg_shell_none = 1; | 2726 | arg_shell_none = 1; |
| 2724 | if (cfg.shell) { | 2727 | if (cfg.shell) { |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 2dd913b5e..7a545982b 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -173,6 +173,7 @@ static char *usage_str = | |||
| 173 | " --novideo - disable video devices.\n" | 173 | " --novideo - disable video devices.\n" |
| 174 | " --nou2f - disable U2F devices.\n" | 174 | " --nou2f - disable U2F devices.\n" |
| 175 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | 175 | " --nowhitelist=filename - disable whitelist for file or directory.\n" |
| 176 | " --oom=value - configure OutOfMemory killer for the sandbox\n" | ||
| 176 | #ifdef HAVE_OUTPUT | 177 | #ifdef HAVE_OUTPUT |
| 177 | " --output=logfile - stdout logging and log rotation.\n" | 178 | " --output=logfile - stdout logging and log rotation.\n" |
| 178 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 179 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cf80ab25c..366a4e061 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1783,6 +1783,17 @@ Disable video devices. | |||
| 1783 | \fB\-\-nowhitelist=dirname_or_filename | 1783 | \fB\-\-nowhitelist=dirname_or_filename |
| 1784 | Disable whitelist for this directory or file. | 1784 | Disable whitelist for this directory or file. |
| 1785 | 1785 | ||
| 1786 | .TP | ||
| 1787 | \fB\-\-oom=value | ||
| 1788 | Configure kernel's OutOfMemory-killer score for this sandbox. The acceptable score values are between 0 and 1000 | ||
| 1789 | for regular users, and -1000 to 1000 for root. For more information on OOM kernel feature see \fBman choom\fR. | ||
| 1790 | .br | ||
| 1791 | |||
| 1792 | .br | ||
| 1793 | Example: | ||
| 1794 | .br | ||
| 1795 | $ firejail \-\-oom=300 firefox | ||
| 1796 | |||
| 1786 | #ifdef HAVE_OUTPUT | 1797 | #ifdef HAVE_OUTPUT |
| 1787 | .TP | 1798 | .TP |
| 1788 | \fB\-\-output=logfile | 1799 | \fB\-\-output=logfile |