authorLibravatar netblue30 <netblue30@yahoo.com>2016-01-26 09:19:19 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-01-26 09:19:19 -0500
commita23ac1bf390fa4c3db4ea31e6ee6100a9c511d59 (patch)
tree7e6446c218495c2b9bb4960c14d0e972591e902a /src
parentMahtematica profile (diff)
don't allow --chroot as user without seccomp support
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/sandbox.c4
-rw-r--r--src/firejail/seccomp.c10
3 files changed, 12 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2f40b4d86..2a7ff4104 100644
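--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -387,7 +387,7 @@ void fs_check_private_dir(void);
 
 
 // seccomp.c
-int seccomp_filter_drop(void);
+int seccomp_filter_drop(int enforce_seccomp);
 int seccomp_filter_keep(void);
 void seccomp_set(void);
 void seccomp_print_filter_name(const char *name);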
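Review bot: The new `enforce_seccomp` parameter on `seccomp_filter_drop` is undocumented at the prototype, although it changes the function's contract. Per the seccomp.c section of this commit, a non-zero value turns a failed filter install into `exit(1)` instead of a warning and `return 1`, so the function may not return at all. A one-line comment above the declaration would make that visible to callers, e.g. `// enforce_seccomp != 0: exit(1) if the filter cannot be installed, instead of warning and returning 1`.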
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 02ff7737f..a7308dda6 100644
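--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -349,6 +349,7 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // configure filesystem
  //****************************
+ int enforce_seccomp = 0;
 #ifdef HAVE_CHROOT
  if (cfg.chrootdir) {
  fs_chroot(cfg.chrootdir);
@@ -360,6 +361,7 @@ int sandbox(void* sandbox_arg) {
  // force default seccomp inside the chroot, no keep or drop list
  // the list build on top of the default drop list is kept intact
  arg_seccomp = 1;
+ enforce_seccomp = 1;
  if (cfg.seccomp_list_drop) {
  free(cfg.seccomp_list_drop);
  cfg.seccomp_list_drop = NULL;
@@ -603,7 +605,7 @@ int sandbox(void* sandbox_arg) {
  else if (cfg.seccomp_list_errno)
  seccomp_filter_errno();
  else
- seccomp_filter_drop();
+ seccomp_filter_drop(enforce_seccomp);
  }
 #endif
 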
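Review bot: The fail-closed flag only reaches the last `else` branch at new line 608; the `seccomp_filter_errno()` call just above it, and the branch that precedes it outside the hunk, take no `enforce_seccomp` argument. The chroot block visibly frees `cfg.seccomp_list_drop`, but if `cfg.seccomp_list_errno` can still be set while `cfg.chrootdir` is in use, a filter failure on that path would presumably remain a warning rather than an exit; clearing it alongside the drop list, or passing the flag to the other filter functions, would close that gap. The `#endif` at new line 610 also suggests this dispatch is compiled conditionally; if that guard is the seccomp build option, a build without it would set `enforce_seccomp = 1` and never act on it, so such builds may need to refuse `--chroot` outright. The body of `sandbox()` extends well beyond these hunks, so both points need checking against the full function.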
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 396ab99db..c97741a86 100644
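--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -390,7 +390,7 @@ void seccomp_filter_32(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(int enforce_seccomp) {
  filter_init();
 
  // default seccomp
@@ -595,7 +595,13 @@ int seccomp_filter_drop(void) {
  };
 
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+ if (enforce_seccomp) {
+ fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
+ exit(1);
+ }
+ else
+ fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
+
  return 1;
  }
 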
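Review bot: The new fatal branch at new lines 598-601 blames a missing "seccomp-enabled Linux kernel" for any failure of the combined condition and discards `errno`, even when it is `prctl(PR_SET_NO_NEW_PRIVS, ...)` that fails after the filter was already installed. Printing the cause would let an operator tell missing kernel support from a rejected filter, e.g. `fprintf(stderr, "Error: cannot install seccomp filter: %s, exiting...\n", strerror(errno));` (this assumes `<errno.h>` and `<string.h>` are included, which the hunk does not show). The `else` after a block ending in `exit(1)` is redundant and the added line 604 is blank, so the warning can simply follow the `if` block. The function body starts and ends outside this hunk, and its `// drop filter for seccomp option` comment should also state that a non-zero `enforce_seccomp` makes failure fatal.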