diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-09-26 09:25:45 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-09-26 09:25:45 -0400 |
| commit | b706669ff642ee81dad07482ac89c8770415e686 (patch) | |
| tree | 2f90e41dd61aac40cc33afa99ac904433554baab /src | |
| parent | mainline merge: profiles (diff) | |
| download | firejail-b706669ff642ee81dad07482ac89c8770415e686.tar.gz firejail-b706669ff642ee81dad07482ac89c8770415e686.tar.zst firejail-b706669ff642ee81dad07482ac89c8770415e686.zip | |
mainline merge: set rlimits at later timepoint during sandbox setup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/sandbox.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f9be62a79..7871b8ac3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -502,6 +502,7 @@ static void enforce_filters(void) { | |||
| 502 | // force default seccomp inside the chroot, no keep or drop list | 502 | // force default seccomp inside the chroot, no keep or drop list |
| 503 | // the list build on top of the default drop list is kept intact | 503 | // the list build on top of the default drop list is kept intact |
| 504 | arg_seccomp = 1; | 504 | arg_seccomp = 1; |
| 505 | arg_nonewprivs = 1; | ||
| 505 | #ifdef HAVE_SECCOMP | 506 | #ifdef HAVE_SECCOMP |
| 506 | enforce_seccomp = 1; | 507 | enforce_seccomp = 1; |
| 507 | #endif | 508 | #endif |
| @@ -989,9 +990,9 @@ int sandbox(void* sandbox_arg) { | |||
| 989 | // Set NO_NEW_PRIVS if desired | 990 | // Set NO_NEW_PRIVS if desired |
| 990 | //**************************************** | 991 | //**************************************** |
| 991 | if (arg_nonewprivs) { | 992 | if (arg_nonewprivs) { |
| 992 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | 993 | prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); |
| 993 | 994 | ||
| 994 | if(no_new_privs != 0 && !arg_quiet) | 995 | if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) |
| 995 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 996 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
| 996 | else if (arg_debug) | 997 | else if (arg_debug) |
| 997 | printf("NO_NEW_PRIVS set\n"); | 998 | printf("NO_NEW_PRIVS set\n"); |