diff options
author | netblue30 <netblue30@yahoo.com> | 2018-09-26 09:25:45 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-09-26 09:25:45 -0400 |
commit | b706669ff642ee81dad07482ac89c8770415e686 (patch) | |
tree | 2f90e41dd61aac40cc33afa99ac904433554baab /src | |
parent | mainline merge: profiles (diff) | |
download | firejail-b706669ff642ee81dad07482ac89c8770415e686.tar.gz firejail-b706669ff642ee81dad07482ac89c8770415e686.tar.zst firejail-b706669ff642ee81dad07482ac89c8770415e686.zip |
mainline merge: set rlimits at later timepoint during sandbox setup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f9be62a79..7871b8ac3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -502,6 +502,7 @@ static void enforce_filters(void) { | |||
502 | // force default seccomp inside the chroot, no keep or drop list | 502 | // force default seccomp inside the chroot, no keep or drop list |
503 | // the list build on top of the default drop list is kept intact | 503 | // the list build on top of the default drop list is kept intact |
504 | arg_seccomp = 1; | 504 | arg_seccomp = 1; |
505 | arg_nonewprivs = 1; | ||
505 | #ifdef HAVE_SECCOMP | 506 | #ifdef HAVE_SECCOMP |
506 | enforce_seccomp = 1; | 507 | enforce_seccomp = 1; |
507 | #endif | 508 | #endif |
@@ -989,9 +990,9 @@ int sandbox(void* sandbox_arg) { | |||
989 | // Set NO_NEW_PRIVS if desired | 990 | // Set NO_NEW_PRIVS if desired |
990 | //**************************************** | 991 | //**************************************** |
991 | if (arg_nonewprivs) { | 992 | if (arg_nonewprivs) { |
992 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | 993 | prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); |
993 | 994 | ||
994 | if(no_new_privs != 0 && !arg_quiet) | 995 | if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) |
995 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 996 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
996 | else if (arg_debug) | 997 | else if (arg_debug) |
997 | printf("NO_NEW_PRIVS set\n"); | 998 | printf("NO_NEW_PRIVS set\n"); |