diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-03-13 09:42:39 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-03-13 09:42:39 -0400 |
| commit | bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf (patch) | |
| tree | 87a9e16f64541c4e8eca93637b6328d4b7d11114 /src | |
| parent | cfg bind (diff) | |
| download | firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.tar.gz firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.tar.zst firejail-bc4eda4d4b2a2d242af04cf979c2e9fc28d572bf.zip | |
cfg userns
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 3 | ||||
| -rw-r--r-- | src/firejail/main.c | 7 | ||||
| -rw-r--r-- | src/firejail/profile.c | 6 |
4 files changed, 22 insertions, 3 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 68dc6ac58..670fdc502 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -86,6 +86,15 @@ int checkcfg(int val) { | |||
| 86 | else | 86 | else |
| 87 | goto errout; | 87 | goto errout; |
| 88 | } | 88 | } |
| 89 | // bind | ||
| 90 | else if (strncmp(ptr, "userns ", 7) == 0) { | ||
| 91 | if (strcmp(ptr + 7, "yes") == 0) | ||
| 92 | cfg_val[CFG_USERNS] = 1; | ||
| 93 | else if (strcmp(ptr + 7, "no") == 0) | ||
| 94 | cfg_val[CFG_USERNS] = 0; | ||
| 95 | else | ||
| 96 | goto errout; | ||
| 97 | } | ||
| 89 | else | 98 | else |
| 90 | goto errout; | 99 | goto errout; |
| 91 | free(ptr); | 100 | free(ptr); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ff6eb485b..ed9343345 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -541,7 +541,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
| 541 | #define CFG_FILE_TRANSFER 0 | 541 | #define CFG_FILE_TRANSFER 0 |
| 542 | #define CFG_X11 1 | 542 | #define CFG_X11 1 |
| 543 | #define CFG_BIND 2 | 543 | #define CFG_BIND 2 |
| 544 | #define CFG_MAX 3 // this should always be the last entry | 544 | #define CFG_USERNS 3 |
| 545 | #define CFG_MAX 4 // this should always be the last entry | ||
| 545 | int checkcfg(int val); | 546 | int checkcfg(int val); |
| 546 | 547 | ||
| 547 | #endif | 548 | #endif |
diff --git a/src/firejail/main.c b/src/firejail/main.c index d1d0f91a6..df625a7ba 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1155,7 +1155,12 @@ int main(int argc, char **argv) { | |||
| 1155 | arg_nogroups = 1; | 1155 | arg_nogroups = 1; |
| 1156 | #ifdef HAVE_USERNS | 1156 | #ifdef HAVE_USERNS |
| 1157 | else if (strcmp(argv[i], "--noroot") == 0) { | 1157 | else if (strcmp(argv[i], "--noroot") == 0) { |
| 1158 | check_user_namespace(); | 1158 | if (checkcfg(CFG_USERNS)) |
| 1159 | check_user_namespace(); | ||
| 1160 | else { | ||
| 1161 | fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n"); | ||
| 1162 | exit(1); | ||
| 1163 | } | ||
| 1159 | } | 1164 | } |
| 1160 | #endif | 1165 | #endif |
| 1161 | else if (strncmp(argv[i], "--env=", 6) == 0) | 1166 | else if (strncmp(argv[i], "--env=", 6) == 0) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 36741ad4a..1c843a460 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -123,8 +123,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 123 | // seccomp, caps, private, user namespace | 123 | // seccomp, caps, private, user namespace |
| 124 | else if (strcmp(ptr, "noroot") == 0) { | 124 | else if (strcmp(ptr, "noroot") == 0) { |
| 125 | #if HAVE_USERNS | 125 | #if HAVE_USERNS |
| 126 | check_user_namespace(); | 126 | if (checkcfg(CFG_USERNS)) |
| 127 | check_user_namespace(); | ||
| 128 | else | ||
| 129 | fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); | ||
| 127 | #endif | 130 | #endif |
| 131 | |||
| 128 | return 0; | 132 | return 0; |
| 129 | } | 133 | } |
| 130 | else if (strcmp(ptr, "seccomp") == 0) { | 134 | else if (strcmp(ptr, "seccomp") == 0) { |