-rw-r--r-- | src/firejail/sandbox.c | 28 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
2 files changed, 16 insertions, 22 deletions
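diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5d9526b4c..0e719ceaf 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -543,7 +543,8 @@ static void enforce_filters(void) {
 // drop all supplementary groups; /etc/group file inside chroot
 // is controlled by a regular usr
 arg_nogroups = 1;
-fmessage("Dropping all Linux capabilities and enforcing default seccomp filter\n");
+fmessage("\n** Warning: dropping all Linux capabilities and enforcing **\n");
+fmessage("** default seccomp filter **\n\n");
 }
 
 int sandbox(void* sandbox_arg) {
@@ -744,7 +745,13 @@ int sandbox(void* sandbox_arg) {
 
 // need ld.so.preload if tracing or seccomp with any non-default lists
 bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
-
+// for --appimage, --chroot and --overlay* we replace the seccomp filter with the default one
+// we also drop all capabilities
+if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) {
+enforce_filters();
+need_preload = arg_trace || arg_tracelog;
+arg_seccomp = 1;
+}
 // trace pre-install
 if (need_preload)
 fs_trace_preload();
@@ -756,19 +763,10 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
-if (arg_appimage)
-enforce_filters();
-
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
 
-// force caps and seccomp if not started as root
-if (getuid() != 0)
-enforce_filters();
-else
-arg_seccomp = 1;
-
 //****************************
 // trace pre-install, this time inside chroot
 //****************************
@@ -778,14 +776,8 @@ int sandbox(void* sandbox_arg) {
 else
 #endif
 #ifdef HAVE_OVERLAYFS
-if (arg_overlay) {
+if (arg_overlay)
 fs_overlayfs();
-// force caps and seccomp if not started as root
-if (getuid() != 0)
-enforce_filters();
-else
-arg_seccomp = 1;
-}
 else
 #endif
 fs_basic_fs();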
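Review bot: The consolidated block in the second hunk only handles `getuid() != 0`, while the chroot and overlay branches removed in the third and fourth hunks also forced `arg_seccomp = 1;` in their `else` arm when running as root, and nothing in the new code replaces that, so a root `--chroot` or `--overlay*` sandbox no longer gets the default seccomp filter turned on. If dropping that is intended, the new comment should state it; otherwise an `else if (cfg.chrootdir || arg_overlay) arg_seccomp = 1;` after the new block restores the previous root behaviour. Note also that `cfg.chrootdir` and `arg_overlay` are now tested outside the `HAVE_CHROOT`/`HAVE_OVERLAYFS` guards that bracket their other uses further down, which only compiles if both are declared unconditionally — not visible from this hunk. The body of sandbox() starts and ends outside the hunks shown.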
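diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d7e402e31..c09684596 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -100,7 +100,8 @@ $ firejail --allusers
 Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-appimage
-Sandbox an AppImage (https://appimage.org/) application.
+Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a
+regular user, default seccomp and capabilities filters are enabled.
 .br
 
 .br
@@ -272,8 +273,7 @@ Example:
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled. This
-option is not available on Grsecurity systems.
+regular user, default seccomp and capabilities filters are enabled.
 .br
 
 .br
@@ -1268,6 +1268,7 @@ Similar to \-\-output, but stderr is also stored.
 Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory.
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 
 .br
@@ -1287,6 +1288,7 @@ Mount a filesystem overlay on top of the current filesystem. Unlike the regular
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
 Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory.
 The created overlay can be reused between multiple sessions.
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 
 .br
@@ -1304,7 +1306,7 @@ $ firejail \-\-overlay-named=jail1 firefox
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
 are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay.
-
+If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled.
 .br
 
 .br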