-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 |
3 files changed, 5 insertions, 14 deletions
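--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -385,7 +385,6 @@ char *guess_shell(void);
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);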
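--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -33,10 +33,6 @@
 #define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
-
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static unsigned display = 0;
@@ -513,10 +509,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 // kill the child in case the parent died
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
-#ifdef HAVE_APPARMOR
-set_apparmor();
-#endif
-
 extract_command(argc, argv, index);
 if (cfg.command_line == NULL)
 cfg.window_title = cfg.usershell;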
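Review bot: Dropping the set_apparmor() call after the PR_SET_PDEATHSIG prctl means a joined process is only AppArmor-confined if join() later reaches start_application() with no_sandbox == 0, and that call is not in this hunk, so please confirm every path out of join() that ends in an exec goes through it. The aa_change_onexec() issued by set_apparmor() only affects the next execve, so any exec in join() that bypasses start_application() would now run the joined command without the profile the previous code applied here. A one-line comment at the removal point, `// the AppArmor profile is applied in start_application()`, would make that dependency visible to the next reader. join() continues outside the hunk.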
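--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -128,7 +128,7 @@ static void set_caps(void) {
 }
 
 #ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 if (aa_change_onexec("firejail-default")) {
@@ -486,6 +486,9 @@ static void close_file_descriptors(void) {
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+set_apparmor();
+#endif
 close_file_descriptors();
 
 // set nice and rlimits
@@ -1299,10 +1302,7 @@ int sandbox(void* sandbox_arg) {
 errExit("fork");
 
 if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
-set_apparmor();
-#endif
-start_application(0, -1, set_sandbox_status);
+start_application(0, -1, set_sandbox_status); // this function does not return
 }
 
 munmap(set_sandbox_status, 1);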
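Review bot: The new set_apparmor() call in start_application() is gated by `if (no_sandbox == 0)`, so the AppArmor profile now depends on a flag passed by the caller rather than being applied unconditionally before the call as sandbox() did before; the sandbox() child still passes 0, but nothing at the call site documents that a non-zero no_sandbox also skips confinement. Since set_apparmor() is now file-local and this is its only call site, a short comment above it would carry that contract: `// apply the AppArmor profile here (only when sandboxing); aa_change_onexec() takes effect on the execve that presumably ends this function`. The `// this function does not return` comment in the third hunk duplicates the `__attribute__((noreturn))` already on the prototype, which is fine, but the profile behaviour is the more useful thing to state. The bodies of set_apparmor(), start_application() and sandbox() all continue outside their hunks.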