diff options
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/fs_chroot.exp | 2 | ||||
-rwxr-xr-x | test/fs_overlay.exp | 1 |
4 files changed, 15 insertions, 5 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 976348c33..0b47fd6db 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1084,6 +1084,11 @@ int main(int argc, char **argv) { | |||
1084 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1084 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1085 | exit(1); | 1085 | exit(1); |
1086 | } | 1086 | } |
1087 | struct stat s; | ||
1088 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1089 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1090 | exit(1); | ||
1091 | } | ||
1087 | arg_overlay = 1; | 1092 | arg_overlay = 1; |
1088 | arg_overlay_keep = 1; | 1093 | arg_overlay_keep = 1; |
1089 | 1094 | ||
@@ -1091,7 +1096,6 @@ int main(int argc, char **argv) { | |||
1091 | char *dirname; | 1096 | char *dirname; |
1092 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 1097 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
1093 | errExit("asprintf"); | 1098 | errExit("asprintf"); |
1094 | struct stat s; | ||
1095 | if (stat(dirname, &s) == -1) { | 1099 | if (stat(dirname, &s) == -1) { |
1096 | /* coverity[toctou] */ | 1100 | /* coverity[toctou] */ |
1097 | if (mkdir(dirname, 0700)) | 1101 | if (mkdir(dirname, 0700)) |
@@ -1122,6 +1126,11 @@ int main(int argc, char **argv) { | |||
1122 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1126 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1123 | exit(1); | 1127 | exit(1); |
1124 | } | 1128 | } |
1129 | struct stat s; | ||
1130 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1131 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1132 | exit(1); | ||
1133 | } | ||
1125 | arg_overlay = 1; | 1134 | arg_overlay = 1; |
1126 | } | 1135 | } |
1127 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1136 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
@@ -1207,7 +1216,7 @@ int main(int argc, char **argv) { | |||
1207 | 1216 | ||
1208 | struct stat s; | 1217 | struct stat s; |
1209 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 1218 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
1210 | fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n"); | 1219 | fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); |
1211 | exit(1); | 1220 | exit(1); |
1212 | } | 1221 | } |
1213 | 1222 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8972e2380..24dbff67a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -971,7 +971,7 @@ $ ls -l sandboxlog* | |||
971 | .TP | 971 | .TP |
972 | \fB\-\-overlay | 972 | \fB\-\-overlay |
973 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. | 973 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. |
974 | The overlay is stored in $HOME/.firejail directory. | 974 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. |
975 | .br | 975 | .br |
976 | 976 | ||
977 | .br | 977 | .br |
@@ -987,7 +987,7 @@ $ firejail \-\-overlay firefox | |||
987 | .TP | 987 | .TP |
988 | \fB\-\-overlay-tmpfs | 988 | \fB\-\-overlay-tmpfs |
989 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, | 989 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, |
990 | and are discarded when the sandbox is closed. | 990 | and are discarded when the sandbox is closed. This option is not available on Grsecurity systems. |
991 | .br | 991 | .br |
992 | 992 | ||
993 | .br | 993 | .br |
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp index cced5a0f0..aeb5669e1 100755 --- a/test/fs_chroot.exp +++ b/test/fs_chroot.exp | |||
@@ -7,7 +7,7 @@ match_max 100000 | |||
7 | send -- "firejail --chroot=/tmp/chroot\r" | 7 | send -- "firejail --chroot=/tmp/chroot\r" |
8 | expect { | 8 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 9 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Error: --chroot option is not available on GRSecurity systems" {puts "\nall done\n"; exit} | 10 | "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} |
11 | "Child process initialized" {puts "chroot available\n"}; | 11 | "Child process initialized" {puts "chroot available\n"}; |
12 | } | 12 | } |
13 | sleep 1 | 13 | sleep 1 |
diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp index 42d25b407..b7eeba80f 100755 --- a/test/fs_overlay.exp +++ b/test/fs_overlay.exp | |||
@@ -20,6 +20,7 @@ send -- "firejail --noprofile --overlay\r" | |||
20 | expect { | 20 | expect { |
21 | timeout {puts "TESTING ERROR 2\n";exit} | 21 | timeout {puts "TESTING ERROR 2\n";exit} |
22 | "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} | 22 | "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} |
23 | "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} | ||
23 | "Child process initialized" {puts "found\n"} | 24 | "Child process initialized" {puts "found\n"} |
24 | } | 25 | } |
25 | sleep 1 | 26 | sleep 1 |