-rw-r--r-- | src/firejail/join.c | 17 | ||||
-rw-r--r-- | src/man/firejail.txt | 13 |
2 files changed, 19 insertions, 11 deletions
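--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -232,7 +232,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 }
 
 // set cgroup
-if (cfg.cgroup)
+if (cfg.cgroup) // not available for uid 0
 set_cgroup(cfg.cgroup);
 
 // join namespaces
@@ -273,21 +273,22 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 }
 
 // set cpu affinity
-if (cfg.cpus)
+if (cfg.cpus) // not available for uid 0
 set_cpu_affinity();
 
 // set caps filter
-if (apply_caps == 1)
+if (apply_caps == 1) // not available for uid 0
 caps_set(caps);
 #ifdef HAVE_SECCOMP
 // set protocol filter
-protocol_filter_load(RUN_PROTOCOL_CFG);
-if (cfg.protocol) {
+if (getuid() != 0)
+protocol_filter_load(RUN_PROTOCOL_CFG);
+if (cfg.protocol) { // not available for uid 0
 protocol_filter();
 }
 
 // set seccomp filter
-if (apply_seccomp == 1)
+if (apply_seccomp == 1) // not available for uid 0
 seccomp_set();
 
 #endif
@@ -299,14 +300,14 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
 errExit("setenv");
 
 // mount user namespace or drop privileges
-if (arg_noroot) {
+if (arg_noroot) { // not available for uid 0
 if (arg_debug)
 printf("Joining user namespace\n");
 if (join_namespace(1, "user"))
 exit(1);
 }
 else
-drop_privs(arg_nogroups);
+drop_privs(arg_nogroups); // nogroups not available for uid 0
 
 // set prompt color to green
 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '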
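Review bot: The `// not available for uid 0` comments on `cfg.cgroup`, `cfg.cpus`, `apply_caps`, `cfg.protocol`, `apply_seccomp`, `arg_noroot` and `arg_nogroups` state a restriction that none of these lines enforce; the only uid test visible in the three hunks is `if (getuid() != 0)` in front of `protocol_filter_load(RUN_PROTOCOL_CFG)`. Presumably the other flags are left unset for root earlier in join(), which begins and ends outside the hunks, but that cannot be checked from here, and a later change that populates any of them for root would silently re-apply one filter while the rest stay off. I would word the comments after the mechanism, for example `// left unset earlier in join() when getuid() == 0`, or compute `int is_root = (getuid() == 0);` once and test it at each site so the skip is explicit. Because a root join puts a process with no caps, seccomp or protocol filter inside the sandbox, an `arg_debug` message on that path would also make the unfiltered state visible to whoever runs the command.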
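--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -495,7 +495,11 @@ $ firejail \-\-ipc-namespace firefox
 .TP
 \fB\-\-join=name
 Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox.
+If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
+all security filters are configured for the new process the same they are configured in the sandbox.
+If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
+to the process joining the sandbox.
+
 .br
 
 .br
@@ -510,8 +514,11 @@ $ firejail \-\-join=mygame
 
 .TP
 \fB\-\-join=pid
-Join the sandbox identified by PID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox.
+Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
+If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
+all security filters are configured for the new process the same they are configured in the sandbox.
+If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
+to the process joining the sandbox.
 .br
 
 .br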