-rw-r--r-- | etc/hedgewars.profile | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 22 | ||||
-rw-r--r-- | src/lib/pid.c | 6 |
4 files changed, 28 insertions, 9 deletions
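--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -12,7 +12,6 @@ private-dev
 whitelist /tmp/.X11-unix
 seccomp
 tracelog
-netfilter
 
 mkdir ~/.hedgewars
 whitelist ~/.hedgewars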
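--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -960,7 +960,13 @@ void fs_overlayfs(void) {
 // don't leak user information
 restrict_users();
 
-disable_firejail_config();
+// when starting as root in overlay mode, firejail config is not disabled;
+// this mode could be used to install and test new software by chaining
+// firejail sandboxes (firejail --force)
+if (getuid() != 0)
+disable_firejail_config();
+else
+fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
 
 // cleanup and exit
 free(option);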
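Review bot: The new `getuid() != 0` branch drops the /etc/firejail masking for every root-started `--overlay` sandbox, not only for the chained `firejail --force` case the comment describes, so the exception is wider than its stated purpose. If chaining is the only intended use, the comment should say what still protects the configuration in that mode (presumably that writes land in the overlay and not on the host, which is worth confirming), or the skip should be tied to an explicit opt-in. The warning is also written to stderr unconditionally; if the quiet flag handled in main.c is visible in this file it should probably be honoured, e.g. `else if (!arg_quiet)`. Braces around both branches would suit the long `fprintf` line and guard against a dangling-else mistake in a later edit. fs_overlayfs starts before and continues after this hunk.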
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8f89a804f..476f9c39c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -645,7 +645,8 @@ int main(int argc, char **argv) { | |||
645 | int i; | 645 | int i; |
646 | int prog_index = -1; // index in argv where the program command starts | 646 | int prog_index = -1; // index in argv where the program command starts |
647 | int lockfd = -1; | 647 | int lockfd = -1; |
648 | int arg_cgroup = 0; | 648 | int option_cgroup = 0; |
649 | int option_force = 0; | ||
649 | int custom_profile = 0; // custom profile loaded | 650 | int custom_profile = 0; // custom profile loaded |
650 | char *custom_profile_dir = NULL; // custom profile directory | 651 | char *custom_profile_dir = NULL; // custom profile directory |
651 | int arg_noprofile = 0; // use generic.profile if none other found/specified | 652 | int arg_noprofile = 0; // use generic.profile if none other found/specified |
@@ -667,7 +668,11 @@ int main(int argc, char **argv) { | |||
667 | // if --force option is passed to the program, disregard the existing sandbox | 668 | // if --force option is passed to the program, disregard the existing sandbox |
668 | int found = 0; | 669 | int found = 0; |
669 | for (i = 1; i < argc; i++) { | 670 | for (i = 1; i < argc; i++) { |
670 | if (strcmp(argv[i], "--force") == 0) { | 671 | if (strcmp(argv[i], "--force") == 0 || |
672 | strcmp(argv[i], "--netstats") == 0 || | ||
673 | strcmp(argv[i], "--list") == 0 || | ||
674 | strcmp(argv[i], "--tree") == 0 || | ||
675 | strcmp(argv[i], "--top") == 0) { | ||
671 | found = 1; | 676 | found = 1; |
672 | break; | 677 | break; |
673 | } | 678 | } |
@@ -683,6 +688,8 @@ int main(int argc, char **argv) { | |||
683 | // it will never get here! | 688 | // it will never get here! |
684 | assert(0); | 689 | assert(0); |
685 | } | 690 | } |
691 | else | ||
692 | option_force = 1; | ||
686 | } | 693 | } |
687 | 694 | ||
688 | // check root/suid | 695 | // check root/suid |
@@ -740,8 +747,11 @@ int main(int argc, char **argv) { | |||
740 | for (i = 1; i < argc; i++) { | 747 | for (i = 1; i < argc; i++) { |
741 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized | 748 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized |
742 | 749 | ||
743 | if (strcmp(argv[i], "--debug") == 0) | 750 | if (strcmp(argv[i], "--debug") == 0) { |
744 | arg_debug = 1; | 751 | arg_debug = 1; |
752 | if (option_force) | ||
753 | printf("Entering sandbox-in-sandbox mode\n"); | ||
754 | } | ||
745 | else if (strcmp(argv[i], "--debug-check-filename") == 0) | 755 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
746 | arg_debug_check_filename = 1; | 756 | arg_debug_check_filename = 1; |
747 | else if (strcmp(argv[i], "--debug-blacklists") == 0) | 757 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
@@ -752,7 +762,7 @@ int main(int argc, char **argv) { | |||
752 | arg_quiet = 1; | 762 | arg_quiet = 1; |
753 | else if (strcmp(argv[i], "--force") == 0) | 763 | else if (strcmp(argv[i], "--force") == 0) |
754 | ; | 764 | ; |
755 | 765 | ||
756 | //************************************* | 766 | //************************************* |
757 | // filtering | 767 | // filtering |
758 | //************************************* | 768 | //************************************* |
@@ -931,12 +941,12 @@ int main(int argc, char **argv) { | |||
931 | arg_nice = 1; | 941 | arg_nice = 1; |
932 | } | 942 | } |
933 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 943 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
934 | if (arg_cgroup) { | 944 | if (option_cgroup) { |
935 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 945 | fprintf(stderr, "Error: only a cgroup can be defined\n"); |
936 | exit(1); | 946 | exit(1); |
937 | } | 947 | } |
938 | 948 | ||
939 | arg_cgroup = 1; | 949 | option_cgroup = 1; |
940 | cfg.cgroup = strdup(argv[i] + 9); | 950 | cfg.cgroup = strdup(argv[i] + 9); |
941 | if (!cfg.cgroup) | 951 | if (!cfg.cgroup) |
942 | errExit("strdup"); | 952 | errExit("strdup"); |
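Review bot: In the pre-scan loop, `--netstats`, `--list`, `--tree` and `--top` now set the same `found` flag as `--force`, and the added `else option_force = 1;` appears to hang off that flag, so a monitoring command run inside a sandbox is recorded as a forced nested sandbox and `--debug` prints "Entering sandbox-in-sandbox mode" for it. Keeping the two cases apart would make the flag mean what its name says, for example by setting `option_force = 1;` only where `strcmp(argv[i], "--force") == 0` matches. The loop also compares every element of argv, so a matching string among the sandboxed program's own arguments would presumably be treated the same way; stopping at the first non-option argument would narrow that. The `if` that the new `else` belongs to opens outside the hunk, so this should be confirmed against the full function.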
diff --git a/src/lib/pid.c b/src/lib/pid.c index a89ac434b..d1ade389e 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -310,7 +310,11 @@ void pid_read(pid_t mon_pid) { | |||
310 | continue; | 310 | continue; |
311 | if (pid == mypid) | 311 | if (pid == mypid) |
312 | continue; | 312 | continue; |
313 | 313 | ||
314 | // skip PID 1 just in case we run a sandbox-in-sandbox | ||
315 | if (pid == 1) | ||
316 | continue; | ||
317 | |||
314 | // open stat file | 318 | // open stat file |
315 | char *file; | 319 | char *file; |
316 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { | 320 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { |
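Review bot: The added `if (pid == 1) continue;` runs on every call of pid_read, not only when a sandbox is nested, and the comment does not say what goes wrong when PID 1 is read. As written, a host-side monitoring run also never records PID 1, and a caller passing `mon_pid == 1` would presumably find nothing. If that is intended the comment should state it, e.g. `// never report PID 1: inside a sandbox it belongs to the enclosing sandbox` (wording to be confirmed by the author). The surrounding loop and the rest of pid_read lie outside the hunk.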