-rw-r--r-- | .github/workflows/build.yml | 6 | ||||
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | README.md | 44 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/profile-a-l/evolution.profile | 60 | ||||
-rw-r--r-- | etc/profile-a-l/kmail.profile | 81 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 21 |
8 files changed, 188 insertions, 36 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 214f39923..71cb7f0b4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -47,3 +47,9 @@ jobs: | |||
47 | run: sudo apt-get install cppcheck | 47 | run: sudo apt-get install cppcheck |
48 | - name: cppcheck | 48 | - name: cppcheck |
49 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | 49 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . |
50 | profile-sort: | ||
51 | runs-on: ubuntu-20.04 | ||
52 | steps: | ||
53 | - uses: actions/checkout@v2 | ||
54 | - name: check profiles | ||
55 | run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile} | ||
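Review bot: The new `profile-sort` job pulls `actions/checkout@v2` by a mutable tag; pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha>`) keeps the workflow from silently picking up a retagged release. The job only reads the tree to run `./contrib/sort.py`, so a job-level `permissions:` block with `contents: read` would make the token scope explicit. The other jobs in this workflow are outside the hunk and may need the same treatment.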
@@ -525,6 +525,7 @@ KOLANICH (https://github.com/KOLANICH) | |||
525 | - fix meld | 525 | - fix meld |
526 | kortewegdevries (https://github.com/kortewegdevries) | 526 | kortewegdevries (https://github.com/kortewegdevries) |
527 | - a whole bunch of new profiles and fixes | 527 | - a whole bunch of new profiles and fixes |
528 | - whitelisting evolution, kmail | ||
528 | Kristóf Marussy (https://github.com/kris7t) | 529 | Kristóf Marussy (https://github.com/kris7t) |
529 | - dns support | 530 | - dns support |
530 | Kunal Mehta (https://github.com/legoktm) | 531 | Kunal Mehta (https://github.com/legoktm) |
@@ -158,36 +158,42 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
158 | 158 | ||
159 | ## Current development version: 0.9.65 | 159 | ## Current development version: 0.9.65 |
160 | 160 | ||
161 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | ||
162 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | ||
163 | |||
164 | |||
165 | |||
161 | ### Profile Statistics | 166 | ### Profile Statistics |
162 | 167 | ||
163 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: | 168 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: |
164 | ````` | 169 | ````` |
170 | $ sudo cp src/prfostats/profstats /etc/firejail/. | ||
171 | $ cd /etc/firejail | ||
165 | $ ./profstats *.profile | 172 | $ ./profstats *.profile |
166 | Warning: multiple caps in transmission-daemon.profile | 173 | Warning: multiple caps in transmission-daemon.profile |
167 | 174 | ||
168 | Stats: | 175 | Stats: |
169 | profiles 1029 | 176 | profiles 1031 |
170 | include local profile 1029 (include profile-name.local) | 177 | include local profile 1031 (include profile-name.local) |
171 | include globals 1029 (include globals.local) | 178 | include globals 1031 (include globals.local) |
172 | blacklist ~/.ssh 1005 (include disable-common.inc) | 179 | blacklist ~/.ssh 1007 (include disable-common.inc) |
173 | seccomp 975 | 180 | seccomp 976 |
174 | capabilities 1028 | 181 | capabilities 1030 |
175 | noexec 899 (include disable-exec.inc) | 182 | noexec 901 (include disable-exec.inc) |
176 | memory-deny-write-execute 220 | 183 | memory-deny-write-execute 221 |
177 | apparmor 549 | 184 | apparmor 555 |
178 | private-bin 542 | 185 | private-bin 544 |
179 | private-dev 897 | 186 | private-dev 897 |
180 | private-etc 431 | 187 | private-etc 435 |
181 | private-tmp 784 | 188 | private-tmp 785 |
182 | whitelist home directory 469 | 189 | whitelist home directory 474 |
183 | whitelist var 695 (include whitelist-var-common.inc) | 190 | whitelist var 699 (include whitelist-var-common.inc) |
184 | whitelist run/user 334 (include whitelist-runuser-common.inc | 191 | whitelist run/user 336 (include whitelist-runuser-common.inc |
185 | or blacklist ${RUNUSER}) | 192 | or blacklist ${RUNUSER}) |
186 | whitelist usr/share 354 (include whitelist-usr-share-common.inc | 193 | whitelist usr/share 359 (include whitelist-usr-share-common.inc |
187 | net none 332 | 194 | net none 333 |
188 | dbus-user none 523 | 195 | dbus-user none 523 |
189 | dbus-system none 627 | 196 | dbus-system none 632 |
190 | ````` | ||
191 | 197 | ||
192 | ### New profiles: | 198 | ### New profiles: |
193 | 199 | ||
@@ -1,3 +1,6 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | ||
2 | * allow --tmpfs inside $HOME for unprivileged users | ||
3 | |||
1 | firejail (0.9.64) baseline; urgency=low | 4 | firejail (0.9.64) baseline; urgency=low |
2 | * replaced --nowrap option with --wrap in firemon | 5 | * replaced --nowrap option with --wrap in firemon |
3 | * The blocking action of seccomp filters has been changed from | 6 | * The blocking action of seccomp filters has been changed from |
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..1355c4337 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
@@ -6,15 +6,16 @@ include evolution.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /var/mail | ||
10 | noblacklist /var/spool/mail | ||
11 | noblacklist ${HOME}/.bogofilter | 9 | noblacklist ${HOME}/.bogofilter |
10 | noblacklist ${HOME}/.gnupg | ||
11 | noblacklist ${HOME}/.mozilla | ||
12 | noblacklist ${HOME}/.pki | ||
12 | noblacklist ${HOME}/.cache/evolution | 13 | noblacklist ${HOME}/.cache/evolution |
13 | noblacklist ${HOME}/.config/evolution | 14 | noblacklist ${HOME}/.config/evolution |
14 | noblacklist ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.local/share/evolution | 15 | noblacklist ${HOME}/.local/share/evolution |
16 | noblacklist ${HOME}/.pki | ||
17 | noblacklist ${HOME}/.local/share/pki | 16 | noblacklist ${HOME}/.local/share/pki |
17 | noblacklist /var/mail | ||
18 | noblacklist /var/spool/mail | ||
18 | 19 | ||
19 | include disable-common.inc | 20 | include disable-common.inc |
20 | include disable-devel.inc | 21 | include disable-devel.inc |
@@ -22,13 +23,42 @@ include disable-exec.inc | |||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-shell.inc | ||
27 | include disable-xdg.inc | ||
25 | 28 | ||
29 | mkdir ${HOME}/.bogofilter | ||
30 | mkdir ${HOME}/.gnupg | ||
31 | mkdir ${HOME}/.pki | ||
32 | mkdir ${HOME}/.cache/evolution | ||
33 | mkdir ${HOME}/.config/evolution | ||
34 | mkdir ${HOME}/.local/share/evolution | ||
35 | mkdir ${HOME}/.local/share/pki | ||
36 | whitelist ${HOME}/.bogofilter | ||
37 | whitelist ${HOME}/.gnupg | ||
38 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
39 | whitelist ${HOME}/.pki | ||
40 | whitelist ${HOME}/.cache/evolution | ||
41 | whitelist ${HOME}/.config/evolution | ||
42 | whitelist ${HOME}/.local/share/evolution | ||
43 | whitelist ${HOME}/.local/share/pki | ||
44 | whitelist ${DOCUMENTS} | ||
45 | whitelist ${DOWNLOADS} | ||
46 | whitelist ${RUNUSER}/gnupg | ||
47 | whitelist /usr/share/evolution | ||
48 | whitelist /usr/share/gnupg | ||
49 | whitelist /usr/share/gnupg2 | ||
50 | whitelist /var/mail | ||
51 | whitelist /var/spool/mail | ||
52 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | 53 | include whitelist-runuser-common.inc |
54 | include whitelist-usr-share-common.inc | ||
55 | include whitelist-var-common.inc | ||
27 | 56 | ||
57 | apparmor | ||
28 | caps.drop all | 58 | caps.drop all |
29 | netfilter | 59 | netfilter |
30 | # no3d breaks under wayland | 60 | # no3d breaks under wayland |
31 | #no3d | 61 | # no3d |
32 | nodvd | 62 | nodvd |
33 | nogroups | 63 | nogroups |
34 | nonewprivs | 64 | nonewprivs |
@@ -40,7 +70,27 @@ novideo | |||
40 | protocol unix,inet,inet6 | 70 | protocol unix,inet,inet6 |
41 | seccomp | 71 | seccomp |
42 | shell none | 72 | shell none |
73 | tracelog | ||
43 | 74 | ||
75 | # disable-mnt | ||
76 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | ||
77 | # To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support | ||
78 | # private-bin evolution | ||
79 | private-cache | ||
44 | private-dev | 80 | private-dev |
81 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
45 | private-tmp | 82 | private-tmp |
83 | writable-run-user | ||
46 | writable-var | 84 | writable-var |
85 | |||
86 | dbus-user filter | ||
87 | dbus-user.own org.gnome.Evolution | ||
88 | dbus-user.talk ca.desrt.dconf | ||
89 | # Uncomment to have keyring access | ||
90 | # dbus-user.talk org.freedesktop.secrets | ||
91 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
92 | dbus-user.talk org.gnome.OnlineAccounts | ||
93 | dbus-user.talk org.freedesktop.Notifications | ||
94 | dbus-system none | ||
95 | |||
96 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
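Review bot: `writable-run-user`, `whitelist ${RUNUSER}/gnupg` and `whitelist ${HOME}/.gnupg` together give the mail client access to the user's GnuPG keyring, and the profile does not say why. kmail.profile carried the comment `# writable-run-user is needed for signing and encrypting emails` before this commit; the same line above `writable-run-user` here would tell users who do not use PGP that they can tighten this in evolution.local. In the D-Bus block, `# Uncomment to have keyring access` sits above the commented `org.freedesktop.secrets` line but is followed directly by an active `dbus-user.talk org.gnome.keyring.SystemPrompter`. A short comment stating that the prompter line is intentionally enabled would avoid misreading which name is gated.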
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index ab4ff10b9..8d99da3cf 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -9,6 +9,10 @@ include globals.local | |||
9 | # kmail has problems launching akonadi in debian and ubuntu. | 9 | # kmail has problems launching akonadi in debian and ubuntu. |
10 | # one solution is to have akonadi already running when kmail is started | 10 | # one solution is to have akonadi already running when kmail is started |
11 | 11 | ||
12 | noblacklist ${HOME}/.gnupg | ||
13 | # noblacklist ${HOME}/.kde/ | ||
14 | # noblacklist ${HOME}/.kde4/ | ||
15 | noblacklist ${HOME}/.mozilla | ||
12 | noblacklist ${HOME}/.cache/akonadi* | 16 | noblacklist ${HOME}/.cache/akonadi* |
13 | noblacklist ${HOME}/.cache/kmail2 | 17 | noblacklist ${HOME}/.cache/kmail2 |
14 | noblacklist ${HOME}/.config/akonadi* | 18 | noblacklist ${HOME}/.config/akonadi* |
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc | |||
19 | noblacklist ${HOME}/.config/kmailsearchindexingrc | 23 | noblacklist ${HOME}/.config/kmailsearchindexingrc |
20 | noblacklist ${HOME}/.config/mailtransports | 24 | noblacklist ${HOME}/.config/mailtransports |
21 | noblacklist ${HOME}/.config/specialmailcollectionsrc | 25 | noblacklist ${HOME}/.config/specialmailcollectionsrc |
22 | noblacklist ${HOME}/.gnupg | ||
23 | noblacklist ${HOME}/.local/share/akonadi* | 26 | noblacklist ${HOME}/.local/share/akonadi* |
24 | noblacklist ${HOME}/.local/share/apps/korganizer | 27 | noblacklist ${HOME}/.local/share/apps/korganizer |
25 | noblacklist ${HOME}/.local/share/contacts | 28 | noblacklist ${HOME}/.local/share/contacts |
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2 | |||
30 | noblacklist ${HOME}/.local/share/local-mail | 33 | noblacklist ${HOME}/.local/share/local-mail |
31 | noblacklist ${HOME}/.local/share/notes | 34 | noblacklist ${HOME}/.local/share/notes |
32 | noblacklist /tmp/akonadi-* | 35 | noblacklist /tmp/akonadi-* |
36 | noblacklist /var/mail | ||
37 | noblacklist /var/spool/mail | ||
33 | 38 | ||
34 | include disable-common.inc | 39 | include disable-common.inc |
35 | include disable-devel.inc | 40 | include disable-devel.inc |
@@ -37,10 +42,73 @@ include disable-exec.inc | |||
37 | include disable-interpreters.inc | 42 | include disable-interpreters.inc |
38 | include disable-passwdmgr.inc | 43 | include disable-passwdmgr.inc |
39 | include disable-programs.inc | 44 | include disable-programs.inc |
45 | include disable-xdg.inc | ||
40 | 46 | ||
47 | mkdir ${HOME}/.gnupg | ||
48 | # mkdir ${HOME}/.kde/ | ||
49 | # mkdir ${HOME}/.kde4/ | ||
50 | mkdir ${HOME}/.cache/akonadi* | ||
51 | mkdir ${HOME}/.cache/kmail2 | ||
52 | mkdir ${HOME}/.config/akonadi* | ||
53 | mkdir ${HOME}/.config/baloorc | ||
54 | mkdir ${HOME}/.config/emaildefaults | ||
55 | mkdir ${HOME}/.config/emailidentities | ||
56 | mkdir ${HOME}/.config/kmail2rc | ||
57 | mkdir ${HOME}/.config/kmailsearchindexingrc | ||
58 | mkdir ${HOME}/.config/mailtransports | ||
59 | mkdir ${HOME}/.config/specialmailcollectionsrc | ||
60 | mkdir ${HOME}/.local/share/akonadi* | ||
61 | mkdir ${HOME}/.local/share/apps/korganizer | ||
62 | mkdir ${HOME}/.local/share/contacts | ||
63 | mkdir ${HOME}/.local/share/emailidentities | ||
64 | mkdir ${HOME}/.local/share/kmail2 | ||
65 | mkdir ${HOME}/.local/share/kxmlgui5/kmail | ||
66 | mkdir ${HOME}/.local/share/kxmlgui5/kmail2 | ||
67 | mkdir ${HOME}/.local/share/local-mail | ||
68 | mkdir ${HOME}/.local/share/notes | ||
69 | mkdir /tmp/akonadi-* | ||
70 | whitelist ${HOME}/.gnupg | ||
71 | # whitelist ${HOME}/.kde/ | ||
72 | # whitelist ${HOME}/.kde4/ | ||
73 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
74 | whitelist ${HOME}/.cache/akonadi* | ||
75 | whitelist ${HOME}/.cache/kmail2 | ||
76 | whitelist ${HOME}/.config/akonadi* | ||
77 | whitelist ${HOME}/.config/baloorc | ||
78 | whitelist ${HOME}/.config/emaildefaults | ||
79 | whitelist ${HOME}/.config/emailidentities | ||
80 | whitelist ${HOME}/.config/kmail2rc | ||
81 | whitelist ${HOME}/.config/kmailsearchindexingrc | ||
82 | whitelist ${HOME}/.config/mailtransports | ||
83 | whitelist ${HOME}/.config/specialmailcollectionsrc | ||
84 | whitelist ${HOME}/.local/share/akonadi* | ||
85 | whitelist ${HOME}/.local/share/apps/korganizer | ||
86 | whitelist ${HOME}/.local/share/contacts | ||
87 | whitelist ${HOME}/.local/share/emailidentities | ||
88 | whitelist ${HOME}/.local/share/kmail2 | ||
89 | whitelist ${HOME}/.local/share/kxmlgui5/kmail | ||
90 | whitelist ${HOME}/.local/share/kxmlgui5/kmail2 | ||
91 | whitelist ${HOME}/.local/share/local-mail | ||
92 | whitelist ${HOME}/.local/share/notes | ||
93 | whitelist ${DOWNLOADS} | ||
94 | whitelist ${DOCUMENTS} | ||
95 | whitelist ${RUNUSER}/gnupg | ||
96 | whitelist /tmp/akonadi-* | ||
97 | whitelist /usr/share/akonadi | ||
98 | whitelist /usr/share/gnupg | ||
99 | whitelist /usr/share/gnupg2 | ||
100 | whitelist /usr/share/kconf_update | ||
101 | whitelist /usr/share/kf5 | ||
102 | whitelist /usr/share/kservices5 | ||
103 | whitelist /usr/share/qlogging-categories5 | ||
104 | whitelist /var/mail | ||
105 | whitelist /var/spool/mail | ||
106 | include whitelist-common.inc | ||
107 | include whitelist-runuser-common.inc | ||
108 | include whitelist-usr-share-common.inc | ||
41 | include whitelist-var-common.inc | 109 | include whitelist-var-common.inc |
42 | 110 | ||
43 | # apparmor | 111 | apparmor |
44 | caps.drop all | 112 | caps.drop all |
45 | netfilter | 113 | netfilter |
46 | nodvd | 114 | nodvd |
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink | |||
56 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set | 124 | seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set |
57 | # tracelog | 125 | # tracelog |
58 | 126 | ||
127 | private-cache | ||
59 | private-dev | 128 | private-dev |
129 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
60 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments | 130 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
61 | # writable-run-user is needed for signing and encrypting emails | ||
62 | writable-run-user | 131 | writable-run-user |
132 | writable-var | ||
133 | |||
134 | # dbus-user none | ||
135 | dbus-system none | ||
136 | |||
137 | read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file | ||
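Review bot: Several of the new `mkdir` lines name paths that look like files or wildcard patterns rather than directories: `${HOME}/.config/kmail2rc`, `baloorc`, `kmailsearchindexingrc`, `specialmailcollectionsrc`, and the `akonadi*` and `/tmp/akonadi-*` entries. On a fresh home directory, `mkdir` would create a directory where KMail expects a config file. As far as I know `mkdir` does not expand wildcards, so the `*` entries would be taken literally; this is worth confirming against the mkdir handling in src/firejail. For the config files use `mkfile ${HOME}/.config/kmail2rc` (likewise for the other rc files), and drop the `mkdir` lines that contain `*`. The commit also removes the comment `# writable-run-user is needed for signing and encrypting emails`; keeping it documents why the gnupg directory under `${RUNUSER}` is exposed.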
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 2000ffc62..2f2bfdc79 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -366,6 +366,14 @@ void fs_blacklist(void) { | |||
366 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { | 366 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { |
367 | ptr = entry->data + 6; | 367 | ptr = entry->data + 6; |
368 | op = MOUNT_TMPFS; | 368 | op = MOUNT_TMPFS; |
369 | char *resolved_path = realpath(ptr, NULL); | ||
370 | if (!resolved_path || strncmp(cfg.homedir, resolved_path, strlen(cfg.homedir)) != 0) { | ||
371 | if (getuid() != 0) { | ||
372 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | ||
373 | exit(1); | ||
374 | } | ||
375 | } | ||
376 | free(resolved_path); | ||
369 | } | 377 | } |
370 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { | 378 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { |
371 | EUID_USER(); | 379 | EUID_USER(); |
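Review bot: The `$HOME` containment test in the new tmpfs branch is a plain string-prefix comparison, so a resolved path that merely begins with the same characters as `cfg.homedir` (a sibling directory with a longer name) is accepted as being inside the home directory. The test should also require a separator or end of string at the boundary: take `size_t hlen = strlen(cfg.homedir);` and reject when `strncmp(cfg.homedir, resolved_path, hlen) != 0 || (resolved_path[hlen] != '/' && resolved_path[hlen] != '\0')`. The same prefix test appears in the bind check added to profile_check_line in src/firejail/profile.c. The check validates `resolved_path` and then frees it while `ptr` still holds the unresolved string. If the mount later in fs_blacklist (outside this hunk) uses `ptr`, the path can change between check and use, so mounting on the resolved path would be safer.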
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5d83e6a73..869183e2f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1412,11 +1412,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1412 | // filesystem bind | 1412 | // filesystem bind |
1413 | if (strncmp(ptr, "bind ", 5) == 0) { | 1413 | if (strncmp(ptr, "bind ", 5) == 0) { |
1414 | if (checkcfg(CFG_BIND)) { | 1414 | if (checkcfg(CFG_BIND)) { |
1415 | if (getuid() != 0) { | ||
1416 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | ||
1417 | exit(1); | ||
1418 | } | ||
1419 | |||
1420 | // extract two directories | 1415 | // extract two directories |
1421 | char *dname1 = ptr + 5; | 1416 | char *dname1 = ptr + 5; |
1422 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 1417 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
@@ -1432,6 +1427,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1432 | fprintf(stderr, "Error: invalid file name.\n"); | 1427 | fprintf(stderr, "Error: invalid file name.\n"); |
1433 | exit(1); | 1428 | exit(1); |
1434 | } | 1429 | } |
1430 | if (getuid() != 0) { | ||
1431 | char *resolved_path1 = realpath(dname1, NULL); | ||
1432 | char *resolved_path2 = realpath(dname2, NULL); | ||
1433 | assert(resolved_path1 && resolved_path2); | ||
1434 | if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0 | ||
1435 | || strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) { | ||
1436 | fprintf(stderr, "Error: bind outside $HOME is only available for root\n"); | ||
1437 | exit(1); | ||
1438 | } | ||
1439 | free(resolved_path1); | ||
1440 | free(resolved_path2); | ||
1441 | } | ||
1435 | if (is_link(dname1) || is_link(dname2)) { | 1442 | if (is_link(dname1) || is_link(dname2)) { |
1436 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | 1443 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); |
1437 | exit(1); | 1444 | exit(1); |
@@ -1563,10 +1570,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1563 | else if (strncmp(ptr, "noexec ", 7) == 0) | 1570 | else if (strncmp(ptr, "noexec ", 7) == 0) |
1564 | ptr += 7; | 1571 | ptr += 7; |
1565 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 1572 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
1566 | if (getuid() != 0) { | ||
1567 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); | ||
1568 | exit(1); | ||
1569 | } | ||
1570 | ptr += 6; | 1573 | ptr += 6; |
1571 | } | 1574 | } |
1572 | else { | 1575 | else { |
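Review bot: In the bind branch, `assert(resolved_path1 && resolved_path2);` is the only guard against realpath() failing, and both paths come straight from the profile line. A directory that does not exist therefore aborts the program instead of producing an error message, and in a build with NDEBUG defined the assert disappears and a NULL pointer reaches strncmp(). Replace it with an explicit check such as `if (!resolved_path1 || !resolved_path2) { fprintf(stderr, "Error: invalid bind path\n"); exit(1); }` (message wording is a suggestion). profile_check_line starts and ends outside these hunks.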