1 files changed, 37 insertions, 7 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0851e71cd..40df00a98 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -533,8 +533,14 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
-                if (cfg.home_private)   // --private=
+                if (cfg.home_private) { // --private=
-                        fs_private_homedir();
+                        if (cfg.chrootdir)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n");
+                        else if (arg_overlay)
+                                fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n");
+                        else
+                                fs_private_homedir();
+                }
                else // --private
                        fs_private();
        }
@@ -542,11 +548,20 @@ int sandbox(void* sandbox_arg) {
   if (arg_private_template) 
      fs_private_template();
-        if (arg_private_dev)
+        if (arg_private_dev) {
-                fs_private_dev();
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n");
+                else
+                        fs_private_dev();
+        }
+                
        if (arg_private_etc) {
                if (cfg.chrootdir)
                        fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
                else {
                        fs_private_etc_list();
                        // create /etc/ld.so.preload file again
@@ -554,14 +569,24 @@ int sandbox(void* sandbox_arg) {
                                fs_trace_preload();
                }
        }
+        
        if (arg_private_bin) {
                if (cfg.chrootdir)
                        fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
                else
                        fs_private_bin_list();
        }
-        if (arg_private_tmp)
+        
-                fs_private_tmp();
+        if (arg_private_tmp) {
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
+                else
+                        fs_private_tmp();
+        }
        
        //****************************
        // update /proc, /sys, /dev, /boot directorymy
@@ -574,7 +599,12 @@ int sandbox(void* sandbox_arg) {
        //****************************
        if (cfg.profile) {
                // apply all whitelist commands ... 
-                fs_whitelist();
+                if (cfg.chrootdir)
+                        fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+                else
+                        fs_whitelist();
                
                // ... followed by blacklist commands
                fs_blacklist();

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0851e71cd..40df00a98 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -533,8 +533,14 @@ int sandbox(void* sandbox_arg) {
533	// private mode	533	// private mode
534	//****************************	534	//****************************
535	if (arg_private) {	535	if (arg_private) {
536	if (cfg.home_private) // --private=	536	if (cfg.home_private) { // --private=
537	fs_private_homedir();	537	if (cfg.chrootdir)
		538	fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n");
		539	else if (arg_overlay)
		540	fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n");
		541	else
		542	fs_private_homedir();
		543	}
538	else // --private	544	else // --private
539	fs_private();	545	fs_private();
540	}	546	}
@@ -542,11 +548,20 @@ int sandbox(void* sandbox_arg) {
542	if (arg_private_template)	548	if (arg_private_template)
543	fs_private_template();	549	fs_private_template();
544		550
545	if (arg_private_dev)	551	if (arg_private_dev) {
546	fs_private_dev();	552	if (cfg.chrootdir)
		553	fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
		554	else if (arg_overlay)
		555	fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n");
		556	else
		557	fs_private_dev();
		558	}
		559
547	if (arg_private_etc) {	560	if (arg_private_etc) {
548	if (cfg.chrootdir)	561	if (cfg.chrootdir)
549	fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");	562	fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n");
		563	else if (arg_overlay)
		564	fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
550	else {	565	else {
551	fs_private_etc_list();	566	fs_private_etc_list();
552	// create /etc/ld.so.preload file again	567	// create /etc/ld.so.preload file again
@@ -554,14 +569,24 @@ int sandbox(void* sandbox_arg) {
554	fs_trace_preload();	569	fs_trace_preload();
555	}	570	}
556	}	571	}
		572
557	if (arg_private_bin) {	573	if (arg_private_bin) {
558	if (cfg.chrootdir)	574	if (cfg.chrootdir)
559	fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");	575	fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");
		576	else if (arg_overlay)
		577	fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n");
560	else	578	else
561	fs_private_bin_list();	579	fs_private_bin_list();
562	}	580	}
563	if (arg_private_tmp)	581
564	fs_private_tmp();	582	if (arg_private_tmp) {
		583	if (cfg.chrootdir)
		584	fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
		585	else if (arg_overlay)
		586	fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
		587	else
		588	fs_private_tmp();
		589	}
565		590
566	//****************************	591	//****************************
567	// update /proc, /sys, /dev, /boot directorymy	592	// update /proc, /sys, /dev, /boot directorymy
@@ -574,7 +599,12 @@ int sandbox(void* sandbox_arg) {
574	//****************************	599	//****************************
575	if (cfg.profile) {	600	if (cfg.profile) {
576	// apply all whitelist commands ...	601	// apply all whitelist commands ...
577	fs_whitelist();	602	if (cfg.chrootdir)
		603	fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
		604	else if (arg_overlay)
		605	fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
		606	else
		607	fs_whitelist();
578		608
579	// ... followed by blacklist commands	609	// ... followed by blacklist commands
580	fs_blacklist();	610	fs_blacklist();