Diffstat (limited to 'src/firejail/checkcfg.c')
-rw-r--r-- | src/firejail/checkcfg.c | 22 |
1 files changed, 22 insertions, 0 deletions
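--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -18,6 +18,8 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <sys/stat.h>
 #include <linux/loop.h>
 
@@ -32,6 +34,7 @@ char *xvfb_screen = "800x600x24";
 char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
+char *config_seccomp_error_action_str = "EPERM";
 
 int checkcfg(int val) {
 assert(val < CFG_MAX);
@@ -51,6 +54,7 @@ int checkcfg(int val) {
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
 cfg_val[CFG_XPRA_ATTACH] = 0;
+cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -219,6 +223,24 @@ int checkcfg(int val) {
 else if (strncmp(ptr, "join-timeout ", 13) == 0)
 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+// seccomp error action
+else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
+#ifdef HAVE_SECCOMP
+if (strcmp(ptr + 21, "kill") == 0)
+cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+else {
+cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
+if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
+errExit("seccomp-error-action: unknown errno");
+}
+config_seccomp_error_action_str = strdup(ptr + 21);
+if (!config_seccomp_error_action_str)
+errExit("strdup");
+#else
+warning_feature_disabled("seccomp");
+#endif
+}
+
 else
 goto errout;
 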
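Review bot: An unrecognised errno name in `seccomp-error-action` exits through `errExit("seccomp-error-action: unknown errno")`, while every other malformed line in this parser takes the `goto errout` path two lines below; if errExit reports errno the way it is used for the strdup failure right after, the user will see an unrelated system error appended to a plain config-syntax problem. Replacing the errExit line with `goto errout;` keeps the diagnostics for invalid firejail.config lines uniform. The same slot `cfg_val[CFG_SECCOMP_ERROR_ACTION]` holds a seccomp return action for "kill" and an errno number otherwise, so the `-1` default in the third hunk deserves a comment such as `// -1: not set; otherwise SECCOMP_RET_KILL or an errno number — consumers must distinguish the two`. If the option appears more than once, the earlier `strdup` result is overwritten and leaks, which is harmless for a one-shot config read but worth a note. The enclosing function checkcfg() starts and ends outside these hunks.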