Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 22 |
1 files changed, 21 insertions, 1 deletions
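--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,6 +35,7 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
+#include <sys/utsname.h>
 
 #if 0
 #include <sys/times.h>
@@ -817,8 +818,27 @@ int main(int argc, char **argv) {
 
 if (check_arg(argc, argv, "--quiet"))
 arg_quiet = 1;
-if (check_arg(argc, argv, "--allow-debuggers"))
+if (check_arg(argc, argv, "--allow-debuggers")) {
+// check kernel version
+struct utsname u;
+int rv = uname(&u);
+if (rv != 0)
+errExit("uname");
+int major;
+int minor;
+if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+exit(1);
+}
+if (major < 4 || (major == 4 && minor < 8)) {
+fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+"A bug in ptrace call allows a full bypass of the seccomp filter. "
+"Your current kernel version is %d.%d.\n", major, minor);
+exit(1);
+}
+
 arg_allow_debuggers = 1;
+}
 
 // drop permissions by default and rise them when required
 EUID_INIT();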
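Review bot: The parse-failure diagnostic at new line 830 prints the wrong field: the version is extracted from `u.release` on line 829, but the message prints `u.version`, so an operator sees the kernel build banner rather than the string that failed to parse; change it to `fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.release);`. The gate otherwise fails closed, since both an unparseable release string and a pre-4.8 version exit before `arg_allow_debuggers` is set, which is the right direction for a seccomp-bypass mitigation. A pure version-number comparison will presumably also refuse distribution kernels that backported the ptrace/seccomp fix while keeping an older release string, so a comment such as `// version gate only: kernels that backport the ptrace fix under an older release string are still refused` would document that false positive rather than leave it as a surprise. The enclosing main() starts and ends outside the hunk.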