Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 12 |
1 files changed, 12 insertions, 0 deletions
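--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -57,6 +57,7 @@ int arg_overlay_reuse = 0; // allow the reuse of overlays
 
 int arg_seccomp = 0; // enable default seccomp filter
 int arg_seccomp_postexec = 0; // need postexec ld.preload library?
+int arg_seccomp_block_secondary = 0; // block any secondary architectures
 
 int arg_caps_default_filter = 0; // enable default capabilities filter
 int arg_caps_drop = 0; // drop list
@@ -1147,6 +1148,13 @@ int main(int argc, char **argv) {
 else
 exit_err_feature("seccomp");
 }
+else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {
+if (checkcfg(CFG_SECCOMP)) {
+arg_seccomp_block_secondary = 1;
+}
+else
+exit_err_feature("seccomp");
+}
 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
 if (checkcfg(CFG_SECCOMP))
 arg_memory_deny_write_execute = 1;
@@ -2239,6 +2247,10 @@ int main(int argc, char **argv) {
 }
 }
 
+// enable seccomp if only seccomp.block-secondary was specified
+if (arg_seccomp_block_secondary)
+arg_seccomp = 1;
+
 // log command
 logargs(argc, argv);
 if (fullargc) {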
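Review bot: The block added at new lines 2250-2252 sets `arg_seccomp = 1`, and the first hunk's declaration comment describes that flag as "enable default seccomp filter", so passing only `--seccomp.block-secondary` also installs the default syscall filter, a wider effect than the option name or the new comment conveys. I would document that at the declaration, e.g. `int arg_seccomp_block_secondary = 0; // block any secondary architectures (implies arg_seccomp)`, and reword the later comment to `// --seccomp.block-secondary implies the default seccomp filter`. The `checkcfg(CFG_SECCOMP)` gate exists only in the command-line handler at new lines 1151-1157; if this global is also set elsewhere (the diff is limited to main.c, so that cannot be confirmed from here), that path should apply the same check before this block turns seccomp on. Both later hunks sit inside `main`, whose body extends beyond them.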