diff options
Diffstat (limited to 'src/firejail/main.c')
| -rw-r--r-- | src/firejail/main.c | 50 |
1 files changed, 11 insertions, 39 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index e210ceb31..fc86f9651 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -404,7 +404,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 404 | #ifdef HAVE_SECCOMP | 404 | #ifdef HAVE_SECCOMP |
| 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
| 406 | if (checkcfg(CFG_SECCOMP)) { | 406 | if (checkcfg(CFG_SECCOMP)) { |
| 407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); | 407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); |
| 408 | exit(rv); | 408 | exit(rv); |
| 409 | } | 409 | } |
| 410 | else { | 410 | else { |
| @@ -414,7 +414,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 414 | } | 414 | } |
| 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
| 416 | if (checkcfg(CFG_SECCOMP)) { | 416 | if (checkcfg(CFG_SECCOMP)) { |
| 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); | 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); |
| 418 | exit(rv); | 418 | exit(rv); |
| 419 | } | 419 | } |
| 420 | else { | 420 | else { |
| @@ -439,7 +439,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 439 | exit(0); | 439 | exit(0); |
| 440 | } | 440 | } |
| 441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
| 442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); | 442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); |
| 443 | exit(rv); | 443 | exit(rv); |
| 444 | } | 444 | } |
| 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
| @@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 499 | exit(0); | 499 | exit(0); |
| 500 | } | 500 | } |
| 501 | else if (strcmp(argv[i], "--list") == 0) { | 501 | else if (strcmp(argv[i], "--list") == 0) { |
| 502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
| 503 | exit(rv); | 503 | exit(rv); |
| 504 | } | 504 | } |
| 505 | else if (strcmp(argv[i], "--tree") == 0) { | 505 | else if (strcmp(argv[i], "--tree") == 0) { |
| 506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
| 507 | exit(rv); | 507 | exit(rv); |
| 508 | } | 508 | } |
| 509 | else if (strcmp(argv[i], "--top") == 0) { | 509 | else if (strcmp(argv[i], "--top") == 0) { |
| 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); | 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); |
| 511 | exit(rv); | 511 | exit(rv); |
| 512 | } | 512 | } |
| 513 | #ifdef HAVE_NETWORK | 513 | #ifdef HAVE_NETWORK |
| @@ -516,9 +516,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 516 | struct stat s; | 516 | struct stat s; |
| 517 | int rv; | 517 | int rv; |
| 518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) | 518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) |
| 519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | 519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); |
| 520 | else | 520 | else |
| 521 | rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | 521 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); |
| 522 | exit(rv); | 522 | exit(rv); |
| 523 | } | 523 | } |
| 524 | else { | 524 | else { |
| @@ -855,6 +855,9 @@ int main(int argc, char **argv) { | |||
| 855 | int highest_errno = errno_highest_nr(); | 855 | int highest_errno = errno_highest_nr(); |
| 856 | #endif | 856 | #endif |
| 857 | 857 | ||
| 858 | // build /run/firejail directory structure | ||
| 859 | preproc_build_firejail_dir(); | ||
| 860 | |||
| 858 | detect_quiet(argc, argv); | 861 | detect_quiet(argc, argv); |
| 859 | detect_allow_debuggers(argc, argv); | 862 | detect_allow_debuggers(argc, argv); |
| 860 | 863 | ||
| @@ -957,10 +960,8 @@ int main(int argc, char **argv) { | |||
| 957 | // initialize globals | 960 | // initialize globals |
| 958 | init_cfg(argc, argv); | 961 | init_cfg(argc, argv); |
| 959 | 962 | ||
| 960 | |||
| 961 | // check firejail directories | 963 | // check firejail directories |
| 962 | EUID_ROOT(); | 964 | EUID_ROOT(); |
| 963 | fs_build_firejail_dir(); | ||
| 964 | bandwidth_del_run_file(sandbox_pid); | 965 | bandwidth_del_run_file(sandbox_pid); |
| 965 | network_del_run_file(sandbox_pid); | 966 | network_del_run_file(sandbox_pid); |
| 966 | delete_name_file(sandbox_pid); | 967 | delete_name_file(sandbox_pid); |
| @@ -1462,35 +1463,6 @@ int main(int argc, char **argv) { | |||
| 1462 | } | 1463 | } |
| 1463 | 1464 | ||
| 1464 | } | 1465 | } |
| 1465 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
| 1466 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { | ||
| 1467 | if (checkcfg(CFG_OVERLAYFS)) { | ||
| 1468 | if (cfg.chrootdir) { | ||
| 1469 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
| 1470 | exit(1); | ||
| 1471 | } | ||
| 1472 | struct stat s; | ||
| 1473 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 1474 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 1475 | exit(1); | ||
| 1476 | } | ||
| 1477 | arg_overlay = 1; | ||
| 1478 | arg_overlay_keep = 1; | ||
| 1479 | arg_overlay_reuse = 1; | ||
| 1480 | |||
| 1481 | char *dirname = argv[i] + 15; | ||
| 1482 | if (dirname == '\0') { | ||
| 1483 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
| 1484 | exit(1); | ||
| 1485 | } | ||
| 1486 | cfg.overlay_dir = expand_home(dirname, cfg.homedir); | ||
| 1487 | } | ||
| 1488 | else { | ||
| 1489 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | ||
| 1490 | exit(1); | ||
| 1491 | } | ||
| 1492 | } | ||
| 1493 | #endif | ||
| 1494 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1466 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
| 1495 | if (checkcfg(CFG_OVERLAYFS)) { | 1467 | if (checkcfg(CFG_OVERLAYFS)) { |
| 1496 | if (cfg.chrootdir) { | 1468 | if (cfg.chrootdir) { |