diff options
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9d94630ef..ea04ea73f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -61,6 +61,7 @@ int arg_seccomp = 0; // enable default seccomp filter | |||
61 | char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter | 61 | char *arg_seccomp_list = NULL; // optional seccomp list on top of default filter |
62 | char *arg_seccomp_list_drop = NULL; // seccomp drop list | 62 | char *arg_seccomp_list_drop = NULL; // seccomp drop list |
63 | char *arg_seccomp_list_keep = NULL; // seccomp keep list | 63 | char *arg_seccomp_list_keep = NULL; // seccomp keep list |
64 | char **arg_seccomp_list_errno = NULL; // seccomp errno[nr] lists | ||
64 | 65 | ||
65 | int arg_caps_default_filter = 0; // enable default capabilities filter | 66 | int arg_caps_default_filter = 0; // enable default capabilities filter |
66 | int arg_caps_drop = 0; // drop list | 67 | int arg_caps_drop = 0; // drop list |
@@ -302,6 +303,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
302 | syscall_print(); | 303 | syscall_print(); |
303 | exit(0); | 304 | exit(0); |
304 | } | 305 | } |
306 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | ||
307 | errno_print(); | ||
308 | exit(0); | ||
309 | } | ||
305 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 310 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
306 | // join sandbox by pid or by name | 311 | // join sandbox by pid or by name |
307 | pid_t pid; | 312 | pid_t pid; |
@@ -387,6 +392,7 @@ int main(int argc, char **argv) { | |||
387 | int arg_cgroup = 0; | 392 | int arg_cgroup = 0; |
388 | int custom_profile = 0; // custom profile loaded | 393 | int custom_profile = 0; // custom profile loaded |
389 | int arg_noprofile = 0; // use generic.profile if none other found/specified | 394 | int arg_noprofile = 0; // use generic.profile if none other found/specified |
395 | int highest_errno = errno_highest_nr(); | ||
390 | 396 | ||
391 | // check if we already have a sandbox running | 397 | // check if we already have a sandbox running |
392 | int rv = check_kernel_procs(); | 398 | int rv = check_kernel_procs(); |
@@ -478,6 +484,34 @@ int main(int argc, char **argv) { | |||
478 | if (!arg_seccomp_list_keep) | 484 | if (!arg_seccomp_list_keep) |
479 | errExit("strdup"); | 485 | errExit("strdup"); |
480 | } | 486 | } |
487 | else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) { | ||
488 | if (arg_seccomp && !arg_seccomp_list_errno) { | ||
489 | fprintf(stderr, "Error: seccomp already enabled\n"); | ||
490 | exit(1); | ||
491 | } | ||
492 | char *eq = strchr(argv[i], '='); | ||
493 | char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10)); | ||
494 | int nr = errno_find_name(errnoname); | ||
495 | if (nr == -1) { | ||
496 | fprintf(stderr, "Error: unknown errno %s\n", errnoname); | ||
497 | free(errnoname); | ||
498 | exit(1); | ||
499 | } | ||
500 | |||
501 | if (!arg_seccomp_list_errno) | ||
502 | arg_seccomp_list_errno = calloc(highest_errno+1, sizeof(arg_seccomp_list_errno[0])); | ||
503 | |||
504 | if (arg_seccomp_list_errno[nr]) { | ||
505 | fprintf(stderr, "Error: errno %s already configured\n", errnoname); | ||
506 | free(errnoname); | ||
507 | exit(1); | ||
508 | } | ||
509 | arg_seccomp = 1; | ||
510 | arg_seccomp_list_errno[nr] = strdup(eq+1); | ||
511 | if (!arg_seccomp_list_errno[nr]) | ||
512 | errExit("strdup"); | ||
513 | free(errnoname); | ||
514 | } | ||
481 | #endif | 515 | #endif |
482 | else if (strcmp(argv[i], "--caps") == 0) | 516 | else if (strcmp(argv[i], "--caps") == 0) |
483 | arg_caps_default_filter = 1; | 517 | arg_caps_default_filter = 1; |
@@ -1288,6 +1322,15 @@ int main(int argc, char **argv) { | |||
1288 | 1322 | ||
1289 | // wait for the child to finish | 1323 | // wait for the child to finish |
1290 | waitpid(child, NULL, 0); | 1324 | waitpid(child, NULL, 0); |
1325 | |||
1326 | // free globals | ||
1327 | if (arg_seccomp_list_errno) { | ||
1328 | for (i = 0; i < highest_errno; i++) | ||
1329 | free(arg_seccomp_list_errno[i]); | ||
1330 | free(arg_seccomp_list_errno); | ||
1331 | } | ||
1332 | |||
1291 | myexit(0); | 1333 | myexit(0); |
1334 | |||
1292 | return 0; | 1335 | return 0; |
1293 | } | 1336 | } |