Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 25 |
1 files changed, 15 insertions, 10 deletions
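--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -866,7 +866,6 @@ int main(int argc, char **argv) {
 int lockfd_directory = -1;
 int option_cgroup = 0;
 int custom_profile = 0; // custom profile loaded
-int arg_seccomp_cmdline = 0; // seccomp requested on command line (used to break out of --chroot)
 int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
 
 // drop permissions by default and rise them when required
@@ -1153,7 +1152,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -1166,7 +1164,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -1179,7 +1176,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -2278,12 +2274,21 @@ int main(int argc, char **argv) {
 }
 EUID_ASSERT();
 
-// exit for --chroot sandboxes when secomp or caps are explicitly specified on command line
-if (getuid() != 0 && cfg.chrootdir && (arg_seccomp_cmdline || arg_caps_cmdline)) {
-fprintf(stderr, "Error: for chroot sandboxes, default seccomp and capabilities filters are\n"
-"enabled by default. Please remove all --seccomp and --caps options from the\n"
-"command line.\n");
-exit(1);
+// exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line
+if (getuid() != 0 && arg_caps_cmdline) {
+char *opt = NULL;
+if (cfg.chrootdir)
+opt = "chroot";
+else if (arg_overlay)
+opt = "overlay";
+else if (arg_appimage)
+opt = "appimage";
+
+if (opt) {
+fprintf(stderr, "Error: all capabilities are dropped for %s by default.\n"
+"Please remove --caps options from the command line.\n", opt);
+exit(1);
+}
 }
 
 // prog_index could still be -1 if no program was specified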
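Review bot: The rewritten guard at new lines 2277-2292 rejects only `--caps` options, so for an unprivileged user the seccomp lists stored into `cfg.seccomp_list`, `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep` (new lines 1154, 1166, 1178) are now accepted together with `--chroot`, and are not rejected for the newly covered overlay and appimage cases either. The removed flag's comment tied it to a `--chroot` break-out, and nothing in these hunks shows what now keeps a user-chosen filter from being weaker than the default one; the guard should carry a comment naming that mechanism, for example `// --seccomp* lists are accepted here because <reason, to be filled in by the author>`, or the seccomp condition should stay. The comment on `arg_caps_cmdline` still reads "(used to break out of --chroot)" and should mention overlay and appimage, and since `opt` only ever points at string literals, `const char *opt = NULL;` is the safer declaration. main() starts and ends outside these hunks and the diffstat is limited to this file, so the relaxation may be justified by changes that are not visible here.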