Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 19 |
1 files changed, 19 insertions, 0 deletions
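--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_opt = 0; // private opt directory
 int arg_private_srv = 0; // private srv directory
 int arg_private_bin = 0; // private bin directory
 int arg_private_tmp = 0; // private tmp directory
+int arg_private_lib = 0; // private lib directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist commad
 int arg_nosound = 0; // disable sound
@@ -110,6 +111,7 @@ int arg_allow_private_blacklist = 0; // blacklist things in private directorie
 int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
+int arg_memory_deny_write_execute = 0; // block writable and executable memory
 
 int login_shell = 0;
 
@@ -1144,6 +1146,12 @@ int main(int argc, char **argv) {
 else
 exit_err_feature("seccomp");
 }
+else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
+if (checkcfg(CFG_SECCOMP))
+arg_memory_deny_write_execute = 1;
+else
+exit_err_feature("seccomp");
+}
 #endif
 else if (strcmp(argv[i], "--caps") == 0)
 arg_caps_default_filter = 1;
@@ -1622,6 +1630,17 @@ int main(int argc, char **argv) {
 cfg.bin_private_keep = argv[i] + 14;
 arg_private_bin = 1;
 }
+else if (strncmp(argv[i], "--private-lib", 13) == 0) {
+// extract private lib list (if any)
+if (argv[i][13] == '=') {
+if (cfg.lib_private_keep) {
+if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0)
+errExit("asprintf");
+} else
+cfg.lib_private_keep = argv[i] + 14;
+}
+arg_private_lib = 1;
+}
 else if (strcmp(argv[i], "--private-tmp") == 0) {
 arg_private_tmp = 1;
 }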
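Review bot: The `strncmp(argv[i], "--private-lib", 13) == 0` prefix match in the last hunk accepts any argument that merely begins with `--private-lib`, so a mistyped `--private-libs=/foo` or `--private-libx` skips the `argv[i][13] == '='` test, still sets `arg_private_lib = 1` with no keep list, and is never reported as an unknown option. Add a third case that rejects other suffixes, e.g. `else if (argv[i][13] != '\0') { /* unknown option: fall through to main()'s unrecognized-argument handling */ }`, rather than silently enabling the sandbox feature. The same shape appears in the `--private-bin` branch just above the hunk, so that path likely has the identical gap. Also, when `--private-lib=` is passed three or more times the buffer produced by the earlier `asprintf` is overwritten without being freed — harmless in a one-shot parser, but worth a one-line comment saying the leak is accepted. main() starts and ends outside the hunk.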