Diffstat (limited to 'src/firejail/main.c')
-rw-r--r--src/firejail/main.c19
1 files changed, 19 insertions, 0 deletions
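diff --git a/src/firejail/main.c b/src/firejail/main.c
index c055a1537..ff57a5693 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_opt = 0; // private opt directory
 int arg_private_srv = 0; // private srv directory
 int arg_private_bin = 0; // private bin directory
 int arg_private_tmp = 0; // private tmp directory
+int arg_private_lib = 0; // private lib directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist commad
 int arg_nosound = 0; // disable sound
@@ -110,6 +111,7 @@ int arg_allow_private_blacklist = 0; // blacklist things in private directorie
 int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
+int arg_memory_deny_write_execute = 0; // block writable and executable memory
 
 int login_shell = 0;
 
@@ -1144,6 +1146,12 @@ int main(int argc, char **argv) {
 			else
 				exit_err_feature("seccomp");
 		}
+		else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
+			if (checkcfg(CFG_SECCOMP))
+				arg_memory_deny_write_execute = 1;
+			else
+				exit_err_feature("seccomp");
+		}
 #endif
 		else if (strcmp(argv[i], "--caps") == 0)
 			arg_caps_default_filter = 1;
@@ -1622,6 +1630,17 @@ int main(int argc, char **argv) {
 			cfg.bin_private_keep = argv[i] + 14;
 			arg_private_bin = 1;
 		}
+		else if (strncmp(argv[i], "--private-lib", 13) == 0) {
+			// extract private lib list (if any)
+			if (argv[i][13] == '=') {
+				if (cfg.lib_private_keep) {
+					if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0)
+						errExit("asprintf");
+				} else
+					cfg.lib_private_keep = argv[i] + 14;
+			}
+			arg_private_lib = 1;
+		}
 		else if (strcmp(argv[i], "--private-tmp") == 0) {
 			arg_private_tmp = 1;
 		}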
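Review bot: In the `--private-lib` hunk (new lines 1633–1643) the match `strncmp(argv[i], "--private-lib", 13) == 0` is a prefix test only, so any argument beginning with that text (a misspelling such as `--private-libs`) is accepted and, because `argv[i][13]` is then neither `'='` nor `'\0'`, silently takes the bare `--private-lib` path. Tightening the condition to `else if (strncmp(argv[i], "--private-lib", 13) == 0 && (argv[i][13] == '\0' || argv[i][13] == '=')) {` rejects such typos and leaves them to whatever handles unknown options later in main. Note also that the `argv[i][14] != '\0'` guard applies only when a list already exists; a first `--private-lib=` stores an empty string in `cfg.lib_private_keep`, and whether the consumer of that list tolerates an empty value is not visible in this hunk. The `--private-bin` branch just above appears to use the same prefix-match idiom (line 1630 reads `argv[i] + 14`), so this may be deliberate for consistency. main() starts and ends outside this hunk.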