diff options
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 50 |
1 files changed, 11 insertions, 39 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index e210ceb31..fc86f9651 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -404,7 +404,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
404 | #ifdef HAVE_SECCOMP | 404 | #ifdef HAVE_SECCOMP |
405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
406 | if (checkcfg(CFG_SECCOMP)) { | 406 | if (checkcfg(CFG_SECCOMP)) { |
407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); | 407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); |
408 | exit(rv); | 408 | exit(rv); |
409 | } | 409 | } |
410 | else { | 410 | else { |
@@ -414,7 +414,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
414 | } | 414 | } |
415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
416 | if (checkcfg(CFG_SECCOMP)) { | 416 | if (checkcfg(CFG_SECCOMP)) { |
417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); | 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); |
418 | exit(rv); | 418 | exit(rv); |
419 | } | 419 | } |
420 | else { | 420 | else { |
@@ -439,7 +439,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
439 | exit(0); | 439 | exit(0); |
440 | } | 440 | } |
441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); | 442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); |
443 | exit(rv); | 443 | exit(rv); |
444 | } | 444 | } |
445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
@@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
499 | exit(0); | 499 | exit(0); |
500 | } | 500 | } |
501 | else if (strcmp(argv[i], "--list") == 0) { | 501 | else if (strcmp(argv[i], "--list") == 0) { |
502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); | 502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
503 | exit(rv); | 503 | exit(rv); |
504 | } | 504 | } |
505 | else if (strcmp(argv[i], "--tree") == 0) { | 505 | else if (strcmp(argv[i], "--tree") == 0) { |
506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); | 506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
507 | exit(rv); | 507 | exit(rv); |
508 | } | 508 | } |
509 | else if (strcmp(argv[i], "--top") == 0) { | 509 | else if (strcmp(argv[i], "--top") == 0) { |
510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); | 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); |
511 | exit(rv); | 511 | exit(rv); |
512 | } | 512 | } |
513 | #ifdef HAVE_NETWORK | 513 | #ifdef HAVE_NETWORK |
@@ -516,9 +516,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
516 | struct stat s; | 516 | struct stat s; |
517 | int rv; | 517 | int rv; |
518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) | 518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) |
519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | 519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); |
520 | else | 520 | else |
521 | rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | 521 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); |
522 | exit(rv); | 522 | exit(rv); |
523 | } | 523 | } |
524 | else { | 524 | else { |
@@ -855,6 +855,9 @@ int main(int argc, char **argv) { | |||
855 | int highest_errno = errno_highest_nr(); | 855 | int highest_errno = errno_highest_nr(); |
856 | #endif | 856 | #endif |
857 | 857 | ||
858 | // build /run/firejail directory structure | ||
859 | preproc_build_firejail_dir(); | ||
860 | |||
858 | detect_quiet(argc, argv); | 861 | detect_quiet(argc, argv); |
859 | detect_allow_debuggers(argc, argv); | 862 | detect_allow_debuggers(argc, argv); |
860 | 863 | ||
@@ -957,10 +960,8 @@ int main(int argc, char **argv) { | |||
957 | // initialize globals | 960 | // initialize globals |
958 | init_cfg(argc, argv); | 961 | init_cfg(argc, argv); |
959 | 962 | ||
960 | |||
961 | // check firejail directories | 963 | // check firejail directories |
962 | EUID_ROOT(); | 964 | EUID_ROOT(); |
963 | fs_build_firejail_dir(); | ||
964 | bandwidth_del_run_file(sandbox_pid); | 965 | bandwidth_del_run_file(sandbox_pid); |
965 | network_del_run_file(sandbox_pid); | 966 | network_del_run_file(sandbox_pid); |
966 | delete_name_file(sandbox_pid); | 967 | delete_name_file(sandbox_pid); |
@@ -1462,35 +1463,6 @@ int main(int argc, char **argv) { | |||
1462 | } | 1463 | } |
1463 | 1464 | ||
1464 | } | 1465 | } |
1465 | #if 0 // disabled for now, it could be used to overwrite system directories | ||
1466 | else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { | ||
1467 | if (checkcfg(CFG_OVERLAYFS)) { | ||
1468 | if (cfg.chrootdir) { | ||
1469 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
1470 | exit(1); | ||
1471 | } | ||
1472 | struct stat s; | ||
1473 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1474 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1475 | exit(1); | ||
1476 | } | ||
1477 | arg_overlay = 1; | ||
1478 | arg_overlay_keep = 1; | ||
1479 | arg_overlay_reuse = 1; | ||
1480 | |||
1481 | char *dirname = argv[i] + 15; | ||
1482 | if (dirname == '\0') { | ||
1483 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
1484 | exit(1); | ||
1485 | } | ||
1486 | cfg.overlay_dir = expand_home(dirname, cfg.homedir); | ||
1487 | } | ||
1488 | else { | ||
1489 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | ||
1490 | exit(1); | ||
1491 | } | ||
1492 | } | ||
1493 | #endif | ||
1494 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1466 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
1495 | if (checkcfg(CFG_OVERLAYFS)) { | 1467 | if (checkcfg(CFG_OVERLAYFS)) { |
1496 | if (cfg.chrootdir) { | 1468 | if (cfg.chrootdir) { |