Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 33 |
1 files changed, 12 insertions, 21 deletions
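--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -559,13 +559,6 @@ assert(0);
 if (cfg.protocol) {
 if (arg_debug)
 printf("Build protocol filter: %s\n", cfg.protocol);
-// as root, create RUN_SECCOMP_PROTOCOL file
-// this is where fseccomp program will store the protocol filter
-create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
-if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1)
-errExit("chown");
-if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1)
-errExit("chmod");
 
 // build the seccomp filter as a regular user
 int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
@@ -826,13 +819,23 @@ assert(0);
 // set rlimits
 set_rlimits();
 
-// set seccomp
+// set cpu affinity
+if (cfg.cpus) {
+save_cpu(); // save cpu affinity mask to CPU_CFG file
+set_cpu_affinity();
+}
+
+// save cgroup in CGROUP_CFG file
+if (cfg.cgroup)
+save_cgroup();
+
+// set seccomp //todo: push it down after drop_privs and/or configuring noroot
 #ifdef HAVE_SECCOMP
 // install protocol filter
 if (cfg.protocol) {
 if (arg_debug)
 printf("Install protocol filter: %s\n", cfg.protocol);
-protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter
+seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
 protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
 }
 
@@ -847,16 +850,6 @@ assert(0);
 }
 #endif
 
-// set cpu affinity
-if (cfg.cpus) {
-save_cpu(); // save cpu affinity mask to CPU_CFG file
-set_cpu_affinity();
-}
-
-// save cgroup in CGROUP_CFG file
-if (cfg.cgroup)
-save_cgroup();
-
 //****************************************
 // drop privileges or create a new user namespace
 //****************************************
@@ -929,8 +922,6 @@ assert(0);
 int status = monitor_application(app_pid); // monitor application
 flush_stdin();
 
-
-
 if (WIFEXITED(status)) {
 // if we had a proper exit, return that exit status
 return WEXITSTATUS(status);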
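Review bot: The new `seccomp_load(RUN_SECCOMP_PROTOCOL);` call in the second hunk (new line 838) discards any result, so if the load can fail without exiting, the sandbox would carry on without the protocol filter that was requested; whether it can is not visible on this page and should be confirmed. If it returns a status (assuming nonzero means failure), fail closed at the call site, e.g. `if (seccomp_load(RUN_SECCOMP_PROTOCOL)) { fprintf(stderr, "Error: cannot install protocol filter\n"); exit(1); }`. The first hunk also removes the root-side `create_empty_file_as_root`/`chown`/`chmod` of that file, while the filter is still built by an `SBOX_USER` helper and loaded ahead of the "drop privileges" section, so a short comment at the `sbox_run` call saying where RUN_SECCOMP_PROTOCOL is now created and who may write to it would help the next reader; the new `//todo` already acknowledges that the load belongs after `drop_privs`. The enclosing function starts and ends outside the hunks shown.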