Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 27 |
1 files changed, 25 insertions, 2 deletions
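--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -488,6 +488,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 #ifdef HAVE_APPARMOR
 set_apparmor();
 #endif
+
 close_file_descriptors();
 
 // set nice and rlimits
@@ -509,6 +510,16 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
 }
 
+#ifdef HAVE_LANDLOCK
+// set Landlock
+if (arg_landlock >= 0) {
+if (landlock_restrict_self(arg_landlock,0)) {
+fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
+exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
+}
+}
+#endif
+
 if (just_run_the_shell) {
 char *arg[2];
 arg[0] = cfg.usershell;
@@ -999,6 +1010,15 @@ int sandbox(void* sandbox_arg) {
 fs_proc_sys_dev_boot();
 
 //****************************
+// Allow access to /proc
+//****************************
+#ifdef HAVE_LANDLOCK
+if (arg_landlock>-1) {
+if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/");
+if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/");
+}
+#endif
+//****************************
 // handle /mnt and /media
 //****************************
 if (checkcfg(CFG_DISABLE_MNT))
@@ -1093,9 +1113,12 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // rebuild etc directory, set dns
 //****************************
-if (!arg_writable_etc)
+if (!arg_writable_etc){
 fs_rebuild_etc();
-
+#ifdef HAVE_LANDLOCK
+if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/");
+#endif
+}
 //****************************
 // start dhcp client
 //****************************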
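Review bot: In start_application the new Landlock block calls `landlock_restrict_self(arg_landlock,0)` after `close_file_descriptors()`, so if `arg_landlock` is the ruleset file descriptor (its use as the first argument suggests so) and that helper closes inherited descriptors, the call would fail and the sandbox would exit on every run with Landlock enabled; both helpers are defined outside this section, so confirm the descriptor is still open at this point. The kernel also refuses the call unless the task has no_new_privs set or holds CAP_SYS_ADMIN, and nothing visible here sets it; a comment such as `// requires no_new_privs (or CAP_SYS_ADMIN) and a still-open ruleset fd` would record the precondition. The failure message drops the cause; `fprintf(stderr, "Error: cannot enable Landlock self-restriction: %s\n", strerror(errno));` would let a user tell those cases apart, assuming the wrapper leaves errno intact. In sandbox(), the results of `add_read_access_rule_by_path` and `add_write_access_rule_by_path` are ignored at the /proc and /etc sites, so a rule that fails to install is only noticed later as a denied access inside the sandbox.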