Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r--src/firejail/sandbox.c62
1 files changed, 50 insertions, 12 deletions
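--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -386,7 +386,7 @@ static void enforce_filters(void) {
 }
 
 // disable all capabilities
-if (arg_caps_default_filter || arg_caps_list)
+if (arg_caps_default_filter || arg_caps_list && !arg_quiet)
 fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
 arg_caps_drop_all = 1;
 
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
 if (arg_debug)
 printf("Network namespace enabled, only loopback interface available\n");
 }
+else if (arg_netns) {
+netns(arg_netns);
+if (arg_debug)
+printf("Network namespace '%s' activated\n", arg_netns);
+}
 else if (any_bridge_configured() || any_interface_configured()) {
 // configure lo and eth0...eth3
 net_if_up("lo");
@@ -515,7 +520,8 @@ int sandbox(void* sandbox_arg) {
 if (cfg.defaultgw) {
 // set the default route
 if (net_add_route(0, 0, cfg.defaultgw)) {
-fprintf(stderr, "Warning: cannot configure default route\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot configure default route\n");
 gw_cfg_failed = 1;
 }
 }
@@ -582,6 +588,10 @@ int sandbox(void* sandbox_arg) {
 if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace_preload();
 
+// store hosts file
+if (cfg.hosts_file)
+fs_store_hosts_file();
+
 //****************************
 // configure filesystem
 //****************************
@@ -620,19 +630,29 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_OVERLAYFS
 if (arg_overlay) {
 fs_overlayfs();
+
+//todo - bring it back for overlay-named
+#if 0
+fs_overlayfs();
+// force caps and seccomp if not started as root
+if (getuid() != 0) {
+enforce_filters();
+#ifdef HAVE_SECCOMP
+enforce_seccomp = 1;
+#endif
+}
+else
+arg_seccomp = 1;
+#endif
+
+
+
 }
 else
 #endif
 fs_basic_fs();
 
 //****************************
-// set hostname in /etc/hostname
-//****************************
-if (cfg.hostname) {
-fs_hostname(cfg.hostname);
-}
-
-//****************************
 // private mode
 //****************************
 if (arg_private) {
@@ -729,6 +749,22 @@ int sandbox(void* sandbox_arg) {
 EUID_ROOT();
 }
 }
+
+
+//****************************
+// hosts and hostname
+//****************************
+if (cfg.hostname)
+fs_hostname(cfg.hostname);
+
+if (cfg.hosts_file)
+fs_mount_hosts_file();
+
+//****************************
+// /etc overrides from the network namespace
+//****************************
+if (arg_netns)
+netns_mounts(arg_netns);
 
 //****************************
 // update /proc, /sys, /dev, /boot directorymy
@@ -812,7 +848,8 @@ int sandbox(void* sandbox_arg) {
 int rv = nice(cfg.nice);
 (void) rv;
 if (errno) {
-fprintf(stderr, "Warning: cannot set nice value\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot set nice value\n");
 errno = 0;
 }
 }
@@ -868,7 +905,8 @@ int sandbox(void* sandbox_arg) {
 if (arg_noroot) {
 int rv = unshare(CLONE_NEWUSER);
 if (rv == -1) {
-fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
 drop_privs(arg_nogroups);
 arg_noroot = 0;
 }
@@ -899,7 +937,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_nonewprivs) {
 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-if(no_new_privs != 0)
+if(no_new_privs != 0 && !arg_quiet)
 fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
 else if (arg_debug)
 printf("NO_NEW_PRIVS set\n");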
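Review bot: The NO_NEW_PRIVS branch in the last hunk reports "NO_NEW_PRIVS set" when prctl() has failed under --quiet, because folding `&& !arg_quiet` into the failure test sends a non-zero `no_new_privs` into the `else if (arg_debug)` arm, so (if both flags can be given together) the debug output claims a mitigation is active when it is not. Keep the failure test on the prctl result alone and gate only the message: `if (no_new_privs != 0) { if (!arg_quiet) fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); } else if (arg_debug) printf("NO_NEW_PRIVS set\n");`. The enforce_filters() hunk has a related precedence slip: `arg_caps_default_filter || arg_caps_list && !arg_quiet` parses as `a || (b && !q)`, so the capabilities warning still prints under --quiet whenever the default filter is set; write `(arg_caps_default_filter || arg_caps_list) && !arg_quiet`. The `#if 0` copy of the overlay caps/seccomp setup added in the HAVE_OVERLAYFS hunk is dead code that will drift from the live enforce_filters() path; a one-line comment naming what overlay-named still needs is easier to keep honest than a disabled duplicate. Both enforce_filters() and sandbox() start and end outside the hunks shown.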