diff options
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 30 |
1 files changed, 11 insertions, 19 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 853555581..3718004a5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -45,6 +45,12 @@ | |||
| 45 | #endif | 45 | #endif |
| 46 | #include <syscall.h> | 46 | #include <syscall.h> |
| 47 | 47 | ||
| 48 | |||
| 49 | #ifdef HAVE_SECCOMP | ||
| 50 | int enforce_seccomp = 0; | ||
| 51 | #endif | ||
| 52 | |||
| 53 | |||
| 48 | static int monitored_pid = 0; | 54 | static int monitored_pid = 0; |
| 49 | static void sandbox_handler(int sig){ | 55 | static void sandbox_handler(int sig){ |
| 50 | if (!arg_quiet) { | 56 | if (!arg_quiet) { |
| @@ -459,6 +465,7 @@ static void enforce_filters(void) { | |||
| 459 | // force default seccomp inside the chroot, no keep or drop list | 465 | // force default seccomp inside the chroot, no keep or drop list |
| 460 | // the list build on top of the default drop list is kept intact | 466 | // the list build on top of the default drop list is kept intact |
| 461 | arg_seccomp = 1; | 467 | arg_seccomp = 1; |
| 468 | enforce_seccomp = 1; | ||
| 462 | if (cfg.seccomp_list_drop) { | 469 | if (cfg.seccomp_list_drop) { |
| 463 | free(cfg.seccomp_list_drop); | 470 | free(cfg.seccomp_list_drop); |
| 464 | cfg.seccomp_list_drop = NULL; | 471 | cfg.seccomp_list_drop = NULL; |
| @@ -681,27 +688,16 @@ int sandbox(void* sandbox_arg) { | |||
| 681 | //**************************** | 688 | //**************************** |
| 682 | // configure filesystem | 689 | // configure filesystem |
| 683 | //**************************** | 690 | //**************************** |
| 684 | #ifdef HAVE_SECCOMP | 691 | if (arg_appimage) |
| 685 | int enforce_seccomp = 0; | ||
| 686 | #endif | ||
| 687 | if (arg_appimage) { | ||
| 688 | enforce_filters(); | 692 | enforce_filters(); |
| 689 | #ifdef HAVE_SECCOMP | ||
| 690 | enforce_seccomp = 1; | ||
| 691 | #endif | ||
| 692 | } | ||
| 693 | 693 | ||
| 694 | #ifdef HAVE_CHROOT | 694 | #ifdef HAVE_CHROOT |
| 695 | if (cfg.chrootdir) { | 695 | if (cfg.chrootdir) { |
| 696 | fs_chroot(cfg.chrootdir); | 696 | fs_chroot(cfg.chrootdir); |
| 697 | 697 | ||
| 698 | // force caps and seccomp if not started as root | 698 | // force caps and seccomp if not started as root |
| 699 | if (getuid() != 0) { | 699 | if (getuid() != 0) |
| 700 | enforce_filters(); | 700 | enforce_filters(); |
| 701 | #ifdef HAVE_SECCOMP | ||
| 702 | enforce_seccomp = 1; | ||
| 703 | #endif | ||
| 704 | } | ||
| 705 | else | 701 | else |
| 706 | arg_seccomp = 1; | 702 | arg_seccomp = 1; |
| 707 | 703 | ||
| @@ -717,12 +713,8 @@ int sandbox(void* sandbox_arg) { | |||
| 717 | if (arg_overlay) { | 713 | if (arg_overlay) { |
| 718 | fs_overlayfs(); | 714 | fs_overlayfs(); |
| 719 | // force caps and seccomp if not started as root | 715 | // force caps and seccomp if not started as root |
| 720 | if (getuid() != 0) { | 716 | if (getuid() != 0) |
| 721 | enforce_filters(); | 717 | enforce_filters(); |
| 722 | #ifdef HAVE_SECCOMP | ||
| 723 | enforce_seccomp = 1; | ||
| 724 | #endif | ||
| 725 | } | ||
| 726 | else | 718 | else |
| 727 | arg_seccomp = 1; | 719 | arg_seccomp = 1; |
| 728 | } | 720 | } |
| @@ -1004,7 +996,7 @@ int sandbox(void* sandbox_arg) { | |||
| 1004 | if (cfg.seccomp_list_keep) | 996 | if (cfg.seccomp_list_keep) |
| 1005 | seccomp_filter_keep(); | 997 | seccomp_filter_keep(); |
| 1006 | else | 998 | else |
| 1007 | seccomp_filter_drop(enforce_seccomp); | 999 | seccomp_filter_drop(); |
| 1008 | } | 1000 | } |
| 1009 | 1001 | ||
| 1010 | if (arg_debug) { | 1002 | if (arg_debug) { |