Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 30 |
1 files changed, 11 insertions, 19 deletions
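--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -45,6 +45,12 @@
 #endif
 #include <syscall.h>
 
+
+#ifdef HAVE_SECCOMP
+int enforce_seccomp = 0;
+#endif
+
+
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
 if (!arg_quiet) {
@@ -459,6 +465,7 @@ static void enforce_filters(void) {
 // force default seccomp inside the chroot, no keep or drop list
 // the list build on top of the default drop list is kept intact
 arg_seccomp = 1;
+enforce_seccomp = 1;
 if (cfg.seccomp_list_drop) {
 free(cfg.seccomp_list_drop);
 cfg.seccomp_list_drop = NULL;
@@ -681,27 +688,16 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // configure filesystem
 //****************************
-#ifdef HAVE_SECCOMP
-int enforce_seccomp = 0;
-#endif
-if (arg_appimage) {
+if (arg_appimage)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
 
 // force caps and seccomp if not started as root
-if (getuid() != 0) {
+if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 else
 arg_seccomp = 1;
 
@@ -717,12 +713,8 @@ int sandbox(void* sandbox_arg) {
 if (arg_overlay) {
 fs_overlayfs();
 // force caps and seccomp if not started as root
-if (getuid() != 0) {
+if (getuid() != 0)
 enforce_filters();
-#ifdef HAVE_SECCOMP
-enforce_seccomp = 1;
-#endif
-}
 else
 arg_seccomp = 1;
 }
@@ -1004,7 +996,7 @@ int sandbox(void* sandbox_arg) {
 if (cfg.seccomp_list_keep)
 seccomp_filter_keep();
 else
-seccomp_filter_drop(enforce_seccomp);
+seccomp_filter_drop();
 }
 
 if (arg_debug) {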
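Review bot: The `enforce_seccomp = 1;` added to enforce_filters() in the `@@ -459,6 +465,7 @@` hunk has no `#ifdef HAVE_SECCOMP` around it, although the definition added at the top of the file is guarded and every assignment this commit removes from sandbox() was guarded too. Unless enforce_filters() already sits inside such a guard outside the visible context, a build without HAVE_SECCOMP would fail on an undeclared identifier; wrap the line as `#ifdef HAVE_SECCOMP`, `enforce_seccomp = 1;`, `#endif`. The flag also changes from a local passed explicitly to seccomp_filter_drop() into a global with external linkage that the callee presumably reads on its own, so the definition deserves a comment such as `// set by enforce_filters(); forces the default seccomp drop filter, never cleared once set`. The body of enforce_filters() starts and ends outside the hunk, so the guard suggestion should be checked against the full function.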