diff options
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 33 |
1 files changed, 12 insertions, 21 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a15003d03..3942e4da6 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -559,13 +559,6 @@ assert(0); | |||
| 559 | if (cfg.protocol) { | 559 | if (cfg.protocol) { |
| 560 | if (arg_debug) | 560 | if (arg_debug) |
| 561 | printf("Build protocol filter: %s\n", cfg.protocol); | 561 | printf("Build protocol filter: %s\n", cfg.protocol); |
| 562 | // as root, create RUN_SECCOMP_PROTOCOL file | ||
| 563 | // this is where fseccomp program will store the protocol filter | ||
| 564 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); | ||
| 565 | if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) | ||
| 566 | errExit("chown"); | ||
| 567 | if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) | ||
| 568 | errExit("chmod"); | ||
| 569 | 562 | ||
| 570 | // build the seccomp filter as a regular user | 563 | // build the seccomp filter as a regular user |
| 571 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, | 564 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, |
| @@ -826,13 +819,23 @@ assert(0); | |||
| 826 | // set rlimits | 819 | // set rlimits |
| 827 | set_rlimits(); | 820 | set_rlimits(); |
| 828 | 821 | ||
| 829 | // set seccomp | 822 | // set cpu affinity |
| 823 | if (cfg.cpus) { | ||
| 824 | save_cpu(); // save cpu affinity mask to CPU_CFG file | ||
| 825 | set_cpu_affinity(); | ||
| 826 | } | ||
| 827 | |||
| 828 | // save cgroup in CGROUP_CFG file | ||
| 829 | if (cfg.cgroup) | ||
| 830 | save_cgroup(); | ||
| 831 | |||
| 832 | // set seccomp //todo: push it down after drop_privs and/or configuring noroot | ||
| 830 | #ifdef HAVE_SECCOMP | 833 | #ifdef HAVE_SECCOMP |
| 831 | // install protocol filter | 834 | // install protocol filter |
| 832 | if (cfg.protocol) { | 835 | if (cfg.protocol) { |
| 833 | if (arg_debug) | 836 | if (arg_debug) |
| 834 | printf("Install protocol filter: %s\n", cfg.protocol); | 837 | printf("Install protocol filter: %s\n", cfg.protocol); |
| 835 | protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter | 838 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter |
| 836 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG | 839 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG |
| 837 | } | 840 | } |
| 838 | 841 | ||
| @@ -847,16 +850,6 @@ assert(0); | |||
| 847 | } | 850 | } |
| 848 | #endif | 851 | #endif |
| 849 | 852 | ||
| 850 | // set cpu affinity | ||
| 851 | if (cfg.cpus) { | ||
| 852 | save_cpu(); // save cpu affinity mask to CPU_CFG file | ||
| 853 | set_cpu_affinity(); | ||
| 854 | } | ||
| 855 | |||
| 856 | // save cgroup in CGROUP_CFG file | ||
| 857 | if (cfg.cgroup) | ||
| 858 | save_cgroup(); | ||
| 859 | |||
| 860 | //**************************************** | 853 | //**************************************** |
| 861 | // drop privileges or create a new user namespace | 854 | // drop privileges or create a new user namespace |
| 862 | //**************************************** | 855 | //**************************************** |
| @@ -929,8 +922,6 @@ assert(0); | |||
| 929 | int status = monitor_application(app_pid); // monitor application | 922 | int status = monitor_application(app_pid); // monitor application |
| 930 | flush_stdin(); | 923 | flush_stdin(); |
| 931 | 924 | ||
| 932 | |||
| 933 | |||
| 934 | if (WIFEXITED(status)) { | 925 | if (WIFEXITED(status)) { |
| 935 | // if we had a proper exit, return that exit status | 926 | // if we had a proper exit, return that exit status |
| 936 | return WEXITSTATUS(status); | 927 | return WEXITSTATUS(status); |