Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 13 |
1 files changed, 7 insertions, 6 deletions
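--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 		caps_keep_list(arg_caps_list);
 	else if (arg_caps_default_filter)
 		caps_default_filter();
+
+	// drop discretionary access control capabilities for root sandboxes
+	caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 	// set security filters
 	//****************************
 	// set capabilities
-	// if (!arg_noroot)
-		set_caps();
+	set_caps();
 
 	// set rlimits
 	set_rlimits();
@@ -989,10 +991,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_apparmor) {
 		errno = 0;
 		if (aa_change_onexec("firejail-default")) {
-			fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
-			fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
-			fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
-			exit(1);
+			fwarning("Cannot confine the application using AppArmor.\n"
+				"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+				"As root, run \"aa-enforce firejail-default\" to load it.\n");
 		}
 		else if (arg_debug)
 			printf("AppArmor enabled\n");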
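Review bot: In the third hunk the AppArmor branch now falls through into the sandboxed program when aa_change_onexec() fails, where it previously exit(1)'d, so a user who explicitly asked for --apparmor can end up running unconfined after only a warning; if that fail-open is intended, the call site should say so, e.g. `// AppArmor is best-effort: continue unconfined if the profile cannot be applied`, and the --apparmor documentation should state that the option degrades to a warning. The `errno = 0;` set before the call is no longer consumed anywhere in the hunk; if fwarning is printf-style (not visible here), appending `" (%s)\n", strerror(errno)` to the first message line would report the actual failure instead of only guessing that the profile is not loaded. The enclosing sandbox() function starts and ends outside the hunk.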