diff options
Diffstat (limited to 'src/firejail/sbox.c')
| -rw-r--r-- | src/firejail/sbox.c | 35 |
1 files changed, 23 insertions, 12 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index a90cb7668..a1e65cd3c 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -190,23 +190,34 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
| 190 | // apply filters | 190 | // apply filters |
| 191 | if (filtermask & SBOX_CAPS_NONE) { | 191 | if (filtermask & SBOX_CAPS_NONE) { |
| 192 | caps_drop_all(); | 192 | caps_drop_all(); |
| 193 | } | 193 | } else { |
| 194 | else if (filtermask & SBOX_CAPS_NETWORK) { | 194 | uint64_t set = 0; |
| 195 | if (filtermask & SBOX_CAPS_NETWORK) { | ||
| 195 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 196 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
| 196 | uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; | 197 | set |= ((uint64_t) 1) << CAP_NET_ADMIN; |
| 197 | set |= ((uint64_t) 1) << CAP_NET_RAW; | 198 | set |= ((uint64_t) 1) << CAP_NET_RAW; |
| 198 | caps_set(set); | ||
| 199 | #endif | 199 | #endif |
| 200 | } | 200 | } |
| 201 | else if (filtermask & SBOX_CAPS_HIDEPID) { | 201 | if (filtermask & SBOX_CAPS_HIDEPID) { |
| 202 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 202 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
| 203 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; | 203 | set |= ((uint64_t) 1) << CAP_SYS_PTRACE; |
| 204 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; | 204 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; |
| 205 | caps_set(set); | ||
| 206 | #endif | 205 | #endif |
| 207 | } | 206 | } |
| 207 | if (filtermask & SBOX_CAPS_NET_SERVICE) { | ||
| 208 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
| 209 | set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE; | ||
| 210 | set |= ((uint64_t) 1) << CAP_NET_BROADCAST; | ||
| 211 | #endif | ||
| 212 | } | ||
| 213 | if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities | ||
| 214 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | ||
| 215 | caps_set(set); | ||
| 216 | #endif | ||
| 217 | } | ||
| 218 | } | ||
| 208 | 219 | ||
| 209 | if (filtermask & SBOX_SECCOMP) { | 220 | if (filtermask & SBOX_SECCOMP) { |
| 210 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 221 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
| 211 | perror("prctl(NO_NEW_PRIVS)"); | 222 | perror("prctl(NO_NEW_PRIVS)"); |
| 212 | } | 223 | } |