Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 |
4 files changed, 9 insertions, 3 deletions
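--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1226,8 +1226,8 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
 else if (arg_overlay)
 fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-else if (cfg.home_private_keep)
-fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
+// else if (cfg.home_private_keep)
+// fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
 else {
 // try to load a default profile
 char *profile_name = DEFAULT_USER_PROFILE;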
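Review bot: The `--private-home` branch at new lines 1229-1230 is switched off by commenting it out, which leaves dead code in the middle of the if/else chain and no record of why the default profile is now loaded when `cfg.home_private_keep` is set. Delete the two lines instead, and put the reason in a comment above the `else {`, for example `// --private-home no longer disables the default profile`. The chain starts above the hunk and the `else` body continues below it, so it is worth confirming that nothing later in that body still assumes `cfg.home_private_keep` is unset.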
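--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -210,6 +210,8 @@ int sandbox(void* sandbox_arg) {
 if (!arg_quiet)
 printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
 }
+else
+arg_seccomp = 1;
 
 //****************************
 // trace pre-install, this time inside chroot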
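Review bot: The added `else arg_seccomp = 1;` at new lines 213-214 forces the seccomp filter on without any message, while the branch that closes just above it announces the enforcement unless `arg_quiet` is set. The `if` this `else` pairs with opens above the hunk, so the case it covers cannot be read from here. A short comment naming that case, plus braces to match the braced branch, would make the forced setting easier to audit: `else { /* <case>: always enforce the default seccomp filter */ arg_seccomp = 1; }`. If a user-supplied syscall list can be active on this path, the comment should also say whether that list is kept or replaced by the default one.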
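--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -385,6 +385,7 @@ void seccomp_filter_32(void) {
 BLACKLIST(294), // migrate_pages
 BLACKLIST(317), // move_pages
 BLACKLIST(316), // vmsplice
+BLACKLIST(61), // chroot
 RETURN_ALLOW
 };
 
@@ -558,6 +559,9 @@ int seccomp_filter_drop(void) {
 #ifdef SYS_vmsplice
 filter_add_blacklist(SYS_vmsplice, 0);
 #endif
+#ifdef SYS_chroot
+filter_add_blacklist(SYS_chroot, 0);
+#endif
 //#ifdef SYS_set_robust_list
 // filter_add_blacklist(SYS_set_robust_list, 0);
 //#endif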
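Review bot: The chroot entry is added only to `seccomp_filter_32` and to the native list in `seccomp_filter_drop`. If this file also builds a filter for another ABI (none is visible in these hunks), that filter needs the matching entry, because a blacklist that differs between ABIs leaves the call reachable through the one that was missed. In `seccomp_filter_32` the bare number would be easier to verify with the ABI spelled out, e.g. `BLACKLIST(61), // chroot (i386 syscall number)`. The `#ifdef SYS_chroot` guard follows the neighbouring entries, but it also means a build whose headers lack the macro drops the rule silently, which is worth stating in a comment at the top of the list. Both functions begin and end outside the hunks shown.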
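--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -225,7 +225,7 @@ void usage(void) {
 printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n");
 printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n");
 printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n");
-printf("\t\tkexec_file_load.\n\n");
+printf("\t\tkexec_file_load, chroot.\n\n");
 
 printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
 printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n");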
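Review bot: The help text at new line 228 appends `chroot` after the list's closing "and", so it now reads "perf_event_open and kexec_file_load, chroot." and the last item looks like an afterthought rather than part of the default blacklist. Move the conjunction so the list still ends cleanly: `printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open,\n");` followed by `printf("\t\tkexec_file_load and chroot.\n\n");`. This list is what users read to learn what the default filter blocks, so it should stay in step with the entries in seccomp.c.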