aboutsummaryrefslogtreecommitdiffstats
path: root/src/firejail
diff options
context:
space:
mode:
Diffstat (limited to 'src/firejail')
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c9
-rw-r--r--src/firejail/profile.c11
-rw-r--r--src/firejail/sandbox.c2
-rw-r--r--src/firejail/usage.c4
5 files changed, 24 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 167b6a843..0a4dffb75 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user
338extern int arg_writable_var_log; // writable /var/log 338extern int arg_writable_var_log; // writable /var/log
339extern int arg_appimage; // appimage 339extern int arg_appimage; // appimage
340extern int arg_apparmor; // apparmor 340extern int arg_apparmor; // apparmor
341extern char *apparmor_profile; // apparmor profile
341extern int arg_allow_debuggers; // allow debuggers 342extern int arg_allow_debuggers; // allow debuggers
342extern int arg_x11_block; // block X11 343extern int arg_x11_block; // block X11
343extern int arg_x11_xorg; // use X11 security extension 344extern int arg_x11_xorg; // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 55f623138..29c25dfc5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
133int arg_writable_var_log = 0; // writable /var/log 133int arg_writable_var_log = 0; // writable /var/log
134int arg_appimage = 0; // appimage 134int arg_appimage = 0; // appimage
135int arg_apparmor = 0; // apparmor 135int arg_apparmor = 0; // apparmor
136char *apparmor_profile = NULL; // apparmor profile
136int arg_allow_debuggers = 0; // allow debuggers 137int arg_allow_debuggers = 0; // allow debuggers
137int arg_x11_block = 0; // block X11 138int arg_x11_block = 0; // block X11
138int arg_x11_xorg = 0; // use X11 security extension 139int arg_x11_xorg = 0; // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
1287 // filtering 1288 // filtering
1288 //************************************* 1289 //*************************************
1289#ifdef HAVE_APPARMOR 1290#ifdef HAVE_APPARMOR
1290 else if (strcmp(argv[i], "--apparmor") == 0) 1291 else if (strcmp(argv[i], "--apparmor") == 0) {
1291 arg_apparmor = 1; 1292 arg_apparmor = 1;
1293 apparmor_profile = "firejail-default";
1294 }
1295 else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
1296 arg_apparmor = 1;
1297 apparmor_profile = argv[i] + 11;
1298 }
1292#endif 1299#endif
1293 else if (strncmp(argv[i], "--protocol=", 11) == 0) { 1300 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
1294 if (checkcfg(CFG_SECCOMP)) { 1301 if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dc1aff49a..82f8a393b 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
939 if (strcmp(ptr, "apparmor") == 0) { 939 if (strcmp(ptr, "apparmor") == 0) {
940#ifdef HAVE_APPARMOR 940#ifdef HAVE_APPARMOR
941 arg_apparmor = 1; 941 arg_apparmor = 1;
942 apparmor_profile = "firejail-default";
943#endif
944 return 0;
945 }
946
947 if (strncmp(ptr, "apparmor ", 9) == 0) {
948#ifdef HAVE_APPARMOR
949 arg_apparmor = 1;
950 apparmor_profile = strdup(ptr + 9);
951 if (!apparmor_profile)
952 errExit("strdup");
942#endif 953#endif
943 return 0; 954 return 0;
944 } 955 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b1b3407b4..9299268a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
130static void set_apparmor(void) { 130static void set_apparmor(void) {
131 EUID_ASSERT(); 131 EUID_ASSERT();
132 if (checkcfg(CFG_APPARMOR) && arg_apparmor) { 132 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
133 if (aa_change_onexec("firejail-default")) { 133 if (aa_stack_onexec(apparmor_profile)) {
134 fwarning("Cannot confine the application using AppArmor.\n" 134 fwarning("Cannot confine the application using AppArmor.\n"
135 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" 135 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
136 "As root, run \"aa-enforce firejail-default\" to load it.\n"); 136 "As root, run \"aa-enforce firejail-default\" to load it.\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c3c17393c..e11081eed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
30 " -- - signal the end of options and disables further option processing.\n" 30 " -- - signal the end of options and disables further option processing.\n"
31 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" 31 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
32 " --allusers - all user home directories are visible inside the sandbox.\n" 32 " --allusers - all user home directories are visible inside the sandbox.\n"
33 " --apparmor - enable AppArmor confinement.\n" 33 " --apparmor - enable AppArmor confinement with the default profile.\n"
34 " --apparmor=profile_name - enable AppArmor confinement with a\n"
35 "\tcustom profile.\n"
34 " --apparmor.print=name|pid - print apparmor status.\n" 36 " --apparmor.print=name|pid - print apparmor status.\n"
35 " --appimage - sandbox an AppImage application.\n" 37 " --appimage - sandbox an AppImage application.\n"
36#ifdef HAVE_NETWORK 38#ifdef HAVE_NETWORK
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-09-27 17:04:25 +0000