diff options
Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 |
5 files changed, 24 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 167b6a843..0a4dffb75 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user | |||
338 | extern int arg_writable_var_log; // writable /var/log | 338 | extern int arg_writable_var_log; // writable /var/log |
339 | extern int arg_appimage; // appimage | 339 | extern int arg_appimage; // appimage |
340 | extern int arg_apparmor; // apparmor | 340 | extern int arg_apparmor; // apparmor |
341 | extern char *apparmor_profile; // apparmor profile | ||
341 | extern int arg_allow_debuggers; // allow debuggers | 342 | extern int arg_allow_debuggers; // allow debuggers |
342 | extern int arg_x11_block; // block X11 | 343 | extern int arg_x11_block; // block X11 |
343 | extern int arg_x11_xorg; // use X11 security extension | 344 | extern int arg_x11_xorg; // use X11 security extension |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 55f623138..29c25dfc5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user | |||
133 | int arg_writable_var_log = 0; // writable /var/log | 133 | int arg_writable_var_log = 0; // writable /var/log |
134 | int arg_appimage = 0; // appimage | 134 | int arg_appimage = 0; // appimage |
135 | int arg_apparmor = 0; // apparmor | 135 | int arg_apparmor = 0; // apparmor |
136 | char *apparmor_profile = NULL; // apparmor profile | ||
136 | int arg_allow_debuggers = 0; // allow debuggers | 137 | int arg_allow_debuggers = 0; // allow debuggers |
137 | int arg_x11_block = 0; // block X11 | 138 | int arg_x11_block = 0; // block X11 |
138 | int arg_x11_xorg = 0; // use X11 security extension | 139 | int arg_x11_xorg = 0; // use X11 security extension |
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) { | |||
1287 | // filtering | 1288 | // filtering |
1288 | //************************************* | 1289 | //************************************* |
1289 | #ifdef HAVE_APPARMOR | 1290 | #ifdef HAVE_APPARMOR |
1290 | else if (strcmp(argv[i], "--apparmor") == 0) | 1291 | else if (strcmp(argv[i], "--apparmor") == 0) { |
1291 | arg_apparmor = 1; | 1292 | arg_apparmor = 1; |
1293 | apparmor_profile = "firejail-default"; | ||
1294 | } | ||
1295 | else if (strncmp(argv[i], "--apparmor=", 11) == 0) { | ||
1296 | arg_apparmor = 1; | ||
1297 | apparmor_profile = argv[i] + 11; | ||
1298 | } | ||
1292 | #endif | 1299 | #endif |
1293 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1300 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1294 | if (checkcfg(CFG_SECCOMP)) { | 1301 | if (checkcfg(CFG_SECCOMP)) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index dc1aff49a..82f8a393b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
939 | if (strcmp(ptr, "apparmor") == 0) { | 939 | if (strcmp(ptr, "apparmor") == 0) { |
940 | #ifdef HAVE_APPARMOR | 940 | #ifdef HAVE_APPARMOR |
941 | arg_apparmor = 1; | 941 | arg_apparmor = 1; |
942 | apparmor_profile = "firejail-default"; | ||
943 | #endif | ||
944 | return 0; | ||
945 | } | ||
946 | |||
947 | if (strncmp(ptr, "apparmor ", 9) == 0) { | ||
948 | #ifdef HAVE_APPARMOR | ||
949 | arg_apparmor = 1; | ||
950 | apparmor_profile = strdup(ptr + 9); | ||
951 | if (!apparmor_profile) | ||
952 | errExit("strdup"); | ||
942 | #endif | 953 | #endif |
943 | return 0; | 954 | return 0; |
944 | } | 955 | } |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b1b3407b4..9299268a3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -130,7 +130,7 @@ static void set_caps(void) { | |||
130 | static void set_apparmor(void) { | 130 | static void set_apparmor(void) { |
131 | EUID_ASSERT(); | 131 | EUID_ASSERT(); |
132 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { | 132 | if (checkcfg(CFG_APPARMOR) && arg_apparmor) { |
133 | if (aa_change_onexec("firejail-default")) { | 133 | if (aa_stack_onexec(apparmor_profile)) { |
134 | fwarning("Cannot confine the application using AppArmor.\n" | 134 | fwarning("Cannot confine the application using AppArmor.\n" |
135 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" | 135 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" |
136 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); | 136 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c3c17393c..e11081eed 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -30,7 +30,9 @@ static char *usage_str = | |||
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
32 | " --allusers - all user home directories are visible inside the sandbox.\n" | 32 | " --allusers - all user home directories are visible inside the sandbox.\n" |
33 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement with the default profile.\n" |
34 | " --apparmor=profile_name - enable AppArmor confinement with a\n" | ||
35 | "\tcustom profile.\n" | ||
34 | " --apparmor.print=name|pid - print apparmor status.\n" | 36 | " --apparmor.print=name|pid - print apparmor status.\n" |
35 | " --appimage - sandbox an AppImage application.\n" | 37 | " --appimage - sandbox an AppImage application.\n" |
36 | #ifdef HAVE_NETWORK | 38 | #ifdef HAVE_NETWORK |