Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/profile.c | 74 |
1 files changed, 74 insertions, 0 deletions
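--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -830,6 +830,80 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+
+#ifdef HAVE_OVERLAYFS
+if (strncmp(ptr, "overlay-named ", 14) == 0) {
+if (checkcfg(CFG_OVERLAYFS)) {
+if (cfg.chrootdir) {
+fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+exit(1);
+}
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+exit(1);
+}
+arg_overlay = 1;
+arg_overlay_keep = 1;
+arg_overlay_reuse = 1;
+
+char *subdirname = ptr + 14;
+if (subdirname == '\0') {
+fprintf(stderr, "Error: invalid overlay option\n");
+exit(1);
+}
+
+// check name
+invalid_filename(subdirname);
+if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+fprintf(stderr, "Error: invalid overlay name\n");
+exit(1);
+}
+cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+}
+
+return 0;
+} else if (strcmp(ptr, "overlay-tmpfs") == 0) {
+if (checkcfg(CFG_OVERLAYFS)) {
+if (cfg.chrootdir) {
+fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+exit(1);
+}
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+exit(1);
+}
+arg_overlay = 1;
+
+return 0;
+}
+} else if (strcmp(ptr, "overlay") == 0) {
+if (checkcfg(CFG_OVERLAYFS)) {
+if (cfg.chrootdir) {
+fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+exit(1);
+}
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+exit(1);
+}
+arg_overlay = 1;
+arg_overlay_keep = 1;
+
+char *subdirname;
+if (asprintf(&subdirname, "%d", getpid()) == -1)
+errExit("asprintf");
+cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+
+free(subdirname);
+
+return 0;
+}
+}
+#endif
+
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
 #ifdef HAVE_BIND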
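Review bot: `if (subdirname == '\0')` in the overlay-named branch compares the pointer itself against a null character, so it is only true when `ptr + 14` is NULL — which it never is after a successful strncmp — and an empty name following `overlay-named ` is never rejected there; the intended test is `if (*subdirname == '\0') {`. As written, an empty string reaches invalid_filename() and fs_check_overlay_dir(), whose handling of "" is not visible in this hunk, so the validation that follows (the ".." and "/" checks) cannot be relied on to catch it. The same branch also puts its `return 0;` outside the `if (checkcfg(CFG_OVERLAYFS))` block, unlike the overlay-tmpfs and overlay branches, so with overlayfs disabled in the config an `overlay-named` line returns 0 just as in the enabled case while the other two fall through to the checks that follow; moving the return inside the checkcfg block makes the three branches consistent. The chroot/grsecurity preamble is duplicated three times and would read better as one static helper. profile_check_line() starts before and continues after this hunk.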