Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
3 files changed, 19 insertions, 4 deletions
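--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
-EUID_ASSERT();
 assert(val < CFG_MAX);
 int line = 0;
 
@@ -38,7 +37,6 @@ int checkcfg(int val) {
 int i;
 for (i = 0; i < CFG_MAX; i++)
 cfg_val[i] = 1; // most of them are enabled by default
-
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 
@@ -226,6 +224,15 @@ int checkcfg(int val) {
 if (strcmp(ptr + 17, "yes") == 0)
 arg_quiet = 1;
 }
+// remount /proc and /sys
+else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+if (strcmp(ptr + 17, "yes") == 0)
+cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+else if (strcmp(ptr + 17, "no") == 0)
+cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 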
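Review bot: Removing `EUID_ASSERT()` from the top of `checkcfg()` drops the only visible guarantee about the effective uid this function runs under, and the same commit starts calling it from `sandbox()` and `monitor_application()`. The config parsing sits in the part of the function outside these hunks; if the first call can now come from one of those new callers, presumably running with elevated privileges, the file would be opened and parsed in that context instead. A comment in place of the assert would record the intent, for example `// no EUID_ASSERT(): also called from the sandbox process; the config file must only be writable by root`. It would also help to extend `// remount /proc and /sys` to say that the default is yes and that `no` turns a hardening step off.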
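--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;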
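--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) {
 if (arg_debug)
 printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
 
+// if /proc is not remounted, we cannot check /proc directory,
+// for now we just get out of here
+// todo: find another way of checking child processes!
+if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+break;
+
 DIR *dir;
 if (!(dir = opendir("/proc"))) {
 // sleep 2 seconds and try again
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // update /proc, /sys, /dev, /boot directorymy
 //****************************
-fs_proc_sys_dev_boot();
+if (checkcfg(CFG_REMOUNT_PROC_SYS))
+fs_proc_sys_dev_boot();
 
 //****************************
 // apply the profile file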
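Review bot: The new guard in `sandbox()` skips the whole of `fs_proc_sys_dev_boot()`, and the comment directly above it says that call updates /proc, /sys, /dev and /boot. Setting `remount-proc-sys no` therefore appears to drop the /dev and /boot handling as well, which the option name does not suggest. If that is intended, state it at the call site, e.g. `// remount-proc-sys no skips all of fs_proc_sys_dev_boot(), including the /dev and /boot handling`. Otherwise the function, whose body is not visible here, would need splitting so that only the /proc and /sys part is conditional. `sandbox()` continues outside the hunk.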