Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 16 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 1 | ||||
-rw-r--r-- | src/firejail/preproc.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 |
4 files changed, 16 insertions, 11 deletions
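--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
 #define RUN_LIB_FILE "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc"
 
-#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp.list" // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
-#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp.32" // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp.mdwx" // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp.block_secondary" // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp.postexec" // filter for post-exec library
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter
+#define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make
@@ -95,7 +96,6 @@
 #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE "/run/firejail/mnt/utmp"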
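Review bot: RUN_SECCOMP_DIR at new line 60 is the only macro in this block without a trailing comment, although it now carries the most important contract: every filter path below it lives inside that directory, and the sandbox.c hunk in this commit remounts it read-only with fs_rdonly(). Suggest `#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" // all seccomp filters; remounted read-only in sandbox()`. RUN_SECCOMP_CFG at new line 63 now names a file whose basename equals its parent directory, so a short comment such as `// configured filter (a file inside RUN_SECCOMP_DIR, not the directory itself)` would keep the two macros from being confused.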
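--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
 fslib_duplicate(buf);
 }
 fclose(fp);
+unlink(RUN_LIB_FILE);
 }
 
 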
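Review bot: The added `unlink(RUN_LIB_FILE);` at new line 136 discards its return value, while the sandbox.c hunk of the same commit uses `int rv = unlink(...); (void) rv;` for RUN_SECCOMP_MDWX; the two should follow one style. A failed unlink here is silent, so the library list would stay behind under /run/firejail/mnt where the sandboxed process can read it; if that matters, report the failure instead of ignoring it. fslib_copy_libs() starts before this hunk, so whether any earlier return path also leaves the file in place cannot be judged from here.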
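--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
 fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
 if (arg_seccomp_block_secondary)
 copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
 else {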
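Review bot: `create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);` at new line 89 has no comment saying why the directory exists, and its result is not inspected; if the function can report failure (its signature is not visible here), every copy_file() below targets a path inside the directory, so a creation failure would surface only as later copy errors. Suggest `// all seccomp filters are staged here; sandbox() remounts the directory read-only once they are in place`, which also tells future authors that any write or unlink inside it has to happen before that point. preproc_mount_mnt_dir() continues outside the hunk.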
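--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1053,9 +1053,6 @@ int sandbox(void* sandbox_arg) {
 // save state of nonewprivs
 save_nonewprivs();
 
-// set capabilities
-set_caps();
-
 // save cpu affinity mask to CPU_CFG file
 save_cpu();
 
@@ -1101,8 +1098,13 @@ int sandbox(void* sandbox_arg) {
 int rv = unlink(RUN_SECCOMP_MDWX);
 (void) rv;
 }
+// make seccomp filters read-only
+fs_rdonly(RUN_SECCOMP_DIR);
 #endif
 
+// set capabilities
+set_caps();
+
 //****************************************
 // communicate progress of sandbox set up
 // to --join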
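Review bot: The ordering that the new `fs_rdonly(RUN_SECCOMP_DIR);` at new line 1102 depends on — it has to run before set_caps(), which the commit moves down to line 1106 — is not documented in either hunk; presumably the read-only remount needs a privilege that set_caps() may drop, and a comment such as `// set_caps() must stay after fs_rdonly(RUN_SECCOMP_DIR): the remount needs privileges that may be dropped here` would keep someone from moving it back. fs_rdonly() is called without inspecting a result; if it can report failure (its signature is not visible here), check it, since a filter directory that silently stays writable defeats the purpose of the change. The `unlink(RUN_SECCOMP_MDWX)` at new line 1098 is now the last write to that directory before the remount, which is worth a comment if further filter edits are ever added. sandbox() extends beyond both hunks.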