Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
2 files changed, 13 insertions, 4 deletions
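--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1084,6 +1084,11 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
 exit(1);
 }
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+exit(1);
+}
 arg_overlay = 1;
 arg_overlay_keep = 1;
 
@@ -1091,7 +1096,6 @@ int main(int argc, char **argv) {
 char *dirname;
 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
-struct stat s;
 if (stat(dirname, &s) == -1) {
 /* coverity[toctou] */
 if (mkdir(dirname, 0700))
@@ -1122,6 +1126,11 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
 exit(1);
 }
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+exit(1);
+}
 arg_overlay = 1;
 }
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1207,7 +1216,7 @@ int main(int argc, char **argv) {
 
 struct stat s;
 if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
-fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
 exit(1);
 }
 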
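Review bot: The Grsecurity guard is now copy-pasted into three option branches of main() (the two overlay branches added here and the existing --chroot one), so the restriction holds only on paths that carry their own copy. Any other code that sets `arg_overlay` — for example profile handling, if it accepts an overlay directive, which is not visible in this commit — would skip the check. Moving the `stat("/proc/sys/kernel/grsecurity", &s)` test into one helper that takes the option name, and calling it wherever overlay or chroot is enabled, keeps the check and its message consistent. It would also let the second overlay branch (apparently --overlay-tmpfs, whose option test is outside the hunk) report its own name instead of `--overlay`. main() starts and ends outside these hunks.

```c
/* proposed helper, defined once above main() */
static void exit_if_grsecurity(const char *option) {
	struct stat s;
	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
		fprintf(stderr, "Error: %s option is not available on Grsecurity systems\n", option);
		exit(1);
	}
}

/* … unchanged: --overlay / --chroot mutual-exclusion check … */
exit_if_grsecurity("--overlay");
arg_overlay = 1;
```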
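--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -971,7 +971,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail directory.
+The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 
 .br
@@ -987,7 +987,7 @@ $ firejail \-\-overlay firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed.
+and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
 .br
 
 .br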