diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 48 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 5 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 16 |
3 files changed, 40 insertions, 29 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9d635436d..3b2e7e4d9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -695,7 +695,6 @@ int main(int argc, char **argv) { | |||
695 | } | 695 | } |
696 | 696 | ||
697 | // extract private home dirname | 697 | // extract private home dirname |
698 | printf("here %s:%d\n", __FILE__, __LINE__); | ||
699 | cfg.home_private = argv[i] + 10; | 698 | cfg.home_private = argv[i] + 10; |
700 | fs_check_private_dir(); | 699 | fs_check_private_dir(); |
701 | arg_private = 1; | 700 | arg_private = 1; |
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__); | |||
1058 | 1057 | ||
1059 | // use generic.profile as the default | 1058 | // use generic.profile as the default |
1060 | if (!custom_profile && !arg_noprofile) { | 1059 | if (!custom_profile && !arg_noprofile) { |
1061 | char *profile_name = DEFAULT_USER_PROFILE; | 1060 | if (cfg.chrootdir) |
1062 | if (getuid() == 0) | 1061 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); |
1063 | profile_name = DEFAULT_ROOT_PROFILE; | 1062 | else if (arg_overlay) |
1064 | if (arg_debug) | 1063 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); |
1065 | printf("Attempting to find %s.profile...", profile_name); | 1064 | else if (cfg.home_private_keep) |
1066 | 1065 | fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); | |
1067 | // look for the profile in ~/.config/firejail directory | 1066 | else { |
1068 | char *usercfgdir; | 1067 | // try to load a default profile |
1069 | if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) | 1068 | char *profile_name = DEFAULT_USER_PROFILE; |
1070 | errExit("asprintf"); | 1069 | if (getuid() == 0) |
1071 | custom_profile = profile_find(profile_name, usercfgdir); | 1070 | profile_name = DEFAULT_ROOT_PROFILE; |
1072 | free(usercfgdir); | 1071 | if (arg_debug) |
1073 | 1072 | printf("Attempting to find %s.profile...\n", profile_name); | |
1074 | if (!custom_profile) { | 1073 | |
1075 | // look for the profile in /etc/firejail directory | 1074 | // look for the profile in ~/.config/firejail directory |
1076 | custom_profile = profile_find(profile_name, "/etc/firejail"); | 1075 | char *usercfgdir; |
1076 | if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) | ||
1077 | errExit("asprintf"); | ||
1078 | custom_profile = profile_find(profile_name, usercfgdir); | ||
1079 | free(usercfgdir); | ||
1080 | |||
1081 | if (!custom_profile) { | ||
1082 | // look for the profile in /etc/firejail directory | ||
1083 | custom_profile = profile_find(profile_name, "/etc/firejail"); | ||
1084 | } | ||
1085 | |||
1086 | if (custom_profile) | ||
1087 | printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name); | ||
1077 | } | 1088 | } |
1078 | |||
1079 | if (custom_profile) | ||
1080 | printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name); | ||
1081 | } | 1089 | } |
1082 | 1090 | ||
1083 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 1091 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 46cb03da7..53782a288 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) { | |||
179 | //**************************** | 179 | //**************************** |
180 | // configure filesystem | 180 | // configure filesystem |
181 | //**************************** | 181 | //**************************** |
182 | |||
182 | #ifdef HAVE_CHROOT | 183 | #ifdef HAVE_CHROOT |
183 | if (cfg.chrootdir) { | 184 | if (cfg.chrootdir) { |
184 | fs_chroot(cfg.chrootdir); | 185 | fs_chroot(cfg.chrootdir); |
@@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) { | |||
267 | //**************************** | 268 | //**************************** |
268 | if (arg_nonetwork) { | 269 | if (arg_nonetwork) { |
269 | net_if_up("lo"); | 270 | net_if_up("lo"); |
271 | if (arg_debug) | ||
272 | printf("Network namespace enabled, only loopback interface available\n"); | ||
270 | } | 273 | } |
271 | else if (any_bridge_configured()) { | 274 | else if (any_bridge_configured()) { |
272 | // configure lo and eth0...eth3 | 275 | // configure lo and eth0...eth3 |
@@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) { | |||
397 | if (arg_noroot) { | 400 | if (arg_noroot) { |
398 | int rv = unshare(CLONE_NEWUSER); | 401 | int rv = unshare(CLONE_NEWUSER); |
399 | if (rv == -1) { | 402 | if (rv == -1) { |
400 | fprintf(stderr, "Warning: cannot mount a new user namespace\n"); | 403 | fprintf(stderr, "Error: cannot mount a new user namespace\n"); |
401 | perror("unshare"); | 404 | perror("unshare"); |
402 | drop_privs(arg_nogroups); | 405 | drop_privs(arg_nogroups); |
403 | } | 406 | } |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 17f038a2e..47988dbf4 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -179,8 +179,8 @@ static void filter_init(void) { | |||
179 | return; | 179 | return; |
180 | } | 180 | } |
181 | 181 | ||
182 | if (arg_debug) | 182 | // if (arg_debug) |
183 | printf("Initialize seccomp filter\n"); | 183 | // printf("Initialize seccomp filter\n"); |
184 | // allocate a filter of SECSIZE | 184 | // allocate a filter of SECSIZE |
185 | sfilter = malloc(sizeof(struct sock_filter) * SECSIZE); | 185 | sfilter = malloc(sizeof(struct sock_filter) * SECSIZE); |
186 | if (!sfilter) | 186 | if (!sfilter) |
@@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) { | |||
220 | assert(sfilter); | 220 | assert(sfilter); |
221 | assert(sfilter_alloc_size); | 221 | assert(sfilter_alloc_size); |
222 | assert(sfilter_index); | 222 | assert(sfilter_index); |
223 | if (arg_debug) | 223 | // if (arg_debug) |
224 | printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); | 224 | // printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); |
225 | 225 | ||
226 | if ((sfilter_index + 2) > sfilter_alloc_size) | 226 | if ((sfilter_index + 2) > sfilter_alloc_size) |
227 | filter_realloc(); | 227 | filter_realloc(); |
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) { | |||
246 | assert(sfilter); | 246 | assert(sfilter); |
247 | assert(sfilter_alloc_size); | 247 | assert(sfilter_alloc_size); |
248 | assert(sfilter_index); | 248 | assert(sfilter_index); |
249 | if (arg_debug) | 249 | // if (arg_debug) |
250 | printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); | 250 | // printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); |
251 | 251 | ||
252 | if ((sfilter_index + 2) > sfilter_alloc_size) | 252 | if ((sfilter_index + 2) > sfilter_alloc_size) |
253 | filter_realloc(); | 253 | filter_realloc(); |
@@ -272,8 +272,8 @@ static void filter_end_blacklist(void) { | |||
272 | assert(sfilter); | 272 | assert(sfilter); |
273 | assert(sfilter_alloc_size); | 273 | assert(sfilter_alloc_size); |
274 | assert(sfilter_index); | 274 | assert(sfilter_index); |
275 | if (arg_debug) | 275 | // if (arg_debug) |
276 | printf("Ending syscall filter\n"); | 276 | // printf("Ending syscall filter\n"); |
277 | 277 | ||
278 | if ((sfilter_index + 2) > sfilter_alloc_size) | 278 | if ((sfilter_index + 2) > sfilter_alloc_size) |
279 | filter_realloc(); | 279 | filter_realloc(); |