Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 |
4 files changed, 13 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1fcb92fea..3097a7a0e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -241,6 +241,7 @@ extern int arg_quiet; // no output for scripting | |||
241 | extern int arg_join_network; // join only the network namespace | 241 | extern int arg_join_network; // join only the network namespace |
242 | extern int arg_join_filesystem; // join only the mount namespace | 242 | extern int arg_join_filesystem; // join only the mount namespace |
243 | extern int arg_nice; // nice value configured | 243 | extern int arg_nice; // nice value configured |
244 | extern int arg_ipc; // enable ipc namespace | ||
244 | 245 | ||
245 | extern int parent_to_child_fds[2]; | 246 | extern int parent_to_child_fds[2]; |
246 | extern int child_to_parent_fds[2]; | 247 | extern int child_to_parent_fds[2]; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index c0050be1f..05745a3f1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -95,6 +95,7 @@ int arg_quiet = 0; // no output for scripting | |||
95 | int arg_join_network = 0; // join only the network namespace | 95 | int arg_join_network = 0; // join only the network namespace |
96 | int arg_join_filesystem = 0; // join only the mount namespace | 96 | int arg_join_filesystem = 0; // join only the mount namespace |
97 | int arg_nice = 0; // nice value configured | 97 | int arg_nice = 0; // nice value configured |
98 | int arg_ipc = 0; // enable ipc namespace | ||
98 | 99 | ||
99 | int parent_to_child_fds[2]; | 100 | int parent_to_child_fds[2]; |
100 | int child_to_parent_fds[2]; | 101 | int child_to_parent_fds[2]; |
@@ -551,7 +552,6 @@ int main(int argc, char **argv) { | |||
551 | int i; | 552 | int i; |
552 | int prog_index = -1; // index in argv where the program command starts | 553 | int prog_index = -1; // index in argv where the program command starts |
553 | int lockfd = -1; | 554 | int lockfd = -1; |
554 | int arg_ipc = 0; | ||
555 | int arg_cgroup = 0; | 555 | int arg_cgroup = 0; |
556 | int custom_profile = 0; // custom profile loaded | 556 | int custom_profile = 0; // custom profile loaded |
557 | char *custom_profile_dir = NULL; // custom profile directory | 557 | char *custom_profile_dir = NULL; // custom profile directory |
@@ -1619,8 +1619,11 @@ int main(int argc, char **argv) { | |||
1619 | 1619 | ||
1620 | // in root mode also enable CLONE_NEWIPC | 1620 | // in root mode also enable CLONE_NEWIPC |
1621 | // in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM) | 1621 | // in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM) |
1622 | if (getuid() == 0 || arg_ipc) | 1622 | if (getuid() == 0 || arg_ipc) { |
1623 | flags |= CLONE_NEWIPC; | 1623 | flags |= CLONE_NEWIPC; |
1624 | if (arg_debug) | ||
1625 | printf("Enabling IPC namespace\n"); | ||
1626 | } | ||
1624 | 1627 | ||
1625 | if (any_bridge_configured() || any_interface_configured() || arg_nonetwork) { | 1628 | if (any_bridge_configured() || any_interface_configured() || arg_nonetwork) { |
1626 | flags |= CLONE_NEWNET; | 1629 | flags |= CLONE_NEWNET; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8771a7fa8..28df9f03e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -116,6 +116,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
116 | } | 116 | } |
117 | return 0; | 117 | return 0; |
118 | } | 118 | } |
119 | else if (strcmp(ptr, "ipc-namespace") == 0) { | ||
120 | arg_ipc = 1; | ||
121 | return 0; | ||
122 | } | ||
119 | // seccomp, caps, private, user namespace | 123 | // seccomp, caps, private, user namespace |
120 | else if (strcmp(ptr, "noroot") == 0) { | 124 | else if (strcmp(ptr, "noroot") == 0) { |
121 | #if HAVE_USERNS | 125 | #if HAVE_USERNS |
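Review bot: The new `ipc-namespace` branch is inserted directly above the `// seccomp, caps, private, user namespace` comment that introduces the namespace-related keywords, so it reads as part of the preceding group rather than the one it belongs to; moving the three-line branch below that comment, or extending the comment to `// seccomp, caps, private, user and ipc namespace`, keeps the grouping readable. The branch mirrors its siblings (set the flag, `return 0;`) and writes the global `arg_ipc` that main.c later tests when building the clone flags, which only works if profiles are parsed before that point — the ordering is not visible in this hunk and is worth confirming. profile_check_line starts and ends outside the hunk.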
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b46958bd4..8897efc09 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -283,7 +283,9 @@ Disable supplementary user groups | |||
283 | .TP | 283 | .TP |
284 | \fBshell none | 284 | \fBshell none |
285 | Run the program directly, without a shell. | 285 | Run the program directly, without a shell. |
286 | 286 | .TP | |
287 | \fBipc-namespace | ||
288 | Enable IPC namespace. | ||
287 | .SH Networking | 289 | .SH Networking |
288 | Networking features available in profile files. | 290 | Networking features available in profile files. |
289 | 291 | ||