diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 33 | ||||
-rw-r--r-- | src/firejail/sbox.c | 3 |
2 files changed, 30 insertions, 6 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 709ce96b6..5c7f73fc1 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -997,6 +997,10 @@ int sandbox(void* sandbox_arg) { | |||
997 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter | 997 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter |
998 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG | 998 | protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG |
999 | } | 999 | } |
1000 | else { | ||
1001 | int rv = unlink(RUN_SECCOMP_PROTOCOL); | ||
1002 | (void) rv; | ||
1003 | } | ||
1000 | #endif | 1004 | #endif |
1001 | 1005 | ||
1002 | // if a keep list is available, disregard the drop list | 1006 | // if a keep list is available, disregard the drop list |
@@ -1005,13 +1009,21 @@ int sandbox(void* sandbox_arg) { | |||
1005 | seccomp_filter_keep(); | 1009 | seccomp_filter_keep(); |
1006 | else | 1010 | else |
1007 | seccomp_filter_drop(); | 1011 | seccomp_filter_drop(); |
1008 | } | ||
1009 | 1012 | ||
1010 | if (arg_debug) { | 1013 | // clean unused filters |
1011 | printf("\nSeccomp files:\n"); | 1014 | #if defined(__LP64__) |
1012 | int rv = system("ls -l /run/firejail/mnt/seccomp*\n"); | 1015 | int rv = unlink(RUN_SECCOMP_64); |
1016 | #endif | ||
1017 | #if defined(__ILP32__) | ||
1018 | int rv = unlink(RUN_SECCOMP_32); | ||
1019 | #endif | ||
1020 | (void) rv; | ||
1021 | } | ||
1022 | else { // clean seccomp files under /run/firejail/mnt | ||
1023 | int rv = unlink(RUN_SECCOMP_CFG); | ||
1024 | rv |= unlink(RUN_SECCOMP_64); | ||
1025 | rv |= unlink(RUN_SECCOMP_32); | ||
1013 | (void) rv; | 1026 | (void) rv; |
1014 | printf("\n"); | ||
1015 | } | 1027 | } |
1016 | 1028 | ||
1017 | if (arg_memory_deny_write_execute) { | 1029 | if (arg_memory_deny_write_execute) { |
@@ -1019,6 +1031,17 @@ int sandbox(void* sandbox_arg) { | |||
1019 | printf("Install memory write&execute filter\n"); | 1031 | printf("Install memory write&execute filter\n"); |
1020 | seccomp_load(RUN_SECCOMP_MDWX); // install filter | 1032 | seccomp_load(RUN_SECCOMP_MDWX); // install filter |
1021 | } | 1033 | } |
1034 | else { | ||
1035 | int rv = unlink(RUN_SECCOMP_MDWX); | ||
1036 | (void) rv; | ||
1037 | } | ||
1038 | |||
1039 | if (arg_debug) { | ||
1040 | printf("\nSeccomp files:\n"); | ||
1041 | int rv = system("ls -l /run/firejail/mnt/seccomp*\n"); | ||
1042 | (void) rv; | ||
1043 | printf("\n"); | ||
1044 | } | ||
1022 | #endif | 1045 | #endif |
1023 | 1046 | ||
1024 | //**************************************** | 1047 | //**************************************** |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index fed1f7ba7..cc2b08542 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -153,12 +153,13 @@ int sbox_run(unsigned filter, int num, ...) { | |||
153 | for (i = 3; i < max; i++) | 153 | for (i = 3; i < max; i++) |
154 | close(i); // close open files | 154 | close(i); // close open files |
155 | 155 | ||
156 | #if 0 | ||
156 | if (arg_debug) { | 157 | if (arg_debug) { |
157 | printf("sbox file descriptors:\n"); | 158 | printf("sbox file descriptors:\n"); |
158 | int rv = system("ls -l /proc/self/fd"); | 159 | int rv = system("ls -l /proc/self/fd"); |
159 | (void) rv; | 160 | (void) rv; |
160 | } | 161 | } |
161 | 162 | #endif | |
162 | umask(027); | 163 | umask(027); |
163 | 164 | ||
164 | // apply filters | 165 | // apply filters |