diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/Makefile.in | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 12 |
2 files changed, 14 insertions, 4 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 21f415ba5..15253b5ab 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@ | |||
18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 18 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
19 | HAVE_WHITELIST=@HAVE_WHITELIST@ | 19 | HAVE_WHITELIST=@HAVE_WHITELIST@ |
20 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 20 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
21 | HAVE_APPARMOR=@HAVE_APPARMOR@ | ||
22 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | ||
21 | 23 | ||
22 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 24 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
23 | C_FILE_LIST = $(sort $(wildcard *.c)) | 25 | C_FILE_LIST = $(sort $(wildcard *.c)) |
24 | OBJS = $(C_FILE_LIST:.c=.o) | 26 | OBJS = $(C_FILE_LIST:.c=.o) |
25 | BINOBJS = $(foreach file, $(OBJS), $file) | 27 | BINOBJS = $(foreach file, $(OBJS), $file) |
26 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 28 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
27 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 29 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
28 | 30 | ||
29 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h | 31 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h |
30 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 32 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ |
31 | 33 | ||
32 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o | 34 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o |
33 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) | 35 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) |
34 | 36 | ||
35 | clean:; rm -f *.o firejail firejail.1 firejail.1.gz | 37 | clean:; rm -f *.o firejail firejail.1 firejail.1.gz |
36 | 38 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0fd81979f..1502a0312 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -39,6 +39,9 @@ | |||
39 | # define PR_SET_NO_NEW_PRIVS 38 | 39 | # define PR_SET_NO_NEW_PRIVS 38 |
40 | #endif | 40 | #endif |
41 | 41 | ||
42 | #ifdef HAVE_APPARMOR | ||
43 | #include <sys/apparmor.h> | ||
44 | #endif | ||
42 | 45 | ||
43 | 46 | ||
44 | static int monitored_pid = 0; | 47 | static int monitored_pid = 0; |
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) { | |||
392 | if (arg_debug && child_pid == 1) | 395 | if (arg_debug && child_pid == 1) |
393 | printf("PID namespace installed\n"); | 396 | printf("PID namespace installed\n"); |
394 | 397 | ||
398 | |||
395 | //**************************** | 399 | //**************************** |
396 | // set hostname | 400 | // set hostname |
397 | //**************************** | 401 | //**************************** |
@@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) { | |||
503 | else | 507 | else |
504 | fs_basic_fs(); | 508 | fs_basic_fs(); |
505 | 509 | ||
506 | |||
507 | //**************************** | 510 | //**************************** |
508 | // set hostname in /etc/hostname | 511 | // set hostname in /etc/hostname |
509 | //**************************** | 512 | //**************************** |
@@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) { | |||
798 | pid_t app_pid = fork(); | 801 | pid_t app_pid = fork(); |
799 | if (app_pid == -1) | 802 | if (app_pid == -1) |
800 | errExit("fork"); | 803 | errExit("fork"); |
801 | 804 | ||
802 | if (app_pid == 0) { | 805 | if (app_pid == 0) { |
806 | #ifdef HAVE_APPARMOR | ||
807 | errno = 0; | ||
808 | if (aa_change_onexec("firejail-default")) | ||
809 | fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); | ||
810 | #endif | ||
803 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 811 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
804 | start_application(); // start app | 812 | start_application(); // start app |
805 | } | 813 | } |