Diffstat (limited to 'src')
-rw-r--r--src/firejail/caps.c11
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/join.c3
-rw-r--r--src/firejail/sandbox.c6
4 files changed, 17 insertions, 4 deletions
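--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,17 @@ void caps_print(void) {
 	}
 }
 
+// drop discretionary access control capabilities by default in all sandboxes
+void caps_drop_dac_override(void) {
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_OVERRIDE\n");
 
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_READ_SEARCH\n");
+}
 
-
-// enabled by default
 int caps_default_filter(void) {
 	// drop capabilities
 	if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))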
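Review bot: Both `if (prctl(PR_CAPBSET_DROP, ...));` statements in caps_drop_dac_override() have an empty body, so a failed drop (prctl returns -1, for example EPERM when the caller lacks CAP_SETPCAP) is silently swallowed and the sandbox continues without a restriction it is documented as enforcing; the CAP_DAC_READ_SEARCH call has the same shape. The trailing `;` on the `if` is also easy to misread as a missing body. I would report the failure on stderr and route both drops through one small helper, as below; if the project prefers fail-closed here, the warning line becomes `errExit("prctl")` as used in join.c. PR_CAPBSET_DROP only removes the capability from the bounding set; I assume the permitted/effective sets are cleared by the later privilege drop before exec, but that is inferred from the call sites, not shown in this hunk.
```c
// drop one capability from the bounding set; report a failed drop instead of hiding it
static void drop_bounding_cap(int cap, const char *name) {
	if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
		fprintf(stderr, "Warning: cannot drop %s\n", name);
	else if (arg_debug)
		printf("Drop %s\n", name);
}

// drop discretionary access control capabilities by default in all sandboxes
void caps_drop_dac_override(void) {
	drop_bounding_cap(CAP_DAC_OVERRIDE, "CAP_DAC_OVERRIDE");
	drop_bounding_cap(CAP_DAC_READ_SEARCH, "CAP_DAC_READ_SEARCH");
}
```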
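--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -533,6 +533,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);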
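--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (child < 0)
 		errExit("fork");
 	if (child == 0) {
+		// drop discretionary access control capabilities by default
+		caps_drop_dac_override();
+
 		// chroot into /proc/PID/root directory
 		char *rootdir;
 		if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)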
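--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 		caps_keep_list(arg_caps_list);
 	else if (arg_caps_default_filter)
 		caps_default_filter();
+
+	// drop discretionary access control capabilities by default
+	caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 	// set security filters
 	//****************************
 	// set capabilities
-//	if (!arg_noroot)
-		set_caps();
+	set_caps();
 
 	// set rlimits
 	set_rlimits();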
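Review bot: In set_caps() the new caps_drop_dac_override() call runs unconditionally after the `caps_keep_list(arg_caps_list)` branch, so a user who explicitly lists dac_override or dac_read_search in their keep list has it dropped anyway with no message; the hunk does not say whether that override is intended. Either guard the call so an explicit keep list wins, or state the precedence in the comment above the call, e.g. `// always dropped, even when listed in the user's --caps.keep list`. set_caps() begins above line 99, so the shape of the if/else chain that precedes the new call is inferred from the visible context lines. The second hunk only removes a commented-out condition around the existing set_caps() call and needs nothing further.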