From 135338ba895d5feb444e3e4d6548e3474f262637 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 5 Apr 2016 09:48:36 -0400
Subject: grsecurity: --chroot
---
src/firejail/main.c | 8 ++++++++
src/man/firejail.txt | 3 ++-
test/fs_chroot.exp | 3 ++-
test/invalid_filename.exp | 3 ++-
test/option_chroot_overlay.exp | 3 ++-
5 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e86aa85ac..976348c33 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1204,6 +1204,14 @@ int main(int argc, char **argv) {
fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
exit(1);
}
+
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+ exit(1);
+ }
+
+
invalid_filename(argv[i] + 9);
// extract chroot dirname
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f22762499..8972e2380 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -201,7 +201,8 @@ Example:
.TP
\fB\-\-chroot=dirname
Chroot the sandbox into a root filesystem. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled.
+regular user, default seccomp and capabilities filters are enabled. This
+option is not available on Grsecurity systems.
.br
.br
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index cc0d82179..cced5a0f0 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,8 @@ match_max 100000
send -- "firejail --chroot=/tmp/chroot\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
+ "Error: --chroot option is not available on GRSecurity systems" {puts "\nall done\n"; exit}
+ "Child process initialized" {puts "chroot available\n"};
}
sleep 1
diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp
index dd1fa4634..8b8087e9b 100755
--- a/test/invalid_filename.exp
+++ b/test/invalid_filename.exp
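Review bot: The new `stat("/proc/sys/kernel/grsecurity", &s)` test in the --chroot branch of main() fails open: any stat() failure, not only a genuinely absent directory, lets the chroot setup continue, so a system where /proc is not mounted or where the kernel does not expose that sysctl directory is treated as a non-grsecurity system. If that is the intended trade-off, record it above the check, for example `// best effort: grsecurity is detected through its sysctl directory, so the check is skipped when /proc is unavailable`, and add the reason chroot is refused there, which the hunk does not state. The message spells the name `GRSecurity` while the man page text added in the same commit uses `Grsecurity`; three test scripts now match the message literally, so it is worth settling on one spelling before more callers depend on it. The enclosing option-parsing block starts and ends outside the hunk.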
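Review bot: In test/fs_chroot.exp the added GRSecurity branch prints `all done` and exits without an exit code, so a run that never exercised the chroot is reported with what is presumably the same marker a successful run prints, and a skipped test cannot be told from a passed one in the logs. A distinct message such as `{puts "\nchroot not available, test skipped\n"; exit}` would keep the coverage gap visible on hardened hosts. The same applies to the matching branches added in test/invalid_filename.exp and test/option_chroot_overlay.exp.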
@@ -56,7 +56,8 @@ after 100
send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
- "Checking filename bla&&bla"
+ "Checking filename bla&&bla" {puts "normal system\n"}
+ "Error: --chroot option is not available on GRSecurity systems" { puts "\nall done\n"; exit}
}
expect {
timeout {puts "TESTING ERROR 3.2\n";exit}
diff --git a/test/option_chroot_overlay.exp b/test/option_chroot_overlay.exp
index b39bc0c8e..dd1b8eb28 100755
--- a/test/option_chroot_overlay.exp
+++ b/test/option_chroot_overlay.exp
@@ -7,7 +7,8 @@ match_max 100000
send -- "firejail --chroot=/tmp/chroot --overlay\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
- "mutually exclusive"
+ "mutually exclusive" {puts "normal system\n"}
+ "Error: --chroot option is not available on GRSecurity systems" { puts "\nall done\n"; exit}
}
sleep 1
--
cgit v1.2.3-54-g00ecf
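Review bot: The `exit` in the GRSecurity branch added at check 3.1 of test/invalid_filename.exp ends the whole script, so every filename check that follows in this file is skipped on such systems too, including any that do not involve --chroot; the rest of the script is outside the hunk, so this needs confirming. These checks exercise rejection of shell metacharacters in option arguments, which is coverage worth keeping on hardened hosts. If later checks are independent of chroot, replace the `exit` with a flag, for example `{set chroot_unavailable 1}`, and skip only the 3.2 `expect` that relies on the chroot path having been reached.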