From 37e16a1e65df28b2b1407843e3e3de68a432a18e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 5 Apr 2016 09:59:44 -0400
Subject: grsecurity: --overlay

---
 src/firejail/main.c | 13 +++++++++++--
 src/man/firejail.txt | 4 ++--
 test/fs_chroot.exp | 2 +-
 test/fs_overlay.exp | 1 +
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 976348c33..0b47fd6db 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1084,6 +1084,11 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
 exit(1);
 }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
 arg_overlay = 1;
 arg_overlay_keep = 1;
 
@@ -1091,7 +1096,6 @@ int main(int argc, char **argv) {
 char *dirname;
 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
- struct stat s;
 if (stat(dirname, &s) == -1) {
 /* coverity[toctou] */
 if (mkdir(dirname, 0700))
@@ -1122,6 +1126,11 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
 exit(1);
 }
+ struct stat s;
+ if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+ fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+ exit(1);
+ }
 arg_overlay = 1;
 }
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1207,7 +1216,7 @@ int main(int argc, char **argv) {
 
 struct stat s;
 if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
- fprintf(stderr, "Error: --chroot option is not available on GRSecurity systems\n");
+ fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
 exit(1);
 }
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8972e2380..24dbff67a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
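Review bot: The five-line grsecurity probe added to the --overlay branch is pasted again verbatim into the --overlay-tmpfs branch (hunk at 1126) and a third copy already exists in the --chroot branch (hunk at 1216), so the path string and the message template now live in three places that must be kept in sync; a single `static int grsecurity_present(void)` helper wrapping `stat("/proc/sys/kernel/grsecurity", &s) == 0` would keep one probe for all three options. The probe also treats any stat() failure as "not grsecurity" without looking at errno — if /proc is not mounted when firejail starts, the option is allowed regardless; whether that case matters here cannot be told from the hunk. main() begins and ends outside the hunk.
```c
/* Grsecurity kernels expose /proc/sys/kernel/grsecurity; --overlay, --overlay-tmpfs
   and --chroot are refused there. Any stat() failure is treated as "not grsecurity". */
static int grsecurity_present(void) {
	struct stat s;
	return stat("/proc/sys/kernel/grsecurity", &s) == 0;
}

/* … unchanged: earlier option parsing in main() … */
			if (grsecurity_present()) {
				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
				exit(1);
			}
/* … unchanged: rest of the --overlay branch … */
```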
@@ -971,7 +971,7 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail directory.
+The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
 .br
 .br
 
@@ -987,7 +987,7 @@ $ firejail \-\-overlay firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed.
+and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
 .br
 .br
 
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index cced5a0f0..aeb5669e1 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --chroot=/tmp/chroot\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
- "Error: --chroot option is not available on GRSecurity systems" {puts "\nall done\n"; exit}
+ "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
 "Child process initialized" {puts "chroot available\n"};
 }
 sleep 1
diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp
index 42d25b407..b7eeba80f 100755
--- a/test/fs_overlay.exp
+++ b/test/fs_overlay.exp
@@ -20,6 +20,7 @@ send -- "firejail --noprofile --overlay\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+ "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
 "Child process initialized" {puts "found\n"}
 }
 sleep 1
-- 
cgit v1.2.3-54-g00ecf
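Review bot: The new expect branch in fs_overlay.exp reports the grsecurity refusal with the same "overlayfs not available" text used for the pre-3.18 kernel case, so a test log cannot tell the two skip reasons apart; printing `"\nTESTING: overlay refused on Grsecurity\n"` for the new pattern keeps the skip but makes the cause visible. The commit adds the matching test only for `--overlay`; the `--overlay-tmpfs` branch that gets the same refusal in main.c has no corresponding expect pattern visible in this patch.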