From 5e1b85e41594efb4a3f6b19033a53dca90ce6987 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 2 Mar 2023 17:45:13 +0100 Subject: cleanup --- src/firejail/join.c | 5 +---- src/firejail/main.c | 6 +++++- src/firejail/sandbox.c | 5 +---- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 5ef54002b..742cda80b 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -501,10 +501,7 @@ void join(pid_t pid, int argc, char **argv, int index) { } // set nonewprivs -#ifndef HAVE_FORCE_NONEWPRIVS - if (arg_nonewprivs == 1) // not available for uid 0 -#endif - { + if (arg_nonewprivs == 1) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) errExit("prctl"); if (arg_debug) diff --git a/src/firejail/main.c b/src/firejail/main.c index ac84f00c9..0e5363cb0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -97,7 +97,11 @@ int arg_rlimit_fsize = 0; // rlimit fsize int arg_rlimit_sigpending = 0; // rlimit fsize int arg_rlimit_as = 0; // rlimit as int arg_nogroups = 0; // disable supplementary groups -int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl +#ifdef HAVE_FORCE_NONEWPRIVS +int arg_nonewprivs = 1; // set the NO_NEW_PRIVS prctl +#else +int arg_nonewprivs = 0; +#endif int arg_noroot = 0; // create a new user namespace and disable root user int arg_netfilter; // enable netfilter int arg_netfilter6; // enable netfilter6 diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 88de1fc5f..648fc2248 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -1277,10 +1277,7 @@ int sandbox(void* sandbox_arg) { //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** -#ifndef HAVE_FORCE_NONEWPRIVS - if (arg_nonewprivs) -#endif - { + if (arg_nonewprivs) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { fprintf(stderr, "Error: cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n"); exit(1); -- cgit v1.2.3-54-g00ecf