From e62ce59f5556555b52741ec677bb273a35939336 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 18 Mar 2016 08:07:15 -0400
Subject: join fixes

---
 src/firejail/seccomp.c | 6 +++---
 todo | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index d29184b7c..43b849ecf 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -286,12 +286,12 @@ static void write_seccomp_file(void) {
 // read seccomp filter from /run/firejail/mnt/seccomp
 static void read_seccomp_file(const char *fname) {
 assert(sfilter == NULL && sfilter_index == 0);
-printf("***%s***\n", fname);
+
 // check file
 struct stat s;
 if (stat(fname, &s) == -1) {
- fprintf(stderr, "Error: seccomp file not found\n");
- exit(1);
+ fprintf(stderr, "Warning: seccomp file not found\n");
+ return;
 }
 ssize_t sz = s.st_size;
 if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) {
diff --git a/todo b/todo
index e45d86eba..b631e6a06 100644
--- a/todo
+++ b/todo
@@ -35,3 +35,23 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 8. profile for dillo
 Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active. This is probably a dillo problem.
+
+9. --force sandbox in a overlayfs sandbox
+
+$ sudo firejail --overlay
+# su netblue
+$ xterm &
+$ firejail --force --private
+Parent pid 77, child pid 78
+Warning: failed to unmount /sys
+
+Warning: cannot mount a new user namespace, going forward without it...
+Child process initialized
+
+Try to join the forced sandbox in xterm window:
+$ firejail --join=77
+Switching to pid 78, the first child process inside the sandbox
+Warning: seccomp file not found
+Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
+$ ls ~ <----------------- all files are available, the directory is not empty!
+
-- 
cgit v1.2.3-54-g00ecf
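Review bot: Replacing `exit(1)` with a warning and a bare `return` in the stat() failure branch of read_seccomp_file leaves the caller with no way to tell that no filter was loaded — sfilter stays NULL and sfilter_index stays 0, as the assert just above guarantees, and control silently continues to whatever the caller does next (the rest of the function and its caller are outside this hunk). For a --join this means a process can be placed inside the sandbox with a weaker syscall policy than the sandbox's own child, which is a degradation the user should see stated, not inferred; the todo hunk in this same patch records that the next message shown is the unrelated `seccomp disabled, it requires a Linux kernel version 3.5 or newer`, which suggests the caller mis-attributes the empty filter to a kernel limitation. At minimum the warning should name the file and the consequence, e.g. `fprintf(stderr, "Warning: seccomp file %s not found, continuing without seccomp filter\n", fname);`, and a comment on the new `return` such as `// no filter loaded: sfilter stays NULL, caller must check before installing` would document the contract. A more robust follow-up is to have read_seccomp_file return a status (or the number of entries loaded) so the caller can skip filter installation and the kernel-version message explicitly.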