From fe226a207bff3e52188d8b064d61cb5711278b09 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 9 Sep 2018 15:23:34 +0200
Subject: set rlimits at later timepoint during sandbox setup

---
 src/firejail/sandbox.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f5abb18ba..b2d49c1e7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -522,6 +522,7 @@ void start_application(int no_sandbox, FILE *fp) {
 static void enforce_filters(void) {
 	// force default seccomp inside the chroot, no keep or drop list
 	// the list build on top of the default drop list is kept intact
+	arg_nonewprivs = 1;
 	arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
 	enforce_seccomp = 1;
@@ -1008,9 +1009,6 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
-	// set rlimits
-	set_rlimits();
-
 	// set nice
 	if (arg_nice) {
 		errno = 0;
@@ -1128,9 +1126,9 @@ int sandbox(void* sandbox_arg) {
 	// Set NO_NEW_PRIVS if desired
 	//****************************************
 	if (arg_nonewprivs) {
-		int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+		prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-		if(no_new_privs != 0 && !arg_quiet)
+		if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
 			fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
 		else if (arg_debug)
 			printf("NO_NEW_PRIVS set\n");
@@ -1145,6 +1143,9 @@ int sandbox(void* sandbox_arg) {
 			errExit("fork");
 		if (app_pid == 0) {
 
+			// set rlimits
+			set_rlimits();
+
 #ifdef HAVE_APPARMOR
 			if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 				errno = 0;
-- 
cgit v1.2.3-54-g00ecf
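Review bot: The new `arg_nonewprivs = 1;` in enforce_filters() is not covered by the two comment lines above it, which still describe only the forced seccomp default, so a reader of the chroot path will not see that NO_NEW_PRIVS is now mandatory there too. Extend the comment with a line such as `// also force NO_NEW_PRIVS so a setuid binary inside the chroot cannot regain privileges`. The enforce_filters() body continues past the end of the hunk.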
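Review bot: The rewritten condition `if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)` drops the old `!arg_quiet` guard, so the NO_NEW_PRIVS warning is now emitted even under --quiet; if that is intentional (the flag not taking effect is a security-relevant condition worth surfacing regardless), a short comment such as `// always report: running without NO_NEW_PRIVS weakens the sandbox` would stop a later maintainer from "fixing" it back. A second point: since enforce_filters() in this same commit forces arg_nonewprivs for the chroot case, a failed prctl here still only warns and continues, so "forced" is not actually enforced; if NO_NEW_PRIVS is meant to be mandatory in that path, the warning should become a fatal exit there, or the message should at least not attribute every failure to kernel age. Verifying the flag through PR_GET_NO_NEW_PRIVS rather than the PR_SET return value is a sound choice. sandbox() continues outside the hunk.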
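Review bot: The relocated `set_rlimits();` in the child branch keeps only the bare `// set rlimits` comment, yet the whole point of this commit (together with the removal in the earlier hunk at line 1009) is the timing; the reason the call now happens after fork() and after PR_SET_NO_NEW_PRIVS belongs in the code, e.g. `// set rlimits here, in the child, so the limits apply to the application only and not to the sandbox parent`, presumably because limits such as the process count would otherwise constrain the parent or the fork itself — TODO confirm. Whether set_rlimits() reports its own failures cannot be seen from this hunk; if it returns a status, it should be checked here. The if (app_pid == 0) block continues past the end of the hunk.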