From c7bc2e151d8ede16adb1489dc149466b665202d3 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 3 Mar 2021 22:31:10 +0100
Subject: sandbox setup: postpone library preloading for now avoids mixing of traces from sandbox helpers into application traces
---
src/firejail/sandbox.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'src/firejail/sandbox.c')
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9a4be5cc0..57ea2c477 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1014,12 +1014,6 @@ int sandbox(void* sandbox_arg) {
 if (arg_novideo)
 fs_dev_disable_video();
 
- //****************************
- // install trace
- //****************************
- if (need_preload)
- fs_trace();
-
 //****************************
 // set dns
 //****************************
@@ -1136,6 +1130,16 @@ int sandbox(void* sandbox_arg) {
 fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
 seccomp_debug();
 
+ //****************************
+ // install trace - still need capabilities
+ //****************************
+ if (need_preload)
+ fs_trace();
+
+ //****************************
+ // continue security filters
+ //****************************
+
 // set capabilities
 set_caps();
 
-- cgit v1.2.3-54-g00ecf
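Review bot: The relocated `fs_trace()` call in the second hunk is held in place by two ordering constraints, but the new comment records only one of them ("still need capabilities", meaning before `set_caps()`). The other constraint, that it must run after the sandbox helpers so their output stays out of the application trace, exists only in the commit message, so a later reorder could silently undo it. I would spell both out, for example `// install trace - after the sandbox helpers have run (keeps their traces out of the application trace),` followed by `// but before set_caps(), because fs_trace() still needs capabilities`. The hunk also does not show what runs between the old call site (around line 1014) and this one. It is worth confirming that whatever `fs_trace()` writes or mounts is still reachable and writable here under read-only or private /etc configurations, and that a failure is reported rather than leaving tracing silently off. The body of `sandbox()` starts and ends outside the hunk.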