From 811af13d5120e85d1e0cb2cbc9ea0b60c0350af7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 17 Dec 2015 12:35:15 -0500 Subject: added --force option --- src/firejail/main.c | 21 +++++++++++++++++---- src/man/firejail.txt | 7 +++++++ 2 files changed, 24 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/firejail/main.c b/src/firejail/main.c index a9ccfc9cc..3a06ec0f1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -425,10 +425,21 @@ int main(int argc, char **argv) { // check if we already have a sandbox running int rv = check_kernel_procs(); if (rv == 0) { - // start the program directly without sandboxing - run_no_sandbox(argc, argv); - // it will never get here! - assert(0); + // if --force option is passed to the program, disregard the existing sandbox + int found = 0; + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--force") == 0) { + found = 1; + break; + } + } + + if (found == 0) { + // start the program directly without sandboxing + run_no_sandbox(argc, argv); + // it will never get here! + assert(0); + } } // initialize globals @@ -478,6 +489,8 @@ int main(int argc, char **argv) { arg_debug_whitelists = 1; else if (strcmp(argv[i], "--quiet") == 0) arg_quiet = 1; + else if (strcmp(argv[i], "--force") == 0) + ; //************************************* // filtering diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd36bead6..eed87c574 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -367,6 +367,13 @@ Example: .br $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib +.TP +\fB\-\-force +By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell. +This option disables this behavior, and attempts to start Firejail in the existing sandbox. +There could be lots of reasons for it to fail, for example if the existing sandbox disables +admin capabilities, SUID binaries, or if it runs seccomp. + .TP \fB\-\-fs.print=name Print the filesystem log for the sandbox identified by name. -- cgit v1.2.3-70-g09d2