From 9794356e80df9a2b3eaf6ddda310d26ecc56b3ec Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 8 Jul 2017 12:10:51 -0400
Subject: fix discretionary access control for sandboxes running as root with --noprofile
---
 src/firejail/caps.c | 2 +-
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index ff4d3a9d7..14f981a86 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -250,7 +250,7 @@ void caps_print(void) {
 // drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
- if (getuid() == 0) {
+ if (getuid() == 0 && !arg_noprofile) {
 if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
 else if (arg_debug)
 printf("Drop CAP_DAC_OVERRIDE\n");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8aa80f274..6aa29f896 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -351,6 +351,7 @@ extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
+extern int arg_noprofile; // use default.profile if none other found/specified
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1f714df58..7f3f0f248 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -109,6 +109,7 @@ int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
 int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
+int arg_noprofile = 0; // use default.profile if none other found/specified
 int login_shell = 0;
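Review bot: The added `&& !arg_noprofile` on the `if (getuid() == 0 ...)` line lets a root sandbox keep CAP_DAC_OVERRIDE without saying why, and the one-line comment above caps_drop_dac_override() still promises an unconditional drop for root sandboxes. I would extend that comment to `// drop discretionary access control capabilities for root sandboxes; skipped with --noprofile, presumably because a sandbox without a profile is not meant to be confined` (the rationale is inferred from the commit subject, adjust if it differs) and, because the skipped path prints nothing even under `--debug`, add `else if (arg_debug) printf("Keep CAP_DAC_OVERRIDE (--noprofile)\n");` to the outer `if` so the retained capability shows up in debug output. The pre-existing `if (prctl(PR_CAPBSET_DROP, ...));` also swallows a failed drop silently; an `fprintf(stderr, ...)` warning in that branch would stop a root sandbox from quietly retaining a capability the code intended to remove. The closing brace of caps_drop_dac_override() lies outside the hunk.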
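Review bot: The comment on the new `extern int arg_noprofile;` line, `// use default.profile if none other found/specified`, describes the behaviour when the flag is not set rather than what the flag means, and the same text is repeated on the definition added in the main.c hunk at line 109. It was carried over verbatim from the removed main() local, but as far as the option name and the commit subject indicate, `--noprofile` disables profile loading, so I would write `extern int arg_noprofile; // --noprofile: run without any security profile, not even default.profile` in both places. Now that the variable is global it is also read by caps.c to decide whether a root sandbox keeps CAP_DAC_OVERRIDE, which is worth a mention in that comment so the next reader knows the flag has a capability side effect beyond profile selection.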
@@ -818,7 +819,6 @@ int main(int argc, char **argv) {
 int option_force = 0;
 int custom_profile = 0; // custom profile loaded
 char *custom_profile_dir = NULL; // custom profile directory
- int arg_noprofile = 0; // use default.profile if none other found/specified
 // get starting timestamp
--
cgit v1.2.3-54-g00ecf