From a8c23c28ec9b1c3753896f8e08e7fee8b8bbb366 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 2 Mar 2016 06:36:33 -0500
Subject: added ipc-namespace profile command

---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 7 +++++--
 src/firejail/profile.c | 4 ++++
 src/man/firejail-profile.txt | 4 +++-
 4 files changed, 13 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1fcb92fea..3097a7a0e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -241,6 +241,7 @@ extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
+extern int arg_ipc; // enable ipc namespace
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c0050be1f..05745a3f1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -95,6 +95,7 @@ int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
+int arg_ipc = 0; // enable ipc namespace
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -551,7 +552,6 @@ int main(int argc, char **argv) {
 int i;
 int prog_index = -1; // index in argv where the program command starts
 int lockfd = -1;
- int arg_ipc = 0;
 int arg_cgroup = 0;
 int custom_profile = 0; // custom profile loaded
 char *custom_profile_dir = NULL; // custom profile directory
@@ -1619,8 +1619,11 @@ int main(int argc, char **argv) {
 // in root mode also enable CLONE_NEWIPC
 // in user mode CLONE_NEWIPC will break MIT Shared Memory Extension (MIT-SHM)
- if (getuid() == 0 || arg_ipc)
+ if (getuid() == 0 || arg_ipc) {
 flags |= CLONE_NEWIPC;
+ if (arg_debug)
+ printf("Enabling IPC namespace\n");
+ }
 
 if (any_bridge_configured() || any_interface_configured() || arg_nonetwork) {
 flags |= CLONE_NEWNET;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8771a7fa8..28df9f03e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -116,6 +116,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 return 0;
 }
+ else if (strcmp(ptr, "ipc-namespace") == 0) {
+ arg_ipc = 1;
+ return 0;
+ }
 // seccomp, caps, private, user namespace
 else if (strcmp(ptr, "noroot") == 0) {
 #if HAVE_USERNS
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b46958bd4..8897efc09 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -283,7 +283,9 @@ Disable supplementary user groups
 .TP
 \fBshell none
 Run the program directly, without a shell.
-
+.TP
+\fBipc-namespace
+Enable IPC namespace.
 .SH Networking
 Networking features available in profile files.
 
-- 
cgit v1.2.3-54-g00ecf
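Review bot: The two comment lines above the new braces still only explain the root-mode default and the MIT-SHM breakage in user mode, yet after this commit arg_ipc is a file-scope flag that the `ipc-namespace` profile command in profile.c can set, so that caveat now applies to profile authors and nothing at this site says which path enabled the namespace (until this commit arg_ipc was a local of main(), removed in the @@ -551 hunk, so presumably only the option parsing there could set it). Suggest adding `// arg_ipc is also set by the "ipc-namespace" profile command (profile.c); the MIT-SHM caveat applies there too` to the comment, and making the debug output name the path, e.g. `printf("Enabling IPC namespace (%s)\n", getuid() == 0 ? "root mode default" : "requested by option or profile");`, so a user debugging a broken X shared-memory client can see that the profile, not privilege, turned it on. The enclosing main() starts and ends outside the hunk.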
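Review bot: The new `ipc-namespace` branch sets arg_ipc with no comment, while the group that follows it is introduced by `// seccomp, caps, private, user namespace`, and the flag it writes was a main() local until this commit, so a reader of profile.c has no pointer to where or why the value matters. Suggest `// ipc-namespace: request CLONE_NEWIPC even for an unprivileged sandbox; see the MIT-SHM note in main.c` above the `else if`, so a profile maintainer finds the user-mode caveat from here. Since an IPC namespace only adds isolation, accepting the keyword from a profile needs no further validation beyond the exact strcmp already used. profile_check_line's body starts and continues outside the hunk.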