bwrap replacement - part 9 - allow-bwrap profile command

netblue30 2025-12-29 13:56:35 -05:00
parent 4124e76b4a
commit 27c5724d33
3 changed files with 10 additions and 0 deletions

@ -1,3 +1,4 @@
allow-bwrap
allow-debuggers
allusers
apparmor

@ -1000,6 +1000,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
if (strcmp(ptr, "allow-bwrap") == 0) {
arg_allow_bwrap = 1;
return 0;
}
if (strncmp(ptr, "protocol ", 9) == 0) {
if (checkcfg(CFG_SECCOMP)) {
const char *add = ptr + 9;
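Review bot: The new `allow-bwrap` branch sets `arg_allow_bwrap = 1` unconditionally, while the `protocol` branch right below it is gated by `checkcfg(CFG_SECCOMP)`. Because this command relaxes a default restriction, consider gating it behind a system-wide configuration check in the same way, so an administrator can refuse it regardless of what a profile asks for. A short comment above the branch saying what the flag changes at sandbox setup would also help, since nothing in this hunk shows where `arg_allow_bwrap` is consumed.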

@ -521,6 +521,10 @@ directory, and a skeleton filesystem is created based on the original /var/log.
.SH Security filters
The following security filters are currently implemented:
.TP
\fBallow-bwrap
Allow bubblewrap sandbox inside Firejail sandbox. By default Firejail replaces
/usr/bin/bwrap executable with a do-nothing program.
.TP
\fBallow-debuggers
Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
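Review bot: The new `allow-bwrap` entry says what the default does ("replaces /usr/bin/bwrap executable with a do-nothing program") but not why, and not what a profile gives up by enabling the command. Please add a sentence on the reason for the default and on when enabling it is appropriate. The text also names only `/usr/bin/bwrap`; if the replacement covers bwrap installed under other paths, say so, and if it does not, document that limit. Minor wording: "Allow the bubblewrap sandbox to run inside the Firejail sandbox" and "the /usr/bin/bwrap executable" read better.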