github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

bugfix: do sandbox check before checkcfg()

Browse source 
The check for an existing sandbox (and running `run_no_sandbox()` if
applicable) must be done before calling `checkcfg()`, since if
`private-etc` is already in effect, running firejail again will abort at
`checkcfg()`, as /etc/firejail/firejail.config will not be accessible
(see #6966).

This is a follow-up to #6969.

Relates to #2877 #6878 #6951 #6966.

Kind of relates to #6592.
This commit is contained in:
Kelvin M. Klann 2025-11-22 02:45:26 -03:00
parent 7cd56fa47d
commit 768b2a2e64
1 changed files with 30 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

54
src/firejail/main.c
View file

@ -1092,6 +1092,36 @@ int main(int argc, char **argv, char **envp) {
arg_quiet = 0; arg_quiet = 0;
} }
// Note: The check for an existing sandbox (and running
// `run_no_sandbox()` if applicable) must be done before calling
// `checkcfg()`, since if `private-etc` is already in effect, running
// firejail again will abort at `checkcfg()`, as
// /etc/firejail/firejail.config will not be accessible (see #6966).
//
// check if we already have a sandbox running
// If LXC is detected, start firejail sandbox
// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
// - start the application in a /bin/bash shell
#ifdef HAVE_SANDBOX_CHECK
if (check_namespace_virt() == 0) {
EUID_ROOT();
int rv = check_kernel_procs();
EUID_USER();
if (rv == 0) {
if (check_arg(argc, argv, "--version", 1)) {
print_version_full();
exit(0);
}
// start the program directly without sandboxing
run_no_sandbox(argc, argv);
__builtin_unreachable();
}
}
#else
fwarning("firejail was built with --disable-sandbox-check, this is only intended for development\n");
#endif
// initialize values from firejail.config (needed for arg/env checks) // initialize values from firejail.config (needed for arg/env checks)
checkcfg(0); checkcfg(0);
@ -1134,30 +1164,6 @@ int main(int argc, char **argv, char **envp) {
if (*argv[0] != '-') if (*argv[0] != '-')
run_symlink(argc, argv, 0); // if symlink detected, this function will not return run_symlink(argc, argv, 0); // if symlink detected, this function will not return
// check if we already have a sandbox running
// If LXC is detected, start firejail sandbox
// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
// - start the application in a /bin/bash shell
#ifdef HAVE_SANDBOX_CHECK
if (check_namespace_virt() == 0) {
EUID_ROOT();
int rv = check_kernel_procs();
EUID_USER();
if (rv == 0) {
if (check_arg(argc, argv, "--version", 1)) {
print_version_full();
exit(0);
}
// start the program directly without sandboxing
run_no_sandbox(argc, argv);
__builtin_unreachable();
}
}
#else
fwarning("firejail was built with --disable-sandbox-check, this is only intended for development\n");
#endif
// profile builder // profile builder
if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
run_builder(argc, argv); // this function will not return run_builder(argc, argv); // this function will not return