Merge branch 'master' of http://github.com/netblue30/firejail

netblue30 · Sep 9, 2018 · efa8fb6 · efa8fb6
2 parents 419d876 + fe226a2
commit efa8fb6
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -522,6 +522,7 @@ void start_application(int no_sandbox, FILE *fp) {
 static void enforce_filters(void) {
 	// force default seccomp inside the chroot, no keep or drop list
 	// the list build on top of the default drop list is kept intact
+	arg_nonewprivs = 1;
 	arg_seccomp = 1;
 #ifdef HAVE_SECCOMP
 	enforce_seccomp = 1;
@@ -1008,9 +1009,6 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
-	// set rlimits
-	set_rlimits();
-
 	// set nice
 	if (arg_nice) {
 		errno = 0;
@@ -1128,9 +1126,9 @@ int sandbox(void* sandbox_arg) {
 	// Set NO_NEW_PRIVS if desired
 	//****************************************
 	if (arg_nonewprivs) {
-		int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+		prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-		if(no_new_privs != 0 && !arg_quiet)
+		if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
 			fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
 		else if (arg_debug)
 			printf("NO_NEW_PRIVS set\n");
@@ -1145,6 +1143,9 @@ int sandbox(void* sandbox_arg) {
 		errExit("fork");
 
 	if (app_pid == 0) {
+		// set rlimits
+		set_rlimits();
+
 #ifdef HAVE_APPARMOR
 		if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 			errno = 0;