following up 493a0ef

netblue30 · Jan 18, 2022 · c4e7912 · c4e7912
1 parent 397a908
commit c4e7912
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
@@ -78,11 +78,6 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 
  umask(027);
 
- // https://seclists.org/oss-sec/2021/q4/43
- struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
- if (setrlimit(RLIMIT_CORE, &tozero))
- errExit("setrlimit");
-
  // apply filters
  if (filtermask & SBOX_CAPS_NONE) {
  caps_drop_all();
@@ -209,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
  if (filtermask & SBOX_USER)
  drop_privs(1);
  else if (filtermask & SBOX_ROOT) {
+ // https://seclists.org/oss-sec/2021/q4/43
+ struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+ if (setrlimit(RLIMIT_CORE, &tozero))
+ errExit("setrlimit");
+
  // elevate privileges in order to get grsecurity working
  if (setreuid(0, 0))
  errExit("setreuid");
@@ -295,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
  if (waitpid(child, &status, 0) == -1 ) {
  errExit("waitpid");
  }
- if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+ if (WIFSIGNALED(status) ||
+ (WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
  fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
  exit(1);
  }