$splitCommand = explode( ' ', $command, 2 );
$this->logger->debug(
"firejail: Command {$splitCommand[0]} {params} has no restrictions",
$splitCommand = explode( ' ', $command, 2 );
$this->logger->debug(
"firejail: Command {$splitCommand[0]} {params} has no restrictions",
// Normally firejail will run commands in a bash shell,
// but that won't work if we ban the execve syscall, so
// run the command without a shell.
$cmd[] = '--shell=none';
}
// Normally firejail will run commands in a bash shell,
// but that won't work if we ban the execve syscall, so
// run the command without a shell.
$cmd[] = '--shell=none';
}
- if ( $seccomp ) {
- $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+ if ( $useSeccomp ) {
+ $seccomp = '--seccomp';
+ if ( $extraSeccomp ) {
+ // The "@default" seccomp group will always be enabled
+ $seccomp .= '=' . implode( ',', $extraSeccomp );
+ }
+ $cmd[] = $seccomp;