diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-06-06 10:31:41 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-06-06 10:31:41 -0400 |
| commit | 84ade8f847adfd3e18987ccc840f352aad92c1c2 (patch) | |
| tree | 75945b727e178e6aa5ede48f976b222a1b23ca74 | |
| parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
| download | firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.gz firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.tar.zst firejail-84ade8f847adfd3e18987ccc840f352aad92c1c2.zip | |
testing
| -rw-r--r-- | RELNOTES | 3 | ||||
| -rw-r--r-- | src/firejail/caps.c | 18 | ||||
| -rw-r--r-- | src/firejail/join.c | 2 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
| -rwxr-xr-x | test/apps-x11/chromium.exp | 2 | ||||
| -rwxr-xr-x | test/apps/chromium.exp | 2 |
6 files changed, 16 insertions, 13 deletions
| @@ -4,7 +4,8 @@ firejail (0.9.47) baseline; urgency=low | |||
| 4 | please use ~/Downloads directory for saving files | 4 | please use ~/Downloads directory for saving files |
| 5 | * modifs: AppArmor made optional; a warning is printed on the screen | 5 | * modifs: AppArmor made optional; a warning is printed on the screen |
| 6 | if the sandbox fails to load the AppArmor profile | 6 | if the sandbox fails to load the AppArmor profile |
| 7 | * feature: drop discretionary access control capabilities by default | 7 | * feature: drop discretionary access control capabilities for |
| 8 | root sandboxes | ||
| 8 | * feature: added /etc/firejail/globals.local for global customizations | 9 | * feature: added /etc/firejail/globals.local for global customizations |
| 9 | * feature: profile support in overlayfs mode | 10 | * feature: profile support in overlayfs mode |
| 10 | * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake | 11 | * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 883e8015e..ff4d3a9d7 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
| @@ -248,15 +248,17 @@ void caps_print(void) { | |||
| 248 | } | 248 | } |
| 249 | } | 249 | } |
| 250 | 250 | ||
| 251 | // drop discretionary access control capabilities by default in all sandboxes | 251 | // drop discretionary access control capabilities for root sandboxes |
| 252 | void caps_drop_dac_override(void) { | 252 | void caps_drop_dac_override(void) { |
| 253 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); | 253 | if (getuid() == 0) { |
| 254 | else if (arg_debug) | 254 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); |
| 255 | printf("Drop CAP_DAC_OVERRIDE\n"); | 255 | else if (arg_debug) |
| 256 | 256 | printf("Drop CAP_DAC_OVERRIDE\n"); | |
| 257 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); | 257 | |
| 258 | else if (arg_debug) | 258 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); |
| 259 | printf("Drop CAP_DAC_READ_SEARCH\n"); | 259 | else if (arg_debug) |
| 260 | printf("Drop CAP_DAC_READ_SEARCH\n"); | ||
| 261 | } | ||
| 260 | } | 262 | } |
| 261 | 263 | ||
| 262 | int caps_default_filter(void) { | 264 | int caps_default_filter(void) { |
diff --git a/src/firejail/join.c b/src/firejail/join.c index d7328a91b..4c0537413 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
| @@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 242 | if (child < 0) | 242 | if (child < 0) |
| 243 | errExit("fork"); | 243 | errExit("fork"); |
| 244 | if (child == 0) { | 244 | if (child == 0) { |
| 245 | // drop discretionary access control capabilities by default | 245 | // drop discretionary access control capabilities for root sandboxes |
| 246 | caps_drop_dac_override(); | 246 | caps_drop_dac_override(); |
| 247 | 247 | ||
| 248 | // chroot into /proc/PID/root directory | 248 | // chroot into /proc/PID/root directory |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a32393a2..7489e7b6d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -100,7 +100,7 @@ static void set_caps(void) { | |||
| 100 | else if (arg_caps_default_filter) | 100 | else if (arg_caps_default_filter) |
| 101 | caps_default_filter(); | 101 | caps_default_filter(); |
| 102 | 102 | ||
| 103 | // drop discretionary access control capabilities by default | 103 | // drop discretionary access control capabilities for root sandboxes |
| 104 | caps_drop_dac_override(); | 104 | caps_drop_dac_override(); |
| 105 | } | 105 | } |
| 106 | 106 | ||
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 3ec2bc049..a7eace125 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp | |||
| @@ -71,7 +71,7 @@ expect { | |||
| 71 | } | 71 | } |
| 72 | expect { | 72 | expect { |
| 73 | timeout {puts "TESTING ERROR 6.2\n";exit} | 73 | timeout {puts "TESTING ERROR 6.2\n";exit} |
| 74 | "fffffffff" | 74 | "00240000" |
| 75 | } | 75 | } |
| 76 | expect { | 76 | expect { |
| 77 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 041918d7f..6b784e395 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp | |||
| @@ -72,7 +72,7 @@ expect { | |||
| 72 | } | 72 | } |
| 73 | expect { | 73 | expect { |
| 74 | timeout {puts "TESTING ERROR 6.2\n";exit} | 74 | timeout {puts "TESTING ERROR 6.2\n";exit} |
| 75 | "fffffffff" | 75 | "00240000" |
| 76 | } | 76 | } |
| 77 | expect { | 77 | expect { |
| 78 | timeout {puts "TESTING ERROR 6.3\n";exit} | 78 | timeout {puts "TESTING ERROR 6.3\n";exit} |