Merge branch 'master' of ssh://github.com/netblue30/firejail

author: netblue30 <netblue30@protonmail.com> 2023-07-16 11:24:12 -0400
committer: netblue30 <netblue30@protonmail.com> 2023-07-16 11:24:12 -0400
commit: cb39a0eafd030829c0081e698cb934fd4f09692f (patch)
tree: 755ee6a74cd9fee380c4fd1c6a5cb2a4361c4b66
parent: fnettrace cleanup (diff)
parent: Merge pull request #5900 from kmk3/firecfg-support-doas (diff)
download: firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.tar.gz
firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.tar.zst
firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.zip
15 files changed, 103 insertions, 16 deletions
diff --git a/Makefile b/Makefile
index 53b57a0e1..fdf83beb4 100644
--- a/Makefile
+++ b/Makefile
@@ -362,7 +362,7 @@ scan-build: clean
 .PHONY: codespell
 codespell: clean
-        codespell --ignore-regex "UE|creat|shotcut|ether" src test
+        codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
 .PHONY: print-env
 print-env:
diff --git a/etc/ids.config b/etc/ids.config
index 880ec6ab5..4b75c701c 100644
--- a/etc/ids.config
+++ b/etc/ids.config
@@ -139,6 +139,7 @@ ${HOME}/.local/share/autostart
 /etc/security
 /etc/selinux
 /etc/shadow*
+/etc/sudo*.conf
 /etc/sudoers*
 /etc/tripwire
 ${HOME}/.config/firejail
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 4277100ce..ce4f08958 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -416,6 +416,7 @@ blacklist /tmp/ssh-*
 # top secret
 blacklist /.fscrypt
 blacklist /etc/davfs2/secrets
+blacklist /etc/doas.conf
 blacklist /etc/group+
 blacklist /etc/group-
 blacklist /etc/gshadow
@@ -428,6 +429,8 @@ blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
 blacklist /etc/ssh/*
+blacklist /etc/sudo*.conf
+blacklist /etc/sudoers*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index b4a01638f..f95ddf2fa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -329,6 +329,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Quotient
+blacklist ${HOME}/.config/RSS Guard 4
 blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
@@ -432,6 +433,7 @@ blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
+blacklist ${HOME}/.config/feh
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flameshot
 blacklist ${HOME}/.config/flaska.net
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 45ae345c3..52d970d89 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -7,6 +7,9 @@ include bleachbit.local
 # Persistent global definitions
 include globals.local
+# Necessary for BleachBit to erase Trash contents.
+noblacklist ${HOME}/.local/share/Trash
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 82b3f7645..2efd10ba2 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -7,23 +7,33 @@ include feh.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/feh
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 # Add the next line to your feh.local to enable network access.
 #include feh-network.inc.profile
+apparmor
 caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -31,6 +41,8 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
+tracelog
 private-bin feh,jpegexiforient,jpegtran
 private-cache
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
new file mode 100644
index 000000000..81381c205
--- /dev/null
+++ b/etc/profile-m-z/rssguard.profile
@@ -0,0 +1,58 @@
+# Firejail profile for rssguard
+# Description: Simple (yet powerful) Qt feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rssguard.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/RSS Guard 4
+include allow-nodejs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/RSS Guard 4
+whitelist ${HOME}/.config/RSS Guard 4
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-bin node,rssguard
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 963e05ff3..7ac60f70c 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -108,7 +108,7 @@ static int have_profile(const char *filename, const char *homedir) {
        return rv;
 }
-void fix_desktop_files(char *homedir) {
+void fix_desktop_files(const char *homedir) {
        assert(homedir);
        struct stat sb;
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index dac5794b4..2755968c9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -734,6 +734,7 @@ ripperx
 ristretto
 rocketchat
 rpcs3
+rssguard
 rtorrent
 runenpass.sh
 sayonara
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 825bf8d03..8f74a1198 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -49,6 +49,6 @@ int is_link(const char *fname);
 void sound(void);
 // desktop_files.c
-void fix_desktop_files(char *homedir);
+void fix_desktop_files(const char *homedir);
 #endif
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index da962c35d..4ec81c5b3 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -288,8 +288,11 @@ static void set_links_homedir(const char *homedir) {
        free(firejail_exec);
 }
-static char *get_user(void) {
+static const char *get_sudo_user(void) {
-        char *user = getenv("SUDO_USER");
+        const char *doas_user = getenv("DOAS_USER");
+        const char *sudo_user = getenv("SUDO_USER");
+        const char *user = doas_user ? doas_user : sudo_user;
        if (!user) {
                user = getpwuid(getuid())->pw_name;
                if (!user) {
@@ -301,13 +304,13 @@ static char *get_user(void) {
        return user;
 }
-static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+static const char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
        // find home directory
        struct passwd *pw = getpwnam(user);
        if (!pw)
                goto errexit;
-        char *home = pw->pw_dir;
+        const char *home = pw->pw_dir;
        if (!home)
                goto errexit;
@@ -326,12 +329,11 @@ int main(int argc, char **argv) {
        int bindir_set = 0;
        // user setup
-        char *user = get_user();
+        const char *user = get_sudo_user();
        assert(user);
        uid_t uid;
        gid_t gid;
-        char *home = get_homedir(user, &uid, &gid);
+        const char *home = get_homedir(user, &uid, &gid);
        // check for --bindir
        for (i = 1; i < argc; i++) {
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 27da309ea..6cc5cf904 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -86,7 +86,7 @@ int main(int argc, char **argv) {
        // user setup
        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+                fprintf(stderr, "Error: you need to be root (via sudo or doas) to run this program\n");
                exit(1);
        }
        user_name = get_sudo_user();
@@ -120,6 +120,7 @@ int main(int argc, char **argv) {
        // basic sysfiles
        sysfiles_setup("/etc/shadow");
        sysfiles_setup("/etc/gshadow");
+        sysfiles_setup("/usr/bin/doas");
        sysfiles_setup("/usr/bin/mount");
        sysfiles_setup("/usr/bin/su");
        sysfiles_setup("/usr/bin/ksu");
diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c
index 97fe8833b..930820604 100644
--- a/src/jailcheck/utils.c
+++ b/src/jailcheck/utils.c
@@ -26,7 +26,10 @@
 #define BUFLEN 4096
 char *get_sudo_user(void) {
-        char *user = getenv("SUDO_USER");
+        char *doas_user = getenv("DOAS_USER");
+        char *sudo_user = getenv("SUDO_USER");
+        char *user = doas_user ? doas_user : sudo_user;
        if (!user) {
                user = getpwuid(getuid())->pw_name;
                if (!user) {
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index 42add6a41..a85fbc5da 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -23,7 +23,9 @@ The integration covers:
 - programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE
 desktop managers are supported in this moment
 .RE
+.PP
+Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
+.PP
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
diff --git a/src/man/jailcheck.1.in b/src/man/jailcheck.1.in
index e889ea91b..eea5987b7 100644
--- a/src/man/jailcheck.1.in
+++ b/src/man/jailcheck.1.in
@@ -24,9 +24,8 @@ them from inside the sandbox.
 \fB5. Seccomp test
 .TP
 \fB6. Networking test
-.TP
+.PP
-The program is started as root using sudo.
+The program should be started using \fBsudo\fR or \fBdoas\fR.
 .SH OPTIONS
 .TP
 \fB\-\-debug
author	netblue30 <netblue30@protonmail.com>	2023-07-16 11:24:12 -0400
committer	netblue30 <netblue30@protonmail.com>	2023-07-16 11:24:12 -0400
commit	cb39a0eafd030829c0081e698cb934fd4f09692f (patch)
tree	755ee6a74cd9fee380c4fd1c6a5cb2a4361c4b66
parent	fnettrace cleanup (diff)
parent	Merge pull request #5900 from kmk3/firecfg-support-doas (diff)
download	firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.tar.gz firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.tar.zst firejail-cb39a0eafd030829c0081e698cb934fd4f09692f.zip

diff --git a/Makefile b/Makefile index 53b57a0e1..fdf83beb4 100644 --- a/Makefile +++ b/Makefile
@@ -362,7 +362,7 @@ scan-build: clean
362		362
363	.PHONY: codespell	363	.PHONY: codespell
364	codespell: clean	364	codespell: clean
365	codespell --ignore-regex "UE\|creat\|shotcut\|ether" src test	365	codespell --ignore-regex "UE\|creat\|doas\|shotcut\|ether" src test
366		366
367	.PHONY: print-env	367	.PHONY: print-env
368	print-env:	368	print-env:


diff --git a/etc/ids.config b/etc/ids.config index 880ec6ab5..4b75c701c 100644 --- a/etc/ids.config +++ b/etc/ids.config
@@ -139,6 +139,7 @@ ${HOME}/.local/share/autostart
139	/etc/security	139	/etc/security
140	/etc/selinux	140	/etc/selinux
141	/etc/shadow*	141	/etc/shadow*
		142	/etc/sudo*.conf
142	/etc/sudoers*	143	/etc/sudoers*
143	/etc/tripwire	144	/etc/tripwire
144	${HOME}/.config/firejail	145	${HOME}/.config/firejail


diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 4277100ce..ce4f08958 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc
@@ -416,6 +416,7 @@ blacklist /tmp/ssh-*
416	# top secret	416	# top secret
417	blacklist /.fscrypt	417	blacklist /.fscrypt
418	blacklist /etc/davfs2/secrets	418	blacklist /etc/davfs2/secrets
		419	blacklist /etc/doas.conf
419	blacklist /etc/group+	420	blacklist /etc/group+
420	blacklist /etc/group-	421	blacklist /etc/group-
421	blacklist /etc/gshadow	422	blacklist /etc/gshadow
@@ -428,6 +429,8 @@ blacklist /etc/shadow+
428	blacklist /etc/shadow-	429	blacklist /etc/shadow-
429	blacklist /etc/ssh	430	blacklist /etc/ssh
430	blacklist /etc/ssh/*	431	blacklist /etc/ssh/*
		432	blacklist /etc/sudo*.conf
		433	blacklist /etc/sudoers*
431	blacklist /home/.ecryptfs	434	blacklist /home/.ecryptfs
432	blacklist /home/.fscrypt	435	blacklist /home/.fscrypt
433	blacklist ${HOME}/*.kdb	436	blacklist ${HOME}/*.kdb


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index b4a01638f..f95ddf2fa 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -329,6 +329,7 @@ blacklist ${HOME}/.config/Qlipper
329	blacklist ${HOME}/.config/QuiteRss	329	blacklist ${HOME}/.config/QuiteRss
330	blacklist ${HOME}/.config/QuiteRssrc	330	blacklist ${HOME}/.config/QuiteRssrc
331	blacklist ${HOME}/.config/Quotient	331	blacklist ${HOME}/.config/Quotient
		332	blacklist ${HOME}/.config/RSS Guard 4
332	blacklist ${HOME}/.config/Rambox	333	blacklist ${HOME}/.config/Rambox
333	blacklist ${HOME}/.config/Riot	334	blacklist ${HOME}/.config/Riot
334	blacklist ${HOME}/.config/Rocket.Chat	335	blacklist ${HOME}/.config/Rocket.Chat
@@ -432,6 +433,7 @@ blacklist ${HOME}/.config/equalx
432	blacklist ${HOME}/.config/evince	433	blacklist ${HOME}/.config/evince
433	blacklist ${HOME}/.config/evolution	434	blacklist ${HOME}/.config/evolution
434	blacklist ${HOME}/.config/falkon	435	blacklist ${HOME}/.config/falkon
		436	blacklist ${HOME}/.config/feh
435	blacklist ${HOME}/.config/filezilla	437	blacklist ${HOME}/.config/filezilla
436	blacklist ${HOME}/.config/flameshot	438	blacklist ${HOME}/.config/flameshot
437	blacklist ${HOME}/.config/flaska.net	439	blacklist ${HOME}/.config/flaska.net


diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile index 45ae345c3..52d970d89 100644 --- a/etc/profile-a-l/bleachbit.profile +++ b/etc/profile-a-l/bleachbit.profile
@@ -7,6 +7,9 @@ include bleachbit.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	# Necessary for BleachBit to erase Trash contents.
		11	noblacklist ${HOME}/.local/share/Trash
		12
10	# Allow python (blacklisted by disable-interpreters.inc)	13	# Allow python (blacklisted by disable-interpreters.inc)
11	include allow-python2.inc	14	include allow-python2.inc
12	include allow-python3.inc	15	include allow-python3.inc


diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 82b3f7645..2efd10ba2 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile
@@ -7,23 +7,33 @@ include feh.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
		10	noblacklist ${HOME}/.config/feh
		11
10	include disable-common.inc	12	include disable-common.inc
11	include disable-devel.inc	13	include disable-devel.inc
12	include disable-exec.inc	14	include disable-exec.inc
13	include disable-interpreters.inc	15	include disable-interpreters.inc
		16	include disable-proc.inc
14	include disable-programs.inc	17	include disable-programs.inc
15	include disable-shell.inc	18	include disable-shell.inc
16		19
		20	include whitelist-run-common.inc
		21	include whitelist-runuser-common.inc
		22
17	# Add the next line to your feh.local to enable network access.	23	# Add the next line to your feh.local to enable network access.
18	#include feh-network.inc.profile	24	#include feh-network.inc.profile
19		25
		26	apparmor
20	caps.drop all	27	caps.drop all
		28	ipc-namespace
		29	machine-id
21	net none	30	net none
22	no3d	31	no3d
23	nodvd	32	nodvd
24	nogroups	33	nogroups
25	noinput	34	noinput
26	nonewprivs	35	nonewprivs
		36	noprinters
27	noroot	37	noroot
28	nosound	38	nosound
29	notv	39	notv
@@ -31,6 +41,8 @@ nou2f
31	novideo	41	novideo
32	protocol unix	42	protocol unix
33	seccomp	43	seccomp
		44	seccomp.block-secondary
		45	tracelog
34		46
35	private-bin feh,jpegexiforient,jpegtran	47	private-bin feh,jpegexiforient,jpegtran
36	private-cache	48	private-cache


diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile new file mode 100644 index 000000000..81381c205 --- /dev/null +++ b/etc/profile-m-z/rssguard.profile
@@ -0,0 +1,58 @@
		1	# Firejail profile for rssguard
		2	# Description: Simple (yet powerful) Qt feed reader
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include rssguard.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/RSS Guard 4
		10
		11	include allow-nodejs.inc
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-exec.inc
		16	include disable-interpreters.inc
		17	include disable-proc.inc
		18	include disable-programs.inc
		19	include disable-shell.inc
		20	include disable-xdg.inc
		21
		22	mkdir ${HOME}/.config/RSS Guard 4
		23	whitelist ${HOME}/.config/RSS Guard 4
		24	whitelist ${DOWNLOADS}
		25	include whitelist-common.inc
		26	include whitelist-run-common.inc
		27	include whitelist-runuser-common.inc
		28	include whitelist-usr-share-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	netfilter
		34	# no3d
		35	nodvd
		36	nogroups
		37	noinput
		38	nonewprivs
		39	noroot
		40	# nosound
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6,netlink
		45	seccomp
		46	seccomp.block-secondary
		47	tracelog
		48
		49	disable-mnt
		50	private-bin node,rssguard
		51	private-dev
		52	private-etc @network,@sound,@tls-ca,@x11,mime.types
		53	private-tmp
		54
		55	dbus-user none
		56	dbus-system none
		57
		58	restrict-namespaces


diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 963e05ff3..7ac60f70c 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c
@@ -108,7 +108,7 @@ static int have_profile(const char filename, const char homedir) {
108	return rv;	108	return rv;
109	}	109	}
110		110
111	void fix_desktop_files(char *homedir) {	111	void fix_desktop_files(const char *homedir) {
112	assert(homedir);	112	assert(homedir);
113	struct stat sb;	113	struct stat sb;
114		114


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index dac5794b4..2755968c9 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -734,6 +734,7 @@ ripperx
734	ristretto	734	ristretto
735	rocketchat	735	rocketchat
736	rpcs3	736	rpcs3
		737	rssguard
737	rtorrent	738	rtorrent
738	runenpass.sh	739	runenpass.sh
739	sayonara	740	sayonara


diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index 825bf8d03..8f74a1198 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h
@@ -49,6 +49,6 @@ int is_link(const char *fname);
49	void sound(void);	49	void sound(void);
50		50
51	// desktop_files.c	51	// desktop_files.c
52	void fix_desktop_files(char *homedir);	52	void fix_desktop_files(const char *homedir);
53		53
54	#endif	54	#endif


diff --git a/src/firecfg/main.c b/src/firecfg/main.c index da962c35d..4ec81c5b3 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c
@@ -288,8 +288,11 @@ static void set_links_homedir(const char *homedir) {
288	free(firejail_exec);	288	free(firejail_exec);
289	}	289	}
290		290
291	static char *get_user(void) {	291	static const char *get_sudo_user(void) {
292	char *user = getenv("SUDO_USER");	292	const char *doas_user = getenv("DOAS_USER");
		293	const char *sudo_user = getenv("SUDO_USER");
		294	const char *user = doas_user ? doas_user : sudo_user;
		295
293	if (!user) {	296	if (!user) {
294	user = getpwuid(getuid())->pw_name;	297	user = getpwuid(getuid())->pw_name;
295	if (!user) {	298	if (!user) {
@@ -301,13 +304,13 @@ static char *get_user(void) {
301	return user;	304	return user;
302	}	305	}
303		306
304	static char get_homedir(const char user, uid_t uid, gid_t gid) {	307	static const char get_homedir(const char user, uid_t uid, gid_t gid) {
305	// find home directory	308	// find home directory
306	struct passwd *pw = getpwnam(user);	309	struct passwd *pw = getpwnam(user);
307	if (!pw)	310	if (!pw)
308	goto errexit;	311	goto errexit;
309		312
310	char *home = pw->pw_dir;	313	const char *home = pw->pw_dir;
311	if (!home)	314	if (!home)
312	goto errexit;	315	goto errexit;
313		316
@@ -326,12 +329,11 @@ int main(int argc, char **argv) {
326	int bindir_set = 0;	329	int bindir_set = 0;
327		330
328	// user setup	331	// user setup
329	char *user = get_user();	332	const char *user = get_sudo_user();
330	assert(user);	333	assert(user);
331	uid_t uid;	334	uid_t uid;
332	gid_t gid;	335	gid_t gid;
333	char *home = get_homedir(user, &uid, &gid);	336	const char *home = get_homedir(user, &uid, &gid);
334
335		337
336	// check for --bindir	338	// check for --bindir
337	for (i = 1; i < argc; i++) {	339	for (i = 1; i < argc; i++) {


diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c index 27da309ea..6cc5cf904 100644 --- a/src/jailcheck/main.c +++ b/src/jailcheck/main.c
@@ -86,7 +86,7 @@ int main(int argc, char **argv) {
86		86
87	// user setup	87	// user setup
88	if (getuid() != 0) {	88	if (getuid() != 0) {
89	fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");	89	fprintf(stderr, "Error: you need to be root (via sudo or doas) to run this program\n");
90	exit(1);	90	exit(1);
91	}	91	}
92	user_name = get_sudo_user();	92	user_name = get_sudo_user();
@@ -120,6 +120,7 @@ int main(int argc, char **argv) {
120	// basic sysfiles	120	// basic sysfiles
121	sysfiles_setup("/etc/shadow");	121	sysfiles_setup("/etc/shadow");
122	sysfiles_setup("/etc/gshadow");	122	sysfiles_setup("/etc/gshadow");
		123	sysfiles_setup("/usr/bin/doas");
123	sysfiles_setup("/usr/bin/mount");	124	sysfiles_setup("/usr/bin/mount");
124	sysfiles_setup("/usr/bin/su");	125	sysfiles_setup("/usr/bin/su");
125	sysfiles_setup("/usr/bin/ksu");	126	sysfiles_setup("/usr/bin/ksu");


diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c index 97fe8833b..930820604 100644 --- a/src/jailcheck/utils.c +++ b/src/jailcheck/utils.c
@@ -26,7 +26,10 @@
26	#define BUFLEN 4096	26	#define BUFLEN 4096
27		27
28	char *get_sudo_user(void) {	28	char *get_sudo_user(void) {
29	char *user = getenv("SUDO_USER");	29	char *doas_user = getenv("DOAS_USER");
		30	char *sudo_user = getenv("SUDO_USER");
		31	char *user = doas_user ? doas_user : sudo_user;
		32
30	if (!user) {	33	if (!user) {
31	user = getpwuid(getuid())->pw_name;	34	user = getpwuid(getuid())->pw_name;
32	if (!user) {	35	if (!user) {


diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index 42add6a41..a85fbc5da 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in
@@ -23,7 +23,9 @@ The integration covers:
23	- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE	23	- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE
24	desktop managers are supported in this moment	24	desktop managers are supported in this moment
25	.RE	25	.RE
26		26	.PP
		27	Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
		28	.PP
27	To set it up, run "sudo firecfg" after installing Firejail software.	29	To set it up, run "sudo firecfg" after installing Firejail software.
28	The same command should also be run after	30	The same command should also be run after
29	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin	31	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin


diff --git a/src/man/jailcheck.1.in b/src/man/jailcheck.1.in index e889ea91b..eea5987b7 100644 --- a/src/man/jailcheck.1.in +++ b/src/man/jailcheck.1.in
@@ -24,9 +24,8 @@ them from inside the sandbox.
24	\fB5. Seccomp test	24	\fB5. Seccomp test
25	.TP	25	.TP
26	\fB6. Networking test	26	\fB6. Networking test
27	.TP	27	.PP
28	The program is started as root using sudo.	28	The program should be started using \fBsudo\fR or \fBdoas\fR.
29
30	.SH OPTIONS	29	.SH OPTIONS
31	.TP	30	.TP
32	\fB\-\-debug	31	\fB\-\-debug