diff options
author | netblue30 <netblue30@yahoo.com> | 2016-10-27 10:54:34 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-10-27 10:54:34 -0400 |
commit | 096333704e0c3d6b7cf23fe6f4e34e99fdc9770f (patch) | |
tree | e21337713211357ea7867c25524833b92eada03d | |
parent | security: overwrite /etc/resolv.conf (diff) | |
download | firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.gz firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.tar.zst firejail-096333704e0c3d6b7cf23fe6f4e34e99fdc9770f.zip |
remove tmpfs from /dev/shm for root user
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 12 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 2 |
3 files changed, 9 insertions, 6 deletions
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.45) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | 2 | * development version, work in progress |
3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | 3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter |
4 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
4 | * feature: split most of networking code in a separate executable | 5 | * feature: split most of networking code in a separate executable |
5 | * new profiles: xiphos, Tor Browser Bundle | 6 | * new profiles: xiphos, Tor Browser Bundle |
6 | * bugfixes | 7 | * bugfixes |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6c566bd90..572b08205 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -754,8 +754,8 @@ void fs_basic_fs(void) { | |||
754 | fs_rdonly("/usr"); | 754 | fs_rdonly("/usr"); |
755 | 755 | ||
756 | // update /var directory in order to support multiple sandboxes running on the same root directory | 756 | // update /var directory in order to support multiple sandboxes running on the same root directory |
757 | if (!arg_private_dev) | 757 | // if (!arg_private_dev) |
758 | fs_dev_shm(); | 758 | // fs_dev_shm(); |
759 | fs_var_lock(); | 759 | fs_var_lock(); |
760 | fs_var_tmp(); | 760 | fs_var_tmp(); |
761 | fs_var_log(); | 761 | fs_var_log(); |
@@ -1061,8 +1061,8 @@ void fs_overlayfs(void) { | |||
1061 | errExit("chroot"); | 1061 | errExit("chroot"); |
1062 | 1062 | ||
1063 | // update /var directory in order to support multiple sandboxes running on the same root directory | 1063 | // update /var directory in order to support multiple sandboxes running on the same root directory |
1064 | if (!arg_private_dev) | 1064 | // if (!arg_private_dev) |
1065 | fs_dev_shm(); | 1065 | // fs_dev_shm(); |
1066 | fs_var_lock(); | 1066 | fs_var_lock(); |
1067 | fs_var_tmp(); | 1067 | fs_var_tmp(); |
1068 | fs_var_log(); | 1068 | fs_var_log(); |
@@ -1233,8 +1233,8 @@ void fs_chroot(const char *rootdir) { | |||
1233 | 1233 | ||
1234 | if (checkcfg(CFG_CHROOT_DESKTOP)) { | 1234 | if (checkcfg(CFG_CHROOT_DESKTOP)) { |
1235 | // update /var directory in order to support multiple sandboxes running on the same root directory | 1235 | // update /var directory in order to support multiple sandboxes running on the same root directory |
1236 | if (!arg_private_dev) | 1236 | // if (!arg_private_dev) |
1237 | fs_dev_shm(); | 1237 | // fs_dev_shm(); |
1238 | fs_var_lock(); | 1238 | fs_var_lock(); |
1239 | fs_var_tmp(); | 1239 | fs_var_tmp(); |
1240 | fs_var_log(); | 1240 | fs_var_log(); |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index aa5f7c28b..0186c6f82 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -244,6 +244,7 @@ void fs_private_dev(void){ | |||
244 | } | 244 | } |
245 | 245 | ||
246 | 246 | ||
247 | #if 0 | ||
247 | void fs_dev_shm(void) { | 248 | void fs_dev_shm(void) { |
248 | uid_t uid = getuid(); // set a new shm only if we started as root | 249 | uid_t uid = getuid(); // set a new shm only if we started as root |
249 | if (uid) | 250 | if (uid) |
@@ -282,6 +283,7 @@ void fs_dev_shm(void) { | |||
282 | 283 | ||
283 | } | 284 | } |
284 | } | 285 | } |
286 | #endif | ||
285 | 287 | ||
286 | static void disable_file_or_dir(const char *fname) { | 288 | static void disable_file_or_dir(const char *fname) { |
287 | if (arg_debug) | 289 | if (arg_debug) |