author | netblue30 <netblue30@protonmail.com> | 2022-06-20 08:18:13 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-06-20 08:18:13 -0400 |
commit | 4b4d752158e2a7164765c6c7247ef8b4d6014689 (patch) | |
tree | 18fa1b4e32564376b6502a1cc7b1caed27bbdc54 | |
parent | reverting previous seccomp log fix (#5207) (diff) | |
deprecating --shell (#5196)
-rw-r--r-- | src/firejail/env.c | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 21 | ||||
-rw-r--r-- | src/firejail/join.c | 18 | ||||
-rw-r--r-- | src/firejail/main.c | 88 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 14 | ||||
-rw-r--r-- | src/firejail/profile.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 18 |
9 files changed, 40 insertions, 133 deletions
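--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -118,10 +118,7 @@ void env_defaults(void) {
 // env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV);
 // env_store_name_val("MOZ_NO_REMOTE, "1", SETENV);
 env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc,
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-if (cfg.shell)
-env_store_name_val("SHELL", cfg.shell, SETENV);
+env_store_name_val("SHELL", cfg.usershell, SETENV);
 
 // spawn KIO slaves inside the sandbox
 env_store_name_val("KDE_FORK_SLAVES", "1", SETENV);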
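--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -217,7 +217,6 @@ typedef struct config_t {
 char *command_line;
 char *window_title;
 char *command_name;
-char *shell;
 char **original_argv;
 int original_argc;
 int original_program_index;
@@ -310,7 +309,6 @@ extern char *arg_netfilter_file; // netfilter file
 extern char *arg_netfilter6_file; // netfilter file
 extern char *arg_netns; // "ip netns"-created network namespace to use
 extern int arg_doubledash; // double dash
-extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
 extern int arg_keep_dev_shm; // preserve /dev/shm
 extern int arg_private_etc; // private etc directory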
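--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -62,7 +62,7 @@ static void skel(const char *homedir) {
 disable_tab_completion(homedir);
 
 // zsh
-if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
+if (strcmp(cfg.usershell,"/usr/bin/zsh") == 0 || strcmp(cfg.usershell,"/bin/zsh") == 0) {
 // copy skel files
 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
 errExit("asprintf");
@@ -86,7 +86,7 @@ static void skel(const char *homedir) {
 free(fname);
 }
 // csh
-else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
+else if (strcmp(cfg.usershell,"/bin/csh") == 0) {
 // copy skel files
 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
 errExit("asprintf");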
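--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -392,8 +392,7 @@ void fs_private_lib(void) {
 char *private_list = cfg.lib_private_keep;
 if (arg_debug || arg_debug_private_lib)
 printf("Starting private-lib processing: program %s, shell %s\n",
-(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
-(arg_shell_none)? "none": cfg.shell);
+(cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none", cfg.usershell);
 
 // create /run/firejail/mnt/lib directory
 mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
@@ -430,15 +429,15 @@ void fs_private_lib(void) {
 }
 }
 
-// for the shell
-if (!arg_shell_none) {
-if (arg_debug || arg_debug_private_lib)
-printf("Installing shell libraries\n");
-
-fslib_install_list(cfg.shell);
-// a shell is useless without some basic commands
-fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
-}
+// Note: this might be used for appimages!!!
+// if (!arg_shell_none) {
+// if (arg_debug || arg_debug_private_lib)
+// printf("Installing shell libraries\n");
+//
+// fslib_install_list(cfg.shell);
+// // a shell is useless without some basic commands
+// fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
+// }
 
 // for the listed libs and directories
 if (private_list && *private_list != '\0') {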
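Review bot: The second hunk disables the shell-library block by commenting it out, yet sandbox.c in this same commit still starts appimages through `cfg.usershell`, so an appimage run with private-lib may end up with neither the shell's libraries nor `/bin/ls,/bin/cat,/bin/mv,/bin/rm` installed. The commented code also names `arg_shell_none` and `cfg.shell`, both deleted by this commit, so it cannot simply be uncommented later. Assuming `arg_appimage` is visible in this file, keeping the block live as `if (arg_appimage) {` with `fslib_install_list(cfg.usershell);` would match what the new comment hints at; otherwise delete the block and track the appimage case separately. fs_private_lib() continues outside both hunks.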
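--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -113,14 +113,13 @@ static void extract_command(int argc, char **argv, int index) {
 
 static int open_shell(void) {
 EUID_ASSERT();
-assert(cfg.shell);
 
 if (arg_debug)
-printf("Opening shell %s\n", cfg.shell);
+printf("Opening shell %s\n", cfg.usershell);
 // file descriptor will leak if not opened with O_CLOEXEC !!
-int fd = open(cfg.shell, O_PATH|O_CLOEXEC);
+int fd = open(cfg.usershell, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
+fprintf(stderr, "Error: cannot open shell %s\n", cfg.usershell);
 exit(1);
 }
 
@@ -411,8 +410,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 extract_x11_display(pid);
 
 int shfd = -1;
-if (!arg_shell_none)
-shfd = open_shell();
+// Note: this might be used by joining appimages!!!!
+// if (!arg_shell_none)
+// shfd = open_shell();
 
 // in user mode set caps seccomp, cpu etc.
 if (getuid() != 0) {
@@ -516,10 +516,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
 #endif
 
 extract_command(argc, argv, index);
-if (cfg.command_line == NULL) {
-assert(cfg.shell);
-cfg.window_title = cfg.shell;
-}
+if (cfg.command_line == NULL)
+cfg.window_title = cfg.usershell;
 else if (arg_debug)
 printf("Extracted command #%s#\n", cfg.command_line);
 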
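Review bot: In the second hunk `shfd` is initialised to -1 and its only visible assignment is now commented out, so any later use of the descriptor in join() (outside the hunk) always receives -1. The static `open_shell()` edited in the first hunk is also left without a visible caller, which would normally produce an unused-function warning. If joining an appimage sandbox still needs the shell descriptor, as the new comment suggests, make that explicit with `if (arg_appimage)` followed by `shfd = open_shell();`. Otherwise remove `open_shell()` and `shfd` instead of keeping commented-out code that refers to the deleted `arg_shell_none`.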
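--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,7 +105,6 @@ char *arg_netfilter_file = NULL; // netfilter file
 char *arg_netfilter6_file = NULL; // netfilter6 file
 char *arg_netns = NULL; // "ip netns"-created network namespace to use
 int arg_doubledash = 0; // double dash
-int arg_shell_none = 1; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
 int arg_keep_dev_shm = 0; // preserve /dev/shm
 int arg_private_etc = 0; // private etc directory
@@ -799,8 +798,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 if (argc <= (i+1))
 just_run_the_shell = 1;
 cfg.original_program_index = i + 1;
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
 
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 7);
@@ -821,10 +818,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 just_run_the_shell = 1;
 cfg.original_program_index = i + 1;
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
-printf("***** %d\n", just_run_the_shell);
 // try to join by name only
 pid_t pid;
 if (!read_pid(argv[i] + 16, &pid)) {
@@ -847,9 +840,6 @@ printf("***** %d\n", just_run_the_shell);
 exit(1);
 }
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 15);
 join(pid, argc, argv, i + 1);
@@ -867,9 +857,6 @@ printf("***** %d\n", just_run_the_shell);
 exit(1);
 }
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 18);
 join(pid, argc, argv, i + 1);
@@ -2685,45 +2672,9 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--oom=", 6) == 0) {
 // already handled
 }
-else if (strcmp(argv[i], "--shell=none") == 0) {
-fprintf(stderr, "Warning: --shell=none is done by default; the command will be deprecated\n");
-if (cfg.shell) {
-fprintf(stderr, "Error: a shell was already specified\n");
-return 1;
-}
-}
 else if (strncmp(argv[i], "--shell=", 8) == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-invalid_filename(argv[i] + 8, 0); // no globbing
-
-if (cfg.shell) {
-fprintf(stderr, "Error: only one user shell can be specified\n");
-return 1;
-}
-cfg.shell = argv[i] + 8;
-
-if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
-fprintf(stderr, "Error: invalid shell\n");
-exit(1);
-}
-
-// access call checks as real UID/GID, not as effective UID/GID
-if(cfg.chrootdir) {
-char *shellpath;
-if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
-errExit("asprintf");
-if (access(shellpath, X_OK)) {
-fprintf(stderr, "Error: cannot access shell file in chroot\n");
-exit(1);
-}
-free(shellpath);
-} else if (access(cfg.shell, X_OK)) {
-fprintf(stderr, "Error: cannot access shell file\n");
-exit(1);
-}
+fprintf(stderr, "Warning: --shell feature has been deprecated\n");
+exit(1);
 }
 else if (strcmp(argv[i], "-c") == 0) {
 arg_command = 1;
@@ -2785,9 +2736,6 @@ int main(int argc, char **argv, char **envp) {
 cfg.command_name = strdup(argv[i]);
 if (!cfg.command_name)
 errExit("strdup");
-
-// disable shell=* for appimages
-arg_shell_none = 0;
 }
 else
 extract_command_name(i, argv);
@@ -2814,12 +2762,6 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 
-// prog_index could still be -1 if no program was specified
-if (prog_index == -1 && arg_shell_none) {
-just_run_the_shell = 1;
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-}
 
 // check trace configuration
 if (arg_trace && arg_tracelog) {
@@ -2863,27 +2805,18 @@ int main(int argc, char **argv, char **envp) {
 free(msg);
 }
 
-// guess shell if unspecified
-if (!arg_shell_none && !cfg.shell) {
-cfg.shell = cfg.usershell;
-if (!cfg.shell) {
-fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
-exit(1);
-}
-if (arg_debug)
-printf("Autoselecting %s as shell\n", cfg.shell);
-}
-
 // build the sandbox command
-if (prog_index == -1 && cfg.shell) {
-assert(cfg.command_line == NULL); // runs cfg.shell
+if (prog_index == -1) {
+just_run_the_shell = 1;
+
+assert(cfg.command_line == NULL); // runs the user shell
 if (arg_appimage) {
 fprintf(stderr, "Error: no appimage archive specified\n");
 exit(1);
 }
 
-cfg.window_title = cfg.shell;
-cfg.command_name = cfg.shell;
+cfg.window_title = cfg.usershell;
+cfg.command_name = cfg.usershell;
 }
 else if (arg_appimage) {
 if (arg_debug)
@@ -2907,11 +2840,8 @@ int main(int argc, char **argv, char **envp) {
 
 // load the profile
 if (!arg_noprofile && !custom_profile) {
-if (arg_appimage) {
+if (arg_appimage)
 custom_profile = appimage_find_profile(cfg.command_name);
-// disable shell=* for appimages
-arg_shell_none = 0;
-}
 else
 custom_profile = profile_find_firejail(cfg.command_name, 1);
 }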
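Review bot: In the option-parsing hunk `--shell=none` no longer has its own branch, so it now falls into the `strncmp(argv[i], "--shell=", 8)` case and ends in `exit(1)`, although until this commit it was the default and only printed a warning. Command lines that still pass `--shell=none` would start failing; a no-op branch placed ahead of it, `else if (strcmp(argv[i], "--shell=none") == 0) fwarning("--shell=none is the default and is ignored\n");`, would keep them working. The message printed before the exit is labelled `Warning:` while the outcome is fatal, so an `Error:` prefix would match the other fatal paths visible in this function. main() starts and ends outside the hunk.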
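--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -189,25 +189,15 @@ void run_no_sandbox(int argc, char **argv) {
 }
 
 if (prog_index == 0) {
-// got no command, require a shell and try to execute it
-cfg.shell = cfg.usershell;
-if (!cfg.shell) {
-fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
-exit(1);
-}
-
 assert(cfg.command_line == NULL);
-cfg.window_title = cfg.shell;
+cfg.window_title = cfg.usershell;
 } else {
 // this sandbox might not allow execution of a shell
-// force --shell=none in order to not break firecfg symbolic links
-arg_shell_none = 1;
-
 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
 }
 
 fwarning("an existing sandbox was detected. "
-"%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.usershell);
+"%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.usershell);
 
 cfg.original_argv = argv;
 cfg.original_program_index = prog_index;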
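Review bot: The comment `// this sandbox might not allow execution of a shell` in the `else` branch is left behind without the statement it used to justify, so it now reads as a description of `build_cmdline(...)`. Either drop it or reword it to say what the branch does now, for example `// a program was given: run it directly, the existing sandbox might not allow a shell`. The `prog_index == 0` branch likewise lost its `// got no command ...` comment and would benefit from a one-line note that the user shell is only used as the window title here. run_no_sandbox() continues outside the hunk.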
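--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1561,9 +1561,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 int r = name2pid(ptr + 14, &pid);
 EUID_USER();
 if (!r) {
-if (!cfg.shell && !arg_shell_none)
-cfg.shell = cfg.usershell;
-
 // find first non-option arg
 int i;
 for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);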
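--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -528,7 +528,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 //****************************************
 // start the program without using a shell
 //****************************************
-else if (arg_shell_none) {
+else if (!arg_appimage) {
 if (arg_debug) {
 int i;
 for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -560,17 +560,15 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
 }
 //****************************************
-// start the program using a shell
+// start the program using a shell (appimages)
 //****************************************
-else {
-assert(cfg.shell);
-
+else { // appimage
 char *arg[5];
 int index = 0;
-arg[index++] = cfg.shell;
+arg[index++] = cfg.usershell;
 if (cfg.command_line) {
 if (arg_debug)
-printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+printf("Running %s command through %s\n", cfg.command_line, cfg.usershell);
 arg[index++] = "-c";
 if (arg_doubledash)
 arg[index++] = "--";
@@ -578,11 +576,11 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 }
 else if (login_shell) {
 if (arg_debug)
-printf("Starting %s login shell\n", cfg.shell);
+printf("Starting %s login shell\n", cfg.usershell);
 arg[index++] = "-l";
 }
 else if (arg_debug)
-printf("Starting %s shell\n", cfg.shell);
+printf("Starting %s shell\n", cfg.usershell);
 
 assert(index < 5);
 arg[index] = NULL;
@@ -590,7 +588,7 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 if (arg_debug) {
 char *msg;
 if (asprintf(&msg, "sandbox %d, execvp into %s",
-sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1)
+sandbox_pid, cfg.command_line ? cfg.command_line : cfg.usershell) == -1)
 errExit("asprintf");
 logmsg(msg);
 free(msg);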