author | netblue30 <netblue30@yahoo.com> | 2016-05-25 13:48:51 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-05-25 13:48:51 -0400 |
commit | 8d14f1e157f06543e6f7799a25f19367da95ed8c (patch) | |
tree | 28e52f5480ad88ee7900cf9553979a1a2a2e6496 | |
parent | Merge pull request #536 from KellerFuchs/no_new_privs (diff) | |
fixes
-rw-r--r-- | Makefile.in | 3 | ||||
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | platform/debian/conffiles | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 |
8 files changed, 21 insertions, 5 deletions
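--- a/Makefile.in
+++ b/Makefile.in
@@ -184,6 +184,9 @@ realinstall:
 install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc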
@@ -25,6 +25,11 @@ Reiner Herrmann | |||
25 | - clang-analyzer fixes | 25 | - clang-analyzer fixes |
26 | - Debian reproducible build | 26 | - Debian reproducible build |
27 | - unit testing framework | 27 | - unit testing framework |
28 | KellerFuchs (https://github.com/KellerFuchs) | ||
29 | - nonewpriv support | ||
30 | ValdikSS (https://github.com/ValdikSS) | ||
31 | - Psi+, Corebird, Konversation profiles | ||
32 | - various profile fixes | ||
28 | avoidr (https://github.com/avoidr) | 33 | avoidr (https://github.com/avoidr) |
29 | - whitelist fix | 34 | - whitelist fix |
30 | - recently-used.xbel fix | 35 | - recently-used.xbel fix |
@@ -290,6 +290,6 @@ $ man firejail-profile | |||
290 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, | 290 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, |
291 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, | 291 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, |
292 | Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, | 292 | Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, |
293 | cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber | 293 | cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation |
294 | 294 | ||
295 | 295 | ||
@@ -24,7 +24,7 @@ firejail (0.9.40) baseline; urgency=low | |||
24 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player | 24 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player |
25 | * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox | 25 | * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox |
26 | * new profiles: generic Ubuntu snap application profile, xplayer | 26 | * new profiles: generic Ubuntu snap application profile, xplayer |
27 | * new profiles: xreader, xviewer, mcabber | 27 | * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation |
28 | * generic.profile renamed default.profile | 28 | * generic.profile renamed default.profile |
29 | * build rpm packages using "make rpms" | 29 | * build rpm packages using "make rpms" |
30 | * bugfixes | 30 | * bugfixes |
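--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -98,3 +98,6 @@
 /etc/firejail/xreader.profile
 /etc/firejail/xviewer.profile
 /etc/firejail/mcabber.profile
+/etc/firejail/corebird.profile
+/etc/firejail/konversation.profile
+/etc/firejail/psi-plus.profile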
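--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -47,7 +47,7 @@ int checkcfg(int val) {
 
 FILE *fp = fopen(fname, "r");
 if (!fp) {
-fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
+fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
 exit(1);
 }
 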
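Review bot: The message in the `if (!fp)` branch now says "Warning", but the next line is still `exit(1)`, so the label no longer matches what happens: a missing configuration file still terminates the program. Exiting is the safer behaviour for a file that carries forced settings such as force-nonewprivs, so I would keep the wording as an error, `fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);`, or add a comment above `exit(1)` such as `// fail closed: without firejail.config the forced settings cannot be determined`. The text also reports "not found" for every fopen() failure, including a permission error. checkcfg() starts and continues outside this hunk.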
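--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -806,7 +806,7 @@ int main(int argc, char **argv) {
 }
 }
 
-// is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users
+// is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
 if (*argv[0] == '-' || parent_sshd) {
 fullargc = restricted_shell(cfg.username);
 if (fullargc) {
@@ -825,6 +825,11 @@ int main(int argc, char **argv) {
 check_user(argc, argv); // the function will not return if --user option was found
 }
 
+
+// check for force-nonewprivs in /etc/firejail/firejail.config file
+if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
+arg_nonewprivs = 1;
+
 // parse arguments
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized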
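Review bot: In the second hunk, `if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))` skips the administrator's force-nonewprivs setting whenever option_force is set. The same commit drops the checkcfg() call from sandbox() in src/firejail/sandbox.c, so this assignment becomes the only place the setting is applied. Where option_force is set is not visible here; if it comes from the command line, a sandbox could be started without the NO_NEW_PRIVS flag that firejail.config is meant to force. If the exemption is intended, the comment should say so and why, e.g. `// force-nonewprivs is not applied when option_force is set because firejail.config is not read in that mode`; otherwise drop the `!option_force` term. main() starts and ends outside both hunks.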
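--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -750,7 +750,7 @@ int sandbox(void* sandbox_arg) {
 //****************************************
 // Set NO_NEW_PRIVS if desired
 //****************************************
-if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) {
+if (arg_nonewprivs) {
 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
 if(no_new_privs != 0)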
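Review bot: The banner comment `// Set NO_NEW_PRIVS if desired` no longer shows where the firejail.config policy is honoured, because the condition is now only `if (arg_nonewprivs)`. A line under the banner such as `// arg_nonewprivs also covers force-nonewprivs from firejail.config; main() sets it from checkcfg(CFG_FORCE_NONEWPRIVS)` would keep a later reader from assuming the flag is purely a command-line choice. The body of `if(no_new_privs != 0)` lies outside the hunk, so how a failed prctl() is handled cannot be judged from here.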