author | valoq <valoq@mailbox.org> | 2016-12-11 19:06:18 +0100 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-12-11 19:06:18 +0100 |
commit | bbb098e082e4d7493733b49c610859ac93ede8a5 (patch) | |
tree | 9da7b982e9f57e6a14cd2549567c14f720b7b83c | |
parent | config support for firejail prompt in terminals (diff) | |
fixed ipc blacklist
-rw-r--r-- | src/firejail/fs.c | 27 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 2 |
2 files changed, 21 insertions, 8 deletions
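--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -531,17 +531,16 @@ void fs_proc_sys_dev_boot(void) {
 	// disable /dev/port
 	disable_file(BLACKLIST_FILE, "/dev/port");
 
-
-	// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
 
-	// disable various ipc sockets
+	/* // disable various ipc sockets */
 	struct stat s;
-
 
 	// disable /run/user/{uid}/gnupg
 	char *fnamegpg;
 	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
 		errExit("asprintf");
+	if (stat(fnamegpg, &s) == -1)
+		mkdir_attr(fnamegpg, 0700, getuid(), getgid());
 	if (stat(fnamegpg, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamegpg);
 	free(fnamegpg);
@@ -550,10 +549,13 @@ void fs_proc_sys_dev_boot(void) {
 	char *fnamesysd;
 	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
 		errExit("asprintf");
+	if (stat(fnamesysd, &s) == -1)
+		mkdir_attr(fnamesysd, 0755, getuid(), getgid());
 	if (stat(fnamesysd, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamesysd);
 	free(fnamesysd);
 
+
 	// todo: investigate
 #if 0
 	// breaks too many applications, option needed
@@ -591,12 +593,21 @@ void fs_proc_sys_dev_boot(void) {
 	/* disable_file(BLACKLIST_FILE, fnamedconf); */
 	/* free(fnamedconf); */
 
 
+	// dirs in /run/user/{uid}/
+	// using gnome:
+	// bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd
+
+	// using kde:
+	// kdeinit__0, ...
+
 	//more files with sockets to be blacklisted
 	// /run/dbus /run/systemd /run/udev /run/lvm
-#endif
-
+
+	// /run/user/{uid} does not exist on some systems, usually used and created by desktop applications
 
+#endif
+
 	if (getuid() != 0) {
 		// disable /dev/kmsg and /proc/kmsg
 		disable_file(BLACKLIST_FILE, "/dev/kmsg");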
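Review bot: The new `if (stat(fnamegpg, &s) == -1) mkdir_attr(fnamegpg, 0700, getuid(), getgid());` (and the matching systemd branch in the second hunk) treats every stat() failure as "directory missing", yet the comment this same commit adds inside the `#if 0` block says `/run/user/{uid}` does not exist on some systems; there mkdir(2) fails with ENOENT, and if mkdir_attr exits on error (its definition is outside these hunks) the sandbox will refuse to start on exactly the systems the old best-effort code tolerated. Build `/run/user/<uid>` once, stat() it, and skip both mkdir_attr calls when the parent is absent, or at minimum require `errno == ENOENT` before creating. Because mkdir_attr chowns to the real uid this code presumably runs privileged, and stat-then-mkdir inside a user-writable runtime directory leaves a small TOCTOU window (a dangling symlink at the path makes stat() fail, mkdir() fail with EEXIST, and the re-stat() silently skip the blacklist), so an `lstat()` check or at least a comment on the fail-open outcome would help. Separately, `/* // disable various ipc sockets */` on the new side reads like a comment commented out by accident; restore `// disable various ipc sockets` or drop it. fs_proc_sys_dev_boot begins before the first hunk and continues past the last one.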
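--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -106,6 +106,8 @@ static void build_dirs(void) {
 void fs_var_log(void) {
 	build_list("/var/log");
 
+	// note: /var/log is not created here, if it does not exist, this section fails. Intended?
+
 	// create /var/log if it doesn't exit
 	if (is_dir("/var/log")) {
 		// extract group id for /var/log/wtmp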
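Review bot: The added `// note: /var/log is not created here, if it does not exist, this section fails. Intended?` contradicts the existing `// create /var/log if it doesn't exit` two lines below and leaves an open question in the source instead of an answer. Either settle the question in this commit or replace both comments with one statement of what the code does, e.g. `// only populate /var/log when it already exists on the host; a missing /var/log is left alone`, which is all the visible `if (is_dir("/var/log"))` supports (the rest of that branch is outside the hunk, so confirm there is no else path). The typo `exit` → `exists` can be fixed in the same line. fs_var_log continues beyond the hunk.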