diff options
author | netblue30 <netblue30@yahoo.com> | 2015-12-10 13:49:30 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-12-10 13:49:30 -0500 |
commit | ac39cb31334c7951a97c4fc9b295c39924cd7427 (patch) | |
tree | db1898678f479797b3fd3e732982bd883f417fce | |
parent | release 0.9.36-rc1 testing (diff) | |
download | firejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.tar.gz firejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.tar.zst firejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.zip |
fixes
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 6 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 30 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 23 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
8 files changed, 75 insertions, 24 deletions
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.36-rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.36-rc1' | 583 | PACKAGE_VERSION='0.9.36-rc2' |
584 | PACKAGE_STRING='firejail 0.9.36-rc1' | 584 | PACKAGE_STRING='firejail 0.9.36-rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://github.com/netblue30/firejail' | 586 | PACKAGE_URL='http://github.com/netblue30/firejail' |
587 | 587 | ||
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1238 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1239 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1240 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.36-rc1 to adapt to many kinds of systems. | 1241 | \`configure' configures firejail 0.9.36-rc2 to adapt to many kinds of systems. |
1242 | 1242 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1243 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1244 | ||
@@ -1299,7 +1299,7 @@ fi | |||
1299 | 1299 | ||
1300 | if test -n "$ac_init_help"; then | 1300 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1301 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.36-rc1:";; | 1302 | short | recursive ) echo "Configuration of firejail 0.9.36-rc2:";; |
1303 | esac | 1303 | esac |
1304 | cat <<\_ACEOF | 1304 | cat <<\_ACEOF |
1305 | 1305 | ||
@@ -1389,7 +1389,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1389 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1390 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1391 | cat <<\_ACEOF |
1392 | firejail configure 0.9.36-rc1 | 1392 | firejail configure 0.9.36-rc2 |
1393 | generated by GNU Autoconf 2.69 | 1393 | generated by GNU Autoconf 2.69 |
1394 | 1394 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1395 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1691 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1692 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1693 | ||
1694 | It was created by firejail $as_me 0.9.36-rc1, which was | 1694 | It was created by firejail $as_me 0.9.36-rc2, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1695 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1696 | ||
1697 | $ $0 $@ | 1697 | $ $0 $@ |
@@ -4107,7 +4107,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4107 | # report actual input values of CONFIG_FILES etc. instead of their | 4107 | # report actual input values of CONFIG_FILES etc. instead of their |
4108 | # values after options handling. | 4108 | # values after options handling. |
4109 | ac_log=" | 4109 | ac_log=" |
4110 | This file was extended by firejail $as_me 0.9.36-rc1, which was | 4110 | This file was extended by firejail $as_me 0.9.36-rc2, which was |
4111 | generated by GNU Autoconf 2.69. Invocation command line was | 4111 | generated by GNU Autoconf 2.69. Invocation command line was |
4112 | 4112 | ||
4113 | CONFIG_FILES = $CONFIG_FILES | 4113 | CONFIG_FILES = $CONFIG_FILES |
@@ -4161,7 +4161,7 @@ _ACEOF | |||
4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4163 | ac_cs_version="\\ | 4163 | ac_cs_version="\\ |
4164 | firejail config.status 0.9.36-rc1 | 4164 | firejail config.status 0.9.36-rc2 |
4165 | configured by $0, generated by GNU Autoconf 2.69, | 4165 | configured by $0, generated by GNU Autoconf 2.69, |
4166 | with options \\"\$ac_cs_config\\" | 4166 | with options \\"\$ac_cs_config\\" |
4167 | 4167 | ||
diff --git a/configure.ac b/configure.ac index d9f7ad22a..eec6481a8 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.36-rc1, netblue30@yahoo.com, , http://github.com/netblue30/firejail) | 2 | AC_INIT(firejail, 0.9.36-rc2, netblue30@yahoo.com, , http://github.com/netblue30/firejail) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
diff --git a/etc/firefox.profile b/etc/firefox.profile index bc30b61d2..40ddd7920 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -24,3 +24,9 @@ whitelist ~/.keysnail.js | |||
24 | whitelist ~/.config/gnome-mplayer | 24 | whitelist ~/.config/gnome-mplayer |
25 | whitelist ~/.cache/gnome-mplayer/plugin | 25 | whitelist ~/.cache/gnome-mplayer/plugin |
26 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
27 | whitelist /tmp/.X11-unix | ||
28 | |||
29 | # experimental features | ||
30 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | ||
31 | |||
32 | |||
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index df0e92203..b82baf1ad 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -24,7 +24,8 @@ | |||
24 | #include <sys/wait.h> | 24 | #include <sys/wait.h> |
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | 26 | ||
27 | static void check_dir_or_file(const char *name) { | 27 | // return 0 if file not found, 1 if found |
28 | static int check_dir_or_file(const char *name) { | ||
28 | assert(name); | 29 | assert(name); |
29 | invalid_filename(name); | 30 | invalid_filename(name); |
30 | 31 | ||
@@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) { | |||
35 | if (arg_debug) | 36 | if (arg_debug) |
36 | printf("Checking %s\n", fname); | 37 | printf("Checking %s\n", fname); |
37 | if (stat(fname, &s) == -1) { | 38 | if (stat(fname, &s) == -1) { |
38 | fprintf(stderr, "Error: file %s not found.\n", fname); | 39 | if (arg_debug) |
39 | exit(1); | 40 | printf("Warning: file %s not found.\n", fname); |
41 | return 0; | ||
40 | } | 42 | } |
41 | 43 | ||
42 | // dir or regular file | 44 | // dir or regular file |
43 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { | 45 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { |
44 | free(fname); | 46 | free(fname); |
45 | return; | 47 | return 1; |
46 | } | 48 | } |
47 | 49 | ||
48 | if (!is_link(fname)) { | 50 | if (!is_link(fname)) { |
49 | free(fname); | 51 | free(fname); |
50 | return; | 52 | return 1; |
51 | } | 53 | } |
52 | 54 | ||
53 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); | 55 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); |
@@ -63,11 +65,23 @@ void fs_check_etc_list(void) { | |||
63 | char *dlist = strdup(cfg.etc_private_keep); | 65 | char *dlist = strdup(cfg.etc_private_keep); |
64 | if (!dlist) | 66 | if (!dlist) |
65 | errExit("strdup"); | 67 | errExit("strdup"); |
68 | |||
69 | // build a new list only with the files found | ||
70 | char *newlist = malloc(strlen(cfg.etc_private_keep) + 1); | ||
71 | if (!newlist) | ||
72 | errExit("malloc"); | ||
73 | *newlist = '\0'; | ||
66 | 74 | ||
67 | char *ptr = strtok(dlist, ","); | 75 | char *ptr = strtok(dlist, ","); |
68 | check_dir_or_file(ptr); | 76 | if (check_dir_or_file(ptr)) |
69 | while ((ptr = strtok(NULL, ",")) != NULL) | 77 | strcat(newlist, ptr); |
70 | check_dir_or_file(ptr); | 78 | while ((ptr = strtok(NULL, ",")) != NULL) { |
79 | if (check_dir_or_file(ptr)) { | ||
80 | strcat(newlist, ","); | ||
81 | strcat(newlist, ptr); | ||
82 | } | ||
83 | } | ||
84 | cfg.etc_private_keep = newlist; | ||
71 | 85 | ||
72 | free(dlist); | 86 | free(dlist); |
73 | } | 87 | } |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 55a1b9c7a..eec51c3f9 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -42,7 +42,7 @@ void fs_trace_preload(void) { | |||
42 | errExit("chown"); | 42 | errExit("chown"); |
43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) | 43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) |
44 | errExit("chmod"); | 44 | errExit("chmod"); |
45 | fs_logger("touch /etc/ls.so.preload"); | 45 | fs_logger("touch /etc/ld.so.preload"); |
46 | } | 46 | } |
47 | } | 47 | } |
48 | 48 | ||
@@ -77,8 +77,8 @@ void fs_trace(void) { | |||
77 | if (arg_debug) | 77 | if (arg_debug) |
78 | printf("Mount the new ld.so.preload file\n"); | 78 | printf("Mount the new ld.so.preload file\n"); |
79 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) | 79 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) |
80 | errExit("mount bind ls.so.preload"); | 80 | errExit("mount bind ld.so.preload"); |
81 | fs_logger("create /etc/ls.so.preload"); | 81 | fs_logger("create /etc/ld.so.preload"); |
82 | } | 82 | } |
83 | 83 | ||
84 | 84 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index aad0af3e4..75b90ae81 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -831,6 +831,10 @@ int main(int argc, char **argv) { | |||
831 | 831 | ||
832 | // extract private home dirname | 832 | // extract private home dirname |
833 | cfg.home_private = argv[i] + 10; | 833 | cfg.home_private = argv[i] + 10; |
834 | if (*cfg.home_private == '\0') { | ||
835 | fprintf(stderr, "Error: invalid private option\n"); | ||
836 | exit(1); | ||
837 | } | ||
834 | fs_check_private_dir(); | 838 | fs_check_private_dir(); |
835 | arg_private = 1; | 839 | arg_private = 1; |
836 | } | 840 | } |
@@ -842,6 +846,10 @@ int main(int argc, char **argv) { | |||
842 | 846 | ||
843 | // extract private home dirname | 847 | // extract private home dirname |
844 | cfg.home_private_keep = argv[i] + 15; | 848 | cfg.home_private_keep = argv[i] + 15; |
849 | if (*cfg.home_private_keep == '\0') { | ||
850 | fprintf(stderr, "Error: invalid private-home option\n"); | ||
851 | exit(1); | ||
852 | } | ||
845 | fs_check_home_list(); | 853 | fs_check_home_list(); |
846 | arg_private = 1; | 854 | arg_private = 1; |
847 | } | 855 | } |
@@ -851,12 +859,25 @@ int main(int argc, char **argv) { | |||
851 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 859 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
852 | // extract private etc dirname | 860 | // extract private etc dirname |
853 | cfg.etc_private_keep = argv[i] + 14; | 861 | cfg.etc_private_keep = argv[i] + 14; |
862 | if (*cfg.etc_private_keep == '\0') { | ||
863 | fprintf(stderr, "Error: invalid private-etc option\n"); | ||
864 | exit(1); | ||
865 | } | ||
854 | fs_check_etc_list(); | 866 | fs_check_etc_list(); |
855 | arg_private_etc = 1; | 867 | if (*cfg.etc_private_keep != '\0') |
868 | arg_private_etc = 1; | ||
869 | else { | ||
870 | arg_private_etc = 0; | ||
871 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
872 | } | ||
856 | } | 873 | } |
857 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 874 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
858 | // extract private etc dirname | 875 | // extract private etc dirname |
859 | cfg.bin_private_keep = argv[i] + 14; | 876 | cfg.bin_private_keep = argv[i] + 14; |
877 | if (*cfg.bin_private_keep == '\0') { | ||
878 | fprintf(stderr, "Error: invalid private-bin option\n"); | ||
879 | exit(1); | ||
880 | } | ||
860 | fs_check_bin_list(); | 881 | fs_check_bin_list(); |
861 | arg_private_bin = 1; | 882 | arg_private_bin = 1; |
862 | } | 883 | } |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 366a56e13..244370b98 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) { | |||
285 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 285 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
286 | cfg.etc_private_keep = ptr + 12; | 286 | cfg.etc_private_keep = ptr + 12; |
287 | fs_check_etc_list(); | 287 | fs_check_etc_list(); |
288 | arg_private_etc = 1; | 288 | if (*cfg.etc_private_keep != '\0') |
289 | arg_private_etc = 1; | ||
290 | else { | ||
291 | arg_private_etc = 0; | ||
292 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
293 | } | ||
294 | |||
289 | return 0; | 295 | return 0; |
290 | } | 296 | } |
291 | 297 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 39f95a43a..4a1990382 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) { | |||
380 | 380 | ||
381 | if (arg_private_dev) | 381 | if (arg_private_dev) |
382 | fs_private_dev(); | 382 | fs_private_dev(); |
383 | if (arg_private_etc) | 383 | if (arg_private_etc) { |
384 | fs_private_etc_list(); | 384 | fs_private_etc_list(); |
385 | // create /etc/ld.so.preload file again | ||
386 | if (arg_trace || arg_tracelog) | ||
387 | fs_trace_preload(); | ||
388 | } | ||
385 | if (arg_private_bin) | 389 | if (arg_private_bin) |
386 | fs_private_bin_list(); | 390 | fs_private_bin_list(); |
387 | 391 | ||