author | netblue30 <netblue30@yahoo.com> | 2016-12-09 09:21:30 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-12-09 09:21:30 -0500 |
commit | 0c5aa59b932c22798980899e1cd4df72badc8bbd (patch) | |
tree | 8410fd2549ca3666be312bd9e734efaacfca997a | |
parent | Merge pull request #963 from Fred-Barclay/wireshark (diff) | |
download | firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.gz firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.zst firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.zip |
disable gnupg and systemd directories under /run/user
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 29 |
3 files changed, 17 insertions, 14 deletions
@@ -96,6 +96,7 @@ valoq (https://github.com/valoq) | |||
96 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles | 96 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles |
97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
98 | - added wget profile | 98 | - added wget profile |
99 | - disable gnupg and systemd directories under /run/user | ||
99 | Lari Rauno (https://github.com/tuutti) | 100 | Lari Rauno (https://github.com/tuutti) |
100 | - qutebrowser profile fixes | 101 | - qutebrowser profile fixes |
101 | SpotComms (https://github.com/SpotComms) | 102 | SpotComms (https://github.com/SpotComms) |
@@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low | |||
6 | * security: split most of networking code in a separate executable | 6 | * security: split most of networking code in a separate executable |
7 | * security: split seccomp filter code configuration in a separate executable | 7 | * security: split seccomp filter code configuration in a separate executable |
8 | * security: split file copying in private option in a separate executable | 8 | * security: split file copying in private option in a separate executable |
9 | * feature: disable gnupg and systemd directories under /run/user | ||
9 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | 10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) |
10 | * feature: AppImage type 2 support | 11 | * feature: AppImage type 2 support |
11 | * feature: test coverage (gcov) support | 12 | * feature: test coverage (gcov) support |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 905d2903d..84dc9046c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) { | |||
538 | struct stat s; | 538 | struct stat s; |
539 | 539 | ||
540 | 540 | ||
541 | // breaks too many applications, option needed | ||
542 | /* // disable /run/user/{uid}/bus */ | ||
543 | /* char *fnamebus; */ | ||
544 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
545 | /* errExit("asprintf"); */ | ||
546 | /* if (stat(fnamebus, &s) == 0) */ | ||
547 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
548 | /* free(fnamebus); */ | ||
549 | |||
550 | // disable /run/user/{uid}/gnupg | 541 | // disable /run/user/{uid}/gnupg |
551 | char *fnamegpg; | 542 | char *fnamegpg; |
552 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 543 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
553 | errExit("asprintf"); | 544 | errExit("asprintf"); |
554 | if (stat(fnamegpg, &s) == 0) | 545 | if (stat(fnamegpg, &s) == 0) |
555 | disable_file(BLACKLIST_FILE, fnamegpg); | 546 | disable_file(BLACKLIST_FILE, fnamegpg); |
556 | free(fnamegpg); | 547 | free(fnamegpg); |
557 | 548 | ||
558 | // disable /run/user/{uid}/systemd | 549 | // disable /run/user/{uid}/systemd |
559 | char *fnamesysd; | 550 | char *fnamesysd; |
560 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 551 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
561 | errExit("asprintf"); | 552 | errExit("asprintf"); |
562 | if (stat(fnamesysd, &s) == 0) | 553 | if (stat(fnamesysd, &s) == 0) |
563 | disable_file(BLACKLIST_FILE, fnamesysd); | 554 | disable_file(BLACKLIST_FILE, fnamesysd); |
564 | free(fnamesysd); | 555 | free(fnamesysd); |
565 | 556 | ||
557 | // todo: investigate | ||
558 | #if 0 | ||
559 | // breaks too many applications, option needed | ||
560 | /* // disable /run/user/{uid}/bus */ | ||
561 | /* char *fnamebus; */ | ||
562 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
563 | /* errExit("asprintf"); */ | ||
564 | /* if (stat(fnamebus, &s) == 0) */ | ||
565 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
566 | /* free(fnamebus); */ | ||
566 | 567 | ||
567 | // WARNING: not working | 568 | // WARNING: not working |
568 | // disable /run/user/{uid}/kdeinit* | 569 | // disable /run/user/{uid}/kdeinit* |
@@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) { | |||
593 | 594 | ||
594 | //more files with sockets to be blacklisted | 595 | //more files with sockets to be blacklisted |
595 | // /run/dbus /run/systemd /run/udev /run/lvm | 596 | // /run/dbus /run/systemd /run/udev /run/lvm |
596 | 597 | #endif | |
597 | 598 | ||
598 | 599 | ||
599 | if (getuid() != 0) { | 600 | if (getuid() != 0) { |
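Review bot: The `#if 0` region opened before the commented-out bus code leaves `/run/user/{uid}/bus` reachable from the sandbox, so blacklisting `/run/user/{uid}/systemd` just above it probably does not cut the sandbox off from the user service manager, which is normally also reachable over the session bus. The `// todo: investigate` line should record that limit, for example `// todo: session bus stays exposed (blacklisting it breaks too many applications); needs an opt-in option`. Separately, the gnupg and systemd blocks blacklist only when `stat()` succeeds at sandbox start, so a directory created under `/run/user/{uid}` after launch is presumably left visible; a comment saying so would help whoever audits this later. `getuid()` is also printed with `%d` in both `asprintf` calls; casting to `int`, or using `%u` with an `unsigned` cast, would make the format match the argument type. `fs_proc_sys_dev_boot` starts and ends outside the hunks shown.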