Merge branch 'master' of https://github.com/netblue30/firejail

author: startx2017 <vradu.startx@yandex.com> 2018-05-09 19:40:29 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-05-09 19:40:29 -0400
commit: 694e2027c5b6d03919bac4b5b305f6d3d834786c (patch)
tree: 545d1817d90f7b3b867f79d110f8497670ac054c
parent: firemon/prctl enhancements (diff)
parent: merges (diff)
download: firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.gz
firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.zst
firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.zip
11 files changed, 117 insertions, 7 deletions
diff --git a/README b/README
index 7384a8c99..368feb827 100644
--- a/README
+++ b/README
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare)
 PizzaDude (https://github.com/pizzadude)
        - add mpv support to smplayer
        - added profile for torbrowser-launcher
+        - added profile for sayonara and qmmp
 probonopd (https://github.com/probonopd)
        - automatic build on Travis CI
 pshpsh (https://github.com/pshpsh)
diff --git a/README.md b/README.md
index cb040852a..854e02cd1 100644
--- a/README.md
+++ b/README.md
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.
 thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
 enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
 aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
-AnyDesk, webstorm, xmind
+AnyDesk, webstorm, xmind, qmmp, sayonara
diff --git a/RELNOTES b/RELNOTES
index 0cd51a16d..f73793740 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -44,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
-  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
+  * new profiles: qmmp, sayonara
 -- netblue30 <netblue30@yahoo.com>  Sun, 6 May 2018 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ea334c289..c7605d660 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
 blacklist ${HOME}/.Skype
 blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
new file mode 100644
index 000000000..d785ddbbe
--- /dev/null
+++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for qmmp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/qmmp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.qmmp
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+# no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin qmmp
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sayonara.profile b/etc/sayonara.profile
new file mode 100644
index 000000000..756bd99eb
--- /dev/null
+++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/sayonara.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.Sayonara
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin sayonara
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8c0b3ba4e..ec227340b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -792,6 +792,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
 #define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
+#define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index a765be1b6..b1b30cd5e 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -196,6 +196,7 @@ static void whitelist_path(ProfileEntry *entry) {
        const char *fname;
        char *wfile = NULL;
+        EUID_USER();
        if (entry->home_dir) {
                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
                        fname = path + strlen(cfg.homedir);
@@ -290,9 +291,12 @@ static void whitelist_path(ProfileEntry *entry) {
                if (arg_debug || arg_debug_whitelists)
                        printf("Whitelisting %s\n", path);
        }
-        else
+        else {
+                EUID_ROOT();
                return;
+        }
+        EUID_ROOT();
        // create the path if necessary
        mkpath(path, s.st_mode);
        fs_logger2("whitelist", path);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2e47dd938..9d28f3352 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strcmp(argv[i], "--list") == 0) {
                if (pid_hidepid())
-                        sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                        sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                else
                        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                exit(0);
        }
        else if (strcmp(argv[i], "--tree") == 0) {
                if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                else
                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                exit(0);
        }
        else if (strcmp(argv[i], "--top") == 0) {
                if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                2, PATH_FIREMON, "--top");
                else
                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                if (checkcfg(CFG_NETWORK)) {
                        struct stat s;
                        if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
-                                sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                        2, PATH_FIREMON, "--netstats");
                        else
                                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 53df20a54..c11daad58 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) {
                        caps_set(set);
 #endif
                }
+                else if (filter & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
+                        set |=  ((uint64_t) 1) << CAP_SYS_PACCT;
+                        caps_set(set);
+#endif
+                }
                if (filter & SBOX_SECCOMP) {
                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
diff --git a/test/hidepid-howto b/test/hidepid-howto
new file mode 100644
index 000000000..f207c9109
--- /dev/null
+++ b/test/hidepid-howto
@@ -0,0 +1,27 @@
+1. Find an unused user group for hidepid exception:
+$ id
+uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network),
+92(audio),93(optical),95(storage),98(power)
+From /etc/group I pick up a group I am not part of:
+$ cat /etc/group
+[...]
+xmms2:x:618:
+rtkit:x:133:
+vboxsf:x:109:
+git:x:617:
+[...]
+I'll use group 618 (xmms2)
+2. Set hidepid and allow xmms2 users to bypass hidepid
+$ sudo mount -o remount,rw,hidepid=2,gid=618 /proc
+$ cat /proc/mounts | grep proc
+proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
+3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
author	startx2017 <vradu.startx@yandex.com>	2018-05-09 19:40:29 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-05-09 19:40:29 -0400
commit	694e2027c5b6d03919bac4b5b305f6d3d834786c (patch)
tree	545d1817d90f7b3b867f79d110f8497670ac054c
parent	firemon/prctl enhancements (diff)
parent	merges (diff)
download	firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.gz firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.tar.zst firejail-694e2027c5b6d03919bac4b5b305f6d3d834786c.zip

diff --git a/README b/README index 7384a8c99..368feb827 100644 --- a/README +++ b/README
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare)
435	PizzaDude (https://github.com/pizzadude)	435	PizzaDude (https://github.com/pizzadude)
436	- add mpv support to smplayer	436	- add mpv support to smplayer
437	- added profile for torbrowser-launcher	437	- added profile for torbrowser-launcher
		438	- added profile for sayonara and qmmp
438	probonopd (https://github.com/probonopd)	439	probonopd (https://github.com/probonopd)
439	- automatic build on Travis CI	440	- automatic build on Travis CI
440	pshpsh (https://github.com/pshpsh)	441	pshpsh (https://github.com/pshpsh)


diff --git a/README.md b/README.md index cb040852a..854e02cd1 100644 --- a/README.md +++ b/README.md
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.
376	thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,	376	thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
377	enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,	377	enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
378	aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,	378	aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
379	AnyDesk, webstorm, xmind	379	AnyDesk, webstorm, xmind, qmmp, sayonara


diff --git a/RELNOTES b/RELNOTES index 0cd51a16d..f73793740 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -44,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low
44	* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,	44	* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
45	* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,	45	* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
46	* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,	46	* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
47	* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind	47	* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
		48	* new profiles: qmmp, sayonara
48	-- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500	49	-- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500
49		50
50	firejail (0.9.52) baseline; urgency=low	51	firejail (0.9.52) baseline; urgency=low


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ea334c289..c7605d660 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
16	blacklist ${HOME}/.Mathematica	16	blacklist ${HOME}/.Mathematica
17	blacklist ${HOME}/.Natron	17	blacklist ${HOME}/.Natron
18	blacklist ${HOME}/.PyCharm*	18	blacklist ${HOME}/.PyCharm*
		19	blacklist ${HOME}/.Sayonara
19	blacklist ${HOME}/.Skype	20	blacklist ${HOME}/.Skype
20	blacklist ${HOME}/.Steam	21	blacklist ${HOME}/.Steam
21	blacklist ${HOME}/.Steampath	22	blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
465	blacklist ${HOME}/.pingus	466	blacklist ${HOME}/.pingus
466	blacklist ${HOME}/.purple	467	blacklist ${HOME}/.purple
467	blacklist ${HOME}/.qemu-launcher	468	blacklist ${HOME}/.qemu-launcher
		469	blacklist ${HOME}/.qmmp
468	blacklist ${HOME}/.redeclipse	470	blacklist ${HOME}/.redeclipse
469	blacklist ${HOME}/.remmina	471	blacklist ${HOME}/.remmina
470	blacklist ${HOME}/.repo_.gitconfig.json	472	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/qmmp.profile b/etc/qmmp.profile new file mode 100644 index 000000000..d785ddbbe --- /dev/null +++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
		1	# Firejail profile for qmmp
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/qmmp.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.qmmp
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	# no3d
		18	nodbus
		19	nogroups
		20	nonewprivs
		21	noroot
		22	notv
		23	novideo
		24	protocol unix,inet,inet6
		25	seccomp
		26	shell none
		27	tracelog
		28
		29	private-bin qmmp
		30	private-dev
		31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/sayonara.profile b/etc/sayonara.profile new file mode 100644 index 000000000..756bd99eb --- /dev/null +++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for sayonara player
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/sayonara.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.Sayonara
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	no3d
		18	nogroups
		19	nonewprivs
		20	noroot
		21	notv
		22	novideo
		23	protocol unix,inet,inet6
		24	seccomp
		25	shell none
		26	tracelog
		27
		28	private-bin sayonara
		29	private-dev
		30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8c0b3ba4e..ec227340b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -792,6 +792,7 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
792	#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs	792	#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
793	#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin	793	#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin
794	#define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin	794	#define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin
		795	#define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
795		796
796	// run sbox	797	// run sbox
797	int sbox_run(unsigned filter, int num, ...);	798	int sbox_run(unsigned filter, int num, ...);


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index a765be1b6..b1b30cd5e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -196,6 +196,7 @@ static void whitelist_path(ProfileEntry *entry) {
196	const char *fname;	196	const char *fname;
197	char *wfile = NULL;	197	char *wfile = NULL;
198		198
		199	EUID_USER();
199	if (entry->home_dir) {	200	if (entry->home_dir) {
200	if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {	201	if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
201	fname = path + strlen(cfg.homedir);	202	fname = path + strlen(cfg.homedir);
@@ -290,9 +291,12 @@ static void whitelist_path(ProfileEntry *entry) {
290	if (arg_debug \|\| arg_debug_whitelists)	291	if (arg_debug \|\| arg_debug_whitelists)
291	printf("Whitelisting %s\n", path);	292	printf("Whitelisting %s\n", path);
292	}	293	}
293	else	294	else {
		295	EUID_ROOT();
294	return;	296	return;
		297	}
295		298
		299	EUID_ROOT();
296	// create the path if necessary	300	// create the path if necessary
297	mkpath(path, s.st_mode);	301	mkpath(path, s.st_mode);
298	fs_logger2("whitelist", path);	302	fs_logger2("whitelist", path);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 2e47dd938..9d28f3352 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -551,21 +551,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
551	}	551	}
552	else if (strcmp(argv[i], "--list") == 0) {	552	else if (strcmp(argv[i], "--list") == 0) {
553	if (pid_hidepid())	553	if (pid_hidepid())
554	sbox_run(SBOX_ROOT\| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--list");	554	sbox_run(SBOX_ROOT\| SBOX_CAPS_HIDEPID \| SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
555	else	555	else
556	sbox_run(SBOX_USER\| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--list");	556	sbox_run(SBOX_USER\| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
557	exit(0);	557	exit(0);
558	}	558	}
559	else if (strcmp(argv[i], "--tree") == 0) {	559	else if (strcmp(argv[i], "--tree") == 0) {
560	if (pid_hidepid())	560	if (pid_hidepid())
561	sbox_run(SBOX_ROOT \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");	561	sbox_run(SBOX_ROOT \| SBOX_CAPS_HIDEPID \| SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
562	else	562	else
563	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");	563	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
564	exit(0);	564	exit(0);
565	}	565	}
566	else if (strcmp(argv[i], "--top") == 0) {	566	else if (strcmp(argv[i], "--top") == 0) {
567	if (pid_hidepid())	567	if (pid_hidepid())
568	sbox_run(SBOX_ROOT \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,	568	sbox_run(SBOX_ROOT \| SBOX_CAPS_HIDEPID \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,
569	2, PATH_FIREMON, "--top");	569	2, PATH_FIREMON, "--top");
570	else	570	else
571	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,	571	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,
@@ -577,7 +577,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
577	if (checkcfg(CFG_NETWORK)) {	577	if (checkcfg(CFG_NETWORK)) {
578	struct stat s;	578	struct stat s;
579	if (stat("/proc/sys/kernel/grsecurity", &s) == 0 \|\| pid_hidepid())	579	if (stat("/proc/sys/kernel/grsecurity", &s) == 0 \|\| pid_hidepid())
580	sbox_run(SBOX_ROOT \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,	580	sbox_run(SBOX_ROOT \| SBOX_CAPS_HIDEPID \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,
581	2, PATH_FIREMON, "--netstats");	581	2, PATH_FIREMON, "--netstats");
582	else	582	else
583	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,	583	sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP \| SBOX_ALLOW_STDIN,


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 53df20a54..c11daad58 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -166,6 +166,13 @@ int sbox_run(unsigned filter, int num, ...) {
166	caps_set(set);	166	caps_set(set);
167	#endif	167	#endif
168	}	168	}
		169	else if (filter & SBOX_CAPS_HIDEPID) {
		170	#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
		171	uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
		172	set \|= ((uint64_t) 1) << CAP_SYS_PACCT;
		173	caps_set(set);
		174	#endif
		175	}
169		176
170	if (filter & SBOX_SECCOMP) {	177	if (filter & SBOX_SECCOMP) {
171	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {	178	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {


diff --git a/test/hidepid-howto b/test/hidepid-howto new file mode 100644 index 000000000..f207c9109 --- /dev/null +++ b/test/hidepid-howto
@@ -0,0 +1,27 @@
		1	1. Find an unused user group for hidepid exception:
		2
		3	$ id
		4	uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network),
		5	92(audio),93(optical),95(storage),98(power)
		6
		7	From /etc/group I pick up a group I am not part of:
		8
		9	$ cat /etc/group
		10	[...]
		11	xmms2:x:618:
		12	rtkit:x:133:
		13	vboxsf:x:109:
		14	git:x:617:
		15	[...]
		16
		17	I'll use group 618 (xmms2)
		18
		19	2. Set hidepid and allow xmms2 users to bypass hidepid
		20
		21	$ sudo mount -o remount,rw,hidepid=2,gid=618 /proc
		22	$ cat /proc/mounts \| grep proc
		23	proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
		24
		25	3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
		26
		27