diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-09-19 13:11:59 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-09-19 13:11:59 -0400 |
| commit | 83c7253a753a810240408ac2057e7c2b920a2a52 (patch) | |
| tree | 33cfcccedac37ecbfaf483a27e1ae3a1aa4d9113 | |
| parent | document blacklist-nolog (diff) | |
| download | firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.gz firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.zst firejail-83c7253a753a810240408ac2057e7c2b920a2a52.zip | |
--private-tmp whitelists /tmp/.X11-unix directory
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 31 |
2 files changed, 18 insertions, 14 deletions
| @@ -2,6 +2,7 @@ firejail (0.9.43) baseline; urgency=low | |||
| 2 | * development version | 2 | * development version |
| 3 | * modifs: removed man firejail-config | 3 | * modifs: removed man firejail-config |
| 4 | * modifs: make deb builds package based on the current configuration | 4 | * modifs: make deb builds package based on the current configuration |
| 5 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | ||
| 5 | * feature: blocking x11 (--x11=block) | 6 | * feature: blocking x11 (--x11=block) |
| 6 | * feature: x11 xpra, x11 xephyr, x11 block profile commands | 7 | * feature: x11 xpra, x11 xephyr, x11 block profile commands |
| 7 | * bugfixes | 8 | * bugfixes |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 76efe996b..cc5483c08 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) { | |||
| 593 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); | 593 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); |
| 594 | else if (arg_overlay) | 594 | else if (arg_overlay) |
| 595 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); | 595 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); |
| 596 | else | 596 | else { |
| 597 | fs_private_tmp(); | 597 | // private-tmp is implemented as a whitelist |
| 598 | EUID_USER(); | ||
| 599 | profile_add("whitelist /tmp/.X11-unix"); | ||
| 600 | EUID_ROOT(); | ||
| 601 | // fs_private_tmp(); | ||
| 602 | } | ||
| 598 | } | 603 | } |
| 599 | 604 | ||
| 600 | //**************************** | 605 | //**************************** |
| @@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) { | |||
| 606 | //**************************** | 611 | //**************************** |
| 607 | // apply the profile file | 612 | // apply the profile file |
| 608 | //**************************** | 613 | //**************************** |
| 609 | if (cfg.profile) { | 614 | // apply all whitelist commands ... |
| 610 | // apply all whitelist commands ... | 615 | if (cfg.chrootdir) |
| 611 | if (cfg.chrootdir) | 616 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); |
| 612 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); | 617 | else if (arg_overlay) |
| 613 | else if (arg_overlay) | 618 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); |
| 614 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); | 619 | else |
| 615 | else | 620 | fs_whitelist(); |
| 616 | fs_whitelist(); | 621 | |
| 617 | 622 | // ... followed by blacklist commands | |
| 618 | // ... followed by blacklist commands | 623 | fs_blacklist(); |
| 619 | fs_blacklist(); | ||
| 620 | } | ||
| 621 | 624 | ||
| 622 | //**************************** | 625 | //**************************** |
| 623 | // install trace | 626 | // install trace |