diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-12-09 09:21:30 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-12-09 09:21:30 -0500 |
| commit | 0c5aa59b932c22798980899e1cd4df72badc8bbd (patch) | |
| tree | 8410fd2549ca3666be312bd9e734efaacfca997a | |
| parent | Merge pull request #963 from Fred-Barclay/wireshark (diff) | |
| download | firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.gz firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.zst firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.zip | |
disable gnupg and systemd directories under /run/user
| -rw-r--r-- | README | 1 | ||||
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/fs.c | 29 |
3 files changed, 17 insertions, 14 deletions
| @@ -96,6 +96,7 @@ valoq (https://github.com/valoq) | |||
| 96 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles | 96 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles |
| 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
| 98 | - added wget profile | 98 | - added wget profile |
| 99 | - disable gnupg and systemd directories under /run/user | ||
| 99 | Lari Rauno (https://github.com/tuutti) | 100 | Lari Rauno (https://github.com/tuutti) |
| 100 | - qutebrowser profile fixes | 101 | - qutebrowser profile fixes |
| 101 | SpotComms (https://github.com/SpotComms) | 102 | SpotComms (https://github.com/SpotComms) |
| @@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low | |||
| 6 | * security: split most of networking code in a separate executable | 6 | * security: split most of networking code in a separate executable |
| 7 | * security: split seccomp filter code configuration in a separate executable | 7 | * security: split seccomp filter code configuration in a separate executable |
| 8 | * security: split file copying in private option in a separate executable | 8 | * security: split file copying in private option in a separate executable |
| 9 | * feature: disable gnupg and systemd directories under /run/user | ||
| 9 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | 10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) |
| 10 | * feature: AppImage type 2 support | 11 | * feature: AppImage type 2 support |
| 11 | * feature: test coverage (gcov) support | 12 | * feature: test coverage (gcov) support |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 905d2903d..84dc9046c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) { | |||
| 538 | struct stat s; | 538 | struct stat s; |
| 539 | 539 | ||
| 540 | 540 | ||
| 541 | // breaks too many applications, option needed | ||
| 542 | /* // disable /run/user/{uid}/bus */ | ||
| 543 | /* char *fnamebus; */ | ||
| 544 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
| 545 | /* errExit("asprintf"); */ | ||
| 546 | /* if (stat(fnamebus, &s) == 0) */ | ||
| 547 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
| 548 | /* free(fnamebus); */ | ||
| 549 | |||
| 550 | // disable /run/user/{uid}/gnupg | 541 | // disable /run/user/{uid}/gnupg |
| 551 | char *fnamegpg; | 542 | char *fnamegpg; |
| 552 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 543 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
| 553 | errExit("asprintf"); | 544 | errExit("asprintf"); |
| 554 | if (stat(fnamegpg, &s) == 0) | 545 | if (stat(fnamegpg, &s) == 0) |
| 555 | disable_file(BLACKLIST_FILE, fnamegpg); | 546 | disable_file(BLACKLIST_FILE, fnamegpg); |
| 556 | free(fnamegpg); | 547 | free(fnamegpg); |
| 557 | 548 | ||
| 558 | // disable /run/user/{uid}/systemd | 549 | // disable /run/user/{uid}/systemd |
| 559 | char *fnamesysd; | 550 | char *fnamesysd; |
| 560 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 551 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
| 561 | errExit("asprintf"); | 552 | errExit("asprintf"); |
| 562 | if (stat(fnamesysd, &s) == 0) | 553 | if (stat(fnamesysd, &s) == 0) |
| 563 | disable_file(BLACKLIST_FILE, fnamesysd); | 554 | disable_file(BLACKLIST_FILE, fnamesysd); |
| 564 | free(fnamesysd); | 555 | free(fnamesysd); |
| 565 | 556 | ||
| 557 | // todo: investigate | ||
| 558 | #if 0 | ||
| 559 | // breaks too many applications, option needed | ||
| 560 | /* // disable /run/user/{uid}/bus */ | ||
| 561 | /* char *fnamebus; */ | ||
| 562 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
| 563 | /* errExit("asprintf"); */ | ||
| 564 | /* if (stat(fnamebus, &s) == 0) */ | ||
| 565 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
| 566 | /* free(fnamebus); */ | ||
| 566 | 567 | ||
| 567 | // WARNING: not working | 568 | // WARNING: not working |
| 568 | // disable /run/user/{uid}/kdeinit* | 569 | // disable /run/user/{uid}/kdeinit* |
| @@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) { | |||
| 593 | 594 | ||
| 594 | //more files with sockets to be blacklisted | 595 | //more files with sockets to be blacklisted |
| 595 | // /run/dbus /run/systemd /run/udev /run/lvm | 596 | // /run/dbus /run/systemd /run/udev /run/lvm |
| 596 | 597 | #endif | |
| 597 | 598 | ||
| 598 | 599 | ||
| 599 | if (getuid() != 0) { | 600 | if (getuid() != 0) { |