author: netblue30 <netblue30@yahoo.com> 2016-08-24 09:29:39 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-24 09:29:39 -0400
commit: 1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10
tree: a951ab073dfa608483e3c5a3013ccc892195ba89
parent: Merge pull request #742 from manevich/security
testing 0.9.42~rc2
-rw-r--r-- Makefile.in 2
-rw-r--r-- README 1
-rw-r--r-- README.md 21
-rw-r--r-- RELNOTES 20
-rw-r--r-- src/firejail/firejail.h 10
-rw-r--r-- src/firejail/main.c 8
-rw-r--r-- src/firejail/profile.c 3
-rw-r--r-- src/firejail/sandbox.c 4
-rw-r--r-- src/firejail/usage.c 17
-rw-r--r-- src/man/firejail.txt 12
10 files changed, 49 insertions, 49 deletions
diff --git a/Makefile.in b/Makefile.in
index d1b3d3be8..803769f3f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -204,5 +204,5 @@ test-network:
204test-fs: 204test-fs:
205 cd test/fs; ./fs.sh | grep TESTING 205 cd test/fs; ./fs.sh | grep TESTING
206 206
207test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters 207test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters
208 echo "TEST COMPLETE" 208 echo "TEST COMPLETE"
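Review bot: test-sysutils is dropped from the prerequisites of the test target at line 207, so "make test" no longer runs the sysutils suite that the README.md section removed in this same commit showed failing (cpio, gzip, xzdec, xz, tar). That makes the aggregate target pass without the failures being fixed, and RELNOTES still lists xz, xzdec, gzip, cpio, less and tar as shipped profiles. If the suite is skipped on purpose for the release candidate, say so in the commit message or in a comment beside the target so it is re-enabled before release.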
diff --git a/README b/README
index fe9ddaaae..c8cdbb6d8 100644
--- a/README
+++ b/README
@@ -39,6 +39,7 @@ Aleksey Manevich (https://github.com/manevich)
39 - Busybox support 39 - Busybox support
40 - X11 support rewrite 40 - X11 support rewrite
41 - gether shell selection code in one place 41 - gether shell selection code in one place
42 - fixed several TOCTOU security problems
42greigdp (https://github.com/greigdp) 43greigdp (https://github.com/greigdp)
43 - Gajim IM client profile 44 - Gajim IM client profile
44 - fix Slack profile 45 - fix Slack profile
diff --git a/README.md b/README.md
index 14dcd4d56..6785e3f7a 100644
--- a/README.md
+++ b/README.md
@@ -38,27 +38,6 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
38 38
39Version 0.9.41~rc1 was released. 39Version 0.9.41~rc1 was released.
40 40
41# Branch status: unstable
42
43A number of problems are being worked on. This is the output of "make test":
44`````
45[...]
46cd test/sysutils; ./sysutils.sh | grep TESTING
47TESTING: cpio
48netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1
49TESTING: gzip
50netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1
51TESTING: xzdec
52netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1
53TESTING: xz
54netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1
55TESTING: less
56TESTING: file
57TESTING: tar
58netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1
59[...]
60`````
61
62## Deprecated --user 41## Deprecated --user
63 42
64--user option was deprecated, please use "sudo -u username firejail application" instead. 43--user option was deprecated, please use "sudo -u username firejail application" instead.
diff --git a/RELNOTES b/RELNOTES
index cc0c1489c..674c9de5e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,12 +3,14 @@ firejail (0.9.42~rc2) baseline; urgency=low
3 * security: disable x32 ABI in seccomp, submitted by Jann Horn 3 * security: disable x32 ABI in seccomp, submitted by Jann Horn
4 * security: tighten --chroot, submitted by Jann Horn 4 * security: tighten --chroot, submitted by Jann Horn
5 * security: terminal sandbox escape, submitted by Stephan Sokolow 5 * security: terminal sandbox escape, submitted by Stephan Sokolow
6 * modifs: deprecated --user option, please use "sudo -u username firejail" instead 6 * security: several TOCTOU fixes submitted by Aleksey Manevich
7 * modifs: deprecated --user option, please use "sudo -u username firejail"
7 * modifs: allow symlinks in home directory for --whitelist option 8 * modifs: allow symlinks in home directory for --whitelist option
8 * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" 9 * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
9 * modifs: recursive mkdir 10 * modifs: recursive mkdir
10 * modifs: include /dev/snd in --private-dev 11 * modifs: include /dev/snd in --private-dev
11 * modifs: seccomp filter update 12 * modifs: seccomp filter update
13 * modifs: release archives moved to .xz format
12 * feature: AppImage support (--appimage) 14 * feature: AppImage support (--appimage)
13 * feature: AppArmor support (--apparmor) 15 * feature: AppArmor support (--apparmor)
14 * feature: Ubuntu snap support (/etc/firejail/snap.profile) 16 * feature: Ubuntu snap support (/etc/firejail/snap.profile)
@@ -17,7 +19,8 @@ firejail (0.9.42~rc2) baseline; urgency=low
17 * feature: noexec support (--noexec) 19 * feature: noexec support (--noexec)
18 * feature: clean local overlay storage directory (--overlay-clean) 20 * feature: clean local overlay storage directory (--overlay-clean)
19 * feature: store and reuse overlay (--overlay-named) 21 * feature: store and reuse overlay (--overlay-named)
20 * feature: allow debugging inside the sandbox with gdb and strace (--allow-debuggers) 22 * feature: allow debugging inside the sandbox with gdb and strace
23 (--allow-debuggers)
21 * feature: mkfile profile command 24 * feature: mkfile profile command
22 * feature: quiet profile command 25 * feature: quiet profile command
23 * feature: x11 profile command 26 * feature: x11 profile command
@@ -29,13 +32,14 @@ firejail (0.9.42~rc2) baseline; urgency=low
29 * run time: enable/disable quiet as default (quiet-by-default yes/no) 32 * run time: enable/disable quiet as default (quiet-by-default yes/no)
30 * run time: user-defined network filter (netfilter-default) 33 * run time: user-defined network filter (netfilter-default)
31 * run time: enable/disable whitelisting (whitelist yes/no) 34 * run time: enable/disable whitelisting (whitelist yes/no)
32 * run time: enable/disable remounting of /proc and /sys (remount-proc-sys yes/no) 35 * run time: enable/disable remounting of /proc and /sys
36 (remount-proc-sys yes/no)
33 * run time: enable/disable chroot desktop features (chroot-desktop yes/no) 37 * run time: enable/disable chroot desktop features (chroot-desktop yes/no)
34 * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice 38 * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
35 * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less 39 * profiles: pix, audacity, xz, xzdec, gzip, cpio, less
36 * new profiles: Atom Beta, Atom, jitsi, eom, uudeview 40 * profiles: Atom Beta, Atom, jitsi, eom, uudeview
37 * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, 41 * profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
38 * new profiles: inox, Slack, gnome-chess. Gajim IM client 42 * profiles: inox, Slack, gnome-chess. Gajim IM client
39 -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500 43 -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500
40 44
41firejail (0.9.40) baseline; urgency=low 45firejail (0.9.40) baseline; urgency=low
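Review bot: in the renamed "profiles:" list, new line 41 ends with a dangling comma after skypeforlinux and new line 42 reads "gnome-chess. Gajim IM client" with a period where every other entry is comma-separated. Since these lines are rewritten here anyway, drop the trailing comma and use a comma before Gajim. The signature line at 43 also still carries the date Thu, 21 Jul 2016 although the entry is being extended in this commit.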
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a3b573acc..755ed4979 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,19 +81,23 @@
81 assert(file);\ 81 assert(file);\
82 struct stat s;\ 82 struct stat s;\
83 if (stat(file, &s) == -1) errExit("stat");\ 83 if (stat(file, &s) == -1) errExit("stat");\
84 assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ 84 assert(s.st_uid == uid);\
85 assert(s.st_gid == gid);\
86 assert((s.st_mode & 07777) == (mode));\
85 } while (0) 87 } while (0)
86#define ASSERT_PERMS_FD(fd, uid, gid, mode) \ 88#define ASSERT_PERMS_FD(fd, uid, gid, mode) \
87 do { \ 89 do { \
88 struct stat s;\ 90 struct stat s;\
89 if (stat(fd, &s) == -1) errExit("stat");\ 91 if (stat(fd, &s) == -1) errExit("stat");\
90 assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ 92 assert(s.st_uid == uid);\
93 assert(s.st_gid == gid);\
94 assert((s.st_mode & 07777) == (mode));\
91 } while (0) 95 } while (0)
92#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \ 96#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \
93 do { \ 97 do { \
94 int fd = fileno(file);\ 98 int fd = fileno(file);\
95 if (fd == -1) errExit("fileno");\ 99 if (fd == -1) errExit("fileno");\
96 ASSERT_PERMS_FD(fd, uid, gid, mode);\ 100 ASSERT_PERMS_FD(fd, uid, gid, (mode));\
97 } while (0) 101 } while (0)
98 102
99// main.c 103// main.c
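Review bot: ASSERT_PERMS_FD (new lines 88-95) still calls stat(fd, &s) on an integer descriptor; stat() takes a pathname, so this should be fstat(fd, &s), otherwise neither this macro nor ASSERT_PERMS_STREAM, which expands to it, checks the file that is actually open. While the assert is being split, parenthesize uid and gid the same way mode now is, for example assert(s.st_uid == (uid)), so an expression argument cannot change the comparison. These ownership and mode checks are also built on assert(), so they disappear entirely in a build with NDEBUG defined; if they are meant as a security check rather than a debugging aid, use an explicit test that calls errExit.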
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 27e2a7f1a..2181a274b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1561,17 +1561,21 @@ int main(int argc, char **argv) {
1561 arg_writable_var = 1; 1561 arg_writable_var = 1;
1562 } 1562 }
1563 else if (strcmp(argv[i], "--private") == 0) { 1563 else if (strcmp(argv[i], "--private") == 0) {
1564#if 0
1564 if (arg_private_template) { 1565 if (arg_private_template) {
1565 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); 1566 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
1566 exit(1); 1567 exit(1);
1567 } 1568 }
1569#endif
1568 arg_private = 1; 1570 arg_private = 1;
1569 } 1571 }
1570 else if (strncmp(argv[i], "--private=", 10) == 0) { 1572 else if (strncmp(argv[i], "--private=", 10) == 0) {
1573#if 0
1571 if (arg_private_template) { 1574 if (arg_private_template) {
1572 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); 1575 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
1573 exit(1); 1576 exit(1);
1574 } 1577 }
1578#endif
1575 // extract private home dirname 1579 // extract private home dirname
1576 cfg.home_private = argv[i] + 10; 1580 cfg.home_private = argv[i] + 10;
1577 if (*cfg.home_private == '\0') { 1581 if (*cfg.home_private == '\0') {
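Review bot: the #if 0 blocks at 1564-1569 and 1573-1578 compile out the --private / --private-template exclusivity check with no comment explaining why or when it comes back, and the commit message does not mention that --private-template is being disabled. The same bare #if 0 is repeated in the later hunks of this file and in profile.c, sandbox.c and usage.c, which makes the feature hard to re-enable consistently. Either delete the code and rely on history, or guard all of these sites with one named feature macro and a one-line comment stating the reason.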
@@ -1581,6 +1585,7 @@ int main(int argc, char **argv) {
1581 fs_check_private_dir(); 1585 fs_check_private_dir();
1582 arg_private = 1; 1586 arg_private = 1;
1583 } 1587 }
1588#if 0
1584 else if (strncmp(argv[i], "--private-template=", 19) == 0) { 1589 else if (strncmp(argv[i], "--private-template=", 19) == 0) {
1585 cfg.private_template = argv[i] + 19; 1590 cfg.private_template = argv[i] + 19;
1586 if (arg_private) { 1591 if (arg_private) {
@@ -1594,6 +1599,7 @@ int main(int argc, char **argv) {
1594 fs_check_private_template(); 1599 fs_check_private_template();
1595 arg_private_template = 1; 1600 arg_private_template = 1;
1596 } 1601 }
1602#endif
1597 else if (strcmp(argv[i], "--private-dev") == 0) { 1603 else if (strcmp(argv[i], "--private-dev") == 0) {
1598 arg_private_dev = 1; 1604 arg_private_dev = 1;
1599 } 1605 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 916e39892..ee5d8c159 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -630,7 +630,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
630 return 0; 630 return 0;
631 } 631 }
632 632
633 633#if 0
634 if (strncmp(ptr, "private-template ", 17) == 0) { 634 if (strncmp(ptr, "private-template ", 17) == 0) {
635 if (arg_private) { 635 if (arg_private) {
636 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); 636 fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
@@ -642,6 +642,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
642 642
643 return 0; 643 return 0;
644 } 644 }
645#endif
645 // private /etc list of files and directories 646 // private /etc list of files and directories
646 if (strncmp(ptr, "private-etc ", 12) == 0) { 647 if (strncmp(ptr, "private-etc ", 12) == 0) {
647 if (arg_writable_etc) { 648 if (arg_writable_etc) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 40df00a98..5f845fbd3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -544,9 +544,11 @@ int sandbox(void* sandbox_arg) {
544 else // --private 544 else // --private
545 fs_private(); 545 fs_private();
546 } 546 }
547 547
548#if 0
548 if (arg_private_template) 549 if (arg_private_template)
549 fs_private_template(); 550 fs_private_template();
551#endif
550 552
551 if (arg_private_dev) { 553 if (arg_private_dev) {
552 if (cfg.chrootdir) 554 if (cfg.chrootdir)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d4eab7802..363f973e8 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -221,10 +221,25 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox
221 printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); 221 printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
222 printf("\tclosed.\n\n"); 222 printf("\tclosed.\n\n");
223 printf(" --private=directory - use directory as user home.\n\n"); 223 printf(" --private=directory - use directory as user home.\n\n");
224 224#if 0
225 printf(" --private-template=directory - same as --private but copy the\n"); 225 printf(" --private-template=directory - same as --private but copy the\n");
226 printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); 226 printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n");
227 227
228.TP
229\fB\-\-private-template=templatedir
230Mount new /root and /home/user directories in temporary
231filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
232closed.
233.br
234
235.br
236Example:
237.br
238$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
239#endif
240
241
242
228 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); 243 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
229 printf("\tand copy the programs in the list.\n\n"); 244 printf("\tand copy the programs in the list.\n\n");
230 245
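Review bot: new lines 228-238 are troff man-page source (.TP, \fB\-\-private-template=templatedir, .br) matching the entry removed from src/man/firejail.txt in this commit, pasted into a C file between printf calls. It only compiles because it sits inside #if 0, and it leaves usage.c carrying text in a second markup language. Keep the C file to the two disabled printf lines, park the man text in the man source as troff comments if it needs to be preserved, and drop the three blank lines added at 240-242.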
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 19fca9854..434c29c0f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1086,18 +1086,6 @@ Example:
1086$ firejail \-\-private=/home/netblue/firefox-home firefox 1086$ firejail \-\-private=/home/netblue/firefox-home firefox
1087 1087
1088.TP 1088.TP
1089\fB\-\-private-template=templatedir
1090Mount new /root and /home/user directories in temporary
1091filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
1092closed.
1093.br
1094
1095.br
1096Example:
1097.br
1098$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
1099
1100.TP
1101\fB\-\-private-bin=file,file 1089\fB\-\-private-bin=file,file
1102Build a new /bin in a temporary filesystem, and copy the programs in the list. 1090Build a new /bin in a temporary filesystem, and copy the programs in the list.
1103If no listed file is found, /bin directory will be empty. 1091If no listed file is found, /bin directory will be empty.