removed CFG_CHROOT_DESKTOP config option

author: netblue30 <netblue30@yahoo.com> 2018-06-11 12:55:56 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-06-11 12:55:56 -0400
commit: a67dd36c4bf86536a163975fdb53db078e6bfed9 (patch)
tree: ea88da99f04576bc98fe493087574e0c26d5a874
parent: give fontforge access to python (diff)
download: firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.tar.gz
firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.tar.zst
firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.zip
5 files changed, 68 insertions, 85 deletions
diff --git a/RELNOTES b/RELNOTES
index da2d8527d..67cda39e3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.55) baseline; urgency=low
  * work in progress
+  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * support full paths in private-lib
  * globbing support in private-lib
 -- netblue30 <netblue30@yahoo.com>  Fri, 25 May 2018 08:00:00 -0500
diff --git a/etc/firejail.config b/etc/firejail.config
index 0cd4dca3a..1f47f77d0 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -18,11 +18,6 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
-# Use chroot for desktop programs, default enabled. The sandbox will have full
-# access to system's /dev directory in order to allow video acceleration,
-# and it will harden the rest of the chroot tree.
-# chroot-desktop yes
 # Enable or disable dbus handling by --nodbus flag, default enabled.
 # dbus yes
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index ac3ad7cd8..68e93e16e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -331,14 +331,6 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
-                                if (strcmp(ptr + 15, "yes") == 0)
-                                        cfg_val[CFG_CHROOT_DESKTOP] = 1;
-                                else if (strcmp(ptr + 15, "no") == 0)
-                                        cfg_val[CFG_CHROOT_DESKTOP] = 0;
-                                else
-                                        goto errout;
-                        }
                        else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
                                if (strcmp(ptr + 21, "yes") == 0)
                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 18d66b983..e2a780d77 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -740,7 +740,6 @@ enum {
        CFG_WHITELIST,
        CFG_XEPHYR_WINDOW_TITLE,
        CFG_OVERLAYFS,
-        CFG_CHROOT_DESKTOP,
        CFG_PRIVATE_HOME,
        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_FIREJAIL_PROMPT,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4e411c5ee..2546ab0bb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1199,63 +1199,61 @@ void fs_check_chroot_dir(const char *rootdir) {
 void fs_chroot(const char *rootdir) {
        assert(rootdir);
-        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+        // mount-bind a /dev in rootdir
-                // mount-bind a /dev in rootdir
+        char *newdev;
-                char *newdev;
+        if (asprintf(&newdev, "%s/dev", rootdir) == -1)
-                if (asprintf(&newdev, "%s/dev", rootdir) == -1)
+                errExit("asprintf");
+        if (arg_debug)
+                printf("Mounting /dev on %s\n", newdev);
+        if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /dev");
+        free(newdev);
+        // x11
+        if (getenv("FIREJAIL_X11")) {
+                char *newx11;
+                if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
                        errExit("asprintf");
                if (arg_debug)
-                        printf("Mounting /dev on %s\n", newdev);
+                        printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev");
+                        errExit("mounting /tmp/.X11-unix");
-                free(newdev);
+                free(newx11);
+        }
-                // x11
-                if (getenv("FIREJAIL_X11")) {
-                        char *newx11;
-                        if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
-                                errExit("asprintf");
-                        if (arg_debug)
-                                printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                        if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mounting /tmp/.X11-unix");
-                        free(newx11);
-                }
-                // some older distros don't have a /run directory
+        // some older distros don't have a /run directory
-                // create one by default
+        // create one by default
-                // create /run/firejail directory in chroot
+        // create /run/firejail directory in chroot
-                char *rundir;
+        char *rundir;
-                if (asprintf(&rundir, "%s/run", rootdir) == -1)
+        if (asprintf(&rundir, "%s/run", rootdir) == -1)
-                        errExit("asprintf");
+                errExit("asprintf");
-                if (is_link(rundir)) {
+        if (is_link(rundir)) {
-                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
+                fprintf(stderr, "Error: invalid run directory inside chroot\n");
-                        exit(1);
+                exit(1);
-                }
+        }
-                create_empty_dir_as_root(rundir, 0755);
+        create_empty_dir_as_root(rundir, 0755);
-                free(rundir);
+        free(rundir);
-                if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
+        if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
-                        errExit("asprintf");
+                errExit("asprintf");
-                create_empty_dir_as_root(rundir, 0755);
+        create_empty_dir_as_root(rundir, 0755);
-                free(rundir);
+        free(rundir);
-                // create /run/firejail/mnt directory in chroot and mount the current one
+        // create /run/firejail/mnt directory in chroot and mount the current one
-                if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
+        if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
-                        errExit("asprintf");
+                errExit("asprintf");
-                create_empty_dir_as_root(rundir, 0755);
+        create_empty_dir_as_root(rundir, 0755);
-                if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
+                errExit("mount bind");
-                // copy /etc/resolv.conf in chroot directory
+        // copy /etc/resolv.conf in chroot directory
-                char *fname;
+        char *fname;
-                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
+        if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
-                        errExit("asprintf");
+                errExit("asprintf");
-                if (arg_debug)
+        if (arg_debug)
-                        printf("Updating /etc/resolv.conf in %s\n", fname);
+                printf("Updating /etc/resolv.conf in %s\n", fname);
-                unlink(fname);
+        unlink(fname);
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
+        if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
-                        fwarning("/etc/resolv.conf not initialized\n");
+                fwarning("/etc/resolv.conf not initialized\n");
-        }
        // chroot into the new directory
 #ifdef HAVE_GCOV
@@ -1275,30 +1273,28 @@ void fs_chroot(const char *rootdir) {
        // create all other /run/firejail files and directories
        preproc_build_firejail_dir();
-        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+        // update /var directory in order to support multiple sandboxes running on the same root directory
-                // update /var directory in order to support multiple sandboxes running on the same root directory
 //              if (!arg_private_dev)
 //                      fs_dev_shm();
-                fs_var_lock();
+        fs_var_lock();
-                if (!arg_keep_var_tmp)
+        if (!arg_keep_var_tmp)
-                        fs_var_tmp();
+                fs_var_tmp();
-                if (!arg_writable_var_log)
+        if (!arg_writable_var_log)
-                        fs_var_log();
+                fs_var_log();
-                else
+        else
-                        fs_rdwr("/var/log");
+                fs_rdwr("/var/log");
-                fs_var_lib();
+        fs_var_lib();
-                fs_var_cache();
+        fs_var_cache();
-                fs_var_utmp();
+        fs_var_utmp();
-                fs_machineid();
+        fs_machineid();
-                // don't leak user information
+        // don't leak user information
-                restrict_users();
+        restrict_users();
-                // when starting as root, firejail config is not disabled;
+        // when starting as root, firejail config is not disabled;
-                if (getuid() != 0)
+        if (getuid() != 0)
-                        disable_config();
+                disable_config();
-        }
 }
 #endif
author	netblue30 <netblue30@yahoo.com>	2018-06-11 12:55:56 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-06-11 12:55:56 -0400
commit	a67dd36c4bf86536a163975fdb53db078e6bfed9 (patch)
tree	ea88da99f04576bc98fe493087574e0c26d5a874
parent	give fontforge access to python (diff)
download	firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.tar.gz firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.tar.zst firejail-a67dd36c4bf86536a163975fdb53db078e6bfed9.zip

diff --git a/RELNOTES b/RELNOTES index da2d8527d..67cda39e3 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,5 +1,6 @@
1	firejail (0.9.55) baseline; urgency=low	1	firejail (0.9.55) baseline; urgency=low
2	* work in progress	2	* work in progress
		3	* modif: removed CFG_CHROOT_DESKTOP configuration option
3	* support full paths in private-lib	4	* support full paths in private-lib
4	* globbing support in private-lib	5	* globbing support in private-lib
5	-- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500	6	-- netblue30 <netblue30@yahoo.com> Fri, 25 May 2018 08:00:00 -0500


diff --git a/etc/firejail.config b/etc/firejail.config index 0cd4dca3a..1f47f77d0 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -18,11 +18,6 @@
18	# Enable or disable chroot support, default enabled.	18	# Enable or disable chroot support, default enabled.
19	# chroot yes	19	# chroot yes
20		20
21	# Use chroot for desktop programs, default enabled. The sandbox will have full
22	# access to system's /dev directory in order to allow video acceleration,
23	# and it will harden the rest of the chroot tree.
24	# chroot-desktop yes
25
26	# Enable or disable dbus handling by --nodbus flag, default enabled.	21	# Enable or disable dbus handling by --nodbus flag, default enabled.
27	# dbus yes	22	# dbus yes
28		23


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index ac3ad7cd8..68e93e16e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -331,14 +331,6 @@ int checkcfg(int val) {
331	else	331	else
332	goto errout;	332	goto errout;
333	}	333	}
334	else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
335	if (strcmp(ptr + 15, "yes") == 0)
336	cfg_val[CFG_CHROOT_DESKTOP] = 1;
337	else if (strcmp(ptr + 15, "no") == 0)
338	cfg_val[CFG_CHROOT_DESKTOP] = 0;
339	else
340	goto errout;
341	}
342	else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {	334	else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
343	if (strcmp(ptr + 21, "yes") == 0)	335	if (strcmp(ptr + 21, "yes") == 0)
344	cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;	336	cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 18d66b983..e2a780d77 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -740,7 +740,6 @@ enum {
740	CFG_WHITELIST,	740	CFG_WHITELIST,
741	CFG_XEPHYR_WINDOW_TITLE,	741	CFG_XEPHYR_WINDOW_TITLE,
742	CFG_OVERLAYFS,	742	CFG_OVERLAYFS,
743	CFG_CHROOT_DESKTOP,
744	CFG_PRIVATE_HOME,	743	CFG_PRIVATE_HOME,
745	CFG_PRIVATE_BIN_NO_LOCAL,	744	CFG_PRIVATE_BIN_NO_LOCAL,
746	CFG_FIREJAIL_PROMPT,	745	CFG_FIREJAIL_PROMPT,


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4e411c5ee..2546ab0bb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -1199,63 +1199,61 @@ void fs_check_chroot_dir(const char *rootdir) {
1199	void fs_chroot(const char *rootdir) {	1199	void fs_chroot(const char *rootdir) {
1200	assert(rootdir);	1200	assert(rootdir);
1201		1201
1202	if (checkcfg(CFG_CHROOT_DESKTOP)) {	1202	// mount-bind a /dev in rootdir
1203	// mount-bind a /dev in rootdir	1203	char *newdev;
1204	char *newdev;	1204	if (asprintf(&newdev, "%s/dev", rootdir) == -1)
1205	if (asprintf(&newdev, "%s/dev", rootdir) == -1)	1205	errExit("asprintf");
		1206	if (arg_debug)
		1207	printf("Mounting /dev on %s\n", newdev);
		1208	if (mount("/dev", newdev, NULL, MS_BIND\|MS_REC, NULL) < 0)
		1209	errExit("mounting /dev");
		1210	free(newdev);
		1211
		1212	// x11
		1213	if (getenv("FIREJAIL_X11")) {
		1214	char *newx11;
		1215	if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
1206	errExit("asprintf");	1216	errExit("asprintf");
1207	if (arg_debug)	1217	if (arg_debug)
1208	printf("Mounting /dev on %s\n", newdev);	1218	printf("Mounting /tmp/.X11-unix on %s\n", newx11);
1209	if (mount("/dev", newdev, NULL, MS_BIND\|MS_REC, NULL) < 0)	1219	if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND\|MS_REC, NULL) < 0)
1210	errExit("mounting /dev");	1220	errExit("mounting /tmp/.X11-unix");
1211	free(newdev);	1221	free(newx11);
1212		1222	}
1213	// x11
1214	if (getenv("FIREJAIL_X11")) {
1215	char *newx11;
1216	if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
1217	errExit("asprintf");
1218	if (arg_debug)
1219	printf("Mounting /tmp/.X11-unix on %s\n", newx11);
1220	if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND\|MS_REC, NULL) < 0)
1221	errExit("mounting /tmp/.X11-unix");
1222	free(newx11);
1223	}
1224		1223
1225	// some older distros don't have a /run directory	1224	// some older distros don't have a /run directory
1226	// create one by default	1225	// create one by default
1227	// create /run/firejail directory in chroot	1226	// create /run/firejail directory in chroot
1228	char *rundir;	1227	char *rundir;
1229	if (asprintf(&rundir, "%s/run", rootdir) == -1)	1228	if (asprintf(&rundir, "%s/run", rootdir) == -1)
1230	errExit("asprintf");	1229	errExit("asprintf");
1231	if (is_link(rundir)) {	1230	if (is_link(rundir)) {
1232	fprintf(stderr, "Error: invalid run directory inside chroot\n");	1231	fprintf(stderr, "Error: invalid run directory inside chroot\n");
1233	exit(1);	1232	exit(1);
1234	}	1233	}
1235	create_empty_dir_as_root(rundir, 0755);	1234	create_empty_dir_as_root(rundir, 0755);
1236	free(rundir);	1235	free(rundir);
1237	if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)	1236	if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
1238	errExit("asprintf");	1237	errExit("asprintf");
1239	create_empty_dir_as_root(rundir, 0755);	1238	create_empty_dir_as_root(rundir, 0755);
1240	free(rundir);	1239	free(rundir);
1241		1240
1242	// create /run/firejail/mnt directory in chroot and mount the current one	1241	// create /run/firejail/mnt directory in chroot and mount the current one
1243	if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)	1242	if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
1244	errExit("asprintf");	1243	errExit("asprintf");
1245	create_empty_dir_as_root(rundir, 0755);	1244	create_empty_dir_as_root(rundir, 0755);
1246	if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND\|MS_REC, NULL) < 0)	1245	if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND\|MS_REC, NULL) < 0)
1247	errExit("mount bind");	1246	errExit("mount bind");
1248		1247
1249	// copy /etc/resolv.conf in chroot directory	1248	// copy /etc/resolv.conf in chroot directory
1250	char *fname;	1249	char *fname;
1251	if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)	1250	if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
1252	errExit("asprintf");	1251	errExit("asprintf");
1253	if (arg_debug)	1252	if (arg_debug)
1254	printf("Updating /etc/resolv.conf in %s\n", fname);	1253	printf("Updating /etc/resolv.conf in %s\n", fname);
1255	unlink(fname);	1254	unlink(fname);
1256	if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed	1255	if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
1257	fwarning("/etc/resolv.conf not initialized\n");	1256	fwarning("/etc/resolv.conf not initialized\n");
1258	}
1259		1257
1260	// chroot into the new directory	1258	// chroot into the new directory
1261	#ifdef HAVE_GCOV	1259	#ifdef HAVE_GCOV
@@ -1275,30 +1273,28 @@ void fs_chroot(const char *rootdir) {
1275	// create all other /run/firejail files and directories	1273	// create all other /run/firejail files and directories
1276	preproc_build_firejail_dir();	1274	preproc_build_firejail_dir();
1277		1275
1278	if (checkcfg(CFG_CHROOT_DESKTOP)) {	1276	// update /var directory in order to support multiple sandboxes running on the same root directory
1279	// update /var directory in order to support multiple sandboxes running on the same root directory
1280	// if (!arg_private_dev)	1277	// if (!arg_private_dev)
1281	// fs_dev_shm();	1278	// fs_dev_shm();
1282	fs_var_lock();	1279	fs_var_lock();
1283	if (!arg_keep_var_tmp)	1280	if (!arg_keep_var_tmp)
1284	fs_var_tmp();	1281	fs_var_tmp();
1285	if (!arg_writable_var_log)	1282	if (!arg_writable_var_log)
1286	fs_var_log();	1283	fs_var_log();
1287	else	1284	else
1288	fs_rdwr("/var/log");	1285	fs_rdwr("/var/log");
1289		1286
1290	fs_var_lib();	1287	fs_var_lib();
1291	fs_var_cache();	1288	fs_var_cache();
1292	fs_var_utmp();	1289	fs_var_utmp();
1293	fs_machineid();	1290	fs_machineid();
1294		1291
1295	// don't leak user information	1292	// don't leak user information
1296	restrict_users();	1293	restrict_users();
1297		1294
1298	// when starting as root, firejail config is not disabled;	1295	// when starting as root, firejail config is not disabled;
1299	if (getuid() != 0)	1296	if (getuid() != 0)
1300	disable_config();	1297	disable_config();
1301	}
1302	}	1298	}
1303	#endif	1299	#endif
1304		1300