diff options
author | netblue30 <netblue30@yahoo.com> | 2016-07-27 17:53:09 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-27 17:53:09 -0400 |
commit | 82c353409ab09554c2a4f3517f8e654725d8da46 (patch) | |
tree | 6cd8d462973901bb6aa1c3034b1d667d60dcc149 /src | |
parent | symlink whitelist fix (diff) | |
download | firejail-82c353409ab09554c2a4f3517f8e654725d8da46.tar.gz firejail-82c353409ab09554c2a4f3517f8e654725d8da46.tar.zst firejail-82c353409ab09554c2a4f3517f8e654725d8da46.zip |
symlink whitelist fix
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_whitelist.c | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index f94040d0f..e3668140d 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -401,6 +401,9 @@ void fs_whitelist(void) { | |||
401 | struct stat s; | 401 | struct stat s; |
402 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | 402 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) |
403 | goto errexit; | 403 | goto errexit; |
404 | |||
405 | // set nonewprivs | ||
406 | arg_nonewprivs = 1; | ||
404 | } | 407 | } |
405 | } | 408 | } |
406 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 409 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d8bd34f10..65744235e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -949,6 +949,10 @@ cannot acquire new privileges using execve(2); in particular, | |||
949 | this means that calling a suid binary (or one with file capabilities) | 949 | this means that calling a suid binary (or one with file capabilities) |
950 | does not result in an increase of privilege. | 950 | does not result in an increase of privilege. |
951 | 951 | ||
952 | --nonewprivs is enabled by default if seccomp filter is activated, or if a | ||
953 | symbolic link in user home directory pointing outside user home | ||
954 | is whitelisted. | ||
955 | |||
952 | .TP | 956 | .TP |
953 | \fB\-\-nosound | 957 | \fB\-\-nosound |
954 | Disable sound system. | 958 | Disable sound system. |