diff options
author | netblue30 <netblue30@yahoo.com> | 2016-09-19 13:11:59 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-09-19 13:11:59 -0400 |
commit | 83c7253a753a810240408ac2057e7c2b920a2a52 (patch) | |
tree | 33cfcccedac37ecbfaf483a27e1ae3a1aa4d9113 /src | |
parent | document blacklist-nolog (diff) | |
download | firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.gz firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.zst firejail-83c7253a753a810240408ac2057e7c2b920a2a52.zip |
--private-tmp whitelists /tmp/.X11-unix directory
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/sandbox.c | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 76efe996b..cc5483c08 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) { | |||
593 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); | 593 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); |
594 | else if (arg_overlay) | 594 | else if (arg_overlay) |
595 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); | 595 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); |
596 | else | 596 | else { |
597 | fs_private_tmp(); | 597 | // private-tmp is implemented as a whitelist |
598 | EUID_USER(); | ||
599 | profile_add("whitelist /tmp/.X11-unix"); | ||
600 | EUID_ROOT(); | ||
601 | // fs_private_tmp(); | ||
602 | } | ||
598 | } | 603 | } |
599 | 604 | ||
600 | //**************************** | 605 | //**************************** |
@@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) { | |||
606 | //**************************** | 611 | //**************************** |
607 | // apply the profile file | 612 | // apply the profile file |
608 | //**************************** | 613 | //**************************** |
609 | if (cfg.profile) { | 614 | // apply all whitelist commands ... |
610 | // apply all whitelist commands ... | 615 | if (cfg.chrootdir) |
611 | if (cfg.chrootdir) | 616 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); |
612 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); | 617 | else if (arg_overlay) |
613 | else if (arg_overlay) | 618 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); |
614 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); | 619 | else |
615 | else | 620 | fs_whitelist(); |
616 | fs_whitelist(); | 621 | |
617 | 622 | // ... followed by blacklist commands | |
618 | // ... followed by blacklist commands | 623 | fs_blacklist(); |
619 | fs_blacklist(); | ||
620 | } | ||
621 | 624 | ||
622 | //**************************** | 625 | //**************************** |
623 | // install trace | 626 | // install trace |