authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2023-01-04 18:51:36 +0000
committerLibravatar GitHub <noreply@github.com>2023-01-04 18:51:36 +0000
commit86b4561ffbb27fc943a1ceb95ea7eecf149d36a7 (patch)
treef5380e6c00f8ce5a0aa6832f07813bd556304428 /src
parentlinuxqq: drop comment (diff)
parentMerge pull request #5564 from glitsj16/claws-mail+sylpheed (diff)
Merge branch 'netblue30:master' into linuxqq
Diffstat (limited to 'src')
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c5
-rw-r--r--src/firejail/profile.c16
-rw-r--r--src/firejail/sandbox.c9
5 files changed, 31 insertions, 1 deletions
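--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
 cawbird
 celluloid
 chafa
+chatterino
 checkbashisms
 cheese
 cherrytree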
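--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
 extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension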
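--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
 char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 			arg_apparmor = 1;
 			apparmor_profile = argv[i] + 11;
 		}
+		else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+			arg_apparmor = 1;
+			apparmor_replace = true;
+		}
 #endif
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {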
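Review bot: `--apparmor-replace` takes no argument, yet the new branch at new line 1387 matches it by prefix with `strncmp(argv[i], "--apparmor-replace", 18)`, so a mistyped `--apparmor-replace=foo` or `--apparmor-replacexyz` would silently switch the sandbox to the weaker replace mode instead of being rejected as an unknown option; an exact match, `else if (strcmp(argv[i], "--apparmor-replace") == 0) {`, is the safer test for a bare flag. The comment on the new global at new line 137, `// apparmor profile`, was carried over from the line above and does not describe the variable; suggest `// replace the AppArmor profile instead of stacking it (legacy behavior)` to match the comment in firejail.h. The body of main continues outside the hunk.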
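--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -966,6 +966,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = true;
+#endif
+		return 0;
+	}
+
+	if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = false;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 		if (checkcfg(CFG_SECCOMP)) {
 			const char *add = ptr + 9;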
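Review bot: The two new directives at new lines 969 and 977 carry no comment explaining what they change, although `apparmor-replace` selects the legacy replace mode that the sandbox.c hunk of this same commit warns "can result in relaxation of the protection", and the two directives cancel each other so the last one read wins. A short comment on each would help profile authors and reviewers of profile files: `// legacy: replace the AppArmor profile instead of stacking it (weaker isolation); last directive wins` above the first `if`, and `// default: stack the AppArmor profile (undoes an earlier apparmor-replace)` above the second. When HAVE_APPARMOR is not defined both directives return 0 and are silently accepted, which presumably mirrors how the existing `apparmor` directive is handled but is worth confirming. profile_check_line continues outside the hunk.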
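--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-		if (aa_stack_onexec(apparmor_profile)) {
+		int res = 0;
+		if(apparmor_replace){
+			fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+			res = aa_change_onexec(apparmor_profile);
+		} else {
+			res = aa_stack_onexec(apparmor_profile);
+		}
+		if (res) {
 			fwarning("Cannot confine the application using AppArmor.\n"
 				"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 				"As root, run \"aa-enforce firejail-default\" to load it.\n");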
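Review bot: `if(apparmor_replace){` at new line 134 drops the `if (...) {` spacing used by the surrounding lines of set_apparmor and by the rest of the hunk; `if (apparmor_replace) {` keeps the function consistent. The warning at new line 135 is one very long string literal, while the existing warning at new lines 141-143 splits its message into adjacent literals one sentence per line; the new message would read better written the same way, without changing its wording. The `= 0` initializer on `res` is harmless but redundant, since both branches assign it before the check at new line 140. set_apparmor continues outside the hunk.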