--private-tmp whitelists /tmp/.X11-unix directory

author: netblue30 <netblue30@yahoo.com> 2016-09-19 13:11:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-09-19 13:11:59 -0400
commit: 83c7253a753a810240408ac2057e7c2b920a2a52 (patch)
tree: 33cfcccedac37ecbfaf483a27e1ae3a1aa4d9113 /src
parent: document blacklist-nolog (diff)
download: firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.gz
firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.zst
firejail-83c7253a753a810240408ac2057e7c2b920a2a52.zip
1 files changed, 17 insertions, 14 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 76efe996b..cc5483c08 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) {
                        fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
                else if (arg_overlay)
                        fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
-                else
+                else {
-                        fs_private_tmp();
+                        // private-tmp is implemented as a whitelist
+                        EUID_USER();
+                        profile_add("whitelist /tmp/.X11-unix");
+                        EUID_ROOT();
+//                      fs_private_tmp();
+                }
        }
        
        //****************************
@@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // apply the profile file
        //****************************
-        if (cfg.profile) {
+        // apply all whitelist commands ... 
-                // apply all whitelist commands ... 
+        if (cfg.chrootdir)
-                if (cfg.chrootdir)
+                fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
-                        fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
+        else if (arg_overlay)
-                else if (arg_overlay)
+                fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
-                        fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
+        else
-                else
+                fs_whitelist();
-                        fs_whitelist();
+        
-                
+        // ... followed by blacklist commands
-                // ... followed by blacklist commands
+        fs_blacklist();
-                fs_blacklist();
-        }
        
        //****************************
        // install trace
author	netblue30 <netblue30@yahoo.com>	2016-09-19 13:11:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-09-19 13:11:59 -0400
commit	83c7253a753a810240408ac2057e7c2b920a2a52 (patch)
tree	33cfcccedac37ecbfaf483a27e1ae3a1aa4d9113 /src
parent	document blacklist-nolog (diff)
download	firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.gz firejail-83c7253a753a810240408ac2057e7c2b920a2a52.tar.zst firejail-83c7253a753a810240408ac2057e7c2b920a2a52.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 76efe996b..cc5483c08 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) {
593	fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");	593	fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n");
594	else if (arg_overlay)	594	else if (arg_overlay)
595	fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");	595	fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n");
596	else	596	else {
597	fs_private_tmp();	597	// private-tmp is implemented as a whitelist
		598	EUID_USER();
		599	profile_add("whitelist /tmp/.X11-unix");
		600	EUID_ROOT();
		601	// fs_private_tmp();
		602	}
598	}	603	}
599		604
600	//****************************	605	//****************************
@@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) {
606	//****************************	611	//****************************
607	// apply the profile file	612	// apply the profile file
608	//****************************	613	//****************************
609	if (cfg.profile) {	614	// apply all whitelist commands ...
610	// apply all whitelist commands ...	615	if (cfg.chrootdir)
611	if (cfg.chrootdir)	616	fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");
612	fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n");	617	else if (arg_overlay)
613	else if (arg_overlay)	618	fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");
614	fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n");	619	else
615	else	620	fs_whitelist();
616	fs_whitelist();	621
617		622	// ... followed by blacklist commands
618	// ... followed by blacklist commands	623	fs_blacklist();
619	fs_blacklist();
620	}
621		624
622	//****************************	625	//****************************
623	// install trace	626	// install trace