disable gnupg and systemd directories under /run/user

author: netblue30 <netblue30@yahoo.com> 2016-12-09 09:21:30 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-12-09 09:21:30 -0500
commit: 0c5aa59b932c22798980899e1cd4df72badc8bbd (patch)
tree: 8410fd2549ca3666be312bd9e734efaacfca997a /src
parent: Merge pull request #963 from Fred-Barclay/wireshark (diff)
download: firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.gz
firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.zst
firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.zip
1 files changed, 15 insertions, 14 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 905d2903d..84dc9046c 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) {
        struct stat s;
-        // breaks too many applications, option needed
-        /* // disable /run/user/{uid}/bus */
-        /* char *fnamebus; */
-        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
-        /*     errExit("asprintf"); */
-        /* if (stat(fnamebus, &s) == 0) */
-        /*     disable_file(BLACKLIST_FILE, fnamebus); */
-        /* free(fnamebus); */
        // disable /run/user/{uid}/gnupg
        char *fnamegpg;
        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
-            errExit("asprintf");
+                errExit("asprintf");
        if (stat(fnamegpg, &s) == 0)
-            disable_file(BLACKLIST_FILE, fnamegpg);
+                disable_file(BLACKLIST_FILE, fnamegpg);
        free(fnamegpg);
        // disable /run/user/{uid}/systemd
        char *fnamesysd;
        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
-            errExit("asprintf");
+                errExit("asprintf");
        if (stat(fnamesysd, &s) == 0)
-            disable_file(BLACKLIST_FILE, fnamesysd);
+                disable_file(BLACKLIST_FILE, fnamesysd);
        free(fnamesysd);
+// todo: investigate
+#if 0
+        // breaks too many applications, option needed
+        /* // disable /run/user/{uid}/bus */
+        /* char *fnamebus; */
+        /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+        /*     errExit("asprintf"); */
+        /* if (stat(fnamebus, &s) == 0) */
+        /*     disable_file(BLACKLIST_FILE, fnamebus); */
+        /* free(fnamebus); */
        // WARNING: not working
        // disable /run/user/{uid}/kdeinit*
@@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) {
        
        //more files with sockets to be blacklisted
        //  /run/dbus /run/systemd /run/udev /run/lvm
+#endif
        
        
        if (getuid() != 0) {
author	netblue30 <netblue30@yahoo.com>	2016-12-09 09:21:30 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-12-09 09:21:30 -0500
commit	0c5aa59b932c22798980899e1cd4df72badc8bbd (patch)
tree	8410fd2549ca3666be312bd9e734efaacfca997a /src
parent	Merge pull request #963 from Fred-Barclay/wireshark (diff)
download	firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.gz firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.tar.zst firejail-0c5aa59b932c22798980899e1cd4df72badc8bbd.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 905d2903d..84dc9046c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) {
538	struct stat s;	538	struct stat s;
539		539
540		540
541	// breaks too many applications, option needed
542	/* // disable /run/user/{uid}/bus */
543	/* char fnamebus; /
544	/* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
545	/* errExit("asprintf"); */
546	/* if (stat(fnamebus, &s) == 0) */
547	/* disable_file(BLACKLIST_FILE, fnamebus); */
548	/* free(fnamebus); */
549
550	// disable /run/user/{uid}/gnupg	541	// disable /run/user/{uid}/gnupg
551	char *fnamegpg;	542	char *fnamegpg;
552	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)	543	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
553	errExit("asprintf");	544	errExit("asprintf");
554	if (stat(fnamegpg, &s) == 0)	545	if (stat(fnamegpg, &s) == 0)
555	disable_file(BLACKLIST_FILE, fnamegpg);	546	disable_file(BLACKLIST_FILE, fnamegpg);
556	free(fnamegpg);	547	free(fnamegpg);
557		548
558	// disable /run/user/{uid}/systemd	549	// disable /run/user/{uid}/systemd
559	char *fnamesysd;	550	char *fnamesysd;
560	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)	551	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
561	errExit("asprintf");	552	errExit("asprintf");
562	if (stat(fnamesysd, &s) == 0)	553	if (stat(fnamesysd, &s) == 0)
563	disable_file(BLACKLIST_FILE, fnamesysd);	554	disable_file(BLACKLIST_FILE, fnamesysd);
564	free(fnamesysd);	555	free(fnamesysd);
565		556
		557	// todo: investigate
		558	#if 0
		559	// breaks too many applications, option needed
		560	/* // disable /run/user/{uid}/bus */
		561	/* char fnamebus; /
		562	/* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
		563	/* errExit("asprintf"); */
		564	/* if (stat(fnamebus, &s) == 0) */
		565	/* disable_file(BLACKLIST_FILE, fnamebus); */
		566	/* free(fnamebus); */
566		567
567	// WARNING: not working	568	// WARNING: not working
568	// disable /run/user/{uid}/kdeinit*	569	// disable /run/user/{uid}/kdeinit*
@@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) {
593		594
594	//more files with sockets to be blacklisted	595	//more files with sockets to be blacklisted
595	// /run/dbus /run/systemd /run/udev /run/lvm	596	// /run/dbus /run/systemd /run/udev /run/lvm
596		597	#endif
597		598
598		599
599	if (getuid() != 0) {	600	if (getuid() != 0) {