testing 0.9.42~rc2

author: netblue30 <netblue30@yahoo.com> 2016-08-24 09:29:39 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-24 09:29:39 -0400
commit: 1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10 (patch)
tree: a951ab073dfa608483e3c5a3013ccc892195ba89 /src
parent: Merge pull request #742 from manevich/security (diff)
download: firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.tar.gz
firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.tar.zst
firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.zip
6 files changed, 35 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a3b573acc..755ed4979 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,19 +81,23 @@
                assert(file);\
                struct stat s;\
                if (stat(file, &s) == -1) errExit("stat");\
-                assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
        do { \
                struct stat s;\
                if (stat(fd, &s) == -1) errExit("stat");\
-                assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
        } while (0)
 #define ASSERT_PERMS_STREAM(file, uid, gid, mode) \
        do { \
                int fd = fileno(file);\
                if (fd == -1) errExit("fileno");\
-                ASSERT_PERMS_FD(fd, uid, gid, mode);\
+                ASSERT_PERMS_FD(fd, uid, gid, (mode));\
        } while (0)
 // main.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 27e2a7f1a..2181a274b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1561,17 +1561,21 @@ int main(int argc, char **argv) {
                        arg_writable_var = 1;
                }
                else if (strcmp(argv[i], "--private") == 0) {
+#if 0 
         if (arg_private_template) {
            fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
            exit(1);
         }
+#endif
                        arg_private = 1;
-      }
+                }
                else if (strncmp(argv[i], "--private=", 10) == 0) {
+#if 0 
         if (arg_private_template) {
            fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
            exit(1);
         }
+#endif
                        // extract private home dirname
                        cfg.home_private = argv[i] + 10;
                        if (*cfg.home_private == '\0') {
@@ -1581,6 +1585,7 @@ int main(int argc, char **argv) {
                        fs_check_private_dir();
                        arg_private = 1;
                }
+#if 0           
      else if (strncmp(argv[i], "--private-template=", 19) == 0) {
         cfg.private_template = argv[i] + 19;
         if (arg_private) {
@@ -1594,6 +1599,7 @@ int main(int argc, char **argv) {
         fs_check_private_template();
         arg_private_template = 1;
      }
+#endif
                else if (strcmp(argv[i], "--private-dev") == 0) {
                        arg_private_dev = 1;
                }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 916e39892..ee5d8c159 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -630,7 +630,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+#if 0
   if (strncmp(ptr, "private-template ", 17) == 0) {
      if (arg_private) {
         fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
@@ -642,6 +642,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
      return 0;
   }
+#endif   
        // private /etc list of files and directories
        if (strncmp(ptr, "private-etc ", 12) == 0) {
                if (arg_writable_etc) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 40df00a98..5f845fbd3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -544,9 +544,11 @@ int sandbox(void* sandbox_arg) {
                else // --private
                        fs_private();
        }
-        
+#if 0   
   if (arg_private_template) 
      fs_private_template();
+#endif
        if (arg_private_dev) {
                if (cfg.chrootdir)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d4eab7802..363f973e8 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -221,10 +221,25 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox
        printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
        printf("\tclosed.\n\n");
        printf("    --private=directory - use directory as user home.\n\n");
+#if 0
   printf("    --private-template=directory - same as --private but copy the\n");
   printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n");
+.TP
+\fB\-\-private-template=templatedir
+Mount new /root and /home/user directories in temporary
+filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
+closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
+#endif
        printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
        printf("\tand copy the programs in the list.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 19fca9854..434c29c0f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1086,18 +1086,6 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
-\fB\-\-private-template=templatedir
-Mount new /root and /home/user directories in temporary
-filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
-closed.
-.br
-.br
-Example:
-.br
-$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
-.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 If no listed file is found, /bin directory will be empty.
author	netblue30 <netblue30@yahoo.com>	2016-08-24 09:29:39 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-24 09:29:39 -0400
commit	1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10 (patch)
tree	a951ab073dfa608483e3c5a3013ccc892195ba89 /src
parent	Merge pull request #742 from manevich/security (diff)
download	firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.tar.gz firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.tar.zst firejail-1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a3b573acc..755ed4979 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -81,19 +81,23 @@
81	assert(file);\	81	assert(file);\
82	struct stat s;\	82	struct stat s;\
83	if (stat(file, &s) == -1) errExit("stat");\	83	if (stat(file, &s) == -1) errExit("stat");\
84	assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\	84	assert(s.st_uid == uid);\
		85	assert(s.st_gid == gid);\
		86	assert((s.st_mode & 07777) == (mode));\
85	} while (0)	87	} while (0)
86	#define ASSERT_PERMS_FD(fd, uid, gid, mode) \	88	#define ASSERT_PERMS_FD(fd, uid, gid, mode) \
87	do { \	89	do { \
88	struct stat s;\	90	struct stat s;\
89	if (stat(fd, &s) == -1) errExit("stat");\	91	if (stat(fd, &s) == -1) errExit("stat");\
90	assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\	92	assert(s.st_uid == uid);\
		93	assert(s.st_gid == gid);\
		94	assert((s.st_mode & 07777) == (mode));\
91	} while (0)	95	} while (0)
92	#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \	96	#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \
93	do { \	97	do { \
94	int fd = fileno(file);\	98	int fd = fileno(file);\
95	if (fd == -1) errExit("fileno");\	99	if (fd == -1) errExit("fileno");\
96	ASSERT_PERMS_FD(fd, uid, gid, mode);\	100	ASSERT_PERMS_FD(fd, uid, gid, (mode));\
97	} while (0)	101	} while (0)
98		102
99	// main.c	103	// main.c


diff --git a/src/firejail/main.c b/src/firejail/main.c index 27e2a7f1a..2181a274b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1561,17 +1561,21 @@ int main(int argc, char **argv) {
1561	arg_writable_var = 1;	1561	arg_writable_var = 1;
1562	}	1562	}
1563	else if (strcmp(argv[i], "--private") == 0) {	1563	else if (strcmp(argv[i], "--private") == 0) {
		1564	#if 0
1564	if (arg_private_template) {	1565	if (arg_private_template) {
1565	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");	1566	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
1566	exit(1);	1567	exit(1);
1567	}	1568	}
		1569	#endif
1568	arg_private = 1;	1570	arg_private = 1;
1569	}	1571	}
1570	else if (strncmp(argv[i], "--private=", 10) == 0) {	1572	else if (strncmp(argv[i], "--private=", 10) == 0) {
		1573	#if 0
1571	if (arg_private_template) {	1574	if (arg_private_template) {
1572	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");	1575	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
1573	exit(1);	1576	exit(1);
1574	}	1577	}
		1578	#endif
1575	// extract private home dirname	1579	// extract private home dirname
1576	cfg.home_private = argv[i] + 10;	1580	cfg.home_private = argv[i] + 10;
1577	if (*cfg.home_private == '\0') {	1581	if (*cfg.home_private == '\0') {
@@ -1581,6 +1585,7 @@ int main(int argc, char **argv) {
1581	fs_check_private_dir();	1585	fs_check_private_dir();
1582	arg_private = 1;	1586	arg_private = 1;
1583	}	1587	}
		1588	#if 0
1584	else if (strncmp(argv[i], "--private-template=", 19) == 0) {	1589	else if (strncmp(argv[i], "--private-template=", 19) == 0) {
1585	cfg.private_template = argv[i] + 19;	1590	cfg.private_template = argv[i] + 19;
1586	if (arg_private) {	1591	if (arg_private) {
@@ -1594,6 +1599,7 @@ int main(int argc, char **argv) {
1594	fs_check_private_template();	1599	fs_check_private_template();
1595	arg_private_template = 1;	1600	arg_private_template = 1;
1596	}	1601	}
		1602	#endif
1597	else if (strcmp(argv[i], "--private-dev") == 0) {	1603	else if (strcmp(argv[i], "--private-dev") == 0) {
1598	arg_private_dev = 1;	1604	arg_private_dev = 1;
1599	}	1605	}


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 916e39892..ee5d8c159 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -630,7 +630,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
630	return 0;	630	return 0;
631	}	631	}
632		632
633		633	#if 0
634	if (strncmp(ptr, "private-template ", 17) == 0) {	634	if (strncmp(ptr, "private-template ", 17) == 0) {
635	if (arg_private) {	635	if (arg_private) {
636	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");	636	fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n");
@@ -642,6 +642,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
642		642
643	return 0;	643	return 0;
644	}	644	}
		645	#endif
645	// private /etc list of files and directories	646	// private /etc list of files and directories
646	if (strncmp(ptr, "private-etc ", 12) == 0) {	647	if (strncmp(ptr, "private-etc ", 12) == 0) {
647	if (arg_writable_etc) {	648	if (arg_writable_etc) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 40df00a98..5f845fbd3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -544,9 +544,11 @@ int sandbox(void* sandbox_arg) {
544	else // --private	544	else // --private
545	fs_private();	545	fs_private();
546	}	546	}
547		547
		548	#if 0
548	if (arg_private_template)	549	if (arg_private_template)
549	fs_private_template();	550	fs_private_template();
		551	#endif
550		552
551	if (arg_private_dev) {	553	if (arg_private_dev) {
552	if (cfg.chrootdir)	554	if (cfg.chrootdir)


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d4eab7802..363f973e8 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -221,10 +221,25 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox
221	printf("\tfilesystems. All modifications are discarded when the sandbox is\n");	221	printf("\tfilesystems. All modifications are discarded when the sandbox is\n");
222	printf("\tclosed.\n\n");	222	printf("\tclosed.\n\n");
223	printf(" --private=directory - use directory as user home.\n\n");	223	printf(" --private=directory - use directory as user home.\n\n");
224		224	#if 0
225	printf(" --private-template=directory - same as --private but copy the\n");	225	printf(" --private-template=directory - same as --private but copy the\n");
226	printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n");	226	printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n");
227		227
		228	.TP
		229	\fB\-\-private-template=templatedir
		230	Mount new /root and /home/user directories in temporary
		231	filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
		232	closed.
		233	.br
		234
		235	.br
		236	Example:
		237	.br
		238	$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
		239	#endif
		240
		241
		242
228	printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");	243	printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
229	printf("\tand copy the programs in the list.\n\n");	244	printf("\tand copy the programs in the list.\n\n");
230		245


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 19fca9854..434c29c0f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1086,18 +1086,6 @@ Example:
1086	$ firejail \-\-private=/home/netblue/firefox-home firefox	1086	$ firejail \-\-private=/home/netblue/firefox-home firefox
1087		1087
1088	.TP	1088	.TP
1089	\fB\-\-private-template=templatedir
1090	Mount new /root and /home/user directories in temporary
1091	filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is
1092	closed.
1093	.br
1094
1095	.br
1096	Example:
1097	.br
1098	$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox
1099
1100	.TP
1101	\fB\-\-private-bin=file,file	1089	\fB\-\-private-bin=file,file
1102	Build a new /bin in a temporary filesystem, and copy the programs in the list.	1090	Build a new /bin in a temporary filesystem, and copy the programs in the list.
1103	If no listed file is found, /bin directory will be empty.	1091	If no listed file is found, /bin directory will be empty.