whitelist fix

author: netblue30 <netblue30@yahoo.com> 2016-07-28 08:26:27 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-28 08:26:27 -0400
commit: 2aea8f1d20d68a65ce15d9f70480aecdc81e18b1 (patch)
tree: 0526bbe73b6dd9364eb6f1eff6141c634f153b61 /src
parent: fix cyberfox profile (diff)
download: firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.tar.gz
firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.tar.zst
firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.zip
2 files changed, 2 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index e3668140d..f94040d0f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -401,9 +401,6 @@ void fs_whitelist(void) {
                                struct stat s;
                                if (stat(fname, &s) == 0 && s.st_uid != getuid())
                                        goto errexit;
-                                        
-                                // set nonewprivs
-                                arg_nonewprivs = 1;
                        }
                }
                else if (strncmp(new_name, "/tmp/", 5) == 0) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 65744235e..2ddbc9f88 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -947,11 +947,8 @@ $
 Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
-does not result in an increase of privilege.
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
--nonewprivs is enabled by default if seccomp filter is activated, or if a
-symbolic link in user home directory pointing outside user home
-is whitelisted.
 .TP
 \fB\-\-nosound
author	netblue30 <netblue30@yahoo.com>	2016-07-28 08:26:27 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-28 08:26:27 -0400
commit	2aea8f1d20d68a65ce15d9f70480aecdc81e18b1 (patch)
tree	0526bbe73b6dd9364eb6f1eff6141c634f153b61 /src
parent	fix cyberfox profile (diff)
download	firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.tar.gz firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.tar.zst firejail-2aea8f1d20d68a65ce15d9f70480aecdc81e18b1.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e3668140d..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -401,9 +401,6 @@ void fs_whitelist(void) {
401	struct stat s;	401	struct stat s;
402	if (stat(fname, &s) == 0 && s.st_uid != getuid())	402	if (stat(fname, &s) == 0 && s.st_uid != getuid())
403	goto errexit;	403	goto errexit;
404
405	// set nonewprivs
406	arg_nonewprivs = 1;
407	}	404	}
408	}	405	}
409	else if (strncmp(new_name, "/tmp/", 5) == 0) {	406	else if (strncmp(new_name, "/tmp/", 5) == 0) {


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 65744235e..2ddbc9f88 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -947,11 +947,8 @@ $
947	Sets the NO_NEW_PRIVS prctl. This ensures that child processes	947	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
948	cannot acquire new privileges using execve(2); in particular,	948	cannot acquire new privileges using execve(2); in particular,
949	this means that calling a suid binary (or one with file capabilities)	949	this means that calling a suid binary (or one with file capabilities)
950	does not result in an increase of privilege.	950	does not result in an increase of privilege. This option
951		951	is enabled by default if seccomp filter is activated.
952	--nonewprivs is enabled by default if seccomp filter is activated, or if a
953	symbolic link in user home directory pointing outside user home
954	is whitelisted.
955		952
956	.TP	953	.TP
957	\fB\-\-nosound	954	\fB\-\-nosound