10 files changed, 157 insertions, 37 deletions
diff --git a/README b/README
index 7384a8c99..368feb827 100644
--- a/README
+++ b/README
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare)
 PizzaDude (https://github.com/pizzadude)
        - add mpv support to smplayer
        - added profile for torbrowser-launcher
+        - added profile for sayonara and qmmp
 probonopd (https://github.com/probonopd)
        - automatic build on Travis CI
 pshpsh (https://github.com/pshpsh)
diff --git a/README.md b/README.md
index cb040852a..854e02cd1 100644
--- a/README.md
+++ b/README.md
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.
 thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
 enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
 aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
-AnyDesk, webstorm, xmind
+AnyDesk, webstorm, xmind, qmmp, sayonara
diff --git a/RELNOTES b/RELNOTES
index 4945e3d3c..f73793740 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -34,6 +34,7 @@ firejail (0.9.54~rc1) baseline; urgency=low
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
  * added sandbox name support in firemon
+  * firemon/prctl enhancements
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
@@ -43,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low
  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
-  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
+  * new profiles: qmmp, sayonara
 -- netblue30 <netblue30@yahoo.com>  Sun, 6 May 2018 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ea334c289..c7605d660 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Natron
 blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
 blacklist ${HOME}/.Skype
 blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/qmmp.profile b/etc/qmmp.profile
new file mode 100644
index 000000000..d785ddbbe
--- /dev/null
+++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for qmmp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/qmmp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.qmmp
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+# no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin qmmp
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sayonara.profile b/etc/sayonara.profile
new file mode 100644
index 000000000..756bd99eb
--- /dev/null
+++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/sayonara.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.Sayonara
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin sayonara
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 88f92ad74..f3ed67928 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -484,29 +484,44 @@ void fs_rdonly(const char *dir) {
 static void fs_rdwr(const char *dir) {
        assert(dir);
-        // check directory exists
+        // check directory exists and ensure we have a resolved path
+        // the resolved path allows to run a sanity check after the mount
+        char *path = realpath(dir, NULL);
+        if (path == NULL)
+                return;
+        // allow only user owned directories, except the user is root
+        uid_t u = getuid();
        struct stat s;
-        int rv = stat(dir, &s);
+        int rv = stat(path, &s);
-        if (rv == 0) {
+        if (rv) {
-                // if the file is outside /home directory, allow only root user
+                free(path);
-                uid_t u = getuid();
+                return;
-                if (u != 0 && s.st_uid != u) {
+        }
-                        fwarning("you are not allowed to change %s to read-write\n", dir);
+        if (u != 0 && s.st_uid != u) {
-                        return;
+                fwarning("you are not allowed to change %s to read-write\n", path);
-                }
+                free(path);
+                return;
-                // mount --bind /bin /bin
+        }
-                // mount --bind -o remount,rw /bin
+        // mount --bind /bin /bin
-                unsigned long flags = 0;
+        // mount --bind -o remount,rw /bin
-                get_mount_flags(dir, &flags);
+        unsigned long flags = 0;
-                if ((flags & MS_RDONLY) == 0)
+        get_mount_flags(path, &flags);
-                        return;
+        if ((flags & MS_RDONLY) == 0) {
-                flags &= ~MS_RDONLY;
+                free(path);
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                return;
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", dir);
        }
+        flags &= ~MS_RDONLY;
+        if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+            mount(NULL, path, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                errExit("mount read-write");
+        fs_logger2("read-write", path);
+        // run a check on /proc/self/mountinfo to validate the mount
+        MountData *mptr = get_last_mount();
+        if (strncmp(mptr->dir, path, strlen(path)) != 0)
+                errLogExit("invalid read-write mount");
+        free(path);
 }
 void fs_noexec(const char *dir) {
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index eaaba86c0..15d44e4cc 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -178,10 +178,10 @@ void pulseaudio_init(void) {
                // check /proc/self/mountinfo to confirm the mount is ok
                MountData *mptr = get_last_mount();
-                if (strncmp(mptr->dir, homeusercfg, strlen(homeusercfg)) != 0)
+                if (strcmp(mptr->dir, homeusercfg) != 0)
-                        errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);
+                        errLogExit("invalid pulseaudio mount");
-                if (strncmp(mptr->fstype, "tmpfs", 5) != 0)
+                if (strcmp(mptr->fstype, "tmpfs") != 0)
-                        errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);
+                        errLogExit("invalid pulseaudio mount");
                char *p;
                if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0eace3215..ec8775370 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1196,10 +1196,11 @@ void x11_xorg(void) {
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
-        if (strncmp(mptr->dir, dest, strlen(dest)) != 0)
+        if (strcmp(mptr->dir, dest) != 0)
-                errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, dest);
+                errLogExit("invalid .Xauthority mount");
-        if (strncmp(mptr->fstype, "tmpfs", 5) != 0)
+        if (strcmp(mptr->fstype, "tmpfs") != 0)
-                errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);
+                errLogExit("invalid .Xauthority mount");
        free(dest);
 #endif
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 301e5397b..5b16191be 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -94,10 +94,21 @@ static int pid_is_firejail(pid_t pid) {
                // list of firejail arguments that don't trigger sandbox creation
                // the initial -- is not included
                char *exclude_args[] = {
-                        "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",
+                        // all print options
-                        "debug-errnos", "debug-protocols", "protocol.print",  "debug.caps",
+                        "apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print",
-                        "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",
+                        "netfilter6.print", "profile.print", "protocol.print", "seccomp.print",
-                        "fs.print", "get", "overlay-clean", NULL
+                        // debug
+                        "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls",
+                        // file transfer
+                        "ls", "get", "put",
+                        // stats
+                        "tree", "list", "top",
+                        // network
+                        "netstats", "bandwidth",
+                        // etc
+                        "help", "version", "overlay-clean",
+                        NULL // end of list marker
                };
                int i;
@@ -291,6 +302,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                                child %= max_pids;
                                                pids[child].level = pids[pid].level + 1;
                                                pids[child].uid = pid_get_uid(child);
+                                                pids[child].parent = pid;
                                        }
                                        sprintf(lineptr, " fork");
                                        break;
@@ -318,12 +330,22 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                        sprintf(lineptr, " exit");
                                        break;
                                case PROC_EVENT_UID:
                                        pid = proc_ev->event_data.id.process_tgid;
 #ifdef DEBUG_PRCTL
        printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " uid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " uid (%d:%d)",
+                                                        proc_ev->event_data.id.r.ruid,
+                                                        proc_ev->event_data.id.e.euid);
                                        break;
                                case PROC_EVENT_GID:
@@ -331,9 +353,19 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 #ifdef DEBUG_PRCTL
        printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " gid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " gid (%d:%d)",
+                                                        proc_ev->event_data.id.r.rgid,
+                                                        proc_ev->event_data.id.e.egid);
                                        break;
                                case PROC_EVENT_SID:
                                        pid = proc_ev->event_data.sid.process_tgid;
 #ifdef DEBUG_PRCTL

diff --git a/README b/README index 7384a8c99..368feb827 100644 --- a/README +++ b/README
@@ -435,6 +435,7 @@ Pixel Fairy (https://github.com/xahare)
435	PizzaDude (https://github.com/pizzadude)	435	PizzaDude (https://github.com/pizzadude)
436	- add mpv support to smplayer	436	- add mpv support to smplayer
437	- added profile for torbrowser-launcher	437	- added profile for torbrowser-launcher
		438	- added profile for sayonara and qmmp
438	probonopd (https://github.com/probonopd)	439	probonopd (https://github.com/probonopd)
439	- automatic build on Travis CI	440	- automatic build on Travis CI
440	pshpsh (https://github.com/pshpsh)	441	pshpsh (https://github.com/pshpsh)


diff --git a/README.md b/README.md index cb040852a..854e02cd1 100644 --- a/README.md +++ b/README.md
@@ -376,4 +376,4 @@ gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.
376	thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,	376	thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant,
377	enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,	377	enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack,
378	aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,	378	aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor,
379	AnyDesk, webstorm, xmind	379	AnyDesk, webstorm, xmind, qmmp, sayonara


diff --git a/RELNOTES b/RELNOTES index 4945e3d3c..f73793740 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -34,6 +34,7 @@ firejail (0.9.54~rc1) baseline; urgency=low
34	* private-dev support for overlay and chroot sandboxes	34	* private-dev support for overlay and chroot sandboxes
35	* private-tmp support for overlay and chroot sandboxes	35	* private-tmp support for overlay and chroot sandboxes
36	* added sandbox name support in firemon	36	* added sandbox name support in firemon
		37	* firemon/prctl enhancements
37	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,	38	* new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
38	* new profiles: discord-canary, pycharm-community, pycharm-professional,	39	* new profiles: discord-canary, pycharm-community, pycharm-professional,
39	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,	40	* new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
@@ -43,7 +44,8 @@ firejail (0.9.54~rc1) baseline; urgency=low
43	* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,	44	* new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
44	* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,	45	* new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
45	* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,	46	* new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
46	* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind	47	* new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
		48	* new profiles: qmmp, sayonara
47	-- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500	49	-- netblue30 <netblue30@yahoo.com> Sun, 6 May 2018 08:00:00 -0500
48		50
49	firejail (0.9.52) baseline; urgency=low	51	firejail (0.9.52) baseline; urgency=low


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ea334c289..c7605d660 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -16,6 +16,7 @@ blacklist ${HOME}/.LuminanceHDR
16	blacklist ${HOME}/.Mathematica	16	blacklist ${HOME}/.Mathematica
17	blacklist ${HOME}/.Natron	17	blacklist ${HOME}/.Natron
18	blacklist ${HOME}/.PyCharm*	18	blacklist ${HOME}/.PyCharm*
		19	blacklist ${HOME}/.Sayonara
19	blacklist ${HOME}/.Skype	20	blacklist ${HOME}/.Skype
20	blacklist ${HOME}/.Steam	21	blacklist ${HOME}/.Steam
21	blacklist ${HOME}/.Steampath	22	blacklist ${HOME}/.Steampath
@@ -465,6 +466,7 @@ blacklist ${HOME}/.passwd-s3fs
465	blacklist ${HOME}/.pingus	466	blacklist ${HOME}/.pingus
466	blacklist ${HOME}/.purple	467	blacklist ${HOME}/.purple
467	blacklist ${HOME}/.qemu-launcher	468	blacklist ${HOME}/.qemu-launcher
		469	blacklist ${HOME}/.qmmp
468	blacklist ${HOME}/.redeclipse	470	blacklist ${HOME}/.redeclipse
469	blacklist ${HOME}/.remmina	471	blacklist ${HOME}/.remmina
470	blacklist ${HOME}/.repo_.gitconfig.json	472	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/qmmp.profile b/etc/qmmp.profile new file mode 100644 index 000000000..d785ddbbe --- /dev/null +++ b/etc/qmmp.profile
@@ -0,0 +1,34 @@
		1	# Firejail profile for qmmp
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/qmmp.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.qmmp
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	# no3d
		18	nodbus
		19	nogroups
		20	nonewprivs
		21	noroot
		22	notv
		23	novideo
		24	protocol unix,inet,inet6
		25	seccomp
		26	shell none
		27	tracelog
		28
		29	private-bin qmmp
		30	private-dev
		31	private-tmp
		32
		33	noexec ${HOME}
		34	noexec /tmp


diff --git a/etc/sayonara.profile b/etc/sayonara.profile new file mode 100644 index 000000000..756bd99eb --- /dev/null +++ b/etc/sayonara.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for sayonara player
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/sayonara.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8	noblacklist ${HOME}/.Sayonara
		9
		10	include /etc/firejail/disable-common.inc
		11	include /etc/firejail/disable-devel.inc
		12	include /etc/firejail/disable-passwdmgr.inc
		13	include /etc/firejail/disable-programs.inc
		14
		15	caps.drop all
		16	netfilter
		17	no3d
		18	nogroups
		19	nonewprivs
		20	noroot
		21	notv
		22	novideo
		23	protocol unix,inet,inet6
		24	seccomp
		25	shell none
		26	tracelog
		27
		28	private-bin sayonara
		29	private-dev
		30	private-tmp
		31
		32	noexec ${HOME}
		33	noexec /tmp


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 88f92ad74..f3ed67928 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -484,29 +484,44 @@ void fs_rdonly(const char *dir) {
484		484
485	static void fs_rdwr(const char *dir) {	485	static void fs_rdwr(const char *dir) {
486	assert(dir);	486	assert(dir);
487	// check directory exists	487	// check directory exists and ensure we have a resolved path
		488	// the resolved path allows to run a sanity check after the mount
		489	char *path = realpath(dir, NULL);
		490	if (path == NULL)
		491	return;
		492	// allow only user owned directories, except the user is root
		493	uid_t u = getuid();
488	struct stat s;	494	struct stat s;
489	int rv = stat(dir, &s);	495	int rv = stat(path, &s);
490	if (rv == 0) {	496	if (rv) {
491	// if the file is outside /home directory, allow only root user	497	free(path);
492	uid_t u = getuid();	498	return;
493	if (u != 0 && s.st_uid != u) {	499	}
494	fwarning("you are not allowed to change %s to read-write\n", dir);	500	if (u != 0 && s.st_uid != u) {
495	return;	501	fwarning("you are not allowed to change %s to read-write\n", path);
496	}	502	free(path);
497		503	return;
498	// mount --bind /bin /bin	504	}
499	// mount --bind -o remount,rw /bin	505	// mount --bind /bin /bin
500	unsigned long flags = 0;	506	// mount --bind -o remount,rw /bin
501	get_mount_flags(dir, &flags);	507	unsigned long flags = 0;
502	if ((flags & MS_RDONLY) == 0)	508	get_mount_flags(path, &flags);
503	return;	509	if ((flags & MS_RDONLY) == 0) {
504	flags &= ~MS_RDONLY;	510	free(path);
505	if (mount(dir, dir, NULL, MS_BIND\|MS_REC, NULL) < 0 \|\|	511	return;
506	mount(NULL, dir, NULL, flags\|MS_BIND\|MS_REMOUNT\|MS_REC, NULL) < 0)
507	errExit("mount read-write");
508	fs_logger2("read-write", dir);
509	}	512	}
		513	flags &= ~MS_RDONLY;
		514	if (mount(path, path, NULL, MS_BIND\|MS_REC, NULL) < 0 \|\|
		515	mount(NULL, path, NULL, flags\|MS_BIND\|MS_REMOUNT\|MS_REC, NULL) < 0)
		516	errExit("mount read-write");
		517	fs_logger2("read-write", path);
		518
		519	// run a check on /proc/self/mountinfo to validate the mount
		520	MountData *mptr = get_last_mount();
		521	if (strncmp(mptr->dir, path, strlen(path)) != 0)
		522	errLogExit("invalid read-write mount");
		523
		524	free(path);
510	}	525	}
511		526
512	void fs_noexec(const char *dir) {	527	void fs_noexec(const char *dir) {


diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index eaaba86c0..15d44e4cc 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c
@@ -178,10 +178,10 @@ void pulseaudio_init(void) {
178		178
179	// check /proc/self/mountinfo to confirm the mount is ok	179	// check /proc/self/mountinfo to confirm the mount is ok
180	MountData *mptr = get_last_mount();	180	MountData *mptr = get_last_mount();
181	if (strncmp(mptr->dir, homeusercfg, strlen(homeusercfg)) != 0)	181	if (strcmp(mptr->dir, homeusercfg) != 0)
182	errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);	182	errLogExit("invalid pulseaudio mount");
183	if (strncmp(mptr->fstype, "tmpfs", 5) != 0)	183	if (strcmp(mptr->fstype, "tmpfs") != 0)
184	errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);	184	errLogExit("invalid pulseaudio mount");
185		185
186	char *p;	186	char *p;
187	if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)	187	if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 0eace3215..ec8775370 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -1196,10 +1196,11 @@ void x11_xorg(void) {
1196		1196
1197	// check /proc/self/mountinfo to confirm the mount is ok	1197	// check /proc/self/mountinfo to confirm the mount is ok
1198	MountData *mptr = get_last_mount();	1198	MountData *mptr = get_last_mount();
1199	if (strncmp(mptr->dir, dest, strlen(dest)) != 0)	1199	if (strcmp(mptr->dir, dest) != 0)
1200	errLogExit("invalid mount on top of %s (should be %s)\n", mptr->dir, dest);	1200	errLogExit("invalid .Xauthority mount");
1201	if (strncmp(mptr->fstype, "tmpfs", 5) != 0)	1201	if (strcmp(mptr->fstype, "tmpfs") != 0)
1202	errLogExit("invalid mount on top of %s (filesystem type is %s)\n", mptr->dir, mptr->fstype);	1202	errLogExit("invalid .Xauthority mount");
		1203
1203	free(dest);	1204	free(dest);
1204	#endif	1205	#endif
1205	}	1206	}


diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 301e5397b..5b16191be 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c
@@ -94,10 +94,21 @@ static int pid_is_firejail(pid_t pid) {
94	// list of firejail arguments that don't trigger sandbox creation	94	// list of firejail arguments that don't trigger sandbox creation
95	// the initial -- is not included	95	// the initial -- is not included
96	char *exclude_args[] = {	96	char *exclude_args[] = {
97	"ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",	97	// all print options
98	"debug-errnos", "debug-protocols", "protocol.print", "debug.caps",	98	"apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print",
99	"shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",	99	"netfilter6.print", "profile.print", "protocol.print", "seccomp.print",
100	"fs.print", "get", "overlay-clean", NULL	100	// debug
		101	"debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls",
		102	// file transfer
		103	"ls", "get", "put",
		104	// stats
		105	"tree", "list", "top",
		106	// network
		107	"netstats", "bandwidth",
		108	// etc
		109	"help", "version", "overlay-clean",
		110
		111	NULL // end of list marker
101	};	112	};
102		113
103	int i;	114	int i;
@@ -291,6 +302,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
291	child %= max_pids;	302	child %= max_pids;
292	pids[child].level = pids[pid].level + 1;	303	pids[child].level = pids[pid].level + 1;
293	pids[child].uid = pid_get_uid(child);	304	pids[child].uid = pid_get_uid(child);
		305	pids[child].parent = pid;
294	}	306	}
295	sprintf(lineptr, " fork");	307	sprintf(lineptr, " fork");
296	break;	308	break;
@@ -318,12 +330,22 @@ static int procevent_monitor(const int sock, pid_t mypid) {
318	sprintf(lineptr, " exit");	330	sprintf(lineptr, " exit");
319	break;	331	break;
320		332
		333
		334
321	case PROC_EVENT_UID:	335	case PROC_EVENT_UID:
322	pid = proc_ev->event_data.id.process_tgid;	336	pid = proc_ev->event_data.id.process_tgid;
323	#ifdef DEBUG_PRCTL	337	#ifdef DEBUG_PRCTL
324	printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid);	338	printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid);
325	#endif	339	#endif
326	sprintf(lineptr, " uid ");	340	if (pids[pid].level == 1 \|\|
		341	pids[pids[pid].parent].level == 1) {
		342	sprintf(lineptr, "\n");
		343	continue;
		344	}
		345	else
		346	sprintf(lineptr, " uid (%d:%d)",
		347	proc_ev->event_data.id.r.ruid,
		348	proc_ev->event_data.id.e.euid);
327	break;	349	break;
328		350
329	case PROC_EVENT_GID:	351	case PROC_EVENT_GID:
@@ -331,9 +353,19 @@ static int procevent_monitor(const int sock, pid_t mypid) {
331	#ifdef DEBUG_PRCTL	353	#ifdef DEBUG_PRCTL
332	printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid);	354	printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid);
333	#endif	355	#endif
334	sprintf(lineptr, " gid ");	356	if (pids[pid].level == 1 \|\|
		357	pids[pids[pid].parent].level == 1) {
		358	sprintf(lineptr, "\n");
		359	continue;
		360	}
		361	else
		362	sprintf(lineptr, " gid (%d:%d)",
		363	proc_ev->event_data.id.r.rgid,
		364	proc_ev->event_data.id.e.egid);
335	break;	365	break;
336		366
		367
		368
337	case PROC_EVENT_SID:	369	case PROC_EVENT_SID:
338	pid = proc_ev->event_data.sid.process_tgid;	370	pid = proc_ev->event_data.sid.process_tgid;
339	#ifdef DEBUG_PRCTL	371	#ifdef DEBUG_PRCTL