11 files changed, 73 insertions, 18 deletions
diff --git a/README b/README
index d08a11680..05c9408ec 100644
--- a/README
+++ b/README
@@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh)
        - clang-analyzer fixes
        - Debian reproducible build
        - unit testing framework
+Simon Peter (https://github.com/probonopd)
+        - set $APPIMAGE and $APPDIR environment variables
 maces (https://github.com/maces)
        - Franz messenger profile
 KellerFuchs (https://github.com/KellerFuchs)
diff --git a/RELNOTES b/RELNOTES
index c2552c533..04a9d7cbb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,8 @@
 firejail (0.9.41) baseline; urgency=low
  * work in progress...
+  * compile time and run time support to disable whitelists
+  * compile time support to disable global configuration file
+  * some profiles have been converted to private-bin
  * new profiles: Gitter, gThumb, mpv, Franz messenger
 -- netblue30 <netblue30@yahoo.com>  Tue, 31 May 2016 08:00:00 -0500
diff --git a/configure b/configure
index da7d370d3..ca0704e91 100755
--- a/configure
+++ b/configure
@@ -634,6 +634,7 @@ HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
+HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
@@ -692,6 +693,7 @@ enable_option_checking
 enable_seccomp
 enable_chroot
 enable_bind
+enable_globalcfg
 enable_network
 enable_userns
 enable_x11
@@ -1320,6 +1322,8 @@ Optional Features:
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
+  --disable-globalcfg     disable global config file
+                          (/etc/firejail/firejail.cfg)
  --disable-network       disable network
  --enable-network=restricted
                          restrict --net= to root only
@@ -3104,6 +3108,19 @@ if test "x$enable_bind" != "xno"; then :
 fi
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+if test "x$enable_globalcfg" != "xno"; then :
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+fi
 HAVE_NETWORK=""
 # Check whether --enable-network was given.
 if test "${enable_network+set}" = set; then :
@@ -4834,6 +4851,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
diff --git a/configure.ac b/configure.ac
index c9061f219..93e062518 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
        AC_SUBST(HAVE_BIND)
 ])
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+    AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+        AC_SUBST(HAVE_GLOBALCFG)
+])
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
    AS_HELP_STRING([--disable-network], [disable network]))
@@ -106,6 +114,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
 echo "   network: $HAVE_NETWORK"
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index a8af1a4e0..21f415ba5 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index a69c2831e..6636e7efe 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -48,8 +48,13 @@ int checkcfg(int val) {
                FILE *fp = fopen(fname, "r");
                if (!fp) {
+#ifdef HAVE_GLOBALCFG                   
                        fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
                        exit(1);
+#else
+                        initialized = 1;
+                        return  cfg_val[val];
+#endif  
                }
                
                // read configuration file
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 8cae9191c..acc03e412 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) {
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
 static void disable_firejail_config(void) {
        struct stat s;
-        if (stat("/etc/firejail", &s) == 0)
+//      if (stat("/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/etc/firejail");
+//              disable_file(BLACKLIST_FILE, "/etc/firejail");
        char *fname;
        if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(fname, &s) == 0)
                disable_file(BLACKLIST_FILE, fname);
+        free(fname);
        
-        if (stat("/usr/local/etc/firejail", &s) == 0)
+//      if (stat("/usr/local/etc/firejail", &s) == 0)
-                disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
+//              disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
+//
-        if (strcmp(PREFIX, "/usr/local")) {
+//      if (strcmp(PREFIX, "/usr/local")) {
-                if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
+//              if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-                        errExit("asprintf");
+//                      errExit("asprintf");
-                if (stat(fname, &s) == 0)
+//              if (stat(fname, &s) == 0)
-                        disable_file(BLACKLIST_FILE, fname);
+//                      disable_file(BLACKLIST_FILE, fname);
-        }
+//              free(fname);
+//      }
        
-        free(fname);
        
        // disable run time information
        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d027eb697..423df3752 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -854,7 +854,7 @@ int main(int argc, char **argv) {
        
        
        // check for force-nonewprivs in /etc/firejail/firejail.config file
-        if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
        
        // parse arguments
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index f07cf2868..b6d341bf4 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
 static inline void EUID_ROOT(void) {
        if (seteuid(0) == -1)
-                fprintf(stderr, "Error: cannot switch euid to root\n");
+                fprintf(stderr, "Warning: cannot switch euid to root\n");
 }
 static inline void EUID_USER(void) {
        if (seteuid(firejail_uid) == -1)
-                fprintf(stderr, "Error: cannot switch euid to user\n");
+                fprintf(stderr, "Warning: cannot switch euid to user\n");
 }
 static inline void EUID_PRINT(void) {
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e2e4229b0..c12bf7731 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH OPTIONS
 .TP
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 6a66c7f75..bc29dc977 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -74,6 +74,23 @@ xephyr-screen 1024x768
 .br
 xephyr-screen 1280x1024
+.TP
+\fBxephyr-window-title
+Firejail window title in Xephry, default enabled.
+.TP
+\fBxephyr-extra-params
+Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
+.br
+.br
+xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+.br
+xephyr-extra-params -grayscale
+.SH COMPILE TIME CONFIGURATION
+Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
 .SH FILES
 /etc/firejail/firejail.config

diff --git a/README b/README index d08a11680..05c9408ec 100644 --- a/README +++ b/README
@@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh)
25	- clang-analyzer fixes	25	- clang-analyzer fixes
26	- Debian reproducible build	26	- Debian reproducible build
27	- unit testing framework	27	- unit testing framework
		28	Simon Peter (https://github.com/probonopd)
		29	- set $APPIMAGE and $APPDIR environment variables
28	maces (https://github.com/maces)	30	maces (https://github.com/maces)
29	- Franz messenger profile	31	- Franz messenger profile
30	KellerFuchs (https://github.com/KellerFuchs)	32	KellerFuchs (https://github.com/KellerFuchs)


diff --git a/RELNOTES b/RELNOTES index c2552c533..04a9d7cbb 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,5 +1,8 @@
1	firejail (0.9.41) baseline; urgency=low	1	firejail (0.9.41) baseline; urgency=low
2	* work in progress...	2	* work in progress...
		3	* compile time and run time support to disable whitelists
		4	* compile time support to disable global configuration file
		5	* some profiles have been converted to private-bin
3	* new profiles: Gitter, gThumb, mpv, Franz messenger	6	* new profiles: Gitter, gThumb, mpv, Franz messenger
4	-- netblue30 <netblue30@yahoo.com> Tue, 31 May 2016 08:00:00 -0500	7	-- netblue30 <netblue30@yahoo.com> Tue, 31 May 2016 08:00:00 -0500
5		8


diff --git a/configure b/configure index da7d370d3..ca0704e91 100755 --- a/configure +++ b/configure
@@ -634,6 +634,7 @@ HAVE_FILE_TRANSFER
634	HAVE_X11	634	HAVE_X11
635	HAVE_USERNS	635	HAVE_USERNS
636	HAVE_NETWORK	636	HAVE_NETWORK
		637	HAVE_GLOBALCFG
637	HAVE_BIND	638	HAVE_BIND
638	HAVE_CHROOT	639	HAVE_CHROOT
639	HAVE_SECCOMP	640	HAVE_SECCOMP
@@ -692,6 +693,7 @@ enable_option_checking
692	enable_seccomp	693	enable_seccomp
693	enable_chroot	694	enable_chroot
694	enable_bind	695	enable_bind
		696	enable_globalcfg
695	enable_network	697	enable_network
696	enable_userns	698	enable_userns
697	enable_x11	699	enable_x11
@@ -1320,6 +1322,8 @@ Optional Features:
1320	--disable-seccomp disable seccomp	1322	--disable-seccomp disable seccomp
1321	--disable-chroot disable chroot	1323	--disable-chroot disable chroot
1322	--disable-bind disable bind	1324	--disable-bind disable bind
		1325	--disable-globalcfg disable global config file
		1326	(/etc/firejail/firejail.cfg)
1323	--disable-network disable network	1327	--disable-network disable network
1324	--enable-network=restricted	1328	--enable-network=restricted
1325	restrict --net= to root only	1329	restrict --net= to root only
@@ -3104,6 +3108,19 @@ if test "x$enable_bind" != "xno"; then :
3104		3108
3105	fi	3109	fi
3106		3110
		3111	HAVE_GLOBALCFG=""
		3112	# Check whether --enable-globalcfg was given.
		3113	if test "${enable_globalcfg+set}" = set; then :
		3114	enableval=$enable_globalcfg;
		3115	fi
		3116
		3117	if test "x$enable_globalcfg" != "xno"; then :
		3118
		3119	HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
		3120
		3121
		3122	fi
		3123
3107	HAVE_NETWORK=""	3124	HAVE_NETWORK=""
3108	# Check whether --enable-network was given.	3125	# Check whether --enable-network was given.
3109	if test "${enable_network+set}" = set; then :	3126	if test "${enable_network+set}" = set; then :
@@ -4834,6 +4851,7 @@ echo " prefix: $prefix"
4834	echo " sysconfdir: $sysconfdir"	4851	echo " sysconfdir: $sysconfdir"
4835	echo " seccomp: $HAVE_SECCOMP"	4852	echo " seccomp: $HAVE_SECCOMP"
4836	echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"	4853	echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
		4854	echo " global config: $HAVE_GLOBALCFG"
4837	echo " chroot: $HAVE_CHROOT"	4855	echo " chroot: $HAVE_CHROOT"
4838	echo " bind: $HAVE_BIND"	4856	echo " bind: $HAVE_BIND"
4839	echo " network: $HAVE_NETWORK"	4857	echo " network: $HAVE_NETWORK"


diff --git a/configure.ac b/configure.ac index c9061f219..93e062518 100644 --- a/configure.ac +++ b/configure.ac
@@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
33	AC_SUBST(HAVE_BIND)	33	AC_SUBST(HAVE_BIND)
34	])	34	])
35		35
		36	HAVE_GLOBALCFG=""
		37	AC_ARG_ENABLE([globalcfg],
		38	AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
		39	AS_IF([test "x$enable_globalcfg" != "xno"], [
		40	HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
		41	AC_SUBST(HAVE_GLOBALCFG)
		42	])
		43
36	HAVE_NETWORK=""	44	HAVE_NETWORK=""
37	AC_ARG_ENABLE([network],	45	AC_ARG_ENABLE([network],
38	AS_HELP_STRING([--disable-network], [disable network]))	46	AS_HELP_STRING([--disable-network], [disable network]))
@@ -106,6 +114,7 @@ echo " prefix: $prefix"
106	echo " sysconfdir: $sysconfdir"	114	echo " sysconfdir: $sysconfdir"
107	echo " seccomp: $HAVE_SECCOMP"	115	echo " seccomp: $HAVE_SECCOMP"
108	echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"	116	echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
		117	echo " global config: $HAVE_GLOBALCFG"
109	echo " chroot: $HAVE_CHROOT"	118	echo " chroot: $HAVE_CHROOT"
110	echo " bind: $HAVE_BIND"	119	echo " bind: $HAVE_BIND"
111	echo " network: $HAVE_NETWORK"	120	echo " network: $HAVE_NETWORK"


diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index a8af1a4e0..21f415ba5 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@
17	HAVE_X11=@HAVE_X11@	17	HAVE_X11=@HAVE_X11@
18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@	18	HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
19	HAVE_WHITELIST=@HAVE_WHITELIST@	19	HAVE_WHITELIST=@HAVE_WHITELIST@
20		20	HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
21		21
22	H_FILE_LIST = $(sort $(wildcard *.[h]))	22	H_FILE_LIST = $(sort $(wildcard *.[h]))
23	C_FILE_LIST = $(sort $(wildcard *.c))	23	C_FILE_LIST = $(sort $(wildcard *.c))
24	OBJS = $(C_FILE_LIST:.c=.o)	24	OBJS = $(C_FILE_LIST:.c=.o)
25	BINOBJS = $(foreach file, $(OBJS), $file)	25	BINOBJS = $(foreach file, $(OBJS), $file)
26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	26	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	27	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
28		28
29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h	29	%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index a69c2831e..6636e7efe 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -48,8 +48,13 @@ int checkcfg(int val) {
48		48
49	FILE *fp = fopen(fname, "r");	49	FILE *fp = fopen(fname, "r");
50	if (!fp) {	50	if (!fp) {
		51	#ifdef HAVE_GLOBALCFG
51	fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);	52	fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname);
52	exit(1);	53	exit(1);
		54	#else
		55	initialized = 1;
		56	return cfg_val[val];
		57	#endif
53	}	58	}
54		59
55	// read configuration file	60	// read configuration file


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8cae9191c..acc03e412 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) {
652	// disable firejail configuration in /etc/firejail and in ~/.config/firejail	652	// disable firejail configuration in /etc/firejail and in ~/.config/firejail
653	static void disable_firejail_config(void) {	653	static void disable_firejail_config(void) {
654	struct stat s;	654	struct stat s;
655	if (stat("/etc/firejail", &s) == 0)	655	// if (stat("/etc/firejail", &s) == 0)
656	disable_file(BLACKLIST_FILE, "/etc/firejail");	656	// disable_file(BLACKLIST_FILE, "/etc/firejail");
657		657
658	char *fname;	658	char *fname;
659	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)	659	if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
660	errExit("asprintf");	660	errExit("asprintf");
661	if (stat(fname, &s) == 0)	661	if (stat(fname, &s) == 0)
662	disable_file(BLACKLIST_FILE, fname);	662	disable_file(BLACKLIST_FILE, fname);
		663	free(fname);
663		664
664	if (stat("/usr/local/etc/firejail", &s) == 0)	665	// if (stat("/usr/local/etc/firejail", &s) == 0)
665	disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");	666	// disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
666		667	//
667	if (strcmp(PREFIX, "/usr/local")) {	668	// if (strcmp(PREFIX, "/usr/local")) {
668	if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)	669	// if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
669	errExit("asprintf");	670	// errExit("asprintf");
670	if (stat(fname, &s) == 0)	671	// if (stat(fname, &s) == 0)
671	disable_file(BLACKLIST_FILE, fname);	672	// disable_file(BLACKLIST_FILE, fname);
672	}	673	// free(fname);
		674	// }
673		675
674	free(fname);
675		676
676	// disable run time information	677	// disable run time information
677	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)	678	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)


diff --git a/src/firejail/main.c b/src/firejail/main.c index d027eb697..423df3752 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -854,7 +854,7 @@ int main(int argc, char **argv) {
854		854
855		855
856	// check for force-nonewprivs in /etc/firejail/firejail.config file	856	// check for force-nonewprivs in /etc/firejail/firejail.config file
857	if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS))	857	if (checkcfg(CFG_FORCE_NONEWPRIVS))
858	arg_nonewprivs = 1;	858	arg_nonewprivs = 1;
859		859
860	// parse arguments	860	// parse arguments


diff --git a/src/include/euid_common.h b/src/include/euid_common.h index f07cf2868..b6d341bf4 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h
@@ -36,12 +36,12 @@ extern uid_t firejail_uid;
36		36
37	static inline void EUID_ROOT(void) {	37	static inline void EUID_ROOT(void) {
38	if (seteuid(0) == -1)	38	if (seteuid(0) == -1)
39	fprintf(stderr, "Error: cannot switch euid to root\n");	39	fprintf(stderr, "Warning: cannot switch euid to root\n");
40	}	40	}
41		41
42	static inline void EUID_USER(void) {	42	static inline void EUID_USER(void) {
43	if (seteuid(firejail_uid) == -1)	43	if (seteuid(firejail_uid) == -1)
44	fprintf(stderr, "Error: cannot switch euid to user\n");	44	fprintf(stderr, "Warning: cannot switch euid to user\n");
45	}	45	}
46		46
47	static inline void EUID_PRINT(void) {	47	static inline void EUID_PRINT(void) {


diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index e2e4229b0..c12bf7731 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt
@@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop
10	menus and icons.	10	menus and icons.
11		11
12	The symbolic links are placed in /usr/local/bin. For more information, see	12	The symbolic links are placed in /usr/local/bin. For more information, see
13	DESKTOP INTEGRATION section in man 1 firejail.	13	\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
14		14
15	.SH OPTIONS	15	.SH OPTIONS
16	.TP	16	.TP


diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 6a66c7f75..bc29dc977 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt
@@ -74,6 +74,23 @@ xephyr-screen 1024x768
74	.br	74	.br
75	xephyr-screen 1280x1024	75	xephyr-screen 1280x1024
76		76
		77	.TP
		78	\fBxephyr-window-title
		79	Firejail window title in Xephry, default enabled.
		80
		81	.TP
		82	\fBxephyr-extra-params
		83	Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
		84	.br
		85
		86	.br
		87	xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
		88	.br
		89	xephyr-extra-params -grayscale
		90
		91	.SH COMPILE TIME CONFIGURATION
		92	Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
		93
77	.SH FILES	94	.SH FILES
78	/etc/firejail/firejail.config	95	/etc/firejail/firejail.config
79		96