-rw-r--r--Makefile.in6
-rw-r--r--RELNOTES1
-rw-r--r--src/firejail/fs_home.c14
-rw-r--r--src/firejail/pulseaudio.c15
4 files changed, 35 insertions, 1 deletions
diff --git a/Makefile.in b/Makefile.in
index 8251f9882..fb6460dfd 100644
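--- a/Makefile.in
+++ b/Makefile.in
@@ -91,6 +91,10 @@ realinstall:
  install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
  # documents
  install -m 0755 -d $(DESTDIR)/$(DOCDIR)
  install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -158,7 +162,7 @@ uninstall:
  rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
  rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 
-DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 
 dist: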
diff --git a/RELNOTES b/RELNOTES
index 645d158b7..08444bc0a 100644
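--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low
  * security: split most of networking code in a separate executable
  * security: split seccomp filter code configuration in a separate executable
  * security: split file copying in private option in a separate executable
+ * security: root exploit found by Sebastian Krahmer
  * feature: disable gnupg and systemd directories under /run/user
  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
  * feature: AppImage type 2 support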
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0872bf0d0..f5e545bf3 100644
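--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -167,6 +167,13 @@ static void copy_xauthority(void) {
  char *dest;
  if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
  errExit("asprintf");
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
  // copy, set permissions and ownership
  int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
  if (rv)
@@ -185,6 +192,13 @@ static void copy_asoundrc(void) {
  char *dest;
  if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
  errExit("asprintf");
+
+ // if destination is a symbolic link, exit the sandbox!!!
+ if (is_link(dest)) {
+ fprintf(stderr, "Error: %s is a symbolic link\n", dest);
+ exit(1);
+ }
+
  // copy, set permissions and ownership
  int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR);
  if (rv)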
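Review bot: The new `is_link(dest)` test in copy_xauthority() and the `copy_file(src, dest, ...)` call after it are two separate path lookups, so the check is not bound to the file that is eventually written; the copy_asoundrc() hunk repeats the same pattern. `dest` is built under `cfg.homedir`, which the sandboxed user presumably controls, so the path can change between the two calls. If copy_file() runs with elevated privileges and opens `dest` by name (neither is visible here), it should open the destination once with `O_NOFOLLOW` (plus `O_CREAT | O_EXCL` where a fresh file is expected) and write through that descriptor, or do the copy after dropping to the user's uid. Until then a comment such as `// NOTE: advisory check only; copy_file() must not follow a symlink at dest` would record the remaining assumption. Both function bodies start and end outside the hunks shown.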
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index f890dd534..b3a22bad9 100644
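--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -133,7 +133,15 @@ void pulseaudio_init(void) {
  {;} // do nothing
  }
  }
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+ exit(1);
+ }
+ }
  free(dir1);
+
  if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
  errExit("asprintf");
  if (stat(dir1, &s) == -1) {
@@ -144,6 +152,13 @@ void pulseaudio_init(void) {
  {;} // do nothing
  }
  }
+ else {
+ // make sure the directory is owned by the user
+ if (s.st_uid != getuid()) {
+ fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+ exit(1);
+ }
+ }
  free(dir1);
 
 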
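Review bot: The added `s.st_uid != getuid()` checks in pulseaudio_init() rely on a `stat()` result, which follows symbolic links and is never tested for file type, so a `.config` or `.config/pulse` entry that is a symlink to, or a non-directory owned by, the user still passes. Consider `lstat()` for these two lookups and widening the condition to `if (!S_ISDIR(s.st_mode) || s.st_uid != getuid())`, in line with the `is_link()` rejection this commit adds in fs_home.c. The `stat()` call behind the first check is outside the hunk, so this is inferred from the visible `stat(dir1, &s)` before the second one. The ownership check and whatever later code reuses the path are separate lookups as well, so a comment naming the operations that depend on it would help the next reader.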