-rw-r--r--README1
-rw-r--r--RELNOTES1
-rw-r--r--etc/firejail.config3
-rw-r--r--src/firejail/checkcfg.c11
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/sandbox.c9
6 files changed, 24 insertions, 4 deletions
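--- a/README
+++ b/README
@@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich)
  - gether shell selection code in one place
 greigdp (https://github.com/greigdp)
  - Gajim IM client profile
+ - fix Slack profile
 Icaro Perseo (https://github.com/icaroperseo)
  - Icecat profile
  - several profile fixes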
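--- a/RELNOTES
+++ b/RELNOTES
@@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * seccomp filter updated
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
+ * run time support to disable remounting of /proc and /sys
  * added quiet-by-default config option in /etc/firejail/firejail.config
  * added netfilter-default config option in /etc/firejail/firejail.config
  * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice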
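--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,6 +3,9 @@
 # Most features are enabled by default. Use 'yes' or 'no' as configuration
 # values.
 
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
 # Enable or disable bind support, default enabled.
 # bind yes
 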
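Review bot: The new comment for `remount-proc-sys` says what the option does but not what an administrator gives up by setting it to `no`. Going by the sandbox.c changes in this same commit, `no` skips the `fs_proc_sys_dev_boot()` call entirely and makes the sandbox monitor stop scanning /proc for remaining child processes, so the sandbox presumably keeps the /proc and /sys view it inherited. I would add a line such as `# Setting this to 'no' weakens isolation: /proc and /sys are left as inherited and child-process monitoring is cut short.` so the trade-off is visible where the option is set.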
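--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
- EUID_ASSERT();
  assert(val < CFG_MAX);
  int line = 0;
 
@@ -38,7 +37,6 @@ int checkcfg(int val) {
  int i;
  for (i = 0; i < CFG_MAX; i++)
  cfg_val[i] = 1; // most of them are enabled by default
-
  cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
  cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 
@@ -226,6 +224,15 @@ int checkcfg(int val) {
  if (strcmp(ptr + 17, "yes") == 0)
  arg_quiet = 1;
  }
+ // remount /proc and /sys
+ else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+ if (strcmp(ptr + 17, "yes") == 0)
+ cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+ else if (strcmp(ptr + 17, "no") == 0)
+ cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+ else
+ goto errout;
+ }
  else
  goto errout;
 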
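Review bot: Dropping `EUID_ASSERT();` from the top of `checkcfg` (first hunk) removes the check for every caller, not just the new ones in sandbox.c, and nothing in the new code records why that is safe. The default-initialisation loop in the second hunk suggests that `checkcfg` parses the configuration file on its first call, so that first call can now presumably run in whatever privilege state the caller happens to be in. If the assertion only had to go because of the new calls from `sandbox()` and `monitor_application()`, consider keeping `EUID_ASSERT();` inside the first-use initialisation branch, or add a comment such as `// may be called with elevated privileges once the config has been parsed`. The body of `checkcfg` extends beyond all three hunks, so the initialisation branch itself is not visible here.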
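--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;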
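--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) {
  if (arg_debug)
  printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
 
+ // if /proc is not remounted, we cannot check /proc directory,
+ // for now we just get out of here
+ // todo: find another way of checking child processes!
+ if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+ break;
+
  DIR *dir;
  if (!(dir = opendir("/proc"))) {
  // sleep 2 seconds and try again
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) {
  //****************************
  // update /proc, /sys, /dev, /boot directorymy
  //****************************
- fs_proc_sys_dev_boot();
+ if (checkcfg(CFG_REMOUNT_PROC_SYS))
+ fs_proc_sys_dev_boot();
 
  //****************************
  // apply the profile file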
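Review bot: In `sandbox()` the new `if (checkcfg(CFG_REMOUNT_PROC_SYS))` guards the whole of `fs_proc_sys_dev_boot()`, which by its name and the banner comment above it also covers /dev and /boot. So `remount-proc-sys no` presumably drops that handling as well, which is more than the option name and the firejail.config comment promise. Either narrow the guard to the /proc and /sys part inside `fs_proc_sys_dev_boot()` (its body is not shown here), or state the wider effect in a comment, e.g. `// remount-proc-sys no also skips the /dev and /boot handling in fs_proc_sys_dev_boot()`. Both `sandbox()` and `monitor_application()` start and end outside the hunks.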