-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/caps.c | 18 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rwxr-xr-x | test/apps-x11/chromium.exp | 2 | ||||
-rwxr-xr-x | test/apps/chromium.exp | 2 |
6 files changed, 16 insertions, 13 deletions
@@ -4,7 +4,8 @@ firejail (0.9.47) baseline; urgency=low | |||
4 | please use ~/Downloads directory for saving files | 4 | please use ~/Downloads directory for saving files |
5 | * modifs: AppArmor made optional; a warning is printed on the screen | 5 | * modifs: AppArmor made optional; a warning is printed on the screen |
6 | if the sandbox fails to load the AppArmor profile | 6 | if the sandbox fails to load the AppArmor profile |
7 | * feature: drop discretionary access control capabilities by default | 7 | * feature: drop discretionary access control capabilities for |
8 | root sandboxes | ||
8 | * feature: added /etc/firejail/globals.local for global customizations | 9 | * feature: added /etc/firejail/globals.local for global customizations |
9 | * feature: profile support in overlayfs mode | 10 | * feature: profile support in overlayfs mode |
10 | * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake | 11 | * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 883e8015e..ff4d3a9d7 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -248,15 +248,17 @@ void caps_print(void) { | |||
248 | } | 248 | } |
249 | } | 249 | } |
250 | 250 | ||
251 | // drop discretionary access control capabilities by default in all sandboxes | 251 | // drop discretionary access control capabilities for root sandboxes |
252 | void caps_drop_dac_override(void) { | 252 | void caps_drop_dac_override(void) { |
253 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); | 253 | if (getuid() == 0) { |
254 | else if (arg_debug) | 254 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); |
255 | printf("Drop CAP_DAC_OVERRIDE\n"); | 255 | else if (arg_debug) |
256 | 256 | printf("Drop CAP_DAC_OVERRIDE\n"); | |
257 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); | 257 | |
258 | else if (arg_debug) | 258 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); |
259 | printf("Drop CAP_DAC_READ_SEARCH\n"); | 259 | else if (arg_debug) |
260 | printf("Drop CAP_DAC_READ_SEARCH\n"); | ||
261 | } | ||
260 | } | 262 | } |
261 | 263 | ||
262 | int caps_default_filter(void) { | 264 | int caps_default_filter(void) { |
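Review bot: Both `prctl(PR_CAPBSET_DROP, ...)` calls in `caps_drop_dac_override()` keep the empty-statement form `if (prctl(...));`, so a failed drop is swallowed and the sandbox proceeds with the capability still in the bounding set, with nothing printed even when `arg_debug` is set. Now that this is the only path that drops these two capabilities, report the failure, e.g. `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)) fprintf(stderr, "Warning: cannot drop CAP_DAC_OVERRIDE\n");` and the same for `CAP_DAC_READ_SEARCH`. Separately, the new `getuid() == 0` gate leaves both capabilities in the bounding set for sandboxes started by a non-root user. Whether a setuid-root or file-capability binary executed inside such a sandbox could then acquire them depends on controls not visible in this hunk. The function comment should name the mechanism that non-root sandboxes rely on instead.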
diff --git a/src/firejail/join.c b/src/firejail/join.c index d7328a91b..4c0537413 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
242 | if (child < 0) | 242 | if (child < 0) |
243 | errExit("fork"); | 243 | errExit("fork"); |
244 | if (child == 0) { | 244 | if (child == 0) { |
245 | // drop discretionary access control capabilities by default | 245 | // drop discretionary access control capabilities for root sandboxes |
246 | caps_drop_dac_override(); | 246 | caps_drop_dac_override(); |
247 | 247 | ||
248 | // chroot into /proc/PID/root directory | 248 | // chroot into /proc/PID/root directory |
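Review bot: The reworded comment in the `child == 0` branch says "root sandboxes", but the condition actually applied is the `getuid() == 0` test inside `caps_drop_dac_override()`. In this forked child that is the real UID of the process performing the join, not a property of the sandbox being joined. A more accurate comment would be `// drop DAC capabilities from the bounding set when the joining user is root (real UID 0)`. The same wording is used at the `set_caps()` call site in src/firejail/sandbox.c, so the two call-site comments and the one in caps.c have to be kept in step by hand. `join()` begins and ends outside this hunk.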
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a32393a2..7489e7b6d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -100,7 +100,7 @@ static void set_caps(void) { | |||
100 | else if (arg_caps_default_filter) | 100 | else if (arg_caps_default_filter) |
101 | caps_default_filter(); | 101 | caps_default_filter(); |
102 | 102 | ||
103 | // drop discretionary access control capabilities by default | 103 | // drop discretionary access control capabilities for root sandboxes |
104 | caps_drop_dac_override(); | 104 | caps_drop_dac_override(); |
105 | } | 105 | } |
106 | 106 | ||
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 3ec2bc049..a7eace125 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp | |||
@@ -71,7 +71,7 @@ expect { | |||
71 | } | 71 | } |
72 | expect { | 72 | expect { |
73 | timeout {puts "TESTING ERROR 6.2\n";exit} | 73 | timeout {puts "TESTING ERROR 6.2\n";exit} |
74 | "fffffffff" | 74 | "00240000" |
75 | } | 75 | } |
76 | expect { | 76 | expect { |
77 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
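Review bot: The new expectation `"00240000"` in the 6.2 block is an unlabelled magic number matched as an unanchored pattern, so the step passes if those digits appear anywhere in the buffered output. Add a comment above the `expect {` line such as `# 0x00240000 = CAP_SYS_CHROOT (bit 18) | CAP_SYS_ADMIN (bit 21)`, so the capability set being asserted is readable; presumably this is the mask the chromium profile is meant to keep, which the page does not show. Tightening the pattern to include the field label that precedes the mask in the checked output would stop an unrelated line from satisfying it. test/apps/chromium.exp receives the identical change. The command that produces the output is outside this hunk.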
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 041918d7f..6b784e395 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp | |||
@@ -72,7 +72,7 @@ expect { | |||
72 | } | 72 | } |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 6.2\n";exit} | 74 | timeout {puts "TESTING ERROR 6.2\n";exit} |
75 | "fffffffff" | 75 | "00240000" |
76 | } | 76 | } |
77 | expect { | 77 | expect { |
78 | timeout {puts "TESTING ERROR 6.3\n";exit} | 78 | timeout {puts "TESTING ERROR 6.3\n";exit} |