aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--RELNOTES1
-rw-r--r--etc/firejail.config3
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/profile.c2
-rw-r--r--src/firejail/sandbox.c9
7 files changed, 6 insertions, 21 deletions
diff --git a/RELNOTES b/RELNOTES
index fb6b414c5..2c8b43433 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.51) baseline; urgency=low
3 * modif: --allow-private-blacklists was deprecated; blacklisting, 3 * modif: --allow-private-blacklists was deprecated; blacklisting,
4 read-only, read-write, tmpfs and noexec are allowed in 4 read-only, read-write, tmpfs and noexec are allowed in
5 private home directories 5 private home directories
6 * modif: remount-proc-sys deprecated from firejail.config
6 * enhancement: support Firejail user config directory in firecfg 7 * enhancement: support Firejail user config directory in firecfg
7 * enhancement: disable DBus activation in firecfg 8 * enhancement: disable DBus activation in firecfg
8 * enhancement; enumerate root directories in apparmor profile 9 * enhancement; enumerate root directories in apparmor profile
diff --git a/etc/firejail.config b/etc/firejail.config
index b597ed603..26f2dedfc 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -69,9 +69,6 @@
69# Enable --quiet as default every time the sandbox is started. Default disabled. 69# Enable --quiet as default every time the sandbox is started. Default disabled.
70# quiet-by-default no 70# quiet-by-default no
71 71
72# Remount /proc and /sys inside the sandbox, default enabled.
73# remount-proc-sys yes
74
75# Enable or disable restricted network support, default disabled. If enabled, 72# Enable or disable restricted network support, default disabled. If enabled,
76# networking features should also be enabled (network yes). 73# networking features should also be enabled (network yes).
77# Restricted networking grants access to --interface, --net=ethXXX and 74# Restricted networking grants access to --interface, --net=ethXXX and
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7f371b299..1dee87a64 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -299,14 +299,9 @@ int checkcfg(int val) {
299 else 299 else
300 goto errout; 300 goto errout;
301 } 301 }
302 // remount /proc and /sys
303 else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { 302 else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
304 if (strcmp(ptr + 17, "yes") == 0) 303 if (!arg_quiet)
305 cfg_val[CFG_REMOUNT_PROC_SYS] = 1; 304 fprintf(stderr, "Warning: remount-proc-sys from firejail.config was deprecated\n");
306 else if (strcmp(ptr + 17, "no") == 0)
307 cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
308 else
309 goto errout;
310 } 305 }
311 else if (strncmp(ptr, "overlayfs ", 10) == 0) { 306 else if (strncmp(ptr, "overlayfs ", 10) == 0) {
312 if (strcmp(ptr + 10, "yes") == 0) 307 if (strcmp(ptr + 10, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a6b57f263..c6c6c76cc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -725,7 +725,6 @@ enum {
725 CFG_FORCE_NONEWPRIVS, 725 CFG_FORCE_NONEWPRIVS,
726 CFG_WHITELIST, 726 CFG_WHITELIST,
727 CFG_XEPHYR_WINDOW_TITLE, 727 CFG_XEPHYR_WINDOW_TITLE,
728 CFG_REMOUNT_PROC_SYS,
729 CFG_OVERLAYFS, 728 CFG_OVERLAYFS,
730 CFG_CHROOT_DESKTOP, 729 CFG_CHROOT_DESKTOP,
731 CFG_PRIVATE_HOME, 730 CFG_PRIVATE_HOME,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 67b40f9c2..069aa6ca8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1615,7 +1615,7 @@ int main(int argc, char **argv) {
1615 } 1615 }
1616 else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { 1616 else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
1617 if (!arg_quiet) 1617 if (!arg_quiet)
1618 fprintf(stderr, "--allow-private-blacklist was deprecated\n"); 1618 fprintf(stderr, "Warning: --allow-private-blacklist was deprecated\n");
1619 } 1619 }
1620 else if (strcmp(argv[i], "--private") == 0) { 1620 else if (strcmp(argv[i], "--private") == 0) {
1621 arg_private = 1; 1621 arg_private = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dc1333988..4851dc9ad 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -243,7 +243,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
243 } 243 }
244 else if (strcmp(ptr, "allow-private-blacklist") == 0) { 244 else if (strcmp(ptr, "allow-private-blacklist") == 0) {
245 if (!arg_quiet) 245 if (!arg_quiet)
246 fprintf(stderr, "--allow-private-blacklist was deprecated\n"); 246 fprintf(stderr, "Warning: --allow-private-blacklist was deprecated\n");
247 return 0; 247 return 0;
248 } 248 }
249 else if (strcmp(ptr, "netfilter") == 0) { 249 else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b92483c66..131163c68 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -245,12 +245,6 @@ static int monitor_application(pid_t app_pid) {
245 sleep(1); 245 sleep(1);
246 } 246 }
247 247
248 // if /proc is not remounted, we cannot check /proc directory,
249 // for now we just get out of here
250 // todo: find another way of checking child processes!
251 if (!checkcfg(CFG_REMOUNT_PROC_SYS))
252 break;
253
254 DIR *dir; 248 DIR *dir;
255 if (!(dir = opendir("/proc"))) { 249 if (!(dir = opendir("/proc"))) {
256 // sleep 2 seconds and try again 250 // sleep 2 seconds and try again
@@ -872,8 +866,7 @@ int sandbox(void* sandbox_arg) {
872 //**************************** 866 //****************************
873 // update /proc, /sys, /dev, /boot directory 867 // update /proc, /sys, /dev, /boot directory
874 //**************************** 868 //****************************
875 if (checkcfg(CFG_REMOUNT_PROC_SYS)) 869 fs_proc_sys_dev_boot();
876 fs_proc_sys_dev_boot();
877 870
878 //**************************** 871 //****************************
879 // handle /mnt and /media 872 // handle /mnt and /media
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-16 14:11:19 +0000