-rw-r--r-- | README | 3 | ||||
-rwxr-xr-x | configure | 2 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/discord-common.profile | 2 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | etc/firejail-default | 3 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 34 | ||||
-rw-r--r-- | src/lib/pid.c | 7 |
9 files changed, 33 insertions, 24 deletions
@@ -147,6 +147,8 @@ Christian Stadelmann (https://github.com/genodeftest) | |||
147 | - evolution profile fix | 147 | - evolution profile fix |
148 | Clayton Williams (https://github.com/gosre) | 148 | Clayton Williams (https://github.com/gosre) |
149 | - addition of RLIMIT_AS | 149 | - addition of RLIMIT_AS |
150 | crass (https://github.com/crass) | ||
151 | - extract_command_name fixes | ||
150 | curiosity-seeker (https://github.com/curiosity-seeker) | 152 | curiosity-seeker (https://github.com/curiosity-seeker) |
151 | - tightening unbound and dnscrypt-proxy profiles | 153 | - tightening unbound and dnscrypt-proxy profiles |
152 | - correct and tighten QuiteRss profile | 154 | - correct and tighten QuiteRss profile |
@@ -660,6 +662,7 @@ veloute (https://github.com/veloute) | |||
660 | - added standardnotes profile | 662 | - added standardnotes profile |
661 | - added flameshot profile | 663 | - added flameshot profile |
662 | - added jdownloader profile | 664 | - added jdownloader profile |
665 | - fixed discord profile | ||
663 | Vincent43 (https://github.com/Vincent43) | 666 | Vincent43 (https://github.com/Vincent43) |
664 | - apparmor enhancements | 667 | - apparmor enhancements |
665 | vismir2 (https://github.com/vismir2) | 668 | vismir2 (https://github.com/vismir2) |
@@ -3832,7 +3832,7 @@ fi | |||
3832 | 3832 | ||
3833 | # set sysconfdir | 3833 | # set sysconfdir |
3834 | if test "$prefix" = /usr; then | 3834 | if test "$prefix" = /usr; then |
3835 | sysconfdir="/etc" | 3835 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
3836 | fi | 3836 | fi |
3837 | 3837 | ||
3838 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" | 3838 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" |
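--- a/configure.ac
+++ b/configure.ac
@@ -183,7 +183,7 @@ AC_SUBST(HAVE_SECCOMP_H)
 
 # set sysconfdir
 if test "$prefix" = /usr; then
-sysconfdir="/etc"
+test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \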
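--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -26,7 +26,7 @@ seccomp
 
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies
+private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
 noexec ${HOME}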
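--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -40,7 +40,7 @@ private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
 
-private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*
+private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
 
 private-tmp
 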
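--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -47,6 +47,9 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
 
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
+# Allow writing to removable media
+owner /{,var/}run/media/** w,
+
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
 /{,var/}run/systemd/journal/dev-log w,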
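Review bot: The added rule `owner /{,var/}run/media/** w,` opens write access under /run/media for every sandbox confined by this shared AppArmor profile, and the comment above it does not say that the restriction is now left to the individual Firejail profiles. The `owner` qualifier likely narrows little here, because removable filesystems without Unix ownership are commonly mounted with every file owned by the desktop user (confirm for the mounts in use). I would extend the comment to something like `# AppArmor no longer blocks writes to removable media; profiles that do not need it should still blacklist /run/media`.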
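--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -430,7 +430,7 @@ void fs_whitelist(void) {
 
 // if 1 the file was not found; mount an empty directory
 if (!nowhitelist_flag) {
-if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
+if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0 && new_name[strlen(cfg.homedir)] == '/') {
 if(!arg_private)
 home_dir = 1;
 }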
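Review bot: With the separator test added to the `strncmp` condition, a `new_name` that equals `cfg.homedir` exactly no longer sets `home_dir`, because the byte at `strlen(cfg.homedir)` is then `'\0'` rather than `'/'`; whether that value can reach this line is not visible in the hunk and should be confirmed or handled explicitly. The condition would read better with the length taken once, `size_t homelen = strlen(cfg.homedir);`, and a comment such as `// require a '/' after the prefix so /home/user does not match /home/username`. fs_whitelist() begins and ends outside the hunk, so any other prefix comparisons in it may need the same boundary check.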
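--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -636,33 +636,33 @@ void extract_command_name(int index, char **argv) {
 if (!cfg.command_name)
 errExit("strdup");
 
-// restrict the command name to the first word
-char *ptr = cfg.command_name;
-while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-ptr++;
-*ptr = '\0';
-
 // remove the path: /usr/bin/firefox becomes firefox
-ptr = strrchr(cfg.command_name, '/');
+char *basename = cfg.command_name;
+char *ptr = strrchr(cfg.command_name, '/');
 if (ptr) {
-ptr++;
+basename = ++ptr;
 if (*ptr == '\0') {
 fprintf(stderr, "Error: invalid command name\n");
 exit(1);
 }
+}
+else
+ptr = basename;
 
-char *tmp = strdup(ptr);
-if (!tmp)
-errExit("strdup");
-
-// limit the command to the first ' '
-char *ptr2 = tmp;
-while (*ptr2 != ' ' && *ptr2 != '\0')
-ptr2++;
-*ptr2 = '\0';
+// restrict the command name to the first word
+while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+ptr++;
+
+// command name is a substring of cfg.command_name
+if (basename != cfg.command_name || *ptr != '\0') {
+*ptr = '\0';
+
+basename = strdup(basename);
+if (!basename)
+errExit("strdup");
 
 free(cfg.command_name);
-cfg.command_name = tmp;
+cfg.command_name = basename;
 }
 }
 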
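Review bot: On the new side `strrchr(cfg.command_name, '/')` runs over the whole string before the first-word scan, so a `/` that appears after the first space or tab is taken as the path separator and the derived name comes from the wrong part of the string. The retained "first word" loop suggests `argv[index]` can carry more than a bare program path; if so, the slash search should be limited to the first word, as sketched below. If searching the whole string is deliberate (for instance directory names containing spaces), that needs a comment, because the two readings cannot both hold. The local `basename` also shadows the libc function of that name, and extract_command_name() begins above the hunk.

```c
// restrict the command name to the first word
char *ptr = cfg.command_name;
while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
	ptr++;

// remove the path: /usr/bin/firefox becomes firefox
// (look for '/' only inside the first word)
char *basename = ptr;
while (basename > cfg.command_name && basename[-1] != '/')
	basename--;
if (basename == ptr && basename != cfg.command_name) {
	fprintf(stderr, "Error: invalid command name\n");
	exit(1);
}

// … unchanged: the "command name is a substring of cfg.command_name" block …
```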
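--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -359,7 +359,10 @@ void pid_read(pid_t mon_pid) {
 char buf[PIDS_BUFLEN];
 while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
 if (strncmp(buf, "Name:", 5) == 0) {
-char *ptr = buf + 5;
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+ptr = buf + 5;
 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
 ptr++;
 }
@@ -368,7 +371,7 @@ void pid_read(pid_t mon_pid) {
 exit(1);
 }
 
-if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
+if ((strcmp(ptr, "firejail") == 0) && (mon_pid == 0 || mon_pid == pid)) {
 if (pid_proc_cmdline_x11_xpra_xephyr(pid))
 pids[pid].level = -1;
 else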
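Review bot: The exact `strcmp(ptr, "firejail")` in the second hunk can only match because the first hunk strips the trailing newline from `buf`, and nothing in the code records that dependency; a comment on the `strchr` line such as `// drop the newline so the exact strcmp() on the name below can match` would keep the two from drifting apart. If `fp` is the process's /proc status file (it is opened outside the hunk), the Name field is a label a process can set for itself, so this comparison identifies a sandbox by convention rather than authenticating it, which is worth stating where `pids[pid].level` is assigned. pid_read() starts and ends outside both hunks.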