-rw-r--r-- | etc/cin.profile | 2 | ||||
-rw-r--r-- | etc/natron.profile | 2 | ||||
-rw-r--r-- | etc/vlc.profile | 6 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 14 | ||||
-rw-r--r-- | src/firejail/x11.c | 8 |
5 files changed, 26 insertions, 6 deletions
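--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -19,7 +19,7 @@ net none
 nodbus
 nodvd
 #nogroups
-#nonewprivs
+nonewprivs
 notv
 noroot
 protocol unix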
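--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -18,7 +18,7 @@ noblacklist /opt/natron
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-#include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 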
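--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -20,8 +20,8 @@ include /etc/firejail/whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
-# nodbus - problems with KDE
-# nogroups
+#nodbus
+#nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -33,6 +33,6 @@ private-dev
 private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp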
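Review bot: The `nodbus` line in the first hunk stays commented out, but its reason, `- problems with KDE`, is dropped, so a later reader cannot tell whether this hardening option is safe to enable. Keeping the rationale on a comment line of its own, as the profile already does for mdwe, would preserve it: `# nodbus is disabled due to problems with KDE` directly above `#nodbus`.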
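--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -162,22 +162,34 @@ void pulseaudio_init(void) {
 }
 free(dir1);
 
-
 // if we have ~/.config/pulse mount the new directory, else set environment variable
 char *homeusercfg;
 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(homeusercfg, &s) == 0) {
+if (is_link(homeusercfg)) {
+fprintf(stderr, "Error: user .config/pulse is a symbolic link\n");
+exit(1);
+}
 if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
 mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
 errExit("mount pulseaudio");
 fs_logger2("tmpfs", homeusercfg);
+
+// check /proc/self/mounts to confirm the mount is ok
+MountData *mptr = get_last_mount();
+if (strncmp(mptr->dir,homeusercfg,strlen(homeusercfg)) != 0) {
+fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);
+exit(1);
+}
+
 char *p;
 if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
 errExit("asprintf");
 fs_logger2("create", p);
 free(p);
 }
+
 else {
 // set environment
 if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)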
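Review bot: The post-mount check in pulseaudio_init compares only a prefix, `strncmp(mptr->dir,homeusercfg,strlen(homeusercfg))`, so a last-mount path that merely starts with homeusercfg (a subdirectory or a longer sibling name) is accepted; an exact match, `if (strcmp(mptr->dir, homeusercfg) != 0) {`, is what the "should be %s" message promises. The same prefix comparison is applied to dest in the x11_xorg hunk of src/firejail/x11.c. mptr is also dereferenced without a NULL test; get_last_mount() is defined outside this page, so either confirm it never returns NULL or add `if (!mptr) errExit("get_last_mount");`. Because is_link() and mount() both act on the path rather than on an opened descriptor, this verification is the only thing covering a change between the two calls, which is why it should be strict. pulseaudio_init begins before the hunk and continues after it.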
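--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1193,6 +1193,14 @@ void x11_xorg(void) {
 // just in case...
 if (set_perms(dest, getuid(), getgid(), 0600))
 errExit("set_perms");
+
+// check /proc/self/mounts to confirm the mount is ok
+MountData *mptr = get_last_mount();
+if (strncmp(mptr->dir,dest,strlen(dest)) != 0) {
+fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, dest);
+exit(1);
+}
+
 free(dest);
 #endif
 }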
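Review bot: In x11_xorg the new verification runs after `set_perms(dest, getuid(), getgid(), 0600)`, so the permission change is applied to dest before the code has confirmed that the mount landed there. The mount call itself is above the hunk, so this is inferred from the visible order; if it directly precedes the `// just in case...` comment, moving the get_last_mount() block up between the mount and set_perms would make the privileged permission change apply only to a verified target. The function starts outside the hunk.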