-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 21 |
6 files changed, 50 insertions, 2 deletions
@@ -5,6 +5,7 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
5 | * added --x11=xephyr option | 5 | * added --x11=xephyr option |
6 | * added --cpu.print option | 6 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 7 | * added filetransfer options --ls and --get |
8 | * added --writable-etc and --writable-var options | ||
8 | * added mkdir, ipc-namespace, and nosound profile commands | 9 | * added mkdir, ipc-namespace, and nosound profile commands |
9 | * added net iface, and iprange profile commands | 10 | * added net iface, and iprange profile commands |
10 | * --version also prints compile options | 11 | * --version also prints compile options |
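--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -256,6 +256,8 @@ extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
+extern int arg_writable_etc; // writable etc
+extern int arg_writable_var; // writable var
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];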
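--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -734,8 +734,10 @@ void fs_basic_fs(void) {
 fs_rdonly("/lib32");
 fs_rdonly("/libx32");
 fs_rdonly("/usr");
-fs_rdonly("/etc");
-fs_rdonly("/var");
+if (!arg_writable_etc)
+fs_rdonly("/etc");
+if (!arg_writable_var)
+fs_rdonly("/var");
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 if (!arg_private_dev)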
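Review bot: The two new guards in fs_basic_fs skip the read-only remount of /etc and /var without recording why, or that the only thing stopping an unprivileged caller from setting arg_writable_etc/arg_writable_var is the getuid() check in main.c's option parser. Because both flags are plain globals, any later code path that sets them (a profile command, for instance) would silently inherit the bypass, so the privilege assumption should be visible where it is relied on, and if such a path exists a second check here would be cheap. I would add above the first guard: `// --writable-etc/--writable-var leave /etc and /var read-write in the sandbox (the host's directories unless otherwise privatised); both are root-only, gated by getuid() in main.c — any other path that sets these flags must keep that gate`. fs_basic_fs starts before this hunk.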
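--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -96,6 +96,8 @@ int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
+int arg_writable_etc = 0; // writable etc
+int arg_writable_var = 0; // writable var
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1272,6 +1274,20 @@ int main(int argc, char **argv) {
 
 }
 #endif
+else if (strcmp(argv[i], "--writable-etc") == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --writable-etc is available only for root user\n");
+exit(1);
+}
+arg_writable_etc = 1;
+}
+else if (strcmp(argv[i], "--writable-var") == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --writable-var is available only for root user\n");
+exit(1);
+}
+arg_writable_var = 1;
+}
 else if (strcmp(argv[i], "--private") == 0)
 arg_private = 1;
 else if (strncmp(argv[i], "--private=", 10) == 0) {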
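Review bot: The two new `else if` branches in the second hunk are identical apart from the option name and the flag they set; collapsing them into one branch that prints `argv[i]` through `%s` removes the duplicated root check and keeps the two error messages from drifting apart. The `getuid() != 0` test is the right one only because it reads the real uid — if firejail is installed setuid root, as it normally is, `geteuid()` would be 0 for every caller — and that deserves a comment, since it is easy to "correct" into geteuid() later. The enclosing option loop and main() start and end outside this hunk.
```c
#endif
		else if (strcmp(argv[i], "--writable-etc") == 0 ||
		         strcmp(argv[i], "--writable-var") == 0) {
			// real uid on purpose: under a setuid-root firejail geteuid() is 0 for everyone
			if (getuid() != 0) {
				fprintf(stderr, "Error: %s is available only for root user\n", argv[i]);
				exit(1);
			}
			if (strcmp(argv[i], "--writable-etc") == 0)
				arg_writable_etc = 1;
			else
				arg_writable_var = 1;
		}
		// … unchanged: --private and the remaining options …
```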
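--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -246,6 +246,12 @@ void usage(void) {
 printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
 printf(" --version - print program version and exit.\n\n");
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
+
+printf(" --writable-etc - /etc directory is mounted read-write. This option is\n");
+printf("\tavailable only when running the sandbox as root user.\n\n");
+printf(" --writable-var - /var directory is mounted read-write. This option is\n");
+printf("\tavailable only when running the sandbox as root user.\n\n");
+
 printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
 printf("\tthen it checks if Xephyr is installed.\n\n");
 printf(" --x11=xpra - enable Xpra X11 server.\n\n");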
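--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1462,6 +1462,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 
 .TP
+\fB\-\-writable-etc
+Mount /etc directory read-write. This option is available only when running the sandbox as root user
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-etc
+
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write. This option is available only when running the sandbox as root user
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var
+
+
+.TP
 \fB\-\-x11
 Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
 The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger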