diff options
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 15 | ||||
-rwxr-xr-x | test/network/configure | 3 | ||||
-rwxr-xr-x | test/network/netns.exp | 34 | ||||
-rwxr-xr-x | test/network/network.sh | 3 |
6 files changed, 50 insertions, 16 deletions
@@ -34,9 +34,6 @@ firejail (0.9.45) baseline; urgency=low | |||
34 | * feature: allow /tmp directory in mkdir and mkfile profile commands | 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands |
35 | * feature: implemented --noblacklist command, profile support | 35 | * feature: implemented --noblacklist command, profile support |
36 | * feature: config support to disable access to /mnt and /media (disable-mnt) | 36 | * feature: config support to disable access to /mnt and /media (disable-mnt) |
37 | * feature: allow tmpfs for regular users for files in home directory | ||
38 | * feature: mount a tmpfs on top of ~/.cache directory by default | ||
39 | * feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs) | ||
40 | * feature: config support to disable join (join) | 37 | * feature: config support to disable join (join) |
41 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 38 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
42 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 39 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3413febcb..fc6bdc7d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -486,7 +486,15 @@ void fs_cache(void) { | |||
486 | char *cache; | 486 | char *cache; |
487 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) | 487 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) |
488 | errExit("asprintf"); | 488 | errExit("asprintf"); |
489 | if (is_link(cache)) { | ||
490 | fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n"); | ||
491 | exit(1); | ||
492 | } | ||
489 | disable_file(MOUNT_TMPFS, cache); | 493 | disable_file(MOUNT_TMPFS, cache); |
494 | if (is_link(cache)) { | ||
495 | fprintf(stderr, "Error: ~/.cache directory is a symbolik link\n"); | ||
496 | exit(1); | ||
497 | } | ||
490 | free(cache); | 498 | free(cache); |
491 | } | 499 | } |
492 | 500 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4b3cab041..993acf2aa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -970,19 +970,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
970 | ptr += 7; | 970 | ptr += 7; |
971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
972 | if (getuid() != 0) { | 972 | if (getuid() != 0) { |
973 | // allow a non-root user to mount tmpfs in user home directory, links are not allowed | 973 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); |
974 | invalid_filename(ptr + 6); | 974 | exit(1); |
975 | char *newfname = expand_home(ptr + 6, cfg.homedir); | ||
976 | assert(newfname); | ||
977 | if (is_link(newfname)) { | ||
978 | fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n"); | ||
979 | exit(1); | ||
980 | } | ||
981 | if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) { | ||
982 | fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n"); | ||
983 | exit(1); | ||
984 | } | ||
985 | free(newfname); | ||
986 | } | 975 | } |
987 | ptr += 6; | 976 | ptr += 6; |
988 | } | 977 | } |
diff --git a/test/network/configure b/test/network/configure index 35d938340..d4511c705 100755 --- a/test/network/configure +++ b/test/network/configure | |||
@@ -25,3 +25,6 @@ ip link add link eth0 name eth0.6 type vlan id 6 | |||
25 | ip link add link eth0 name eth0.7 type vlan id 7 | 25 | ip link add link eth0 name eth0.7 type vlan id 7 |
26 | /sbin/ifconfig eth0.7 10.10.207.10/24 up | 26 | /sbin/ifconfig eth0.7 10.10.207.10/24 up |
27 | 27 | ||
28 | # network namespace | ||
29 | ip netns add red | ||
30 | |||
diff --git a/test/network/netns.exp b/test/network/netns.exp new file mode 100755 index 000000000..9475cf958 --- /dev/null +++ b/test/network/netns.exp | |||
@@ -0,0 +1,34 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2017 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --netns=red --noprofile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | after 100 | ||
16 | |||
17 | send -- "ip link show\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 2\n";exit} | ||
20 | "LOOPBACK" | ||
21 | } | ||
22 | expect { | ||
23 | timeout {puts "TESTING ERROR 3\n";exit} | ||
24 | "DOWN" | ||
25 | } | ||
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 4\n";exit} | ||
28 | "link/loopback" | ||
29 | } | ||
30 | after 100 | ||
31 | send -- "exit\r" | ||
32 | after 100 | ||
33 | |||
34 | puts "all done\n" | ||
diff --git a/test/network/network.sh b/test/network/network.sh index 2c60be0a5..c4c104042 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -11,6 +11,9 @@ sudo ./configure | |||
11 | echo "TESTING: firemon interface (firemon-interfaces.exp)" | 11 | echo "TESTING: firemon interface (firemon-interfaces.exp)" |
12 | sudo ./firemon-interfaces.exp | 12 | sudo ./firemon-interfaces.exp |
13 | 13 | ||
14 | echo "TESTING: netns (netns.exp)" | ||
15 | ./netns.exp | ||
16 | |||
14 | echo "TESTING: print dns (dns-print.exp)" | 17 | echo "TESTING: print dns (dns-print.exp)" |
15 | ./dns-print.exp | 18 | ./dns-print.exp |
16 | 19 | ||