diff options
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 84 | ||||
-rw-r--r-- | etc/profile-a-l/Books.profile | 5 | ||||
-rw-r--r-- | src/firejail/chroot.c | 2 | ||||
-rw-r--r-- | src/firejail/env.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 7 | ||||
-rw-r--r-- | src/firejail/ls.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 |
16 files changed, 53 insertions, 70 deletions
@@ -310,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap) | |||
310 | - fix qt5ct colour schemes and QSS | 310 | - fix qt5ct colour schemes and QSS |
311 | Disconnect3d (https://github.com/disconnect3d) | 311 | Disconnect3d (https://github.com/disconnect3d) |
312 | - code cleanup | 312 | - code cleanup |
313 | dm9pZCAq (https://github.com/dm9pZCAq) | ||
314 | - fix for compilation under musl | ||
313 | dmfreemon (https://github.com/dmfreemon) | 315 | dmfreemon (https://github.com/dmfreemon) |
314 | - add sandbox name or name of private directory to the window title when xpra is used | 316 | - add sandbox name or name of private directory to the window title when xpra is used |
315 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 317 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer. | |||
22 | <table><tr> | 22 | <table><tr> |
23 | 23 | ||
24 | <td> | 24 | <td> |
25 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U | 25 | <a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank"> |
26 | " target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg" | 26 | <img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg" |
27 | alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a> | 27 | alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a> |
28 | </td> | 28 | </td> |
29 | 29 | ||
30 | <td> | 30 | <td> |
31 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU | 31 | <a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank"> |
32 | " target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" | 32 | <img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc" |
33 | alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a> | 33 | alt="Technology" width="240" height="142" border="10" /><br/>Technology</a> |
34 | </td> | 34 | </td> |
35 | 35 | ||
36 | <td> | 36 | <td> |
37 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 | 37 | <a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank"> |
38 | " target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" | 38 | <img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf" |
39 | alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a> | 39 | alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> |
40 | </td> | 40 | </td> |
41 | 41 | ||
42 | |||
43 | </tr><tr> | ||
44 | <td> | ||
45 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w | ||
46 | " target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" | ||
47 | alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a> | ||
48 | |||
49 | </td> | ||
50 | <td> | ||
51 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ | ||
52 | " target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" | ||
53 | alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a> | ||
54 | |||
55 | </td> | ||
56 | <td> | ||
57 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o | ||
58 | " target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg" | ||
59 | alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a> | ||
60 | |||
61 | </td> | ||
62 | </tr></table> | 42 | </tr></table> |
63 | 43 | ||
64 | Project webpage: https://firejail.wordpress.com/ | 44 | Project webpage: https://firejail.wordpress.com/ |
@@ -239,30 +219,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi | |||
239 | $ sudo cp src/profstats/profstats /etc/firejail/. | 219 | $ sudo cp src/profstats/profstats /etc/firejail/. |
240 | $ cd /etc/firejail | 220 | $ cd /etc/firejail |
241 | $ ./profstats *.profile | 221 | $ ./profstats *.profile |
242 | profiles 1150 | 222 | profiles 1167 |
243 | include local profile 1150 (include profile-name.local) | 223 | include local profile 1167 (include profile-name.local) |
244 | include globals 1120 (include globals.local) | 224 | include globals 1136 (include globals.local) |
245 | blacklist ~/.ssh 1026 (include disable-common.inc) | 225 | blacklist ~/.ssh 1042 (include disable-common.inc) |
246 | seccomp 1050 | 226 | seccomp 1062 |
247 | capabilities 1146 | 227 | capabilities 1163 |
248 | noexec 1030 (include disable-exec.inc) | 228 | noexec 1049 (include disable-exec.inc) |
249 | noroot 959 | 229 | noroot 971 |
250 | memory-deny-write-execute 253 | 230 | memory-deny-write-execute 256 |
251 | apparmor 681 | 231 | apparmor 693 |
252 | private-bin 667 | 232 | private-bin 677 |
253 | private-dev 1009 | 233 | private-dev 1027 |
254 | private-etc 523 | 234 | private-etc 532 |
255 | private-tmp 883 | 235 | private-tmp 897 |
256 | whitelist home directory 547 | 236 | whitelist home directory 557 |
257 | whitelist var 818 (include whitelist-var-common.inc) | 237 | whitelist var 836 (include whitelist-var-common.inc) |
258 | whitelist run/user 616 (include whitelist-runuser-common.inc | 238 | whitelist run/user 1137 (include whitelist-runuser-common.inc |
259 | or blacklist ${RUNUSER}) | 239 | or blacklist ${RUNUSER}) |
260 | whitelist usr/share 591 (include whitelist-usr-share-common.inc | 240 | whitelist usr/share 609 (include whitelist-usr-share-common.inc |
261 | net none 391 | 241 | net none 396 |
262 | dbus-user none 641 | 242 | dbus-user none 656 |
263 | dbus-user filter 105 | 243 | dbus-user filter 108 |
264 | dbus-system none 792 | 244 | dbus-system none 808 |
265 | dbus-system filter 7 | 245 | dbus-system filter 10 |
266 | ``` | 246 | ``` |
267 | 247 | ||
268 | ### New profiles: | 248 | ### New profiles: |
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile index 76fd21d32..a256e942f 100644 --- a/etc/profile-a-l/Books.profile +++ b/etc/profile-a-l/Books.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-books | 1 | # Firejail profile for gnome-books |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Books.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | 9 | ||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 10 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 37ec22117..9425638ea 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) { | |||
86 | if (arg_debug) | 86 | if (arg_debug) |
87 | printf("Updating chroot /%s\n", relpath); | 87 | printf("Updating chroot /%s\n", relpath); |
88 | unlinkat(parentfd, relpath, 0); | 88 | unlinkat(parentfd, relpath, 0); |
89 | int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 89 | int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
90 | if (out == -1) { | 90 | if (out == -1) { |
91 | close(in); | 91 | close(in); |
92 | goto errout; | 92 | goto errout; |
diff --git a/src/firejail/env.c b/src/firejail/env.c index ad16de037..4c0d729a1 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | #include <dirent.h> | 24 | #include <dirent.h> |
25 | #include <limits.h> | ||
25 | 26 | ||
26 | typedef struct env_t { | 27 | typedef struct env_t { |
27 | struct env_t *next; | 28 | struct env_t *next; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 730c37aed..bf51a4c93 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -22,6 +22,7 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include "../include/rundefs.h" | 24 | #include "../include/rundefs.h" |
25 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) | ||
25 | #include <stdarg.h> | 26 | #include <stdarg.h> |
26 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
27 | 28 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3144156a3..1a9a8df0d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <sys/statvfs.h> | 24 | #include <sys/statvfs.h> |
25 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
26 | #include <linux/limits.h> | ||
27 | #include <fnmatch.h> | 26 | #include <fnmatch.h> |
28 | #include <glob.h> | 27 | #include <glob.h> |
29 | #include <dirent.h> | 28 | #include <dirent.h> |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index a43b18344..694d0a379 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | ||
24 | #include <glob.h> | 23 | #include <glob.h> |
25 | #include <dirent.h> | 24 | #include <dirent.h> |
26 | #include <fcntl.h> | 25 | #include <fcntl.h> |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 590337da1..8d8530d81 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -19,7 +19,6 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <linux/limits.h> | ||
23 | #include <dirent.h> | 22 | #include <dirent.h> |
24 | #include <errno.h> | 23 | #include <errno.h> |
25 | #include <sys/stat.h> | 24 | #include <sys/stat.h> |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 7d320e90b..8b7e94f51 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | ||
24 | #include <glob.h> | 23 | #include <glob.h> |
25 | #include <dirent.h> | 24 | #include <dirent.h> |
26 | #include <fcntl.h> | 25 | #include <fcntl.h> |
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) { | |||
33 | if (arg_debug) | 32 | if (arg_debug) |
34 | printf("Creating a new /etc/hostname file\n"); | 33 | printf("Creating a new /etc/hostname file\n"); |
35 | 34 | ||
36 | create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 35 | create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
37 | 36 | ||
38 | // bind-mount the file on top of /etc/hostname | 37 | // bind-mount the file on top of /etc/hostname |
39 | if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) | 38 | if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) |
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) { | |||
75 | } | 74 | } |
76 | fclose(fp1); | 75 | fclose(fp1); |
77 | // mode and owner | 76 | // mode and owner |
78 | SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 77 | SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
79 | fclose(fp2); | 78 | fclose(fp2); |
80 | 79 | ||
81 | // bind-mount the file on top of /etc/hostname | 80 | // bind-mount the file on top of /etc/hostname |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 718786cdc..17a7b3d23 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | ||
24 | #include <glob.h> | 23 | #include <glob.h> |
25 | #include <dirent.h> | 24 | #include <dirent.h> |
26 | #include <fcntl.h> | 25 | #include <fcntl.h> |
@@ -54,7 +53,7 @@ void fs_tracefile(void) { | |||
54 | if (arg_debug) | 53 | if (arg_debug) |
55 | printf("Creating an empty trace log file: %s\n", arg_tracefile); | 54 | printf("Creating an empty trace log file: %s\n", arg_tracefile); |
56 | EUID_USER(); | 55 | EUID_USER(); |
57 | int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 56 | int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
58 | if (fd == -1) { | 57 | if (fd == -1) { |
59 | perror("open"); | 58 | perror("open"); |
60 | fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile); | 59 | fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile); |
@@ -107,7 +106,7 @@ void fs_trace(void) { | |||
107 | fmessage("Post-exec seccomp protector enabled\n"); | 106 | fmessage("Post-exec seccomp protector enabled\n"); |
108 | } | 107 | } |
109 | 108 | ||
110 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 109 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
111 | fclose(fp); | 110 | fclose(fp); |
112 | 111 | ||
113 | // mount the new preload file | 112 | // mount the new preload file |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 20e262d80..e19d0df96 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | ||
24 | #include <glob.h> | 23 | #include <glob.h> |
25 | #include <dirent.h> | 24 | #include <dirent.h> |
26 | #include <fcntl.h> | 25 | #include <fcntl.h> |
@@ -129,7 +128,7 @@ void fs_var_log(void) { | |||
129 | /* coverity[toctou] */ | 128 | /* coverity[toctou] */ |
130 | FILE *fp = fopen("/var/log/wtmp", "wxe"); | 129 | FILE *fp = fopen("/var/log/wtmp", "wxe"); |
131 | if (fp) { | 130 | if (fp) { |
132 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); | 131 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH); |
133 | fclose(fp); | 132 | fclose(fp); |
134 | } | 133 | } |
135 | fs_logger("touch /var/log/wtmp"); | 134 | fs_logger("touch /var/log/wtmp"); |
@@ -137,7 +136,7 @@ void fs_var_log(void) { | |||
137 | // create an empty /var/log/btmp file | 136 | // create an empty /var/log/btmp file |
138 | fp = fopen("/var/log/btmp", "wxe"); | 137 | fp = fopen("/var/log/btmp", "wxe"); |
139 | if (fp) { | 138 | if (fp) { |
140 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); | 139 | SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); |
141 | fclose(fp); | 140 | fclose(fp); |
142 | } | 141 | } |
143 | fs_logger("touch /var/log/btmp"); | 142 | fs_logger("touch /var/log/btmp"); |
@@ -314,7 +313,7 @@ void fs_var_utmp(void) { | |||
314 | // save new utmp file | 313 | // save new utmp file |
315 | int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp); | 314 | int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp); |
316 | (void) rv; | 315 | (void) rv; |
317 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); | 316 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH); |
318 | fclose(fp); | 317 | fclose(fp); |
319 | 318 | ||
320 | // mount the new utmp file | 319 | // mount the new utmp file |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 70985ba9e..53e918dde 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
305 | } | 305 | } |
306 | // create destination file if necessary | 306 | // create destination file if necessary |
307 | EUID_ASSERT(); | 307 | EUID_ASSERT(); |
308 | int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); | 308 | int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR); |
309 | if (fd == -1) { | 309 | if (fd == -1) { |
310 | fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); | 310 | fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); |
311 | exit(1); | 311 | exit(1); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 81d148257..cc5186204 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -32,7 +32,8 @@ | |||
32 | #include <dirent.h> | 32 | #include <dirent.h> |
33 | #include <pwd.h> | 33 | #include <pwd.h> |
34 | #include <errno.h> | 34 | #include <errno.h> |
35 | //#include <limits.h> | 35 | |
36 | #include <limits.h> | ||
36 | #include <sys/file.h> | 37 | #include <sys/file.h> |
37 | #include <sys/prctl.h> | 38 | #include <sys/prctl.h> |
38 | #include <signal.h> | 39 | #include <signal.h> |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 6f17231a4..59077dada 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -21,7 +21,6 @@ | |||
21 | #include "../include/firejail_user.h" | 21 | #include "../include/firejail_user.h" |
22 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <linux/limits.h> | ||
25 | #include <fnmatch.h> | 24 | #include <fnmatch.h> |
26 | #include <glob.h> | 25 | #include <glob.h> |
27 | #include <dirent.h> | 26 | #include <dirent.h> |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b776a0cc5..d66b6c573 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -204,7 +204,7 @@ static void save_umask(void) { | |||
204 | } | 204 | } |
205 | 205 | ||
206 | static char *create_join_file(void) { | 206 | static char *create_join_file(void) { |
207 | int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 207 | int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
208 | if (fd == -1) | 208 | if (fd == -1) |
209 | errExit("open"); | 209 | errExit("open"); |
210 | if (ftruncate(fd, 1) == -1) | 210 | if (ftruncate(fd, 1) == -1) |