diff options
-rw-r--r-- | etc/profile-a-l/gunzip.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/hexchat.profile | 5 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 8 |
6 files changed, 22 insertions, 10 deletions
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile index 6e97c6b78..584d88f85 100644 --- a/etc/profile-a-l/gunzip.profile +++ b/etc/profile-a-l/gunzip.profile | |||
@@ -7,5 +7,7 @@ include gunzip.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | include allow-bin-sh.inc | ||
11 | |||
10 | # Redirect | 12 | # Redirect |
11 | include gzip.profile | 13 | include gzip.profile |
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index f72af0b4a..b887de147 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/hexchat | 9 | noblacklist ${HOME}/.config/hexchat |
10 | 10 | ||
11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
12 | include allow-bin-sh.inc | ||
13 | |||
11 | # Allow perl (blacklisted by disable-interpreters.inc) | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
12 | include allow-perl.inc | 15 | include allow-perl.inc |
13 | 16 | ||
@@ -48,7 +51,7 @@ tracelog | |||
48 | 51 | ||
49 | disable-mnt | 52 | disable-mnt |
50 | # debug note: private-bin requires perl, python, etc on some systems | 53 | # debug note: private-bin requires perl, python, etc on some systems |
51 | private-bin hexchat,python* | 54 | private-bin hexchat,python*,sh |
52 | private-dev | 55 | private-dev |
53 | #private-lib - python problems | 56 | #private-lib - python problems |
54 | private-tmp | 57 | private-tmp |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 77bb5e5bb..9a7a1bac7 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -423,6 +423,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | |||
423 | strcmp(dir, "/sys") == 0) | 423 | strcmp(dir, "/sys") == 0) |
424 | whitelist_error(path); | 424 | whitelist_error(path); |
425 | 425 | ||
426 | // whitelisting home directory is disabled if --private option is present | ||
427 | if (arg_private && strcmp(dir, cfg.homedir) == 0) { | ||
428 | if (arg_debug || arg_debug_whitelists) | ||
429 | printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path); | ||
430 | return NULL; | ||
431 | } | ||
432 | |||
426 | // do nothing if directory doesn't exist | 433 | // do nothing if directory doesn't exist |
427 | struct stat s; | 434 | struct stat s; |
428 | if (lstat(dir, &s) != 0) { | 435 | if (lstat(dir, &s) != 0) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 31694558d..7cfa58078 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1904,8 +1904,6 @@ int main(int argc, char **argv, char **envp) { | |||
1904 | } | 1904 | } |
1905 | else if (strcmp(argv[i], "--private") == 0) { | 1905 | else if (strcmp(argv[i], "--private") == 0) { |
1906 | arg_private = 1; | 1906 | arg_private = 1; |
1907 | // disable whitelisting in home directory | ||
1908 | profile_add("whitelist ~/*"); | ||
1909 | } | 1907 | } |
1910 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1908 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
1911 | if (cfg.home_private_keep) { | 1909 | if (cfg.home_private_keep) { |
@@ -1927,8 +1925,6 @@ int main(int argc, char **argv, char **envp) { | |||
1927 | cfg.home_private = NULL; | 1925 | cfg.home_private = NULL; |
1928 | } | 1926 | } |
1929 | arg_private = 1; | 1927 | arg_private = 1; |
1930 | // disable whitelisting in home directory | ||
1931 | profile_add("whitelist ~/*"); | ||
1932 | } | 1928 | } |
1933 | #ifdef HAVE_PRIVATE_HOME | 1929 | #ifdef HAVE_PRIVATE_HOME |
1934 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { | 1930 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index fbfe1765b..d1be6eed4 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -36,8 +36,10 @@ void shut(pid_t pid) { | |||
36 | } | 36 | } |
37 | free(comm); | 37 | free(comm); |
38 | } | 38 | } |
39 | else | 39 | else { |
40 | errExit("/proc/PID/comm"); | 40 | fprintf(stderr, "Error: cannot find process %d\n", pid); |
41 | exit(1); | ||
42 | } | ||
41 | 43 | ||
42 | // check privileges for non-root users | 44 | // check privileges for non-root users |
43 | uid_t uid = getuid(); | 45 | uid_t uid = getuid(); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index b15b719b7..6a7318c4b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -647,9 +647,11 @@ int find_child(pid_t parent, pid_t *child) { | |||
647 | if (parent == atoi(ptr)) { | 647 | if (parent == atoi(ptr)) { |
648 | // we don't want /usr/bin/xdg-dbus-proxy! | 648 | // we don't want /usr/bin/xdg-dbus-proxy! |
649 | char *cmdline = pid_proc_cmdline(pid); | 649 | char *cmdline = pid_proc_cmdline(pid); |
650 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) | 650 | if (cmdline) { |
651 | *child = pid; | 651 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) |
652 | free(cmdline); | 652 | *child = pid; |
653 | free(cmdline); | ||
654 | } | ||
653 | } | 655 | } |
654 | break; // stop reading the file | 656 | break; // stop reading the file |
655 | } | 657 | } |