-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 9 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/geeqie.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/shellcheck.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 5 | ||||
-rw-r--r-- | src/fcopy/main.c | 9 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 9 |
9 files changed, 27 insertions, 14 deletions
@@ -136,6 +136,7 @@ Anton Shestakov (https://github.com/antonv6) | |||
136 | - add whitelist items for uim | 136 | - add whitelist items for uim |
137 | - allow /etc/vulkan in steam profile | 137 | - allow /etc/vulkan in steam profile |
138 | - allow ~/.cache/wine in lutris and wine profile | 138 | - allow ~/.cache/wine in lutris and wine profile |
139 | - support MangoHud in steam profile | ||
139 | Antonio Russo (https://github.com/aerusso) | 140 | Antonio Russo (https://github.com/aerusso) |
140 | - enumerate root directories in apparmor profile | 141 | - enumerate root directories in apparmor profile |
141 | - fix join-or-start | 142 | - fix join-or-start |
@@ -520,6 +521,7 @@ Jan-Niclas (https://github.com/0x6a61) | |||
520 | - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox | 521 | - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox |
521 | Jan Sonntag (https://github.com/jmetrius) | 522 | Jan Sonntag (https://github.com/jmetrius) |
522 | - added OpenStego profile | 523 | - added OpenStego profile |
524 | - allow common access to EGL External platform configuration directory | ||
523 | Jean Lucas (https://github.com/flacks) | 525 | Jean Lucas (https://github.com/flacks) |
524 | - fix Discord profile | 526 | - fix Discord profile |
525 | - add AnyDesk profile | 527 | - add AnyDesk profile |
@@ -1,5 +1,9 @@ | |||
1 | firejail (0.9.68rc2) baseline; urgency=low | 1 | firejail (0.9.68rc2) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * security: on Ubuntu, the PPA is now recommended over the distro package | ||
4 | (see README.md) (#4748) | ||
5 | * security: bugfix: private-cwd leaks access to the entire filesystem | ||
6 | (#4780); reported by Hugo Osvaldo Barrera | ||
3 | * exit code: distinguish fatal signals by adding 128 (#4533) | 7 | * exit code: distinguish fatal signals by adding 128 (#4533) |
4 | * close file descriptors greater than 2 (--keep-fd) (#4845) | 8 | * close file descriptors greater than 2 (--keep-fd) (#4845) |
5 | * intrusion detection system (--ids-init, --ids-check) | 9 | * intrusion detection system (--ids-init, --ids-check) |
@@ -7,7 +11,7 @@ firejail (0.9.68rc2) baseline; urgency=low | |||
7 | --deterministic-shutdown) (#4635) | 11 | --deterministic-shutdown) (#4635) |
8 | * noprinters command (#4607 #4827) | 12 | * noprinters command (#4607 #4827) |
9 | * network monitor (--nettrace) | 13 | * network monitor (--nettrace) |
10 | * network locker (--netlock) | 14 | * network locker (--netlock) (#4848) |
11 | * whitelist-ro profile command | 15 | * whitelist-ro profile command |
12 | * AppImage support in --build command | 16 | * AppImage support in --build command |
13 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) | 17 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) |
@@ -15,10 +19,13 @@ firejail (0.9.68rc2) baseline; urgency=low | |||
15 | * removed whitelist=yes/no in /etc/firejail/firejail.config | 19 | * removed whitelist=yes/no in /etc/firejail/firejail.config |
16 | * new condition: ALLOW_TRAY (#4510 #4599) | 20 | * new condition: ALLOW_TRAY (#4510 #4599) |
17 | * remove (some) environment variables with auth-tokens (#4157) | 21 | * remove (some) environment variables with auth-tokens (#4157) |
22 | * bugfix: Fix sndio support (#4362 #4365) | ||
18 | * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387) | 23 | * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387) |
19 | * bugfix: --build clears the environment (#4460 #4467) | 24 | * bugfix: --build clears the environment (#4460 #4467) |
25 | * bugfix: firejail hangs with net parameter (#3958 #4476) | ||
20 | * bugfix: Firejail does not work with a custom hosts file (#2758 #4560) | 26 | * bugfix: Firejail does not work with a custom hosts file (#2758 #4560) |
21 | * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586) | 27 | * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586) |
28 | * bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583) | ||
22 | * bugfix: Firejail rejects empty arguments (#4395) | 29 | * bugfix: Firejail rejects empty arguments (#4395) |
23 | * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235) | 30 | * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235) |
24 | * bugfix: Seccomp list output goes to stdout instead of stderr (#4328) | 31 | * bugfix: Seccomp list output goes to stdout instead of stderr (#4328) |
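--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -286,6 +286,7 @@ blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/MangoHud
 blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.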
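--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -12,6 +12,7 @@ whitelist /usr/share/cursors
 whitelist /usr/share/dconf
 whitelist /usr/share/distro-info
 whitelist /usr/share/drirc.d
+whitelist /usr/share/egl
 whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
 whitelist /usr/share/file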
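--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -25,7 +25,8 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+# remove inet,inet6 to disable network access
+protocol unix,inet,inet6
 seccomp
 shell none
 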
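Review bot: The new `protocol unix,inet,inet6` line makes network sockets the default for an image viewer, and the added comment tells users how to turn them off rather than why they are on. A sandbox profile is easier to audit when the restrictive setting is the default and the relaxation is the documented opt-in; consider keeping `protocol unix` and carrying the wider setting as a comment, e.g. `# to allow network access, replace the next line with: protocol unix,inet,inet6`. If the network is genuinely required, the comment should name the feature that needs it. Whether another line of the profile, outside this hunk, already restricts networking is not visible here.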
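--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -50,5 +50,3 @@ private-tmp
 
 dbus-user none
 dbus-system none
-
-memory-deny-write-execute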
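--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -55,6 +56,7 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Epic
 mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
@@ -85,6 +87,7 @@ mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
 whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -162,3 +165,5 @@ private-tmp
 
 # dbus-user none
 # dbus-system none
+
+read-only ${HOME}/.config/MangoHud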
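Review bot: The `read-only ${HOME}/.config/MangoHud` line appended at the end of the file has no comment, and none of the neighbouring whitelist entries visible in these hunks has a matching read-only line, so a reader cannot tell whether this is deliberate hardening. A one-line comment above it would settle that, e.g. `# overlay config is only read inside the sandbox; keep sandboxed programs from changing it` (intent inferred, to be confirmed by the author). Note also that the added `mkdir ${HOME}/.config/MangoHud` creates the directory in the real home even for users without MangoHud, as the neighbouring mkdir lines do for their directories.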
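--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
 gid_t gid = s->st_gid;
 mode_t mode = s->st_mode;
 
-// NixOS problem #4887:
-// /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
-if (strcmp(src, "/etc/fonts") == 0) {
-duplicate_dir(src, dest, s);
-free(rsrc);
-free(rdest);
-return;
-}
-
 // build destination file name
 char *name;
 // char *ptr = strrchr(rsrc, '/');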
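--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
 errExit("asprintf");
 
 build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
-sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+
+// follow links! this will make a copy of the file or directory pointed by the symlink
+// this will solve problems such as NixOS #4887
+// don't follow links to dynamic directories such as /proc
+if (strcmp(src, "/etc/mtab") == 0)
+sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+else
+sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
 
 free(dst);
 fs_logger2("clone", src);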
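Review bot: The guard on the new `strcmp(src, "/etc/mtab")` line matches one literal path, while the comment above it promises not to follow links into dynamic directories such as /proc in general. Any other /etc entry whose target lies under /proc or /sys would still be handed to fcopy with `--follow-link` under SBOX_ROOT, and the literal compare also depends on `src` being spelled exactly that way. Deciding on the resolved target rather than on the link name would make the code agree with its comment, as sketched below. How `src` is built and which privileges the caller holds at this point are outside the hunk, so the realpath() call site and the fallback for an unresolvable link should be confirmed; duplicate()'s body starts and ends outside the hunk.

```c
	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));

	// follow links, except when the target resolves into a kernel-backed tree
	int follow = 1;
	char *target = realpath(src, NULL);
	if (target) {
		if (strncmp(target, "/proc/", 6) == 0 || strncmp(target, "/sys/", 5) == 0)
			follow = 0;
		free(target);
	}
	if (follow)
		sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
	else
		sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
	// … unchanged: free(dst) and logging …
```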