9 files changed, 27 insertions, 14 deletions
diff --git a/README b/README
index 08ccefc3b..1bf45250d 100644
--- a/README
+++ b/README
@@ -136,6 +136,7 @@ Anton Shestakov (https://github.com/antonv6)
        - add whitelist items for uim
        - allow /etc/vulkan in steam profile
        - allow ~/.cache/wine in lutris and wine profile
+        - support MangoHud in steam profile
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
        - fix join-or-start
@@ -520,6 +521,7 @@ Jan-Niclas (https://github.com/0x6a61)
        - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
 Jan Sonntag (https://github.com/jmetrius)
        - added OpenStego profile
+        - allow common access to EGL External platform configuration directory
 Jean Lucas (https://github.com/flacks)
        - fix Discord profile
        - add AnyDesk profile
diff --git a/RELNOTES b/RELNOTES
index 8fd438ad3..1d781fca9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,9 @@
 firejail (0.9.68rc2) baseline; urgency=low
  * work in progress
+  * security: on Ubuntu, the PPA is now recommended over the distro package
+    (see README.md) (#4748)
+  * security: bugfix: private-cwd leaks access to the entire filesystem
+    (#4780); reported by Hugo Osvaldo Barrera
  * exit code: distinguish fatal signals by adding 128 (#4533)
  * close file descriptors greater than 2 (--keep-fd) (#4845)
  * intrusion detection system (--ids-init, --ids-check)
@@ -7,7 +11,7 @@ firejail (0.9.68rc2) baseline; urgency=low
     --deterministic-shutdown) (#4635)
  * noprinters command (#4607 #4827)
  * network monitor (--nettrace)
-  * network locker (--netlock)
+  * network locker (--netlock) (#4848)
  * whitelist-ro profile command
  * AppImage support in --build command
  * build: firecfg.config is now installed to /etc/firejail/ (#4669)
@@ -15,10 +19,13 @@ firejail (0.9.68rc2) baseline; urgency=low
  * removed whitelist=yes/no in /etc/firejail/firejail.config
  * new condition: ALLOW_TRAY (#4510 #4599)
  * remove (some) environment variables with auth-tokens (#4157)
+  * bugfix: Fix sndio support (#4362 #4365)
  * bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
  * bugfix: --build clears the environment (#4460 #4467)
+  * bugfix: firejail hangs with net parameter (#3958 #4476)
  * bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
  * bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
+  * bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583)
  * bugfix: Firejail rejects empty arguments (#4395)
  * bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
  * bugfix: Seccomp list output goes to stdout instead of stderr (#4328)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 5a189559a..255da0fbd 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -286,6 +286,7 @@ blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/MangoHud
 blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index 0049ce804..b4e5ac5d9 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -12,6 +12,7 @@ whitelist /usr/share/cursors
 whitelist /usr/share/dconf
 whitelist /usr/share/distro-info
 whitelist /usr/share/drirc.d
+whitelist /usr/share/egl
 whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
 whitelist /usr/share/file
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index fbb509d89..b79a82c83 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -25,7 +25,8 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+# remove inet,inet6 to disable network access
+protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index f2469048f..61fe534d6 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -50,5 +50,3 @@ private-tmp
 dbus-user none
 dbus-system none
-memory-deny-write-execute
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index b31818274..b0be8a517 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Epic
 noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/MangoHud
 noblacklist ${HOME}/.config/ModTheSpire
 noblacklist ${HOME}/.config/RogueLegacy
 noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -55,6 +56,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Epic
 mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/MangoHud
 mkdir ${HOME}/.config/ModTheSpire
 mkdir ${HOME}/.config/RogueLegacy
 mkdir ${HOME}/.config/unity3d
@@ -85,6 +87,7 @@ mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
 whitelist ${HOME}/.config/Epic
 whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/MangoHud
 whitelist ${HOME}/.config/ModTheSpire
 whitelist ${HOME}/.config/RogueLegacy
 whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -162,3 +165,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+read-only ${HOME}/.config/MangoHud
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 4be35e23f..c64d20127 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) {
        gid_t gid = s->st_gid;
        mode_t mode = s->st_mode;
-        // NixOS problem #4887:
-        //      /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
-        if (strcmp(src, "/etc/fonts") == 0) {
-                duplicate_dir(src, dest, s);
-                free(rsrc);
-                free(rdest);
-                return;
-        }
        // build destination file name
        char *name;
        //     char *ptr = strrchr(rsrc, '/');
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 786e0d360..deaee31bb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
                errExit("asprintf");
        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
-        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        // follow links! this will make a copy of the file or directory pointed by the symlink
+        // this will solve problems such as NixOS #4887
+        // don't follow links to dynamic directories such as /proc
+        if (strcmp(src, "/etc/mtab") == 0)
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+        else
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
        free(dst);
        fs_logger2("clone", src);

diff --git a/README b/README index 08ccefc3b..1bf45250d 100644 --- a/README +++ b/README
@@ -136,6 +136,7 @@ Anton Shestakov (https://github.com/antonv6)
136	- add whitelist items for uim	136	- add whitelist items for uim
137	- allow /etc/vulkan in steam profile	137	- allow /etc/vulkan in steam profile
138	- allow ~/.cache/wine in lutris and wine profile	138	- allow ~/.cache/wine in lutris and wine profile
		139	- support MangoHud in steam profile
139	Antonio Russo (https://github.com/aerusso)	140	Antonio Russo (https://github.com/aerusso)
140	- enumerate root directories in apparmor profile	141	- enumerate root directories in apparmor profile
141	- fix join-or-start	142	- fix join-or-start
@@ -520,6 +521,7 @@ Jan-Niclas (https://github.com/0x6a61)
520	- fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox	521	- fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
521	Jan Sonntag (https://github.com/jmetrius)	522	Jan Sonntag (https://github.com/jmetrius)
522	- added OpenStego profile	523	- added OpenStego profile
		524	- allow common access to EGL External platform configuration directory
523	Jean Lucas (https://github.com/flacks)	525	Jean Lucas (https://github.com/flacks)
524	- fix Discord profile	526	- fix Discord profile
525	- add AnyDesk profile	527	- add AnyDesk profile


diff --git a/RELNOTES b/RELNOTES index 8fd438ad3..1d781fca9 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -1,5 +1,9 @@
1	firejail (0.9.68rc2) baseline; urgency=low	1	firejail (0.9.68rc2) baseline; urgency=low
2	* work in progress	2	* work in progress
		3	* security: on Ubuntu, the PPA is now recommended over the distro package
		4	(see README.md) (#4748)
		5	* security: bugfix: private-cwd leaks access to the entire filesystem
		6	(#4780); reported by Hugo Osvaldo Barrera
3	* exit code: distinguish fatal signals by adding 128 (#4533)	7	* exit code: distinguish fatal signals by adding 128 (#4533)
4	* close file descriptors greater than 2 (--keep-fd) (#4845)	8	* close file descriptors greater than 2 (--keep-fd) (#4845)
5	* intrusion detection system (--ids-init, --ids-check)	9	* intrusion detection system (--ids-init, --ids-check)
@@ -7,7 +11,7 @@ firejail (0.9.68rc2) baseline; urgency=low
7	--deterministic-shutdown) (#4635)	11	--deterministic-shutdown) (#4635)
8	* noprinters command (#4607 #4827)	12	* noprinters command (#4607 #4827)
9	* network monitor (--nettrace)	13	* network monitor (--nettrace)
10	* network locker (--netlock)	14	* network locker (--netlock) (#4848)
11	* whitelist-ro profile command	15	* whitelist-ro profile command
12	* AppImage support in --build command	16	* AppImage support in --build command
13	* build: firecfg.config is now installed to /etc/firejail/ (#4669)	17	* build: firecfg.config is now installed to /etc/firejail/ (#4669)
@@ -15,10 +19,13 @@ firejail (0.9.68rc2) baseline; urgency=low
15	* removed whitelist=yes/no in /etc/firejail/firejail.config	19	* removed whitelist=yes/no in /etc/firejail/firejail.config
16	* new condition: ALLOW_TRAY (#4510 #4599)	20	* new condition: ALLOW_TRAY (#4510 #4599)
17	* remove (some) environment variables with auth-tokens (#4157)	21	* remove (some) environment variables with auth-tokens (#4157)
		22	* bugfix: Fix sndio support (#4362 #4365)
18	* bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)	23	* bugfix: Error mounting tmpfs (MS_REMOUNT flag not being cleared) (#4387)
19	* bugfix: --build clears the environment (#4460 #4467)	24	* bugfix: --build clears the environment (#4460 #4467)
		25	* bugfix: firejail hangs with net parameter (#3958 #4476)
20	* bugfix: Firejail does not work with a custom hosts file (#2758 #4560)	26	* bugfix: Firejail does not work with a custom hosts file (#2758 #4560)
21	* bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)	27	* bugfix: --tracelog and --trace override /etc/ld.so.preload (#4558 #4586)
		28	* bugfix: PATH_MAX is undeclared on musl libc (#4578 #4579 #4583)
22	* bugfix: Firejail rejects empty arguments (#4395)	29	* bugfix: Firejail rejects empty arguments (#4395)
23	* bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)	30	* bugfix: firecfg does not work with symlinks (discord.desktop) (#4235)
24	* bugfix: Seccomp list output goes to stdout instead of stderr (#4328)	31	* bugfix: Seccomp list output goes to stdout instead of stderr (#4328)


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 5a189559a..255da0fbd 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -286,6 +286,7 @@ blacklist ${HOME}/.config/LibreCAD
286	blacklist ${HOME}/.config/Loop_Hero	286	blacklist ${HOME}/.config/Loop_Hero
287	blacklist ${HOME}/.config/Luminance	287	blacklist ${HOME}/.config/Luminance
288	blacklist ${HOME}/.config/LyX	288	blacklist ${HOME}/.config/LyX
		289	blacklist ${HOME}/.config/MangoHud
289	blacklist ${HOME}/.config/Mattermost	290	blacklist ${HOME}/.config/Mattermost
290	blacklist ${HOME}/.config/Meltytech	291	blacklist ${HOME}/.config/Meltytech
291	blacklist ${HOME}/.config/Mendeley Ltd.	292	blacklist ${HOME}/.config/Mendeley Ltd.


diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index 0049ce804..b4e5ac5d9 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc
@@ -12,6 +12,7 @@ whitelist /usr/share/cursors
12	whitelist /usr/share/dconf	12	whitelist /usr/share/dconf
13	whitelist /usr/share/distro-info	13	whitelist /usr/share/distro-info
14	whitelist /usr/share/drirc.d	14	whitelist /usr/share/drirc.d
		15	whitelist /usr/share/egl
15	whitelist /usr/share/enchant	16	whitelist /usr/share/enchant
16	whitelist /usr/share/enchant-2	17	whitelist /usr/share/enchant-2
17	whitelist /usr/share/file	18	whitelist /usr/share/file


diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index fbb509d89..b79a82c83 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile
@@ -25,7 +25,8 @@ nosound
25	notv	25	notv
26	nou2f	26	nou2f
27	novideo	27	novideo
28	protocol unix	28	# remove inet,inet6 to disable network access
		29	protocol unix,inet,inet6
29	seccomp	30	seccomp
30	shell none	31	shell none
31		32


diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile index f2469048f..61fe534d6 100644 --- a/etc/profile-m-z/shellcheck.profile +++ b/etc/profile-m-z/shellcheck.profile
@@ -50,5 +50,3 @@ private-tmp
50		50
51	dbus-user none	51	dbus-user none
52	dbus-system none	52	dbus-system none
53
54	memory-deny-write-execute


diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index b31818274..b0be8a517 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile
@@ -8,6 +8,7 @@ include globals.local
8		8
9	noblacklist ${HOME}/.config/Epic	9	noblacklist ${HOME}/.config/Epic
10	noblacklist ${HOME}/.config/Loop_Hero	10	noblacklist ${HOME}/.config/Loop_Hero
		11	noblacklist ${HOME}/.config/MangoHud
11	noblacklist ${HOME}/.config/ModTheSpire	12	noblacklist ${HOME}/.config/ModTheSpire
12	noblacklist ${HOME}/.config/RogueLegacy	13	noblacklist ${HOME}/.config/RogueLegacy
13	noblacklist ${HOME}/.config/RogueLegacyStorageContainer	14	noblacklist ${HOME}/.config/RogueLegacyStorageContainer
@@ -55,6 +56,7 @@ include disable-programs.inc
55		56
56	mkdir ${HOME}/.config/Epic	57	mkdir ${HOME}/.config/Epic
57	mkdir ${HOME}/.config/Loop_Hero	58	mkdir ${HOME}/.config/Loop_Hero
		59	mkdir ${HOME}/.config/MangoHud
58	mkdir ${HOME}/.config/ModTheSpire	60	mkdir ${HOME}/.config/ModTheSpire
59	mkdir ${HOME}/.config/RogueLegacy	61	mkdir ${HOME}/.config/RogueLegacy
60	mkdir ${HOME}/.config/unity3d	62	mkdir ${HOME}/.config/unity3d
@@ -85,6 +87,7 @@ mkfile ${HOME}/.steampath
85	mkfile ${HOME}/.steampid	87	mkfile ${HOME}/.steampid
86	whitelist ${HOME}/.config/Epic	88	whitelist ${HOME}/.config/Epic
87	whitelist ${HOME}/.config/Loop_Hero	89	whitelist ${HOME}/.config/Loop_Hero
		90	whitelist ${HOME}/.config/MangoHud
88	whitelist ${HOME}/.config/ModTheSpire	91	whitelist ${HOME}/.config/ModTheSpire
89	whitelist ${HOME}/.config/RogueLegacy	92	whitelist ${HOME}/.config/RogueLegacy
90	whitelist ${HOME}/.config/RogueLegacyStorageContainer	93	whitelist ${HOME}/.config/RogueLegacyStorageContainer
@@ -162,3 +165,5 @@ private-tmp
162		165
163	# dbus-user none	166	# dbus-user none
164	# dbus-system none	167	# dbus-system none
		168
		169	read-only ${HOME}/.config/MangoHud


diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 4be35e23f..c64d20127 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c
@@ -402,15 +402,6 @@ static void duplicate_link(const char src, const char dest, struct stat *s) {
402	gid_t gid = s->st_gid;	402	gid_t gid = s->st_gid;
403	mode_t mode = s->st_mode;	403	mode_t mode = s->st_mode;
404		404
405	// NixOS problem #4887:
406	// /etc/fonts is a double symlink to a directory - copy the files instead of copying the symlink
407	if (strcmp(src, "/etc/fonts") == 0) {
408	duplicate_dir(src, dest, s);
409	free(rsrc);
410	free(rdest);
411	return;
412	}
413
414	// build destination file name	405	// build destination file name
415	char *name;	406	char *name;
416	// char *ptr = strrchr(rsrc, '/');	407	// char *ptr = strrchr(rsrc, '/');


diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 786e0d360..deaee31bb 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c
@@ -165,7 +165,14 @@ static void duplicate(const char fname, const char private_dir, const char *pr
165	errExit("asprintf");	165	errExit("asprintf");
166		166
167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));	167	build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
168	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);	168
		169	// follow links! this will make a copy of the file or directory pointed by the symlink
		170	// this will solve problems such as NixOS #4887
		171	// don't follow links to dynamic directories such as /proc
		172	if (strcmp(src, "/etc/mtab") == 0)
		173	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
		174	else
		175	sbox_run(SBOX_ROOT \| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", src, dst);
169		176
170	free(dst);	177	free(dst);
171	fs_logger2("clone", src);	178	fs_logger2("clone", src);