-rw-r--r-- | etc/login.users | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 15 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 2 |
5 files changed, 34 insertions, 8 deletions
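--- a/etc/login.users
+++ b/etc/login.users
@@ -7,7 +7,7 @@
 #
 # For example:
 #
-# netblue:--debug --net=none
+# netblue:--net=none --protocol=unix
 #
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.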
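--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -787,8 +787,10 @@ int main(int argc, char **argv) {
 	char *comm = pid_proc_comm(ppid);
 	EUID_USER();
 	if (comm) {
-		if (strcmp(comm, "sshd") == 0)
+		if (strcmp(comm, "sshd") == 0) {
+			arg_quiet = 1;
 			parent_sshd = 1;
+		}
 		free(comm);
 	}
 }
@@ -817,9 +819,11 @@ int main(int argc, char **argv) {
 		run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
 		if (strcmp(argv[i], "--debug") == 0) {
-			arg_debug = 1;
-			if (option_force)
-				printf("Entering sandbox-in-sandbox mode\n");
+			if (!arg_quiet) {
+				arg_debug = 1;
+				if (option_force)
+					printf("Entering sandbox-in-sandbox mode\n");
+			}
 		}
 		else if (strcmp(argv[i], "--debug-check-filename") == 0)
 			arg_debug_check_filename = 1;
@@ -827,8 +831,10 @@ int main(int argc, char **argv) {
 			arg_debug_blacklists = 1;
 		else if (strcmp(argv[i], "--debug-whitelists") == 0)
 			arg_debug_whitelists = 1;
-		else if (strcmp(argv[i], "--quiet") == 0)
+		else if (strcmp(argv[i], "--quiet") == 0) {
 			arg_quiet = 1;
+			arg_debug = 0;
+		}
 		else if (strcmp(argv[i], "--force") == 0)
 			;
 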
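Review bot: The `--quiet` branch in the third hunk clears `arg_debug` but leaves `arg_debug_check_filename`, `arg_debug_blacklists` and `arg_debug_whitelists` untouched, so `--debug-blacklists --quiet` still emits debug output while `--debug --quiet` does not; if quiet is meant to win, clear all four there, and the `!arg_quiet` guard added to `--debug` in the second hunk has the same gap because the sibling `--debug-*` options are not guarded. The sshd check in the first hunk now forces quiet before any option is parsed, which is what makes that guard necessary, but nothing in the code says so; a comment such as `// started from sshd: force --quiet so a later --debug cannot re-enable output` would record the intent. If pid_proc_comm() reads the parent's /proc comm name, that value is self-reported by the parent, so this is a convenience heuristic rather than a trust decision and should stay limited to output suppression. main() extends well beyond all three hunks.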
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index da4e9d332..ee6e94957 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -61,7 +61,20 @@ int restricted_shell(const char *user) { | |||
61 | ptr = strchr(args, '\n'); | 61 | ptr = strchr(args, '\n'); |
62 | if (ptr) | 62 | if (ptr) |
63 | *ptr = '\0'; | 63 | *ptr = '\0'; |
64 | 64 | ||
65 | // if nothing follows, continue | ||
66 | char *ptr2 = args; | ||
67 | int found = 0; | ||
68 | while (*ptr2 != '\0') { | ||
69 | if (*ptr2 != ' ' && *ptr2 != '\t') { | ||
70 | found = 1; | ||
71 | break; | ||
72 | } | ||
73 | } | ||
74 | if (!found) | ||
75 | continue; | ||
76 | |||
77 | // process user | ||
65 | if (strcmp(user, usr) == 0) { | 78 | if (strcmp(user, usr) == 0) { |
66 | restricted_user = strdup(user); | 79 | restricted_user = strdup(user); |
67 | // extract program arguments | 80 | // extract program arguments |
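Review bot: The whitespace scan added at lines 68-73 never advances `ptr2`, so any `args` value that starts with a space or tab makes restricted_shell() spin forever; the leading-whitespace entry is exactly the case the check exists to detect. Either add `ptr2++;` as the last statement of the while body, or drop the loop and the `found` flag and write `if (args[strspn(args, " \t")] == '\0') continue;`, which uses the same `<string.h>` the surrounding strchr/strcmp calls already need. The comment `// if nothing follows, continue` would read more precisely as `// skip entries whose argument field is empty or whitespace-only`. restricted_shell() starts and ends outside this hunk.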
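--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -131,9 +131,16 @@ static void chk_chroot(void) {
 }
 
 static int monitor_application(pid_t app_pid) {
+
+
 	int status;
 	while (app_pid) {
 		usleep(20000);
+		char *msg;
+		if (asprintf(&msg, "monitoring pid %d\n", app_pid) == -1)
+			errExit("asprintf");
+		logmsg(msg);
+		free(msg);
 
 		pid_t rv;
 		do {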
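Review bot: The `logmsg()` call added at lines 139-143 sits inside the `usleep(20000)` polling loop, so a sandbox that runs for an hour writes the same "monitoring pid" message roughly 180,000 times; if logmsg() is syslog-backed that is a self-inflicted log flood that buries real events and consumes disk. Emit it once per monitored pid instead, before the loop as sketched below, or at whatever point `app_pid` is reassigned, since the rest of the loop body lies outside the hunk and presumably updates it. The two empty lines added at 134-135 are stray whitespace. monitor_application() continues past the end of the hunk.
```c
static int monitor_application(pid_t app_pid) {
	int status;
	// log once per monitored pid, not on every 20 ms poll
	char *msg;
	if (asprintf(&msg, "monitoring pid %d\n", app_pid) == -1)
		errExit("asprintf");
	logmsg(msg);
	free(msg);
	while (app_pid) {
		usleep(20000);
		/* … unchanged: waitpid loop and status handling … */
```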
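--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 
 Example:
 
-netblue:--debug --net=none
+netblue:--net=none --protocol=unix
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in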