diff options
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 | ||||
-rwxr-xr-x | test/fs/private-home-dir.exp | 26 |
7 files changed, 7 insertions, 46 deletions
@@ -1,5 +1,8 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * modif: --allow-private-blacklists was deprecated; blacklisting, | ||
4 | read-only, read-write, tmpfs and noexec are allowed in | ||
5 | private home directories | ||
3 | * enhancement: support Firejail user config directory in firecfg | 6 | * enhancement: support Firejail user config directory in firecfg |
4 | * enhancement: disable DBus activation in firecfg | 7 | * enhancement: disable DBus activation in firecfg |
5 | * enhancement; enumerate root directories in apparmor profile | 8 | * enhancement; enumerate root directories in apparmor profile |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e10a5d346..d853daa44 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -298,7 +298,6 @@ void clear_run_files(pid_t pid); | |||
298 | 298 | ||
299 | extern int arg_private; // mount private /home | 299 | extern int arg_private; // mount private /home |
300 | extern int arg_private_template; // private /home template | 300 | extern int arg_private_template; // private /home template |
301 | extern int arg_allow_private_blacklist; // blacklist things in private directories | ||
302 | extern int arg_debug; // print debug messages | 301 | extern int arg_debug; // print debug messages |
303 | extern int arg_debug_check_filename; // print debug messages for filename checking | 302 | extern int arg_debug_check_filename; // print debug messages for filename checking |
304 | extern int arg_debug_blacklists; // print debug messages for blacklists | 303 | extern int arg_debug_blacklists; // print debug messages for blacklists |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 0a6f40959..ed2c9a566 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -220,14 +220,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
220 | } | 220 | } |
221 | } | 221 | } |
222 | 222 | ||
223 | // We don't usually need to blacklist things in private home directories | ||
224 | if (okay_to_blacklist | ||
225 | && cfg.homedir | ||
226 | && arg_private | ||
227 | && (!arg_allow_private_blacklist) | ||
228 | && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0)) | ||
229 | okay_to_blacklist = false; | ||
230 | |||
231 | if (okay_to_blacklist) | 223 | if (okay_to_blacklist) |
232 | disable_file(op, path); | 224 | disable_file(op, path); |
233 | else if (arg_debug) | 225 | else if (arg_debug) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 584d0c293..126f98d9b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1600,7 +1600,8 @@ int main(int argc, char **argv) { | |||
1600 | arg_machineid = 1; | 1600 | arg_machineid = 1; |
1601 | } | 1601 | } |
1602 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { | 1602 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { |
1603 | arg_allow_private_blacklist = 1; | 1603 | if (!arg_quiet) |
1604 | fprintf(stderr, "--allow-private-blacklist was deprecated\n"); | ||
1604 | } | 1605 | } |
1605 | else if (strcmp(argv[i], "--private") == 0) { | 1606 | else if (strcmp(argv[i], "--private") == 0) { |
1606 | arg_private = 1; | 1607 | arg_private = 1; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a1c94579c..622306c22 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -242,7 +242,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
242 | return 0; | 242 | return 0; |
243 | } | 243 | } |
244 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { | 244 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { |
245 | arg_allow_private_blacklist = 1; | 245 | if (!arg_quiet) |
246 | fprintf(stderr, "--allow-private-blacklist was deprecated\n"); | ||
246 | return 0; | 247 | return 0; |
247 | } | 248 | } |
248 | else if (strcmp(ptr, "netfilter") == 0) { | 249 | else if (strcmp(ptr, "netfilter") == 0) { |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7ba09ba8a..00481d4d3 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -87,15 +87,6 @@ Example: | |||
87 | .br | 87 | .br |
88 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 88 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
89 | .TP | 89 | .TP |
90 | \fB\-\-allow-private-blacklist | ||
91 | Allow blacklisting files in private home directory. By default these blacklists are disabled. | ||
92 | .br | ||
93 | |||
94 | .br | ||
95 | Example: | ||
96 | .br | ||
97 | $ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla | ||
98 | .TP | ||
99 | \fB\-\-allusers | 90 | \fB\-\-allusers |
100 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 91 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
101 | .br | 92 | .br |
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 9c97ff4ea..d58adf801 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp | |||
@@ -74,32 +74,6 @@ sleep 1 | |||
74 | 74 | ||
75 | send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | 75 | send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" |
76 | expect { | 76 | expect { |
77 | timeout {puts "TESTING ERROR 6\n";exit} | ||
78 | "Not blacklist" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 7\n";exit} | ||
82 | "test_dir_2" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 8\n";exit} | ||
86 | "Child process initialized" | ||
87 | } | ||
88 | |||
89 | sleep 1 | ||
90 | |||
91 | send -- "find ~\r" | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 9\n";exit} | ||
94 | "testfile" | ||
95 | } | ||
96 | after 100 | ||
97 | |||
98 | send -- "exit\r" | ||
99 | sleep 1 | ||
100 | |||
101 | send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | ||
102 | expect { | ||
103 | timeout {puts "TESTING ERROR 10\n";exit} | 77 | timeout {puts "TESTING ERROR 10\n";exit} |
104 | "Disable" | 78 | "Disable" |
105 | } | 79 | } |