-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 31 |
2 files changed, 11 insertions, 24 deletions
@@ -1,6 +1,10 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * seccomp syscall list update for glibc 2.26-10 | 3 | * seccomp syscall list update for glibc 2.26-10 |
4 | * IPv6 DNS support | ||
5 | * whitelist support for overlay and chroot sandboxes | ||
6 | * private-dev support for overlay and chroot sandboxes | ||
7 | * private-tmp support for overlay and chroot sandboxes | ||
4 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary | 8 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary |
5 | * new profiles: pycharm-community, pycharm-professional | 9 | * new profiles: pycharm-community, pycharm-professional |
6 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 | 10 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 |
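--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -763,14 +763,8 @@ int sandbox(void* sandbox_arg) {
 fs_private();
 }
 
-if (arg_private_dev) {
-if (cfg.chrootdir)
-fwarning("private-dev feature is disabled in chroot\n");
-else if (arg_overlay)
-fwarning("private-dev feature is disabled in overlay\n");
-else
-fs_private_dev();
-}
+if (arg_private_dev)
+fs_private_dev();
 
 if (arg_private_etc) {
 if (cfg.chrootdir)
@@ -835,16 +829,10 @@ int sandbox(void* sandbox_arg) {
 }
 
 if (arg_private_tmp) {
-if (cfg.chrootdir)
-fwarning("private-tmp feature is disabled in chroot\n");
-else if (arg_overlay)
-fwarning("private-tmp feature is disabled in overlay\n");
-else {
-// private-tmp is implemented as a whitelist
-EUID_USER();
-fs_private_tmp();
-EUID_ROOT();
-}
+// private-tmp is implemented as a whitelist
+EUID_USER();
+fs_private_tmp();
+EUID_ROOT();
 }
 
 //****************************
@@ -877,12 +865,7 @@ int sandbox(void* sandbox_arg) {
 // apply the profile file
 //****************************
 // apply all whitelist commands ...
-if (cfg.chrootdir)
-fwarning("whitelist feature is disabled in chroot\n");
-else if (arg_overlay)
-fwarning("whitelist feature is disabled in overlay\n");
-else
-fs_whitelist();
+fs_whitelist();
 
 // ... followed by blacklist commands
 fs_blacklist(); // mkdir and mkfile are processed all over again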
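Review bot: With the chroot/overlay guards removed, `fs_private_dev()` (new line 767) and `fs_whitelist()` (new line 868) become reachable inside a root filesystem that comes from a user-supplied directory or overlay layer. Only the `fs_private_tmp()` call is bracketed by `EUID_USER()`/`EUID_ROOT()`, so the other two presumably run with root effective UID. Their bodies are not part of this diff, so please confirm that their mount targets (/dev, whitelisted paths and any directories they create) are checked for symlinks and ownership under the new root. The `arg_private_etc` block directly below keeps its `if (cfg.chrootdir)` guard, so a comment at the unguarded calls would record why these features differ, e.g. `// also runs in chroot/overlay: must not trust paths under the new root`. `sandbox()` begins and ends outside these hunks.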