diff options
-rw-r--r-- | etc/disable-mgmt.inc | 2 | ||||
-rw-r--r-- | etc/midori.profile | 1 | ||||
-rw-r--r-- | src/firejail/caps.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 19 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 2 | ||||
-rw-r--r-- | todo | 1 |
7 files changed, 5 insertions, 24 deletions
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc index 8cc346ae1..b01b326d4 100644 --- a/etc/disable-mgmt.inc +++ b/etc/disable-mgmt.inc | |||
@@ -9,6 +9,8 @@ blacklist ${PATH}/fusermount | |||
9 | blacklist ${PATH}/su | 9 | blacklist ${PATH}/su |
10 | blacklist ${PATH}/sudo | 10 | blacklist ${PATH}/sudo |
11 | blacklist ${PATH}/xinput | 11 | blacklist ${PATH}/xinput |
12 | blacklist ${PATH}/evtest | ||
13 | blacklist ${PATH}/xev | ||
12 | blacklist ${PATH}/strace | 14 | blacklist ${PATH}/strace |
13 | 15 | ||
14 | # Prevent manipulation of firejail configuration | 16 | # Prevent manipulation of firejail configuration |
diff --git a/etc/midori.profile b/etc/midori.profile index 5bc864e31..7ce9b7151 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -7,5 +7,4 @@ include /etc/firejail/disable-history.inc | |||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | 8 | seccomp |
9 | netfilter | 9 | netfilter |
10 | noroot | ||
11 | 10 | ||
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index cd7dbee74..12d0eec57 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -309,7 +309,7 @@ int caps_default_filter(void) { | |||
309 | 309 | ||
310 | void caps_drop_all(void) { | 310 | void caps_drop_all(void) { |
311 | if (arg_debug) | 311 | if (arg_debug) |
312 | printf("Droping all capabilities\n"); | 312 | printf("Dropping all capabilities\n"); |
313 | 313 | ||
314 | unsigned long cap; | 314 | unsigned long cap; |
315 | for (cap=0; cap <= 63; cap++) { | 315 | for (cap=0; cap <= 63; cap++) { |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index fca5f51c8..98d62b685 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -203,12 +203,6 @@ void fs_private_homedir(void) { | |||
203 | printf("Mounting a new /home directory\n"); | 203 | printf("Mounting a new /home directory\n"); |
204 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 204 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
205 | errExit("mounting home directory"); | 205 | errExit("mounting home directory"); |
206 | |||
207 | // mask /tmp only in root mode; KDE keeps all kind of sockets in /tmp! | ||
208 | if (arg_debug) | ||
209 | printf("Mounting a new /tmp directory\n"); | ||
210 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | ||
211 | errExit("mounting tmp directory"); | ||
212 | } | 206 | } |
213 | 207 | ||
214 | 208 | ||
@@ -253,13 +247,6 @@ void fs_private(void) { | |||
253 | if (chown(homedir, u, g) < 0) | 247 | if (chown(homedir, u, g) < 0) |
254 | errExit("chown"); | 248 | errExit("chown"); |
255 | } | 249 | } |
256 | else { | ||
257 | // mask tmp only in root mode; KDE keeps all kind of sockets in /tmp! | ||
258 | if (arg_debug) | ||
259 | printf("Mounting a new /tmp directory\n"); | ||
260 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | ||
261 | errExit("mounting tmp directory"); | ||
262 | } | ||
263 | 250 | ||
264 | skel(homedir, u, g); | 251 | skel(homedir, u, g); |
265 | if (xflag) | 252 | if (xflag) |
@@ -502,12 +489,6 @@ void fs_private_home_list(void) { | |||
502 | printf("Mounting a new /home directory\n"); | 489 | printf("Mounting a new /home directory\n"); |
503 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 490 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
504 | errExit("mounting home directory"); | 491 | errExit("mounting home directory"); |
505 | |||
506 | // mask /tmp only in root mode; KDE keeps all kind of sockets in /tmp! | ||
507 | if (arg_debug) | ||
508 | printf("Mounting a new /tmp directory\n"); | ||
509 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | ||
510 | errExit("mounting tmp directory"); | ||
511 | } | 492 | } |
512 | 493 | ||
513 | skel(homedir, u, g); | 494 | skel(homedir, u, g); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3b2e7e4d9..43a468c46 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1084,7 +1084,7 @@ int main(int argc, char **argv) { | |||
1084 | } | 1084 | } |
1085 | 1085 | ||
1086 | if (custom_profile) | 1086 | if (custom_profile) |
1087 | printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name); | 1087 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); |
1088 | } | 1088 | } |
1089 | } | 1089 | } |
1090 | 1090 | ||
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 5b5026a3d..8601a5696 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -87,7 +87,7 @@ void netfilter(const char *fname) { | |||
87 | allocated = 1; | 87 | allocated = 1; |
88 | } | 88 | } |
89 | 89 | ||
90 | // mount a tempfs on top of /tmp directory | 90 | // temporarily mount a tempfs on top of /tmp directory |
91 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 91 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
92 | errExit("mounting /tmp"); | 92 | errExit("mounting /tmp"); |
93 | 93 | ||
@@ -31,4 +31,3 @@ $ | |||
31 | 31 | ||
32 | 4. Remove exclude-token from profile include in 0.9.34 (deprecated in 0.9.30) | 32 | 4. Remove exclude-token from profile include in 0.9.34 (deprecated in 0.9.30) |
33 | 33 | ||
34 | |||