diff options
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 |
7 files changed, 6 insertions, 21 deletions
@@ -3,6 +3,7 @@ firejail (0.9.51) baseline; urgency=low | |||
3 | * modif: --allow-private-blacklists was deprecated; blacklisting, | 3 | * modif: --allow-private-blacklists was deprecated; blacklisting, |
4 | read-only, read-write, tmpfs and noexec are allowed in | 4 | read-only, read-write, tmpfs and noexec are allowed in |
5 | private home directories | 5 | private home directories |
6 | * modif: remount-proc-sys deprecated from firejail.config | ||
6 | * enhancement: support Firejail user config directory in firecfg | 7 | * enhancement: support Firejail user config directory in firecfg |
7 | * enhancement: disable DBus activation in firecfg | 8 | * enhancement: disable DBus activation in firecfg |
8 | * enhancement; enumerate root directories in apparmor profile | 9 | * enhancement; enumerate root directories in apparmor profile |
diff --git a/etc/firejail.config b/etc/firejail.config index b597ed603..26f2dedfc 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -69,9 +69,6 @@ | |||
69 | # Enable --quiet as default every time the sandbox is started. Default disabled. | 69 | # Enable --quiet as default every time the sandbox is started. Default disabled. |
70 | # quiet-by-default no | 70 | # quiet-by-default no |
71 | 71 | ||
72 | # Remount /proc and /sys inside the sandbox, default enabled. | ||
73 | # remount-proc-sys yes | ||
74 | |||
75 | # Enable or disable restricted network support, default disabled. If enabled, | 72 | # Enable or disable restricted network support, default disabled. If enabled, |
76 | # networking features should also be enabled (network yes). | 73 | # networking features should also be enabled (network yes). |
77 | # Restricted networking grants access to --interface, --net=ethXXX and | 74 | # Restricted networking grants access to --interface, --net=ethXXX and |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7f371b299..1dee87a64 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -299,14 +299,9 @@ int checkcfg(int val) { | |||
299 | else | 299 | else |
300 | goto errout; | 300 | goto errout; |
301 | } | 301 | } |
302 | // remount /proc and /sys | ||
303 | else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { | 302 | else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { |
304 | if (strcmp(ptr + 17, "yes") == 0) | 303 | if (!arg_quiet) |
305 | cfg_val[CFG_REMOUNT_PROC_SYS] = 1; | 304 | fprintf(stderr, "Warning: remount-proc-sys from firejail.config was deprecated\n"); |
306 | else if (strcmp(ptr + 17, "no") == 0) | ||
307 | cfg_val[CFG_REMOUNT_PROC_SYS] = 0; | ||
308 | else | ||
309 | goto errout; | ||
310 | } | 305 | } |
311 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | 306 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { |
312 | if (strcmp(ptr + 10, "yes") == 0) | 307 | if (strcmp(ptr + 10, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a6b57f263..c6c6c76cc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -725,7 +725,6 @@ enum { | |||
725 | CFG_FORCE_NONEWPRIVS, | 725 | CFG_FORCE_NONEWPRIVS, |
726 | CFG_WHITELIST, | 726 | CFG_WHITELIST, |
727 | CFG_XEPHYR_WINDOW_TITLE, | 727 | CFG_XEPHYR_WINDOW_TITLE, |
728 | CFG_REMOUNT_PROC_SYS, | ||
729 | CFG_OVERLAYFS, | 728 | CFG_OVERLAYFS, |
730 | CFG_CHROOT_DESKTOP, | 729 | CFG_CHROOT_DESKTOP, |
731 | CFG_PRIVATE_HOME, | 730 | CFG_PRIVATE_HOME, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 67b40f9c2..069aa6ca8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1615,7 +1615,7 @@ int main(int argc, char **argv) { | |||
1615 | } | 1615 | } |
1616 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { | 1616 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { |
1617 | if (!arg_quiet) | 1617 | if (!arg_quiet) |
1618 | fprintf(stderr, "--allow-private-blacklist was deprecated\n"); | 1618 | fprintf(stderr, "Warning: --allow-private-blacklist was deprecated\n"); |
1619 | } | 1619 | } |
1620 | else if (strcmp(argv[i], "--private") == 0) { | 1620 | else if (strcmp(argv[i], "--private") == 0) { |
1621 | arg_private = 1; | 1621 | arg_private = 1; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index dc1333988..4851dc9ad 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -243,7 +243,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
243 | } | 243 | } |
244 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { | 244 | else if (strcmp(ptr, "allow-private-blacklist") == 0) { |
245 | if (!arg_quiet) | 245 | if (!arg_quiet) |
246 | fprintf(stderr, "--allow-private-blacklist was deprecated\n"); | 246 | fprintf(stderr, "Warning: --allow-private-blacklist was deprecated\n"); |
247 | return 0; | 247 | return 0; |
248 | } | 248 | } |
249 | else if (strcmp(ptr, "netfilter") == 0) { | 249 | else if (strcmp(ptr, "netfilter") == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b92483c66..131163c68 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -245,12 +245,6 @@ static int monitor_application(pid_t app_pid) { | |||
245 | sleep(1); | 245 | sleep(1); |
246 | } | 246 | } |
247 | 247 | ||
248 | // if /proc is not remounted, we cannot check /proc directory, | ||
249 | // for now we just get out of here | ||
250 | // todo: find another way of checking child processes! | ||
251 | if (!checkcfg(CFG_REMOUNT_PROC_SYS)) | ||
252 | break; | ||
253 | |||
254 | DIR *dir; | 248 | DIR *dir; |
255 | if (!(dir = opendir("/proc"))) { | 249 | if (!(dir = opendir("/proc"))) { |
256 | // sleep 2 seconds and try again | 250 | // sleep 2 seconds and try again |
@@ -872,8 +866,7 @@ int sandbox(void* sandbox_arg) { | |||
872 | //**************************** | 866 | //**************************** |
873 | // update /proc, /sys, /dev, /boot directory | 867 | // update /proc, /sys, /dev, /boot directory |
874 | //**************************** | 868 | //**************************** |
875 | if (checkcfg(CFG_REMOUNT_PROC_SYS)) | 869 | fs_proc_sys_dev_boot(); |
876 | fs_proc_sys_dev_boot(); | ||
877 | 870 | ||
878 | //**************************** | 871 | //**************************** |
879 | // handle /mnt and /media | 872 | // handle /mnt and /media |