diff options
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 34 |
4 files changed, 33 insertions, 15 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index 0887e05b5..1db734f77 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -43,6 +43,10 @@ | |||
43 | # that is partially under their control. Default disabled. | 43 | # that is partially under their control. Default disabled. |
44 | # force-nonewprivs no | 44 | # force-nonewprivs no |
45 | 45 | ||
46 | # Allow sandbox joining as a regular user, default enabled. | ||
47 | # root user can always join sandboxes. | ||
48 | # join yes | ||
49 | |||
46 | # Enable or disable networking features, default enabled. | 50 | # Enable or disable networking features, default enabled. |
47 | # network yes | 51 | # network yes |
48 | 52 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 476ecbe10..67bcd996a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -92,6 +92,15 @@ int checkcfg(int val) { | |||
92 | else | 92 | else |
93 | goto errout; | 93 | goto errout; |
94 | } | 94 | } |
95 | // join | ||
96 | else if (strncmp(ptr, "join ", 5) == 0) { | ||
97 | if (strcmp(ptr + 5, "yes") == 0) | ||
98 | cfg_val[CFG_JOIN] = 1; | ||
99 | else if (strcmp(ptr + 5, "no") == 0) | ||
100 | cfg_val[CFG_JOIN] = 0; | ||
101 | else | ||
102 | goto errout; | ||
103 | } | ||
95 | // x11 | 104 | // x11 |
96 | else if (strncmp(ptr, "x11 ", 4) == 0) { | 105 | else if (strncmp(ptr, "x11 ", 4) == 0) { |
97 | if (strcmp(ptr + 4, "yes") == 0) | 106 | if (strcmp(ptr + 4, "yes") == 0) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f85560588..dbb6c4d16 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -686,6 +686,7 @@ enum { | |||
686 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, | 686 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, |
687 | CFG_DISABLE_MNT, | 687 | CFG_DISABLE_MNT, |
688 | CFG_CACHE_TMPFS, | 688 | CFG_CACHE_TMPFS, |
689 | CFG_JOIN, | ||
689 | CFG_MAX // this should always be the last entry | 690 | CFG_MAX // this should always be the last entry |
690 | }; | 691 | }; |
691 | extern char *xephyr_screen; | 692 | extern char *xephyr_screen; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index db9a9c8cb..3dcc5c62d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
615 | } | 615 | } |
616 | #endif | 616 | #endif |
617 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 617 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
618 | logargs(argc, argv); | 618 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
619 | 619 | logargs(argc, argv); | |
620 | if (arg_shell_none) { | 620 | |
621 | if (argc <= (i+1)) { | 621 | if (arg_shell_none) { |
622 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); | 622 | if (argc <= (i+1)) { |
623 | exit(1); | 623 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); |
624 | exit(1); | ||
625 | } | ||
626 | cfg.original_program_index = i + 1; | ||
624 | } | 627 | } |
625 | cfg.original_program_index = i + 1; | 628 | |
629 | if (!cfg.shell && !arg_shell_none) | ||
630 | cfg.shell = guess_shell(); | ||
631 | |||
632 | // join sandbox by pid or by name | ||
633 | pid_t pid = read_pid(argv[i] + 7); | ||
634 | join(pid, argc, argv, i + 1); | ||
635 | exit(0); | ||
626 | } | 636 | } |
627 | 637 | else | |
628 | if (!cfg.shell && !arg_shell_none) | 638 | exit_err_feature("join"); |
629 | cfg.shell = guess_shell(); | ||
630 | |||
631 | // join sandbox by pid or by name | ||
632 | pid_t pid = read_pid(argv[i] + 7); | ||
633 | join(pid, argc, argv, i + 1); | ||
634 | exit(0); | ||
635 | 639 | ||
636 | } | 640 | } |
637 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 641 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |