diff options
38 files changed, 118 insertions, 50 deletions
@@ -103,6 +103,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
103 | - pidgin private-bin conversion | 103 | - pidgin private-bin conversion |
104 | - added eom profile | 104 | - added eom profile |
105 | - added gnome-chess profile | 105 | - added gnome-chess profile |
106 | - added DOSBox profile | ||
106 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 107 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
107 | - cpio profile | 108 | - cpio profile |
108 | Paupiah Yash (https://github.com/CaffeinatedStud) | 109 | Paupiah Yash (https://github.com/CaffeinatedStud) |
@@ -197,5 +197,5 @@ Browsers: Palemoon | |||
197 | ## New security profiles | 197 | ## New security profiles |
198 | 198 | ||
199 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview | 199 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview |
200 | tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client | 200 | tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox |
201 | 201 | ||
@@ -39,7 +39,7 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
39 | * profiles: pix, audacity, xz, xzdec, gzip, cpio, less | 39 | * profiles: pix, audacity, xz, xzdec, gzip, cpio, less |
40 | * profiles: Atom Beta, Atom, jitsi, eom, uudeview | 40 | * profiles: Atom Beta, Atom, jitsi, eom, uudeview |
41 | * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | 41 | * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, |
42 | * profiles: inox, Slack, gnome-chess. Gajim IM client | 42 | * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox |
43 | * bugfixes | 43 | * bugfixes |
44 | -- netblue30 <netblue30@yahoo.com> Thu, 26 Aug 2016 08:00:00 -0500 | 44 | -- netblue30 <netblue30@yahoo.com> Thu, 26 Aug 2016 08:00:00 -0500 |
45 | 45 | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index 217cdeee0..1e7c06879 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -19,8 +19,8 @@ whitelist ~/.local/share/0ad | |||
19 | 19 | ||
20 | caps.drop all | 20 | caps.drop all |
21 | netfilter | 21 | netfilter |
22 | nonewprivs | ||
23 | nogroups | 22 | nogroups |
23 | nonewprivs | ||
24 | noroot | 24 | noroot |
25 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
26 | seccomp | 26 | seccomp |
@@ -28,4 +28,4 @@ shell none | |||
28 | tracelog | 28 | tracelog |
29 | 29 | ||
30 | private-dev | 30 | private-dev |
31 | 31 | private-tmp | |
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 3c753e86c..9a8d93875 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firjail profile for Atom Beta. | 1 | # Firejail profile for Atom Beta. |
2 | noblacklist ~/.atom | 2 | noblacklist ~/.atom |
3 | noblacklist ~/.config/Atom | 3 | noblacklist ~/.config/Atom |
4 | 4 | ||
@@ -11,9 +11,10 @@ netfilter | |||
11 | nonewprivs | 11 | nonewprivs |
12 | nogroups | 12 | nogroups |
13 | noroot | 13 | noroot |
14 | nosound | ||
15 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | 16 | seccomp |
15 | shell none | 17 | shell none |
16 | 18 | ||
17 | private-dev | 19 | private-dev |
18 | nosound | 20 | private-tmp |
19 | |||
diff --git a/etc/atom.profile b/etc/atom.profile index 8304cd379..3cb86847e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firjail profile for Atom. | 1 | # Firejail profile for Atom. |
2 | noblacklist ~/.atom | 2 | noblacklist ~/.atom |
3 | noblacklist ~/.config/Atom | 3 | noblacklist ~/.config/Atom |
4 | 4 | ||
@@ -11,8 +11,10 @@ netfilter | |||
11 | nonewprivs | 11 | nonewprivs |
12 | nogroups | 12 | nogroups |
13 | noroot | 13 | noroot |
14 | nosound | ||
15 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | 16 | seccomp |
15 | shell none | 17 | shell none |
16 | 18 | ||
17 | private-dev | 19 | private-dev |
18 | nosound | 20 | private-tmp |
diff --git a/etc/atril.profile b/etc/atril.profile index bfe731bec..d9e10b072 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -18,3 +18,4 @@ tracelog | |||
18 | 18 | ||
19 | private-bin atril, atril-previewer, atril-thumbnailer | 19 | private-bin atril, atril-previewer, atril-thumbnailer |
20 | private-dev | 20 | private-dev |
21 | private-tmp | ||
diff --git a/etc/audacity.profile b/etc/audacity.profile index 162201cb8..be3fac9be 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
7 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | ||
10 | nonewprivs | 11 | nonewprivs |
11 | nogroups | 12 | nogroups |
12 | noroot | 13 | noroot |
@@ -17,3 +18,4 @@ tracelog | |||
17 | 18 | ||
18 | private-bin audacity | 19 | private-bin audacity |
19 | private-dev | 20 | private-dev |
21 | private-tmp | ||
diff --git a/etc/aweather.profile b/etc/aweather.profile index da93e8ba3..4e5c36f50 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -15,10 +15,11 @@ nonewprivs | |||
15 | nogroups | 15 | nogroups |
16 | noroot | 16 | noroot |
17 | nosound | 17 | nosound |
18 | protocol unix,inet,inet6,netlink | 18 | protocol unix,inet,inet6 |
19 | seccomp | 19 | seccomp |
20 | shell none | 20 | shell none |
21 | tracelog | 21 | tracelog |
22 | 22 | ||
23 | private-bin aweather | 23 | private-bin aweather |
24 | private-dev | 24 | private-dev |
25 | private-tmp | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 2f7584241..fb0f5a669 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -89,6 +89,7 @@ blacklist ${HOME}/.steam | |||
89 | blacklist ${HOME}/.config/wesnoth | 89 | blacklist ${HOME}/.config/wesnoth |
90 | blacklist ${HOME}/.config/0ad | 90 | blacklist ${HOME}/.config/0ad |
91 | blacklist ${HOME}/.warzone2100-3.1 | 91 | blacklist ${HOME}/.warzone2100-3.1 |
92 | blacklist ${HOME}/.dosbox | ||
92 | 93 | ||
93 | # Cryptocoins | 94 | # Cryptocoins |
94 | blacklist ${HOME}/.*coin | 95 | blacklist ${HOME}/.*coin |
diff --git a/etc/dosbox.profile b/etc/dosbox.profile new file mode 100644 index 000000000..45fbb712a --- /dev/null +++ b/etc/dosbox.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Firejail profile for dosbox | ||
2 | noblacklist ~/.dosbox | ||
3 | |||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
9 | caps.drop all | ||
10 | netfilter | ||
11 | nogroups | ||
12 | nonewprivs | ||
13 | noroot | ||
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin dosbox | ||
20 | private-dev | ||
21 | private-tmp | ||
diff --git a/etc/eom.profile b/etc/eom.profile index 81d993e96..dfcea82c1 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -18,3 +18,4 @@ tracelog | |||
18 | 18 | ||
19 | private-bin eom | 19 | private-bin eom |
20 | private-dev | 20 | private-dev |
21 | private-tmp | ||
diff --git a/etc/gitter.profile b/etc/gitter.profile index 2882c59a6..f43f5f199 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
@@ -7,12 +7,14 @@ include /etc/firejail/disable-devel.inc | |||
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
11 | nogroups | 10 | nogroups |
11 | nonewprivs | ||
12 | noroot | 12 | noroot |
13 | nosound | ||
13 | protocol unix,inet,inet6,netlink | 14 | protocol unix,inet,inet6,netlink |
14 | seccomp | 15 | seccomp |
15 | shell none | 16 | shell none |
16 | 17 | ||
17 | private-bin gitter | 18 | private-bin gitter |
18 | private-dev | 19 | private-dev |
20 | private-tmp | ||
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index e043c7229..3ffd10add 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -19,4 +19,3 @@ tracelog | |||
19 | private-bin gthumb | 19 | private-bin gthumb |
20 | whitelist /tmp/.X11-unix | 20 | whitelist /tmp/.X11-unix |
21 | private-dev | 21 | private-dev |
22 | private-tmp | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0ff64aef5..5cefe45b5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -1,7 +1,8 @@ | |||
1 | # HexChat instant messaging profile | 1 | # HexChat instant messaging profile |
2 | # Currently in testing (may not work for all users) | ||
2 | noblacklist ${HOME}/.config/hexchat | 3 | noblacklist ${HOME}/.config/hexchat |
3 | noblacklist /usr/lib/python2* | 4 | #noblacklist /usr/lib/python2* |
4 | noblacklist /usr/lib/python3* | 5 | #noblacklist /usr/lib/python3* |
5 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
7 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
@@ -14,11 +15,14 @@ noroot | |||
14 | nosound | 15 | nosound |
15 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
16 | seccomp | 17 | seccomp |
18 | shell none | ||
19 | tracelog | ||
17 | 20 | ||
18 | mkdir ~/.config/hexchat | 21 | mkdir ~/.config/hexchat |
19 | whitelist ~/.config/hexchat | 22 | whitelist ~/.config/hexchat |
20 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
21 | 24 | ||
22 | # private-bin requires perl, python, etc. | 25 | private-bin hexchat |
26 | #debug note: private-bin requires perl, python, etc on some systems | ||
23 | private-dev | 27 | private-dev |
24 | private-tmp | 28 | private-tmp |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 77a00ebef..75a52e9ff 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | netfilter | 9 | netfilter |
10 | nogroups | ||
10 | nonewprivs | 11 | nonewprivs |
11 | noroot | 12 | noroot |
12 | protocol unix,inet,inet6,netlink | 13 | protocol unix,inet,inet6,netlink |
@@ -15,5 +16,3 @@ tracelog | |||
15 | 16 | ||
16 | private-dev | 17 | private-dev |
17 | whitelist /tmp/.X11-unix/ | 18 | whitelist /tmp/.X11-unix/ |
18 | nosound | ||
19 | |||
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index acedaebb7..71deec6bc 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
@@ -23,6 +23,7 @@ shell none | |||
23 | tracelog | 23 | tracelog |
24 | 24 | ||
25 | private-bin palemoon | 25 | private-bin palemoon |
26 | private-tmp | ||
26 | 27 | ||
27 | # These are uncommented in the Firefox profile. If you run into trouble you may | 28 | # These are uncommented in the Firefox profile. If you run into trouble you may |
28 | # want to uncomment (some of) them. | 29 | # want to uncomment (some of) them. |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 3df2cafa6..47be2b6ea 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -18,3 +18,4 @@ tracelog | |||
18 | 18 | ||
19 | private-bin pidgin | 19 | private-bin pidgin |
20 | private-dev | 20 | private-dev |
21 | private-tmp | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 0cac18573..927487037 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -20,3 +20,4 @@ shell none | |||
20 | tracelog | 20 | tracelog |
21 | 21 | ||
22 | private-bin qtox | 22 | private-bin qtox |
23 | private-tmp | ||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9f087ea1d..0e8527ae7 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -16,3 +16,4 @@ tracelog | |||
16 | 16 | ||
17 | private-bin rhythmbox | 17 | private-bin rhythmbox |
18 | private-dev | 18 | private-dev |
19 | private-tmp | ||
diff --git a/etc/stellarium.profile b/etc/stellarium.profile index adefa75ff..d57c9e5f7 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile | |||
@@ -25,4 +25,4 @@ tracelog | |||
25 | 25 | ||
26 | private-bin stellarium | 26 | private-bin stellarium |
27 | private-dev | 27 | private-dev |
28 | 28 | private-tmp | |
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index fa5c3b22b..0cfa4fcfc 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -14,9 +14,9 @@ noroot | |||
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | shell none | ||
17 | tracelog | 18 | tracelog |
18 | 19 | ||
19 | shell none | ||
20 | private-bin transmission-gtk | 20 | private-bin transmission-gtk |
21 | whitelist /tmp/.X11-unix | 21 | whitelist /tmp/.X11-unix |
22 | private-dev | 22 | private-dev |
diff --git a/etc/vlc.profile b/etc/vlc.profile index c82247dd2..cdd098dd5 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -17,3 +17,5 @@ shell none | |||
17 | tracelog | 17 | tracelog |
18 | 18 | ||
19 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 19 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
20 | private-dev | ||
21 | private-tmp | ||
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ff37e2800..7c7efade8 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile | |||
@@ -23,3 +23,4 @@ tracelog | |||
23 | 23 | ||
24 | private-bin warzone2100 | 24 | private-bin warzone2100 |
25 | private-dev | 25 | private-dev |
26 | private-tmp | ||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index a46b2fa06..54d5ed89b 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -19,3 +19,4 @@ tracelog | |||
19 | 19 | ||
20 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | 20 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer |
21 | private-dev | 21 | private-dev |
22 | private-tmp | ||
diff --git a/etc/xreader.profile b/etc/xreader.profile index ac7d34022..d2a000bd0 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile | |||
@@ -20,3 +20,4 @@ tracelog | |||
20 | 20 | ||
21 | private-bin xreader, xreader-previewer, xreader-thumbnailer | 21 | private-bin xreader, xreader-previewer, xreader-thumbnailer |
22 | private-dev | 22 | private-dev |
23 | private-tmp | ||
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 7a4ae4858..cbb59d16e 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -6,8 +6,8 @@ include /etc/firejail/disable-devel.inc | |||
6 | include /etc/firejail/disable-passwdmgr.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | nonewprivs | ||
10 | nogroups | 9 | nogroups |
10 | nonewprivs | ||
11 | noroot | 11 | noroot |
12 | nosound | 12 | nosound |
13 | protocol unix | 13 | protocol unix |
@@ -17,3 +17,4 @@ tracelog | |||
17 | 17 | ||
18 | private-dev | 18 | private-dev |
19 | private-bin xviewer | 19 | private-bin xviewer |
20 | private-tmp | ||
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2eaca90ce..691c536df 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -142,3 +142,4 @@ | |||
142 | /etc/firejail/xz.profile | 142 | /etc/firejail/xz.profile |
143 | /etc/firejail/xzdec.profile | 143 | /etc/firejail/xzdec.profile |
144 | /etc/firejail/strings.profile | 144 | /etc/firejail/strings.profile |
145 | /etc/firejail/dosbox.profile | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c909e6903..dd876c87c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -75,6 +75,7 @@ unbound | |||
75 | # emulators/compatibility layers | 75 | # emulators/compatibility layers |
76 | mupen64plus | 76 | mupen64plus |
77 | wine | 77 | wine |
78 | dosbox | ||
78 | 79 | ||
79 | # games | 80 | # games |
80 | 0ad | 81 | 0ad |
diff --git a/src/firejail/env.c b/src/firejail/env.c index 2cc65e464..88cd6918d 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -135,7 +135,8 @@ void env_defaults(void) { | |||
135 | } | 135 | } |
136 | 136 | ||
137 | // set the window title | 137 | // set the window title |
138 | printf("\033]0;firejail %s\007", cfg.window_title); | 138 | if (!arg_quiet) |
139 | printf("\033]0;firejail %s\007", cfg.window_title); | ||
139 | fflush(0); | 140 | fflush(0); |
140 | } | 141 | } |
141 | 142 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 33037da29..11e626b6e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -554,24 +554,30 @@ void fs_whitelist(void) { | |||
554 | 554 | ||
555 | // /media mountpoint | 555 | // /media mountpoint |
556 | if (media_dir) { | 556 | if (media_dir) { |
557 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR | 557 | // some distros don't have a /media directory |
558 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); | 558 | struct stat s; |
559 | if (rv == -1) | 559 | if (stat("/media", &s) == 0) { |
560 | errExit("mkdir"); | 560 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
561 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) | 561 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); |
562 | errExit("chown"); | 562 | if (rv == -1) |
563 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | 563 | errExit("mkdir"); |
564 | errExit("chmod"); | 564 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) |
565 | errExit("chown"); | ||
566 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | ||
567 | errExit("chmod"); | ||
565 | 568 | ||
566 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 569 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
567 | errExit("mount bind"); | 570 | errExit("mount bind"); |
568 | 571 | ||
569 | // mount tmpfs on /media | 572 | // mount tmpfs on /media |
570 | if (arg_debug || arg_debug_whitelists) | 573 | if (arg_debug || arg_debug_whitelists) |
571 | printf("Mounting tmpfs on /media directory\n"); | 574 | printf("Mounting tmpfs on /media directory\n"); |
572 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 575 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
573 | errExit("mounting tmpfs on /media"); | 576 | errExit("mounting tmpfs on /media"); |
574 | fs_logger("tmpfs /media"); | 577 | fs_logger("tmpfs /media"); |
578 | } | ||
579 | else | ||
580 | media_dir = 0; | ||
575 | } | 581 | } |
576 | 582 | ||
577 | // /var mountpoint | 583 | // /var mountpoint |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 948c7ef71..414b899ce 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -309,14 +309,15 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
309 | printf("Joining user namespace\n"); | 309 | printf("Joining user namespace\n"); |
310 | if (join_namespace(1, "user")) | 310 | if (join_namespace(1, "user")) |
311 | exit(1); | 311 | exit(1); |
312 | |||
313 | // user namespace resets capabilities | ||
314 | // set caps filter | ||
315 | if (apply_caps == 1) // not available for uid 0 | ||
316 | caps_set(caps); | ||
312 | } | 317 | } |
313 | else | 318 | else |
314 | drop_privs(arg_nogroups); // nogroups not available for uid 0 | 319 | drop_privs(arg_nogroups); // nogroups not available for uid 0 |
315 | 320 | ||
316 | // user namespace resets capabilities | ||
317 | // set caps filter | ||
318 | if (apply_caps == 1) // not available for uid 0 | ||
319 | caps_set(caps); | ||
320 | 321 | ||
321 | // set prompt color to green | 322 | // set prompt color to green |
322 | char *prompt = getenv("FIREJAIL_PROMPT"); | 323 | char *prompt = getenv("FIREJAIL_PROMPT"); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index dbb92a899..501bccff2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -46,6 +46,7 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick); | |||
46 | #endif | 46 | #endif |
47 | 47 | ||
48 | uid_t firejail_uid = 0; | 48 | uid_t firejail_uid = 0; |
49 | gid_t firejail_gid = 0; | ||
49 | 50 | ||
50 | #define STACK_SIZE (1024 * 1024) | 51 | #define STACK_SIZE (1024 * 1024) |
51 | static char child_stack[STACK_SIZE]; // space for child's stack | 52 | static char child_stack[STACK_SIZE]; // space for child's stack |
@@ -606,6 +607,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
606 | exit(1); | 607 | exit(1); |
607 | } | 608 | } |
608 | 609 | ||
610 | if (!cfg.shell && !arg_shell_none) | ||
611 | cfg.shell = guess_shell(); | ||
612 | |||
609 | // join sandbox by pid or by name | 613 | // join sandbox by pid or by name |
610 | pid_t pid; | 614 | pid_t pid; |
611 | if (read_pid(argv[i] + 15, &pid) == 0) | 615 | if (read_pid(argv[i] + 15, &pid) == 0) |
@@ -629,6 +633,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
629 | exit(1); | 633 | exit(1); |
630 | } | 634 | } |
631 | 635 | ||
636 | if (!cfg.shell && !arg_shell_none) | ||
637 | cfg.shell = guess_shell(); | ||
638 | |||
632 | // join sandbox by pid or by name | 639 | // join sandbox by pid or by name |
633 | pid_t pid; | 640 | pid_t pid; |
634 | if (read_pid(argv[i] + 18, &pid) == 0) | 641 | if (read_pid(argv[i] + 18, &pid) == 0) |
diff --git a/src/include/euid_common.h b/src/include/euid_common.h index de5572fb1..752df5fff 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h | |||
@@ -31,6 +31,7 @@ | |||
31 | } | 31 | } |
32 | 32 | ||
33 | extern uid_t firejail_uid; | 33 | extern uid_t firejail_uid; |
34 | extern uid_t firejail_gid; | ||
34 | 35 | ||
35 | 36 | ||
36 | 37 | ||
@@ -44,16 +45,18 @@ static inline void EUID_ROOT(void) { | |||
44 | static inline void EUID_USER(void) { | 45 | static inline void EUID_USER(void) { |
45 | if (seteuid(firejail_uid) == -1) | 46 | if (seteuid(firejail_uid) == -1) |
46 | errExit("seteuid"); | 47 | errExit("seteuid"); |
47 | if (setegid(firejail_uid) == -1) | 48 | if (setegid(firejail_gid) == -1) |
48 | errExit("setegid"); | 49 | errExit("setegid"); |
49 | } | 50 | } |
50 | 51 | ||
51 | static inline void EUID_PRINT(void) { | 52 | static inline void EUID_PRINT(void) { |
52 | printf("debug: uid %d, euid %d\n", getuid(), geteuid()); | 53 | printf("debug: uid %d, euid %d\n", getuid(), geteuid()); |
54 | printf("debug: gid %d, egid %d\n", getgid(), getegid()); | ||
53 | } | 55 | } |
54 | 56 | ||
55 | static inline void EUID_INIT(void) { | 57 | static inline void EUID_INIT(void) { |
56 | firejail_uid = getuid(); | 58 | firejail_uid = getuid(); |
59 | firejail_gid = getgid(); | ||
57 | } | 60 | } |
58 | 61 | ||
59 | #endif | 62 | #endif |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 35b84b981..dbb0df233 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -578,19 +578,19 @@ $ firejail --net=eth0 --name=browser firefox & | |||
578 | .br | 578 | .br |
579 | # change netfilter configuration | 579 | # change netfilter configuration |
580 | .br | 580 | .br |
581 | $ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" | 581 | $ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" |
582 | .br | 582 | .br |
583 | 583 | ||
584 | .br | 584 | .br |
585 | # verify netfilter configuration | 585 | # verify netfilter configuration |
586 | .br | 586 | .br |
587 | $ sudo firejail --join-network=browser "/sbin/iptables -vL" | 587 | $ sudo firejail --join-network=browser /sbin/iptables -vL |
588 | .br | 588 | .br |
589 | 589 | ||
590 | .br | 590 | .br |
591 | # verify IP addresses | 591 | # verify IP addresses |
592 | .br | 592 | .br |
593 | $ sudo firejail --join-network=browser "ip addr" | 593 | $ sudo firejail --join-network=browser ip addr |
594 | .br | 594 | .br |
595 | Switching to pid 1932, the first child process inside the sandbox | 595 | Switching to pid 1932, the first child process inside the sandbox |
596 | .br | 596 | .br |
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 785f57d3f..04a1daaf6 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -50,7 +50,7 @@ which zsh | |||
50 | if [ "$?" -eq 0 ]; | 50 | if [ "$?" -eq 0 ]; |
51 | then | 51 | then |
52 | echo "TESTING: zsh (test/environment/zsh.exp)" | 52 | echo "TESTING: zsh (test/environment/zsh.exp)" |
53 | ./csh.exp | 53 | ./zsh.exp |
54 | else | 54 | else |
55 | echo "TESTING SKIP: zsh not found" | 55 | echo "TESTING SKIP: zsh not found" |
56 | fi | 56 | fi |
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 5fca1cf22..578951ce0 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp | |||
@@ -27,7 +27,7 @@ expect { | |||
27 | } | 27 | } |
28 | expect { | 28 | expect { |
29 | timeout {puts "TESTING ERROR 2.1\n";exit} | 29 | timeout {puts "TESTING ERROR 2.1\n";exit} |
30 | "/usr/bin/zsh" | 30 | "/bin/zsh" |
31 | } | 31 | } |
32 | send -- "exit\r" | 32 | send -- "exit\r" |
33 | after 100 | 33 | after 100 |
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 2ab634afd..5ddce8678 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp | |||
@@ -3,7 +3,7 @@ | |||
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2016 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 30 | 6 | set timeout 10 |
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
@@ -17,7 +17,8 @@ sleep 1 | |||
17 | send -- "ls -l /etc | wc -l\r" | 17 | send -- "ls -l /etc | wc -l\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "0" | 20 | "0" {puts "Debian\n"} |
21 | "1" {puts "Arch\n"} | ||
21 | } | 22 | } |
22 | send -- "exit\r" | 23 | send -- "exit\r" |
23 | sleep 1 | 24 | sleep 1 |
@@ -32,7 +33,9 @@ sleep 1 | |||
32 | send -- "ls -l /etc | wc -l\r" | 33 | send -- "ls -l /etc | wc -l\r" |
33 | expect { | 34 | expect { |
34 | timeout {puts "TESTING ERROR 1\n";exit} | 35 | timeout {puts "TESTING ERROR 1\n";exit} |
35 | "0" | 36 | "0" {puts "Debian\n"} |
37 | "1" {puts "Arch\n"} | ||
38 | |||
36 | } | 39 | } |
37 | 40 | ||
38 | after 100 | 41 | after 100 |