-rw-r--r-- | src/firejail/fs.c | 32 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
2 files changed, 12 insertions, 22 deletions
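diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 630458549..ff5887c10 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -716,10 +716,8 @@ void fs_proc_sys_dev_boot(void) {
 }
 
 // disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_firejail_config(void) {
+static void disable_config(void) {
 struct stat s;
-// if (stat("/etc/firejail", &s) == 0)
-// disable_file(BLACKLIST_FILE, "/etc/firejail");
 
 char *fname;
 if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
@@ -728,18 +726,6 @@ static void disable_firejail_config(void) {
 disable_file(BLACKLIST_FILE, fname);
 free(fname);
 
-// if (stat("/usr/local/etc/firejail", &s) == 0)
-// disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail");
-//
-// if (strcmp(PREFIX, "/usr/local")) {
-// if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1)
-// errExit("asprintf");
-// if (stat(fname, &s) == 0)
-// disable_file(BLACKLIST_FILE, fname);
-// free(fname);
-// }
-
-
 // disable run time information
 if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
@@ -754,16 +740,20 @@ static void disable_firejail_config(void) {
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
+uid_t uid = getuid();
+
 if (arg_debug)
 printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
 if (!arg_writable_etc) {
 fs_rdonly("/etc");
-fs_noexec("/etc");
+if (uid)
+fs_noexec("/etc");
 if (arg_debug) printf(", /etc");
 }
 if (!arg_writable_var) {
 fs_rdonly("/var");
-fs_noexec("/var");
+if (uid)
+fs_noexec("/var");
 if (arg_debug) printf(", /var");
 }
 if (arg_debug) printf("\n");
@@ -791,8 +781,8 @@ void fs_basic_fs(void) {
 // when starting as root, firejail config is not disabled;
 // this mode could be used to install and test new software by chaining
 // firejail sandboxes (firejail --force)
-if (getuid() != 0)
-disable_firejail_config();
+if (uid)
+disable_config();
 }
 
 
@@ -1028,7 +1018,7 @@ void fs_overlayfs(void) {
 // this mode could be used to install and test new software by chaining
 // firejail sandboxes (firejail --force)
 if (getuid() != 0)
-disable_firejail_config();
+disable_config();
 
 // cleanup and exit
 free(option);
@@ -1185,7 +1175,7 @@ void fs_chroot(const char *rootdir) {
 // this mode could be used to install and test new software by chaining
 // firejail sandboxes (firejail --force)
 if (getuid() != 0)
-disable_firejail_config();
+disable_config();
 }
 #endif
 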
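Review bot: The root exemption added at new lines 749 and 755 of fs_basic_fs (`if (uid)` guarding `fs_noexec("/etc")` and `fs_noexec("/var")`) has no comment, whereas the parallel root exemption at 784 is justified by the comment at 781-783; a reader of the code cannot tell why a sandbox started as uid 0 keeps /etc and /var executable, and since this relaxes a default hardening it deserves to be stated next to the guard. Suggest adding above line 749 `// as root, /etc and /var are left executable; the man page documents noexec as a regular-user default` and a one-line pointer to it above 755. As a point of style, the hunks at 1020 and 1177 and the pre-change code test `getuid() != 0` explicitly, so `if (uid != 0)` at 749, 755 and 784 would read consistently; the bodies of fs_overlayfs and fs_chroot lie outside the hunks shown, so whether they apply the same noexec exemption cannot be checked here.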
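diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2ddbc9f88..d34cfdb20 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -862,7 +862,7 @@ $ firejail \-\-noexec=/tmp
 .br
 
 .br
-/etc and /var are noexec by default. If there are more than one mount operation
+/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
 on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
 
 .TP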