-rw-r--r-- | COPYING | 85 | ||||
-rw-r--r-- | SECURITY.md | 36 | ||||
-rwxr-xr-x | configure | 2 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rwxr-xr-x | contrib/fix_private-bin.py | 2 | ||||
-rwxr-xr-x | contrib/sort.py | 2 | ||||
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rw-r--r-- | etc/profile-a-l/eog.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mpv.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/softmaker-common.profile | 6 | ||||
-rw-r--r-- | etc/templates/profile.template | 2 | ||||
-rw-r--r-- | src/firejail/env.c | 6 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 7 | ||||
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rwxr-xr-x | test/environment/environment.sh | 7 | ||||
-rwxr-xr-x | test/environment/rlimit-join.exp | 36 |
19 files changed, 155 insertions, 59 deletions
@@ -1,12 +1,12 @@ | |||
1 | GNU GENERAL PUBLIC LICENSE | 1 | GNU GENERAL PUBLIC LICENSE |
2 | Version 2, June 1991 | 2 | Version 2, June 1991 |
3 | 3 | ||
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., |
5 | 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
6 | Everyone is permitted to copy and distribute verbatim copies | 6 | Everyone is permitted to copy and distribute verbatim copies |
7 | of this license document, but changing it is not allowed. | 7 | of this license document, but changing it is not allowed. |
8 | 8 | ||
9 | Preamble | 9 | Preamble |
10 | 10 | ||
11 | The licenses for most software are designed to take away your | 11 | The licenses for most software are designed to take away your |
12 | freedom to share and change it. By contrast, the GNU General Public | 12 | freedom to share and change it. By contrast, the GNU General Public |
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This | |||
15 | General Public License applies to most of the Free Software | 15 | General Public License applies to most of the Free Software |
16 | Foundation's software and to any other program whose authors commit to | 16 | Foundation's software and to any other program whose authors commit to |
17 | using it. (Some other Free Software Foundation software is covered by | 17 | using it. (Some other Free Software Foundation software is covered by |
18 | the GNU Library General Public License instead.) You can apply it to | 18 | the GNU Lesser General Public License instead.) You can apply it to |
19 | your programs, too. | 19 | your programs, too. |
20 | 20 | ||
21 | When we speak of free software, we are referring to freedom, not | 21 | When we speak of free software, we are referring to freedom, not |
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all. | |||
55 | 55 | ||
56 | The precise terms and conditions for copying, distribution and | 56 | The precise terms and conditions for copying, distribution and |
57 | modification follow. | 57 | modification follow. |
58 | 58 | ||
59 | GNU GENERAL PUBLIC LICENSE | 59 | GNU GENERAL PUBLIC LICENSE |
60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION | 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION |
61 | 61 | ||
62 | 0. This License applies to any program or other work which contains | 62 | 0. This License applies to any program or other work which contains |
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: | |||
110 | License. (Exception: if the Program itself is interactive but | 110 | License. (Exception: if the Program itself is interactive but |
111 | does not normally print such an announcement, your work based on | 111 | does not normally print such an announcement, your work based on |
112 | the Program is not required to print an announcement.) | 112 | the Program is not required to print an announcement.) |
113 | 113 | ||
114 | These requirements apply to the modified work as a whole. If | 114 | These requirements apply to the modified work as a whole. If |
115 | identifiable sections of that work are not derived from the Program, | 115 | identifiable sections of that work are not derived from the Program, |
116 | and can be reasonably considered independent and separate works in | 116 | and can be reasonably considered independent and separate works in |
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent | |||
168 | access to copy the source code from the same place counts as | 168 | access to copy the source code from the same place counts as |
169 | distribution of the source code, even though third parties are not | 169 | distribution of the source code, even though third parties are not |
170 | compelled to copy the source along with the object code. | 170 | compelled to copy the source along with the object code. |
171 | 171 | ||
172 | 4. You may not copy, modify, sublicense, or distribute the Program | 172 | 4. You may not copy, modify, sublicense, or distribute the Program |
173 | except as expressly provided under this License. Any attempt | 173 | except as expressly provided under this License. Any attempt |
174 | otherwise to copy, modify, sublicense or distribute the Program is | 174 | otherwise to copy, modify, sublicense or distribute the Program is |
@@ -225,7 +225,7 @@ impose that choice. | |||
225 | 225 | ||
226 | This section is intended to make thoroughly clear what is believed to | 226 | This section is intended to make thoroughly clear what is believed to |
227 | be a consequence of the rest of this License. | 227 | be a consequence of the rest of this License. |
228 | 228 | ||
229 | 8. If the distribution and/or use of the Program is restricted in | 229 | 8. If the distribution and/or use of the Program is restricted in |
230 | certain countries either by patents or by copyrighted interfaces, the | 230 | certain countries either by patents or by copyrighted interfaces, the |
231 | original copyright holder who places the Program under this License | 231 | original copyright holder who places the Program under this License |
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals | |||
255 | of preserving the free status of all derivatives of our free software and | 255 | of preserving the free status of all derivatives of our free software and |
256 | of promoting the sharing and reuse of software generally. | 256 | of promoting the sharing and reuse of software generally. |
257 | 257 | ||
258 | NO WARRANTY | 258 | NO WARRANTY |
259 | 259 | ||
260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY |
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN | 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN |
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER | |||
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE | 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE |
278 | POSSIBILITY OF SUCH DAMAGES. | 278 | POSSIBILITY OF SUCH DAMAGES. |
279 | 279 | ||
280 | END OF TERMS AND CONDITIONS | 280 | END OF TERMS AND CONDITIONS |
281 | |||
282 | How to Apply These Terms to Your New Programs | ||
283 | |||
284 | If you develop a new program, and you want it to be of the greatest | ||
285 | possible use to the public, the best way to achieve this is to make it | ||
286 | free software which everyone can redistribute and change under these terms. | ||
287 | |||
288 | To do so, attach the following notices to the program. It is safest | ||
289 | to attach them to the start of each source file to most effectively | ||
290 | convey the exclusion of warranty; and each file should have at least | ||
291 | the "copyright" line and a pointer to where the full notice is found. | ||
292 | |||
293 | <one line to give the program's name and a brief idea of what it does.> | ||
294 | Copyright (C) <year> <name of author> | ||
295 | |||
296 | This program is free software; you can redistribute it and/or modify | ||
297 | it under the terms of the GNU General Public License as published by | ||
298 | the Free Software Foundation; either version 2 of the License, or | ||
299 | (at your option) any later version. | ||
300 | |||
301 | This program is distributed in the hope that it will be useful, | ||
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
304 | GNU General Public License for more details. | ||
305 | |||
306 | You should have received a copy of the GNU General Public License along | ||
307 | with this program; if not, write to the Free Software Foundation, Inc., | ||
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
309 | |||
310 | Also add information on how to contact you by electronic and paper mail. | ||
311 | |||
312 | If the program is interactive, make it output a short notice like this | ||
313 | when it starts in an interactive mode: | ||
314 | |||
315 | Gnomovision version 69, Copyright (C) year name of author | ||
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | ||
317 | This is free software, and you are welcome to redistribute it | ||
318 | under certain conditions; type `show c' for details. | ||
319 | |||
320 | The hypothetical commands `show w' and `show c' should show the appropriate | ||
321 | parts of the General Public License. Of course, the commands you use may | ||
322 | be called something other than `show w' and `show c'; they could even be | ||
323 | mouse-clicks or menu items--whatever suits your program. | ||
324 | |||
325 | You should also get your employer (if you work as a programmer) or your | ||
326 | school, if any, to sign a "copyright disclaimer" for the program, if | ||
327 | necessary. Here is a sample; alter the names: | ||
328 | |||
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program | ||
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. | ||
331 | |||
332 | <signature of Ty Coon>, 1 April 1989 | ||
333 | Ty Coon, President of Vice | ||
334 | |||
335 | This General Public License does not permit incorporating your program into | ||
336 | proprietary programs. If your program is a subroutine library, you may | ||
337 | consider it more useful to permit linking proprietary applications with the | ||
338 | library. If this is what you want to do, use the GNU Lesser General | ||
339 | Public License instead of this License. | ||
diff --git a/SECURITY.md b/SECURITY.md index 7ec2940f6..ef9b9b5fb 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -2,24 +2,24 @@ | |||
2 | 2 | ||
3 | ## Supported Versions | 3 | ## Supported Versions |
4 | 4 | ||
5 | | Version | Supported by us | EOL | Supported by distribution | | 5 | | Version | Supported by us | EOL | Supported by distribution | |
6 | | ------- | ------------------ | ---- | ------------------------- | | 6 | | ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- | |
7 | | 0.9.66 | :heavy_check_mark: | | | | 7 | | 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) | |
8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | | 8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 | |
9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | | 9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | |
10 | | 0.9.60 | :x: | 29 Dec 2019 | | | 10 | | 0.9.60 | :x: | 29 Dec 2019 | | |
11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | | 11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | |
12 | | 0.9.56 | :x: | 27 Jan 2019 | | | 12 | | 0.9.56 | :x: | 27 Jan 2019 | | |
13 | | 0.9.54 | :x: | 18 Sep 2018 | | | 13 | | 0.9.54 | :x: | 18 Sep 2018 | | |
14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | | 14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | |
15 | | 0.9.50 | :x: | 12 Dec 2017 | | | 15 | | 0.9.50 | :x: | 12 Dec 2017 | | |
16 | | 0.9.48 | :x: | 09 Sep 2017 | | | 16 | | 0.9.48 | :x: | 09 Sep 2017 | | |
17 | | 0.9.46 | :x: | 12 Jun 2017 | | | 17 | | 0.9.46 | :x: | 12 Jun 2017 | | |
18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | | 18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | |
19 | | 0.9.42 | :x: | 22 Oct 2016 | | | 19 | | 0.9.42 | :x: | 22 Oct 2016 | | |
20 | | 0.9.40 | :x: | 09 Sep 2016 | | | 20 | | 0.9.40 | :x: | 09 Sep 2016 | | |
21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | | 21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | |
22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | | 22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | |
23 | 23 | ||
24 | ## Security vulnerabilities | 24 | ## Security vulnerabilities |
25 | 25 | ||
@@ -3549,7 +3549,7 @@ if test "x$enable_dbusproxy" != "xno"; then : | |||
3549 | 3549 | ||
3550 | fi | 3550 | fi |
3551 | 3551 | ||
3552 | # overlayfs features temporarely disabled pending fixes | 3552 | # overlayfs features temporarily disabled pending fixes |
3553 | HAVE_OVERLAYFS="" | 3553 | HAVE_OVERLAYFS="" |
3554 | 3554 | ||
3555 | # | 3555 | # |
diff --git a/configure.ac b/configure.ac index 7879a5239..5fde6d402 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -76,7 +76,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [ | |||
76 | AC_SUBST(HAVE_DBUSPROXY) | 76 | AC_SUBST(HAVE_DBUSPROXY) |
77 | ]) | 77 | ]) |
78 | 78 | ||
79 | # overlayfs features temporarely disabled pending fixes | 79 | # overlayfs features temporarily disabled pending fixes |
80 | HAVE_OVERLAYFS="" | 80 | HAVE_OVERLAYFS="" |
81 | AC_SUBST(HAVE_OVERLAYFS) | 81 | AC_SUBST(HAVE_OVERLAYFS) |
82 | # | 82 | # |
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py index 12b596749..961646aa4 100755 --- a/contrib/fix_private-bin.py +++ b/contrib/fix_private-bin.py | |||
@@ -164,7 +164,7 @@ def printHelp(): | |||
164 | 164 | ||
165 | 165 | ||
166 | def main() -> None: | 166 | def main() -> None: |
167 | """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" | 167 | """The main function. Parses the commandline args, shows messages and calls the function actually doing the work.""" |
168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and | 168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and |
169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): | 169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): |
170 | printHelp() | 170 | printHelp() |
diff --git a/contrib/sort.py b/contrib/sort.py index d7a2cd05d..4af9c674c 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items): | |||
34 | 34 | ||
35 | 35 | ||
36 | def sort_protocol(protocols): | 36 | def sort_protocol(protocols): |
37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 37 | """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" |
38 | 38 | ||
39 | # shortcut for common protocol lines | 39 | # shortcut for common protocol lines |
40 | if protocols in ("unix", "unix,inet,inet6"): | 40 | if protocols in ("unix", "unix,inet,inet6"): |
diff --git a/etc/firejail.config b/etc/firejail.config index 2e355586b..aec152b85 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -63,7 +63,7 @@ | |||
63 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | 63 | # a file argument, the default filter is hardcoded (see man 1 firejail). This |
64 | # configuration entry allows the user to change the default by specifying | 64 | # configuration entry allows the user to change the default by specifying |
65 | # a file containing the filter configuration. The filter file format is the | 65 | # a file containing the filter configuration. The filter file format is the |
66 | # format of iptables-save and iptable-restore commands. Example: | 66 | # format of iptables-save and iptables-restore commands. Example: |
67 | # netfilter-default /etc/iptables.iptables.rules | 67 | # netfilter-default /etc/iptables.iptables.rules |
68 | 68 | ||
69 | # Enable or disable networking features, default enabled. | 69 | # Enable or disable networking features, default enabled. |
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile index 5892374bd..65e5c6e69 100644 --- a/etc/profile-a-l/eog.profile +++ b/etc/profile-a-l/eog.profile | |||
@@ -18,7 +18,7 @@ whitelist /usr/share/eog | |||
18 | 18 | ||
19 | private-bin eog | 19 | private-bin eog |
20 | 20 | ||
21 | # broken on Debian 10 (buster) running LXDE got the folowing error: | 21 | # broken on Debian 10 (buster) running LXDE got the following error: |
22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown | 22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown |
23 | #dbus-user filter | 23 | #dbus-user filter |
24 | #dbus-user.own org.gnome.eog | 24 | #dbus-user.own org.gnome.eog |
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index fa433b672..74402a8de 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,7 +11,7 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerfull lua-API, some off these lua-scripts interact | 14 | # Mpv has a powerful lua-API, some off these lua-scripts interact |
15 | # with external resources which are blocked by firejail. In such cases | 15 | # with external resources which are blocked by firejail. In such cases |
16 | # you need to allow these resources by | 16 | # you need to allow these resources by |
17 | # - adding additional binaries to private-bin | 17 | # - adding additional binaries to private-bin |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index ebdd5c1f8..47468a531 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -6,9 +6,9 @@ include softmaker-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # The offical packages install the desktop file under /usr/local/share/applications | 9 | # The official packages install the desktop file under /usr/local/share/applications |
10 | # with an absolute Exec line. These files are NOT handelt by firecfg, | 10 | # with an absolute Exec line. These files are NOT handled by firecfg, |
11 | # therefore you must manualy copy them in you home and remove '/usr/bin/'. | 11 | # therefore you must manually copy them in you home and remove '/usr/bin/'. |
12 | 12 | ||
13 | noblacklist ${HOME}/SoftMaker | 13 | noblacklist ${HOME}/SoftMaker |
14 | 14 | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index e580a0c0c..7628313e0 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -204,7 +204,7 @@ include globals.local | |||
204 | 204 | ||
205 | # Since 0.9.63 also a more granular control of dbus is supported. | 205 | # Since 0.9.63 also a more granular control of dbus is supported. |
206 | # To get the dbus-addresses an application needs access to you can | 206 | # To get the dbus-addresses an application needs access to you can |
207 | # check with flatpak (when the application is distriputed that way): | 207 | # check with flatpak (when the application is distributed that way): |
208 | # flatpak remote-info --show-metadata flathub <APP-ID> | 208 | # flatpak remote-info --show-metadata flathub <APP-ID> |
209 | # Notes: | 209 | # Notes: |
210 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 210 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |
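--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
 "LANG",
 "LANGUAGE",
 "LC_MESSAGES",
-"PATH",
+// "PATH",
 "DISPLAY" // required by X11
 };
 
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
 errExit("clearenv");
 
 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+// hardcoding PATH
+if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+errExit("setenv");
 }
 
 // Filter env variables for a sbox app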
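Review bot: The new `setenv("PATH", ...)` call in env_apply_whitelist() is documented only by `// hardcoding PATH`, which does not say why the caller's value is no longer copied through. Presumably the reason is that PATH is set by the invoking user and should not decide which binaries are resolved once the environment has been reset; if so, a comment such as `// PATH is caller-controlled: use a fixed search path instead of the inherited one` would record it. The commented-out `// "PATH",` entry left in env_whitelist is dead code and would be clearer as a plain removal. The fixed list also assumes a conventional /usr and /bin layout, which may not hold on every distribution; that is an inference, since the callers and the start of env_apply_whitelist() are outside the hunk.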
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5ac2da164..dd4c2139d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
108 | } | 108 | } |
109 | 109 | ||
110 | // check for firejail executable | 110 | // check for firejail executable |
111 | // we migth have a file found in ${PATH} pointing to /usr/bin/firejail | 111 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail |
112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird | 112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird |
113 | // and expects Firefox to open in the same sandbox | 113 | // and expects Firefox to open in the same sandbox |
114 | if (strcmp(BINDIR "/firejail", fname) == 0) { | 114 | if (strcmp(BINDIR "/firejail", fname) == 0) { |
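--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
 invalid_filename(fname, 0); // no globbing
 char *rv = expand_macros(fname);
 
-// no a link
-if (is_link(rv))
-goto errexit;
-
 // the user has read access to the file
 if (access(rv, R_OK))
 goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
 struct stat s;
 if (stat("/etc/hosts", &s) == -1)
 goto errexit;
-// not a link
-if (is_link("/etc/hosts"))
-goto errexit;
 // owned by root
 if (s.st_uid != 0)
 goto errexit;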
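--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -551,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (cfg.cpus) // not available for uid 0
 set_cpu_affinity();
 
-// set nice value
-if (arg_nice)
-set_nice(cfg.nice);
-
 // add x11 display
 if (display) {
 char *display_str;
@@ -573,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 dbus_set_system_bus_env();
 #endif
 
+// set nice and rlimits
+if (arg_nice)
+set_nice(cfg.nice);
+set_rlimits();
+
 start_application(0, shfd, NULL);
 
 __builtin_unreachable();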
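Review bot: `set_rlimits()` is now called unconditionally in join() just before `start_application()`, and the comment `// set nice and rlimits` does not say whose limits are applied. Judging by the added test, which passes `--rlimit-nofile=1234` together with `--join`, the values come from the joining command line, so as far as this hunk shows a process joining a sandbox started with tighter limits is not held to that sandbox's values. If that is the intent, a comment such as `// rlimits are per-process: apply the values given with --join, the target sandbox's limits are not inherited` would make it explicit, and the man page should say the same. join() begins and ends outside both hunks.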
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index b7c7185a6..059100fcb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list) | |||
1938 | /* Include non-empty item */ | 1938 | /* Include non-empty item */ |
1939 | if (!*item) | 1939 | if (!*item) |
1940 | in[i] = 0; | 1940 | in[i] = 0; |
1941 | /* Remove all allready included items */ | 1941 | /* Remove all already included items */ |
1942 | for (k = 0; k < i; ++k) | 1942 | for (k = 0; k < i; ++k) |
1943 | in[k] = 0; | 1943 | in[k] = 0; |
1944 | break; | 1944 | break; |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d0d3c25e8..a768829a1 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati | |||
606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
607 | .TP | 607 | .TP |
608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications |
609 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 609 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
610 | .TP | 610 | .TP |
611 | \fBdbus-user filter | 611 | \fBdbus-user filter |
612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 152975c9d..1e1dd549b 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)" | |||
112 | echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" | 112 | echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" |
113 | ./rlimit-profile.exp | 113 | ./rlimit-profile.exp |
114 | 114 | ||
115 | echo "TESTING: rlimit join (test/environment/rlimit-join.exp)" | ||
116 | ./rlimit-join.exp | ||
117 | |||
115 | echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" | 118 | echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" |
116 | ./rlimit-bad.exp | 119 | ./rlimit-bad.exp |
117 | 120 | ||
118 | echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" | 121 | echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" |
119 | ./rlimit-bad-profile.exp | 122 | ./rlimit-bad-profile.exp |
120 | 123 | ||
121 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" | 124 | echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" |
122 | ./deterministic-exit-code.exp | 125 | ./deterministic-exit-code.exp |
123 | 126 | ||
124 | echo "TESTING: retain umask (test/environment/umask.exp" | 127 | echo "TESTING: retain umask (test/environment/umask.exp)" |
125 | (umask 123 && ./umask.exp) | 128 | (umask 123 && ./umask.exp) |
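--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Max open files 1234 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"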
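Review bot: Each of the three `timeout` branches ends with a bare `exit`, which terminates the script with status 0, so a failed step is visible only through the "TESTING ERROR" text. Writing `timeout {puts "TESTING ERROR 1\n";exit 1}` (and likewise for steps 0 and 2) would let environment.sh or a CI job detect the failure from the exit code as well. The test also asserts only `--rlimit-nofile`; the `set_nice` path moved in the same commit is not covered here.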