3 files changed, 22 insertions, 10 deletions
diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net
index 8955f740d..0eb9f9784 100644
--- a/etc/net/nolocal.net
+++ b/etc/net/nolocal.net
@@ -32,5 +32,5 @@
 -A OUTPUT -d 172.16.0.0/12 -j DROP
 # drop multicast traffic
-A OUTPUT -d 244.0.0.0/4 -j DROP
+-A OUTPUT -d 224.0.0.0/4 -j DROP
 COMMIT
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 84db8b785..385700648 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -70,6 +70,7 @@ private-cache
 private-dev
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
 private-tmp
 read-only ${HOME}/.ssh
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6bfc80903..3aa0584d6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -957,16 +957,27 @@ int remove_overlay_directory(void) {
        return 0;
 }
+// flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
-        if (isatty(STDIN_FILENO)) {
+        if (!isatty(STDIN_FILENO))
-                int cnt = 0;
+                return;
-                int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
-                if (rv == 0 && cnt) {
+        int cnt = 0;
-                        fwarning("removing %d bytes from stdin\n", cnt);
+        int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
-                        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+        if (rv != 0 || cnt == 0)
-                        (void) rv;
+                return;
-                }
-        }
+        fwarning("removing %d bytes from stdin\n", cnt);
+        // If this process is backgrounded, below ioctl() will trigger
+        // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for
+        // the duration of the ioctl.
+        sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);
+        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+        signal(SIGTTOU, hdlr);
+        if (rv)
+                fwarning("Flushing stdin failed: %s\n", strerror(errno));
 }
 // return 1 if new directory was created, else return 0

diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net index 8955f740d..0eb9f9784 100644 --- a/etc/net/nolocal.net +++ b/etc/net/nolocal.net
@@ -32,5 +32,5 @@
32	-A OUTPUT -d 172.16.0.0/12 -j DROP	32	-A OUTPUT -d 172.16.0.0/12 -j DROP
33		33
34	# drop multicast traffic	34	# drop multicast traffic
35	-A OUTPUT -d 244.0.0.0/4 -j DROP	35	-A OUTPUT -d 224.0.0.0/4 -j DROP
36	COMMIT	36	COMMIT


diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index 84db8b785..385700648 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile
@@ -70,6 +70,7 @@ private-cache
70	private-dev	70	private-dev
71	# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.	71	# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
72	#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion	72	#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
		73	# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
73	private-tmp	74	private-tmp
74		75
75	read-only ${HOME}/.ssh	76	read-only ${HOME}/.ssh


diff --git a/src/firejail/util.c b/src/firejail/util.c index 6bfc80903..3aa0584d6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -957,16 +957,27 @@ int remove_overlay_directory(void) {
957	return 0;	957	return 0;
958	}	958	}
959		959
		960	// flush stdin if it is connected to a tty and has input
960	void flush_stdin(void) {	961	void flush_stdin(void) {
961	if (isatty(STDIN_FILENO)) {	962	if (!isatty(STDIN_FILENO))
962	int cnt = 0;	963	return;
963	int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);	964
964	if (rv == 0 && cnt) {	965	int cnt = 0;
965	fwarning("removing %d bytes from stdin\n", cnt);	966	int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
966	rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);	967	if (rv != 0 \|\| cnt == 0)
967	(void) rv;	968	return;
968	}	969
969	}	970	fwarning("removing %d bytes from stdin\n", cnt);
		971
		972	// If this process is backgrounded, below ioctl() will trigger
		973	// SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for
		974	// the duration of the ioctl.
		975	sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);
		976	rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
		977	signal(SIGTTOU, hdlr);
		978
		979	if (rv)
		980	fwarning("Flushing stdin failed: %s\n", strerror(errno));
970	}	981	}
971		982
972	// return 1 if new directory was created, else return 0	983	// return 1 if new directory was created, else return 0