-rw-r--r-- | RELNOTES | 14 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 24 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 4 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 8 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 6 |
9 files changed, 68 insertions, 20 deletions
@@ -1,13 +1,11 @@ | |||
1 | firejail (0.9.37) baseline; urgency=low | 1 | firejail (0.9.38) baseline; urgency=low |
2 | * development version | 2 | * IPv6 support (--ip6 and --netfilter6) |
3 | * security profiles fixes | ||
4 | * dynamic allocation of noblacklist buffer | ||
5 | * --ip6 option - IPv6 support | ||
6 | * added KMail, Seamonkey, Telegram profiles | ||
7 | * --join command enhancement (--join-network, --join-filesystem) | 3 | * --join command enhancement (--join-network, --join-filesystem) |
8 | * symlink invocation | ||
9 | * --user command | 4 | * --user command |
10 | -- netblue30 <netblue30@yahoo.com> Tue, 5 Jan 2016 08:00:00 -0500 | 5 | * symlink invocation |
6 | * added KMail, Seamonkey, Telegram profiles | ||
7 | * bugfixes | ||
8 | -- netblue30 <netblue30@yahoo.com> Sun, 24 Jan 2016 20:00:00 -0500 | ||
11 | 9 | ||
12 | firejail (0.9.36) baseline; urgency=low | 10 | firejail (0.9.36) baseline; urgency=low |
13 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, | 11 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.37. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.38. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.37' | 583 | PACKAGE_VERSION='0.9.38' |
584 | PACKAGE_STRING='firejail 0.9.37' | 584 | PACKAGE_STRING='firejail 0.9.38' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then | |||
1238 | # Omit some internal or obsolete options to make the list less imposing. | 1238 | # Omit some internal or obsolete options to make the list less imposing. |
1239 | # This message is too long to be a string in the A/UX 3.1 sh. | 1239 | # This message is too long to be a string in the A/UX 3.1 sh. |
1240 | cat <<_ACEOF | 1240 | cat <<_ACEOF |
1241 | \`configure' configures firejail 0.9.37 to adapt to many kinds of systems. | 1241 | \`configure' configures firejail 0.9.38 to adapt to many kinds of systems. |
1242 | 1242 | ||
1243 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1243 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1244 | 1244 | ||
@@ -1299,7 +1299,7 @@ fi | |||
1299 | 1299 | ||
1300 | if test -n "$ac_init_help"; then | 1300 | if test -n "$ac_init_help"; then |
1301 | case $ac_init_help in | 1301 | case $ac_init_help in |
1302 | short | recursive ) echo "Configuration of firejail 0.9.37:";; | 1302 | short | recursive ) echo "Configuration of firejail 0.9.38:";; |
1303 | esac | 1303 | esac |
1304 | cat <<\_ACEOF | 1304 | cat <<\_ACEOF |
1305 | 1305 | ||
@@ -1389,7 +1389,7 @@ fi | |||
1389 | test -n "$ac_init_help" && exit $ac_status | 1389 | test -n "$ac_init_help" && exit $ac_status |
1390 | if $ac_init_version; then | 1390 | if $ac_init_version; then |
1391 | cat <<\_ACEOF | 1391 | cat <<\_ACEOF |
1392 | firejail configure 0.9.37 | 1392 | firejail configure 0.9.38 |
1393 | generated by GNU Autoconf 2.69 | 1393 | generated by GNU Autoconf 2.69 |
1394 | 1394 | ||
1395 | Copyright (C) 2012 Free Software Foundation, Inc. | 1395 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF | |||
1691 | This file contains any messages produced by compilers while | 1691 | This file contains any messages produced by compilers while |
1692 | running configure, to aid debugging if configure makes a mistake. | 1692 | running configure, to aid debugging if configure makes a mistake. |
1693 | 1693 | ||
1694 | It was created by firejail $as_me 0.9.37, which was | 1694 | It was created by firejail $as_me 0.9.38, which was |
1695 | generated by GNU Autoconf 2.69. Invocation command line was | 1695 | generated by GNU Autoconf 2.69. Invocation command line was |
1696 | 1696 | ||
1697 | $ $0 $@ | 1697 | $ $0 $@ |
@@ -4107,7 +4107,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4107 | # report actual input values of CONFIG_FILES etc. instead of their | 4107 | # report actual input values of CONFIG_FILES etc. instead of their |
4108 | # values after options handling. | 4108 | # values after options handling. |
4109 | ac_log=" | 4109 | ac_log=" |
4110 | This file was extended by firejail $as_me 0.9.37, which was | 4110 | This file was extended by firejail $as_me 0.9.38, which was |
4111 | generated by GNU Autoconf 2.69. Invocation command line was | 4111 | generated by GNU Autoconf 2.69. Invocation command line was |
4112 | 4112 | ||
4113 | CONFIG_FILES = $CONFIG_FILES | 4113 | CONFIG_FILES = $CONFIG_FILES |
@@ -4161,7 +4161,7 @@ _ACEOF | |||
4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4161 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4162 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4163 | ac_cs_version="\\ | 4163 | ac_cs_version="\\ |
4164 | firejail config.status 0.9.37 | 4164 | firejail config.status 0.9.38 |
4165 | configured by $0, generated by GNU Autoconf 2.69, | 4165 | configured by $0, generated by GNU Autoconf 2.69, |
4166 | with options \\"\$ac_cs_config\\" | 4166 | with options \\"\$ac_cs_config\\" |
4167 | 4167 | ||
diff --git a/configure.ac b/configure.ac index 6d7a09bdf..cc505ef5f 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f4c448024..cad101bf9 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -136,12 +136,18 @@ void fs_build_cp_command(void) { | |||
136 | fprintf(stderr, "Error: /bin/cp not found\n"); | 136 | fprintf(stderr, "Error: /bin/cp not found\n"); |
137 | exit(1); | 137 | exit(1); |
138 | } | 138 | } |
139 | if (is_link(fname)) { | ||
140 | fprintf(stderr, "Error: invalid /bin/cp file\n"); | ||
141 | exit(1); | ||
142 | } | ||
139 | int rv = copy_file(fname, RUN_CP_COMMAND); | 143 | int rv = copy_file(fname, RUN_CP_COMMAND); |
140 | if (rv) { | 144 | if (rv) { |
141 | fprintf(stderr, "Error: cannot access /bin/cp\n"); | 145 | fprintf(stderr, "Error: cannot access /bin/cp\n"); |
142 | exit(1); | 146 | exit(1); |
143 | } | 147 | } |
144 | /* coverity[toctou] */ | 148 | /* coverity[toctou] */ |
149 | if (chown(RUN_CP_COMMAND, 0, 0)) | ||
150 | errExit("chown"); | ||
145 | if (chmod(RUN_CP_COMMAND, 0755)) | 151 | if (chmod(RUN_CP_COMMAND, 0755)) |
146 | errExit("chmod"); | 152 | errExit("chmod"); |
147 | 153 | ||
@@ -921,6 +927,10 @@ void fs_chroot(const char *rootdir) { | |||
921 | errExit("asprintf"); | 927 | errExit("asprintf"); |
922 | if (arg_debug) | 928 | if (arg_debug) |
923 | printf("Updating /etc/resolv.conf in %s\n", fname); | 929 | printf("Updating /etc/resolv.conf in %s\n", fname); |
930 | if (is_link(fname)) { | ||
931 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
932 | exit(1); | ||
933 | } | ||
924 | if (copy_file("/etc/resolv.conf", fname) == -1) | 934 | if (copy_file("/etc/resolv.conf", fname) == -1) |
925 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); | 935 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); |
926 | 936 | ||
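Review bot: The `is_link(fname)` test added in fs_chroot and the `copy_file("/etc/resolv.conf", fname)` that follows each resolve fname by path, so the result of the check can be stale by the time the copy opens the file; fname is built under the caller-supplied rootdir, which may be writable by an unprivileged user. The same check-then-copy shape is added in fs_build_cp_command in this file and, as far as the hunks show, in fs_home.c (store_xauthority, store_asoundrc), pulseaudio.c and restrict_users.c. The guard is more reliable inside copy_file itself: open the destination with `O_NOFOLLOW` and validate the opened descriptor with `fstat()` instead of testing the name beforehand. copy_file and is_link are defined outside this diff, so what they already do needs confirming, and both function bodies continue beyond the hunks.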
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 08141ed03..e42ce5255 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
41 | if (stat(fname, &s) == 0) | 41 | if (stat(fname, &s) == 0) |
42 | return; | 42 | return; |
43 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 43 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
44 | if (is_link("/etc/skel/.zshrc")) { | ||
45 | fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n"); | ||
46 | exit(1); | ||
47 | } | ||
44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { | 48 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { |
45 | if (chown(fname, u, g) == -1) | 49 | if (chown(fname, u, g) == -1) |
46 | errExit("chown"); | 50 | errExit("chown"); |
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
71 | if (stat(fname, &s) == 0) | 75 | if (stat(fname, &s) == 0) |
72 | return; | 76 | return; |
73 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 77 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
78 | if (is_link("/etc/skel/.cshrc")) { | ||
79 | fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n"); | ||
80 | exit(1); | ||
81 | } | ||
74 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { | 82 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { |
75 | if (chown(fname, u, g) == -1) | 83 | if (chown(fname, u, g) == -1) |
76 | errExit("chown"); | 84 | errExit("chown"); |
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
102 | if (stat(fname, &s) == 0) | 110 | if (stat(fname, &s) == 0) |
103 | return; | 111 | return; |
104 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 112 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
113 | if (is_link("/etc/skel/.bashrc")) { | ||
114 | fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n"); | ||
115 | exit(1); | ||
116 | } | ||
105 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { | 117 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { |
106 | /* coverity[toctou] */ | 118 | /* coverity[toctou] */ |
107 | if (chown(fname, u, g) == -1) | 119 | if (chown(fname, u, g) == -1) |
@@ -123,7 +135,12 @@ static int store_xauthority(void) { | |||
123 | errExit("asprintf"); | 135 | errExit("asprintf"); |
124 | 136 | ||
125 | struct stat s; | 137 | struct stat s; |
126 | if (stat(src, &s) == 0) { | 138 | if (stat(src, &s) == 0) { |
139 | if (is_link(src)) { | ||
140 | fprintf(stderr, "Error: invalid .Xauthority file\n"); | ||
141 | exit(1); | ||
142 | } | ||
143 | |||
127 | int rv = copy_file(src, dest); | 144 | int rv = copy_file(src, dest); |
128 | if (rv) { | 145 | if (rv) { |
129 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 146 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); |
@@ -146,6 +163,11 @@ static int store_asoundrc(void) { | |||
146 | 163 | ||
147 | struct stat s; | 164 | struct stat s; |
148 | if (stat(src, &s) == 0) { | 165 | if (stat(src, &s) == 0) { |
166 | if (is_link(src)) { | ||
167 | fprintf(stderr, "Error: invalid .asoundrc file\n"); | ||
168 | exit(1); | ||
169 | } | ||
170 | |||
149 | int rv = copy_file(src, dest); | 171 | int rv = copy_file(src, dest); |
150 | if (rv) { | 172 | if (rv) { |
151 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | 173 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); |
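Review bot: In skel() the new checks cover only the /etc/skel source, while the destination `fname` is still tested with `stat()` and later passed to `chown(fname, u, g)`, both of which follow symbolic links. Because `stat()` follows links, a dangling link at fname is treated as "file absent", and the copy and the ownership change then act on a path that was never checked; this matters if homedir can be a directory the user already controls, which the hunks do not show. I would add `if (is_link(fname)) { fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); }` before each `copy_file()` and use `lchown(fname, u, g)` for the ownership change, in all three shell rc blocks. skel() starts and ends outside these hunks, and copy_file() is not shown, so its handling of the destination should be confirmed.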
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7afbf9ce3..014ea8cae 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -300,7 +300,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
300 | if (read_pid(argv[i] + 12, &pid) == 0) | 300 | if (read_pid(argv[i] + 12, &pid) == 0) |
301 | bandwidth_pid(pid, cmd, dev, down, up); | 301 | bandwidth_pid(pid, cmd, dev, down, up); |
302 | else | 302 | else |
303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
304 | exit(0); | 304 | exit(0); |
305 | } | 305 | } |
306 | 306 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 29f3bc4f0..a3348baf4 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -104,6 +104,10 @@ void pulseaudio_init(void) { | |||
104 | char *pulsecfg = NULL; | 104 | char *pulsecfg = NULL; |
105 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) | 105 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) |
106 | errExit("asprintf"); | 106 | errExit("asprintf"); |
107 | if (is_link("/etc/pulse/client.conf")) { | ||
108 | fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n"); | ||
109 | exit(1); | ||
110 | } | ||
107 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) | 111 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) |
108 | errExit("copy_file"); | 112 | errExit("copy_file"); |
109 | FILE *fp = fopen(pulsecfg, "a+"); | 113 | FILE *fp = fopen(pulsecfg, "a+"); |
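Review bot: The new message `Error: invalid /etc/pulse/client.conf file` does not tell the user that the file was refused for being a symbolic link, which is what the `is_link()` guard appears to test, and the guard carries no comment saying why a link is rejected here. I would write `fprintf(stderr, "Error: /etc/pulse/client.conf is a symbolic link\n");` and put `/* do not copy through a symbolic link */` above the check. The same wording concern applies to the messages added in fs.c, fs_home.c and restrict_users.c. pulseaudio_init continues outside the hunk.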
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index aa6a5d268..88dd38021 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) { | |||
115 | return; | 115 | return; |
116 | if (arg_debug) | 116 | if (arg_debug) |
117 | printf("Sanitizing /etc/passwd\n"); | 117 | printf("Sanitizing /etc/passwd\n"); |
118 | if (is_link("/etc/passwd")) { | ||
119 | fprintf(stderr, "Error: invalid /etc/passwd\n"); | ||
120 | exit(1); | ||
121 | } | ||
118 | 122 | ||
119 | FILE *fpin = NULL; | 123 | FILE *fpin = NULL; |
120 | FILE *fpout = NULL; | 124 | FILE *fpout = NULL; |
@@ -248,6 +252,10 @@ static void sanitize_group(void) { | |||
248 | return; | 252 | return; |
249 | if (arg_debug) | 253 | if (arg_debug) |
250 | printf("Sanitizing /etc/group\n"); | 254 | printf("Sanitizing /etc/group\n"); |
255 | if (is_link("/etc/group")) { | ||
256 | fprintf(stderr, "Error: invalid /etc/group\n"); | ||
257 | exit(1); | ||
258 | } | ||
251 | 259 | ||
252 | FILE *fpin = NULL; | 260 | FILE *fpin = NULL; |
253 | FILE *fpout = NULL; | 261 | FILE *fpout = NULL; |
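Review bot: The three-line `is_link()` / `fprintf()` / `exit(1)` block added to sanitize_passwd and sanitize_group is the same block this commit pastes into ten call sites across four files, each with a hand-written message. A small helper would keep the messages uniform and leave a single place to strengthen the check later. The sketch below reproduces the two messages used in this file exactly; it assumes is_link() takes a path string, as every call on this page does. Both functions continue outside the hunks.

```c
/* Exit with an error when is_link() reports path as a link. */
static void exit_if_link(const char *path) {
	if (is_link(path)) {
		fprintf(stderr, "Error: invalid %s\n", path);
		exit(1);
	}
}

// … unchanged: arg_debug print in sanitize_passwd …
	exit_if_link("/etc/passwd");

// … unchanged: arg_debug print in sanitize_group …
	exit_if_link("/etc/group");
```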
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 131f663d4..edaac7eb9 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -54,8 +54,14 @@ void shut(pid_t pid) { | |||
54 | printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); | 54 | printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); |
55 | } | 55 | } |
56 | } | 56 | } |
57 | else { | ||
58 | fprintf(stderr, "Error: this is not a firejail sandbox\n"); | ||
59 | exit(1); | ||
60 | } | ||
57 | free(comm); | 61 | free(comm); |
58 | } | 62 | } |
63 | else | ||
64 | errExit("/proc/PID/comm"); | ||
59 | 65 | ||
60 | // check privileges for non-root users | 66 | // check privileges for non-root users |
61 | uid_t uid = getuid(); | 67 | uid_t uid = getuid(); |
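Review bot: The added `else errExit("/proc/PID/comm");` reports the literal text `/proc/PID/comm` rather than the pid being shut down. errExit presumably prints errno, which may not describe the failure if the call that produced `comm` (outside the hunk) returned NULL for some other reason. I would use `fprintf(stderr, "Error: cannot read /proc/%u/comm\n", (unsigned) pid); exit(1);` inside braces, matching the `(unsigned) pid` cast already used in the printf above. shut() starts and ends outside the hunk.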