-rw-r--r-- | .github/workflows/sort.yml | 2 | ||||
-rwxr-xr-x | contrib/sort.py | 11 | ||||
-rw-r--r-- | etc/apparmor/firejail-local | 3 | ||||
-rw-r--r-- | etc/profile-a-l/jitsi-meet-desktop.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/start-tor-browser.desktop.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/start-tor-browser.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/torbrowser-launcher.profile | 5 | ||||
-rw-r--r-- | etc/templates/profile.template | 68 | ||||
-rw-r--r-- | src/firejail/chroot.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
11 files changed, 61 insertions, 52 deletions
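--- a/.github/workflows/sort.yml
+++ b/.github/workflows/sort.yml
@@ -5,10 +5,12 @@ on:
 branches: [ master ]
 paths:
 - 'etc/**'
+- 'contrib/sort.py'
 pull_request:
 branches: [ master ]
 paths:
 - 'etc/**'
+- 'contrib/sort.py'
 
 jobs:
 profile-sort: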
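--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -80,7 +80,7 @@ def fix_profile(filename):
 lines = profile.read().split("\n")
 was_fixed = False
 fixed_profile = []
-for line in lines:
+for lineno, line in enumerate(lines):
 if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
 fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
 elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
@@ -95,6 +95,10 @@ def fix_profile(filename):
 fixed_line = line
 if fixed_line != line:
 was_fixed = True
+print(
+f"{filename}:{lineno + 1}:-{line}\n"
+f"{filename}:{lineno + 1}:+{fixed_line}"
+)
 fixed_profile.append(fixed_line)
 if was_fixed:
 profile.seek(0)
@@ -108,6 +112,7 @@ def fix_profile(filename):
 
 def main(args):
 exit_code = 0
+print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
 for filename in args:
 try:
 if exit_code not in (1, 101):
@@ -120,8 +125,8 @@ def main(args):
 except PermissionError:
 print(f"[ Error ] Can't read/write `{filename}'")
 exit_code = 1
-except:
-print(f"[ Error ] An error occurred while processing `{filename}'")
+except Exception as err:
+print(f"[ Error ] An error occurred while processing `{filename}': {err}")
 exit_code = 1
 return exit_code
 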
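Review bot: The new `except Exception as err:` handler in `main` (new lines 128-129) prints only `{err}`, which drops the exception class and is cryptic for exceptions whose message is just a key or an index. Formatting it as `{type(err).__name__}: {err}` keeps the CI log line actionable without a full traceback. Separately, in `fix_profile` the two `lineno + 1` expressions could be avoided with `for lineno, line in enumerate(lines, start=1):`. Both functions extend beyond the hunks shown.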
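--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,2 +1,5 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
+
+# Uncomment to opt-in to apparmor for torbrowser-launcher
+#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,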
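Review bot: The commented-out rule on new line 5 grants `ix` (inherit-execute) on every file under the user-owned Tor Browser directory, and the comment above it does not say what enabling it gives up. That tree is presumably writable by the sandboxed process (torbrowser-launcher.profile whitelists `${HOME}/.local/share/torbrowser`), so once the rule is active any file written there can be executed under the profile. Suggest extending the comment, e.g. `# NOTE: this permits execution of any file under the user-writable Browser/ directory; enable only together with 'apparmor' in torbrowser-launcher.local`. The glob also covers only `{i686,x86_64}`, so other architectures would need their own entry.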
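--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -20,7 +20,7 @@ nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
 
-private-bin bash,jitsi-meet-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 
 # Redirect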
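--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -4,7 +4,7 @@
 include start-tor-browser.desktop.local
 # Persistent global definitions
 # added by included profile
-include globals.local
+#include globals.local
 
 noblacklist ${HOME}/.tor-browser*
 
@@ -72,8 +72,5 @@ whitelist ${HOME}/.tor-browser_vi
 whitelist ${HOME}/.tor-browser_zh-CN
 whitelist ${HOME}/.tor-browser_zh-TW
 
-# Ignoring apparmor, tor browser is installed in user home directory using the binary archive distributed by Tor Foundation
-ignore apparmor
-
 # Redirect
 include torbrowser-launcher.profile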
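Review bot: Dropping `ignore apparmor` (old lines 75-76) means an `apparmor` line coming from a user's globals.local or a *.local file now takes effect for this profile, yet the opt-in rule this commit adds to etc/apparmor/firejail-local only matches `@{HOME}/.local/share/torbrowser/tbb/...`. The `${HOME}/.tor-browser*` locations whitelisted here are not covered by that rule, so a manually unpacked Tor Browser would presumably be denied execution once AppArmor is enabled. Either keep `ignore apparmor` in this profile, or add a matching commented rule for the `.tor-browser*` paths and point to it in a comment above the redirect.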
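--- a/etc/profile-m-z/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include start-tor-browser.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include start-tor-browser.desktop.profile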
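--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -31,7 +31,10 @@ whitelist ${HOME}/.local/share/torbrowser
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-apparmor
+# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
+# to be uncommented too for this to work as expected.
+#apparmor
 caps.drop all
 netfilter
 nodvd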
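Review bot: The comment block that replaces `apparmor` (new lines 34-37) explains how to opt in but not that this profile now runs without AppArmor confinement by default, nor that an edited local AppArmor file only takes effect after the firejail-default profile is reloaded. Suggest adding `# AppArmor is disabled by default because Tor Browser runs from the user's home directory.` and `# Reload the firejail-default AppArmor profile after editing the local file.` The stated reason is inferred from the comment removed in start-tor-browser.desktop.profile and should be confirmed before it is written down.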
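--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -2,15 +2,15 @@
 # Description: DESCRIPTION
 # This file is overwritten after every install/update
 # --- CUT HERE ---
-# This is a generic template to help you with creation of profiles
-# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
+# This is a generic template to help you create profiles.
+# PRs welcome at https://github.com/netblue30/firejail/.
 #
 # Rules to follow:
 # - lines with one # are often used in profiles
 # - lines with two ## are only needed in special situations
 # - make the profile as restrictive as possible while still keeping the program useful
-# (e. g. a program that is unable to save user's work is considered bad practice)
-# - dedicate some time (based on the complexity of the application) to profile testing before raising
+# (e.g. a program that is unable to save user's work is considered bad practice)
+# - dedicate ample time (based on the complexity of the application) to profile testing before raising
 # a pull request
 # - keep the sections structure, use a single empty line as separator
 # - entries within sections are alphabetically sorted
@@ -42,7 +42,7 @@
 # ${DOCUMENTS}
 # ${DOWNLOADS}
 # ${HOME} (user's home)
-# ${PATH} (contents of PATH envvar)
+# ${PATH} (contents of PATH env var)
 # ${MUSIC}
 # ${RUNUSER} (/run/user/UID)
 # ${VIDEOS}
@@ -81,12 +81,11 @@ include globals.local
 # `ls -aR`
 #noblacklist PATH
 
-# Allow python (blacklisted by disable-interpreters.inc)
-#include allow-python2.inc
-#include allow-python3.inc
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
 
-# Allow perl (blacklisted by disable-interpreters.inc)
-#include allow-perl.inc
+# Allow gjs (blacklisted by disable-interpreters.inc)
+#include allow-gjs.inc
 
 # Allow java (blacklisted by disable-devel.inc)
 #include allow-java.inc
@@ -94,14 +93,15 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
-# Allow ruby (blacklisted by disable-interpreters.inc)
-#include allow-ruby.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
 
-# Allow gjs (blacklisted by disable-interpreters.inc)
-#include allow-gjs.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
 
-# Allows files commonly used by IDEs
-#include allow-common-devel.inc
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
 
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
@@ -117,10 +117,10 @@ include globals.local
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
-# that if a user feels too restricted (he's unable to save files into
-# home directory for instance) he/she may disable whitelist (nowhitelist)
+# that if a user feels too restricted (e.g. unable to save files into
+# home directory) they may disable whitelist (nowhitelist)
 # in PROFILE.local but still be protected by BLACKLISTS section
-# (further explanation at https://github.com/netblue30/firejail/issues/1569)
+# (explanation at https://github.com/netblue30/firejail/issues/1569)
 #mkdir PATH
 ##mkfile PATH
 #whitelist PATH
@@ -136,7 +136,7 @@ include globals.local
 ##hostname NAME
 # CLI only
 ##ipc-namespace
-# breaks sound and sometime dbus related functions
+# breaks audio and sometimes dbus related functions
 #machine-id
 # 'net none' or 'netfilter'
 #net none
@@ -161,7 +161,7 @@ include globals.local
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #seccomp.block-secondary
-##seccomp-error-action log (Only for debugging seccomp issues)
+##seccomp-error-action log (only for debugging seccomp issues)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
@@ -176,16 +176,16 @@ include globals.local
 #private-etc FILES
 # private-etc templates (see also #1734, #2093)
 # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
-# Extra: magic,magic.mgc,passwd,group
-# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
-# Extra: proxychains.conf,gai.conf
-# Sound: alsa,asound.conf,pulse,machine-id
+# Extra: group,magic,magic.mgc,passwd
+# 3D: bumblebee,drirc,glvnd,nvidia
+# Audio: alsa,asound.conf,machine-id,pulse
+# D-Bus: dbus-1,machine-id
 # GUI: fonts,pango,X11
 # GTK: dconf,gconf,gtk-2.0,gtk-3.0
-# Qt: Trolltech.conf
 # KDE: kde4rc,kde5rc
-# 3D: drirc,glvnd,bumblebee,nvidia
-# D-Bus: dbus-1,machine-id
+# Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+# Extra: gai.conf,proxychains.conf
+# Qt: Trolltech.conf
 ##private-lib LIBS
 ##private-opt NAME
 #private-tmp
@@ -194,14 +194,14 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
-# Since 0.9.63 also a more granular regulation of dbus is supported.
-# To get the dbus-addresses to which an application needs access to.
-# You can look at flatpak if the application is also distriputed via flatpak:
+# Since 0.9.63 also a more granular control of dbus is supported.
+# To get the dbus-addresses an application needs access to you can
+# check with flatpak (when the application is distriputed that way):
 # flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 # - flatpak implicitly allows an app to own <APP-ID> on the session bus
-# - In order to make dconf work (if it is used by the app) you need to allow
-# 'ca.desrt.dconf' even if it is not allowed by flatpak.
+# - In order to make dconf work (when used by the app) you need to allow
+# 'ca.desrt.dconf' even when not allowed by flatpak.
 # Notes and Policiy about addresses can be found at
 # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
 #dbus-user filter
@@ -211,7 +211,7 @@ include globals.local
 #dbus-system none
 
 ##env VAR=VALUE
+##join-or-start NAME
 #memory-deny-write-execute
 ##noexec PATH
 ##read-only ${HOME}
-##join-or-start NAME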
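Review bot: The reordered `# Networking:` list (new line 186) ends in `services,rpc,ssl`, which is not alphabetical although the neighbouring lists were sorted in this commit; it should end `resolv.conf,rpc,services,ssl`. Profile authors copy these lists into `private-etc` lines, so an unsorted template entry is likely to be flagged later by the sort check. The reworded D-Bus paragraph also keeps the typo `distriputed` (new line 199), and the untouched line 205 still reads `Policiy`.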
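--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -171,7 +171,7 @@ void fs_chroot(const char *rootdir) {
 free(proc);
 close(fd);
 
-// x11
+#ifdef HAVE_X11
 // if users want this mount, they should set FIREJAIL_CHROOT_X11
 if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) {
 if (arg_debug)
@@ -199,6 +199,7 @@ void fs_chroot(const char *rootdir) {
 free(proc);
 close(fd);
 }
+#endif // HAVE_X11
 
 // some older distros don't have a /run directory, create one by default
 if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST)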
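Review bot: With the X11 mount now compiled only under `#ifdef HAVE_X11`, a build without X11 support silently ignores `FIREJAIL_CHROOT_X11`, so a user who sets it gets a chroot without the expected mount and no hint why. An `#else` branch that reports this would help, e.g. `if (env_get("FIREJAIL_CHROOT_X11")) fprintf(stderr, "Warning: X11 support is disabled in this build, ignoring FIREJAIL_CHROOT_X11\n");`. The `// x11` section marker is also lost; keeping it on the line above the `#ifdef` preserves it. `fs_chroot` begins before and continues after both hunks.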
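--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1008,7 +1008,7 @@ int main(int argc, char **argv, char **envp) {
 
 // sanity check for environment variables
 if (i >= MAX_ENVS) {
-fprintf(stderr, "Error: too many environment variables, please use --rmenv\n");
+fprintf(stderr, "Error: too many environment variables\n");
 exit(1);
 }
 
@@ -1022,9 +1022,6 @@ int main(int argc, char **argv, char **envp) {
 fprintf(stderr, "Error: too long arguments\n");
 exit(1);
 }
-// Also remove requested environment variables
-if (strncmp(argv[i], "--rmenv=", 8) == 0)
-env_store(argv[i] + 8, RMENV);
 }
 
 // Reapply a minimal set of environment variables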
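Review bot: After this change the argument loop ending at new line 1025 no longer stores `--rmenv=` requests, and nothing in the visible hunks shows where they are handled instead. If `--rmenv` is now processed only during regular option parsing, a comment at the loop saying so would stop a later reader from reintroducing the early scan, e.g. `// --rmenv is handled with the other options; the environment has already been saved at this point`. The shortened message at new line 1011 also leaves a user who hits `MAX_ENVS` with no remedy, so naming one in the text (for instance starting firejail from a reduced environment) would help. `main` extends well beyond both hunks.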
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 318c45335..9a4be5cc0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -462,10 +462,10 @@ static int ok_to_run(const char *program) { | |||
462 | 462 | ||
463 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | 463 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { |
464 | // set environment | 464 | // set environment |
465 | if (no_sandbox == 0) { | 465 | if (no_sandbox == 0) |
466 | env_defaults(); | 466 | env_defaults(); |
467 | env_apply_all(); | 467 | env_apply_all(); |
468 | } | 468 | |
469 | // restore original umask | 469 | // restore original umask |
470 | umask(orig_umask); | 470 | umask(orig_umask); |
471 | 471 | ||
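Review bot: The braceless `if (no_sandbox == 0)` at new line 465 is followed directly by `env_apply_all();`, which now runs unconditionally; with no blank line or comment between the two calls it reads as if both were still guarded. Suggest a blank line after `env_defaults();` and a comment such as `// always apply the stored environment, also when running without a sandbox` before `env_apply_all();`. The diffstat counts six changed lines for this file, so one of the two calls was presumably re-indented, which the rendered page does not show. `start_application` continues past the hunk.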