diff options
| -rw-r--r-- | etc/profile-m-z/mpv.profile | 2 | ||||
| -rw-r--r-- | src/firejail/fs_bin.c | 7 | ||||
| -rw-r--r-- | src/firejail/fs_home.c | 9 |
3 files changed, 9 insertions, 9 deletions
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 74402a8de..efb11465b 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
| @@ -74,7 +74,7 @@ seccomp.block-secondary | |||
| 74 | shell none | 74 | shell none |
| 75 | tracelog | 75 | tracelog |
| 76 | 76 | ||
| 77 | private-bin env,mpv,python*,waf,youtube-dl | 77 | private-bin env,mpv,python*,waf,youtube-dl,yt-dlp |
| 78 | # private-cache causes slow OSD, see #2838 | 78 | # private-cache causes slow OSD, see #2838 |
| 79 | #private-cache | 79 | #private-cache |
| 80 | private-dev | 80 | private-dev |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index a4c1ff822..4c9dac0c2 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -285,24 +285,25 @@ void fs_private_bin_list(void) { | |||
| 285 | while ((ptr = strtok(NULL, ",")) != NULL) | 285 | while ((ptr = strtok(NULL, ",")) != NULL) |
| 286 | globbing(ptr); | 286 | globbing(ptr); |
| 287 | free(dlist); | 287 | free(dlist); |
| 288 | fs_logger_print(); | ||
| 289 | 288 | ||
| 290 | // mount-bind | 289 | // mount-bind |
| 290 | EUID_ROOT(); | ||
| 291 | int i = 0; | 291 | int i = 0; |
| 292 | while (paths[i]) { | 292 | while (paths[i]) { |
| 293 | struct stat s; | 293 | struct stat s; |
| 294 | if (stat(paths[i], &s) == 0) { | 294 | if (stat(paths[i], &s) == 0) { |
| 295 | if (arg_debug) | 295 | if (arg_debug) |
| 296 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); | 296 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); |
| 297 | EUID_ROOT(); | ||
| 298 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 297 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
| 299 | errExit("mount bind"); | 298 | errExit("mount bind"); |
| 300 | EUID_USER(); | ||
| 301 | fs_logger2("tmpfs", paths[i]); | 299 | fs_logger2("tmpfs", paths[i]); |
| 302 | fs_logger2("mount", paths[i]); | 300 | fs_logger2("mount", paths[i]); |
| 303 | } | 301 | } |
| 304 | i++; | 302 | i++; |
| 305 | } | 303 | } |
| 304 | fs_logger_print(); | ||
| 305 | EUID_USER(); | ||
| 306 | |||
| 306 | selinux_relabel_path(RUN_BIN_DIR, "/bin"); | 307 | selinux_relabel_path(RUN_BIN_DIR, "/bin"); |
| 307 | fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); | 308 | fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); |
| 308 | } | 309 | } |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 8d8530d81..230e9186c 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
| @@ -380,12 +380,14 @@ void fs_private(void) { | |||
| 380 | selinux_relabel_path("/home", "/home"); | 380 | selinux_relabel_path("/home", "/home"); |
| 381 | fs_logger("tmpfs /home"); | 381 | fs_logger("tmpfs /home"); |
| 382 | } | 382 | } |
| 383 | EUID_USER(); | ||
| 383 | 384 | ||
| 384 | if (u != 0) { | 385 | if (u != 0) { |
| 385 | if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { | 386 | if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { |
| 386 | // create new empty /home/user directory | 387 | // create new empty /home/user directory |
| 387 | if (arg_debug) | 388 | if (arg_debug) |
| 388 | printf("Create a new user directory\n"); | 389 | printf("Create a new user directory\n"); |
| 390 | EUID_ROOT(); | ||
| 389 | if (mkdir(homedir, S_IRWXU) == -1) { | 391 | if (mkdir(homedir, S_IRWXU) == -1) { |
| 390 | if (mkpath_as_root(homedir) == -1) | 392 | if (mkpath_as_root(homedir) == -1) |
| 391 | errExit("mkpath"); | 393 | errExit("mkpath"); |
| @@ -394,20 +396,17 @@ void fs_private(void) { | |||
| 394 | } | 396 | } |
| 395 | if (chown(homedir, u, g) < 0) | 397 | if (chown(homedir, u, g) < 0) |
| 396 | errExit("chown"); | 398 | errExit("chown"); |
| 399 | EUID_USER(); | ||
| 397 | fs_logger2("mkdir", homedir); | 400 | fs_logger2("mkdir", homedir); |
| 398 | fs_logger2("tmpfs", homedir); | 401 | fs_logger2("tmpfs", homedir); |
| 399 | } | 402 | } |
| 400 | else { | 403 | else |
| 401 | // mask user home directory | 404 | // mask user home directory |
| 402 | // the directory should be owned by the current user | 405 | // the directory should be owned by the current user |
| 403 | EUID_USER(); | ||
| 404 | fs_tmpfs(homedir, 1); | 406 | fs_tmpfs(homedir, 1); |
| 405 | EUID_ROOT(); | ||
| 406 | } | ||
| 407 | 407 | ||
| 408 | selinux_relabel_path(homedir, homedir); | 408 | selinux_relabel_path(homedir, homedir); |
| 409 | } | 409 | } |
| 410 | EUID_USER(); | ||
| 411 | 410 | ||
| 412 | skel(homedir); | 411 | skel(homedir); |
| 413 | if (xflag) | 412 | if (xflag) |