3 files changed, 59 insertions, 40 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 8e830f707..b37edf7a5 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -54,7 +54,7 @@
 # root user can always join sandboxes.
 # join yes
-#Enable or disable sandbox name change, default enabled.
+# Enable or disable sandbox name change, default enabled.
 # name-change yes
 # Enable or disable networking features, default enabled.
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c262402fa..2a8ee3e0f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -733,26 +733,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
                // NOTE: this is first part of option handler,
                //               sandbox name is set in other part
-                logargs(argc, argv);
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        logargs(argc, argv);
-                if (arg_shell_none) {
+                        if (arg_shell_none) {
-                        if (argc <= (i+1)) {
+                                if (argc <= (i+1)) {
-                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                        fprintf(stderr, "Error: --shell=none set, but no command specified\n");
-                                exit(1);
+                                        exit(1);
+                                }
+                                cfg.original_program_index = i + 1;
                        }
-                        cfg.original_program_index = i + 1;
-                }
-                // try to join by name only
+                        // try to join by name only
-                pid_t pid;
+                        pid_t pid;
-                if (!read_pid(argv[i] + 16, &pid)) {
+                        if (!read_pid(argv[i] + 16, &pid)) {
-                        if (!cfg.shell && !arg_shell_none)
+                                if (!cfg.shell && !arg_shell_none)
-                                cfg.shell = guess_shell();
+                                        cfg.shell = guess_shell();
-                        join(pid, argc, argv, i + 1);
+                                join(pid, argc, argv, i + 1);
-                        exit(0);
+                                exit(0);
+                        }
+                        // if there no such sandbox continue argument processing
                }
-                // if there no such sandbox continue argument processing
+                else
+                        exit_err_feature("join");
        }
 #ifdef HAVE_NETWORK
        else if (strncmp(argv[i], "--join-network=", 15) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 348b4e0ca..bc66aca78 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -241,6 +241,7 @@ error:
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno, const char *fname) {
+        static int whitelist_warning_printed = 0;
        EUID_ASSERT();
        // check and process conditional profile lines
@@ -1126,8 +1127,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        }
                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                }
+                else
+                        warning_feature_disabled("overlayfs");
                return 0;
        } else if (strcmp(ptr, "overlay-tmpfs") == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
                        if (arg_overlay) {
@@ -1144,9 +1147,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                exit(1);
                        }
                        arg_overlay = 1;
-                        return 0;
                }
+                else
+                        warning_feature_disabled("overlayfs");
+                return 0;
        } else if (strcmp(ptr, "overlay") == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
                        if (arg_overlay) {
@@ -1171,9 +1176,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                        free(subdirname);
-                        return 0;
                }
+                else
+                        warning_feature_disabled("overlayfs");
+                return 0;
        }
 #endif
@@ -1260,26 +1266,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        if (strncmp(ptr, "join-or-start ", 14) == 0) {
-                // try to join by name only
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
-                pid_t pid;
+                        // try to join by name only
-                if (!name2pid(ptr + 14, &pid)) {
+                        pid_t pid;
-                        if (!cfg.shell && !arg_shell_none)
+                        if (!name2pid(ptr + 14, &pid)) {
-                                cfg.shell = guess_shell();
+                                if (!cfg.shell && !arg_shell_none)
+                                        cfg.shell = guess_shell();
-                        // find first non-option arg
-                        int i;
+                                // find first non-option arg
-                        for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
+                                int i;
+                                for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
-                        join(pid, cfg.original_argc,cfg.original_argv, i + 1);
-                        exit(0);
+                                join(pid, cfg.original_argc,cfg.original_argv, i + 1);
-                }
+                                exit(0);
+                        }
-                // set sandbox name and start normally
+                        // set sandbox name and start normally
-                cfg.name = ptr + 14;
+                        cfg.name = ptr + 14;
-                if (strlen(cfg.name) == 0) {
+                        if (strlen(cfg.name) == 0) {
-                        fprintf(stderr, "Error: invalid sandbox name\n");
+                                fprintf(stderr, "Error: invalid sandbox name\n");
-                        exit(1);
+                                exit(1);
+                        }
                }
+                else
+                        warning_feature_disabled("join");
                return 0;
        }
@@ -1301,8 +1311,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        arg_whitelist = 1;
                        ptr += 10;
                }
-                else
+                else {
+                        if (!whitelist_warning_printed) {
+                                warning_feature_disabled("whitelist");
+                                whitelist_warning_printed = 1;
+                        }
                        return 0;
+                }
 #else
                return 0;
 #endif

diff --git a/etc/firejail.config b/etc/firejail.config index 8e830f707..b37edf7a5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -54,7 +54,7 @@
54	# root user can always join sandboxes.	54	# root user can always join sandboxes.
55	# join yes	55	# join yes
56		56
57	#Enable or disable sandbox name change, default enabled.	57	# Enable or disable sandbox name change, default enabled.
58	# name-change yes	58	# name-change yes
59		59
60	# Enable or disable networking features, default enabled.	60	# Enable or disable networking features, default enabled.


diff --git a/src/firejail/main.c b/src/firejail/main.c index c262402fa..2a8ee3e0f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -733,26 +733,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
733	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {	733	else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
734	// NOTE: this is first part of option handler,	734	// NOTE: this is first part of option handler,
735	// sandbox name is set in other part	735	// sandbox name is set in other part
736	logargs(argc, argv);	736	if (checkcfg(CFG_JOIN) \|\| getuid() == 0) {
		737	logargs(argc, argv);
737		738
738	if (arg_shell_none) {	739	if (arg_shell_none) {
739	if (argc <= (i+1)) {	740	if (argc <= (i+1)) {
740	fprintf(stderr, "Error: --shell=none set, but no command specified\n");	741	fprintf(stderr, "Error: --shell=none set, but no command specified\n");
741	exit(1);	742	exit(1);
		743	}
		744	cfg.original_program_index = i + 1;
742	}	745	}
743	cfg.original_program_index = i + 1;
744	}
745		746
746	// try to join by name only	747	// try to join by name only
747	pid_t pid;	748	pid_t pid;
748	if (!read_pid(argv[i] + 16, &pid)) {	749	if (!read_pid(argv[i] + 16, &pid)) {
749	if (!cfg.shell && !arg_shell_none)	750	if (!cfg.shell && !arg_shell_none)
750	cfg.shell = guess_shell();	751	cfg.shell = guess_shell();
751		752
752	join(pid, argc, argv, i + 1);	753	join(pid, argc, argv, i + 1);
753	exit(0);	754	exit(0);
		755	}
		756	// if there no such sandbox continue argument processing
754	}	757	}
755	// if there no such sandbox continue argument processing	758	else
		759	exit_err_feature("join");
756	}	760	}
757	#ifdef HAVE_NETWORK	761	#ifdef HAVE_NETWORK
758	else if (strncmp(argv[i], "--join-network=", 15) == 0) {	762	else if (strncmp(argv[i], "--join-network=", 15) == 0) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 348b4e0ca..bc66aca78 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -241,6 +241,7 @@ error:
241	// return 1 if the command is to be added to the linked list of profile commands	241	// return 1 if the command is to be added to the linked list of profile commands
242	// return 0 if the command was already executed inside the function	242	// return 0 if the command was already executed inside the function
243	int profile_check_line(char ptr, int lineno, const char fname) {	243	int profile_check_line(char ptr, int lineno, const char fname) {
		244	static int whitelist_warning_printed = 0;
244	EUID_ASSERT();	245	EUID_ASSERT();
245		246
246	// check and process conditional profile lines	247	// check and process conditional profile lines
@@ -1126,8 +1127,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1126	}	1127	}
1127	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);	1128	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
1128	}	1129	}
1129		1130	else
		1131	warning_feature_disabled("overlayfs");
1130	return 0;	1132	return 0;
		1133
1131	} else if (strcmp(ptr, "overlay-tmpfs") == 0) {	1134	} else if (strcmp(ptr, "overlay-tmpfs") == 0) {
1132	if (checkcfg(CFG_OVERLAYFS)) {	1135	if (checkcfg(CFG_OVERLAYFS)) {
1133	if (arg_overlay) {	1136	if (arg_overlay) {
@@ -1144,9 +1147,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1144	exit(1);	1147	exit(1);
1145	}	1148	}
1146	arg_overlay = 1;	1149	arg_overlay = 1;
1147
1148	return 0;
1149	}	1150	}
		1151	else
		1152	warning_feature_disabled("overlayfs");
		1153	return 0;
		1154
1150	} else if (strcmp(ptr, "overlay") == 0) {	1155	} else if (strcmp(ptr, "overlay") == 0) {
1151	if (checkcfg(CFG_OVERLAYFS)) {	1156	if (checkcfg(CFG_OVERLAYFS)) {
1152	if (arg_overlay) {	1157	if (arg_overlay) {
@@ -1171,9 +1176,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1171	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);	1176	cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
1172		1177
1173	free(subdirname);	1178	free(subdirname);
1174
1175	return 0;
1176	}	1179	}
		1180	else
		1181	warning_feature_disabled("overlayfs");
		1182	return 0;
1177	}	1183	}
1178	#endif	1184	#endif
1179		1185
@@ -1260,26 +1266,30 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1260	}	1266	}
1261		1267
1262	if (strncmp(ptr, "join-or-start ", 14) == 0) {	1268	if (strncmp(ptr, "join-or-start ", 14) == 0) {
1263	// try to join by name only	1269	if (checkcfg(CFG_JOIN) \|\| getuid() == 0) {
1264	pid_t pid;	1270	// try to join by name only
1265	if (!name2pid(ptr + 14, &pid)) {	1271	pid_t pid;
1266	if (!cfg.shell && !arg_shell_none)	1272	if (!name2pid(ptr + 14, &pid)) {
1267	cfg.shell = guess_shell();	1273	if (!cfg.shell && !arg_shell_none)
1268		1274	cfg.shell = guess_shell();
1269	// find first non-option arg	1275
1270	int i;	1276	// find first non-option arg
1271	for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);	1277	int i;
1272		1278	for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
1273	join(pid, cfg.original_argc,cfg.original_argv, i + 1);	1279
1274	exit(0);	1280	join(pid, cfg.original_argc,cfg.original_argv, i + 1);
1275	}	1281	exit(0);
		1282	}
1276		1283
1277	// set sandbox name and start normally	1284	// set sandbox name and start normally
1278	cfg.name = ptr + 14;	1285	cfg.name = ptr + 14;
1279	if (strlen(cfg.name) == 0) {	1286	if (strlen(cfg.name) == 0) {
1280	fprintf(stderr, "Error: invalid sandbox name\n");	1287	fprintf(stderr, "Error: invalid sandbox name\n");
1281	exit(1);	1288	exit(1);
		1289	}
1282	}	1290	}
		1291	else
		1292	warning_feature_disabled("join");
1283	return 0;	1293	return 0;
1284	}	1294	}
1285		1295
@@ -1301,8 +1311,13 @@ int profile_check_line(char ptr, int lineno, const char fname) {
1301	arg_whitelist = 1;	1311	arg_whitelist = 1;
1302	ptr += 10;	1312	ptr += 10;
1303	}	1313	}
1304	else	1314	else {
		1315	if (!whitelist_warning_printed) {
		1316	warning_feature_disabled("whitelist");
		1317	whitelist_warning_printed = 1;
		1318	}
1305	return 0;	1319	return 0;
		1320	}
1306	#else	1321	#else
1307	return 0;	1322	return 0;
1308	#endif	1323	#endif