-rw-r--r-- | README | 8 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | etc/cherrytree.profile | 10 | ||||
-rw-r--r-- | etc/evince.profile | 1 | ||||
-rw-r--r-- | etc/firejail-default | 3 | ||||
-rw-r--r-- | etc/keepass.profile | 2 | ||||
-rw-r--r-- | etc/libreoffice.profile | 5 | ||||
-rw-r--r-- | etc/vlc.profile | 1 | ||||
-rw-r--r-- | src/firejail/appimage.c | 53 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 17 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 23 | ||||
-rw-r--r-- | src/firejail/main.c | 27 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 16 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 8 | ||||
-rw-r--r-- | src/firejail/util.c | 21 |
22 files changed, 113 insertions, 100 deletions
@@ -77,13 +77,17 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
77 | - added gnome-chess profile | 77 | - added gnome-chess profile |
78 | - added DOSBox profile | 78 | - added DOSBox profile |
79 | - evince profile enhancement | 79 | - evince profile enhancement |
80 | Dara Adib (https://github.com/daradib) | ||
81 | - ssh profile fix | ||
82 | - evince profile fix | ||
83 | valoq (https://github.com/valoq) | ||
84 | - LibreOffice profile fixes | ||
85 | - cherrytree profile fixes | ||
80 | vismir2 (https://github.com/vismir2) | 86 | vismir2 (https://github.com/vismir2) |
81 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 87 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
82 | - lots of profile fixes | 88 | - lots of profile fixes |
83 | graywolf (https://github.com/graywolf) | 89 | graywolf (https://github.com/graywolf) |
84 | - spelling fix | 90 | - spelling fix |
85 | Dara Adib (https://github.com/daradib) | ||
86 | - ssh profile fix | ||
87 | Tomasz Jan Góralczyk (https://github.com/tjg) | 91 | Tomasz Jan Góralczyk (https://github.com/tjg) |
88 | - fixed Steam profile | 92 | - fixed Steam profile |
89 | pwnage-pineapple (https://github.com/pwnage-pineapple) | 93 | pwnage-pineapple (https://github.com/pwnage-pineapple) |
@@ -40,6 +40,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
40 | If you keep your Firejail profiles in a public repository, please give us a link: | 40 | If you keep your Firejail profiles in a public repository, please give us a link: |
41 | 41 | ||
42 | * https://github.com/chiraag-nataraj/firejail-profiles | 42 | * https://github.com/chiraag-nataraj/firejail-profiles |
43 | |||
44 | * https://github.com/triceratops1/fe | ||
43 | ````` | 45 | ````` |
44 | 46 | ||
45 | ````` | 47 | ````` |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7c324a34b..d16e7c067 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # cherrytree note taking application | 1 | # cherrytree note taking application |
2 | noblacklist /usr/bin/python2* | 2 | noblacklist /usr/bin/python2* |
3 | noblacklist /usr/lib/python3* | 3 | noblacklist /usr/lib/python3* |
4 | noblacklist ${HOME}/.config/cherrytree/ | ||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
@@ -15,13 +16,4 @@ seccomp | |||
15 | protocol unix,inet,inet6,netlink | 16 | protocol unix,inet,inet6,netlink |
16 | tracelog | 17 | tracelog |
17 | 18 | ||
18 | include /etc/firejail/whitelist-common.inc | ||
19 | 19 | ||
20 | # no private-bin support for various reasons: | ||
21 | #10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree | ||
22 | #10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" | ||
23 | #10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree | ||
24 | #10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null | ||
25 | #10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc | ||
26 | # it requires acces to browser to show the online help | ||
27 | # it doesn't play nicely with expect | ||
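Review bot: Dropping `include /etc/firejail/whitelist-common.inc` and the trailing comment block removes the recorded reasons for not using private-bin, and presumably the whitelist-based restriction of the home directory as well. The profile then appears to rely only on the disable-*.inc blacklists for files under the home directory. If that is intended, say so in the profile, e.g. `# no whitelisting: note files can live anywhere under ${HOME}`, and keep a one-line summary of the private-bin rationale (python interpreter, ldconfig and compiler lookups at startup).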
diff --git a/etc/evince.profile b/etc/evince.profile index 374fa4aaa..894c7c70d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -15,5 +15,4 @@ shell none | |||
15 | tracelog | 15 | tracelog |
16 | 16 | ||
17 | private-bin evince,evince-previewer,evince-thumbnailer | 17 | private-bin evince,evince-previewer,evince-thumbnailer |
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | 18 | private-dev |
diff --git a/etc/firejail-default b/etc/firejail-default index 0b771f834..1b0eb7658 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -31,6 +31,9 @@ profile firejail-default { | |||
31 | /{,var/}run/user/**/pulse/ rw, | 31 | /{,var/}run/user/**/pulse/ rw, |
32 | /{,var/}run/user/**/pulse/** rw, | 32 | /{,var/}run/user/**/pulse/** rw, |
33 | /{,var/}run/firejail/mnt/fslogger r, | 33 | /{,var/}run/firejail/mnt/fslogger r, |
34 | /{,var/}run/firejail/appimage r, | ||
35 | /{,var/}run/firejail/appimage/** r, | ||
36 | /{,var/}run/firejail/appimage/** ix, | ||
34 | /{run,dev}/shm/ r, | 37 | /{run,dev}/shm/ r, |
35 | /{run,dev}/shm/** rmwk, | 38 | /{run,dev}/shm/** rmwk, |
36 | 39 | ||
diff --git a/etc/keepass.profile b/etc/keepass.profile index b2085f53d..23f9a7b40 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
@@ -13,7 +13,7 @@ nogroups | |||
13 | nonewprivs | 13 | nonewprivs |
14 | noroot | 14 | noroot |
15 | nosound | 15 | nosound |
16 | protocol unix | 16 | protocol unix,inet,inet6 |
17 | seccomp | 17 | seccomp |
18 | netfilter | 18 | netfilter |
19 | shell none | 19 | shell none |
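Review bot: The `protocol` line now admits `inet` and `inet6` for a password manager, so the sandboxed process may open network sockets next to the credential database, and nothing in the profile says why. If a specific feature needs it, record that above the line, e.g. `# inet,inet6 needed for <feature>; drop them to run keepass without network sockets`. Otherwise `protocol unix` is the tighter default and should stay.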
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 75a52e9ff..d6aceb7a8 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -1,5 +1,6 @@ | |||
1 | # Firejail profile for LibreOffice | 1 | # Firejail profile for LibreOffice |
2 | noblacklist ~/.config/libreoffice | 2 | noblacklist ~/.config/libreoffice |
3 | noblacklist /usr/local/sbin | ||
3 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | 5 | include /etc/firejail/disable-programs.inc |
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
@@ -10,9 +11,9 @@ netfilter | |||
10 | nogroups | 11 | nogroups |
11 | nonewprivs | 12 | nonewprivs |
12 | noroot | 13 | noroot |
13 | protocol unix,inet,inet6,netlink | 14 | protocol unix,inet,inet6 |
14 | seccomp | 15 | seccomp |
15 | tracelog | 16 | tracelog |
16 | 17 | ||
17 | private-dev | 18 | private-dev |
18 | whitelist /tmp/.X11-unix/ | 19 | # whitelist /tmp/.X11-unix/ |
diff --git a/etc/vlc.profile b/etc/vlc.profile index cdd098dd5..446e47864 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -14,7 +14,6 @@ noroot | |||
14 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
15 | seccomp | 15 | seccomp |
16 | shell none | 16 | shell none |
17 | tracelog | ||
18 | 17 | ||
19 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 18 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
20 | private-dev | 19 | private-dev |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 05bd8a1d8..375d6be24 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -54,9 +54,13 @@ void appimage_set(const char *appimage_path) { | |||
54 | exit(1); | 54 | exit(1); |
55 | } | 55 | } |
56 | 56 | ||
57 | // populate /run/firejail directory | ||
57 | EUID_ROOT(); | 58 | EUID_ROOT(); |
59 | fs_build_firejail_dir(); | ||
60 | EUID_USER(); | ||
58 | 61 | ||
59 | // find or allocate a free loop device to use | 62 | // find or allocate a free loop device to use |
63 | EUID_ROOT(); | ||
60 | int cfd = open("/dev/loop-control", O_RDWR); | 64 | int cfd = open("/dev/loop-control", O_RDWR); |
61 | int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); | 65 | int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); |
62 | if (devnr == -1) { | 66 | if (devnr == -1) { |
@@ -74,36 +78,37 @@ void appimage_set(const char *appimage_path) { | |||
74 | } | 78 | } |
75 | close(lfd); | 79 | close(lfd); |
76 | close(ffd); | 80 | close(ffd); |
77 | |||
78 | EUID_USER(); | 81 | EUID_USER(); |
79 | 82 | ||
80 | // creates directory with perms 0700 | 83 | // creates appimage mount point perms 0700 |
81 | char dirname[] = "/tmp/firejail-mnt-XXXXXX"; | 84 | if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) |
82 | mntdir = strdup(mkdtemp(dirname)); | 85 | errExit("asprintf"); |
83 | if (mntdir == NULL) { | 86 | EUID_ROOT(); |
84 | fprintf(stderr, "Error: cannot create temporary directory\n"); | 87 | if (mkdir(mntdir, 0700) == -1) { |
88 | fprintf(stderr, "Error: cannot create appimage mount point\n"); | ||
85 | exit(1); | 89 | exit(1); |
86 | } | 90 | } |
87 | if (chmod(mntdir, 0700) == -1) | 91 | if (chmod(mntdir, 0700) == -1) |
88 | errExit("chmod"); | 92 | errExit("chmod"); |
93 | if (chown(mntdir, getuid(), getgid()) == -1) | ||
94 | errExit("chown"); | ||
95 | EUID_USER(); | ||
89 | ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); | 96 | ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); |
90 | 97 | ||
98 | // mount | ||
91 | char *mode; | 99 | char *mode; |
92 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) | 100 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) |
93 | errExit("asprintf"); | 101 | errExit("asprintf"); |
94 | |||
95 | EUID_ROOT(); | 102 | EUID_ROOT(); |
96 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) | 103 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) |
97 | errExit("mounting appimage"); | 104 | errExit("mounting appimage"); |
98 | |||
99 | |||
100 | if (arg_debug) | 105 | if (arg_debug) |
101 | printf("appimage mounted on %s\n", mntdir); | 106 | printf("appimage mounted on %s\n", mntdir); |
102 | EUID_USER(); | 107 | EUID_USER(); |
103 | 108 | ||
109 | // set environment | ||
104 | if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) | 110 | if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) |
105 | errExit("setenv"); | 111 | errExit("setenv"); |
106 | |||
107 | if (mntdir && setenv("APPDIR", mntdir, 1) < 0) | 112 | if (mntdir && setenv("APPDIR", mntdir, 1) < 0) |
108 | errExit("setenv"); | 113 | errExit("setenv"); |
109 | 114 | ||
@@ -121,16 +126,32 @@ void appimage_set(const char *appimage_path) { | |||
121 | void appimage_clear(void) { | 126 | void appimage_clear(void) { |
122 | int rv; | 127 | int rv; |
123 | 128 | ||
129 | EUID_ROOT(); | ||
124 | if (mntdir) { | 130 | if (mntdir) { |
125 | rv = umount2(mntdir, MNT_FORCE); | 131 | int i; |
126 | if (rv == -1 && errno == EBUSY) { | 132 | int rv = 0; |
127 | sleep(1); | 133 | for (i = 0; i < 5; i++) { |
128 | rv = umount2(mntdir, MNT_FORCE); | 134 | rv = umount2(mntdir, MNT_FORCE); |
129 | (void) rv; | 135 | if (rv == 0) |
136 | break; | ||
137 | if (rv == -1 && errno == EBUSY) { | ||
138 | if (!arg_quiet) | ||
139 | printf("Warning: EBUSY error trying to unmount %s\n", mntdir); | ||
140 | sleep(2); | ||
141 | continue; | ||
142 | } | ||
130 | 143 | ||
144 | // rv = -1 | ||
145 | if (!arg_quiet) { | ||
146 | printf("Warning: error trying to unmount %s\n", mntdir); | ||
147 | perror("umount"); | ||
148 | } | ||
149 | } | ||
150 | |||
151 | if (rv == 0) { | ||
152 | rmdir(mntdir); | ||
153 | free(mntdir); | ||
131 | } | 154 | } |
132 | rmdir(mntdir); | ||
133 | free(mntdir); | ||
134 | } | 155 | } |
135 | 156 | ||
136 | if (devloop) { | 157 | if (devloop) { |
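Review bot: In appimage_clear the new retry loop has no `break;` on the non-EBUSY failure path, so a permanent umount2() error is retried five times back to back with the warning printed each time, and `perror("umount")` runs after a `printf` that may have changed errno. The inner `int rv = 0;` shadows the `rv` declared at the top of the function, and after `free(mntdir);` the pointer is left dangling; adding `mntdir = NULL;` would make a repeated call harmless. When the unmount fails, the `appimage-<pid>` directory stays behind, so a later run that is given the same pid would stop at `mkdir(mntdir, 0700)` in appimage_set. In appimage_set, `%u` is paired with `getpid()`, which returns a signed `pid_t`; both functions continue outside the hunks, so the matching EUID_USER() for appimage_clear is not visible here.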
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f4d468394..15e108056 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -28,6 +28,7 @@ | |||
28 | // filesystem | 28 | // filesystem |
29 | #define RUN_FIREJAIL_BASEDIR "/run" | 29 | #define RUN_FIREJAIL_BASEDIR "/run" |
30 | #define RUN_FIREJAIL_DIR "/run/firejail" | 30 | #define RUN_FIREJAIL_DIR "/run/firejail" |
31 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" | ||
31 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" | 32 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" |
32 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | 33 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" |
33 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 34 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
@@ -457,8 +458,7 @@ char *expand_home(const char *path, const char* homedir); | |||
457 | const char *gnu_basename(const char *path); | 458 | const char *gnu_basename(const char *path); |
458 | uid_t pid_get_uid(pid_t pid); | 459 | uid_t pid_get_uid(pid_t pid); |
459 | void invalid_filename(const char *fname); | 460 | void invalid_filename(const char *fname); |
460 | uid_t get_tty_gid(void); | 461 | uid_t get_group_id(const char *group); |
461 | uid_t get_audio_gid(void); | ||
462 | int remove_directory(const char *path); | 462 | int remove_directory(const char *path); |
463 | void flush_stdin(void); | 463 | void flush_stdin(void); |
464 | 464 | ||
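Review bot: `get_group_id` is declared to return `uid_t` although it returns a group id, a mismatch carried over from the two functions it replaces. The prototype should read `gid_t get_group_id(const char *group);`, with the same change to the definition in src/firejail/util.c. The callers shown in fs_dev.c and main.c already store the result in a `gid_t`.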
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index b40f8a3fa..a5f12c7df 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -77,14 +77,15 @@ void fs_build_firejail_dir(void) { | |||
77 | if (stat(RUN_FIREJAIL_BASEDIR, &s)) { | 77 | if (stat(RUN_FIREJAIL_BASEDIR, &s)) { |
78 | create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); | 78 | create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); |
79 | } | 79 | } |
80 | else { // check /tmp/firejail directory belongs to root end exit if doesn't! | 80 | |
81 | // check /run/firejail directory belongs to root end exit if doesn't! | ||
82 | if (stat(RUN_FIREJAIL_DIR, &s) == 0) { | ||
81 | if (s.st_uid != 0 || s.st_gid != 0) { | 83 | if (s.st_uid != 0 || s.st_gid != 0) { |
82 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR); | 84 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR); |
83 | exit(1); | 85 | exit(1); |
84 | } | 86 | } |
85 | } | 87 | } |
86 | 88 | else { | |
87 | if (stat(RUN_FIREJAIL_DIR, &s)) { | ||
88 | create_dir_as_root(RUN_FIREJAIL_DIR, 0755); | 89 | create_dir_as_root(RUN_FIREJAIL_DIR, 0755); |
89 | } | 90 | } |
90 | 91 | ||
@@ -104,12 +105,16 @@ void fs_build_firejail_dir(void) { | |||
104 | create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); | 105 | create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); |
105 | } | 106 | } |
106 | 107 | ||
108 | if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { | ||
109 | create_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); | ||
110 | } | ||
111 | |||
107 | create_empty_dir(); | 112 | create_empty_dir(); |
108 | create_empty_file(); | 113 | create_empty_file(); |
109 | } | 114 | } |
110 | 115 | ||
111 | 116 | ||
112 | // build /tmp/firejail/mnt directory | 117 | // build /run/firejail/mnt directory |
113 | static int tmpfs_mounted = 0; | 118 | static int tmpfs_mounted = 0; |
114 | #ifdef HAVE_CHROOT | 119 | #ifdef HAVE_CHROOT |
115 | static void fs_build_remount_mnt_dir(void) { | 120 | static void fs_build_remount_mnt_dir(void) { |
@@ -133,7 +138,7 @@ void fs_build_mnt_dir(void) { | |||
133 | if (arg_debug) | 138 | if (arg_debug) |
134 | printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); | 139 | printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); |
135 | if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 140 | if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
136 | errExit("mounting /tmp/firejail/mnt"); | 141 | errExit("mounting /run/firejail/mnt"); |
137 | tmpfs_mounted = 1; | 142 | tmpfs_mounted = 1; |
138 | fs_logger2("tmpfs", RUN_MNT_DIR); | 143 | fs_logger2("tmpfs", RUN_MNT_DIR); |
139 | } | 144 | } |
@@ -1250,7 +1255,7 @@ void fs_private_tmp(void) { | |||
1250 | if (arg_debug) | 1255 | if (arg_debug) |
1251 | printf("Mounting tmpfs on /tmp directory\n"); | 1256 | printf("Mounting tmpfs on /tmp directory\n"); |
1252 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 1257 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
1253 | errExit("mounting /tmp/firejail/mnt"); | 1258 | errExit("mounting tmpfs on /tmp directory"); |
1254 | fs_logger2("tmpfs", "/tmp"); | 1259 | fs_logger2("tmpfs", "/tmp"); |
1255 | } | 1260 | } |
1256 | 1261 | ||
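Review bot: The ownership test on RUN_FIREJAIL_DIR in fs_build_firejail_dir checks only st_uid and st_gid, yet this commit starts creating and chown()ing per-user mount points beneath that directory as root (appimage.c). The test should also reject a non-directory or a group/world-writable path: `if (!S_ISDIR(s.st_mode) || (s.st_mode & (S_IWGRP | S_IWOTH)) || s.st_uid != 0 || s.st_gid != 0) {`. The new RUN_FIREJAIL_APPIMAGE_DIR block treats any stat() failure as "missing" and does not verify an already existing directory, presumably relying on the parent check. In the moved comment, `end exit` should read `and exit`; the function starts and ends outside these hunks.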
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 40539305f..e65474f44 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -208,7 +208,7 @@ void fs_private_bin_list(void) { | |||
208 | char *private_list = cfg.bin_private_keep; | 208 | char *private_list = cfg.bin_private_keep; |
209 | assert(private_list); | 209 | assert(private_list); |
210 | 210 | ||
211 | // create /tmp/firejail/mnt/bin directory | 211 | // create /run/firejail/mnt/bin directory |
212 | fs_build_mnt_dir(); | 212 | fs_build_mnt_dir(); |
213 | if (mkdir(RUN_BIN_DIR, 0755) == -1) | 213 | if (mkdir(RUN_BIN_DIR, 0755) == -1) |
214 | errExit("mkdir"); | 214 | errExit("mkdir"); |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index daf0afd9e..aa5f7c28b 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -225,7 +225,7 @@ void fs_private_dev(void){ | |||
225 | 225 | ||
226 | 226 | ||
227 | // mount /dev/pts | 227 | // mount /dev/pts |
228 | gid_t ttygid = get_tty_gid(); | 228 | gid_t ttygid = get_group_id("tty"); |
229 | char *data; | 229 | char *data; |
230 | if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1) | 230 | if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1) |
231 | errExit("asprintf"); | 231 | errExit("asprintf"); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index e860bc173..fc9e40ca0 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -128,7 +128,7 @@ void fs_private_etc_list(void) { | |||
128 | exit(1); | 128 | exit(1); |
129 | } | 129 | } |
130 | 130 | ||
131 | // create /tmp/firejail/mnt/etc directory | 131 | // create /run/firejail/mnt/etc directory |
132 | fs_build_mnt_dir(); | 132 | fs_build_mnt_dir(); |
133 | if (mkdir(RUN_ETC_DIR, 0755) == -1) | 133 | if (mkdir(RUN_ETC_DIR, 0755) == -1) |
134 | errExit("mkdir"); | 134 | errExit("mkdir"); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 63d5a1c5e..bd3c404e9 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -591,7 +591,7 @@ void fs_private_home_list(void) { | |||
591 | exit(1); | 591 | exit(1); |
592 | } | 592 | } |
593 | 593 | ||
594 | // create /tmp/firejail/mnt/home directory | 594 | // create /run/firejail/mnt/home directory |
595 | fs_build_mnt_dir(); | 595 | fs_build_mnt_dir(); |
596 | int rv = mkdir(RUN_HOME_DIR, 0755); | 596 | int rv = mkdir(RUN_HOME_DIR, 0755); |
597 | if (rv == -1) | 597 | if (rv == -1) |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 78fc8a647..37e899f12 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -44,7 +44,7 @@ void fs_trace_preload(void) { | |||
44 | } | 44 | } |
45 | 45 | ||
46 | void fs_trace(void) { | 46 | void fs_trace(void) { |
47 | // create /tmp/firejail/mnt directory | 47 | // create /run/firejail/mnt directory |
48 | fs_build_mnt_dir(); | 48 | fs_build_mnt_dir(); |
49 | 49 | ||
50 | // create the new ld.so.preload file and mount-bind it | 50 | // create the new ld.so.preload file and mount-bind it |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index a578d04e6..4468efb10 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -317,7 +317,7 @@ void fs_var_utmp(void) { | |||
317 | return; | 317 | return; |
318 | } | 318 | } |
319 | 319 | ||
320 | // create /tmp/firejail/mnt directory | 320 | // create /run/firejail/mnt directory |
321 | fs_build_mnt_dir(); | 321 | fs_build_mnt_dir(); |
322 | 322 | ||
323 | // create a new utmp file | 323 | // create a new utmp file |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ad7fea227..849861805 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -550,29 +550,6 @@ void fs_whitelist(void) { | |||
550 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 550 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
551 | errExit("mounting tmpfs on /tmp"); | 551 | errExit("mounting tmpfs on /tmp"); |
552 | fs_logger("tmpfs /tmp"); | 552 | fs_logger("tmpfs /tmp"); |
553 | |||
554 | // mount appimage directory if necessary | ||
555 | if (arg_appimage) { | ||
556 | const char *dir = appimage_getdir(); | ||
557 | assert(dir); | ||
558 | char *wdir; | ||
559 | if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) | ||
560 | errExit("asprintf"); | ||
561 | |||
562 | // create directory | ||
563 | if (mkdir(dir, 0755) < 0) | ||
564 | errExit("mkdir"); | ||
565 | if (chown(dir, getuid(), getgid()) < 0) | ||
566 | errExit("chown"); | ||
567 | if (chmod(dir, 0755) < 0) | ||
568 | errExit("chmod"); | ||
569 | |||
570 | // mount | ||
571 | if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
572 | errExit("mount bind"); | ||
573 | fs_logger2("whitelist", dir); | ||
574 | free(wdir); | ||
575 | } | ||
576 | } | 553 | } |
577 | 554 | ||
578 | // /media mountpoint | 555 | // /media mountpoint |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 6d4eb21df..987a79d1c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2555,16 +2555,31 @@ int main(int argc, char **argv) { | |||
2555 | ptr += strlen(ptr); | 2555 | ptr += strlen(ptr); |
2556 | 2556 | ||
2557 | // add tty group | 2557 | // add tty group |
2558 | gid_t ttygid = get_tty_gid(); | 2558 | gid_t g = get_group_id("tty"); |
2559 | if (ttygid) { | 2559 | if (g) { |
2560 | sprintf(ptr, "%d %d 1\n", ttygid, ttygid); | 2560 | sprintf(ptr, "%d %d 1\n", g, g); |
2561 | ptr += strlen(ptr); | 2561 | ptr += strlen(ptr); |
2562 | } | 2562 | } |
2563 | 2563 | ||
2564 | // add audio group | 2564 | // add audio group |
2565 | gid_t audiogid = get_audio_gid(); | 2565 | g = get_group_id("audio"); |
2566 | if (ttygid) { | 2566 | if (g) { |
2567 | sprintf(ptr, "%d %d 1\n", audiogid, audiogid); | 2567 | sprintf(ptr, "%d %d 1\n", g, g); |
2568 | ptr += strlen(ptr); | ||
2569 | } | ||
2570 | |||
2571 | // add video group | ||
2572 | g = get_group_id("video"); | ||
2573 | if (g) { | ||
2574 | sprintf(ptr, "%d %d 1\n", g, g); | ||
2575 | ptr += strlen(ptr); | ||
2576 | } | ||
2577 | |||
2578 | // add games group | ||
2579 | g = get_group_id("games"); | ||
2580 | if (g) { | ||
2581 | sprintf(ptr, "%d %d 1\n", g, g); | ||
2582 | ptr += strlen(ptr); | ||
2568 | } | 2583 | } |
2569 | 2584 | ||
2570 | EUID_ROOT(); | 2585 | EUID_ROOT(); |
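Review bot: The group entries are appended to `ptr` with unbounded `sprintf`, and this commit adds two more (video, games) to a buffer whose declaration is outside the hunk, so its size should be re-checked or the writes bounded with `snprintf` against the remaining space. `gid_t` is unsigned, so `%d` should be `%u` with an `(unsigned)` cast. The four blocks differ only in the group name and could be one loop over a name table, as sketched below. main() continues on both sides of the hunk, so whether `g` is used later cannot be seen from here.

```c
	// add tty, audio, video and games groups
	static const char *const map_groups[] = { "tty", "audio", "video", "games" };
	size_t gi;
	for (gi = 0; gi < sizeof(map_groups) / sizeof(map_groups[0]); gi++) {
		gid_t g = get_group_id(map_groups[gi]);
		if (g) {
			// NOTE(review): bound this write once the buffer size is known here
			sprintf(ptr, "%u %u 1\n", (unsigned) g, (unsigned) g);
			ptr += strlen(ptr);
		}
	}
	// … unchanged: EUID_ROOT() and the code that follows …
```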
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index 24ce27c2e..979bb1eed 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <fnmatch.h> | ||
21 | 22 | ||
22 | #define MAX_READ 4096 // maximum line length | 23 | #define MAX_READ 4096 // maximum line length |
23 | char *restricted_user = NULL; | 24 | char *restricted_user = NULL; |
@@ -49,7 +50,11 @@ int restricted_shell(const char *user) { | |||
49 | if (*ptr == '\n' || *ptr == '#') | 50 | if (*ptr == '\n' || *ptr == '#') |
50 | continue; | 51 | continue; |
51 | 52 | ||
52 | // parse line | 53 | // |
54 | // parse line | ||
55 | // | ||
56 | |||
57 | // extract users | ||
53 | char *usr = ptr; | 58 | char *usr = ptr; |
54 | char *args = strchr(usr, ':'); | 59 | char *args = strchr(usr, ':'); |
55 | if (args == NULL) { | 60 | if (args == NULL) { |
@@ -63,7 +68,7 @@ int restricted_shell(const char *user) { | |||
63 | if (ptr) | 68 | if (ptr) |
64 | *ptr = '\0'; | 69 | *ptr = '\0'; |
65 | 70 | ||
66 | // if nothing follows, continue | 71 | // extract firejail command line arguments |
67 | char *ptr2 = args; | 72 | char *ptr2 = args; |
68 | int found = 0; | 73 | int found = 0; |
69 | while (*ptr2 != '\0') { | 74 | while (*ptr2 != '\0') { |
@@ -73,12 +78,13 @@ int restricted_shell(const char *user) { | |||
73 | } | 78 | } |
74 | ptr2++; | 79 | ptr2++; |
75 | } | 80 | } |
81 | // if nothing follows, continue | ||
76 | if (!found) | 82 | if (!found) |
77 | continue; | 83 | continue; |
78 | 84 | ||
79 | // process user | 85 | // user name globbing |
80 | if (strcmp(user, usr) == 0) { | 86 | if (fnmatch(usr, user, 0) == 0) { |
81 | // extract program arguments | 87 | // process program arguments |
82 | 88 | ||
83 | fullargv[0] = "firejail"; | 89 | fullargv[0] = "firejail"; |
84 | int i; | 90 | int i; |
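Review bot: Switching the comparison to `fnmatch(usr, user, 0)` turns every user field in the restricted-shell configuration file into a glob pattern. Existing entries containing `*`, `?`, `[` or `\` therefore change meaning, and a pattern of `*` applies to every account. The comment above the call should state this, e.g. `// usr is an fnmatch(3) pattern taken from the config line; user is the login name being checked`. Any non-zero return, including an fnmatch() error, is treated as no match, which is the safe direction. restricted_shell() starts and ends outside these hunks.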
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index c2da1168a..549359d94 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -708,7 +708,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
708 | if (arg_debug) | 708 | if (arg_debug) |
709 | filter_debug(); | 709 | filter_debug(); |
710 | 710 | ||
711 | // save seccomp filter in /tmp/firejail/mnt/seccomp | 711 | // save seccomp filter in /run/firejail/mnt/seccomp |
712 | // in order to use it in --join operations | 712 | // in order to use it in --join operations |
713 | write_seccomp_file(); | 713 | write_seccomp_file(); |
714 | 714 | ||
@@ -754,7 +754,7 @@ int seccomp_filter_keep(void) { | |||
754 | if (arg_debug) | 754 | if (arg_debug) |
755 | filter_debug(); | 755 | filter_debug(); |
756 | 756 | ||
757 | // save seccomp filter in /tmp/firejail/mnt/seccomp | 757 | // save seccomp filter in /run/firejail/mnt/seccomp |
758 | // in order to use it in --join operations | 758 | // in order to use it in --join operations |
759 | write_seccomp_file(); | 759 | write_seccomp_file(); |
760 | 760 | ||
@@ -796,7 +796,7 @@ int seccomp_filter_errno(void) { | |||
796 | if (arg_debug) | 796 | if (arg_debug) |
797 | filter_debug(); | 797 | filter_debug(); |
798 | 798 | ||
799 | // save seccomp filter in /tmp/firejail/mnt/seccomp | 799 | // save seccomp filter in /run/firejail/mnt/seccomp |
800 | // in order to use it in --join operations | 800 | // in order to use it in --join operations |
801 | write_seccomp_file(); | 801 | write_seccomp_file(); |
802 | 802 | ||
@@ -819,7 +819,7 @@ int seccomp_filter_errno(void) { | |||
819 | 819 | ||
820 | 820 | ||
821 | void seccomp_set(void) { | 821 | void seccomp_set(void) { |
822 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 822 | // read seccomp filter from /runp/firejail/mnt/seccomp |
823 | read_seccomp_file(RUN_SECCOMP_CFG); | 823 | read_seccomp_file(RUN_SECCOMP_CFG); |
824 | 824 | ||
825 | // apply filter | 825 | // apply filter |
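Review bot: The updated comment in seccomp_set reads `/runp/firejail/mnt/seccomp`, a typo for `/run`. It should be `// read seccomp filter from /run/firejail/mnt/seccomp`, matching the other three comments changed in this file. Naming `RUN_SECCOMP_CFG` in the comment instead of spelling out the path would keep it from going stale on the next directory move.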
diff --git a/src/firejail/util.c b/src/firejail/util.c index 7aa0ae0e8..f38b02fd0 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -649,25 +649,14 @@ void invalid_filename(const char *fname) { | |||
649 | } | 649 | } |
650 | 650 | ||
651 | 651 | ||
652 | uid_t get_tty_gid(void) { | 652 | uid_t get_group_id(const char *group) { |
653 | // find tty group id | 653 | // find tty group id |
654 | gid_t ttygid = 0; | 654 | gid_t gid = 0; |
655 | struct group *g = getgrnam("tty"); | 655 | struct group *g = getgrnam(group); |
656 | if (g) | 656 | if (g) |
657 | ttygid = g->gr_gid; | 657 | gid = g->gr_gid; |
658 | 658 | ||
659 | return ttygid; | 659 | return gid; |
660 | } | ||
661 | |||
662 | |||
663 | uid_t get_audio_gid(void) { | ||
664 | // find tty group id | ||
665 | gid_t audiogid = 0; | ||
666 | struct group *g = getgrnam("audio"); | ||
667 | if (g) | ||
668 | audiogid = g->gr_gid; | ||
669 | |||
670 | return audiogid; | ||
671 | } | 660 | } |
672 | 661 | ||
673 | 662 | ||
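Review bot: The comment `// find tty group id` inside get_group_id is stale now that the group name is a parameter; `// look up the gid of the named group; 0 means the group was not found` describes the new behaviour. Because 0 is also the root group's gid, callers have to treat it as "missing" rather than pass it on. main.c tests the result, while the fs_dev.c call changed in this commit formats it straight into the devpts `gid=` option.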