-rw-r--r-- | etc/asunder.profile | 3 | ||||
-rw-r--r-- | etc/atool.profile | 1 | ||||
-rw-r--r-- | etc/brasero.profile | 1 | ||||
-rw-r--r-- | etc/frozen-bubble.profile | 2 | ||||
-rw-r--r-- | etc/gnome-twitch.profile | 1 | ||||
-rw-r--r-- | etc/open-invaders.profile | 1 | ||||
-rw-r--r-- | etc/pingus.profile | 1 | ||||
-rw-r--r-- | etc/simutrans.profile | 1 | ||||
-rw-r--r-- | etc/spotify.profile | 2 | ||||
-rw-r--r-- | etc/supertux2.profile | 2 | ||||
-rw-r--r-- | etc/terasology.profile | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 18 | ||||
-rw-r--r-- | src/firejail/preproc.c | 51 | ||||
-rw-r--r-- | src/firejail/run_files.c | 2 |
14 files changed, 56 insertions, 32 deletions
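--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -10,8 +10,6 @@ noblacklist ${HOME}/.asunder_album_genre
 noblacklist ${HOME}/.asunder_album_title
 noblacklist ${HOME}/.asunder_album_artist
 
-
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -29,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-
 #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp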
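--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+net none
 no3d
 nodvd
 nogroups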
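--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot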
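--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.frozen-bubble
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin frozen-bubble
 private-dev
 # private-etc none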
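--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-dev
 private-tmp
 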
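--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.openinvaders
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 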
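--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.pingus
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 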
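--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.simutrans
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 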
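--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
 private-opt spotify
 private-tmp
 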
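--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ blacklist /run/user/*/bus
 noblacklist ${HOME}/.local/share/supertux2
 
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -29,6 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin supertux2
 private-dev
 # private-etc none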
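--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -1,7 +1,7 @@
 # Firejail profile for terasology
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/default.local
+include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 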
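--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -835,12 +835,24 @@ int main(int argc, char **argv) {
 // get starting timestamp
 start_timestamp = getticks();
 
+if (check_arg(argc, argv, "--quiet", 1))
+arg_quiet = 1;
+
 // build /run/firejail directory structure
 preproc_build_firejail_dir();
-preproc_clean_run();
+char *container_name = getenv("container");
+if (!container_name || strcmp(container_name, "firejail")) {
+lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+if (lockfd_directory != -1) {
+int rv = fchown(lockfd_directory, 0, 0);
+(void) rv;
+flock(lockfd_directory, LOCK_EX);
+}
+preproc_clean_run();
+flock(lockfd_directory, LOCK_UN);
+close(lockfd_directory);
+}
 
-if (check_arg(argc, argv, "--quiet", 1))
-arg_quiet = 1;
 if (check_arg(argc, argv, "--allow-debuggers", 1)) {
 // check kernel version
 struct utsname u;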
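Review bot: When `open(RUN_DIRECTORY_LOCK_FILE, ...)` fails, `preproc_clean_run()` still runs, now without the lock, and the trailing `flock(lockfd_directory, LOCK_UN)` and `close(lockfd_directory)` are then issued on -1; the result of `flock(lockfd_directory, LOCK_EX)` is ignored as well, so a failed or interrupted lock has the same silent outcome. I would report both cases and guard the release, e.g. `if (lockfd_directory == -1 || flock(lockfd_directory, LOCK_EX) == -1) fwarning("cannot lock run directory\n");` before the cleanup and `if (lockfd_directory != -1) { flock(lockfd_directory, LOCK_UN); close(lockfd_directory); }` after it. Adding `O_CLOEXEC` to the open flags would keep the descriptor from leaking into anything executed later if a future change holds the lock longer. The `container` value is read from the caller's environment, so any caller can skip this cleanup by setting it; that looks harmless here but deserves a one-line comment. main() begins and continues outside this hunk.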
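--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -107,6 +107,31 @@ void preproc_mount_mnt_dir(void) {
 }
 }
 
+static void clean_dir(const char *name, int *pidarr, int start_pid, int max_pids) {
+DIR *dir;
+if (!(dir = opendir(name))) {
+fwarning("cannot clean %s directory\n", name);
+return; // we live to fight another day!
+}
+
+// clean leftover files
+struct dirent *entry;
+char *end;
+while ((entry = readdir(dir)) != NULL) {
+pid_t pid = strtol(entry->d_name, &end, 10);
+pid %= max_pids;
+if (end == entry->d_name || *end)
+continue;
+
+if (pid < start_pid)
+continue;
+if (pidarr[pid] == 0)
+delete_run_files(pid);
+}
+closedir(dir);
+}
+
+
 // clean run directory
 void preproc_clean_run(void) {
 int max_pids=32769;
@@ -153,29 +178,9 @@ void preproc_clean_run(void) {
 }
 closedir(dir);
 
-// open /run/firejail/profile directory
-if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-// sleep 2 seconds and try again
-sleep(2);
-if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR);
-exit(1);
-}
-}
-
-// read /run/firejail/profile directory and clean leftover files
-while ((entry = readdir(dir)) != NULL) {
-pid_t pid = strtol(entry->d_name, &end, 10);
-pid %= max_pids;
-if (end == entry->d_name || *end)
-continue;
-
-if (pid < start_pid)
-continue;
-if (pidarr[pid] == 0)
-delete_run_files(pid);
-}
-closedir(dir);
+// clean profile and name directories
+clean_dir(RUN_FIREJAIL_PROFILE_DIR, pidarr, start_pid, max_pids);
+clean_dir(RUN_FIREJAIL_NAME_DIR, pidarr, start_pid, max_pids);
 
 free(pidarr);
 }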
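Review bot: In the new `clean_dir`, `pid %= max_pids` is applied to the raw `strtol` result before the entry name is validated and `ERANGE` is never checked, so an entry whose numeric name is at or above `max_pids` is folded onto a different pid and `delete_run_files()` is called for that pid instead of for the entry that was read. The only protection against a negative index into `pidarr` is `pid < start_pid`, which holds only as long as `start_pid` (set outside the hunk) is never negative. I would parse into a `long val`, drop the modulo and reject out-of-range names outright: `if (end == entry->d_name || *end || val < start_pid || val >= max_pids) continue;`. The helper also needs a short header comment stating that `pidarr` must hold `max_pids` entries and that a zero slot means "no live sandbox for this pid". The loop was carried over as-is from `preproc_clean_run`, whose middle part lies outside the hunks shown.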
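--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -70,8 +70,8 @@ void delete_run_files(pid_t pid) {
 delete_bandwidth_run_file(pid);
 delete_network_run_file(pid);
 delete_name_run_file(pid);
-delete_profile_run_file(pid);
 delete_x11_run_file(pid);
+delete_profile_run_file(pid);
 }
 
 void set_name_run_file(pid_t pid) {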
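Review bot: The reorder in `delete_run_files` moves `delete_profile_run_file(pid)` to the end without a comment saying that the order now matters. If the intent is that the profile entry is removed last so that an interrupted cleanup is still found by the next directory scan (my reading; the page does not state it), a line such as `// keep last: the profile entry is what the run-directory scan keys on` above the call would stop a later edit from reshuffling it. The start of the function lies outside the hunk.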