2 files changed, 30 insertions, 2 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 644255de5..a5edec714 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -710,10 +710,18 @@ static void disable_firejail_config(void) {
                if (stat(fname, &s) == 0)
                        disable_file(BLACKLIST_FILE, fname);
        }
-        
        
        free(fname);
+        
+        // disable run time information
+        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
 }
diff --git a/todo b/todo
index b631e6a06..d47a47fd0 100644
--- a/todo
+++ b/todo
@@ -55,3 +55,23 @@ Warning: seccomp file not found
 Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
 $ ls ~ <----------------- all files are available, the directory is not empty!
+10. Posibly capabilities broken for --join
+$ firejail --name=test
+...
+$ firejail --debug --join=test
+Switching to pid 18591, the first child process inside the sandbox
+User namespace detected: /proc/18591/uid_map, 1000, 1000
+Set caps filter 0
+Set protocol filter: unix,inet,inet6
+Read seccomp filter, size 792 bytes
+However, in the join sandbox we have:
+$ cat /proc/self/status | grep Cap
+CapInh: 0000000000000000
+CapPrm: 0000000000000000
+CapEff: 0000000000000000
+CapBnd: 0000003fffffffff
+CapAmb: 0000000000000000
+11. net_netfilter.exp broken

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 644255de5..a5edec714 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -710,10 +710,18 @@ static void disable_firejail_config(void) {
710	if (stat(fname, &s) == 0)	710	if (stat(fname, &s) == 0)
711	disable_file(BLACKLIST_FILE, fname);	711	disable_file(BLACKLIST_FILE, fname);
712	}	712	}
713
714
715		713
716	free(fname);	714	free(fname);
		715
		716	// disable run time information
		717	if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
		718	disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
		719	if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
		720	disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
		721	if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
		722	disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
		723	if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
		724	disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
717	}	725	}
718		726
719		727


diff --git a/todo b/todo index b631e6a06..d47a47fd0 100644 --- a/todo +++ b/todo
@@ -55,3 +55,23 @@ Warning: seccomp file not found
55	Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.	55	Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
56	$ ls ~ <----------------- all files are available, the directory is not empty!	56	$ ls ~ <----------------- all files are available, the directory is not empty!
57		57
		58	10. Posibly capabilities broken for --join
		59
		60	$ firejail --name=test
		61	...
		62	$ firejail --debug --join=test
		63	Switching to pid 18591, the first child process inside the sandbox
		64	User namespace detected: /proc/18591/uid_map, 1000, 1000
		65	Set caps filter 0
		66	Set protocol filter: unix,inet,inet6
		67	Read seccomp filter, size 792 bytes
		68
		69	However, in the join sandbox we have:
		70	$ cat /proc/self/status \| grep Cap
		71	CapInh: 0000000000000000
		72	CapPrm: 0000000000000000
		73	CapEff: 0000000000000000
		74	CapBnd: 0000003fffffffff
		75	CapAmb: 0000000000000000
		76
		77	11. net_netfilter.exp broken