39 files changed, 72 insertions, 18 deletions
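--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+*.o
+*.so
+*~
+Makefile
+config.log
+config.status
+firejail-login.5
+firejail-profile.5
+firejail.1
+firemon.1
+src/firejail/firejail
+src/firemon/firemon
+src/ftee/ftee
+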
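--- a/Makefile.in
+++ b/Makefile.in
@@ -86,6 +86,7 @@ install: all
 install -c -m 0644 etc/disable-mgmt.inc $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/disable-secret.inc $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/disable-common.inc $(DESTDIR)/etc/firejail/.
+install -c -m 0644 etc/disable-history.inc $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/dropbox.profile $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/opera.profile $(DESTDIR)/etc/firejail/.
 install -c -m 0644 etc/thunderbird.profile $(DESTDIR)/etc/firejail/.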
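Review bot: `etc/disable-history.inc` is installed by the added line, but the file itself is not among the 39 files changed on this page, so it has to be in the tree already for `make install` to succeed. The same applies to the `cp etc/disable-history.inc` line in the packaging script and to the `include /etc/firejail/disable-history.inc` line added to every profile. If the file came in with an earlier commit nothing is needed; otherwise it belongs in this change. How a profile behaves when an include cannot be opened is not visible here and is worth confirming, since these includes are what block access to the history files.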
@@ -24,5 +24,9 @@ Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> | |||
24 | - src/lib/libnetlink.c extracted from iproute2 software package | 24 | - src/lib/libnetlink.c extracted from iproute2 software package |
25 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) | 25 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) |
26 | - ARM support (ticket 17) | 26 | - ARM support (ticket 17) |
27 | dewbasaur (https://github.com/dewbasaur) | ||
28 | - block access to history files (issue 16) | ||
29 | Peter Millerchip (https://github.com/pmillerchip) | ||
30 | - memory allocation fix (issue 13) | ||
27 | 31 | ||
28 | Copyright (C) 2014, 2015 Firejail Authors | 32 | Copyright (C) 2014, 2015 Firejail Authors |
@@ -1,3 +1,11 @@ | |||
1 | firejail (0.9.29) baseline; urgency=low | ||
2 | * added a disable-history.inc profile as a result of Firefox PDF.js exploit; | ||
3 | disable-history.inc included in all default profiles | ||
4 | * added --private-etc option | ||
5 | * support ${HOME} token in include directive in profile files | ||
6 | * bugfixes | ||
7 | -- netblue30 <netblue30@yahoo.com> Sat, 12 Aug 2015 20:25:00 -0500 | ||
8 | |||
1 | firejail (0.9.28) baseline; urgency=low | 9 | firejail (0.9.28) baseline; urgency=low |
2 | * network scanning, --scan option | 10 | * network scanning, --scan option |
3 | * interface MAC address support, --mac option | 11 | * interface MAC address support, --mac option |
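--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot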
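--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc chromium
+include /etc/firejail/disable-history.inc
 netfilter
 
 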
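--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot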
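--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot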
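--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter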
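--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps
 seccomp
 noroot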
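--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -2,5 +2,6 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp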
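--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter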
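--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc .filezilla
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot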
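--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc .mozilla
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter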
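--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot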
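--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc midori
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter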
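--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc opera
+include /etc/firejail/disable-history.inc
 netfilter
 noroot
 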
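--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot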
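--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter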
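--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot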
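--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot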
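--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc thunderbird icedove
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter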
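--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot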
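--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter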
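--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 netfilter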
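--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot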
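--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
 noroot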
@@ -77,6 +77,7 @@ cp etc/pidgin.profile debian/etc/firejail/. | |||
77 | cp etc/filezilla.profile debian/etc/firejail/. | 77 | cp etc/filezilla.profile debian/etc/firejail/. |
78 | cp etc/empathy.profile debian/etc/firejail/. | 78 | cp etc/empathy.profile debian/etc/firejail/. |
79 | cp etc/disable-common.inc debian/etc/firejail/. | 79 | cp etc/disable-common.inc debian/etc/firejail/. |
80 | cp etc/disable-history.inc debian/etc/firejail/. | ||
80 | cp etc/deadbeef.profile debian/etc/firejail/. | 81 | cp etc/deadbeef.profile debian/etc/firejail/. |
81 | cp etc/icecat.profile debian/etc/firejail/. | 82 | cp etc/icecat.profile debian/etc/firejail/. |
82 | cp platform/debian/conffiles $DEBIAN_CTRL_DIR/. | 83 | cp platform/debian/conffiles $DEBIAN_CTRL_DIR/. |
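--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -29,5 +29,6 @@
 /etc/firejail/filezilla.profile
 /etc/firejail/empathy.profile
 /etc/firejail/disable-common.inc
+/etc/firejail/disable-history.inc
 /etc/firejail/deadbeef.profile
 /etc/firejail/icecat.profile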
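--- a/src/firejail/arg-checking.txt
+++ b/src/firejail/arg-checking.txt
@@ -59,7 +59,7 @@ arg checking:
 - check same owner
 - unit test
 
-9. --private.keep=filelist
+9. --private-home=filelist
 - supported in profiles
 - checking no ".."
 - checking file found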
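--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -282,9 +282,9 @@ void fs_private_dev(void);
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private mode (--private.keep=list)
+// private mode (--private-home=list)
 void fs_private_home_list(void);
-// check directory linst specified by user (--private.keep option) - exit if it fails
+// check directory list specified by user (--private-home option) - exit if it fails
 void fs_check_home_list(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
@@ -357,4 +357,4 @@ void network_shm_set_file(pid_t pid);
 void fs_check_etc_list(void);
 void fs_private_etc_list(void);
 
-#endif
\ No newline at end of file
+#endif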
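--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -302,10 +302,10 @@ static void check_dir_or_file(const char *name) {
 exit(1);
 }
 
-// check directory linst specified by user (--private.keep option) - exit if it fails
+// check directory list specified by user (--private-home option) - exit if it fails
 void fs_check_home_list(void) {
 if (strstr(cfg.home_private_keep, "..")) {
-fprintf(stderr, "Error: invalid private.keep list\n");
+fprintf(stderr, "Error: invalid private-home list\n");
 exit(1);
 }
 
@@ -385,7 +385,7 @@ static void duplicate(char *fname) {
 }
 
 
-// private mode (--private.keep=list):
+// private mode (--private-home=list):
 // mount homedir on top of /home/user,
 // tmpfs on top of /root in nonroot mode,
 // tmpfs on top of /tmp in root mode,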
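--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -677,7 +677,7 @@ int main(int argc, char **argv) {
 arg_private = 1;
 else if (strncmp(argv[i], "--private=", 10) == 0) {
 if (cfg.home_private_keep) {
-fprintf(stderr, "Error: a private list of files was already defined with --private.keep option.\n");
+fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
 exit(1);
 }
 
@@ -686,7 +686,8 @@ int main(int argc, char **argv) {
 fs_check_private_dir();
 arg_private = 1;
 }
-else if (strncmp(argv[i], "--private.keep=", 15) == 0) {
+else if ((strncmp(argv[i], "--private.keep=", 15) == 0)
+|| (strncmp(argv[i], "--private-home=", 15) == 0)) {
 if (cfg.home_private) {
 fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
 exit(1);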
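Review bot: The combined test in the second hunk matches `--private.keep=` and `--private-home=` with the same literal length 15, which is correct only because the two prefixes happen to be equally long; whatever offset the body uses to pick up the list (outside the hunk) depends on that without saying so. A comment such as `// --private.keep= is the old spelling of --private-home=, kept for compatibility; both prefixes are 15 chars` would keep a later rename from breaking the parsing. Because usage() and the man pages in this commit document only the new name, consider also printing a deprecation warning when the old spelling is used. main() starts and ends outside both hunks.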
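--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -67,9 +67,9 @@ void netfilter(const char *fname) {
 }
 
 filter = malloc(s.st_size + 1); // + '\0'
-memset(filter, 0, s.st_size + 1);
 if (!filter)
 errExit("malloc");
+memset(filter, 0, s.st_size + 1);
 
 /* coverity[toctou] */
 FILE *fp = fopen(fname, "r");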
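Review bot: With the memset now after the NULL check, the allocation and zeroing in netfilter() could be a single `filter = calloc(1, s.st_size + 1);`, which removes the ordering this hunk had to repair. The `/* coverity[toctou] */` marker just below records that the size is taken before the file is opened by name, so the file can be longer at fopen() time than `s.st_size`. The read that follows is outside the hunk; it should be capped at `s.st_size` bytes so the reserved `'\0'` slot is never overwritten. netfilter() starts and ends outside the hunk.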
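--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -228,7 +228,8 @@ int profile_check_line(char *ptr, int lineno) {
 }
 
 // private home list of files and directories
-if (strncmp(ptr, "private.keep ", 13) == 0) {
+if ((strncmp(ptr, "private.keep ", 13) == 0)
+|| (strncmp(ptr, "private-home ", 13) == 0)) {
 cfg.home_private_keep = ptr + 13;
 fs_check_home_list();
 arg_private = 1;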
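Review bot: This branch sets `cfg.home_private_keep` without the mutual-exclusion test that main.c applies to the command-line form, where `--private-home=` is rejected when `cfg.home_private` is already set. sandbox() tests `cfg.home_private` first, so as far as the visible lines show, a profile reaching this branch after a private directory was configured would have its file list ignored without any message. Adding `if (cfg.home_private) { fprintf(stderr, "Error: a private home directory was already defined with --private option.\n"); exit(1); }` before the assignment would match main.c. The shared `ptr + 13` also relies on both keywords being the same length. profile_check_line() starts and ends outside the hunk, so a check elsewhere in it cannot be ruled out.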
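--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -237,7 +237,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_private) {
 if (cfg.home_private) // --private=
 fs_private_homedir();
-else if (cfg.home_private_keep) // --private.keep=
+else if (cfg.home_private_keep) // --private-home=
 fs_private_home_list();
 else // --private
 fs_private();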
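--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -148,7 +148,7 @@ void usage(void) {
 printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");
 printf("\t\tclosed.\n\n");
 printf("\t--private=directory - use directory as user home.\n\n");
-printf("\t--private.keep=file,directory - build a new user home in a temporary\n");
+printf("\t--private-home=file,directory - build a new user home in a temporary\n");
 printf("\t\tfilesystem, and copy the files and directories in the list in\n");
 printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
 printf("\t\tis closed.\n\n");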
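--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -16,9 +16,9 @@ Include and comment support:
 
 .TP
 \f\include other.profile exclude-token
-Include other.profile file. exclued-token disables blacklist commands in other.profile
+Include other.profile file. exclude-token disables blacklist commands in other.profile
 if exclude-token word is found in the name section of blacklist command.
-exclude-tyoken is optional.
+exclude-token is optional.
 
 Example: "include /etc/firejail/disable-common.inc .filezilla"
 loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
@@ -73,7 +73,7 @@ closed.
 \f\private directory
 Use directory as user home.
 .TP
-\f\private.keep file,directory
+\f\private-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is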
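--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -639,7 +639,7 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 
 .TP
-\fB\-\-private.keep=file,directory
+\fB\-\-private-home=file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
@@ -649,7 +649,7 @@ closed.
 .br
 Example:
 .br
-$ firejail \-\-private.keep=.mozilla firefox
+$ firejail \-\-private-home=.mozilla firefox
 .TP
 \fB\-\-private-dev
 Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.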