16 files changed, 53 insertions, 70 deletions
diff --git a/README b/README
index 3f8eb6136..04d2c7001 100644
--- a/README
+++ b/README
@@ -310,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
        - fix qt5ct colour schemes and QSS
 Disconnect3d (https://github.com/disconnect3d)
        - code cleanup
+dm9pZCAq (https://github.com/dm9pZCAq)
+        - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
        - add sandbox name or name of private directory to the window title when xpra is used
        - handle malloc() failures; use gnu_basename() instead of basenaem()
diff --git a/README.md b/README.md
index 40c6e9d98..cf9d9563e 100644
--- a/README.md
+++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
 <table><tr>
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U
+<a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank">
-" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"
+<img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg"
-alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a>
 </td>
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
+<a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank">
-" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
+<img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc"
-alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+alt="Technology" width="240" height="142" border="10" /><br/>Technology</a>
 </td>
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
+<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
-" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
+<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
-alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
 </td>
-</tr><tr>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
-" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
-alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
-" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
-alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
-" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
-alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
-</td>
 </tr></table>
 Project webpage: https://firejail.wordpress.com/
@@ -239,30 +219,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-    profiles                    1150
+    profiles                    1167
-    include local profile       1150   (include profile-name.local)
+    include local profile       1167   (include profile-name.local)
-    include globals             1120   (include globals.local)
+    include globals             1136   (include globals.local)
-    blacklist ~/.ssh            1026   (include disable-common.inc)
+    blacklist ~/.ssh            1042   (include disable-common.inc)
-    seccomp                     1050
+    seccomp                     1062
-    capabilities                1146
+    capabilities                1163
-    noexec                      1030   (include disable-exec.inc)
+    noexec                      1049   (include disable-exec.inc)
-    noroot                      959
+    noroot                      971
-    memory-deny-write-execute   253
+    memory-deny-write-execute   256
-    apparmor                    681
+    apparmor                    693
-    private-bin                 667
+    private-bin                 677
-    private-dev                 1009
+    private-dev                 1027
-    private-etc                 523
+    private-etc                 532
-    private-tmp                 883
+    private-tmp                 897
-    whitelist home directory    547
+    whitelist home directory    557
-    whitelist var               818   (include whitelist-var-common.inc)
+    whitelist var               836   (include whitelist-var-common.inc)
-    whitelist run/user          616   (include whitelist-runuser-common.inc
+    whitelist run/user          1137   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         591   (include whitelist-usr-share-common.inc
+    whitelist usr/share         609   (include whitelist-usr-share-common.inc
-    net none                    391
+    net none                    396
-    dbus-user none              641
+    dbus-user none              656
-    dbus-user filter            105
+    dbus-user filter            108
-    dbus-system none            792
+    dbus-system none            808
-    dbus-system filter          7
+    dbus-system filter          10
 ```
 ### New profiles:
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 37ec22117..9425638ea 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
        if (arg_debug)
                printf("Updating chroot /%s\n", relpath);
        unlinkat(parentfd, relpath, 0);
-        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (out == -1) {
                close(in);
                goto errout;
diff --git a/src/firejail/env.c b/src/firejail/env.c
index ad16de037..4c0d729a1 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 typedef struct env_t {
        struct env_t *next;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 730c37aed..bf51a4c93 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3144156a3..1a9a8df0d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -23,7 +23,6 @@
 #include <sys/stat.h>
 #include <sys/statvfs.h>
 #include <sys/wait.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index a43b18344..694d0a379 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 590337da1..8d8530d81 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 7d320e90b..8b7e94f51 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
                if (arg_debug)
                        printf("Creating a new /etc/hostname file\n");
-                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
                // bind-mount the file on top of /etc/hostname
                if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
                }
                fclose(fp1);
                // mode and owner
-                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
                fclose(fp2);
                // bind-mount the file on top of /etc/hostname
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 718786cdc..17a7b3d23 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -54,7 +53,7 @@ void fs_tracefile(void) {
        if (arg_debug)
                printf("Creating an empty trace log file: %s\n", arg_tracefile);
        EUID_USER();
-        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (fd == -1) {
                perror("open");
                fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -107,7 +106,7 @@ void fs_trace(void) {
                fmessage("Post-exec seccomp protector enabled\n");
        }
-        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        fclose(fp);
        // mount the new preload file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 20e262d80..e19d0df96 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
                /* coverity[toctou] */
                FILE *fp = fopen("/var/log/wtmp", "wxe");
                if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
                        fclose(fp);
                }
                fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
                // create an empty /var/log/btmp file
                fp = fopen("/var/log/btmp", "wxe");
                if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
                        fclose(fp);
                }
                fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
        // save new utmp file
        int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
        (void) rv;
-        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
        fclose(fp);
        // mount the new utmp file
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 70985ba9e..53e918dde 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                }
                // create destination file if necessary
                EUID_ASSERT();
-                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
                if (fd == -1) {
                        fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
                        exit(1);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 81d148257..cc5186204 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-//#include <limits.h>
+#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 6f17231a4..59077dada 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b776a0cc5..d66b6c573 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -204,7 +204,7 @@ static void save_umask(void) {
 }
 static char *create_join_file(void) {
-        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (fd == -1)
                errExit("open");
        if (ftruncate(fd, 1) == -1)

diff --git a/README b/README index 3f8eb6136..04d2c7001 100644 --- a/README +++ b/README
@@ -310,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
310	- fix qt5ct colour schemes and QSS	310	- fix qt5ct colour schemes and QSS
311	Disconnect3d (https://github.com/disconnect3d)	311	Disconnect3d (https://github.com/disconnect3d)
312	- code cleanup	312	- code cleanup
		313	dm9pZCAq (https://github.com/dm9pZCAq)
		314	- fix for compilation under musl
313	dmfreemon (https://github.com/dmfreemon)	315	dmfreemon (https://github.com/dmfreemon)
314	- add sandbox name or name of private directory to the window title when xpra is used	316	- add sandbox name or name of private directory to the window title when xpra is used
315	- handle malloc() failures; use gnu_basename() instead of basenaem()	317	- handle malloc() failures; use gnu_basename() instead of basenaem()


diff --git a/README.md b/README.md index 40c6e9d98..cf9d9563e 100644 --- a/README.md +++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
22	<table><tr>	22	<table><tr>
23		23
24	<td>	24	<td>
25	<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U	25	<a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank">
26	" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"	26	<img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg"
27	alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>	27	alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a>
28	</td>	28	</td>
29		29
30	<td>	30	<td>
31	<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU	31	<a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank">
32	" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"	32	<img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc"
33	alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>	33	alt="Technology" width="240" height="142" border="10" /><br/>Technology</a>
34	</td>	34	</td>
35		35
36	<td>	36	<td>
37	<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4	37	<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
38	" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"	38	<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
39	alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>	39	alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
40	</td>	40	</td>
41		41
42
43	</tr><tr>
44	<td>
45	<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
46	" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
47	alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
48
49	</td>
50	<td>
51	<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
52	" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
53	alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
54
55	</td>
56	<td>
57	<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
58	" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
59	alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
60
61	</td>
62	</tr></table>	42	</tr></table>
63		43
64	Project webpage: https://firejail.wordpress.com/	44	Project webpage: https://firejail.wordpress.com/
@@ -239,30 +219,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
239	$ sudo cp src/profstats/profstats /etc/firejail/.	219	$ sudo cp src/profstats/profstats /etc/firejail/.
240	$ cd /etc/firejail	220	$ cd /etc/firejail
241	$ ./profstats *.profile	221	$ ./profstats *.profile
242	profiles 1150	222	profiles 1167
243	include local profile 1150 (include profile-name.local)	223	include local profile 1167 (include profile-name.local)
244	include globals 1120 (include globals.local)	224	include globals 1136 (include globals.local)
245	blacklist ~/.ssh 1026 (include disable-common.inc)	225	blacklist ~/.ssh 1042 (include disable-common.inc)
246	seccomp 1050	226	seccomp 1062
247	capabilities 1146	227	capabilities 1163
248	noexec 1030 (include disable-exec.inc)	228	noexec 1049 (include disable-exec.inc)
249	noroot 959	229	noroot 971
250	memory-deny-write-execute 253	230	memory-deny-write-execute 256
251	apparmor 681	231	apparmor 693
252	private-bin 667	232	private-bin 677
253	private-dev 1009	233	private-dev 1027
254	private-etc 523	234	private-etc 532
255	private-tmp 883	235	private-tmp 897
256	whitelist home directory 547	236	whitelist home directory 557
257	whitelist var 818 (include whitelist-var-common.inc)	237	whitelist var 836 (include whitelist-var-common.inc)
258	whitelist run/user 616 (include whitelist-runuser-common.inc	238	whitelist run/user 1137 (include whitelist-runuser-common.inc
259	or blacklist ${RUNUSER})	239	or blacklist ${RUNUSER})
260	whitelist usr/share 591 (include whitelist-usr-share-common.inc	240	whitelist usr/share 609 (include whitelist-usr-share-common.inc
261	net none 391	241	net none 396
262	dbus-user none 641	242	dbus-user none 656
263	dbus-user filter 105	243	dbus-user filter 108
264	dbus-system none 792	244	dbus-system none 808
265	dbus-system filter 7	245	dbus-system filter 10
266	```	246	```
267		247
268	### New profiles:	248	### New profiles:


diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile index 76fd21d32..a256e942f 100644 --- a/etc/profile-a-l/Books.profile +++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
1	# Firejail profile for gnome-books	1	# Firejail profile for gnome-books
2	# This file is overwritten after every install/update	2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include Books.local
		5	# Persistent global definitions
		6	# added by included profile
		7	#include globals.local
3		8
4		9
5	# Temporary fix for https://github.com/netblue30/firejail/issues/2624	10	# Temporary fix for https://github.com/netblue30/firejail/issues/2624


diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 37ec22117..9425638ea 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
86	if (arg_debug)	86	if (arg_debug)
87	printf("Updating chroot /%s\n", relpath);	87	printf("Updating chroot /%s\n", relpath);
88	unlinkat(parentfd, relpath, 0);	88	unlinkat(parentfd, relpath, 0);
89	int out = openat(parentfd, relpath, O_WRONLY\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	89	int out = openat(parentfd, relpath, O_WRONLY\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
90	if (out == -1) {	90	if (out == -1) {
91	close(in);	91	close(in);
92	goto errout;	92	goto errout;


diff --git a/src/firejail/env.c b/src/firejail/env.c index ad16de037..4c0d729a1 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <unistd.h>	23	#include <unistd.h>
24	#include <dirent.h>	24	#include <dirent.h>
		25	#include <limits.h>
25		26
26	typedef struct env_t {	27	typedef struct env_t {
27	struct env_t *next;	28	struct env_t *next;


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 730c37aed..bf51a4c93 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
22	#include "../include/common.h"	22	#include "../include/common.h"
23	#include "../include/euid_common.h"	23	#include "../include/euid_common.h"
24	#include "../include/rundefs.h"	24	#include "../include/rundefs.h"
		25	#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
25	#include <stdarg.h>	26	#include <stdarg.h>
26	#include <sys/stat.h>	27	#include <sys/stat.h>
27		28


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3144156a3..1a9a8df0d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -23,7 +23,6 @@
23	#include <sys/stat.h>	23	#include <sys/stat.h>
24	#include <sys/statvfs.h>	24	#include <sys/statvfs.h>
25	#include <sys/wait.h>	25	#include <sys/wait.h>
26	#include <linux/limits.h>
27	#include <fnmatch.h>	26	#include <fnmatch.h>
28	#include <glob.h>	27	#include <glob.h>
29	#include <dirent.h>	28	#include <dirent.h>


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index a43b18344..694d0a379 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
20	#include "firejail.h"	20	#include "firejail.h"
21	#include <sys/mount.h>	21	#include <sys/mount.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <linux/limits.h>
24	#include <glob.h>	23	#include <glob.h>
25	#include <dirent.h>	24	#include <dirent.h>
26	#include <fcntl.h>	25	#include <fcntl.h>


diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 590337da1..8d8530d81 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
19	*/	19	*/
20	#include "firejail.h"	20	#include "firejail.h"
21	#include <sys/mount.h>	21	#include <sys/mount.h>
22	#include <linux/limits.h>
23	#include <dirent.h>	22	#include <dirent.h>
24	#include <errno.h>	23	#include <errno.h>
25	#include <sys/stat.h>	24	#include <sys/stat.h>


diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 7d320e90b..8b7e94f51 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
20	#include "firejail.h"	20	#include "firejail.h"
21	#include <sys/mount.h>	21	#include <sys/mount.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <linux/limits.h>
24	#include <glob.h>	23	#include <glob.h>
25	#include <dirent.h>	24	#include <dirent.h>
26	#include <fcntl.h>	25	#include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
33	if (arg_debug)	32	if (arg_debug)
34	printf("Creating a new /etc/hostname file\n");	33	printf("Creating a new /etc/hostname file\n");
35		34
36	create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	35	create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
37		36
38	// bind-mount the file on top of /etc/hostname	37	// bind-mount the file on top of /etc/hostname
39	if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND\|MS_REC, NULL) < 0)	38	if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND\|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
75	}	74	}
76	fclose(fp1);	75	fclose(fp1);
77	// mode and owner	76	// mode and owner
78	SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	77	SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
79	fclose(fp2);	78	fclose(fp2);
80		79
81	// bind-mount the file on top of /etc/hostname	80	// bind-mount the file on top of /etc/hostname


diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 718786cdc..17a7b3d23 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c
@@ -20,7 +20,6 @@
20	#include "firejail.h"	20	#include "firejail.h"
21	#include <sys/mount.h>	21	#include <sys/mount.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <linux/limits.h>
24	#include <glob.h>	23	#include <glob.h>
25	#include <dirent.h>	24	#include <dirent.h>
26	#include <fcntl.h>	25	#include <fcntl.h>
@@ -54,7 +53,7 @@ void fs_tracefile(void) {
54	if (arg_debug)	53	if (arg_debug)
55	printf("Creating an empty trace log file: %s\n", arg_tracefile);	54	printf("Creating an empty trace log file: %s\n", arg_tracefile);
56	EUID_USER();	55	EUID_USER();
57	int fd = open(arg_tracefile, O_CREAT\|O_WRONLY\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	56	int fd = open(arg_tracefile, O_CREAT\|O_WRONLY\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
58	if (fd == -1) {	57	if (fd == -1) {
59	perror("open");	58	perror("open");
60	fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);	59	fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -107,7 +106,7 @@ void fs_trace(void) {
107	fmessage("Post-exec seccomp protector enabled\n");	106	fmessage("Post-exec seccomp protector enabled\n");
108	}	107	}
109		108
110	SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	109	SET_PERMS_STREAM(fp, 0, 0, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
111	fclose(fp);	110	fclose(fp);
112		111
113	// mount the new preload file	112	// mount the new preload file


diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 20e262d80..e19d0df96 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
20	#include "firejail.h"	20	#include "firejail.h"
21	#include <sys/mount.h>	21	#include <sys/mount.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <linux/limits.h>
24	#include <glob.h>	23	#include <glob.h>
25	#include <dirent.h>	24	#include <dirent.h>
26	#include <fcntl.h>	25	#include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
129	/* coverity[toctou] */	128	/* coverity[toctou] */
130	FILE *fp = fopen("/var/log/wtmp", "wxe");	129	FILE *fp = fopen("/var/log/wtmp", "wxe");
131	if (fp) {	130	if (fp) {
132	SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP \| S_IROTH);	131	SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP \| S_IROTH);
133	fclose(fp);	132	fclose(fp);
134	}	133	}
135	fs_logger("touch /var/log/wtmp");	134	fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
137	// create an empty /var/log/btmp file	136	// create an empty /var/log/btmp file
138	fp = fopen("/var/log/btmp", "wxe");	137	fp = fopen("/var/log/btmp", "wxe");
139	if (fp) {	138	if (fp) {
140	SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP);	139	SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP);
141	fclose(fp);	140	fclose(fp);
142	}	141	}
143	fs_logger("touch /var/log/btmp");	142	fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
314	// save new utmp file	313	// save new utmp file
315	int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);	314	int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
316	(void) rv;	315	(void) rv;
317	SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IWGRP \| S_IROTH);	316	SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IWGRP \| S_IROTH);
318	fclose(fp);	317	fclose(fp);
319		318
320	// mount the new utmp file	319	// mount the new utmp file


diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 70985ba9e..53e918dde 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char path1, const char path2) {
305	}	305	}
306	// create destination file if necessary	306	// create destination file if necessary
307	EUID_ASSERT();	307	EUID_ASSERT();
308	int fd = open(dest_fname, O_WRONLY\|O_CREAT\|O_CLOEXEC, S_IRUSR \| S_IWRITE);	308	int fd = open(dest_fname, O_WRONLY\|O_CREAT\|O_CLOEXEC, S_IRUSR \| S_IWUSR);
309	if (fd == -1) {	309	if (fd == -1) {
310	fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);	310	fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
311	exit(1);	311	exit(1);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 81d148257..cc5186204 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
32	#include <dirent.h>	32	#include <dirent.h>
33	#include <pwd.h>	33	#include <pwd.h>
34	#include <errno.h>	34	#include <errno.h>
35	//#include <limits.h>	35
		36	#include <limits.h>
36	#include <sys/file.h>	37	#include <sys/file.h>
37	#include <sys/prctl.h>	38	#include <sys/prctl.h>
38	#include <signal.h>	39	#include <signal.h>


diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 6f17231a4..59077dada 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
21	#include "../include/firejail_user.h"	21	#include "../include/firejail_user.h"
22	#include <sys/mount.h>	22	#include <sys/mount.h>
23	#include <sys/stat.h>	23	#include <sys/stat.h>
24	#include <linux/limits.h>
25	#include <fnmatch.h>	24	#include <fnmatch.h>
26	#include <glob.h>	25	#include <glob.h>
27	#include <dirent.h>	26	#include <dirent.h>


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b776a0cc5..d66b6c573 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -204,7 +204,7 @@ static void save_umask(void) {
204	}	204	}
205		205
206	static char *create_join_file(void) {	206	static char *create_join_file(void) {
207	int fd = open(RUN_JOIN_FILE, O_RDWR\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWRITE \| S_IRGRP \| S_IROTH);	207	int fd = open(RUN_JOIN_FILE, O_RDWR\|O_CREAT\|O_EXCL\|O_CLOEXEC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
208	if (fd == -1)	208	if (fd == -1)
209	errExit("open");	209	errExit("open");
210	if (ftruncate(fd, 1) == -1)	210	if (ftruncate(fd, 1) == -1)