diff options
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/firejail.config | 6 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 4 |
5 files changed, 6 insertions, 9 deletions
@@ -1,4 +1,6 @@ | |||
1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * deprecated --audit options, relpaced by jailtest | ||
3 | * deprecated follow-symlink-as-user from firejail.config | ||
2 | * filtering environment variables | 4 | * filtering environment variables |
3 | * zsh completion | 5 | * zsh completion |
4 | * command line: --mkdir, --mkfile | 6 | * command line: --mkdir, --mkfile |
@@ -7,7 +9,6 @@ firejail (0.9.65) baseline; urgency=low | |||
7 | * private-lib rework | 9 | * private-lib rework |
8 | * whitelist rework | 10 | * whitelist rework |
9 | * jailtest utility for testing running sandboxes | 11 | * jailtest utility for testing running sandboxes |
10 | * removed --audit options, relpaced by jailtest | ||
11 | * capabilities list update | 12 | * capabilities list update |
12 | * faccessat2 syscall support | 13 | * faccessat2 syscall support |
13 | * --private-dev keeps /dev/input | 14 | * --private-dev keeps /dev/input |
diff --git a/etc/firejail.config b/etc/firejail.config index 9dd33b5ed..c671efef9 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -46,12 +46,6 @@ | |||
46 | # Enable Firejail green prompt in terminal, default disabled | 46 | # Enable Firejail green prompt in terminal, default disabled |
47 | # firejail-prompt no | 47 | # firejail-prompt no |
48 | 48 | ||
49 | # Follow symlink as user. While using --whitelist feature, | ||
50 | # symlinks pointing outside home directory are followed only | ||
51 | # if both the link and the real file are owned by the user. | ||
52 | # Enabled by default | ||
53 | # follow-symlink-as-user yes | ||
54 | |||
55 | # Force use of nonewprivs. This mitigates the possibility of | 49 | # Force use of nonewprivs. This mitigates the possibility of |
56 | # a user abusing firejail's features to trick a privileged (suid | 50 | # a user abusing firejail's features to trick a privileged (suid |
57 | # or file capabilities) process into loading code or configuration | 51 | # or file capabilities) process into loading code or configuration |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 614b144e5..cb087d395 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -103,7 +103,6 @@ int checkcfg(int val) { | |||
103 | PARSE_YESNO(CFG_USERNS, "userns") | 103 | PARSE_YESNO(CFG_USERNS, "userns") |
104 | PARSE_YESNO(CFG_CHROOT, "chroot") | 104 | PARSE_YESNO(CFG_CHROOT, "chroot") |
105 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") | 105 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") |
106 | PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") | ||
107 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") | 106 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") |
108 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | 107 | PARSE_YESNO(CFG_SECCOMP, "seccomp") |
109 | PARSE_YESNO(CFG_WHITELIST, "whitelist") | 108 | PARSE_YESNO(CFG_WHITELIST, "whitelist") |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1c1ad4e97..1da70fd54 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -765,7 +765,6 @@ enum { | |||
765 | CFG_PRIVATE_HOME, | 765 | CFG_PRIVATE_HOME, |
766 | CFG_PRIVATE_BIN_NO_LOCAL, | 766 | CFG_PRIVATE_BIN_NO_LOCAL, |
767 | CFG_FIREJAIL_PROMPT, | 767 | CFG_FIREJAIL_PROMPT, |
768 | CFG_FOLLOW_SYMLINK_AS_USER, | ||
769 | CFG_DISABLE_MNT, | 768 | CFG_DISABLE_MNT, |
770 | CFG_JOIN, | 769 | CFG_JOIN, |
771 | CFG_ARP_PROBES, | 770 | CFG_ARP_PROBES, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7cfa58078..31694558d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1904,6 +1904,8 @@ int main(int argc, char **argv, char **envp) { | |||
1904 | } | 1904 | } |
1905 | else if (strcmp(argv[i], "--private") == 0) { | 1905 | else if (strcmp(argv[i], "--private") == 0) { |
1906 | arg_private = 1; | 1906 | arg_private = 1; |
1907 | // disable whitelisting in home directory | ||
1908 | profile_add("whitelist ~/*"); | ||
1907 | } | 1909 | } |
1908 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1910 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
1909 | if (cfg.home_private_keep) { | 1911 | if (cfg.home_private_keep) { |
@@ -1925,6 +1927,8 @@ int main(int argc, char **argv, char **envp) { | |||
1925 | cfg.home_private = NULL; | 1927 | cfg.home_private = NULL; |
1926 | } | 1928 | } |
1927 | arg_private = 1; | 1929 | arg_private = 1; |
1930 | // disable whitelisting in home directory | ||
1931 | profile_add("whitelist ~/*"); | ||
1928 | } | 1932 | } |
1929 | #ifdef HAVE_PRIVATE_HOME | 1933 | #ifdef HAVE_PRIVATE_HOME |
1930 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { | 1934 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { |