-rw-r--r--etc/firejail-default3
-rw-r--r--etc/keepass.profile2
-rw-r--r--src/firejail/appimage.c53
-rw-r--r--src/firejail/firejail.h4
-rw-r--r--src/firejail/fs.c17
-rw-r--r--src/firejail/fs_bin.c2
-rw-r--r--src/firejail/fs_dev.c2
-rw-r--r--src/firejail/fs_etc.c2
-rw-r--r--src/firejail/fs_home.c2
-rw-r--r--src/firejail/fs_trace.c2
-rw-r--r--src/firejail/fs_var.c2
-rw-r--r--src/firejail/fs_whitelist.c23
-rw-r--r--src/firejail/main.c27
-rw-r--r--src/firejail/restricted_shell.c16
-rw-r--r--src/firejail/seccomp.c8
-rw-r--r--src/firejail/util.c21
16 files changed, 101 insertions, 85 deletions
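--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -31,6 +31,9 @@ profile firejail-default {
 /{,var/}run/user/**/pulse/ rw,
 /{,var/}run/user/**/pulse/** rw,
 /{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
 /{run,dev}/shm/** rmwk,
 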
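--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -13,7 +13,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 shell none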
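Review bot: The widened `protocol unix,inet,inet6` at line 16 lets a password manager open IPv4 and IPv6 sockets, and nothing in the profile records which KeePass feature needs that; the `netfilter` line at 18 still applies, so the exposure is bounded, but the intent should be written down so a later edit does not drop either line. Suggest a comment directly above line 16 such as `# inet/inet6 needed for <feature — confirm>` naming the feature (a URL-open or update-check path is plausible, but that is inferred, not visible here).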
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 05bd8a1d8..375d6be24 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -54,9 +54,13 @@ void appimage_set(const char *appimage_path) {
54 exit(1); 54 exit(1);
55 } 55 }
56 56
57 // populate /run/firejail directory
57 EUID_ROOT(); 58 EUID_ROOT();
59 fs_build_firejail_dir();
60 EUID_USER();
58 61
59 // find or allocate a free loop device to use 62 // find or allocate a free loop device to use
63 EUID_ROOT();
60 int cfd = open("/dev/loop-control", O_RDWR); 64 int cfd = open("/dev/loop-control", O_RDWR);
61 int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); 65 int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
62 if (devnr == -1) { 66 if (devnr == -1) {
@@ -74,36 +78,37 @@ void appimage_set(const char *appimage_path) {
74 } 78 }
75 close(lfd); 79 close(lfd);
76 close(ffd); 80 close(ffd);
77
78 EUID_USER(); 81 EUID_USER();
79 82
80 // creates directory with perms 0700 83 // creates appimage mount point perms 0700
81 char dirname[] = "/tmp/firejail-mnt-XXXXXX"; 84 if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
82 mntdir = strdup(mkdtemp(dirname)); 85 errExit("asprintf");
83 if (mntdir == NULL) { 86 EUID_ROOT();
84 fprintf(stderr, "Error: cannot create temporary directory\n"); 87 if (mkdir(mntdir, 0700) == -1) {
88 fprintf(stderr, "Error: cannot create appimage mount point\n");
85 exit(1); 89 exit(1);
86 } 90 }
87 if (chmod(mntdir, 0700) == -1) 91 if (chmod(mntdir, 0700) == -1)
88 errExit("chmod"); 92 errExit("chmod");
93 if (chown(mntdir, getuid(), getgid()) == -1)
94 errExit("chown");
95 EUID_USER();
89 ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); 96 ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
90 97
98 // mount
91 char *mode; 99 char *mode;
92 if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) 100 if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
93 errExit("asprintf"); 101 errExit("asprintf");
94
95 EUID_ROOT(); 102 EUID_ROOT();
96 if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) 103 if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
97 errExit("mounting appimage"); 104 errExit("mounting appimage");
98
99
100 if (arg_debug) 105 if (arg_debug)
101 printf("appimage mounted on %s\n", mntdir); 106 printf("appimage mounted on %s\n", mntdir);
102 EUID_USER(); 107 EUID_USER();
103 108
109 // set environment
104 if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) 110 if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0)
105 errExit("setenv"); 111 errExit("setenv");
106
107 if (mntdir && setenv("APPDIR", mntdir, 1) < 0) 112 if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
108 errExit("setenv"); 113 errExit("setenv");
109 114
@@ -121,16 +126,32 @@ void appimage_set(const char *appimage_path) {
121void appimage_clear(void) { 126void appimage_clear(void) {
122 int rv; 127 int rv;
123 128
129 EUID_ROOT();
124 if (mntdir) { 130 if (mntdir) {
125 rv = umount2(mntdir, MNT_FORCE); 131 int i;
126 if (rv == -1 && errno == EBUSY) { 132 int rv = 0;
127 sleep(1); 133 for (i = 0; i < 5; i++) {
128 rv = umount2(mntdir, MNT_FORCE); 134 rv = umount2(mntdir, MNT_FORCE);
129 (void) rv; 135 if (rv == 0)
136 break;
137 if (rv == -1 && errno == EBUSY) {
138 if (!arg_quiet)
139 printf("Warning: EBUSY error trying to unmount %s\n", mntdir);
140 sleep(2);
141 continue;
142 }
130 143
144 // rv = -1
145 if (!arg_quiet) {
146 printf("Warning: error trying to unmount %s\n", mntdir);
147 perror("umount");
148 }
149 }
150
151 if (rv == 0) {
152 rmdir(mntdir);
153 free(mntdir);
131 } 154 }
132 rmdir(mntdir);
133 free(mntdir);
134 } 155 }
135 156
136 if (devloop) { 157 if (devloop) {
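Review bot: In appimage_clear, `int rv = 0;` at line 132 shadows the `int rv;` declared at 127, so -Wshadow fires and the outer variable is unused within this hunk; drop the inner declaration and initialise the outer one instead (`int rv = 0;` at line 127). The retry loop at 133-149 gives up after five EBUSY attempts and then leaves the mount in place, because the rmdir/free at 152-153 run only when `rv == 0`; since the mount point is now named `appimage-<pid>` under RUN_FIREJAIL_APPIMAGE_DIR (line 84), a leftover directory survives until that pid is reused, at which point the `mkdir` at line 87 fails with EEXIST and the new sandbox exits. Consider a last-resort `umount2(mntdir, MNT_DETACH)` after the loop so the rmdir can proceed, and print the leftover path when even that fails. Both functions continue outside the hunks shown, and the EUID_USER() that should pair with the EUID_ROOT() added at line 129 is not visible here.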
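--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -28,6 +28,7 @@
 // filesystem
 #define RUN_FIREJAIL_BASEDIR "/run"
 #define RUN_FIREJAIL_DIR "/run/firejail"
+#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
 #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
 #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
@@ -457,8 +458,7 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
-uid_t get_tty_gid(void);
-uid_t get_audio_gid(void);
+uid_t get_group_id(const char *group);
 int remove_directory(const char *path);
 void flush_stdin(void);
 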
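Review bot: `uid_t get_group_id(const char *group);` at line 461 returns a group id but is declared with the uid_t type; the definition in util.c (line 652) carries the same mismatch, while its callers in fs_dev.c and main.c store the result in `gid_t`. On glibc both types are unsigned int so this compiles silently, but the prototype should say what it returns: `gid_t get_group_id(const char *group);` here and on the definition in util.c. The same slip existed on the two prototypes being removed, so the rename is the natural moment to correct it.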
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index b40f8a3fa..a5f12c7df 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -77,14 +77,15 @@ void fs_build_firejail_dir(void) {
77 if (stat(RUN_FIREJAIL_BASEDIR, &s)) { 77 if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
78 create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); 78 create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
79 } 79 }
80 else { // check /tmp/firejail directory belongs to root end exit if doesn't! 80
81 // check /run/firejail directory belongs to root end exit if doesn't!
82 if (stat(RUN_FIREJAIL_DIR, &s) == 0) {
81 if (s.st_uid != 0 || s.st_gid != 0) { 83 if (s.st_uid != 0 || s.st_gid != 0) {
82 fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR); 84 fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
83 exit(1); 85 exit(1);
84 } 86 }
85 } 87 }
86 88 else {
87 if (stat(RUN_FIREJAIL_DIR, &s)) {
88 create_dir_as_root(RUN_FIREJAIL_DIR, 0755); 89 create_dir_as_root(RUN_FIREJAIL_DIR, 0755);
89 } 90 }
90 91
@@ -104,12 +105,16 @@ void fs_build_firejail_dir(void) {
104 create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); 105 create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
105 } 106 }
106 107
108 if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
109 create_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
110 }
111
107 create_empty_dir(); 112 create_empty_dir();
108 create_empty_file(); 113 create_empty_file();
109} 114}
110 115
111 116
112// build /tmp/firejail/mnt directory 117// build /run/firejail/mnt directory
113static int tmpfs_mounted = 0; 118static int tmpfs_mounted = 0;
114#ifdef HAVE_CHROOT 119#ifdef HAVE_CHROOT
115static void fs_build_remount_mnt_dir(void) { 120static void fs_build_remount_mnt_dir(void) {
@@ -133,7 +138,7 @@ void fs_build_mnt_dir(void) {
133 if (arg_debug) 138 if (arg_debug)
134 printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); 139 printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
135 if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 140 if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
136 errExit("mounting /tmp/firejail/mnt"); 141 errExit("mounting /run/firejail/mnt");
137 tmpfs_mounted = 1; 142 tmpfs_mounted = 1;
138 fs_logger2("tmpfs", RUN_MNT_DIR); 143 fs_logger2("tmpfs", RUN_MNT_DIR);
139 } 144 }
@@ -1250,7 +1255,7 @@ void fs_private_tmp(void) {
1250 if (arg_debug) 1255 if (arg_debug)
1251 printf("Mounting tmpfs on /tmp directory\n"); 1256 printf("Mounting tmpfs on /tmp directory\n");
1252 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) 1257 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
1253 errExit("mounting /tmp/firejail/mnt"); 1258 errExit("mounting tmpfs on /tmp directory");
1254 fs_logger2("tmpfs", "/tmp"); 1259 fs_logger2("tmpfs", "/tmp");
1255} 1260}
1256 1261
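Review bot: The ownership check at lines 82-87 rejects a /run/firejail owned by a non-root uid or gid but does not look at its mode, and the new `RUN_FIREJAIL_APPIMAGE_DIR` branch at 108-110 only tests for existence before skipping create_dir_as_root; appimage.c later runs mkdir/chown as root inside this tree, so a group- or world-writable /run/firejail could let an unprivileged user pre-create the `appimage` subdirectory that is then trusted. Extending the condition at line 83 to `if (s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & (S_IWGRP | S_IWOTH)))` closes that, and the same ownership/mode test could be applied to the subdirectories created with 0755 below. The comment at line 81 also carries over the old typo: `end exit` should read `and exit`. fs_build_firejail_dir starts before the first hunk.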
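--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -208,7 +208,7 @@ void fs_private_bin_list(void) {
 	char *private_list = cfg.bin_private_keep;
 	assert(private_list);
 
-	// create /tmp/firejail/mnt/bin directory
+	// create /run/firejail/mnt/bin directory
 	fs_build_mnt_dir();
 	if (mkdir(RUN_BIN_DIR, 0755) == -1)
 		errExit("mkdir");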
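--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -225,7 +225,7 @@ void fs_private_dev(void){
 
 
 	// mount /dev/pts
-	gid_t ttygid = get_tty_gid();
+	gid_t ttygid = get_group_id("tty");
 	char *data;
 	if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
 		errExit("asprintf");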
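Review bot: `get_group_id("tty")` at line 228 returns 0 when the group does not exist (util.c lines 654-657), and that 0 flows unchecked into the devpts `gid=%d` mount option on line 230, which devpts will apply to the pts nodes together with mode 620; main.c guards the same call with `if (g)` while this caller does not. Behaviour is unchanged from get_tty_gid(), but with the generic helper the missing-group case deserves an explicit decision, e.g. `if (ttygid == 0) fprintf(stderr, "Warning: tty group not found, using gid 0 for /dev/pts\n");` or an errExit. Note that 0 is also the legitimate gid of the root group, so the sentinel cannot distinguish the two cases.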
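--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -128,7 +128,7 @@ void fs_private_etc_list(void) {
 		exit(1);
 	}
 
-	// create /tmp/firejail/mnt/etc directory
+	// create /run/firejail/mnt/etc directory
 	fs_build_mnt_dir();
 	if (mkdir(RUN_ETC_DIR, 0755) == -1)
 		errExit("mkdir");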
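--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -591,7 +591,7 @@ void fs_private_home_list(void) {
 		exit(1);
 	}
 
-	// create /tmp/firejail/mnt/home directory
+	// create /run/firejail/mnt/home directory
 	fs_build_mnt_dir();
 	int rv = mkdir(RUN_HOME_DIR, 0755);
 	if (rv == -1)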
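--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -44,7 +44,7 @@ void fs_trace_preload(void) {
 }
 
 void fs_trace(void) {
-	// create /tmp/firejail/mnt directory
+	// create /run/firejail/mnt directory
 	fs_build_mnt_dir();
 
 	// create the new ld.so.preload file and mount-bind it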
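--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -317,7 +317,7 @@ void fs_var_utmp(void) {
 		return;
 	}
 
-	// create /tmp/firejail/mnt directory
+	// create /run/firejail/mnt directory
 	fs_build_mnt_dir();
 
 	// create a new utmp file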
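--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -550,29 +550,6 @@ void fs_whitelist(void) {
 		if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 			errExit("mounting tmpfs on /tmp");
 		fs_logger("tmpfs /tmp");
-
-		// mount appimage directory if necessary
-		if (arg_appimage) {
-			const char *dir = appimage_getdir();
-			assert(dir);
-			char *wdir;
-			if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1)
-				errExit("asprintf");
-
-			// create directory
-			if (mkdir(dir, 0755) < 0)
-				errExit("mkdir");
-			if (chown(dir, getuid(), getgid()) < 0)
-				errExit("chown");
-			if (chmod(dir, 0755) < 0)
-				errExit("chmod");
-
-			// mount
-			if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-				errExit("mount bind");
-			fs_logger2("whitelist", dir);
-			free(wdir);
-		}
 	}
 
 	// /media mountpoint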
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 6d4eb21df..987a79d1c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2555,16 +2555,31 @@ int main(int argc, char **argv) {
2555 ptr += strlen(ptr); 2555 ptr += strlen(ptr);
2556 2556
2557 // add tty group 2557 // add tty group
2558 gid_t ttygid = get_tty_gid(); 2558 gid_t g = get_group_id("tty");
2559 if (ttygid) { 2559 if (g) {
2560 sprintf(ptr, "%d %d 1\n", ttygid, ttygid); 2560 sprintf(ptr, "%d %d 1\n", g, g);
2561 ptr += strlen(ptr); 2561 ptr += strlen(ptr);
2562 } 2562 }
2563 2563
2564 // add audio group 2564 // add audio group
2565 gid_t audiogid = get_audio_gid(); 2565 g = get_group_id("audio");
2566 if (ttygid) { 2566 if (g) {
2567 sprintf(ptr, "%d %d 1\n", audiogid, audiogid); 2567 sprintf(ptr, "%d %d 1\n", g, g);
2568 ptr += strlen(ptr);
2569 }
2570
2571 // add video group
2572 g = get_group_id("video");
2573 if (g) {
2574 sprintf(ptr, "%d %d 1\n", g, g);
2575 ptr += strlen(ptr);
2576 }
2577
2578 // add games group
2579 g = get_group_id("games");
2580 if (g) {
2581 sprintf(ptr, "%d %d 1\n", g, g);
2582 ptr += strlen(ptr);
2568 } 2583 }
2569 2584
2570 EUID_ROOT(); 2585 EUID_ROOT();
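Review bot: The two new blocks at lines 2571-2582 write four more lines through `ptr` with unbounded `sprintf`, and the buffer `ptr` points into is declared outside this hunk; confirm its size accounts for the extra entries, or switch each call to `snprintf` with the remaining capacity. `%d` with a `gid_t` argument is also a signed/unsigned format mismatch that -Wformat reports; `"%u %u 1\n", (unsigned) g, (unsigned) g` is exact. The four copies differ only in the group name, so a table-driven loop would remove the duplication that produced the old `if (ttygid)` copy-paste slip this hunk corrects at 2566. main's body continues on both sides of the hunk.
```c
	// add tty, audio, video and games groups (skip any that do not exist)
	static const char *const groups[] = { "tty", "audio", "video", "games" };
	for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++) {
		gid_t g = get_group_id(groups[i]);
		if (g) {
			sprintf(ptr, "%u %u 1\n", (unsigned) g, (unsigned) g);
			ptr += strlen(ptr);
		}
	}
	// … unchanged: EUID_ROOT() and what follows …
```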
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index 24ce27c2e..979bb1eed 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -18,6 +18,7 @@
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20#include "firejail.h" 20#include "firejail.h"
21#include <fnmatch.h>
21 22
22#define MAX_READ 4096 // maximum line length 23#define MAX_READ 4096 // maximum line length
23char *restricted_user = NULL; 24char *restricted_user = NULL;
@@ -49,7 +50,11 @@ int restricted_shell(const char *user) {
49 if (*ptr == '\n' || *ptr == '#') 50 if (*ptr == '\n' || *ptr == '#')
50 continue; 51 continue;
51 52
52 // parse line 53 //
54 // parse line
55 //
56
57 // extract users
53 char *usr = ptr; 58 char *usr = ptr;
54 char *args = strchr(usr, ':'); 59 char *args = strchr(usr, ':');
55 if (args == NULL) { 60 if (args == NULL) {
@@ -63,7 +68,7 @@ int restricted_shell(const char *user) {
63 if (ptr) 68 if (ptr)
64 *ptr = '\0'; 69 *ptr = '\0';
65 70
66 // if nothing follows, continue 71 // extract firejail command line arguments
67 char *ptr2 = args; 72 char *ptr2 = args;
68 int found = 0; 73 int found = 0;
69 while (*ptr2 != '\0') { 74 while (*ptr2 != '\0') {
@@ -73,12 +78,13 @@ int restricted_shell(const char *user) {
73 } 78 }
74 ptr2++; 79 ptr2++;
75 } 80 }
81 // if nothing follows, continue
76 if (!found) 82 if (!found)
77 continue; 83 continue;
78 84
79 // process user 85 // user name globbing
80 if (strcmp(user, usr) == 0) { 86 if (fnmatch(usr, user, 0) == 0) {
81 // extract program arguments 87 // process program arguments
82 88
83 fullargv[0] = "firejail"; 89 fullargv[0] = "firejail";
84 int i; 90 int i;
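Review bot: Switching line 86 from `strcmp(user, usr) == 0` to `fnmatch(usr, user, 0)` turns every user field in the config file into a glob, and if the loop exits on the first match (the fullargv setup at 89 suggests it does) a `*` entry placed early in the file now shadows every more specific line after it; that ordering rule is not stated anywhere in the hunk. Add a comment above line 86 such as `// usr may contain shell-style wildcards; the first matching entry wins, so list specific users before wildcard entries` and mirror it in the config file documentation. The flags argument 0 also means `*` matches a name containing `/` or starting with `.`, which is probably intended here but worth stating next to the call. restricted_shell's loop begins and ends outside the hunks shown.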
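--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -708,7 +708,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
 	if (arg_debug)
 		filter_debug();
 
-	// save seccomp filter in /tmp/firejail/mnt/seccomp
+	// save seccomp filter in /run/firejail/mnt/seccomp
 	// in order to use it in --join operations
 	write_seccomp_file();
 
@@ -754,7 +754,7 @@ int seccomp_filter_keep(void) {
 	if (arg_debug)
 		filter_debug();
 
-	// save seccomp filter in /tmp/firejail/mnt/seccomp
+	// save seccomp filter in /run/firejail/mnt/seccomp
 	// in order to use it in --join operations
 	write_seccomp_file();
 
@@ -796,7 +796,7 @@ int seccomp_filter_errno(void) {
 	if (arg_debug)
 		filter_debug();
 
-	// save seccomp filter in /tmp/firejail/mnt/seccomp
+	// save seccomp filter in /run/firejail/mnt/seccomp
 	// in order to use it in --join operations
 	write_seccomp_file();
 
@@ -819,7 +819,7 @@ int seccomp_filter_errno(void) {
 
 
 void seccomp_set(void) {
-	// read seccomp filter from /tmp/firejail/mnt/seccomp
+	// read seccomp filter from /runp/firejail/mnt/seccomp
 	read_seccomp_file(RUN_SECCOMP_CFG);
 
 	// apply filter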
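Review bot: The rewritten comment at line 822 reads `/runp/firejail/mnt/seccomp`, a typo introduced by this change; the other three hunks in this file spell the path `/run/firejail/mnt/seccomp`. Change it to `// read seccomp filter from /run/firejail/mnt/seccomp` so the comment matches RUN_SECCOMP_CFG on the next line.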
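--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -649,25 +649,14 @@ void invalid_filename(const char *fname) {
 }
 
 
-uid_t get_tty_gid(void) {
+uid_t get_group_id(const char *group) {
 	// find tty group id
-	gid_t ttygid = 0;
-	struct group *g = getgrnam("tty");
+	gid_t gid = 0;
+	struct group *g = getgrnam(group);
 	if (g)
-		ttygid = g->gr_gid;
+		gid = g->gr_gid;
 
-	return ttygid;
-}
-
-
-uid_t get_audio_gid(void) {
-	// find tty group id
-	gid_t audiogid = 0;
-	struct group *g = getgrnam("audio");
-	if (g)
-		audiogid = g->gr_gid;
-
-	return audiogid;
+	return gid;
 }
 
 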
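Review bot: The comment at line 653 still says `// find tty group id` although the function now looks up whatever group name it is given; replace it with the actual contract: `// return the gid of the named group, or 0 when getgrnam() finds no such group`. Because 0 is also the real gid of the root group, callers that test `if (g)` cannot tell "not found" from "root"; if any caller needs that distinction, an explicit found/not-found signal (an out-parameter, or an `int` return with the gid written through a pointer) would be cleaner than the sentinel. The function does not check `group` for NULL; that is fine while every caller passes a string literal, but the comment should say the argument must be non-NULL.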