diff options
| -rw-r--r-- | etc/firefox.profile | 2 | ||||
| -rw-r--r-- | src/firejail/sbox.c | 15 | ||||
| -rw-r--r-- | src/fnet/Makefile.in | 4 | ||||
| -rw-r--r-- | src/fseccomp/Makefile.in | 4 |
4 files changed, 20 insertions, 5 deletions
diff --git a/etc/firefox.profile b/etc/firefox.profile index 3fb56fd0e..7862bd010 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -48,6 +48,6 @@ include /etc/firejail/whitelist-common.inc | |||
| 48 | 48 | ||
| 49 | # experimental features | 49 | # experimental features |
| 50 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env | 50 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env |
| 51 | private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 51 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse |
| 52 | private-dev | 52 | private-dev |
| 53 | private-tmp | 53 | private-tmp |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 65ca5c443..b16736dee 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
| @@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) { | |||
| 136 | if (child < 0) | 136 | if (child < 0) |
| 137 | errExit("fork"); | 137 | errExit("fork"); |
| 138 | if (child == 0) { | 138 | if (child == 0) { |
| 139 | // clean the new process | ||
| 140 | clearenv(); | ||
| 141 | int max = 20; // getdtablesize() is overkill for a firejail process | ||
| 142 | for (i = 3; i < max; i++) | ||
| 143 | close(i); // close open files | ||
| 144 | int fd = open("/dev/null",O_RDWR, 0); | ||
| 145 | if (fd != -1) { | ||
| 146 | dup2 (fd, STDIN_FILENO); | ||
| 147 | if (fd > 2) | ||
| 148 | close (fd); | ||
| 149 | } | ||
| 150 | else // the user could run the sandbox without /dev/null | ||
| 151 | close(STDIN_FILENO); | ||
| 152 | umask(027); | ||
| 153 | |||
| 139 | // apply filters | 154 | // apply filters |
| 140 | if (filter & SBOX_CAPS_NONE) { | 155 | if (filter & SBOX_CAPS_NONE) { |
| 141 | caps_drop_all(); | 156 | caps_drop_all(); |
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index b515d2333..bba4406d4 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
| @@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | |||
| 33 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h | 33 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h |
| 34 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 34 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ |
| 35 | 35 | ||
| 36 | fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o | 36 | fnet: $(OBJS) ../lib/libnetlink.o |
| 37 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) | 37 | $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) |
| 38 | 38 | ||
| 39 | clean:; rm -f *.o fnet | 39 | clean:; rm -f *.o fnet |
| 40 | 40 | ||
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 110d2c95f..1878ad2f3 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
| @@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | |||
| 33 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h | 33 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h |
| 34 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | 34 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ |
| 35 | 35 | ||
| 36 | fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o | 36 | fseccomp: $(OBJS) |
| 37 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) | 37 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) |
| 38 | 38 | ||
| 39 | clean:; rm -f *.o fseccomp | 39 | clean:; rm -f *.o fseccomp |
| 40 | 40 | ||