diff options
| -rw-r--r-- | etc/profile-a-l/gunzip.profile | 2 | ||||
| -rw-r--r-- | etc/profile-a-l/hexchat.profile | 5 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 7 | ||||
| -rw-r--r-- | src/firejail/main.c | 4 | ||||
| -rw-r--r-- | src/firejail/shutdown.c | 6 | ||||
| -rw-r--r-- | src/firejail/util.c | 8 |
6 files changed, 22 insertions, 10 deletions
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile index 6e97c6b78..584d88f85 100644 --- a/etc/profile-a-l/gunzip.profile +++ b/etc/profile-a-l/gunzip.profile | |||
| @@ -7,5 +7,7 @@ include gunzip.local | |||
| 7 | # added by included profile | 7 | # added by included profile |
| 8 | #include globals.local | 8 | #include globals.local |
| 9 | 9 | ||
| 10 | include allow-bin-sh.inc | ||
| 11 | |||
| 10 | # Redirect | 12 | # Redirect |
| 11 | include gzip.profile | 13 | include gzip.profile |
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index f72af0b4a..b887de147 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile | |||
| @@ -8,6 +8,9 @@ include globals.local | |||
| 8 | 8 | ||
| 9 | noblacklist ${HOME}/.config/hexchat | 9 | noblacklist ${HOME}/.config/hexchat |
| 10 | 10 | ||
| 11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
| 12 | include allow-bin-sh.inc | ||
| 13 | |||
| 11 | # Allow perl (blacklisted by disable-interpreters.inc) | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
| 12 | include allow-perl.inc | 15 | include allow-perl.inc |
| 13 | 16 | ||
| @@ -48,7 +51,7 @@ tracelog | |||
| 48 | 51 | ||
| 49 | disable-mnt | 52 | disable-mnt |
| 50 | # debug note: private-bin requires perl, python, etc on some systems | 53 | # debug note: private-bin requires perl, python, etc on some systems |
| 51 | private-bin hexchat,python* | 54 | private-bin hexchat,python*,sh |
| 52 | private-dev | 55 | private-dev |
| 53 | #private-lib - python problems | 56 | #private-lib - python problems |
| 54 | private-tmp | 57 | private-tmp |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 77bb5e5bb..9a7a1bac7 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -423,6 +423,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | |||
| 423 | strcmp(dir, "/sys") == 0) | 423 | strcmp(dir, "/sys") == 0) |
| 424 | whitelist_error(path); | 424 | whitelist_error(path); |
| 425 | 425 | ||
| 426 | // whitelisting home directory is disabled if --private option is present | ||
| 427 | if (arg_private && strcmp(dir, cfg.homedir) == 0) { | ||
| 428 | if (arg_debug || arg_debug_whitelists) | ||
| 429 | printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path); | ||
| 430 | return NULL; | ||
| 431 | } | ||
| 432 | |||
| 426 | // do nothing if directory doesn't exist | 433 | // do nothing if directory doesn't exist |
| 427 | struct stat s; | 434 | struct stat s; |
| 428 | if (lstat(dir, &s) != 0) { | 435 | if (lstat(dir, &s) != 0) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 31694558d..7cfa58078 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1904,8 +1904,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1904 | } | 1904 | } |
| 1905 | else if (strcmp(argv[i], "--private") == 0) { | 1905 | else if (strcmp(argv[i], "--private") == 0) { |
| 1906 | arg_private = 1; | 1906 | arg_private = 1; |
| 1907 | // disable whitelisting in home directory | ||
| 1908 | profile_add("whitelist ~/*"); | ||
| 1909 | } | 1907 | } |
| 1910 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1908 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
| 1911 | if (cfg.home_private_keep) { | 1909 | if (cfg.home_private_keep) { |
| @@ -1927,8 +1925,6 @@ int main(int argc, char **argv, char **envp) { | |||
| 1927 | cfg.home_private = NULL; | 1925 | cfg.home_private = NULL; |
| 1928 | } | 1926 | } |
| 1929 | arg_private = 1; | 1927 | arg_private = 1; |
| 1930 | // disable whitelisting in home directory | ||
| 1931 | profile_add("whitelist ~/*"); | ||
| 1932 | } | 1928 | } |
| 1933 | #ifdef HAVE_PRIVATE_HOME | 1929 | #ifdef HAVE_PRIVATE_HOME |
| 1934 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { | 1930 | else if (strncmp(argv[i], "--private-home=", 15) == 0) { |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index fbfe1765b..d1be6eed4 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
| @@ -36,8 +36,10 @@ void shut(pid_t pid) { | |||
| 36 | } | 36 | } |
| 37 | free(comm); | 37 | free(comm); |
| 38 | } | 38 | } |
| 39 | else | 39 | else { |
| 40 | errExit("/proc/PID/comm"); | 40 | fprintf(stderr, "Error: cannot find process %d\n", pid); |
| 41 | exit(1); | ||
| 42 | } | ||
| 41 | 43 | ||
| 42 | // check privileges for non-root users | 44 | // check privileges for non-root users |
| 43 | uid_t uid = getuid(); | 45 | uid_t uid = getuid(); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index b15b719b7..6a7318c4b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -647,9 +647,11 @@ int find_child(pid_t parent, pid_t *child) { | |||
| 647 | if (parent == atoi(ptr)) { | 647 | if (parent == atoi(ptr)) { |
| 648 | // we don't want /usr/bin/xdg-dbus-proxy! | 648 | // we don't want /usr/bin/xdg-dbus-proxy! |
| 649 | char *cmdline = pid_proc_cmdline(pid); | 649 | char *cmdline = pid_proc_cmdline(pid); |
| 650 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) | 650 | if (cmdline) { |
| 651 | *child = pid; | 651 | if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) |
| 652 | free(cmdline); | 652 | *child = pid; |
| 653 | free(cmdline); | ||
| 654 | } | ||
| 653 | } | 655 | } |
| 654 | break; // stop reading the file | 656 | break; // stop reading the file |
| 655 | } | 657 | } |