-rw-r--r--RELNOTES14
-rwxr-xr-xconfigure18
-rw-r--r--configure.ac2
-rw-r--r--src/firejail/fs.c10
-rw-r--r--src/firejail/fs_home.c24
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/pulseaudio.c4
-rw-r--r--src/firejail/restrict_users.c8
-rw-r--r--src/firejail/shutdown.c6
9 files changed, 68 insertions, 20 deletions
diff --git a/RELNOTES b/RELNOTES
index 8281c71a9..4b6cd2dca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,11 @@
1firejail (0.9.37) baseline; urgency=low 1firejail (0.9.38) baseline; urgency=low
2 * development version 2 * IPv6 support (--ip6 and --netfilter6)
3 * security profiles fixes
4 * dynamic allocation of noblacklist buffer
5 * --ip6 option - IPv6 support
6 * added KMail, Seamonkey, Telegram profiles
7 * --join command enhancement (--join-network, --join-filesystem) 3 * --join command enhancement (--join-network, --join-filesystem)
8 * symlink invocation
9 * --user command 4 * --user command
10 -- netblue30 <netblue30@yahoo.com> Tue, 5 Jan 2016 08:00:00 -0500 5 * symlink invocation
6 * added KMail, Seamonkey, Telegram profiles
7 * bugfixes
8 -- netblue30 <netblue30@yahoo.com> Sun, 24 Jan 2016 20:00:00 -0500
11 9
12firejail (0.9.36) baseline; urgency=low 10firejail (0.9.36) baseline; urgency=low
13 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, 11 * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
diff --git a/configure b/configure
index 46668e28a..414c70ccb 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
1#! /bin/sh 1#! /bin/sh
2# Guess values for system-dependent variables and create Makefiles. 2# Guess values for system-dependent variables and create Makefiles.
3# Generated by GNU Autoconf 2.69 for firejail 0.9.37. 3# Generated by GNU Autoconf 2.69 for firejail 0.9.38.
4# 4#
5# Report bugs to <netblue30@yahoo.com>. 5# Report bugs to <netblue30@yahoo.com>.
6# 6#
@@ -580,8 +580,8 @@ MAKEFLAGS=
580# Identity of this package. 580# Identity of this package.
581PACKAGE_NAME='firejail' 581PACKAGE_NAME='firejail'
582PACKAGE_TARNAME='firejail' 582PACKAGE_TARNAME='firejail'
583PACKAGE_VERSION='0.9.37' 583PACKAGE_VERSION='0.9.38'
584PACKAGE_STRING='firejail 0.9.37' 584PACKAGE_STRING='firejail 0.9.38'
585PACKAGE_BUGREPORT='netblue30@yahoo.com' 585PACKAGE_BUGREPORT='netblue30@yahoo.com'
586PACKAGE_URL='http://firejail.wordpress.com' 586PACKAGE_URL='http://firejail.wordpress.com'
587 587
@@ -1238,7 +1238,7 @@ if test "$ac_init_help" = "long"; then
1238 # Omit some internal or obsolete options to make the list less imposing. 1238 # Omit some internal or obsolete options to make the list less imposing.
1239 # This message is too long to be a string in the A/UX 3.1 sh. 1239 # This message is too long to be a string in the A/UX 3.1 sh.
1240 cat <<_ACEOF 1240 cat <<_ACEOF
1241\`configure' configures firejail 0.9.37 to adapt to many kinds of systems. 1241\`configure' configures firejail 0.9.38 to adapt to many kinds of systems.
1242 1242
1243Usage: $0 [OPTION]... [VAR=VALUE]... 1243Usage: $0 [OPTION]... [VAR=VALUE]...
1244 1244
@@ -1299,7 +1299,7 @@ fi
1299 1299
1300if test -n "$ac_init_help"; then 1300if test -n "$ac_init_help"; then
1301 case $ac_init_help in 1301 case $ac_init_help in
1302 short | recursive ) echo "Configuration of firejail 0.9.37:";; 1302 short | recursive ) echo "Configuration of firejail 0.9.38:";;
1303 esac 1303 esac
1304 cat <<\_ACEOF 1304 cat <<\_ACEOF
1305 1305
@@ -1389,7 +1389,7 @@ fi
1389test -n "$ac_init_help" && exit $ac_status 1389test -n "$ac_init_help" && exit $ac_status
1390if $ac_init_version; then 1390if $ac_init_version; then
1391 cat <<\_ACEOF 1391 cat <<\_ACEOF
1392firejail configure 0.9.37 1392firejail configure 0.9.38
1393generated by GNU Autoconf 2.69 1393generated by GNU Autoconf 2.69
1394 1394
1395Copyright (C) 2012 Free Software Foundation, Inc. 1395Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1691,7 +1691,7 @@ cat >config.log <<_ACEOF
1691This file contains any messages produced by compilers while 1691This file contains any messages produced by compilers while
1692running configure, to aid debugging if configure makes a mistake. 1692running configure, to aid debugging if configure makes a mistake.
1693 1693
1694It was created by firejail $as_me 0.9.37, which was 1694It was created by firejail $as_me 0.9.38, which was
1695generated by GNU Autoconf 2.69. Invocation command line was 1695generated by GNU Autoconf 2.69. Invocation command line was
1696 1696
1697 $ $0 $@ 1697 $ $0 $@
@@ -4107,7 +4107,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
4107# report actual input values of CONFIG_FILES etc. instead of their 4107# report actual input values of CONFIG_FILES etc. instead of their
4108# values after options handling. 4108# values after options handling.
4109ac_log=" 4109ac_log="
4110This file was extended by firejail $as_me 0.9.37, which was 4110This file was extended by firejail $as_me 0.9.38, which was
4111generated by GNU Autoconf 2.69. Invocation command line was 4111generated by GNU Autoconf 2.69. Invocation command line was
4112 4112
4113 CONFIG_FILES = $CONFIG_FILES 4113 CONFIG_FILES = $CONFIG_FILES
@@ -4161,7 +4161,7 @@ _ACEOF
4161cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 4161cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
4162ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" 4162ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
4163ac_cs_version="\\ 4163ac_cs_version="\\
4164firejail config.status 0.9.37 4164firejail config.status 0.9.38
4165configured by $0, generated by GNU Autoconf 2.69, 4165configured by $0, generated by GNU Autoconf 2.69,
4166 with options \\"\$ac_cs_config\\" 4166 with options \\"\$ac_cs_config\\"
4167 4167
diff --git a/configure.ac b/configure.ac
index 6d7a09bdf..cc505ef5f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
1AC_PREREQ([2.68]) 1AC_PREREQ([2.68])
2AC_INIT(firejail, 0.9.37, netblue30@yahoo.com, , http://firejail.wordpress.com) 2AC_INIT(firejail, 0.9.38, netblue30@yahoo.com, , http://firejail.wordpress.com)
3AC_CONFIG_SRCDIR([src/firejail/main.c]) 3AC_CONFIG_SRCDIR([src/firejail/main.c])
4#AC_CONFIG_HEADERS([config.h]) 4#AC_CONFIG_HEADERS([config.h])
5 5
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f4c448024..cad101bf9 100644
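--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -136,12 +136,18 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid /bin/cp file\n");
+exit(1);
+}
 int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
+if (chown(RUN_CP_COMMAND, 0, 0))
+errExit("chown");
 if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
@@ -921,6 +927,10 @@ void fs_chroot(const char *rootdir) {
 errExit("asprintf");
 if (arg_debug)
 printf("Updating /etc/resolv.conf in %s\n", fname);
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid %s file\n", fname);
+exit(1);
+}
 if (copy_file("/etc/resolv.conf", fname) == -1)
 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
 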
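Review bot: In fs_chroot the new `is_link(fname)` test and the `copy_file("/etc/resolv.conf", fname)` after it each resolve the path on their own, so the check is not bound to the file that ends up being written. `fname` is built under the caller-supplied `rootdir`; if that tree is writable by the user starting the sandbox, the destination can change between the two calls, whereas the `/bin/cp` check in the first hunk has the same shape on a root-owned path. copy_file is not shown on this page; if it opens its destination by path, adding `O_NOFOLLOW` to that `open()` and doing the type check with `fstat()` on the descriptor would turn check and write into one operation. The same check-then-copy sequence is added to store_xauthority and store_asoundrc in fs_home.c, and both functions here continue outside their hunks.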
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 08141ed03..e42ce5255 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
41 if (stat(fname, &s) == 0) 41 if (stat(fname, &s) == 0)
42 return; 42 return;
43 if (stat("/etc/skel/.zshrc", &s) == 0) { 43 if (stat("/etc/skel/.zshrc", &s) == 0) {
44 if (is_link("/etc/skel/.zshrc")) {
45 fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
46 exit(1);
47 }
44 if (copy_file("/etc/skel/.zshrc", fname) == 0) { 48 if (copy_file("/etc/skel/.zshrc", fname) == 0) {
45 if (chown(fname, u, g) == -1) 49 if (chown(fname, u, g) == -1)
46 errExit("chown"); 50 errExit("chown");
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
71 if (stat(fname, &s) == 0) 75 if (stat(fname, &s) == 0)
72 return; 76 return;
73 if (stat("/etc/skel/.cshrc", &s) == 0) { 77 if (stat("/etc/skel/.cshrc", &s) == 0) {
78 if (is_link("/etc/skel/.cshrc")) {
79 fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
80 exit(1);
81 }
74 if (copy_file("/etc/skel/.cshrc", fname) == 0) { 82 if (copy_file("/etc/skel/.cshrc", fname) == 0) {
75 if (chown(fname, u, g) == -1) 83 if (chown(fname, u, g) == -1)
76 errExit("chown"); 84 errExit("chown");
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
102 if (stat(fname, &s) == 0) 110 if (stat(fname, &s) == 0)
103 return; 111 return;
104 if (stat("/etc/skel/.bashrc", &s) == 0) { 112 if (stat("/etc/skel/.bashrc", &s) == 0) {
113 if (is_link("/etc/skel/.bashrc")) {
114 fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
115 exit(1);
116 }
105 if (copy_file("/etc/skel/.bashrc", fname) == 0) { 117 if (copy_file("/etc/skel/.bashrc", fname) == 0) {
106 /* coverity[toctou] */ 118 /* coverity[toctou] */
107 if (chown(fname, u, g) == -1) 119 if (chown(fname, u, g) == -1)
@@ -123,7 +135,12 @@ static int store_xauthority(void) {
123 errExit("asprintf"); 135 errExit("asprintf");
124 136
125 struct stat s; 137 struct stat s;
126 if (stat(src, &s) == 0) { 138 if (stat(src, &s) == 0) {
139 if (is_link(src)) {
140 fprintf(stderr, "Error: invalid .Xauthority file\n");
141 exit(1);
142 }
143
127 int rv = copy_file(src, dest); 144 int rv = copy_file(src, dest);
128 if (rv) { 145 if (rv) {
129 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); 146 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
@@ -146,6 +163,11 @@ static int store_asoundrc(void) {
146 163
147 struct stat s; 164 struct stat s;
148 if (stat(src, &s) == 0) { 165 if (stat(src, &s) == 0) {
166 if (is_link(src)) {
167 fprintf(stderr, "Error: invalid .asoundrc file\n");
168 exit(1);
169 }
170
149 int rv = copy_file(src, dest); 171 int rv = copy_file(src, dest);
150 if (rv) { 172 if (rv) {
151 fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); 173 fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
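Review bot: The four-line `is_link` block is pasted five times in this file (three times in skel, once each in store_xauthority and store_asoundrc) and again in pulseaudio.c and restrict_users.c, and the wording already drifts (`invalid /etc/passwd` against `invalid ... file`) without ever saying that the file was refused because it is a symbolic link. A single helper declared next to is_link would keep the policy and the message in one place and reduce each call site to one line. The helper name below is only a suggestion, and is_link's declaration is outside this page; skel, store_xauthority and store_asoundrc all continue beyond their hunks.

```c
/* Shared helper, declared alongside is_link: abort sandbox setup if path is a symbolic link. */
void reject_link(const char *path) {
	if (is_link(path)) {
		fprintf(stderr, "Error: %s is a symbolic link\n", path);
		exit(1);
	}
}

/* … unchanged: stat(src, &s) == 0 test in store_xauthority … */
		reject_link(src);
		int rv = copy_file(src, dest);
```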
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7afbf9ce3..014ea8cae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -300,7 +300,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
300 if (read_pid(argv[i] + 12, &pid) == 0) 300 if (read_pid(argv[i] + 12, &pid) == 0)
301 bandwidth_pid(pid, cmd, dev, down, up); 301 bandwidth_pid(pid, cmd, dev, down, up);
302 else 302 else
303 bandwidth_name(argv[i] + 12, cmd, dev, down, up); 303 bandwidth_name(argv[i] + 12, cmd, dev, down, up);
304 exit(0); 304 exit(0);
305 } 305 }
306 306
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 29f3bc4f0..a3348baf4 100644
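--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
+if (is_link("/etc/pulse/client.conf")) {
+fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+exit(1);
+}
 if (copy_file("/etc/pulse/client.conf", pulsecfg))
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");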
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index aa6a5d268..88dd38021 100644
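--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/passwd\n");
+if (is_link("/etc/passwd")) {
+fprintf(stderr, "Error: invalid /etc/passwd\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/group\n");
+if (is_link("/etc/group")) {
+fprintf(stderr, "Error: invalid /etc/group\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;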
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 131f663d4..edaac7eb9 100644
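--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -54,8 +54,14 @@ void shut(pid_t pid) {
 printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
 }
 }
+else {
+fprintf(stderr, "Error: this is not a firejail sandbox\n");
+exit(1);
+}
 free(comm);
 }
+else
+errExit("/proc/PID/comm");
 
 // check privileges for non-root users
 uid_t uid = getuid();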
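Review bot: `errExit("/proc/PID/comm")` on the new outer `else` prints the literal text `PID` instead of the process that was requested, and if errExit appends `errno` (its definition is not on this page) the reported reason depends on whichever call last set it. A message in the style of the inner branch is easier to act on: `fprintf(stderr, "Error: cannot read /proc/%u/comm\n", (unsigned) pid); exit(1);`. The `if` conditions that both new `else` branches belong to start above the hunk, so the exact comparison is not visible. If it matches on the process name, that name is chosen by the process itself, which makes the new "not a firejail sandbox" exit a usability guard, with the uid check that follows remaining the actual access control.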