Diffstat (limited to 'src/firejail/sbox.c')
-rw-r--r--src/firejail/sbox.c17
1 files changed, 16 insertions, 1 deletions
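--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+// clean the new process
+clearenv();
+int max = 20; // getdtablesize() is overkill for a firejail process
+for (i = 3; i < max; i++)
+close(i); // close open files
+int fd = open("/dev/null",O_RDWR, 0);
+if (fd != -1) {
+dup2 (fd, STDIN_FILENO);
+if (fd > 2)
+close (fd);
+}
+else // the user could run the sandbox without /dev/null
+close(STDIN_FILENO);
+umask(027);
+
 // apply filters
 if (filter & SBOX_CAPS_NONE) {
 caps_drop_all();
@@ -165,7 +180,7 @@ int sbox_run(unsigned filter, int num, ...) {
 else if (filter & SBOX_USER)
 drop_privs(1);
 
-assert(getenv("LD_PRELOAD") == NULL);
+clearenv();
 if (arg[0]) // get rid of scan-build warning
 execvp(arg[0], arg);
 else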
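Review bot: The descriptor-closing loop added at new lines 141–143 stops at a hard-coded `max = 20`, so any descriptor numbered 20 or higher that the firejail process inherited from its invoker survives into the exec'd helper, and the comment on line 141 itself admits the bound is a guess rather than the process's real table size. Deriving the bound from the actual limit, `struct rlimit rl; int max = (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < INT_MAX) ? (int)rl.rlim_cur : 20;`, would make the cleanup reliable; if the cost of that loop is the concern, the comment should instead state that firejail's own descriptors are expected to be opened with O_CLOEXEC and that this loop is only defense in depth. Note also that `clearenv()` now runs twice in the child (new lines 140 and 183); if the second call is meant to undo anything the filters or drop_privs() place in the environment, a short comment saying so, e.g. `// environment may have been touched by the filters above; clear it again before exec`, would stop a later reader from removing it as redundant. The body of sbox_run begins before the first hunk and continues after the second.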