Diffstat (limited to 'src')
-rw-r--r--src/firejail/caps.c2
-rw-r--r--src/firejail/fs.c8
-rw-r--r--src/firejail/main.c48
-rw-r--r--src/firejail/sandbox.c5
-rw-r--r--src/firejail/seccomp.c16
5 files changed, 45 insertions, 34 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index f63d17e02..cd7dbee74 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -377,7 +377,7 @@ static uint64_t extract_caps(int pid) {
377 377
378 char buf[MAXBUF]; 378 char buf[MAXBUF];
379 while (fgets(buf, MAXBUF, fp)) { 379 while (fgets(buf, MAXBUF, fp)) {
380 if (strncmp(buf, "CapBnd:", 7) == 0) { 380 if (strncmp(buf, "CapBnd:\t", 8) == 0) {
381 char *ptr = buf + 8; 381 char *ptr = buf + 8;
382 unsigned long long val; 382 unsigned long long val;
383 sscanf(ptr, "%llx", &val); 383 sscanf(ptr, "%llx", &val);
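Review bot: The `sscanf(ptr, "%llx", &val)` call that follows the tightened `"CapBnd:\t"` match still ignores its return value, so `val` is read uninitialized whenever the field does not parse as hex. Since this function apparently returns a capability set taken from another process's status file, a failed parse should take the function's failure path rather than yield an arbitrary mask: `if (sscanf(ptr, "%llx", &val) != 1)` followed by the existing error handling. The rest of extract_caps lies outside the hunk, so how `val` is used afterwards is inferred from the function name and return type.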
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 8491537b8..8a6dfc674 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -246,7 +246,7 @@ void fs_blacklist(const char *homedir) {
246 char *ptr; 246 char *ptr;
247 247
248 // process blacklist command 248 // process blacklist command
249 if (strncmp(entry->data, "bind", 4) == 0) { 249 if (strncmp(entry->data, "bind ", 5) == 0) {
250 char *dname1 = entry->data + 5; 250 char *dname1 = entry->data + 5;
251 char *dname2 = split_comma(dname1); 251 char *dname2 = split_comma(dname1);
252 if (dname2 == NULL) { 252 if (dname2 == NULL) {
@@ -284,15 +284,15 @@ void fs_blacklist(const char *homedir) {
284 } 284 }
285 285
286 // process blacklist command 286 // process blacklist command
287 if (strncmp(entry->data, "blacklist", 9) == 0) { 287 if (strncmp(entry->data, "blacklist ", 10) == 0) {
288 ptr = entry->data + 10; 288 ptr = entry->data + 10;
289 op = BLACKLIST_FILE; 289 op = BLACKLIST_FILE;
290 } 290 }
291 else if (strncmp(entry->data, "read-only", 9) == 0) { 291 else if (strncmp(entry->data, "read-only ", 10) == 0) {
292 ptr = entry->data + 10; 292 ptr = entry->data + 10;
293 op = MOUNT_READONLY; 293 op = MOUNT_READONLY;
294 } 294 }
295 else if (strncmp(entry->data, "tmpfs", 5) == 0) { 295 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
296 ptr = entry->data + 6; 296 ptr = entry->data + 6;
297 op = MOUNT_TMPFS; 297 op = MOUNT_TMPFS;
298 } 298 }
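Review bot: Now that the `"blacklist "`, `"read-only "` and `"tmpfs "` prefixes require a literal trailing space, an entry written with a tab separator or with no argument matches none of the branches in this chain, and the fallback branch is not visible in the hunk. If that fallback skips the entry instead of aborting, a filesystem restriction requested in the profile is dropped without notice, so the chain should end in an `else` that prints the offending entry and exits. The prefix length and the pointer offset are still written as separate literals (`5`/`+ 5`, `10`/`+ 10`, `6`/`+ 6`, including the `"bind "` case in the first hunk); deriving both from one constant per keyword would prevent the mismatch this commit fixes from returning. fs_blacklist's body continues outside both hunks.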
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9d635436d..3b2e7e4d9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -695,7 +695,6 @@ int main(int argc, char **argv) {
695 } 695 }
696 696
697 // extract private home dirname 697 // extract private home dirname
698printf("here %s:%d\n", __FILE__, __LINE__);
699 cfg.home_private = argv[i] + 10; 698 cfg.home_private = argv[i] + 10;
700 fs_check_private_dir(); 699 fs_check_private_dir();
701 arg_private = 1; 700 arg_private = 1;
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__);
1058 1057
1059 // use generic.profile as the default 1058 // use generic.profile as the default
1060 if (!custom_profile && !arg_noprofile) { 1059 if (!custom_profile && !arg_noprofile) {
1061 char *profile_name = DEFAULT_USER_PROFILE; 1060 if (cfg.chrootdir)
1062 if (getuid() == 0) 1061 fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
1063 profile_name = DEFAULT_ROOT_PROFILE; 1062 else if (arg_overlay)
1064 if (arg_debug) 1063 fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
1065 printf("Attempting to find %s.profile...", profile_name); 1064 else if (cfg.home_private_keep)
1066 1065 fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
1067 // look for the profile in ~/.config/firejail directory 1066 else {
1068 char *usercfgdir; 1067 // try to load a default profile
1069 if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) 1068 char *profile_name = DEFAULT_USER_PROFILE;
1070 errExit("asprintf"); 1069 if (getuid() == 0)
1071 custom_profile = profile_find(profile_name, usercfgdir); 1070 profile_name = DEFAULT_ROOT_PROFILE;
1072 free(usercfgdir); 1071 if (arg_debug)
1073 1072 printf("Attempting to find %s.profile...\n", profile_name);
1074 if (!custom_profile) { 1073
1075 // look for the profile in /etc/firejail directory 1074 // look for the profile in ~/.config/firejail directory
1076 custom_profile = profile_find(profile_name, "/etc/firejail"); 1075 char *usercfgdir;
1076 if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
1077 errExit("asprintf");
1078 custom_profile = profile_find(profile_name, usercfgdir);
1079 free(usercfgdir);
1080
1081 if (!custom_profile) {
1082 // look for the profile in /etc/firejail directory
1083 custom_profile = profile_find(profile_name, "/etc/firejail");
1084 }
1085
1086 if (custom_profile)
1087 printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name);
1077 } 1088 }
1078
1079 if (custom_profile)
1080 printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
1081 } 1089 }
1082 1090
1083 // check and assign an IP address - for macvlan it will be done again in the sandbox! 1091 // check and assign an IP address - for macvlan it will be done again in the sandbox!
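Review bot: The three new branches that skip the default profile for `cfg.chrootdir`, `arg_overlay` and `cfg.home_private_keep` carry no comment saying why these options are incompatible with it, and the sandbox then starts with no profile at all. A short comment above the chain would help the next reader judge whether that is safe, for example `// default profiles reference host paths; skip them when root or home is replaced` if that is indeed the reason. The warnings go to stderr while the `** Note: ... **` line uses `printf`, so it ends up on stdout; `fprintf(stderr, ...)` there would keep all of the launcher's notices on one stream. `profile_name` points at a string constant and could be declared `const char *`.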
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 46cb03da7..53782a288 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) {
179 //**************************** 179 //****************************
180 // configure filesystem 180 // configure filesystem
181 //**************************** 181 //****************************
182
182#ifdef HAVE_CHROOT 183#ifdef HAVE_CHROOT
183 if (cfg.chrootdir) { 184 if (cfg.chrootdir) {
184 fs_chroot(cfg.chrootdir); 185 fs_chroot(cfg.chrootdir);
@@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) {
267 //**************************** 268 //****************************
268 if (arg_nonetwork) { 269 if (arg_nonetwork) {
269 net_if_up("lo"); 270 net_if_up("lo");
271 if (arg_debug)
272 printf("Network namespace enabled, only loopback interface available\n");
270 } 273 }
271 else if (any_bridge_configured()) { 274 else if (any_bridge_configured()) {
272 // configure lo and eth0...eth3 275 // configure lo and eth0...eth3
@@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) {
397 if (arg_noroot) { 400 if (arg_noroot) {
398 int rv = unshare(CLONE_NEWUSER); 401 int rv = unshare(CLONE_NEWUSER);
399 if (rv == -1) { 402 if (rv == -1) {
400 fprintf(stderr, "Warning: cannot mount a new user namespace\n"); 403 fprintf(stderr, "Error: cannot mount a new user namespace\n");
401 perror("unshare"); 404 perror("unshare");
402 drop_privs(arg_nogroups); 405 drop_privs(arg_nogroups);
403 } 406 }
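Review bot: In the `arg_noroot` block the message now says `Error: cannot mount a new user namespace`, but the branch still only calls `perror("unshare")` and `drop_privs(arg_nogroups)` and then falls through, so the sandbox appears to keep running without the user namespace that was requested. If the failure is meant to be fatal, as the new wording suggests, the branch should stop there, for example with `exit(1);` after `perror("unshare");`. If continuing is intended, the text should stay a warning and say that the sandbox is running without a user namespace. The code after this block is outside the hunk, so the fall-through is inferred from the visible lines only.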
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 17f038a2e..47988dbf4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -179,8 +179,8 @@ static void filter_init(void) {
179 return; 179 return;
180 } 180 }
181 181
182 if (arg_debug) 182// if (arg_debug)
183 printf("Initialize seccomp filter\n"); 183// printf("Initialize seccomp filter\n");
184 // allocate a filter of SECSIZE 184 // allocate a filter of SECSIZE
185 sfilter = malloc(sizeof(struct sock_filter) * SECSIZE); 185 sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
186 if (!sfilter) 186 if (!sfilter)
@@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) {
220 assert(sfilter); 220 assert(sfilter);
221 assert(sfilter_alloc_size); 221 assert(sfilter_alloc_size);
222 assert(sfilter_index); 222 assert(sfilter_index);
223 if (arg_debug) 223// if (arg_debug)
224 printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); 224// printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
225 225
226 if ((sfilter_index + 2) > sfilter_alloc_size) 226 if ((sfilter_index + 2) > sfilter_alloc_size)
227 filter_realloc(); 227 filter_realloc();
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) {
246 assert(sfilter); 246 assert(sfilter);
247 assert(sfilter_alloc_size); 247 assert(sfilter_alloc_size);
248 assert(sfilter_index); 248 assert(sfilter_index);
249 if (arg_debug) 249// if (arg_debug)
250 printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); 250// printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
251 251
252 if ((sfilter_index + 2) > sfilter_alloc_size) 252 if ((sfilter_index + 2) > sfilter_alloc_size)
253 filter_realloc(); 253 filter_realloc();
@@ -272,8 +272,8 @@ static void filter_end_blacklist(void) {
272 assert(sfilter); 272 assert(sfilter);
273 assert(sfilter_alloc_size); 273 assert(sfilter_alloc_size);
274 assert(sfilter_index); 274 assert(sfilter_index);
275 if (arg_debug) 275// if (arg_debug)
276 printf("Ending syscall filter\n"); 276// printf("Ending syscall filter\n");
277 277
278 if ((sfilter_index + 2) > sfilter_alloc_size) 278 if ((sfilter_index + 2) > sfilter_alloc_size)
279 filter_realloc(); 279 filter_realloc();
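Review bot: The debug prints in filter_init, filter_add_whitelist, filter_add_blacklist and filter_end_blacklist are disabled by commenting them out, which leaves dead code in all four hunks of this file. Those lines were the only visible way to see which syscalls end up in the seccomp filter when debugging, which is what one would check to confirm the policy matches the profile. Either delete them outright, or keep them as they were, e.g. `if (arg_debug) printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));`. Each of the four functions continues outside its hunk.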