Diffstat (limited to 'src')
-rw-r--r--src/faudit/main.c2
-rw-r--r--src/faudit/syscall.c3
-rw-r--r--src/firecfg/firecfg.config12
-rw-r--r--src/firejail/appimage.c4
-rw-r--r--src/firejail/caps.c15
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/fs_dev.c54
-rw-r--r--src/firejail/fs_var.c3
-rw-r--r--src/firejail/join.c3
-rw-r--r--src/firejail/main.c6
-rw-r--r--src/firejail/no_sandbox.c5
-rw-r--r--src/firejail/run_symlink.c6
-rw-r--r--src/firejail/sandbox.c13
-rw-r--r--src/firejail/seccomp.c4
-rw-r--r--src/firejail/usage.c2
-rw-r--r--src/firejail/x11.c4
-rw-r--r--src/ftee/main.c6
-rw-r--r--src/man/firejail-profile.txt1
18 files changed, 92 insertions, 54 deletions
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 8ab0de5a6..57c709767 100644
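--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv) {
  int i;
 
  for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "syscall")) {
+ if (strcmp(argv[i], "syscall") == 0) {
  syscall_helper(argc, argv);
  return 0;
  }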
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 2925a6c30..9661f81e6 100644
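--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -34,6 +34,9 @@ extern int pivot_root(const char *new_root, const char *put_old);
 void syscall_helper(int argc, char **argv) {
  (void) argc;
 
+ if (argc < 3)
+ return;
+
  if (strcmp(argv[2], "mount") == 0) {
  int rv = mount(NULL, NULL, NULL, 0, NULL);
  (void) rv;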
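Review bot: The `(void) argc;` cast at the top of syscall_helper is stale now that the new `if (argc < 3)` guard reads argc, and the guard returns without telling the caller what was missing. Drop the cast and report the problem before returning, for example `fprintf(stderr, "Error: syscall name missing\n");`. Note also that main() matches "syscall" at any argv index while this helper always reads `argv[2]`, so the guard protects the access but not the positional assumption. The rest of syscall_helper lies outside the hunk.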
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e58c8ee52..c68db372b 100644
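--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,5 +1,5 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
-# This is the list of programs in alfabetical order handled by firecfg utility
+# This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad
 2048-qt
@@ -23,6 +23,8 @@ bless
 blender
 brasero
 brave
+calibre
+catfish
 cherrytree
 chromium
 chromium-browser
@@ -39,6 +41,7 @@ darktable
 deadbeef
 deluge
 dia
+digikam
 dillo
 dino
 display
@@ -48,6 +51,7 @@ dolphin
 dosbox
 dragon
 dropbox
+ebook-viewer
 elinks
 empathy
 eog
@@ -70,6 +74,7 @@ galculator
 geany
 gedit
 geeqie
+ghb
 gimp
 gitter
 gjs
@@ -97,6 +102,8 @@ gpredict
 gthumb
 gucharmap
 gwenview
+handbrake
+handbrake-gtk
 hedgewars
 hexchat
 highlight
@@ -150,6 +157,7 @@ mediathekview
 meld
 midori
 mousepad
+mplayer
 mpv
 multimc5
 mumble
@@ -196,6 +204,7 @@ skanlite
 skype
 skypeforlinux
 slack
+smplayer
 soffice
 spectacle
 spotify
@@ -224,6 +233,7 @@ vlc
 vym
 w3m
 warzone2100
+waterfox
 weechat
 weechat-curses
 wesnot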
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 976750f8f..0f7ab40ff 100644
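--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,17 +31,19 @@
 static char *devloop = NULL; // device file
 static char *mntdir = NULL; // mount point in /tmp directory
 
+#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
  fprintf(stderr, "Error: cannot configure loopback device\n");
  exit(1);
 }
+#endif
 
 void appimage_set(const char *appimage) {
  assert(appimage);
  assert(devloop == NULL); // don't call this twice!
  EUID_ASSERT();
 
-#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
+#ifdef LOOP_CTL_GET_FREE
  // check appimage file
  invalid_filename(appimage);
  if (access(appimage, R_OK) == -1) {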
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index d45ba20ce..ff4d3a9d7 100644
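--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,19 @@ void caps_print(void) {
  }
 }
 
+// drop discretionary access control capabilities for root sandboxes
+void caps_drop_dac_override(void) {
+ if (getuid() == 0) {
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_OVERRIDE\n");
+
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_READ_SEARCH\n");
+ }
+}
 
-
-
-// enabled by default
 int caps_default_filter(void) {
  // drop capabilities
  if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))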
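Review bot: Both `if (prctl(PR_CAPBSET_DROP, ...));` statements in caps_drop_dac_override end in an empty statement, so a failed drop is silently ignored and a root sandbox keeps CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH in its bounding set with no message. The failure branch should at least warn, and an early return removes one nesting level; fwarning is assumed to be visible in caps.c as it is in sandbox.c. A one-line comment that PR_CAPBSET_DROP only narrows the bounding set, so the effect shows at the next execve, would also help readers of the callers in join.c and sandbox.c.

```c
// drop discretionary access control capabilities for root sandboxes;
// PR_CAPBSET_DROP narrows the bounding set, which takes effect at the next execve
void caps_drop_dac_override(void) {
	if (getuid() != 0)
		return;

	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0))
		fwarning("cannot drop CAP_DAC_OVERRIDE\n");
	else if (arg_debug)
		printf("Drop CAP_DAC_OVERRIDE\n");

	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0))
		fwarning("cannot drop CAP_DAC_READ_SEARCH\n");
	else if (arg_debug)
		printf("Drop CAP_DAC_READ_SEARCH\n");
}
```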
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 91b9c7be7..8bf2a75c3 100644
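--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -500,6 +500,7 @@ void fs_dev_shm(void);
 void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
+void fs_dev_disable_video(void);
 
 // fs_home.c
 // private mode (--private)
@@ -533,6 +534,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
@@ -718,6 +720,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"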
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 159c8e654..fdaa0b355 100644
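--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -35,37 +35,37 @@ typedef struct {
  const char *dev_fname;
  const char *run_fname;
  int sound;
- int video;
  int hw3d;
+ int video;
 } DevEntry;
 
 static DevEntry dev[] = {
- {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
- {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1}, // 3d device
- {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
- {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
- {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
- {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
- {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
- {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
- {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
- {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
- {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
- {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
- {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
- {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
- {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
- {"/dev/video0", RUN_DEV_DIR "/video0", 0, 1},
- {"/dev/video1", RUN_DEV_DIR "/video1", 0, 1},
- {"/dev/video2", RUN_DEV_DIR "/video2", 0, 1},
- {"/dev/video3", RUN_DEV_DIR "/video3", 0, 1},
- {"/dev/video4", RUN_DEV_DIR "/video4", 0, 1},
- {"/dev/video5", RUN_DEV_DIR "/video5", 0, 1},
- {"/dev/video6", RUN_DEV_DIR "/video6", 0, 1},
- {"/dev/video7", RUN_DEV_DIR "/video7", 0, 1},
- {"/dev/video8", RUN_DEV_DIR "/video8", 0, 1},
- {"/dev/video9", RUN_DEV_DIR "/video9", 0, 1},
- {NULL, NULL, 0, 0}
+ {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device
+ {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device
+ {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
+ {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
+ {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
+ {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
+ {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
+ {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
+ {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
+ {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
+ {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
+ {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
+ {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
+ {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
+ {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
+ {"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
+ {"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
+ {"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
+ {"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
+ {"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
+ {"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
+ {"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
+ {"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
+ {"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
+ {"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
+ {NULL, NULL, 0, 0, 0}
 };
 
 static DevEntry dev[] rows above are followed by:
 static void deventry_mount(void) {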
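Review bot: The `dev[]` table still uses positional initializers, so each row's meaning depends on the member order of DevEntry, which this same change reorders. The old rows show the hazard: with the previous order (sound, video, hw3d) the `/dev/dri` and nvidia rows `0, 1` set the video flag rather than hw3d, so a device-class restriction could act on the wrong nodes. Designated initializers would make each row self-describing and immune to a reorder, for example `{.dev_fname = "/dev/dri", .run_fname = RUN_DEV_DIR "/dri", .hw3d = 1},` and `{.dev_fname = "/dev/video0", .run_fname = RUN_DEV_DIR "/video0", .video = 1},`.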
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9452d162d..11e9eabf5 100644
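--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -326,7 +326,8 @@ void fs_var_utmp(void) {
  endutent();
 
  // save new utmp file
- fwrite(&u_boot, sizeof(u_boot), 1, fp);
+ int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
+ (void) rv;
  SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
  fclose(fp);
 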
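Review bot: Storing the fwrite() result in `rv` and casting it to void in fs_var_utmp only silences the unused-result warning; a failed write of the utmp record still goes unnoticed, and the `size_t` return value is narrowed to `int`. Compare the item count instead, for example `if (fwrite(&u_boot, sizeof(u_boot), 1, fp) != 1) fwarning("cannot write the utmp file\n");`, assuming fwarning is visible here as it is in sandbox.c. The same pattern is added in src/ftee/main.c, in log_write() and in main(), where an unchecked failure means missing log or console output. fs_var_utmp begins outside the hunk.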
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b5b45a3bf..4c0537413 100644
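--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
  if (child < 0)
  errExit("fork");
  if (child == 0) {
+ // drop discretionary access control capabilities for root sandboxes
+ caps_drop_dac_override();
+
  // chroot into /proc/PID/root directory
  char *rootdir;
  if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)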
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 95c325f9f..cff61f64a 100644
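--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2272,9 +2272,9 @@ int main(int argc, char **argv) {
  if (cfg.chrootdir) {
  fwarning("default profile disabled by --chroot option\n");
  }
- else if (arg_overlay) {
- fwarning("default profile disabled by --overlay option\n");
- }
+// else if (arg_overlay) {
+// fwarning("default profile disabled by --overlay option\n");
+// }
  else {
  // try to load a default profile
  char *profile_name = DEFAULT_USER_PROFILE;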
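Review bot: The `--overlay` branch in main() is disabled by commenting it out at column 0 instead of being deleted, which leaves dead code in the profile-selection logic and no record of why. It is also a behaviour change: with `--overlay` the flow now falls into the `else` branch that tries to load a default profile. Delete the three lines and state the new rule in a comment, for example `// --overlay no longer disables the default profile`. main() continues outside the hunk.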
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index b37c5abf7..07c42006d 100644
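--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -209,6 +209,11 @@ void run_no_sandbox(int argc, char **argv) {
  break;
  }
  }
+ // if shell is /usr/bin/firejail, replace it with /bin/bash
+ if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+ cfg.shell = "/bin/bash";
+ prog_index = 0;
+ }
 
  if (prog_index == 0) {
  cfg.command_line = cfg.shell;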
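Review bot: `strcmp(cfg.shell, PATH_FIREJAIL)` in run_no_sandbox dereferences cfg.shell without a null check, and nothing in the hunk shows that it is always set by this point; `if (cfg.shell && strcmp(cfg.shell, PATH_FIREJAIL) == 0) {` is safe either way. The comment names /usr/bin/firejail while the comparison uses PATH_FIREJAIL, which is built from PREFIX, so it should read `// if the shell is firejail itself, fall back to /bin/bash`. The fallback path is hard-coded and not checked for existence before it becomes the command line. The function starts and ends outside the hunk.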
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index a9298a33f..ed885d3b1 100644
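--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -86,10 +86,6 @@ void run_symlink(int argc, char **argv) {
 
 
  // start the argv[0] program in a new sandbox
- char *firejail;
- if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
- errExit("asprintf");
-
  // drop privileges
  if (setgid(getgid()) < 0)
  errExit("setgid/getgid");
@@ -98,7 +94,7 @@ void run_symlink(int argc, char **argv) {
 
  // run command
  char *a[3 + argc];
- a[0] = firejail;
+ a[0] =PATH_FIREJAIL;
  a[1] = program;
  int i;
  for (i = 0; i < (argc - 1); i++) {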
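Review bot: `a[0] =PATH_FIREJAIL;` is missing the space after `=` that the neighbouring `a[1] = program;` has; write `a[0] = PATH_FIREJAIL;`. With the asprintf() lines removed, the comment `// start the argv[0] program in a new sandbox` now sits directly above `// drop privileges` with no code of its own, so it should move down to the `// run command` block or be dropped. run_symlink extends beyond both hunks.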
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7f82e2253..4ee05d070 100644
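--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
  caps_keep_list(arg_caps_list);
  else if (arg_caps_default_filter)
  caps_default_filter();
+
+ // drop discretionary access control capabilities for root sandboxes
+ caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
  // set security filters
  //****************************
  // set capabilities
-// if (!arg_noroot)
- set_caps();
+ set_caps();
 
  // set rlimits
  set_rlimits();
@@ -989,10 +991,9 @@ int sandbox(void* sandbox_arg) {
  if (arg_apparmor) {
  errno = 0;
  if (aa_change_onexec("firejail-default")) {
- fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
- fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
- fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
- exit(1);
+ fwarning("Cannot confine the application using AppArmor.\n"
+ "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+ "As root, run \"aa-enforce firejail-default\" to load it.\n");
  }
  else if (arg_debug)
  printf("AppArmor enabled\n");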
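Review bot: With `exit(1);` removed from the `aa_change_onexec("firejail-default")` failure branch in sandbox(), a run that asked for AppArmor through arg_apparmor now continues unconfined after only a warning, so the control fails open. A user or profile that requested the confinement gets a weaker sandbox than configured, and the warning is easy to miss when output is not watched. Keep the failure fatal by restoring `exit(1);` after the `fwarning(...)` call, or make the soft-failure behaviour an explicit opt-in and document it next to the branch. sandbox() extends well beyond this hunk.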
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 72a5874f8..15379215c 100644
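--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -68,7 +68,7 @@ int seccomp_load(const char *fname) {
  goto errexit;
  unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
  if (arg_debug)
- printf("reading %d seccomp entries from %s\n", entries, fname);
+ printf("configuring %d seccomp entries from %s\n", entries, fname);
 
  // read filter
  struct sock_filter *filter = malloc(size);
@@ -205,6 +205,8 @@ int seccomp_filter_keep(void) {
  printf("seccomp filter configured\n");
 
 
+ if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
+ sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
  return seccomp_load(RUN_SECCOMP_CFG);
 }
 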
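Review bot: The debug branch added at the end of seccomp_filter_keep runs the fseccomp helper with `SBOX_ROOT`, discards the result of sbox_run(), and carries no comment saying what it is for. Add one such as `// debug: print the filter that is about to be installed`, and confirm whether printing RUN_SECCOMP_CFG really needs root identity; if it does not, a reduced-privilege sbox_run mode would be the safer choice for a diagnostics-only path. The start of seccomp_filter_keep is outside the hunk.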
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 76930e1de..6f8298589 100644
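--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -220,7 +220,7 @@ void usage(void) {
  printf("\tstart Mozilla Firefox\n");
  printf(" $ firejail --debug firefox\n");
  printf("\tdebug Firefox sandbox\n");
- printf(" $ firejail --private --sna=8.8.8.8 firefox\n");
+ printf(" $ firejail --private --dns=8.8.8.8 firefox\n");
  printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
  printf("\tserver setting.\n");
  printf(" $ firejail --net=eth0 firefox\n");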
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 5ce156603..79ebc3b1b 100644
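--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
 
  // build the start command
  char *server_argv[256] = { // rest initialyzed to NULL
- "xpra", "start", display_str, "--no-daemon",
+ "xpra", "start", display_str, "--no-daemon", "--use-display",
  };
  unsigned pos = 0;
  while (server_argv[pos] != NULL) pos++;
@@ -736,7 +736,7 @@ void x11_start_xpra(int argc, char **argv) {
  }
 
  // add a small delay, on some systems it takes some time for the server to start
- sleep(1);
+ sleep(5);
 
  // check X11 socket
  char *fname;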
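Review bot: Raising the fixed delay to `sleep(5)` in x11_start_xpra makes every xpra start wait five seconds and still only guesses at server readiness. The code right after it checks the X11 socket, so polling for that socket in a short loop with an upper bound would be both faster on quick systems and more reliable on slow ones; the check itself lies outside the hunk, so this needs confirming against the full function. If the fixed sleep stays, the comment should no longer call it small, for example `// wait for the xpra server to come up; 1 second proved too short on some systems`.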
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 2628a77c5..6aede324c 100644
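--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -129,7 +129,8 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
  out_cnt = len;
  }
 
- fwrite(str, len, 1, out_fp);
+ int rv = fwrite(str, len, 1, out_fp);
+ (void) rv;
  fflush(0);
 }
 
@@ -230,7 +231,8 @@ int main(int argc, char **argv) {
  if (n <= 0)
  break;
 
- fwrite(buf, n, 1, stdout);
+ int rv = fwrite(buf, n, 1, stdout);
+ (void) rv;
  log_write(buf, n, fname);
  }
 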
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index cbffa9ce4..e4ef90944 100644
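--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,6 +407,7 @@ Disable sound system.
 .TP
 \fBnovideo
 Disable video devices.
+.TP
 \fBno3d
 Disable 3D hardware acceleration.
 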