Diffstat (limited to 'src')
-rw-r--r-- | src/faudit/main.c | 2 | ||||
-rw-r--r-- | src/faudit/syscall.c | 3 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 12 | ||||
-rw-r--r-- | src/firejail/appimage.c | 4 | ||||
-rw-r--r-- | src/firejail/caps.c | 15 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 54 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 3 | ||||
-rw-r--r-- | src/firejail/join.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 5 | ||||
-rw-r--r-- | src/firejail/run_symlink.c | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 13 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/firejail/x11.c | 4 | ||||
-rw-r--r-- | src/ftee/main.c | 6 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 1 |
18 files changed, 92 insertions, 54 deletions
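--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv) {
 int i;
 
 for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "syscall")) {
+if (strcmp(argv[i], "syscall") == 0) {
 syscall_helper(argc, argv);
 return 0;
 }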
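--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -34,6 +34,9 @@ extern int pivot_root(const char *new_root, const char *put_old);
 void syscall_helper(int argc, char **argv) {
 (void) argc;
 
+if (argc < 3)
+return;
+
 if (strcmp(argv[2], "mount") == 0) {
 int rv = mount(NULL, NULL, NULL, 0, NULL);
 (void) rv;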
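Review bot: The `(void) argc;` statement directly above the new `if (argc < 3)` guard is now stale, because argc is used; it can be deleted. The guard returns without any message, and main() returns 0 after the helper (see the main.c hunk), so an invocation with no operation name succeeds silently; a short usage line on stderr before `return;` would make that case visible. main() also matches "syscall" at any argv position while the helper always reads `argv[2]`, so the two should agree on where the keyword is expected. syscall_helper's body continues past the end of the hunk.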
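--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,5 +1,5 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
-# This is the list of programs in alfabetical order handled by firecfg utility
+# This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad
 2048-qt
@@ -23,6 +23,8 @@ bless
 blender
 brasero
 brave
+calibre
+catfish
 cherrytree
 chromium
 chromium-browser
@@ -39,6 +41,7 @@ darktable
 deadbeef
 deluge
 dia
+digikam
 dillo
 dino
 display
@@ -48,6 +51,7 @@ dolphin
 dosbox
 dragon
 dropbox
+ebook-viewer
 elinks
 empathy
 eog
@@ -70,6 +74,7 @@ galculator
 geany
 gedit
 geeqie
+ghb
 gimp
 gitter
 gjs
@@ -97,6 +102,8 @@ gpredict
 gthumb
 gucharmap
 gwenview
+handbrake
+handbrake-gtk
 hedgewars
 hexchat
 highlight
@@ -150,6 +157,7 @@ mediathekview
 meld
 midori
 mousepad
+mplayer
 mpv
 multimc5
 mumble
@@ -196,6 +204,7 @@ skanlite
 skype
 skypeforlinux
 slack
+smplayer
 soffice
 spectacle
 spotify
@@ -224,6 +233,7 @@ vlc
 vym
 w3m
 warzone2100
+waterfox
 weechat
 weechat-curses
 wesnot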
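--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,17 +31,19 @@
 static char *devloop = NULL; // device file
 static char *mntdir = NULL; // mount point in /tmp directory
 
+#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
 fprintf(stderr, "Error: cannot configure loopback device\n");
 exit(1);
 }
+#endif
 
 void appimage_set(const char *appimage) {
 assert(appimage);
 assert(devloop == NULL); // don't call this twice!
 EUID_ASSERT();
 
-#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
+#ifdef LOOP_CTL_GET_FREE
 // check appimage file
 invalid_filename(appimage);
 if (access(appimage, R_OK) == -1) {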
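--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,19 @@ void caps_print(void) {
 }
 }
 
+// drop discretionary access control capabilities for root sandboxes
+void caps_drop_dac_override(void) {
+if (getuid() == 0) {
+if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+else if (arg_debug)
+printf("Drop CAP_DAC_OVERRIDE\n");
+
+if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+else if (arg_debug)
+printf("Drop CAP_DAC_READ_SEARCH\n");
+}
+}
 
-
-
-// enabled by default
 int caps_default_filter(void) {
 // drop capabilities
 if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))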
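Review bot: In caps_drop_dac_override() both `prctl(PR_CAPBSET_DROP, ...)` calls end in an empty statement (`if (prctl(...));`), so a failure to drop CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH is ignored and the root sandbox keeps running with the capability still in its bounding set. For a hardening step the failure should at least be reported and arguably be fatal, and the empty-statement `if` is easy to misread as a typo. The sketch below handles the error explicitly with errExit, as join.c does for fork(); if a hard failure is too strict for some callers, an fwarning() call is the softer choice. caps_default_filter continues outside the hunk, so how it treats the same prctl failure is not visible here.

```c
// drop discretionary access control capabilities for root sandboxes
void caps_drop_dac_override(void) {
	if (getuid() != 0)
		return;

	// a root sandbox must not keep the DAC bypass; a failed drop is an error
	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0))
		errExit("prctl");
	if (arg_debug)
		printf("Drop CAP_DAC_OVERRIDE\n");

	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0))
		errExit("prctl");
	if (arg_debug)
		printf("Drop CAP_DAC_READ_SEARCH\n");
}
```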
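--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -500,6 +500,7 @@ void fs_dev_shm(void);
 void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
+void fs_dev_disable_video(void);
 
 // fs_home.c
 // private mode (--private)
@@ -533,6 +534,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
@@ -718,6 +720,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"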
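--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -35,37 +35,37 @@ typedef struct {
 const char *dev_fname;
 const char *run_fname;
 int sound;
-int video;
 int hw3d;
+int video;
 } DevEntry;
 
 static DevEntry dev[] = {
-{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
-{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1}, // 3d device
-{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
-{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
-{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
-{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
-{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
-{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
-{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
-{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
-{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
-{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
-{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
-{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
-{"/dev/video0", RUN_DEV_DIR "/video0", 0, 1},
-{"/dev/video1", RUN_DEV_DIR "/video1", 0, 1},
-{"/dev/video2", RUN_DEV_DIR "/video2", 0, 1},
-{"/dev/video3", RUN_DEV_DIR "/video3", 0, 1},
-{"/dev/video4", RUN_DEV_DIR "/video4", 0, 1},
-{"/dev/video5", RUN_DEV_DIR "/video5", 0, 1},
-{"/dev/video6", RUN_DEV_DIR "/video6", 0, 1},
-{"/dev/video7", RUN_DEV_DIR "/video7", 0, 1},
-{"/dev/video8", RUN_DEV_DIR "/video8", 0, 1},
-{"/dev/video9", RUN_DEV_DIR "/video9", 0, 1},
-{NULL, NULL, 0, 0}
+{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device
+{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device
+{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
+{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
+{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
+{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
+{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
+{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
+{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
+{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
+{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
+{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
+{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
+{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
+{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
+{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
+{"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
+{"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
+{"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
+{"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
+{"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
+{"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
+{"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
+{"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
+{"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
+{NULL, NULL, 0, 0, 0}
 };
 
 static void deventry_mount(void) {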
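Review bot: The dev[] table still uses positional initializers, which is how the flag columns drifted from the DevEntry field order; as rendered here, before this change the `0, 1` on the /dev/dri and /dev/nvidia* rows landed in `video` rather than `hw3d`. Designated initializers make each row independent of field order, for example `{"/dev/dri", RUN_DEV_DIR "/dri", .hw3d = 1},` and `{"/dev/video0", RUN_DEV_DIR "/video0", .video = 1},`. A one-line comment on each of `sound`, `hw3d` and `video` naming the option that reads it would also help, since a wrong flag here means a device stays visible inside a sandbox that asked for it to be hidden. The functions that consume the flags are outside this hunk.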
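--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -326,7 +326,8 @@ void fs_var_utmp(void) {
 endutent();
 
 // save new utmp file
-fwrite(&u_boot, sizeof(u_boot), 1, fp);
+int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
+(void) rv;
 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
 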
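Review bot: Assigning the fwrite() result to `rv` and casting it to void only silences the unused-result warning; a short or failed write of the utmp record is still ignored, and the same pattern is added in both hunks of src/ftee/main.c (log_write and the read loop in main). fwrite returns size_t, so `int rv` also narrows the type. Comparing against the item count handles it, e.g. `if (fwrite(&u_boot, sizeof(u_boot), 1, fp) != 1) fwarning("cannot write utmp file\n");`, and in ftee a failed write to the log or to stdout deserves at least a message on stderr. fs_var_utmp starts and ends outside this hunk.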
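--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+// drop discretionary access control capabilities for root sandboxes
+caps_drop_dac_override();
+
 // chroot into /proc/PID/root directory
 char *rootdir;
 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)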
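--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2272,9 +2272,9 @@ int main(int argc, char **argv) {
 if (cfg.chrootdir) {
 fwarning("default profile disabled by --chroot option\n");
 }
-else if (arg_overlay) {
-fwarning("default profile disabled by --overlay option\n");
-}
+// else if (arg_overlay) {
+// fwarning("default profile disabled by --overlay option\n");
+// }
 else {
 // try to load a default profile
 char *profile_name = DEFAULT_USER_PROFILE;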
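Review bot: The `--overlay` branch is commented out rather than deleted, which leaves dead code in the middle of an if/else chain and no record in the source of why the default profile is now loaded when --overlay is given. Delete the three lines, or replace them with a single comment stating the intent, e.g. `// --overlay no longer disables the default profile`. The enclosing chain in main() begins and ends outside the hunk.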
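--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -209,6 +209,11 @@ void run_no_sandbox(int argc, char **argv) {
 break;
 }
 }
+// if shell is /usr/bin/firejail, replace it with /bin/bash
+if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+cfg.shell = "/bin/bash";
+prog_index = 0;
+}
 
 if (prog_index == 0) {
 cfg.command_line = cfg.shell;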
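Review bot: The new check passes `cfg.shell` straight to strcmp(); whether it can still be NULL at this point is not visible in the hunk, so either guard it (`if (cfg.shell && strcmp(cfg.shell, PATH_FIREJAIL) == 0) {`) or state the invariant in the comment. The comparison is against the compiled-in PREFIX path, so the comment's `/usr/bin/firejail` is only accurate for a /usr prefix, and a shell setting that reaches firejail through a symlink or a differently spelled path would not match. The fallback `/bin/bash` is hard-coded without checking that it exists, and resetting `prog_index` to 0 appears to discard any program named on the command line, which deserves a word in the comment. run_no_sandbox continues outside the hunk.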
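--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -86,10 +86,6 @@ void run_symlink(int argc, char **argv) {
 
 
 // start the argv[0] program in a new sandbox
-char *firejail;
-if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
-errExit("asprintf");
-
 // drop privileges
 if (setgid(getgid()) < 0)
 errExit("setgid/getgid");
@@ -98,7 +94,7 @@ void run_symlink(int argc, char **argv) {
 
 // run command
 char *a[3 + argc];
-a[0] = firejail;
+a[0] =PATH_FIREJAIL;
 a[1] = program;
 int i;
 for (i = 0; i < (argc - 1); i++) {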
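--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 caps_keep_list(arg_caps_list);
 else if (arg_caps_default_filter)
 caps_default_filter();
+
+// drop discretionary access control capabilities for root sandboxes
+caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 // set security filters
 //****************************
 // set capabilities
-// if (!arg_noroot)
-set_caps();
+set_caps();
 
 // set rlimits
 set_rlimits();
@@ -989,10 +991,9 @@ int sandbox(void* sandbox_arg) {
 if (arg_apparmor) {
 errno = 0;
 if (aa_change_onexec("firejail-default")) {
-fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
-fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
-fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
-exit(1);
+fwarning("Cannot confine the application using AppArmor.\n"
+"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+"As root, run \"aa-enforce firejail-default\" to load it.\n");
 }
 else if (arg_debug)
 printf("AppArmor enabled\n");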
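Review bot: In the third hunk a failing `aa_change_onexec("firejail-default")` is downgraded from `exit(1)` to an fwarning() call, so a sandbox started with `arg_apparmor` set now continues without AppArmor confinement when the profile is not loaded. That is a fail-open change for a control that, going by the variable name, the user requested explicitly; unless there is a reason not shown on this page, keep `exit(1);` after the message, or put the soft behaviour behind its own option. Whether fwarning output can be suppressed elsewhere is not visible here; if it can, the downgrade would also be silent. In the first hunk, a comment on set_caps() noting that the DAC drop runs regardless of which caps option was selected would make the new ordering explicit.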
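--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -68,7 +68,7 @@ int seccomp_load(const char *fname) {
 goto errexit;
 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
 if (arg_debug)
-printf("reading %d seccomp entries from %s\n", entries, fname);
+printf("configuring %d seccomp entries from %s\n", entries, fname);
 
 // read filter
 struct sock_filter *filter = malloc(size);
@@ -205,6 +205,8 @@ int seccomp_filter_keep(void) {
 printf("seccomp filter configured\n");
 
 
+if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
+sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 return seccomp_load(RUN_SECCOMP_CFG);
 }
 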
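--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -220,7 +220,7 @@ void usage(void) {
 printf("\tstart Mozilla Firefox\n");
 printf(" $ firejail --debug firefox\n");
 printf("\tdebug Firefox sandbox\n");
-printf(" $ firejail --private --sna=8.8.8.8 firefox\n");
+printf(" $ firejail --private --dns=8.8.8.8 firefox\n");
 printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
 printf("\tserver setting.\n");
 printf(" $ firejail --net=eth0 firefox\n");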
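--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
 
 // build the start command
 char *server_argv[256] = { // rest initialyzed to NULL
-"xpra", "start", display_str, "--no-daemon",
+"xpra", "start", display_str, "--no-daemon", "--use-display",
 };
 unsigned pos = 0;
 while (server_argv[pos] != NULL) pos++;
@@ -736,7 +736,7 @@ void x11_start_xpra(int argc, char **argv) {
 }
 
 // add a small delay, on some systems it takes some time for the server to start
-sleep(1);
+sleep(5);
 
 // check X11 socket
 char *fname;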
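Review bot: Raising the fixed delay from `sleep(1)` to `sleep(5)` in the second hunk makes every xpra start five seconds slower and still races on a system where the server needs longer. Since the code right after it checks the X11 socket, a bounded poll would be more robust: retry the socket check at short intervals up to a timeout and continue as soon as the socket appears. If the fixed sleep stays, the comment should no longer call it "a small delay" and should say why five seconds was chosen. The socket check itself lies outside the hunk.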
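--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -129,7 +129,8 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
 out_cnt = len;
 }
 
-fwrite(str, len, 1, out_fp);
+int rv = fwrite(str, len, 1, out_fp);
+(void) rv;
 fflush(0);
 }
 
@@ -230,7 +231,8 @@ int main(int argc, char **argv) {
 if (n <= 0)
 break;
 
-fwrite(buf, n, 1, stdout);
+int rv = fwrite(buf, n, 1, stdout);
+(void) rv;
 log_write(buf, n, fname);
 }
 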
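--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,6 +407,7 @@ Disable sound system.
 .TP
 \fBnovideo
 Disable video devices.
+.TP
 \fBno3d
 Disable 3D hardware acceleration.
 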