Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 67 |
1 files changed, 66 insertions, 1 deletions
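--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 
 
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
 char *homedir = cfg.homedir;
 assert(homedir);
@@ -530,6 +530,71 @@ void fs_proc_sys_dev_boot(void) {
 
 // disable /dev/port
 disable_file(BLACKLIST_FILE, "/dev/port");
+
+
+// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+
+// disable various ipc sockets
+struct stat s;
+
+
+// breaks too many applications, option needed
+/* // disable /run/user/{uid}/bus */
+/* char *fnamebus; */
+/* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamebus, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamebus); */
+/* free(fnamebus); */
+
+// disable /run/user/{uid}/gnupg
+char *fnamegpg;
+if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+errExit("asprintf");
+if (stat(fnamegpg, &s) == 0)
+disable_file(BLACKLIST_FILE, fnamegpg);
+free(fnamegpg);
+
+// disable /run/user/{uid}/systemd
+char *fnamesysd;
+if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+errExit("asprintf");
+if (stat(fnamesysd, &s) == 0)
+disable_file(BLACKLIST_FILE, fnamesysd);
+free(fnamesysd);
+
+
+// WARNING: not working
+// disable /run/user/{uid}/kdeinit*
+//char *fnamekde;
+//if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+// errExit("asprintf");
+//if (stat(fnamekde, &s) == 0)
+// disable_file(BLACKLIST_FILE, fnamekde);
+//free(fnamekde);
+
+
+// disable /run/user/{uid}/pulse
+/* char *fnamepulse; */
+/* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamepulse, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamepulse); */
+/* free(fnamepulse); */
+
+// disable /run/user/{uid}/dconf
+/* char *fnamedconf; */
+/* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamedconf, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamedconf); */
+/* free(fnamedconf); */
+
+
+//more files with sockets to be blacklisted
+// /run/dbus /run/systemd /run/udev /run/lvm
+
+
 
 if (getuid() != 0) {
 // disable /dev/kmsg and /proc/kmsg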
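Review bot: Both live blacklists in the added block run only when `stat()` succeeds at the moment fs_proc_sys_dev_boot() executes, so a /run/user/UID/gnupg or /run/user/UID/systemd directory that appears after the jail starts is left reachable, as the WARNING comment itself concedes. That makes the protection depend on service start order, so the limitation belongs in user-facing documentation as well as in the source, and a follow-up should cover the path whether or not it exists yet (whether disable_file() accepts a missing target is not visible from this hunk). Separately, `getuid()` returns `uid_t`, which is unsigned on Linux, so each call should read like `asprintf(&fnamegpg, "/run/user/%u/gnupg", (unsigned) getuid())`. The enclosing function starts and ends outside the hunk.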