Diffstat (limited to 'src')
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/env.c4
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/fs.c66
-rw-r--r--src/firejail/macros.c9
-rw-r--r--src/firejail/profile.c1
-rw-r--r--src/firejail/util.c38
-rw-r--r--src/firejail/x11.c7
-rw-r--r--src/man/firejail-profile.txt2
9 files changed, 64 insertions, 65 deletions
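--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -412,6 +412,7 @@ telegram-desktop
 terasology
 thunderbird
 thunderbird-beta
+thunderbird-wayland
 tilp
 tor-browser-ar
 tor-browser-en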
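--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -132,6 +132,10 @@ void env_defaults(void) {
 	if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
 		errExit("setenv");
 
+	// spawn KIO slaves inside the sandbox
+	if (setenv("KDE_FORK_SLAVES", "1", 1) < 0)
+		errExit("setenv");
+
 	// set prompt color to green
 	int set_prompt = 0;
 	if (checkcfg(CFG_FIREJAIL_PROMPT))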
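Review bot: `setenv("KDE_FORK_SLAVES", "1", 1)` is applied to every sandbox and, because the overwrite flag is 1, replaces any value the user already had in the environment; the comment should state that this is deliberate rather than leaving a reader to wonder whether a user setting was clobbered by accident, e.g. `// always force KDE_FORK_SLAVES=1 so KIO slaves are forked by the sandboxed application itself (presumably instead of being requested from a klauncher running outside the sandbox)`. As written nothing can opt out; if some profiles need to, that would have to be a separate switch. env_defaults starts before and ends after the hunk.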
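--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -540,6 +540,7 @@ uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);
 void flush_stdin(void);
+void create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);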
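Review bot: The new prototype `void create_empty_dir_as_user(const char *dir, mode_t mode);` carries no comment, and its contract differs from the `_as_root` sibling declared right below it in a way callers must know: per the util.c hunk it forks, drops privileges, creates `dir` only when it does not already exist, and returns nothing, so every caller has to stat afterwards to learn whether the directory is there. A one-line comment next to the declaration such as `// create dir (if missing) as the real user; best-effort, reports nothing back — callers must stat` would make that visible at the point of use.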
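--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -767,26 +767,7 @@ void fs_proc_sys_dev_boot(void) {
 	char *fnamegpg;
 	if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
 		errExit("asprintf");
-	if (stat(fnamegpg, &s) == -1) {
-		pid_t child = fork();
-		if (child < 0)
-			errExit("fork");
-		if (child == 0) {
-			// drop privileges
-			drop_privs(0);
-			if (mkdir(fnamegpg, 0700) == 0) {
-				if (chmod(fnamegpg, 0700) == -1)
-					{;} // do nothing
-			}
-#ifdef HAVE_GCOV
-			__gcov_flush();
-#endif
-			_exit(0);
-		}
-		// wait for the child to finish
-		waitpid(child, NULL, 0);
-		fs_logger2("create", fnamegpg);
-	}
+	create_empty_dir_as_user(fnamegpg, 0700);
 	if (stat(fnamegpg, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamegpg);
 	free(fnamegpg);
@@ -795,26 +776,7 @@ void fs_proc_sys_dev_boot(void) {
 	char *fnamesysd;
 	if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
 		errExit("asprintf");
-	if (stat(fnamesysd, &s) == -1) {
-		pid_t child = fork();
-		if (child < 0)
-			errExit("fork");
-		if (child == 0) {
-			// drop privileges
-			drop_privs(0);
-			if (mkdir(fnamesysd, 0755) == 0) {
-				if (chmod(fnamesysd, 0755) == -1)
-					{;} // do nothing
-			}
-#ifdef HAVE_GCOV
-			__gcov_flush();
-#endif
-			_exit(0);
-		}
-		// wait for the child to finish
-		waitpid(child, NULL, 0);
-		fs_logger2("create", fnamesysd);
-	}
+	create_empty_dir_as_user(fnamesysd, 0755);
 	if (stat(fnamesysd, &s) == 0)
 		disable_file(BLACKLIST_FILE, fnamesysd);
 	free(fnamesysd);
@@ -924,31 +886,11 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 	}
 	else {
 		// create ~/.firejail directory
-		pid_t child = fork();
-		if (child < 0)
-			errExit("fork");
-		if (child == 0) {
-			// drop privileges
-			drop_privs(0);
-
-			// create directory
-			if (mkdir(dirname, 0700))
-				errExit("mkdir");
-			if (chmod(dirname, 0700) == -1)
-				errExit("chmod");
-			ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
-#ifdef HAVE_GCOV
-			__gcov_flush();
-#endif
-			_exit(0);
-		}
-		// wait for the child to finish
-		waitpid(child, NULL, 0);
+		create_empty_dir_as_user(dirname, 0700);
 		if (stat(dirname, &s) == -1) {
-			fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+			fprintf(stderr, "Error: cannot create directory %s\n", dirname);
 			exit(1);
 		}
-		fs_logger2("create", dirname);
 	}
 	free(dirname);
 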
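Review bot: In the fs_check_overlay_dir hunk the ownership and mode check that the removed child performed, `ASSERT_PERMS(dirname, getuid(), getgid(), 0700)`, has no replacement: the only post-condition on the new side is `stat(dirname, &s) == -1`, which passes for any existing object, follows symlinks, and says nothing about owner or mode, while the removed `errExit("chmod")` has become a silently ignored chmod inside the helper. Since this directory (presumably the parent of the overlay storage, given the function name) is created on the user's behalf, I would reject anything that is not a directory owned by the caller: `if (stat(dirname, &s) == -1 || !S_ISDIR(s.st_mode) || s.st_uid != getuid()) {` with the existing error path, and restore the 0700 verification if the if-branch above the hunk does not already apply it to pre-existing directories. The function starts and ends outside the hunk, so that sibling branch is not visible here.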
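--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -229,6 +229,13 @@ char *expand_macros(const char *path) {
 		EUID_ROOT();
 		return new_name;
 	}
+	else if (strncmp(path, "${RUNUSER}", 10) == 0) {
+		if (asprintf(&new_name, "/run/user/%u%s", getuid(), path + 10) == -1)
+			errExit("asprintf");
+		if(called_as_root)
+			EUID_ROOT();
+		return new_name;
+	}
 	else {
 		char *directory = resolve_macro(path);
 		if (directory) {
@@ -260,6 +267,8 @@ void invalid_filename(const char *fname, int globbing) {
 		ptr = fname + 7;
 	else if (strncmp(ptr, "${PATH}", 7) == 0)
 		ptr = fname + 7;
+	else if (strncmp(ptr, "${RUNUSER}", 10) == 0)
+		ptr = fname + 10;
 	else {
 		int id = macro_id(fname);
 		if (id != -1)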
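Review bot: The new `${RUNUSER}` macro is not documented anywhere in this change: the only man page hunk, in src/man/firejail-profile.txt, touches the conditional list and nothing else. Unless firejail-profile.txt already describes `${RUNUSER}` elsewhere, add an entry next to the other macros stating that it expands to `/run/user/<uid>` of the user invoking firejail, as the `"/run/user/%u%s", getuid()` format in expand_macros shows, followed by whatever trails the macro in the profile line. Both enclosing functions start before and end after their hunks.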
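--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -141,6 +141,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
 		bool value; // true if set
 	} conditionals[] = {
 		{"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+		{"HAS_NODBUS", strlen("HAS_NODBUS"), arg_nodbus!=0},
 		{"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
 		NULL
 	}, *cond = conditionals;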
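--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -961,6 +961,42 @@ void flush_stdin(void) {
 	}
 }
 
+void create_empty_dir_as_user(const char *dir, mode_t mode) {
+	assert(dir);
+	mode &= 07777;
+	struct stat s;
+
+	if (stat(dir, &s)) {
+		if (arg_debug)
+			printf("Creating empty %s directory\n", dir);
+		pid_t child = fork();
+		if (child < 0)
+			errExit("fork");
+		if (child == 0) {
+			// drop privileges
+			drop_privs(0);
+
+			if (mkdir(dir, mode) == 0) {
+				if (chmod(dir, mode) == -1)
+					{;} // do nothing
+			}
+			else if (errno != EEXIST && arg_debug) {
+				char *str;
+				if (asprintf(&str, "Directory %s not created", dir) == -1)
+					errExit("asprintf");
+				perror(str);
+			}
+#ifdef HAVE_GCOV
+			__gcov_flush();
+#endif
+			_exit(0);
+		}
+		waitpid(child, NULL, 0);
+		if (stat(dir, &s) == 0)
+			fs_logger2("create", dir);
+	}
+}
+
 void create_empty_dir_as_root(const char *dir, mode_t mode) {
 	assert(dir);
 	mode &= 07777;
@@ -1262,4 +1298,4 @@ void enter_network_namespace(pid_t pid) {
 		fprintf(stderr, "Error: cannot join the network namespace\n");
 		exit(1);
 	}
-}
\ No newline at end of file
+}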
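Review bot: create_empty_dir_as_user declares success on its final check regardless of what the path turned out to be: `if (stat(dir, &s) == 0) fs_logger2("create", dir);` logs a creation for any existing object, including a file or a symlink that the unprivileged mkdir hit with EEXIST, and the chmod failure in the child is discarded with `{;}`, so the requested mode is never confirmed either. I would tighten the post-check to `if (stat(dir, &s) == 0 && S_ISDIR(s.st_mode))` and, at least under arg_debug, report a failed chmod the same way the mkdir failure is reported. The function also needs a header comment stating its contract, since the callers in fs.c have to stat again themselves: it only acts when `dir` does not yet exist, performs the mkdir and chmod as the real user after drop_privs, masks `mode` to 07777, and never fails or returns a status to the caller.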
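--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1171,8 +1171,13 @@ void x11_xorg(void) {
 	char *dest;
 	if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
 		errExit("asprintf");
-	if (lstat(dest, &s) == -1)
+	if (lstat(dest, &s) == -1) {
 		touch_file_as_user(dest, 0600);
+		if (stat(dest, &s) == -1) {
+			fprintf(stderr, "Error: cannot create %s\n", dest);
+			exit(1);
+		}
+	}
 
 	// get a file descriptor for .Xauthority
 	fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);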
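--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F.
+Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 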