6 files changed, 35 insertions, 20 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3f1591cbd..23b1e364a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -423,6 +423,7 @@ kwrite
 leafpad
 # less - breaks man
 libreoffice
+librewolf
 liferea
 lightsoff
 lincity-ng
@@ -462,6 +463,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
 mattermost-desktop
 mcabber
 mediainfo
@@ -473,6 +475,8 @@ mencoder
 mendeleydesktop
 menulibre
 meteo-qt
+microsoft-edge
+microsoft-edge-dev
 midori
 min
 mindless
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b8ed29ece..544bfe83a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -867,7 +867,8 @@ char *guess_shell(void) {
        shell = getenv("SHELL");
        if (shell) {
                invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)
+                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                    strcmp(shell, PATH_FIREJAIL) != 0)
                        return shell;
        }
@@ -3029,8 +3030,15 @@ int main(int argc, char **argv, char **envp) {
                ptr += strlen(ptr);
                if (!arg_nogroups) {
+                        //  add firejail group
+                        gid_t g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
                        //  add tty group
-                        gid_t g = get_group_id("tty");
+                        g = get_group_id("tty");
                        if (g) {
                                sprintf(ptr, "%d %d 1\n", g, g);
                                ptr += strlen(ptr);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 01df77ee6..d7426f6ae 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,11 +204,12 @@ void run_no_sandbox(int argc, char **argv) {
                        break;
                }
        }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+// if shell is /usr/bin/firejail, replace it with /bin/bash
-                cfg.shell = "/bin/bash";
+//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                prog_index = 0;
+//              cfg.shell = "/bin/bash";
-        }
+//              prog_index = 0;
+//      }
        if (prog_index == 0) {
                cfg.command_line = cfg.shell;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index fe9d27ff1..1ee8cdfcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -756,6 +756,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                fprintf(stderr, "Error: invalid MAC address\n");
                                exit(1);
                        }
+                        // check multicast address
+                        if (br->macsandbox[0] & 1) {
+                                fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                exit(1);
+                        }
                }
                else
                        warning_feature_disabled("networking");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6cc1bc720..a3927cc88 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,7 +29,6 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
-#include <sys/syscall.h>
 #include <limits.h>
 #include <fcntl.h>
@@ -37,6 +36,7 @@
 #define O_PATH 010000000
 #endif
+#include <sys/syscall.h>
 #ifdef __NR_openat2
 #include <linux/openat2.h>
 #endif
@@ -1013,12 +1013,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                                if (chmod(dir, mode) == -1)
                                        {;} // do nothing
                        }
-                        else if (arg_debug) {
+                        else if (arg_debug)
-                                char *str;
+                                printf("Directory %s not created: %s\n", dir, strerror(errno));
-                                if (asprintf(&str, "Directory %s not created", dir) == -1)
-                                        errExit("asprintf");
-                                perror(str);
-                        }
 #ifdef HAVE_GCOV
                        __gcov_flush();
 #endif
@@ -1165,12 +1161,12 @@ void disable_file_path(const char *path, const char *file) {
 // open an existing file without following any symbolic link
 int safe_fd(const char *path, int flags) {
+        flags |= O_NOFOLLOW;
        assert(path);
        if (*path != '/' || strstr(path, "..")) {
                fprintf(stderr, "Error: invalid path %s\n", path);
                exit(1);
        }
-        flags |= O_NOFOLLOW;
        int fd = -1;
 #ifdef __NR_openat2 // kernel 5.6 or better
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 562b3eda3..347e2b31b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used.
+By default the user's preferred shell is used.
 .br
 .br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
 .SH EXAMPLES
 .TP
 \f\firejail
-Sandbox a regular /bin/bash session.
+Sandbox a regular shell session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
 \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
+Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3f1591cbd..23b1e364a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -423,6 +423,7 @@ kwrite
423	leafpad	423	leafpad
424	# less - breaks man	424	# less - breaks man
425	libreoffice	425	libreoffice
		426	librewolf
426	liferea	427	liferea
427	lightsoff	428	lightsoff
428	lincity-ng	429	lincity-ng
@@ -462,6 +463,7 @@ mate-calculator
462	mate-color-select	463	mate-color-select
463	mate-dictionary	464	mate-dictionary
464	mathematica	465	mathematica
		466	matrix-mirage
465	mattermost-desktop	467	mattermost-desktop
466	mcabber	468	mcabber
467	mediainfo	469	mediainfo
@@ -473,6 +475,8 @@ mencoder
473	mendeleydesktop	475	mendeleydesktop
474	menulibre	476	menulibre
475	meteo-qt	477	meteo-qt
		478	microsoft-edge
		479	microsoft-edge-dev
476	midori	480	midori
477	min	481	min
478	mindless	482	mindless


diff --git a/src/firejail/main.c b/src/firejail/main.c index b8ed29ece..544bfe83a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -867,7 +867,8 @@ char *guess_shell(void) {
867	shell = getenv("SHELL");	867	shell = getenv("SHELL");
868	if (shell) {	868	if (shell) {
869	invalid_filename(shell, 0); // no globbing	869	invalid_filename(shell, 0); // no globbing
870	if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0)	870	if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
		871	strcmp(shell, PATH_FIREJAIL) != 0)
871	return shell;	872	return shell;
872	}	873	}
873		874
@@ -3029,8 +3030,15 @@ int main(int argc, char argv, char envp) {
3029	ptr += strlen(ptr);	3030	ptr += strlen(ptr);
3030		3031
3031	if (!arg_nogroups) {	3032	if (!arg_nogroups) {
		3033	// add firejail group
		3034	gid_t g = get_group_id("firejail");
		3035	if (g) {
		3036	sprintf(ptr, "%d %d 1\n", g, g);
		3037	ptr += strlen(ptr);
		3038	}
		3039
3032	// add tty group	3040	// add tty group
3033	gid_t g = get_group_id("tty");	3041	g = get_group_id("tty");
3034	if (g) {	3042	if (g) {
3035	sprintf(ptr, "%d %d 1\n", g, g);	3043	sprintf(ptr, "%d %d 1\n", g, g);
3036	ptr += strlen(ptr);	3044	ptr += strlen(ptr);


diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 01df77ee6..d7426f6ae 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c
@@ -204,11 +204,12 @@ void run_no_sandbox(int argc, char **argv) {
204	break;	204	break;
205	}	205	}
206	}	206	}
207	// if shell is /usr/bin/firejail, replace it with /bin/bash	207
208	if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {	208	// if shell is /usr/bin/firejail, replace it with /bin/bash
209	cfg.shell = "/bin/bash";	209	// if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
210	prog_index = 0;	210	// cfg.shell = "/bin/bash";
211	}	211	// prog_index = 0;
		212	// }
212		213
213	if (prog_index == 0) {	214	if (prog_index == 0) {
214	cfg.command_line = cfg.shell;	215	cfg.command_line = cfg.shell;


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index fe9d27ff1..1ee8cdfcb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -756,6 +756,12 @@ int profile_check_line(char ptr, int lineno, const char fname) {
756	fprintf(stderr, "Error: invalid MAC address\n");	756	fprintf(stderr, "Error: invalid MAC address\n");
757	exit(1);	757	exit(1);
758	}	758	}
		759
		760	// check multicast address
		761	if (br->macsandbox[0] & 1) {
		762	fprintf(stderr, "Error: invalid MAC address (multicast)\n");
		763	exit(1);
		764	}
759	}	765	}
760	else	766	else
761	warning_feature_disabled("networking");	767	warning_feature_disabled("networking");


diff --git a/src/firejail/util.c b/src/firejail/util.c index 6cc1bc720..a3927cc88 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -29,7 +29,6 @@
29	#include <sys/ioctl.h>	29	#include <sys/ioctl.h>
30	#include <termios.h>	30	#include <termios.h>
31	#include <sys/wait.h>	31	#include <sys/wait.h>
32	#include <sys/syscall.h>
33	#include <limits.h>	32	#include <limits.h>
34		33
35	#include <fcntl.h>	34	#include <fcntl.h>
@@ -37,6 +36,7 @@
37	#define O_PATH 010000000	36	#define O_PATH 010000000
38	#endif	37	#endif
39		38
		39	#include <sys/syscall.h>
40	#ifdef __NR_openat2	40	#ifdef __NR_openat2
41	#include <linux/openat2.h>	41	#include <linux/openat2.h>
42	#endif	42	#endif
@@ -1013,12 +1013,8 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
1013	if (chmod(dir, mode) == -1)	1013	if (chmod(dir, mode) == -1)
1014	{;} // do nothing	1014	{;} // do nothing
1015	}	1015	}
1016	else if (arg_debug) {	1016	else if (arg_debug)
1017	char *str;	1017	printf("Directory %s not created: %s\n", dir, strerror(errno));
1018	if (asprintf(&str, "Directory %s not created", dir) == -1)
1019	errExit("asprintf");
1020	perror(str);
1021	}
1022	#ifdef HAVE_GCOV	1018	#ifdef HAVE_GCOV
1023	__gcov_flush();	1019	__gcov_flush();
1024	#endif	1020	#endif
@@ -1165,12 +1161,12 @@ void disable_file_path(const char path, const char file) {
1165		1161
1166	// open an existing file without following any symbolic link	1162	// open an existing file without following any symbolic link
1167	int safe_fd(const char *path, int flags) {	1163	int safe_fd(const char *path, int flags) {
		1164	flags \|= O_NOFOLLOW;
1168	assert(path);	1165	assert(path);
1169	if (*path != '/' \|\| strstr(path, "..")) {	1166	if (*path != '/' \|\| strstr(path, "..")) {
1170	fprintf(stderr, "Error: invalid path %s\n", path);	1167	fprintf(stderr, "Error: invalid path %s\n", path);
1171	exit(1);	1168	exit(1);
1172	}	1169	}
1173	flags \|= O_NOFOLLOW;
1174	int fd = -1;	1170	int fd = -1;
1175		1171
1176	#ifdef __NR_openat2 // kernel 5.6 or better	1172	#ifdef __NR_openat2 // kernel 5.6 or better


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 562b3eda3..347e2b31b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
76	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option	76	The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
77	to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.	77	to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
78	.PP	78	.PP
79	If a program argument is not specified, Firejail starts /bin/bash shell.	79	If a program argument is not specified, Firejail starts the user's preferred shell.
80	Examples:	80	Examples:
81	.PP	81	.PP
82	$ firejail [OPTIONS] # starting a /bin/bash shell	82	$ firejail [OPTIONS] # starting the program specified in $SHELL, usually /bin/bash
83	.PP	83	.PP
84	$ firejail [OPTIONS] firefox # starting Mozilla Firefox	84	$ firejail [OPTIONS] firefox # starting Mozilla Firefox
85	.PP	85	.PP
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
2476	\fB\-\-shell=program	2476	\fB\-\-shell=program
2477	Set default user shell. Use this shell to run the application using \-c shell option.	2477	Set default user shell. Use this shell to run the application using \-c shell option.
2478	For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".	2478	For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
2479	By default Bash shell (/bin/bash) is used.	2479	By default the user's preferred shell is used.
2480	.br	2480	.br
2481		2481
2482	.br	2482	.br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
3023	.SH EXAMPLES	3023	.SH EXAMPLES
3024	.TP	3024	.TP
3025	\f\firejail	3025	\f\firejail
3026	Sandbox a regular /bin/bash session.	3026	Sandbox a regular shell session.
3027	.TP	3027	.TP
3028	\f\firejail firefox	3028	\f\firejail firefox
3029	Start Mozilla Firefox.	3029	Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
3043	assigned automatically.	3043	assigned automatically.
3044	.TP	3044	.TP
3045	\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2	3045	\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
3046	Start a /bin/bash session in a new network namespace and connect it	3046	Start a shell session in a new network namespace and connect it
3047	to br0, br1, and br2 host bridge devices. IP addresses are assigned	3047	to br0, br1, and br2 host bridge devices. IP addresses are assigned
3048	automatically for the interfaces connected to br1 and b2	3048	automatically for the interfaces connected to br1 and b2
3049	#endif	3049	#endif