Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 | ||||
-rw-r--r-- | src/firejail/x11.c | 4 | ||||
-rw-r--r-- | src/fseccomp/protocol.c | 5 | ||||
-rw-r--r-- | src/man/firecfg.txt | 12 |
8 files changed, 18 insertions, 20 deletions
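--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -230,6 +230,7 @@ wire
 wireshark
 xchat
 xed
+Xephyr
 xfburn
 xfce4-dict
 xfce4-notes
@@ -239,6 +240,7 @@ xonotic-glx
 xonotic-sdl
 xpdf
 xplayer
+xpra
 xreader
 xviewer
 youtube-dl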
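--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2174,7 +2174,7 @@ int main(int argc, char **argv) {
 
 // prog_index could still be -1 if no program was specified
 if (prog_index == -1 && arg_shell_none) {
-fprintf(stderr, "shell=none configured, but no program specified\n");
+fprintf(stderr, "Error: shell=none configured, but no program specified\n");
 exit(1);
 }
 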
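--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -230,8 +230,5 @@ void run_no_sandbox(int argc, char **argv) {
 
 arg_quiet = 1;
 
-// we don't want to run a shell, otherwise it will be recursively
-arg_shell_none = 1;
-
 start_application();
 }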
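--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1089,12 +1089,8 @@ void profile_read(const char *fname) {
 }
 
 // check file
-if (strlen(fname) == 0) {
-fprintf(stderr, "Error: invalid profile file\n");
-exit(1);
-}
 invalid_filename(fname);
-if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+if (strlen(fname) == 0 || is_dir(fname)) {
 fprintf(stderr, "Error: invalid profile file\n");
 exit(1);
 }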
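Review bot: The relaxed condition `if (strlen(fname) == 0 || is_dir(fname))` no longer rejects symlinks or names containing `..`, and nothing in the hunk shows what replaces those checks. firejail is normally installed setuid root, so following a user-controlled link here is only safe if the profile is opened with the invoking user's privileges or `invalid_filename()` already filters such paths; neither is visible, since profile_read starts before the hunk and continues after it. If the relaxation is intentional, record the assumption next to the check once it has been confirmed, for example `// symlinks and ".." are accepted: the profile is opened with the caller's privileges`. Note also that `invalid_filename(fname)` now runs before the empty-string test, so it must tolerate `""`.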
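--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -43,7 +43,7 @@
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-
+#include <syscall.h>
 
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
@@ -907,7 +907,7 @@ int sandbox(void* sandbox_arg) {
 // set seccomp //todo: push it down after drop_privs and/or configuring noroot
 #ifdef HAVE_SECCOMP
 // install protocol filter
-#ifdef SYS_SOCKET
+#ifdef SYS_socket
 if (cfg.protocol) {
 if (arg_debug)
 printf("Install protocol filter: %s\n", cfg.protocol);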
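Review bot: Gating the protocol filter on `#ifdef SYS_socket` fails open: when the macro is undefined (header missing, or an architecture without a direct socket syscall) the `if (cfg.protocol)` block is compiled out and a requested protocol restriction is silently not installed, which is how the earlier `SYS_SOCKET` spelling went unnoticed. The hunk ends before the matching `#endif`, so an `#else` may already exist; if not, add one that reports the case, e.g. `if (cfg.protocol) fprintf(stderr, "Warning: --protocol not supported on this platform\n");`. A short comment on the new include, `#include <syscall.h> // SYS_socket gates the protocol filter below`, would keep the dependency from being removed by accident; `<sys/syscall.h>` is the documented header name.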
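--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -568,6 +568,7 @@ void x11_start_xephyr(int argc, char **argv) {
 (void) rv;
 }
 
+assert(display_str);
 setenv("DISPLAY", display_str, 1);
 // run attach command
 jail = fork();
@@ -785,6 +786,7 @@ void x11_start_xpra(int argc, char **argv) {
 _exit(1);
 }
 
+assert(display_str);
 setenv("DISPLAY", display_str, 1);
 
 // build jail command
@@ -798,7 +800,7 @@ void x11_start_xpra(int argc, char **argv) {
 }
 firejail_argv[pos] = NULL;
 
-assert(pos < (argc+2));
+assert((int) pos < (argc+2));
 assert(!firejail_argv[pos]);
 
 // start jail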
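Review bot: `assert(display_str)` is the only guard before `setenv("DISPLAY", display_str, 1)` in both x11_start_xephyr and x11_start_xpra, and it disappears when the program is built with NDEBUG, leaving a NULL value passed to setenv. An explicit check keeps the failure defined in every build: `if (!display_str) { fprintf(stderr, "Error: cannot determine display\n"); exit(1); }`. In the last hunk `assert((int) pos < (argc+2))` runs after `firejail_argv[pos] = NULL;` has already stored through that index, so the bound should be checked before the store. Both functions start and end outside the hunks, so where display_str is assigned is not visible here.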
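--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -60,6 +60,7 @@ static char *protocol[] = {
 NULL
 };
 
+#ifdef SYS_socket
 static struct sock_filter protocol_filter_command[] = {
 WHITELIST(AF_UNIX),
 WHITELIST(AF_INET),
@@ -67,6 +68,7 @@ static struct sock_filter protocol_filter_command[] = {
 WHITELIST(AF_NETLINK),
 WHITELIST(AF_PACKET)
 };
+#endif
 // Note: protocol[] and protocol_filter_command are synchronized
 
 // command length
@@ -75,6 +77,7 @@ struct sock_filter whitelist[] = {
 };
 unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter);
 
+#ifdef SYS_socket
 static struct sock_filter *find_protocol_domain(const char *p) {
 int i = 0;
 while (protocol[i] != NULL) {
@@ -85,7 +88,7 @@ static struct sock_filter *find_protocol_domain(const char *p) {
 
 return NULL;
 }
-
+#endif
 
 void protocol_print(void) {
 #ifndef SYS_socket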
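Review bot: The new `#ifdef SYS_socket` guards only work if protocol.c includes the header that defines SYS_socket, and no include line is visible in these hunks; the sandbox.c part of this commit had to add `#include <syscall.h>` for the same macro. If the header is missing, `protocol_filter_command` and `find_protocol_domain` are compiled out on every platform and `protocol_print` always takes its `#ifndef SYS_socket` branch, so confirm the include is present. With several guarded regions in the file, label the closers as `#endif // SYS_socket`.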
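--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -20,16 +20,14 @@ The integration covers:
 .br
 
 .br
-- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE, MATE and XFCE
+- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE
 desktop managers are supported in this moment
 .RE
 
-This brings us as very close to full desktop integration.
-
-To set it up, run "sudo firecfg" after installing
-Firejail software, and logout/login for the integration to take effect. "sudo firecfg" should also be run after
-you install new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a list of programs supported by default run "ls /etc/firejail".
+To set it up, run "sudo firecfg" after installing Firejail software.
+The same command should also be run after
+installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
+will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 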