Diffstat (limited to 'src')
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/env.c3
-rw-r--r--src/firejail/fs_whitelist.c38
-rw-r--r--src/firejail/join.c9
-rw-r--r--src/firejail/main.c7
-rw-r--r--src/include/euid_common.h5
-rw-r--r--src/man/firejail.txt6
7 files changed, 44 insertions, 25 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c909e6903..dd876c87c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -75,6 +75,7 @@ unbound
75# emulators/compatibility layers 75# emulators/compatibility layers
76mupen64plus 76mupen64plus
77wine 77wine
78dosbox
78 79
79# games 80# games
800ad 810ad
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 2cc65e464..88cd6918d 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -135,7 +135,8 @@ void env_defaults(void) {
135 } 135 }
136 136
137 // set the window title 137 // set the window title
138 printf("\033]0;firejail %s\007", cfg.window_title); 138 if (!arg_quiet)
139 printf("\033]0;firejail %s\007", cfg.window_title);
139 fflush(0); 140 fflush(0);
140} 141}
141 142
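Review bot: The title write at the end of env_defaults() is now gated only on `arg_quiet`, so the OSC sequence still goes to stdout when stdout is a pipe or a file, and `cfg.window_title` is placed inside the escape sequence as-is. I would use `if (!arg_quiet && isatty(STDOUT_FILENO))` so the sequence is only sent to a terminal. If the title is built from command-line arguments (not visible on this page), control characters in it should be replaced before printing so the title cannot end the sequence early. env_defaults() starts outside the hunk.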
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 33037da29..11e626b6e 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -554,24 +554,30 @@ void fs_whitelist(void) {
554 554
555 // /media mountpoint 555 // /media mountpoint
556 if (media_dir) { 556 if (media_dir) {
557 // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR 557 // some distros don't have a /media directory
558 int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); 558 struct stat s;
559 if (rv == -1) 559 if (stat("/media", &s) == 0) {
560 errExit("mkdir"); 560 // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
561 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) 561 int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
562 errExit("chown"); 562 if (rv == -1)
563 if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) 563 errExit("mkdir");
564 errExit("chmod"); 564 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
565 errExit("chown");
566 if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
567 errExit("chmod");
565 568
566 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 569 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
567 errExit("mount bind"); 570 errExit("mount bind");
568 571
569 // mount tmpfs on /media 572 // mount tmpfs on /media
570 if (arg_debug || arg_debug_whitelists) 573 if (arg_debug || arg_debug_whitelists)
571 printf("Mounting tmpfs on /media directory\n"); 574 printf("Mounting tmpfs on /media directory\n");
572 if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 575 if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
573 errExit("mounting tmpfs on /media"); 576 errExit("mounting tmpfs on /media");
574 fs_logger("tmpfs /media"); 577 fs_logger("tmpfs /media");
578 }
579 else
580 media_dir = 0;
575 } 581 }
576 582
577 // /var mountpoint 583 // /var mountpoint
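Review bot: The new `stat("/media", &s) == 0` test accepts any file type and treats every stat failure as "no /media", so a non-directory /media still reaches the bind mount and an error other than ENOENT silently turns `media_dir` off. I would tighten it to `if (stat("/media", &s) == 0 && S_ISDIR(s.st_mode))` and print a line under `arg_debug || arg_debug_whitelists` in the else branch so a skipped /media whitelist is visible. How later code treats whitelist entries under /media once `media_dir = 0` is outside this hunk and worth checking. fs_whitelist() starts and ends outside the hunk.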
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 948c7ef71..414b899ce 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -309,14 +309,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
309 printf("Joining user namespace\n"); 309 printf("Joining user namespace\n");
310 if (join_namespace(1, "user")) 310 if (join_namespace(1, "user"))
311 exit(1); 311 exit(1);
312
313 // user namespace resets capabilities
314 // set caps filter
315 if (apply_caps == 1) // not available for uid 0
316 caps_set(caps);
312 } 317 }
313 else 318 else
314 drop_privs(arg_nogroups); // nogroups not available for uid 0 319 drop_privs(arg_nogroups); // nogroups not available for uid 0
315 320
316 // user namespace resets capabilities
317 // set caps filter
318 if (apply_caps == 1) // not available for uid 0
319 caps_set(caps);
320 321
321 // set prompt color to green 322 // set prompt color to green
322 char *prompt = getenv("FIREJAIL_PROMPT"); 323 char *prompt = getenv("FIREJAIL_PROMPT");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index dbb92a899..501bccff2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,6 +46,7 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
46#endif 46#endif
47 47
48uid_t firejail_uid = 0; 48uid_t firejail_uid = 0;
49gid_t firejail_gid = 0;
49 50
50#define STACK_SIZE (1024 * 1024) 51#define STACK_SIZE (1024 * 1024)
51static char child_stack[STACK_SIZE]; // space for child's stack 52static char child_stack[STACK_SIZE]; // space for child's stack
@@ -606,6 +607,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
606 exit(1); 607 exit(1);
607 } 608 }
608 609
610 if (!cfg.shell && !arg_shell_none)
611 cfg.shell = guess_shell();
612
609 // join sandbox by pid or by name 613 // join sandbox by pid or by name
610 pid_t pid; 614 pid_t pid;
611 if (read_pid(argv[i] + 15, &pid) == 0) 615 if (read_pid(argv[i] + 15, &pid) == 0)
@@ -629,6 +633,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
629 exit(1); 633 exit(1);
630 } 634 }
631 635
636 if (!cfg.shell && !arg_shell_none)
637 cfg.shell = guess_shell();
638
632 // join sandbox by pid or by name 639 // join sandbox by pid or by name
633 pid_t pid; 640 pid_t pid;
634 if (read_pid(argv[i] + 18, &pid) == 0) 641 if (read_pid(argv[i] + 18, &pid) == 0)
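Review bot: The result of `guess_shell()` is stored in `cfg.shell` without a check in both added blocks of run_cmd_and_exit(), before the `read_pid(argv[i] + 15, ...)` call and again before `read_pid(argv[i] + 18, ...)`. If guess_shell() can return NULL (its definition is not on this page), the join continues with no shell set. A guard after each call, such as `if (!cfg.shell) { fprintf(stderr, "Error: cannot guess the shell\n"); exit(1); }`, would fail early instead. The same lines are duplicated in both paths, so a small static helper would keep them from drifting apart.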
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index de5572fb1..752df5fff 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -31,6 +31,7 @@
31} 31}
32 32
33extern uid_t firejail_uid; 33extern uid_t firejail_uid;
34extern uid_t firejail_gid;
34 35
35 36
36 37
@@ -44,16 +45,18 @@ static inline void EUID_ROOT(void) {
44static inline void EUID_USER(void) { 45static inline void EUID_USER(void) {
45 if (seteuid(firejail_uid) == -1) 46 if (seteuid(firejail_uid) == -1)
46 errExit("seteuid"); 47 errExit("seteuid");
47 if (setegid(firejail_uid) == -1) 48 if (setegid(firejail_gid) == -1)
48 errExit("setegid"); 49 errExit("setegid");
49} 50}
50 51
51static inline void EUID_PRINT(void) { 52static inline void EUID_PRINT(void) {
52 printf("debug: uid %d, euid %d\n", getuid(), geteuid()); 53 printf("debug: uid %d, euid %d\n", getuid(), geteuid());
54 printf("debug: gid %d, egid %d\n", getgid(), getegid());
53} 55}
54 56
55static inline void EUID_INIT(void) { 57static inline void EUID_INIT(void) {
56 firejail_uid = getuid(); 58 firejail_uid = getuid();
59 firejail_gid = getgid();
57} 60}
58 61
59#endif 62#endif
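Review bot: `extern uid_t firejail_gid;` declares the variable with a different type than its definition in main.c in this same commit, `gid_t firejail_gid = 0;`, and should read `extern gid_t firejail_gid;`. The two types are commonly the same underlying type on Linux, so this compiles, but mismatched declarations are undefined behaviour wherever they differ. In EUID_PRINT the added line passes `getgid()` and `getegid()` to `%d`; casting the arguments, e.g. `(int) getgid()`, makes the format match the argument type.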
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 35b84b981..dbb0df233 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -578,19 +578,19 @@ $ firejail --net=eth0 --name=browser firefox &
578.br 578.br
579# change netfilter configuration 579# change netfilter configuration
580.br 580.br
581$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" 581$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
582.br 582.br
583 583
584.br 584.br
585# verify netfilter configuration 585# verify netfilter configuration
586.br 586.br
587$ sudo firejail --join-network=browser "/sbin/iptables -vL" 587$ sudo firejail --join-network=browser /sbin/iptables -vL
588.br 588.br
589 589
590.br 590.br
591# verify IP addresses 591# verify IP addresses
592.br 592.br
593$ sudo firejail --join-network=browser "ip addr" 593$ sudo firejail --join-network=browser ip addr
594.br 594.br
595Switching to pid 1932, the first child process inside the sandbox 595Switching to pid 1932, the first child process inside the sandbox
596.br 596.br