Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/env.c | 3 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 38 | ||||
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/include/euid_common.h | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 6 |
7 files changed, 44 insertions, 25 deletions
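--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -75,6 +75,7 @@ unbound
 # emulators/compatibility layers
 mupen64plus
 wine
+dosbox
 
 # games
 0ad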
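--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -135,7 +135,8 @@ void env_defaults(void) {
 }
 
 // set the window title
-printf("\033]0;firejail %s\007", cfg.window_title);
+if (!arg_quiet)
+printf("\033]0;firejail %s\007", cfg.window_title);
 fflush(0);
 }
 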
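Review bot: The new guard on the title `printf` in env_defaults() only covers --quiet, so the OSC title sequence is still written when stdout is a pipe or a file; `if (!arg_quiet && isatty(STDOUT_FILENO))` would keep the escape bytes out of captured output. The sequence also embeds `cfg.window_title` verbatim, and where that string is built is not visible here, so it is worth confirming that control characters such as ESC and BEL are stripped before it reaches the terminal. env_defaults() begins outside the hunk.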
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 33037da29..11e626b6e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -554,24 +554,30 @@ void fs_whitelist(void) { | |||
554 | 554 | ||
555 | // /media mountpoint | 555 | // /media mountpoint |
556 | if (media_dir) { | 556 | if (media_dir) { |
557 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR | 557 | // some distros don't have a /media directory |
558 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); | 558 | struct stat s; |
559 | if (rv == -1) | 559 | if (stat("/media", &s) == 0) { |
560 | errExit("mkdir"); | 560 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
561 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) | 561 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); |
562 | errExit("chown"); | 562 | if (rv == -1) |
563 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | 563 | errExit("mkdir"); |
564 | errExit("chmod"); | 564 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) |
565 | errExit("chown"); | ||
566 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | ||
567 | errExit("chmod"); | ||
565 | 568 | ||
566 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 569 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
567 | errExit("mount bind"); | 570 | errExit("mount bind"); |
568 | 571 | ||
569 | // mount tmpfs on /media | 572 | // mount tmpfs on /media |
570 | if (arg_debug || arg_debug_whitelists) | 573 | if (arg_debug || arg_debug_whitelists) |
571 | printf("Mounting tmpfs on /media directory\n"); | 574 | printf("Mounting tmpfs on /media directory\n"); |
572 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 575 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
573 | errExit("mounting tmpfs on /media"); | 576 | errExit("mounting tmpfs on /media"); |
574 | fs_logger("tmpfs /media"); | 577 | fs_logger("tmpfs /media"); |
578 | } | ||
579 | else | ||
580 | media_dir = 0; | ||
575 | } | 581 | } |
576 | 582 | ||
577 | // /var mountpoint | 583 | // /var mountpoint |
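Review bot: The added `stat("/media", &s) == 0` test in fs_whitelist() accepts any existing path, including a non-directory, and sends every stat() failure (not only ENOENT) to the `else` that clears `media_dir`. Tightening it to `if (stat("/media", &s) == 0 && S_ISDIR(s.st_mode))` keeps the bind mount and the tmpfs mount off anything that is not a real directory. Because clearing `media_dir` silently drops the /media handling, a message under `arg_debug || arg_debug_whitelists` saying it was skipped would help when a profile is being diagnosed. fs_whitelist() starts and ends outside the hunk.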
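--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -309,14 +309,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
 printf("Joining user namespace\n");
 if (join_namespace(1, "user"))
 exit(1);
+
+// user namespace resets capabilities
+// set caps filter
+if (apply_caps == 1) // not available for uid 0
+caps_set(caps);
 }
 else
 drop_privs(arg_nogroups); // nogroups not available for uid 0
 
-// user namespace resets capabilities
-// set caps filter
-if (apply_caps == 1) // not available for uid 0
-caps_set(caps);
 
 // set prompt color to green
 char *prompt = getenv("FIREJAIL_PROMPT");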
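Review bot: With `caps_set(caps)` moved inside the user-namespace branch, the `else` path that calls `drop_privs(arg_nogroups)` no longer applies the caps filter in this part of join(). Whether an earlier call in the function already covers the non-userns case is not visible in the hunk. If it does, a comment on the moved block such as `// caps were already set earlier; repeated here because joining the user namespace resets them` would record why the two branches differ. If it does not, a join without a user namespace gets no caps filter from here, and that should be confirmed as intended. join() starts and ends outside the hunk.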
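--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -46,6 +46,7 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
 #endif
 
 uid_t firejail_uid = 0;
+gid_t firejail_gid = 0;
 
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE]; // space for child's stack
@@ -606,6 +607,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(1);
 }
 
+if (!cfg.shell && !arg_shell_none)
+cfg.shell = guess_shell();
+
 // join sandbox by pid or by name
 pid_t pid;
 if (read_pid(argv[i] + 15, &pid) == 0)
@@ -629,6 +633,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(1);
 }
 
+if (!cfg.shell && !arg_shell_none)
+cfg.shell = guess_shell();
+
 // join sandbox by pid or by name
 pid_t pid;
 if (read_pid(argv[i] + 18, &pid) == 0)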
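Review bot: `cfg.shell = guess_shell();` is stored unchecked in both added blocks of run_cmd_and_exit(), on the `argv[i] + 15` and the `argv[i] + 18` paths. guess_shell() is defined outside this page; if it can return NULL when no shell is found, the join would continue with `cfg.shell` unset, so a check such as `if (!cfg.shell) { fprintf(stderr, "Error: no suitable shell found\n"); exit(1); }` after the assignment would fail closed. The same lines are duplicated in both places, so a small static helper would keep the two join paths in step. run_cmd_and_exit() starts and ends outside these hunks.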
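--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -31,6 +31,7 @@
 }
 
 extern uid_t firejail_uid;
+extern uid_t firejail_gid;
 
 
 
@@ -44,16 +45,18 @@ static inline void EUID_ROOT(void) {
 static inline void EUID_USER(void) {
 if (seteuid(firejail_uid) == -1)
 errExit("seteuid");
-if (setegid(firejail_uid) == -1)
+if (setegid(firejail_gid) == -1)
 errExit("setegid");
 }
 
 static inline void EUID_PRINT(void) {
 printf("debug: uid %d, euid %d\n", getuid(), geteuid());
+printf("debug: gid %d, egid %d\n", getgid(), getegid());
 }
 
 static inline void EUID_INIT(void) {
 firejail_uid = getuid();
+firejail_gid = getgid();
 }
 
 #endif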
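Review bot: The new declaration `extern uid_t firejail_gid;` does not match the definition this commit adds in main.c, `gid_t firejail_gid = 0;`; it should read `extern gid_t firejail_gid;`. The two typedefs usually share an underlying type on Linux, so this likely compiles, but the header is what every caller of EUID_USER() sees and it should carry the right type. In EUID_PRINT() the ids are printed with `%d`; `%u` with a cast to `unsigned` would match the unsigned id types.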
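--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -578,19 +578,19 @@ $ firejail --net=eth0 --name=browser firefox &
 .br
 # change netfilter configuration
 .br
-$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
 .br
 
 .br
 # verify netfilter configuration
 .br
-$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+$ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 
 .br
 # verify IP addresses
 .br
-$ sudo firejail --join-network=browser "ip addr"
+$ sudo firejail --join-network=browser ip addr
 .br
 Switching to pid 1932, the first child process inside the sandbox
 .br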