Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/env.c | 6 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 7 | ||||
-rw-r--r-- | src/firejail/join.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 |
6 files changed, 13 insertions, 15 deletions
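--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
 "LANG",
 "LANGUAGE",
 "LC_MESSAGES",
-"PATH",
+// "PATH",
 "DISPLAY" // required by X11
 };
 
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
 errExit("clearenv");
 
 env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+// hardcoding PATH
+if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+errExit("setenv");
 }
 
 // Filter env variables for a sbox app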
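Review bot: The new `setenv("PATH", …)` in env_apply_whitelist carries only the comment `// hardcoding PATH`, which records neither why the caller's PATH is discarded nor why this directory order was chosen. I would replace it with `// PATH is never inherited from the caller; a fixed search path keeps command lookup out of the user's control`, assuming that is the intent, and move the literal to a named constant beside env_whitelist so it can be audited in one place. The value searches /usr/local/bin before /usr/bin, so it is worth confirming that /usr/local is root-owned on the supported distributions. In the first hunk the commented-out `// "PATH",` entry reads as dead code; `// PATH is set explicitly in env_apply_whitelist()` would tell the reader where it went. The body of env_apply_whitelist starts above the hunk.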
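--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 
 // check for firejail executable
-// we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+// we might have a file found in ${PATH} pointing to /usr/bin/firejail
 // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
 // and expects Firefox to open in the same sandbox
 if (strcmp(BINDIR "/firejail", fname) == 0) {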
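--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
 invalid_filename(fname, 0); // no globbing
 char *rv = expand_macros(fname);
 
-// no a link
-if (is_link(rv))
-goto errexit;
-
 // the user has read access to the file
 if (access(rv, R_OK))
 goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
 struct stat s;
 if (stat("/etc/hosts", &s) == -1)
 goto errexit;
-// not a link
-if (is_link("/etc/hosts"))
-goto errexit;
 // owned by root
 if (s.st_uid != 0)
 goto errexit;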
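--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -551,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (cfg.cpus) // not available for uid 0
 set_cpu_affinity();
 
-// set nice value
-if (arg_nice)
-set_nice(cfg.nice);
-
 // add x11 display
 if (display) {
 char *display_str;
@@ -573,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 dbus_set_system_bus_env();
 #endif
 
+// set nice and rlimits
+if (arg_nice)
+set_nice(cfg.nice);
+set_rlimits();
+
 start_application(0, shfd, NULL);
 
 __builtin_unreachable();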
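Review bot: The block added before `start_application(0, shfd, NULL);` calls `set_rlimits();` unconditionally right under the unbraced `if (arg_nice)`, and the comment `// set nice and rlimits` does not say that only the nice call is conditional or why both now run last. A blank line between the two calls, or separate comments, would stop the second call from being read as part of the `if`. If the move is meant to keep the priority and limits off the earlier setup steps and apply them only to the started application, say so: `// apply nice and rlimits last, so they affect only the application started below`. Whether `set_rlimits()` reports a failed `setrlimit` is not visible here, and join() starts and ends outside the hunk.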
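--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list)
 /* Include non-empty item */
 if (!*item)
 in[i] = 0;
-/* Remove all allready included items */
+/* Remove all already included items */
 for (k = 0; k < i; ++k)
 in[k] = 0;
 break;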
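--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.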