diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/env.c | 6 | ||||
| -rw-r--r-- | src/firejail/fs.c | 2 | ||||
| -rw-r--r-- | src/firejail/fs_hostname.c | 7 | ||||
| -rw-r--r-- | src/firejail/join.c | 9 | ||||
| -rw-r--r-- | src/firejail/profile.c | 2 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 2 |
6 files changed, 13 insertions, 15 deletions
diff --git a/src/firejail/env.c b/src/firejail/env.c index f5e9dd980..ad16de037 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
| @@ -262,7 +262,7 @@ static const char * const env_whitelist[] = { | |||
| 262 | "LANG", | 262 | "LANG", |
| 263 | "LANGUAGE", | 263 | "LANGUAGE", |
| 264 | "LC_MESSAGES", | 264 | "LC_MESSAGES", |
| 265 | "PATH", | 265 | // "PATH", |
| 266 | "DISPLAY" // required by X11 | 266 | "DISPLAY" // required by X11 |
| 267 | }; | 267 | }; |
| 268 | 268 | ||
| @@ -311,6 +311,10 @@ void env_apply_whitelist(void) { | |||
| 311 | errExit("clearenv"); | 311 | errExit("clearenv"); |
| 312 | 312 | ||
| 313 | env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); | 313 | env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); |
| 314 | |||
| 315 | // hardcoding PATH | ||
| 316 | if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0) | ||
| 317 | errExit("setenv"); | ||
| 314 | } | 318 | } |
| 315 | 319 | ||
| 316 | // Filter env variables for a sbox app | 320 | // Filter env variables for a sbox app |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5ac2da164..dd4c2139d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 108 | } | 108 | } |
| 109 | 109 | ||
| 110 | // check for firejail executable | 110 | // check for firejail executable |
| 111 | // we migth have a file found in ${PATH} pointing to /usr/bin/firejail | 111 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail |
| 112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird | 112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird |
| 113 | // and expects Firefox to open in the same sandbox | 113 | // and expects Firefox to open in the same sandbox |
| 114 | if (strcmp(BINDIR "/firejail", fname) == 0) { | 114 | if (strcmp(BINDIR "/firejail", fname) == 0) { |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 1a9a78ceb..7d320e90b 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
| @@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) { | |||
| 93 | invalid_filename(fname, 0); // no globbing | 93 | invalid_filename(fname, 0); // no globbing |
| 94 | char *rv = expand_macros(fname); | 94 | char *rv = expand_macros(fname); |
| 95 | 95 | ||
| 96 | // no a link | ||
| 97 | if (is_link(rv)) | ||
| 98 | goto errexit; | ||
| 99 | |||
| 100 | // the user has read access to the file | 96 | // the user has read access to the file |
| 101 | if (access(rv, R_OK)) | 97 | if (access(rv, R_OK)) |
| 102 | goto errexit; | 98 | goto errexit; |
| @@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) { | |||
| 119 | struct stat s; | 115 | struct stat s; |
| 120 | if (stat("/etc/hosts", &s) == -1) | 116 | if (stat("/etc/hosts", &s) == -1) |
| 121 | goto errexit; | 117 | goto errexit; |
| 122 | // not a link | ||
| 123 | if (is_link("/etc/hosts")) | ||
| 124 | goto errexit; | ||
| 125 | // owned by root | 118 | // owned by root |
| 126 | if (s.st_uid != 0) | 119 | if (s.st_uid != 0) |
| 127 | goto errexit; | 120 | goto errexit; |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 99fbfdd0a..a869f6b64 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
| @@ -551,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 551 | if (cfg.cpus) // not available for uid 0 | 551 | if (cfg.cpus) // not available for uid 0 |
| 552 | set_cpu_affinity(); | 552 | set_cpu_affinity(); |
| 553 | 553 | ||
| 554 | // set nice value | ||
| 555 | if (arg_nice) | ||
| 556 | set_nice(cfg.nice); | ||
| 557 | |||
| 558 | // add x11 display | 554 | // add x11 display |
| 559 | if (display) { | 555 | if (display) { |
| 560 | char *display_str; | 556 | char *display_str; |
| @@ -573,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 573 | dbus_set_system_bus_env(); | 569 | dbus_set_system_bus_env(); |
| 574 | #endif | 570 | #endif |
| 575 | 571 | ||
| 572 | // set nice and rlimits | ||
| 573 | if (arg_nice) | ||
| 574 | set_nice(cfg.nice); | ||
| 575 | set_rlimits(); | ||
| 576 | |||
| 576 | start_application(0, shfd, NULL); | 577 | start_application(0, shfd, NULL); |
| 577 | 578 | ||
| 578 | __builtin_unreachable(); | 579 | __builtin_unreachable(); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index b7c7185a6..059100fcb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list) | |||
| 1938 | /* Include non-empty item */ | 1938 | /* Include non-empty item */ |
| 1939 | if (!*item) | 1939 | if (!*item) |
| 1940 | in[i] = 0; | 1940 | in[i] = 0; |
| 1941 | /* Remove all allready included items */ | 1941 | /* Remove all already included items */ |
| 1942 | for (k = 0; k < i; ++k) | 1942 | for (k = 0; k < i; ++k) |
| 1943 | in[k] = 0; | 1943 | in[k] = 0; |
| 1944 | break; | 1944 | break; |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d0d3c25e8..a768829a1 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati | |||
| 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
| 607 | .TP | 607 | .TP |
| 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications |
| 609 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 609 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
| 610 | .TP | 610 | .TP |
| 611 | \fBdbus-user filter | 611 | \fBdbus-user filter |
| 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |