| Commit message (Collapse) | Author | Age |
Keep some groups regardless of nogroups and restore nogroups on nvidia
|
Remove workaround from commit 623e68216 ("temporary fix for
nvidia/nogroups/noroot issue (#3644, #841)", 2020-10-02) and from commit
cb460c32c ("more nvidia (#3644)", 2020-10-03).
The handling of the "render" and "video" groups is separate from
`nogroups` now, so disabling `nogroups` on nvidia shouldn't be necessary
anymore. See the previous 2 commits for details.
See also the discussion on PR #4632.
|
Mappings of command -> group that this commit adds:
* no3d -> render
* noprinters -> lp
* nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3])
* noinput -> input
Mappings that were considered but that are not added:
* notv -> ? (unknown group)
* nou2f -> ? (devices are apparently owned by root; see #4603)
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
See the previous commit ("Keep audio and video groups regardless of
nogroups") for details.
Relates to #2042 and #4632.
[1] https://wiki.debian.org/SystemGroups
[2] https://api.gentoo.org/uid-gid.txt
[3] https://wiki.archlinux.org/title/Users_and_groups
|
Currently, on systems that use seat managers that do not implement
seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is
used. This happens because without ACLs, access to the audio devices in
/dev is controlled by the standard group permissions and the "audio"
group is always dropped when `nogroups` is used. This patch makes the
"audio" and "video" groups be dropped if and only if `noaudio` and
`novideo` are in effect, respectively (and independently of `nogroups`).
See #4603 and the linked issues/discussions for details.
Note: This is a continuation of commit ea564eb74 ("Consider nosound and
novideo when keeping groups") / PR #4632.
Relates to #2042 and #4531.
|
development
|
Configure improvements2
|
See commit 15d793838 ("Try to fix #2310 -- Can't create run directory
without suid-root", 2021-05-13) / PR #4273.
It is the only "HAVE_" option whose value is set by if/else on a
makefile. Also, it is set in different places to either "yes", "no",
blank or "-DHAVE_SUID". Set the value only on configure.ac and only to
either blank or to "-DHAVE_SUID".
Misc: The `ifeq ($(HAVE_SUID),-DHAVE_SUID)` comparison that this adds is
based on the existing `ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)`
comparison on Makefile.in.
|
Consider nosound and novideo when keeping groups & misc refactors
|
Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
Relates to #4603.
|
Check if new_groups already is full before trying to add to it.
|
Move the logic from clean_supplementary_groups into the following new
functions:
* find_group
* copy_group_ifcont
These will be reused later.
Misc: The latter function's signature is based on getgrouplist(2), which
is used on clean_supplementary_groups.
|
Added on commit 137985136 ("Baseline firejail 0.9.28", 2015-08-08). See
also commit ad6bb83fa ("consolidate makefiles", 2018-03-31).
It is not used anywhere. And it looks like it has never been used
anywhere:
$ git log --oneline -Gpthread.h 137985136..master
$
Issue mentioned by @rusty-snake:
https://github.com/netblue30/firejail/issues/4642#issuecomment-955795463
|
This amends commit b5de1d0f9 ("Fix inconsistent descriptions of
machine-id option").
Relates to #4689.
|
Some places say that it "preserves" the file and other places say that
it "spoofs" the file. Based on the fs_machineid function on
src/firejail/fs_etc.c, the latter one is correct.
This amends commit d0cc960c9 ("spoof machine-id", 2016-12-05).
Fixes #4689.
Reported-by: @svc88
|
deterministic-shutdown option
|
Add OpenStego profile
|
Make env/arg sanity check failure messages more useful
|
This change doesn't alter any checks, but it gives more specific
errors when a sanity check of env vars or argv does not pass, which
can point to limits to raise or at least give us better detailed bug
reports.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://github.com/netblue30/firejail/issues/3678
Bug: https://github.com/netblue30/firejail/issues/3851
Bug: https://github.com/netblue30/firejail/issues/4633
|
Fix TOCTOU/CodeQL CWE-367 warnings (easy ones + fs.c)
|
Relates to #4503.
|
This should fix all such warnings on the following files:
* src/fids/main.c
* src/firejail/seccomp.c
Misc: Besides the above reason, these are some of the more
straightforward TOCTOU warning fixes and they are done without any
additional refactor commits, so that's the reason for "easy ones".
List of TOCTOU warnings:
https://github.com/netblue30/firejail/security/code-scanning?query=id%3Acpp%2Ftoctou-race-condition
See https://cwe.mitre.org/data/definitions/367.html
Relates to #4503.
|
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap. Also fixed some
firecfg.cfg -> firecfg.config references.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://github.com/netblue30/firejail/issues/408
Bug: https://github.com/netblue30/firejail/issues/2097
Bug: https://github.com/netblue30/firejail/issues/2829
Bug: https://github.com/netblue30/firejail/issues/3665
|
Profile Checks
|
cannot create fslogger file as user,
so raise privs and create it as root
|
possible because selinux_relabel_path
now raises privs itself where necessary
|
Add profiles for imv, retroarch, and torbrowser
|
imv, retroarch, and torbrowser are also added to
firecfg.config
|
Removes the inconsistency that some blacklisted
paths could be remounted (files specified explicitly)
and some could not. Now all blacklisted paths can
be mounted nosuid, nodev, noexec if users
specify this.
Also fixes the bug that mount id can indeed be 0.
Other than that no functional or algorithmic changes,
only readability improvements.
|
Fix misc in get_group_id