From 0c5aa59b932c22798980899e1cd4df72badc8bbd Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 9 Dec 2016 09:21:30 -0500
Subject: disable gnupg and systemd directories under /run/user
---
 README | 1 +
 RELNOTES | 1 +
 src/firejail/fs.c | 29 +++++++++++++++--------------
 3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/README b/README
index 10136207d..476ec40c6 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ valoq (https://github.com/valoq)
 - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
 - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
 - added wget profile
+ - disable gnupg and systemd directories under /run/user
 Lari Rauno (https://github.com/tuutti)
 - qutebrowser profile fixes
 SpotComms (https://github.com/SpotComms)
diff --git a/RELNOTES b/RELNOTES
index 28aa1f4e1..7755ae3a6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low
 * security: split most of networking code in a separate executable
 * security: split seccomp filter code configuration in a separate executable
 * security: split file copying in private option in a separate executable
+ * feature: disable gnupg and systemd directories under /run/user
 * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
 * feature: AppImage type 2 support
 * feature: test coverage (gcov) support
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 905d2903d..84dc9046c 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) { struct stat s; - // breaks too many applications, option needed - /* // disable /run/user/{uid}/bus */ - /* char *fnamebus; */ - /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamebus, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamebus); */ - /* free(fnamebus); */ - // disable /run/user/{uid}/gnupg char *fnamegpg; if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) - errExit("asprintf"); + errExit("asprintf"); if (stat(fnamegpg, &s) == 0) - disable_file(BLACKLIST_FILE, fnamegpg); + disable_file(BLACKLIST_FILE, fnamegpg); free(fnamegpg); // disable /run/user/{uid}/systemd char *fnamesysd; if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) - errExit("asprintf"); + errExit("asprintf"); if (stat(fnamesysd, &s) == 0) - disable_file(BLACKLIST_FILE, fnamesysd); + disable_file(BLACKLIST_FILE, fnamesysd); free(fnamesysd); +// todo: investigate +#if 0 + // breaks too many applications, option needed + /* // disable /run/user/{uid}/bus */ + /* char *fnamebus; */ + /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ + /* errExit("asprintf"); */ + /* if (stat(fnamebus, &s) == 0) */ + /* disable_file(BLACKLIST_FILE, fnamebus); */ + /* free(fnamebus); */ // WARNING: not working // disable /run/user/{uid}/kdeinit* @@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) { //more files with sockets to be blacklisted // /run/dbus /run/systemd /run/udev /run/lvm - +#endif if (getuid() != 0) { -- cgit v1.2.3-70-g09d2
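Review bot: The gnupg and systemd blacklists in `fs_proc_sys_dev_boot` are applied only when `stat()` finds the directory at sandbox setup, so a directory created under `/run/user/{uid}` afterwards would presumably stay visible inside the sandbox; `disable_file` is not shown here, so this depends on how it and the `/run/user` mount behave. At minimum the limitation deserves a comment above each block, such as `// only effective if the directory already exists when the sandbox starts`. The paths are also formatted with `%d` from `getuid()`, and uid_t is unsigned on Linux, so a very large uid would yield a wrong path and the `stat()` guard would skip the blacklist silently; `"/run/user/%u/gnupg", (unsigned) getuid()` (and the same for `systemd`) avoids that. The new `#if 0` opens in this hunk and is closed by the `#endif` in the `-593` hunk, with the lines in between outside the diff; it leaves the `/run/user/{uid}/bus` blacklist disabled, so the `// todo: investigate` comment should state that the session bus socket remains reachable from the sandbox until the option exists.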