From 646d046c4c42004f007ad1bce1a94e1633e7c57f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 6 Nov 2016 08:13:44 -0500 Subject: cleanup --- etc/firefox.profile | 2 +- src/firejail/sbox.c | 15 +++++++++++++++ src/fnet/Makefile.in | 4 ++-- src/fseccomp/Makefile.in | 4 ++-- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/etc/firefox.profile b/etc/firefox.profile index 3fb56fd0e..7862bd010 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -48,6 +48,6 @@ include /etc/firejail/whitelist-common.inc # experimental features #private-bin firefox,which,sh,dbus-launch,dbus-send,env -private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-dev private-tmp diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 65ca5c443..b16736dee 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) { if (child < 0) errExit("fork"); if (child == 0) { + // clean the new process + clearenv(); + int max = 20; // getdtablesize() is overkill for a firejail process + for (i = 3; i < max; i++) + close(i); // close open files + int fd = open("/dev/null",O_RDWR, 0); + if (fd != -1) { + dup2 (fd, STDIN_FILENO); + if (fd > 2) + close (fd); + } + else // the user could run the sandbox without /dev/null + close(STDIN_FILENO); + umask(027); + // apply filters if (filter & SBOX_CAPS_NONE) { caps_drop_all(); diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index b515d2333..bba4406d4 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in @@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +fnet: $(OBJS) ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) clean:; rm -f *.o fnet diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 110d2c95f..1878ad2f3 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in @@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fseccomp: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) clean:; rm -f *.o fseccomp -- cgit v1.2.3-54-g00ecf