From 6d0ff0c7db8d710ceae142a5cfd689bf100d57dc Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 3 Jun 2022 07:02:31 -0400
Subject: enforce nonewprivs for --noprofile option
---
 RELNOTES | 2 ++
 src/firejail/main.c | 2 ++
 src/man/firejail.txt | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index 9df00d976..015c55201 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,8 +1,10 @@
 firejail (0.9.69) baseline; urgency=low
 * work in progress
+ * modif: --noprofile enforces nonewprivs
 * feature: enable shell tab completion (#4936)
 * feature: disable user profiles at compile time (#4990)
 * rework: whitelist restructuring (#4985)
+ * rework: firemon, speed up lots of fixes
 * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
 * bugfix: nogroups + wrc prints confusing messages (#4930 #4933)
 * bugfix: openSUSE Leap - whitelist-run-common.inc (#4954)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cbf9df79f..f3b656e2e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1875,6 +1875,8 @@ int main(int argc, char **argv, char **envp) {
 arg_noprofile = 1;
 // force keep-config-pulse in order to keep ~/.config/pulse as is
 arg_keep_config_pulse = 1;
+ // force nonewprivs
+ arg_nonewprivs = 1;
 }
 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
 if (custom_profile) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 420a96ab5..f78b75346 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1696,7 +1696,7 @@ Disable printers.
 .TP
 \fB\-\-noprofile
-Do not use a security profile.
+Do not use a security profile. nonewprivs is enforced for this option.
 .br
 .br
-- 
cgit v1.2.3-54-g00ecf
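Review bot: The new `arg_nonewprivs = 1;` in the `--noprofile` branch of src/firejail/main.c ties the hardening to this one parsing path, and the comment `// force nonewprivs` says what is set but not why. If `arg_noprofile` can be set anywhere other than this branch, or if a later option or code path can clear `arg_nonewprivs` (neither is visible in the hunk), the sandbox would start without a profile and without the flag; a single check after the option loop, `if (arg_noprofile) arg_nonewprivs = 1;`, would make the invariant independent of argument order. The comment could state the intent, e.g. `// no profile is loaded: force nonewprivs so setuid/file-capability binaries cannot gain privileges in the sandbox`, which is presumably the motivation and should be confirmed by the author. Because the override is silent, a user who depends on a setuid helper under `--noprofile` sees a failure with no hint at the cause, so a one-line notice when the flag is forced would help. `main` starts and ends outside the hunk.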