From c89bd3131770903c7121c271a7763b2ef1912272 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 2 Apr 2016 18:59:52 -0400 Subject: various fixes --- README | 1 + etc/cmus.profile | 1 - etc/disable-programs.inc | 1 + src/firejail/main.c | 2 +- src/firejail/profile.c | 2 +- src/firejail/sandbox.c | 6 ++++++ test/firefox-x11.exp | 14 +++++++++++++- test/firefox.exp | 14 +++++++++++++- test/test-profile.exp | 2 +- 9 files changed, 37 insertions(+), 6 deletions(-) diff --git a/README b/README index c242faa85..aaf05e673 100644 --- a/README +++ b/README @@ -100,6 +100,7 @@ avoidr (https://github.com/avoidr) - hostname support in profile file - Google Chrome profile rework - added cmus profile + - man page fixes Bruno Nova (https://github.com/brunonova) - whitelist fix - bash arguments fix diff --git a/etc/cmus.profile b/etc/cmus.profile index bfefd3100..72b43a70f 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -15,4 +15,3 @@ noroot private-bin cmus private-etc group shell none -noroot diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 660085194..89064d816 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -4,6 +4,7 @@ blacklist ${HOME}/.remmina blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader blacklist ${HOME}/.wine +blacklist ${HOME}/.config/cmus # HTTP / FTP / Mail blacklist ${HOME}/.icedove diff --git a/src/firejail/main.c b/src/firejail/main.c index 0269ff585..a66e10e0f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1268,8 +1268,8 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-bin option\n"); exit(1); } - fs_check_bin_list(); arg_private_bin = 1; + fs_check_bin_list(); } else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d7ea4a550..d2894d463 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
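Review bot: In etc/disable-programs.inc the new `blacklist ${HOME}/.config/cmus` applies to every profile that includes this file, which may include etc/cmus.profile itself. The top of cmus.profile is outside this diff, so confirm that it carries `noblacklist ${HOME}/.config/cmus` ahead of its include lines; otherwise cmus would be cut off from its own configuration. A short comment beside the new entry naming the profile that exempts it would make the pairing easy to audit.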
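Review bot: In src/firejail/main.c (the `--private-bin` branch of main()) the call to `fs_check_bin_list()` now has to come after `arg_private_bin = 1`, and nothing at the call site says why; the same reorder is made in profile_check_line() in src/firejail/profile.c. fs_check_bin_list() is not shown, so this is inferred: it presumably clears the flag when the list yields nothing usable, and the old order overwrote that result. A comment at both call sites such as `// keep after arg_private_bin = 1: fs_check_bin_list() may turn the option back off` would stop a later cleanup from swapping the lines again. Both functions continue outside their hunks.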
@@ -385,8 +385,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /bin list of files if (strncmp(ptr, "private-bin ", 12) == 0) { cfg.bin_private_keep = ptr + 12; - fs_check_bin_list(); arg_private_bin = 1; + fs_check_bin_list(); return 0; } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 732ebf27e..ccddeb888 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -227,8 +227,14 @@ static void start_application(void) { } } + if (cfg.original_program_index == 0) { + fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); + exit(1); + } + if (!arg_command && !arg_quiet) printf("Child process initialized\n"); + execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); } //**************************************** diff --git a/test/firefox-x11.exp b/test/firefox-x11.exp index c82408896..8bc7fbd25 100755 --- a/test/firefox-x11.exp +++ b/test/firefox-x11.exp @@ -4,7 +4,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11 --net=br0 firefox www.gentoo.org\r" +send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r" sleep 10 spawn $env(SHELL) @@ -18,6 +18,10 @@ expect { "firefox" {puts "firefox detected\n";} "iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} sleep 1 send -- "firejail --name=blablabla\r" expect { @@ -33,6 +37,10 @@ expect { " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} expect { timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} "Seccomp: 2" @@ -48,6 +56,10 @@ expect { " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} expect { timeout {puts "TESTING ERROR 6.1\n";exit} "CapBnd:" 
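Review bot: In start_application() in src/firejail/sandbox.c, the `execvp()` call that follows the new guard has no visible failure handling, so if the program cannot be executed control continues past the closing brace. What follows that brace is outside the hunk; check that it reports the error and exits, e.g. `perror("execvp"); exit(1);`, rather than carrying on in the process that set up the sandbox. The guard itself would read better with a comment stating that `cfg.original_program_index == 0` means no program was given on the command line, which is what the error text implies. The two blank `+` lines around the existing `if` and `execvp` are incidental whitespace.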
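Review bot: The three `expect` blocks added to test/firefox-x11.exp (labels 3.2, 5.0 and 6.0) end their timeout branch with a bare `exit`, which returns status 0, so a failed `no-remote` match shows up only in the printed text; the same blocks are added to test/firefox.exp. `timeout {puts "TESTING ERROR 3.2\n";exit 1}` would let a calling script detect the failure. The surrounding blocks use the same pattern, so this may be a convention of the suite. The new blocks are identical apart from the label, and a small proc taking the label would keep them in step.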
diff --git a/test/firefox.exp b/test/firefox.exp index c2e64e04f..d531cf977 100755 --- a/test/firefox.exp +++ b/test/firefox.exp @@ -4,7 +4,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail firefox www.gentoo.org\r" +send -- "firejail firefox -no-remote www.gentoo.org\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile /etc/firejail/firefox.profile" @@ -26,6 +26,10 @@ expect { "firefox" {puts "firefox detected\n";} "iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} sleep 1 send -- "firejail --name=blablabla\r" expect { @@ -41,6 +45,10 @@ expect { " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} expect { timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} "Seccomp: 2" @@ -56,6 +64,10 @@ expect { " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} expect { timeout {puts "TESTING ERROR 6.1\n";exit} "CapBnd:" diff --git a/test/test-profile.exp b/test/test-profile.exp index 89fe9c10a..a03e8db31 100755 --- a/test/test-profile.exp +++ b/test/test-profile.exp @@ -10,7 +10,7 @@ if { $argc != 1 } { exit } -send -- "firejail --profile=$argv\r" +send -- "firejail --profile=$argv /bin/bash\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" -- cgit v1.2.3-54-g00ecf
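Review bot: The changed `send` line in test/test-profile.exp interpolates `$argv`, which is a Tcl list, straight into a shell command line. With the `$argc != 1` check above it the single element usually prints as itself, but a profile path containing spaces is rendered with braces and then split by the shell. Taking the element explicitly and quoting it is more robust: `send -- "firejail --profile=\"[lindex $argv 0]\" /bin/bash\r"`.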