From d006e0c0ff3c3518d9ae683e7ad7755819fb8180 Mon Sep 17 00:00:00 2001 From: curiosity-seeker Date: Sun, 12 May 2019 17:41:29 +0200 Subject: Update firecfg.config for cantata --- src/firecfg/firecfg.config | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2d4902b91..aba0e9f60 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -92,6 +92,7 @@ calligraplanwork calligrasheets calligrastage calligrawords +cantata catfish celluloid checkbashisms -- cgit v1.2.3-70-g09d2 From f1207e70c4703c5ff2c2f4b8a7506860f611c633 Mon Sep 17 00:00:00 2001 From: quentin Date: Mon, 13 May 2019 22:17:44 +0200 Subject: Propagate --quiet to children Firejail'ed processes If quiet, set environment variable FIREJAIL_QUIET to "yes" before spawning the child process. Upon starting Firejail, become quiet if the FIREJAIL_QUIET environment variable is set to "yes". Signed-off-by: Quentin Minster --- src/firejail/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/firejail/main.c b/src/firejail/main.c index ece4c2cb5..7fa552c98 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -907,7 +907,8 @@ int main(int argc, char **argv) { // get starting timestamp, process --quiet start_timestamp = getticks(); - if (check_arg(argc, argv, "--quiet", 1)) + char *env_quiet = getenv("FIREJAIL_QUIET"); + if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) arg_quiet = 1; // cleanup at exit @@ -2422,6 +2423,10 @@ int main(int argc, char **argv) { } EUID_ASSERT(); + // pass --quiet as an environment variable, in case the command calls further firejailed commands + if (arg_quiet) + setenv("FIREJAIL_QUIET", "yes", 1); + // block X11 sockets if (arg_x11_block) x11_block(); -- cgit v1.2.3-70-g09d2 From 4814096e104f70f4a899894e2aa3e68b33753002 Mon Sep 17 00:00:00 2001 
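Review bot: The `getenv("FIREJAIL_QUIET")` added at the top of main() takes its value from the caller's environment with no comment saying why that is safe. Firejail is normally installed setuid-root, so this value is untrusted input, and any process that controls the environment of a later firejail invocation can silence it. I would add `// FIREJAIL_QUIET is untrusted: it may only ever reduce output, never change sandbox behaviour` above the call and declare the result `const char *env_quiet`, since the string is only compared. If fwarning() honours arg_quiet (not visible in this hunk), warnings about ignored or disabled options are dropped too, and the man page should say so alongside the new variable. main() begins and ends outside the hunk.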
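Review bot: The return value of the added `setenv("FIREJAIL_QUIET", "yes", 1)` is ignored, so an allocation failure silently leaves nested sandboxes non-quiet. The same unchecked call reappears in the env.c hunk of the later commit that moves it into env_defaults(). Suggested form: `if (arg_quiet && setenv("FIREJAIL_QUIET", "yes", 1) < 0) errExit("setenv");`, or whatever check the neighbouring setenv() calls in the project use. The enclosing main() starts and ends outside the hunk.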
From: Topi Miettinen Date: Wed, 15 May 2019 16:09:40 +0300 Subject: dbus: make --nodbus block also system D-Bus socket Signed-off-by: Topi Miettinen --- src/firejail/dbus.c | 5 ++++- src/firejail/firejail.h | 2 +- src/firejail/sandbox.c | 2 +- src/man/firejail.txt | 8 +++++--- 4 files changed, 11 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index baa41e85e..b046b3279 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -19,7 +19,7 @@ */ #include "firejail.h" -void dbus_session_disable(void) { +void dbus_disable(void) { if (!checkcfg(CFG_DBUS)) { fwarning("D-Bus handling is disabled in Firejail configuration file\n"); return; @@ -43,6 +43,9 @@ void dbus_session_disable(void) { free(path); free(env_var); + // blacklist also system D-Bus socket + disable_file_or_dir("/run/dbus/system_bus_socket"); + // look for a possible abstract unix socket // --net=none diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2e04084e3..e0f3a6a16 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -782,6 +782,6 @@ void set_x11_run_file(pid_t pid, int display); void set_profile_run_file(pid_t pid, const char *fname); // dbus.c -void dbus_session_disable(void); +void dbus_disable(void); #endif diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 101a16d00..9f0a5f25c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -923,7 +923,7 @@ int sandbox(void* sandbox_arg) { // Session D-BUS //**************************** if (arg_nodbus) - dbus_session_disable(); + dbus_disable(); //**************************** diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1b56dedcd..8f6948ef4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
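Review bot: The added `disable_file_or_dir("/run/dbus/system_bus_socket")` in dbus.c blacklists one fixed path, whereas the session code above it appears to build its path at run time (`free(path)`, `free(env_var)`). A system bus reachable under another name would stay accessible with --nodbus, for example `/var/run/dbus/system_bus_socket` where /var/run is not a symlink to /run, or an address supplied in DBUS_SYSTEM_BUS_ADDRESS. Whether disable_file_or_dir() resolves symlinks is not visible here. I would at least make the comment state the limit: `// blacklist also system D-Bus socket (default path only; abstract sockets are not covered)`. The banner `// Session D-BUS` above the renamed call in the sandbox.c hunk is now stale and should read `// D-Bus (session and system)`. dbus_disable() continues past the end of this hunk.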
@@ -1107,9 +1107,11 @@ $ nc dict.org 2628 .br .TP \fB\-\-nodbus -Disable D-Bus access. Only the regular UNIX socket is handled by this command. To -disable the abstract socket you would need to request a new network namespace using -\-\-net command. Another option is to remove unix from \-\-protocol set. +Disable D-Bus access (both system and session buses). Only the regular +UNIX sockets are handled by this command. To disable the abstract +sockets you would need to request a new network namespace using +\-\-net command. Another option is to remove unix from \-\-protocol +set. .br .br -- cgit v1.2.3-70-g09d2 From 203e34db60e9200a53708c425868a041e32eaf0d Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 16 May 2019 22:43:10 +0200 Subject: glibc missing O_PATH definition on CentOS 6 - #2696 --- src/firejail/fs.c | 4 ++++ src/firejail/fs_home.c | 6 +++++- src/firejail/fs_whitelist.c | 6 +++++- src/firejail/mountinfo.c | 4 ++++ src/firejail/pulseaudio.c | 4 ++++ src/firejail/util.c | 4 ++++ src/firejail/x11.c | 4 ++++ 7 files changed, 30 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f9d968427..bf7c0a4b2 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -27,7 +27,11 @@ #include #include #include + #include +#ifndef O_PATH +# define O_PATH 010000000 +#endif #define MAX_BUF 4096 #define EMPTY_STRING ("") diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index e35bf073d..b44d09acc 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -22,7 +22,6 @@ #include #include #include -#include #include #include #include @@ -31,6 +30,11 @@ #include //#include +#include +#ifndef O_PATH +# define O_PATH 010000000 +#endif + static void skel(const char *homedir, uid_t u, gid_t g) { char *fname; diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d128065d3..bce44b9e5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
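Review bot: The fallback `# define O_PATH 010000000` added in fs.c is repeated verbatim in fs_home.c, fs_whitelist.c, mountinfo.c, pulseaudio.c, util.c and x11.c, and it hard-codes the asm-generic value, which not every Linux architecture uses. Defining it once in firejail.h, with a comment naming where the constant comes from, would keep the seven copies from drifting. The larger concern for the sandbox is that a libc lacking O_PATH usually sits on a kernel that predates the flag, and open() on such kernels ignores flag bits it does not know. A call meant as a path-only open may then really open the file, and the commit message does not say whether the CentOS 6 kernel was checked for this. A comment such as `// fallback for old glibc headers; the running kernel must still support O_PATH` would record that assumption next to the define.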
@@ -24,9 +24,13 @@ #include #include #include -#include #include +#include +#ifndef O_PATH +# define O_PATH 010000000 +#endif + // mountinfo functionality test; // 1. enable TEST_MOUNTINFO definition // 2. run firejail --whitelist=/any/directory diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 0717b2044..7369ad247 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c @@ -19,7 +19,11 @@ */ #include "firejail.h" + #include +#ifndef O_PATH +# define O_PATH 010000000 +#endif #define MAX_BUF 4096 diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 26beaf35a..e3f237b8e 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -24,7 +24,11 @@ #include #include #include + #include +#ifndef O_PATH +# define O_PATH 010000000 +#endif // disable pulseaudio socket void pulseaudio_disable(void) { diff --git a/src/firejail/util.c b/src/firejail/util.c index 3e2cd13d5..fff0bbf2f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -29,7 +29,11 @@ #include #include #include + #include +#ifndef O_PATH +# define O_PATH 010000000 +#endif #define MAX_GROUPS 1024 #define MAXBUF 4098 diff --git a/src/firejail/x11.c b/src/firejail/x11.c index b0ed10b30..9d821d980 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -31,7 +31,11 @@ #include #include #include + #include +#ifndef O_PATH +# define O_PATH 010000000 +#endif // Parse the DISPLAY environment variable and return a display number. -- cgit v1.2.3-70-g09d2 From ce3ff9711e7cb6d966ce07714c5cd7ac331f7937 Mon Sep 17 00:00:00 2001 From: quentin Date: Fri, 17 May 2019 17:02:58 +0200 Subject: Move export of FIREJAIL_QUIET to env_defaults() So that it also works with --join. (HT @smitsohu) --- src/firejail/env.c | 5 +++++ src/firejail/main.c | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/firejail/env.c b/src/firejail/env.c index 2e9f516ba..f15e1362f 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c 
@@ -160,6 +160,11 @@ void env_defaults(void) { // set the window title if (!arg_quiet) printf("\033]0;firejail %s\007", cfg.window_title); + + // pass --quiet as an environment variable, in case the command calls further firejailed commands + if (arg_quiet) + setenv("FIREJAIL_QUIET", "yes", 1); + fflush(0); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 7fa552c98..f3dc72944 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2423,10 +2423,6 @@ int main(int argc, char **argv) { } EUID_ASSERT(); - // pass --quiet as an environment variable, in case the command calls further firejailed commands - if (arg_quiet) - setenv("FIREJAIL_QUIET", "yes", 1); - // block X11 sockets if (arg_x11_block) x11_block(); -- cgit v1.2.3-70-g09d2
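Review bot: The added `setenv()` block in env_defaults() sits between the window-title `printf` and the `fflush(0)` that flushes it, separating two lines that belong together. Moving the block above `// set the window title`, or below the flush, keeps the flush next to the output it serves. The comment could also name the consumer, e.g. `// read back in main() via getenv("FIREJAIL_QUIET")`, so the two ends of the mechanism can be found from each other. env_defaults() starts outside the hunk.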