disable gnupg and systemd directories under /run/user

netblue30 2016-12-09 09:21:30 -05:00
parent a9a9651d91
commit 0c5aa59b93
3 changed files with 21 additions and 18 deletions

1
README

@ -96,6 +96,7 @@ valoq (https://github.com/valoq)
- added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
- added wget profile
- disable gnupg and systemd directories under /run/user
Lari Rauno (https://github.com/tuutti)
- qutebrowser profile fixes
SpotComms (https://github.com/SpotComms)


@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low
* security: split most of networking code in a separate executable
* security: split seccomp filter code configuration in a separate executable
* security: split file copying in private option in a separate executable
* feature: disable gnupg and systemd directories under /run/user
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
* feature: AppImage type 2 support
* feature: test coverage (gcov) support


@ -538,6 +538,24 @@ void fs_proc_sys_dev_boot(void) {
struct stat s;
// disable /run/user/{uid}/gnupg
char *fnamegpg;
if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
errExit("asprintf");
if (stat(fnamegpg, &s) == 0)
disable_file(BLACKLIST_FILE, fnamegpg);
free(fnamegpg);
// disable /run/user/{uid}/systemd
char *fnamesysd;
if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
errExit("asprintf");
if (stat(fnamesysd, &s) == 0)
disable_file(BLACKLIST_FILE, fnamesysd);
free(fnamesysd);
// todo: investigate
#if 0
// breaks too many applications, option needed
/* // disable /run/user/{uid}/bus */
/* char *fnamebus; */
@ -547,23 +565,6 @@ void fs_proc_sys_dev_boot(void) {
/* disable_file(BLACKLIST_FILE, fnamebus); */
/* free(fnamebus); */
// disable /run/user/{uid}/gnupg
char *fnamegpg;
if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
errExit("asprintf");
if (stat(fnamegpg, &s) == 0)
disable_file(BLACKLIST_FILE, fnamegpg);
free(fnamegpg);
// disable /run/user/{uid}/systemd
char *fnamesysd;
if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
errExit("asprintf");
if (stat(fnamesysd, &s) == 0)
disable_file(BLACKLIST_FILE, fnamesysd);
free(fnamesysd);
// WARNING: not working
// disable /run/user/{uid}/kdeinit*
//char *fnamekde;
@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) {
//more files with sockets to be blacklisted
// /run/dbus /run/systemd /run/udev /run/lvm
#endif
if (getuid() != 0) {