fixes

etc/disable-secret.inc

@@ -10,3 +10,9 @@ blacklist ${HOME}/.local/share/recently-used.xbel
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
 blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/ssh

src/firejail/fs.c

@@ -56,7 +56,7 @@ static void create_empty_file(void) {
 	}
 }
 
-// build /tmp/firejail directory
+// build /run/firejail directory
 void fs_build_firejail_dir(void) {
 	struct stat s;
 
@@ -86,11 +86,16 @@ void fs_build_firejail_dir(void) {
 
 // build /tmp/firejail/mnt directory
 static int tmpfs_mounted = 0;
+static void fs_build_remount_mnt_dir(void) {
+	tmpfs_mounted = 0;
+	fs_build_mnt_dir();
+}
+
 void fs_build_mnt_dir(void) {
 	struct stat s;
 	fs_build_firejail_dir();
 	
-	// create /tmp/firejail directory
+	// create /run/firejail/mnt directory
 	if (stat(MNT_DIR, &s)) {
 		if (arg_debug)
 			printf("Creating %s directory\n", MNT_DIR);
@@ -106,7 +111,7 @@ void fs_build_mnt_dir(void) {
 
 	// ... and mount tmpfs on top of it
 	if (!tmpfs_mounted) {
-		// mount tmpfs on top of /tmp/firejail/mnt
+		// mount tmpfs on top of /run/firejail/mnt
 		if (arg_debug)
 			printf("Mounting tmpfs on %s directory\n", MNT_DIR);
 		if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
@@ -533,6 +538,14 @@ void fs_proc_sys_dev_boot(void) {
 			errExit("mounting /boot directory");
 	}
 	
+	// disable /selinux
+	if (stat("/selinux", &s) == 0) {
+		if (arg_debug)
+			printf("Mounting a new /selinux directory\n");
+		if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+			errExit("mounting /selinux directory");
+	}
+	
 	// disable /dev/port
 	if (stat("/dev/port", &s) == 0) {
 		disable_file(BLACKLIST_FILE, "/dev/port");
@@ -818,6 +831,8 @@ void fs_chroot(const char *rootdir) {
 		printf("Chrooting into %s\n", rootdir);
 	if (chroot(rootdir) < 0)
 		errExit("chroot");
+	// mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
+	fs_build_remount_mnt_dir();
 		
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 	if (!arg_private_dev)

src/firejail/main.c

@@ -1285,6 +1285,15 @@ int main(int argc, char **argv) {
  	if (pipe(child_to_parent_fds) < 0)
 		errExit("pipe");
 
+	if (arg_noroot && arg_overlay) {
+		fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+		arg_noroot = 0;
+	}
+	else if (arg_noroot && cfg.chrootdir) {
+		fprintf(stderr, "Warning: --overlay and --chroot are mutually exclusive, noroot disabled\n");
+		arg_noroot = 0;
+	}
+
 	// clone environment
 	int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 	

src/firejail/restrict_users.c

@@ -293,7 +293,6 @@ static void sanitize_group(void) {
 		if ((gid_t) gid != mygid) {
 			continue; // skip line
 		}
-		fprintf(fpout, "%s", buf);
 		if (copy_line(fpout, buf, ptr))
 			goto errout;
 	}

src/firejail/sandbox.c

@@ -300,6 +300,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT		
 	if (cfg.chrootdir) {
 		fs_chroot(cfg.chrootdir);
+		// redo cp command
+		fs_build_cp_command();
+		
 		// force caps and seccomp if not started as root
 		if (getuid() != 0) {
 			// force default seccomp inside the chroot, no keep or drop list
@@ -336,7 +339,7 @@ int sandbox(void* sandbox_arg) {
 	}
 	else 
 #endif		
-	if (arg_overlay)
+	if (arg_overlay)	
 		fs_overlayfs();
 	else
 		fs_basic_fs();

todo

@@ -73,4 +73,5 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 ./configure --enable-fatal-warnings --disable-chroot --prefix=/usr
 ./configure --enable-fatal-warnings --disable-bind --prefix=/usr
 
+12. do not allow symlinks for --bind