[PR #3572] [MERGED] hardening: run plugins with dumpable flag cleared #4816

Closed
opened 2026-05-05 10:27:04 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3572
Author: @smitsohu
Created: 8/6/2020
Status: Merged
Merged: 8/22/2020
Merged by: @netblue30

Base: master ← Head: dumpable


📝 Commits (4)

  • 515f344 hardening: run plugins with dumpable flag cleared
  • 7d08006 various x11 xorg enhancements
  • 9e3b7b9 add dumpable warnings
  • 21918f6 cleanup

📊 Changes

16 files changed (+140 additions, -122 deletions)


📝 Makefile.in (+8 -4)
📝 src/fcopy/main.c (+6 -0)
📝 src/firejail/main.c (+4 -0)
📝 src/firejail/sbox.c (+1 -0)
📝 src/firejail/x11.c (+69 -104)
📝 src/fldd/main.c (+6 -0)
📝 src/fnet/main.c (+10 -6)
📝 src/fnetfilter/main.c (+5 -1)
📝 src/fsec-optimize/fsec_optimize.h (+1 -0)
📝 src/fsec-optimize/main.c (+6 -0)
📝 src/fsec-print/fsec_print.h (+1 -0)
📝 src/fsec-print/main.c (+5 -0)
📝 src/fseccomp/fseccomp.h (+1 -0)
📝 src/fseccomp/main.c (+11 -5)
📝 src/include/common.h (+3 -0)
📝 src/include/rundefs.h (+3 -2)

📄 Description

The kernel clears the dumpable flag if a user has no read permission on an executable and it is owned by another user (root in this case). I omitted faudit, fbuilder and ftee for now as they are not used to configure the sandbox itself, and as this commit is going to complicate debugging efforts to some extent. By design some processes are not covered this way, most notably xauth and shell instances created by system(3). But still it should be an improvement over the current state.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

Reference: github-starred/firejail#4816