Merge branch 'master' of https://github.com/netblue30/firejail

author: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-16 08:20:38 -0500
committer: Fred-Barclay <Fred-Barclay@users.noreply.github.com> 2017-10-16 08:20:38 -0500
commit: d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1 (patch)
tree: 08657bd95245d1e8495cc1ba63ad5a395d54109b
parent: Fix debian build error (diff)
parent: added private-lib to eog, eom, file, gpicview, less, strings, and tar (diff)
download: firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.tar.gz
firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.tar.zst
firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.zip
17 files changed, 269 insertions, 8 deletions
diff --git a/.travis.yml b/.travis.yml
index a52c34bd2..0484f0d4d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -10,8 +10,6 @@ script:
  - ( sudo dpkg -P firejail )
  - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
  - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
-  - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
-  - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
  # If successful, build release tarball
  - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
  - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
diff --git a/RELNOTES b/RELNOTES
index 026c67f9b..9a15686db 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,13 +3,15 @@ firejail (0.9.51) baseline; urgency=low
  * enhancement: support Firejail user config directory in firecfg
  * enhancement: disable DBus activation in firecfg
  * enhancement; enumerate root directories in apparmor profile
+  * enhancement: enable private-lib in Firefox profile
  * feature: systemd-resolved integration
  * feature: whitelisting /var directory in most profiles
  * feature: GTK2, GTK3 and Qt4 private-lib support
  * feature: test deployment of private-lib for the following
    applications: evince, galculator, gnome-calculator,
    leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
-    atril, mate-color-select
+    atril, mate-color-select, tar, file, strings, gpicview,
+    eom, eog
  * feature: --writable-run-user
  * feature: profile build tool (--build)
 -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
diff --git a/etc/eog.profile b/etc/eog.profile
index 5ff926371..112ec7c98 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -34,6 +34,7 @@ shell none
 private-bin eog
 private-dev
 private-etc fonts
+private-lib
 private-tmp
 memory-deny-write-execute
diff --git a/etc/eom.profile b/etc/eom.profile
index 802578959..af7ded91a 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -35,6 +35,7 @@ tracelog
 private-bin eom
 private-dev
 private-etc fonts
+private-lib
 private-tmp
 memory-deny-write-execute
diff --git a/etc/file.profile b/etc/file.profile
index a83b2cf7d..2316b8e9b 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -31,6 +31,7 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
+private-lib
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1f4a8e3f6..80cdb6ab0 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -76,7 +76,7 @@ tracelog
 # firefox requires a shell to launch on Arch. We can possibly remove sh though.
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
 private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
 noexec ${HOME}
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 1842c9cb1..b37af2843 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -31,4 +31,5 @@ tracelog
 private-bin gpicview
 private-dev
 private-etc fonts
+private-lib
 private-tmp
diff --git a/etc/less.profile b/etc/less.profile
index e1c42ed76..0935f8945 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,8 +20,9 @@ tracelog
 writable-var-log
 # The user can have a custom coloring scritps configured in ~/.lessfilter.
-# Enable private-bin if you are not using any filter.
+# Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
+# private-lib
 private-dev
 memory-deny-write-execute
diff --git a/etc/strings.profile b/etc/strings.profile
index 90bb35ecd..83561cae5 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -18,8 +18,9 @@ novideo
 shell none
 tracelog
-# private-bin strings - breaking on Debian
+private-bin strings
 private-dev
+private-lib
 memory-deny-write-execute
diff --git a/etc/tar.profile b/etc/tar.profile
index c8c0b2cae..92ddaa2f3 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -23,5 +23,6 @@ tracelog
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
 private-etc passwd,group,localtime
+private-lib
 include /etc/firejail/default.profile
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 175e1bc6c..c24e13b61 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -415,3 +415,8 @@
 /etc/firejail/xmr-stak-cpu.profile
 /etc/firejail/zart.profile
 /etc/firejail/xcalc.profile
+/etc/firejail/aosp.profile
+/etc/firejail/gnome-ring.profile
+/etc/firejail/pdfmod.profile
+/etc/firejail/signal-desktop.profile
+/etc/firejail/zaproxy.profile
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 5e2397c2d..04b6f0c85 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -7,7 +7,7 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird "
-LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent"
+LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat"
 for app in $LIST; do
        which $app
diff --git a/test/private-lib/hexchat.exp b/test/apps/hexchat.exp
index 35e12ea87..35e12ea87 100755
--- a/test/private-lib/hexchat.exp
+++ b/test/apps/hexchat.exp
diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp
new file mode 100755
index 000000000..23af4e793
--- /dev/null
+++ b/test/private-lib/eog.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail eog\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/eog.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "eog"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail eog"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail eog"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp
new file mode 100755
index 000000000..aaedf8c86
--- /dev/null
+++ b/test/private-lib/eom.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail eom\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/eom.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "eom"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail eom"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail eom"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp
new file mode 100755
index 000000000..ed566a892
--- /dev/null
+++ b/test/private-lib/gpicview.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail gpicview\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gpicview.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gpicview"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gpicview"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gpicview"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
index 7e17f4eda..2449e91d7 100755
--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril"
+LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril gpicview eom eog"
 for app in $LIST; do
author	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-16 08:20:38 -0500
committer	Fred-Barclay <Fred-Barclay@users.noreply.github.com>	2017-10-16 08:20:38 -0500
commit	d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1 (patch)
tree	08657bd95245d1e8495cc1ba63ad5a395d54109b
parent	Fix debian build error (diff)
parent	added private-lib to eog, eom, file, gpicview, less, strings, and tar (diff)
download	firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.tar.gz firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.tar.zst firejail-d84dc3860d7ea29f7bc8494023d9e21a7bd25fa1.zip

diff --git a/.travis.yml b/.travis.yml index a52c34bd2..0484f0d4d 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -10,8 +10,6 @@ script:
10	- ( sudo dpkg -P firejail )	10	- ( sudo dpkg -P firejail )
11	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )	11	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
12	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )	12	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
13	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
14	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
15	# If successful, build release tarball	13	# If successful, build release tarball
16	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )	14	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
17	- curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2	15	- curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2


diff --git a/RELNOTES b/RELNOTES index 026c67f9b..9a15686db 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,13 +3,15 @@ firejail (0.9.51) baseline; urgency=low
3	* enhancement: support Firejail user config directory in firecfg	3	* enhancement: support Firejail user config directory in firecfg
4	* enhancement: disable DBus activation in firecfg	4	* enhancement: disable DBus activation in firecfg
5	* enhancement; enumerate root directories in apparmor profile	5	* enhancement; enumerate root directories in apparmor profile
		6	* enhancement: enable private-lib in Firefox profile
6	* feature: systemd-resolved integration	7	* feature: systemd-resolved integration
7	* feature: whitelisting /var directory in most profiles	8	* feature: whitelisting /var directory in most profiles
8	* feature: GTK2, GTK3 and Qt4 private-lib support	9	* feature: GTK2, GTK3 and Qt4 private-lib support
9	* feature: test deployment of private-lib for the following	10	* feature: test deployment of private-lib for the following
10	applications: evince, galculator, gnome-calculator,	11	applications: evince, galculator, gnome-calculator,
11	leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,	12	leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
12	atril, mate-color-select	13	atril, mate-color-select, tar, file, strings, gpicview,
		14	eom, eog
13	* feature: --writable-run-user	15	* feature: --writable-run-user
14	* feature: profile build tool (--build)	16	* feature: profile build tool (--build)
15	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500	17	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500


diff --git a/etc/eog.profile b/etc/eog.profile index 5ff926371..112ec7c98 100644 --- a/etc/eog.profile +++ b/etc/eog.profile
@@ -34,6 +34,7 @@ shell none
34	private-bin eog	34	private-bin eog
35	private-dev	35	private-dev
36	private-etc fonts	36	private-etc fonts
		37	private-lib
37	private-tmp	38	private-tmp
38		39
39	memory-deny-write-execute	40	memory-deny-write-execute


diff --git a/etc/eom.profile b/etc/eom.profile index 802578959..af7ded91a 100644 --- a/etc/eom.profile +++ b/etc/eom.profile
@@ -35,6 +35,7 @@ tracelog
35	private-bin eom	35	private-bin eom
36	private-dev	36	private-dev
37	private-etc fonts	37	private-etc fonts
		38	private-lib
38	private-tmp	39	private-tmp
39		40
40	memory-deny-write-execute	41	memory-deny-write-execute


diff --git a/etc/file.profile b/etc/file.profile index a83b2cf7d..2316b8e9b 100644 --- a/etc/file.profile +++ b/etc/file.profile
@@ -31,6 +31,7 @@ x11 none
31	private-bin file	31	private-bin file
32	private-dev	32	private-dev
33	private-etc magic.mgc,magic,localtime	33	private-etc magic.mgc,magic,localtime
		34	private-lib
34		35
35	memory-deny-write-execute	36	memory-deny-write-execute
36	noexec ${HOME}	37	noexec ${HOME}


diff --git a/etc/firefox.profile b/etc/firefox.profile index 1f4a8e3f6..80cdb6ab0 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile
@@ -76,7 +76,7 @@ tracelog
76	# firefox requires a shell to launch on Arch. We can possibly remove sh though.	76	# firefox requires a shell to launch on Arch. We can possibly remove sh though.
77	# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash	77	# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
78	private-dev	78	private-dev
79	# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse	79	private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
80	private-tmp	80	private-tmp
81		81
82	noexec ${HOME}	82	noexec ${HOME}


diff --git a/etc/gpicview.profile b/etc/gpicview.profile index 1842c9cb1..b37af2843 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile
@@ -31,4 +31,5 @@ tracelog
31	private-bin gpicview	31	private-bin gpicview
32	private-dev	32	private-dev
33	private-etc fonts	33	private-etc fonts
		34	private-lib
34	private-tmp	35	private-tmp


diff --git a/etc/less.profile b/etc/less.profile index e1c42ed76..0935f8945 100644 --- a/etc/less.profile +++ b/etc/less.profile
@@ -20,8 +20,9 @@ tracelog
20	writable-var-log	20	writable-var-log
21		21
22	# The user can have a custom coloring scritps configured in ~/.lessfilter.	22	# The user can have a custom coloring scritps configured in ~/.lessfilter.
23	# Enable private-bin if you are not using any filter.	23	# Enable private-bin and private-lib if you are not using any filter.
24	# private-bin less	24	# private-bin less
		25	# private-lib
25	private-dev	26	private-dev
26		27
27	memory-deny-write-execute	28	memory-deny-write-execute


diff --git a/etc/strings.profile b/etc/strings.profile index 90bb35ecd..83561cae5 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -18,8 +18,9 @@ novideo
18	shell none	18	shell none
19	tracelog	19	tracelog
20		20
21	# private-bin strings - breaking on Debian	21	private-bin strings
22	private-dev	22	private-dev
		23	private-lib
23		24
24	memory-deny-write-execute	25	memory-deny-write-execute
25		26


diff --git a/etc/tar.profile b/etc/tar.profile index c8c0b2cae..92ddaa2f3 100644 --- a/etc/tar.profile +++ b/etc/tar.profile
@@ -23,5 +23,6 @@ tracelog
23	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop	23	private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
24	private-dev	24	private-dev
25	private-etc passwd,group,localtime	25	private-etc passwd,group,localtime
		26	private-lib
26		27
27	include /etc/firejail/default.profile	28	include /etc/firejail/default.profile


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 175e1bc6c..c24e13b61 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -415,3 +415,8 @@
415	/etc/firejail/xmr-stak-cpu.profile	415	/etc/firejail/xmr-stak-cpu.profile
416	/etc/firejail/zart.profile	416	/etc/firejail/zart.profile
417	/etc/firejail/xcalc.profile	417	/etc/firejail/xcalc.profile
		418	/etc/firejail/aosp.profile
		419	/etc/firejail/gnome-ring.profile
		420	/etc/firejail/pdfmod.profile
		421	/etc/firejail/signal-desktop.profile
		422	/etc/firejail/zaproxy.profile


diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 5e2397c2d..04b6f0c85 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh
@@ -7,7 +7,7 @@ export MALLOC_CHECK_=3
7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))	7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
8		8
9	LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird "	9	LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird "
10	LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent"	10	LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat"
11		11
12	for app in $LIST; do	12	for app in $LIST; do
13	which $app	13	which $app


diff --git a/test/private-lib/hexchat.exp b/test/apps/hexchat.exp index 35e12ea87..35e12ea87 100755 --- a/test/private-lib/hexchat.exp +++ b/test/apps/hexchat.exp


diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp new file mode 100755 index 000000000..23af4e793 --- /dev/null +++ b/test/private-lib/eog.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2017 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail eog\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/eog.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 3
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"eog"
		30	}
		31	after 100
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
		53	":firejail eog"
		54	}
		55	expect {
		56	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		57	"Seccomp: 2"
		58	}
		59	expect {
		60	timeout {puts "TESTING ERROR 5.1\n";exit}
		61	"name=blablabla"
		62	}
		63	after 100
		64	send -- "firemon --caps\r"
		65	expect {
		66	timeout {puts "TESTING ERROR 6\n";exit}
		67	":firejail eog"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.1\n";exit}
		71	"CapBnd:"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.2\n";exit}
		75	"0000000000000000"
		76	}
		77	expect {
		78	timeout {puts "TESTING ERROR 6.3\n";exit}
		79	"name=blablabla"
		80	}
		81	after 100
		82
		83	puts "\nall done\n"


diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp new file mode 100755 index 000000000..aaedf8c86 --- /dev/null +++ b/test/private-lib/eom.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2017 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail eom\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/eom.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 3
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"eom"
		30	}
		31	after 100
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
		53	":firejail eom"
		54	}
		55	expect {
		56	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		57	"Seccomp: 2"
		58	}
		59	expect {
		60	timeout {puts "TESTING ERROR 5.1\n";exit}
		61	"name=blablabla"
		62	}
		63	after 100
		64	send -- "firemon --caps\r"
		65	expect {
		66	timeout {puts "TESTING ERROR 6\n";exit}
		67	":firejail eom"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.1\n";exit}
		71	"CapBnd:"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.2\n";exit}
		75	"0000000000000000"
		76	}
		77	expect {
		78	timeout {puts "TESTING ERROR 6.3\n";exit}
		79	"name=blablabla"
		80	}
		81	after 100
		82
		83	puts "\nall done\n"


diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp new file mode 100755 index 000000000..ed566a892 --- /dev/null +++ b/test/private-lib/gpicview.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2017 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail gpicview\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/gpicview.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 3
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"gpicview"
		30	}
		31	after 100
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
		53	":firejail gpicview"
		54	}
		55	expect {
		56	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		57	"Seccomp: 2"
		58	}
		59	expect {
		60	timeout {puts "TESTING ERROR 5.1\n";exit}
		61	"name=blablabla"
		62	}
		63	after 100
		64	send -- "firemon --caps\r"
		65	expect {
		66	timeout {puts "TESTING ERROR 6\n";exit}
		67	":firejail gpicview"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.1\n";exit}
		71	"CapBnd:"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.2\n";exit}
		75	"0000000000000000"
		76	}
		77	expect {
		78	timeout {puts "TESTING ERROR 6.3\n";exit}
		79	"name=blablabla"
		80	}
		81	after 100
		82
		83	puts "\nall done\n"


diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 7e17f4eda..2449e91d7 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
5		5
6	export MALLOC_CHECK_=3	6	export MALLOC_CHECK_=3
7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))	7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
8	LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril"	8	LIST="evince galculator gnome-calculator hexchat leafpad mousepad transmission-gtk xcalc atril gpicview eom eog"
9		9
10		10
11	for app in $LIST; do	11	for app in $LIST; do