private-bin conversion

author: netblue30 <netblue30@yahoo.com> 2016-06-10 11:22:24 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-10 11:22:24 -0400
commit: f5b452bc4276ff2abecae522d9598441899293f1 (patch)
tree: 81084de530711c44752cec367acecec9d27dd060
parent: private-bin conversion (diff)
download: firejail-f5b452bc4276ff2abecae522d9598441899293f1.tar.gz
firejail-f5b452bc4276ff2abecae522d9598441899293f1.tar.zst
firejail-f5b452bc4276ff2abecae522d9598441899293f1.zip
17 files changed, 116 insertions, 3 deletions
diff --git a/README.md b/README.md
index db0625d43..69890ffaf 100644
--- a/README.md
+++ b/README.md
@@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit
 ## Converting profiles to private-bin - work in progress!
-BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
+BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk
 File transfer: filezilla
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 87a17423b..96df13a73 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,3 +15,4 @@ seccomp
 shell none
 private-bin deluge,sh,python,uname
+whitelist /tmp/.X11-unix
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 071a82f76..4e401055a 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# Programs using python: deluge, firefox addons, filezilla, cherrytree
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/evince.profile b/etc/evince.profile
index 8671c1251..320d55fad 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,3 +13,4 @@ seccomp
 shell none
 private-bin evince,evince-previewer,evince-thumbnailer
+whitelist /tmp/.X11-unix
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index df359e50a..f155b02af 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -15,4 +15,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin fbreader,FBReader
-\ No newline at end of file
+private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 35663f2fa..c146dba13 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -16,3 +16,4 @@ seccomp
 shell none
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 68d6a52d9..2d6cd160c 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -15,3 +15,4 @@ seccomp
 shell none
 private-bin gthumb
+whitelist /tmp/.X11-unix
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index a584d25c5..4e829c379 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -17,3 +17,5 @@ mkdir ~/.config
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
+# private-bin requires perl, python, etc.
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index bb97a880b..bc87ad5c8 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -14,3 +14,4 @@ seccomp
 shell none
 private-bin qbittorrent
+whitelist /tmp/.X11-unix
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index c196370a2..97c2335a8 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,3 +14,4 @@ seccomp
 shell none
 private-bin rtorrent
+whitelist /tmp/.X11-unix
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index e8d0e25e7..80d71d615 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -18,3 +18,4 @@ tracelog
 shell none
 private-bin transmission-gtk
+whitelist /tmp/.X11-unix
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index fd3a98aad..dfb600871 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -18,3 +18,4 @@ tracelog
 shell none
 private-bin transmission-qt
+whitelist /tmp/.X11-unix
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 02c7f56bf..591a82af4 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -17,3 +17,7 @@ mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
+shell none
+private-bin uget-gtk
+whitelist /tmp/.X11-unix
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 6cfe58420..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -9,3 +9,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins 
+\ No newline at end of file
diff --git a/etc/xchat.profile b/etc/xchat.profile
index 061c4f3da..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -10,3 +10,5 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+# private-bin requires perl, python, etc.
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index bbfe2a606..c329c57e5 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -69,6 +69,15 @@ else
        echo "TESTING SKIP: qbittorrent not found"
 fi
+which uget-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: uget"
+        ./uget-gtk.exp
+else
+        echo "TESTING SKIP: uget-gtk not found"
+fi
 which filezilla
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
new file mode 100755
index 000000000..47fa5849b
--- /dev/null
+++ b/test/apps/uget-gtk.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail uget-gtk\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "uget-gtk"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail uget-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2016-06-10 11:22:24 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-10 11:22:24 -0400
commit	f5b452bc4276ff2abecae522d9598441899293f1 (patch)
tree	81084de530711c44752cec367acecec9d27dd060
parent	private-bin conversion (diff)
download	firejail-f5b452bc4276ff2abecae522d9598441899293f1.tar.gz firejail-f5b452bc4276ff2abecae522d9598441899293f1.tar.zst firejail-f5b452bc4276ff2abecae522d9598441899293f1.zip

diff --git a/README.md b/README.md index db0625d43..69890ffaf 100644 --- a/README.md +++ b/README.md
@@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit
67		67
68	## Converting profiles to private-bin - work in progress!	68	## Converting profiles to private-bin - work in progress!
69		69
70	BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt	70	BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk
71		71
72	File transfer: filezilla	72	File transfer: filezilla
73		73


diff --git a/etc/deluge.profile b/etc/deluge.profile index 87a17423b..96df13a73 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile
@@ -15,3 +15,4 @@ seccomp
15		15
16	shell none	16	shell none
17	private-bin deluge,sh,python,uname	17	private-bin deluge,sh,python,uname
		18	whitelist /tmp/.X11-unix


diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 071a82f76..4e401055a 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
37	blacklist /usr/bin/ruby	37	blacklist /usr/bin/ruby
38	blacklist /usr/lib/ruby	38	blacklist /usr/lib/ruby
39		39
40	# Programs using python: deluge, firefox addons, filezilla, cherrytree	40	# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat
41	# Python 2	41	# Python 2
42	#blacklist /usr/bin/python2*	42	#blacklist /usr/bin/python2*
43	#blacklist /usr/lib/python2*	43	#blacklist /usr/lib/python2*


diff --git a/etc/evince.profile b/etc/evince.profile index 8671c1251..320d55fad 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -13,3 +13,4 @@ seccomp
13		13
14	shell none	14	shell none
15	private-bin evince,evince-previewer,evince-thumbnailer	15	private-bin evince,evince-previewer,evince-thumbnailer
		16	whitelist /tmp/.X11-unix


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index df359e50a..f155b02af 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -15,4 +15,5 @@ protocol unix,inet,inet6
15	seccomp	15	seccomp
16		16
17	shell none	17	shell none
18	private-bin fbreader,FBReader \ No newline at end of file	18	private-bin fbreader,FBReader
		19	whitelist /tmp/.X11-unix


diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 35663f2fa..c146dba13 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile
@@ -16,3 +16,4 @@ seccomp
16		16
17	shell none	17	shell none
18	private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp	18	private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
		19	whitelist /tmp/.X11-unix


diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 68d6a52d9..2d6cd160c 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile
@@ -15,3 +15,4 @@ seccomp
15		15
16	shell none	16	shell none
17	private-bin gthumb	17	private-bin gthumb
		18	whitelist /tmp/.X11-unix


diff --git a/etc/hexchat.profile b/etc/hexchat.profile index a584d25c5..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile
@@ -17,3 +17,5 @@ mkdir ~/.config
17	mkdir ~/.config/hexchat	17	mkdir ~/.config/hexchat
18	whitelist ~/.config/hexchat	18	whitelist ~/.config/hexchat
19	include /etc/firejail/whitelist-common.inc	19	include /etc/firejail/whitelist-common.inc
		20
		21	# private-bin requires perl, python, etc.


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bb97a880b..bc87ad5c8 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -14,3 +14,4 @@ seccomp
14		14
15	shell none	15	shell none
16	private-bin qbittorrent	16	private-bin qbittorrent
		17	whitelist /tmp/.X11-unix


diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c196370a2..97c2335a8 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile
@@ -14,3 +14,4 @@ seccomp
14		14
15	shell none	15	shell none
16	private-bin rtorrent	16	private-bin rtorrent
		17	whitelist /tmp/.X11-unix


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e8d0e25e7..80d71d615 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -18,3 +18,4 @@ tracelog
18		18
19	shell none	19	shell none
20	private-bin transmission-gtk	20	private-bin transmission-gtk
		21	whitelist /tmp/.X11-unix


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index fd3a98aad..dfb600871 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -18,3 +18,4 @@ tracelog
18		18
19	shell none	19	shell none
20	private-bin transmission-qt	20	private-bin transmission-qt
		21	whitelist /tmp/.X11-unix


diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 02c7f56bf..591a82af4 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile
@@ -17,3 +17,7 @@ mkdir ~/.config
17	mkdir ~/.config/uGet	17	mkdir ~/.config/uGet
18	whitelist ~/.config/uGet	18	whitelist ~/.config/uGet
19	include /etc/firejail/whitelist-common.inc	19	include /etc/firejail/whitelist-common.inc
		20
		21	shell none
		22	private-bin uget-gtk
		23	whitelist /tmp/.X11-unix


diff --git a/etc/weechat.profile b/etc/weechat.profile index 6cfe58420..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile
@@ -9,3 +9,7 @@ nonewprivs
9	noroot	9	noroot
10	protocol unix,inet,inet6	10	protocol unix,inet,inet6
11	seccomp	11	seccomp
		12
		13	# no private-bin support for various reasons:
		14	# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
		15	# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file


diff --git a/etc/xchat.profile b/etc/xchat.profile index 061c4f3da..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile
@@ -10,3 +10,5 @@ nonewprivs
10	noroot	10	noroot
11	protocol unix,inet,inet6	11	protocol unix,inet,inet6
12	seccomp	12	seccomp
		13
		14	# private-bin requires perl, python, etc.


diff --git a/test/apps/apps.sh b/test/apps/apps.sh index bbfe2a606..c329c57e5 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh
@@ -69,6 +69,15 @@ else
69	echo "TESTING SKIP: qbittorrent not found"	69	echo "TESTING SKIP: qbittorrent not found"
70	fi	70	fi
71		71
		72	which uget-gtk
		73	if [ "$?" -eq 0 ];
		74	then
		75	echo "TESTING: uget"
		76	./uget-gtk.exp
		77	else
		78	echo "TESTING SKIP: uget-gtk not found"
		79	fi
		80
72	which filezilla	81	which filezilla
73	if [ "$?" -eq 0 ];	82	if [ "$?" -eq 0 ];
74	then	83	then


diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp new file mode 100755 index 000000000..47fa5849b --- /dev/null +++ b/test/apps/uget-gtk.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail uget-gtk\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/uget-gtk.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 3
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"uget-gtk"
		30	}
		31	sleep 1
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	":firejail uget-gtk"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		56	"Seccomp: 2"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 5.1\n";exit}
		60	"name=blablabla"
		61	}
		62	sleep 1
		63	send -- "firemon --caps\r"
		64	expect {
		65	timeout {puts "TESTING ERROR 6\n";exit}
		66	":firejail uget-gtk"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 6.1\n";exit}
		70	"CapBnd:"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 6.2\n";exit}
		74	"0000000000000000"
		75	}
		76	expect {
		77	timeout {puts "TESTING ERROR 6.3\n";exit}
		78	"name=blablabla"
		79	}
		80	sleep 1
		81
		82	puts "\nall done\n"
		83