author | netblue30 <netblue30@yahoo.com> | 2017-09-17 09:53:54 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-09-17 09:53:54 -0400 |
commit | b3f2318759905dd58bbdc93782ccf9d63322bf05 (patch) | |
tree | 87e3793007593a4bdbe9123a415d58b6022e6b6b | |
parent | cleanup (diff) | |
profile build tool
-rw-r--r-- | README.md | 58 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 6 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
4 files changed, 76 insertions, 1 deletions
@@ -98,6 +98,64 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.51 |
100 | 100 | ||
101 | ## Profile build tool | ||
102 | ````` | ||
103 | $ firejail --build appname | ||
104 | ````` | ||
105 | The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also | ||
106 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
107 | with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported | ||
108 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
109 | |||
110 | Example: | ||
111 | ````` | ||
112 | $ firejail --build vlc ~/Videos/test.mp4 | ||
113 | |||
114 | [...] | ||
115 | |||
116 | ############################################ | ||
117 | # vlc profile | ||
118 | ############################################ | ||
119 | # Persistent global definitions | ||
120 | # include /etc/firejail/globals.local | ||
121 | |||
122 | ### basic blacklisting | ||
123 | include /etc/firejail/disable-common.inc | ||
124 | # include /etc/firejail/disable-devel.inc | ||
125 | include /etc/firejail/disable-passwdmgr.inc | ||
126 | # include /etc/firejail/disable-programs.inc | ||
127 | |||
128 | ### home directory whitelisting | ||
129 | whitelist ~/Videos | ||
130 | whitelist ~/.local/share/vlc | ||
131 | whitelist ~/.config/vlc | ||
132 | include /etc/firejail/whitelist-common.inc | ||
133 | |||
134 | ### filesystem | ||
135 | private-tmp | ||
136 | private-dev | ||
137 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | ||
138 | whitelist /var/lib/menu-xdg | ||
139 | |||
140 | ### security filters | ||
141 | caps.drop all | ||
142 | nonewprivs | ||
143 | seccomp | ||
144 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create | ||
145 | # 82 syscalls total | ||
146 | # Probably you will need to add more syscalls to seccomp.keep. Look for | ||
147 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | ||
148 | # running your sandbox. | ||
149 | |||
150 | ### network | ||
151 | protocol unix,netlink, | ||
152 | net none | ||
153 | |||
154 | ### environment | ||
155 | shell none | ||
156 | $ | ||
157 | ```` | ||
158 | |||
101 | ## New command line options | 159 | ## New command line options |
102 | ````` | 160 | ````` |
103 | --writable-run-user | 161 | --writable-run-user |
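--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
 //*******************************************
 static FileDB *var_out = NULL;
 static void var_callback(char *ptr) {
-	if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+	if (strcmp(ptr, "/var/lib") == 0)
+		;
+	else if (strcmp(ptr, "/var/cache") == 0)
+		;
+	else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
 		var_out = filedb_add(var_out, "/var/lib/menu-xdg");
 	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
 		var_out = filedb_add(var_out, "/var/cache/fontconfig");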
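Review bot: The two new branches `if (strcmp(ptr, "/var/lib") == 0)` and `else if (strcmp(ptr, "/var/cache") == 0)` have a bare `;` as their body, which reads like an accidental empty statement rather than a deliberate exclusion and gives no reason why the bare directories are dropped from the generated whitelist. Make the intent explicit: `return;` if nothing follows the if/else chain, otherwise keep the empty statement but annotate it, e.g. `; /* never whitelist all of /var/lib or /var/cache; only the specific subdirectories below */`. The exact-match `strcmp` only skips the directory itself, so paths underneath it still reach the prefix checks that follow, which appears to be the intended behaviour. var_callback's body continues past the end of the hunk, so the remaining branches could not be checked here.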
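--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
 	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
 	printf(" --blacklist=filename - blacklist directory or file.\n");
+	printf(" --build - build a whitelisted profile for the application.\n");
 	printf(" -c - execute command and exit.\n");
 	printf(" --caps - enable default Linux capabilities filter.\n");
 	printf(" --caps.drop=all - drop all capabilities.\n");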
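Review bot: The added help line for `--build` does not tell the user that the target program is executed almost unsandboxed while the profile is generated; the README and man page text in this same commit state it runs with only --caps.drop=all and --nonewprivs, but `--help` is what most users read first. Consider extending the string, e.g. `printf(" --build - build a whitelisted profile for the application (runs it in a relaxed sandbox).\n");`, so the trade-off is visible at the point of use. usage() itself starts and ends outside the hunk.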
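--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP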