authorLibravatar netblue30 <netblue30@protonmail.com>2021-05-20 21:38:01 -0400
committerLibravatar netblue30 <netblue30@protonmail.com>2021-05-20 21:38:01 -0400
commit4222217198ceedc3e5fd7c356bcd798548eb94ff (patch)
treee48e5c450c41cb67b9a33a77afa891c5fa9363cf
parentadd support for cargo toml/non-toml files (#4286) (diff)
--buid fixes
-rw-r--r--src/fbuilder/build_profile.c54
-rw-r--r--src/fbuilder/build_seccomp.c29
-rw-r--r--src/man/firejail-profile.txt11
3 files changed, 45 insertions, 49 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 1726b4dbb..5df19f511 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -24,21 +24,6 @@
24#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" 24#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
25#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" 25#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
26 26
27/* static char *cmdlist[] = { */
28/* "/usr/bin/firejail", */
29/* "--quiet", */
30/* "--output=" TRACE_OUTPUT, */
31/* "--noprofile", */
32/* "--caps.drop=all", */
33/* "--nonewprivs", */
34/* "--trace", */
35/* "--shell=none", */
36/* "/usr/bin/strace", // also used as a marker in build_profile() */
37/* "-c", */
38/* "-f", */
39/* "-o" STRACE_OUTPUT, */
40/* }; */
41
42void build_profile(int argc, char **argv, int index, FILE *fp) { 27void build_profile(int argc, char **argv, int index, FILE *fp) {
43 // next index is the application name 28 // next index is the application name
44 if (index >= argc) { 29 if (index >= argc) {
@@ -158,14 +143,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
158 fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); 143 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
159 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); 144 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
160 fprintf(fp, "### and /tmp directories non-executable.\n"); 145 fprintf(fp, "### and /tmp directories non-executable.\n");
161 fprintf(fp, "include disable-common.inc\n"); 146 fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
162 fprintf(fp, "#include disable-devel.inc\n"); 147 fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
163 fprintf(fp, "#include disable-exec.inc\n"); 148 fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
164 fprintf(fp, "#include disable-interpreters.inc\n"); 149 fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
165 fprintf(fp, "include disable-passwdmgr.inc\n"); 150 fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n");
166 fprintf(fp, "include disable-programs.inc\n"); 151 fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
167 fprintf(fp, "#include disable-shell.inc\n"); 152 fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
168 fprintf(fp, "#include disable-xdg.inc\n"); 153 fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
169 fprintf(fp, "\n"); 154 fprintf(fp, "\n");
170 155
171 fprintf(fp, "### Home Directory Whitelisting ###\n"); 156 fprintf(fp, "### Home Directory Whitelisting ###\n");
@@ -180,18 +165,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
180 build_var(trace_output, fp); 165 build_var(trace_output, fp);
181 fprintf(fp, "\n"); 166 fprintf(fp, "\n");
182 167
183 fprintf(fp, "#apparmor\n"); 168 fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
184 fprintf(fp, "caps.drop all\n"); 169 fprintf(fp, "caps.drop all\n");
185 fprintf(fp, "ipc-namespace\n"); 170 fprintf(fp, "ipc-namespace\n");
186 fprintf(fp, "netfilter\n"); 171 fprintf(fp, "netfilter\n");
187 fprintf(fp, "#nodvd\n"); 172 fprintf(fp, "#no3d\t# disable 3D acceleration\n");
188 fprintf(fp, "#nogroups\n"); 173 fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
189 fprintf(fp, "#noinput\n"); 174 fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
175 fprintf(fp, "#noinput\t# disable input devices\n");
190 fprintf(fp, "nonewprivs\n"); 176 fprintf(fp, "nonewprivs\n");
191 fprintf(fp, "noroot\n"); 177 fprintf(fp, "noroot\n");
192 fprintf(fp, "#notv\n"); 178 fprintf(fp, "#notv\t# disable DVB TV devices\n");
193 fprintf(fp, "#nou2f\n"); 179 fprintf(fp, "#nou2f\t# disable U2F devices\n");
194 fprintf(fp, "#novideo\n"); 180 fprintf(fp, "#novideo\t# disable video capture devices\n");
195 build_protocol(trace_output, fp); 181 build_protocol(trace_output, fp);
196 fprintf(fp, "seccomp\n"); 182 fprintf(fp, "seccomp\n");
197 if (!have_strace) { 183 if (!have_strace) {
@@ -203,19 +189,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
203 else 189 else
204 build_seccomp(strace_output, fp); 190 build_seccomp(strace_output, fp);
205 fprintf(fp, "shell none\n"); 191 fprintf(fp, "shell none\n");
206 fprintf(fp, "#tracelog\n"); 192 fprintf(fp, "tracelog\n");
207 fprintf(fp, "\n"); 193 fprintf(fp, "\n");
208 194
209 fprintf(fp, "#disable-mnt\n"); 195 fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
210 build_bin(trace_output, fp); 196 build_bin(trace_output, fp);
211 fprintf(fp, "#private-lib\n"); 197 fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
212 build_dev(trace_output, fp); 198 build_dev(trace_output, fp);
213 build_etc(trace_output, fp); 199 build_etc(trace_output, fp);
200 fprintf(fp, "#private-lib\n");
214 build_tmp(trace_output, fp); 201 build_tmp(trace_output, fp);
215 fprintf(fp, "\n"); 202 fprintf(fp, "\n");
216 203
217 fprintf(fp, "#dbus-user none\n"); 204 fprintf(fp, "#dbus-user none\n");
218 fprintf(fp, "#dbus-system none\n"); 205 fprintf(fp, "#dbus-system none\n");
206 fprintf(fp, "\n");
219 fprintf(fp, "#memory-deny-write-execute\n"); 207 fprintf(fp, "#memory-deny-write-execute\n");
220 208
221 if (!arg_debug) { 209 if (!arg_debug) {
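Review bot: The `include` lines rewritten in the second hunk (new lines 146–153) now carry a trailing `\t# …` comment, so the generated profile is only correct if the profile parser strips everything from the comment marker onward on `include` lines as well as on commands; the man-page hunk in this same commit documents the form `net none # comment` with a space before `#`, not a tab, so it is worth confirming a tab is handled identically. If it is not, the profile would silently look for a file named `disable-common.inc<tab># dangerous directories…` and the hardening those includes provide would not be applied, which is exactly the failure mode a generated profile should not have. Since the same `\t# ` literal is repeated on every rewritten line in the second, third and fourth hunks, a single named macro for the separator would make the format easy to change once if the parser turns out to require a space. build_profile starts before the first hunk and continues past the last one.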
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index dc3cce456..b3187227e 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -82,11 +82,12 @@ void build_seccomp(const char *fname, FILE *fp) {
82//*************************************** 82//***************************************
83// protocol 83// protocol
84//*************************************** 84//***************************************
85int unix_s = 0; 85static int unix_s = 0;
86int inet = 0; 86static int inet = 0;
87int inet6 = 0; 87static int inet6 = 0;
88int netlink = 0; 88static int netlink = 0;
89int packet = 0; 89static int packet = 0;
90static int bluetooth = 0;
90static void process_protocol(const char *fname) { 91static void process_protocol(const char *fname) {
91 assert(fname); 92 assert(fname);
92 93
@@ -135,6 +136,8 @@ static void process_protocol(const char *fname) {
135 netlink = 1; 136 netlink = 1;
136 else if (strncmp(ptr, "AF_PACKET ", 10) == 0) 137 else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
137 packet = 1; 138 packet = 1;
139 else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
140 bluetooth = 1;
138 } 141 }
139 142
140 fclose(fp); 143 fclose(fp);
@@ -161,22 +164,22 @@ void build_protocol(const char *fname, FILE *fp) {
161 } 164 }
162 165
163 int net = 0; 166 int net = 0;
164 if (unix_s || inet || inet6 || netlink || packet) { 167 if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
165 fprintf(fp, "protocol "); 168 fprintf(fp, "protocol ");
166 if (unix_s) 169 if (unix_s)
167 fprintf(fp, "unix,"); 170 fprintf(fp, "unix,");
168 if (inet) { 171 if (inet || inet6) {
169 fprintf(fp, "inet,"); 172 fprintf(fp, "inet,inet6,");
170 net = 1;
171 }
172 if (inet6) {
173 fprintf(fp, "inet6,");
174 net = 1; 173 net = 1;
175 } 174 }
176 if (netlink) 175 if (netlink)
177 fprintf(fp, "netlink,"); 176 fprintf(fp, "netlink,");
178 if (packet) { 177 if (packet) {
179 fprintf(fp, "packet"); 178 fprintf(fp, "packet,");
179 net = 1;
180 }
181 if (bluetooth) {
182 fprintf(fp, "bluetooth");
180 net = 1; 183 net = 1;
181 } 184 }
182 fprintf(fp, "\n"); 185 fprintf(fp, "\n");
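Review bot: The merged `if (inet || inet6)` test in the third hunk emits `inet,inet6,` whenever either family appears in the trace, so a program observed using only AF_INET is granted AF_INET6 in its generated `protocol` line too (and vice versa); that is a deliberate widening of the least-privilege result that the code does not explain, and it deserves a comment such as `// inet and inet6 are granted together: a program traced on one family is assumed to need the other -- confirm intent`. In the same hunk `packet` is now printed as `packet,`, so a trace with AF_PACKET but no AF_BLUETOOTH ends the line in a trailing comma; the earlier branches already produced one (e.g. `unix,` alone), so the profile parser presumably tolerates it, but it is worth confirming rather than assuming. build_protocol begins before this hunk.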
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3d59705b9..12e841af5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -160,6 +160,11 @@ Example: "blacklist ~/My Virtual Machines"
160 160
161.TP 161.TP
162\fB# this is a comment 162\fB# this is a comment
163Example:
164
165# disable networking
166.br
167net none # this command creates an empty network namespace
163 168
164.TP 169.TP
165\fB?CONDITIONAL: profile line 170\fB?CONDITIONAL: profile line
@@ -731,6 +736,9 @@ Disable DVD and audio CD devices.
731\fBnogroups 736\fBnogroups
732Disable supplementary user groups 737Disable supplementary user groups
733.TP 738.TP
739\fBnoinput
740Disable input devices.
741.TP
734\fBnosound 742\fBnosound
735Disable sound system. 743Disable sound system.
736.TP 744.TP
@@ -743,9 +751,6 @@ Disable U2F devices.
743\fBnovideo 751\fBnovideo
744Disable video capture devices. 752Disable video capture devices.
745.TP 753.TP
746\fBnoinput
747Disable input devices.
748.TP
749\fBshell none 754\fBshell none
750Run the program directly, without a shell. 755Run the program directly, without a shell.
751 756