Merge branch 'master' of ssh://github.com/netblue30/firejail

15 files changed, 106 insertions, 13 deletions

diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..f69d9eee2 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
 
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 448d8b655..7d7863b6a 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -18,6 +18,10 @@ noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/node-gyp.profile
index 80da22834..015607087 100644
--- a/etc/profile-m-z/nvm.profile
+++ b/etc/profile-m-z/node-gyp.profile
@@ -1,13 +1,11 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
 quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include nvm.local
+include node-gyp.local
 # Persistent global definitions
 include globals.local
 
-ignore noroot
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..dd3080ad9 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
new file mode 100644
index 000000000..6d5602c88
--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/ping-hardened.inc.profile b/etc/profile-m-z/ping-hardened.inc.profile
new file mode 100644
index 000000000..eda53654a
--- /dev/null
+++ b/etc/profile-m-z/ping-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include ping-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index b4923c38a..ed21bd1ce 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,23 +7,30 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+#include ping-hardened.inc.profile
+
 apparmor
 caps.keep net_raw
 ipc-namespace
+machine-id
 #net tun0
 #netfilter /etc/firejail/ping.net
 netfilter
@@ -31,8 +38,9 @@ no3d
 nodvd
 nogroups
 noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
 #nonewprivs
+noprinters
 #noroot
 nosound
 notv
@@ -40,15 +48,18 @@ nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
 #seccomp
+shell none
+tracelog
 
 disable-mnt
 private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
 #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -56,3 +67,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
new file mode 100644
index 000000000..3e0c19b8b
--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
index 48944ebea..45ddecd2d 100644
--- a/etc/profile-m-z/sha256sum.profile
+++ b/etc/profile-m-z/sha256sum.profile
@@ -7,6 +7,9 @@ include sha256sum.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
 private-bin sha256sum
 
 # Redirect
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0817adda8..a9d0a60d1 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,6 +7,9 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
 # Included in archiver-common.profile
 ignore include disable-shell.inc
 
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 4d849c582..52d2091fe 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 2fe727b9c..1aa546a29 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,6 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 
 include disable-common.inc
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 4c21d6965..82af30d2a 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e962e18da..3dd339d94 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -343,6 +343,18 @@ closed.
 .TP
 \fBprivate directory
 Use directory as user home.
+--private and --private=directory cannot be used together.
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 .TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
@@ -505,7 +517,7 @@ There is no root account (uid 0) defined in the namespace.
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
-Multiple protocol commands are allowed.
+Multiple protocol commands are allowed and they accumulate.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index feb9e4e81..41171a4e7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1905,6 +1905,17 @@ Use directory as user home.
 Example:
 .br
 $ firejail \-\-private=/home/netblue/firefox-home firefox
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 
 .TP
 \fB\-\-private-bin=file,file
@@ -2171,6 +2182,7 @@ $ firejail \-\-profile.print=browser
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
 Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
+Multiple protocol commands are allowed and they accumulate.
 .br
 
 .br