author | netblue30 <netblue30@yahoo.com> | 2017-05-06 13:03:15 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-05-06 13:03:15 -0400 |
commit | 4515f44e59001c13122f9e9976f420c230806737 (patch) | |
tree | 42dd67e9279f1bbfc715271fcb420bfa8f664dda | |
parent | Merge pull request #1266 from SYN-cook/patch-2 (diff) | |
merge #1100 from zackw: added support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started with firejail --x11
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/Xephyr.profile | 40 | ||||
-rw-r--r-- | etc/Xvfb.profile | 39 | ||||
-rw-r--r-- | etc/xpra.profile | 31 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 |
7 files changed, 113 insertions, 10 deletions
@@ -463,6 +463,9 @@ Zack Weinberg (https://github.com/zackw) | |||
463 | - rework fcopy, --follow-link support in fcopy | 463 | - rework fcopy, --follow-link support in fcopy |
464 | - follow link support in --private-bin | 464 | - follow link support in --private-bin |
465 | - wait_for_other function rewrite | 465 | - wait_for_other function rewrite |
466 | - xvfb X11 server support | 466 | - Xvfb X11 server support |
467 | - Xvfb and Xephyr profiles, modified Xpra profile | ||
468 | - support for sandboxing Xpra, Xvfb and Xephyr in independent sandboxes when started | ||
469 | with firejail --x11 | ||
467 | 470 | ||
468 | Copyright (C) 2014-2017 Firejail Authors | 471 | Copyright (C) 2014-2017 Firejail Authors |
@@ -219,4 +219,4 @@ Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, Me | |||
219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, | 219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, |
220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, | 220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, |
221 | mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap, | 221 | mate-calc, mate-dictionary, mate-color-select, caja, galculator, Nemo, gnome-font-viewer, gucharmap, |
222 | knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper | 222 | knotes, clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr |
@@ -32,6 +32,8 @@ firejail (0.9.46-rc1) baseline; urgency=low | |||
32 | * feature: support overlay, overlay-named and overlay-tmpfs in profile files | 32 | * feature: support overlay, overlay-named and overlay-tmpfs in profile files |
33 | * feature: allow PulseAudio sockets in --private-tmp | 33 | * feature: allow PulseAudio sockets in --private-tmp |
34 | * feature: --fix-sound support in firecfg | 34 | * feature: --fix-sound support in firecfg |
35 | * feature: added support for sandboxing Xpra, Xvfb and Xephyr in | ||
36 | independent sandboxes when started with firejail --x11 | ||
35 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire, | 37 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire, |
36 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 38 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
37 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 39 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
@@ -45,7 +47,7 @@ firejail (0.9.46-rc1) baseline; urgency=low | |||
45 | * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, | 47 | * new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin, |
46 | * new profiles: mate-calc, mate-dictionary, mate-color-select, caja, | 48 | * new profiles: mate-calc, mate-dictionary, mate-color-select, caja, |
47 | * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes | 49 | * new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes |
48 | * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper | 50 | * new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr |
49 | * bugfixes | 51 | * bugfixes |
50 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500 | 52 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500 |
51 | 53 | ||
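--- /dev/null
+++ b/etc/Xephyr.profile
@@ -0,0 +1,40 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Xephyr.local
+
+#
+# This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+
+caps.drop all
+# Xephyr needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xephyr,sh,xkbcomp
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+
+blacklist /media
+whitelist /var/lib/xkb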
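Review bot: Unlike xpra.profile in this same commit, this profile (and Xvfb.profile) does not include the disable-common, disable-programs, disable-devel and disable-passwdmgr .inc files, so whatever those shared blacklists hide presumably stays visible to the Xephyr process; line 17 documents `private` as a private home directory only, and if leaving the includes out is deliberate a one-line comment saying why would stop the next maintainer from re-adding them. The header comment at lines 7–8 also reads oddly: "By default the this functionality" has a stray word, and "create a firejail-Xephyr symlink" does not match the command on line 10, which creates a symlink named `Xephyr`; suggested wording `# The target program is sandboxed with its own profile. By default this functionality` / `# is disabled. To enable it, create a symlink named Xephyr pointing at firejail in /usr/local/bin:`. The same two comment lines appear in Xvfb.profile and xpra.profile. The first `#private-bin` candidate on line 35 carries `strace,bash,cat,ls`, which looks like a debugging leftover next to the cleaner list on line 36; the same pair appears in Xvfb.profile and as one merged list in xpra.profile.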
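--- /dev/null
+++ b/etc/Xvfb.profile
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xvfb.local
+
+#
+# This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+
+# using a private home directory
+private
+
+caps.drop all
+# Xvfb needs to be allowed access to the abstract Unix socket namespace.
+#net none
+nogroups
+nonewprivs
+# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
+#noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+private-dev
+private-tmp
+private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+#private-bin Xvfb,sh,xkbcomp
+
+blacklist /media
+whitelist /var/lib/xkb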
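Review bot: Line 3 includes `/etc/firejail/xvfb.local`, but the file itself is `Xvfb.profile` and Xephyr.profile in this same commit includes `Xephyr.local`, so a user who follows line 2 and creates `Xvfb.local` will silently get no customizations loaded on a case-sensitive filesystem. Suggested line: `include /etc/firejail/Xvfb.local`. Line 34 enables `private-etc` here while Xephyr.profile leaves the identical list commented out; if the difference is intentional, a short comment on why Xvfb can live with the restricted /etc and Xephyr cannot would save a future reviewer from "fixing" one to match the other.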
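--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -2,26 +2,43 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/xpra.local
 
-# xpra profile
+
+#
+# This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
+# The target program is sandboxed with its own profile. By default the this functionality
+# is disabled. To enable it, create a firejail-xpra symlink in /usr/local/bin:
+#
+# $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
+#
+# We have this functionality disabled by default because it creates problems on
+# some Linux distributions.
+#
+
+# private home directory doesn't work on some distros, so we go for a regular home
+#private
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-netfilter
+# xpra needs to be allowed access to the abstract Unix socket namespace.
+#net none
 nogroups
 nonewprivs
-noroot
+# In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
+#noroot
 nosound
 shell none
 seccomp
-protocol unix,inet,inet6
+protocol unix
 
-# blacklist /tmp/.X11-unix
 
-# private-bin
 private-dev
 private-tmp
-# private-etc
+#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+
+blacklist /media
+whitelist /var/lib/xkb
 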
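Review bot: Line 34 narrows `protocol unix,inet,inet6` to `protocol unix` and line 25–26 replace the former `netfilter` with a commented-out `#net none`, which presumably leaves xpra's TCP/network modes unusable under this profile, yet nothing in the file says that is intended. A comment such as `# inet/inet6 intentionally dropped: this profile only covers the local --x11=xpra case` next to line 34 would make the tightening read as deliberate rather than accidental, in the same way lines 29–30 already explain why `noroot` is disabled. The `#private-bin` list on line 39 ends in `strace,bash,cat,ls`, which look like debugging tools rather than xpra runtime dependencies and will be copied verbatim when someone uncomments the line.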
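--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -296,3 +296,5 @@
 /etc/firejail/lximage-qt.profile
 /etc/firejail/lxmusic.profile
 /etc/firejail/qlipper.profile
+/etc/firejail/Xvfb.profile
+/etc/firejail/Xephyr.profile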