author | netblue30 <netblue30@yahoo.com> | 2015-12-06 13:11:00 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-12-06 13:11:00 -0500 |
commit | 873b9d161f4d87a87af78d5074016a5749588513 (patch) | |
tree | a7c4d7f8d68fa7175facc2b64975ddbd9ae305e5 | |
parent | Merge pull request #186 from avoidr/parole.profile (diff) | |
tracelog added to various profiles
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/conkeror.profile | 1 | ||||
-rw-r--r-- | etc/deluge.profile | 2 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 1 | ||||
-rw-r--r-- | etc/dropbox.profile | 2 | ||||
-rw-r--r-- | etc/evince.profile | 1 | ||||
-rw-r--r-- | etc/fbreader.profile | 1 | ||||
-rw-r--r-- | etc/filezilla.profile | 1 | ||||
-rw-r--r-- | etc/firefox.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 1 | ||||
-rw-r--r-- | etc/google-chrome.profile | 1 | ||||
-rw-r--r-- | etc/midori.profile | 1 | ||||
-rw-r--r-- | etc/opera-beta.profile | 1 | ||||
-rw-r--r-- | etc/opera.profile | 1 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 1 | ||||
-rw-r--r-- | etc/rtorrent.profile | 1 | ||||
-rw-r--r-- | etc/skype.profile | 1 | ||||
-rw-r--r-- | etc/spotify.profile | 1 | ||||
-rw-r--r-- | etc/steam.profile | 1 | ||||
-rw-r--r-- | etc/thunderbird.profile | 1 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 2 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 1 | ||||
-rw-r--r-- | etc/weechat.profile | 1 | ||||
-rw-r--r-- | etc/wine.profile | 1 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 |
30 files changed, 42 insertions, 4 deletions
@@ -26,6 +26,7 @@ rogshdo (https://github.com/rogshdo) | |||
26 | avoidr (https://github.com/avoidr) | 26 | avoidr (https://github.com/avoidr) |
27 | - whitelist fix | 27 | - whitelist fix |
28 | - recently-used.xbel fix | 28 | - recently-used.xbel fix |
29 | - added parole profile | ||
29 | - blacklist ncat, manpage fixes, | 30 | - blacklist ncat, manpage fixes, |
30 | - hostname support in profile file | 31 | - hostname support in profile file |
31 | - Google Chrome profile rework | 32 | - Google Chrome profile rework |
@@ -1,6 +1,6 @@ | |||
1 | firejail (0.9.35) baseline; urgency=low | 1 | firejail (0.9.35) baseline; urgency=low |
2 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat | 2 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
3 | and rtorrent profiles | 3 | parole and rtorrent profiles |
4 | * Google Chrome profile rework | 4 | * Google Chrome profile rework |
5 | * added google-chrome-stable profile | 5 | * added google-chrome-stable profile |
6 | * added google-chrome-beta profile | 6 | * added google-chrome-beta profile |
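--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
 whitelist ~/.cache/chromium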
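--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -7,6 +7,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 whitelist ~/.conkeror.mozdev.org
 whitelist ~/Downloads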
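--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -12,5 +12,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 
+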
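Review bot: A second trailing blank line is appended at new line 18 together with the `tracelog` keyword, so the file now ends with two empty lines; the other profiles in this commit receive only the keyword. Drop the added empty line so the profile ends with a single newline, keeping the files uniform.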
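--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,4 +5,5 @@ include /etc/firejail/disable-mgmt.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+tracelog
 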
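Review bot: This profile also sets `private-dev` (line 6 of the new side), and libc's syslog() delivers messages through the /dev/log socket rather than through the kernel; whether firejail's minimal /dev keeps /dev/log is not visible here, so confirm it, otherwise every violation this `tracelog` is meant to record is silently discarded. The `syslog` entry in the `seccomp.drop` list is the kernel log-buffer syscall and does not affect syslog(3), so that part does not interfere. While here, `perf_event_open` appears twice in the `seccomp.drop` list on the new side; removing the duplicate would be a harmless cleanup.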
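--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -11,3 +11,5 @@ caps
 seccomp
 protocol unix,inet,inet6
 noroot
+tracelog
+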
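Review bot: `tracelog` is placed after `noroot` here and a new empty line is appended after it (new lines 14-15), whereas every other profile in this commit puts the keyword directly after `netfilter` and adds nothing else; within this hunk there is no `netfilter` line, so placing it after `protocol unix,inet,inet6` would keep the ordering recognisable, and the empty line 15 can go.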
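--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,3 +12,4 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 noroot
+tracelog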
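--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,5 +13,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 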
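--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -11,5 +11,6 @@ seccomp
 protocol unix,inet,inet6
 noroot
 netfilter
+tracelog
 
 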
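--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -8,6 +8,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
 netfilter
+tracelog
 noroot
 whitelist ${DOWNLOADS}
 whitelist ~/.mozilla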
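--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta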
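--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable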
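--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-common.inc
 #
 
 netfilter
+tracelog
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
 whitelist ~/.cache/google-chrome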
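--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -8,4 +8,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 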
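--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+tracelog
 whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera-beta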
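--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+tracelog
 whitelist ~/.config/opera
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera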
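--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,5 +12,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 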
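--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -7,4 +7,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot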
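--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
 protocol unix,inet,inet6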
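--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -16,5 +16,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 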
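--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp
 protocol unix,inet,inet6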
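Review bot: Steam runs a large share of its helper processes as 32-bit binaries, and the preload entry that `tracelog` causes to be written (fs_trace.c in this commit) is a single absolute path to `LIBDIR/firejail/libtracelog.so`; if only a 64-bit build of that library is installed, the dynamic loader refuses to preload it into 32-bit children, prints an `ERROR: ld.so: object ... cannot be preloaded` line on stderr for each of them, and those processes run unlogged. That makes the syslog record incomplete rather than empty, which is easy to misread as "no violations". Confirm whether a multilib build of libtracelog.so exists; if not, a profile comment such as `# tracelog only covers processes whose ELF class matches the installed libtracelog.so` would set expectations.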
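--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,5 +21,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 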
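--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -13,4 +13,6 @@ seccomp
 protocol unix,inet,inet6
 netfilter
 noroot
+tracelog
+
 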
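Review bot: The new `tracelog` line lands after `noroot` and is followed by a new empty line, so the file now ends with two blank lines (new lines 17-18); the sibling transmission-qt profile in this same commit places the keyword right after `netfilter` and adds no blank. Moving the keyword up and dropping the extra empty line keeps the two transmission profiles aligned.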
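--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -12,5 +12,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot
 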
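--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -7,4 +7,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+tracelog
 noroot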
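--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -8,5 +8,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+tracelog
 noroot
 seccomp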
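Review bot: Wine is the other 32-bit-heavy target in this commit, and its 32-bit wine/wineserver processes can only be instrumented if a 32-bit `libtracelog.so` exists at the single path fs_trace.c writes for `tracelog`; otherwise the loader skips the preload with an error line on stderr and blacklist accesses from those processes never reach syslog. Whether a 32-bit build of the library is shipped is not visible here, so confirm it before treating this profile's log as complete. A short comment, e.g. `# tracelog coverage is partial for 32-bit Wine processes unless a 32-bit libtracelog.so is installed`, would document the limitation in place.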
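--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -59,8 +59,11 @@ void fs_trace(void) {
 		errExit("fopen");
 	if (arg_trace)
 		fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
-	else if (arg_tracelog)
+	else if (arg_tracelog) {
 		fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
+		if (!arg_quiet)
+			printf("Blacklist violations are logged to syslog\n");
+	}
 	else
 		assert(0);
 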
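Review bot: When both `arg_trace` and `arg_tracelog` are set, the `else if (arg_tracelog)` branch at new lines 62-66 is never reached, so a profile's `tracelog` is silently dropped whenever the user also passes --trace on the command line, and the new "logged to syslog" message is not printed either, leaving no hint that violations are not being recorded. A one-line warning ahead of the chain would make that visible: `if (arg_trace && arg_tracelog && !arg_quiet) fprintf(stderr, "Warning: --trace takes precedence, blacklist violations will not be logged to syslog\n");`. The new informational message itself goes to stdout via printf; if the sandboxed program's stdout is being piped, this line ends up in that pipe, so stderr is the safer stream for it. fs_trace() begins before the hunk and the rest of its body, including whatever closes fp, lies outside it.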
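--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -120,6 +120,10 @@ int profile_check_line(char *ptr, int lineno) {
 		arg_shell_none = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "tracelog") == 0) {
+		arg_tracelog = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "private") == 0) {
 		arg_private = 1;
 		return 0;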
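--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -158,7 +158,9 @@ All modifications are discarded when the sandbox is closed.
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
-
+.TP
+\f\ tracelog
+Blacklist violations logged to syslog.
 .SH Filters
 \fBcaps\fR and \fBseccomp\fR enable Linux capabilities and seccomp filters. Examples:
 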
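Review bot: The new line `\f\ tracelog` is a broken troff escape: `\f` expects a font name such as `B`, and the backslash-space that follows it is not one, so the keyword renders with no font change and a stray space, unlike the neighbouring `\fBcaps\fR`. It should read `\fBtracelog\fR`, matching the other keywords in this file. The description could also state what actually produces the entries, for example `Log blacklist violations to syslog; the hook is a preload library, so only dynamically linked programs are covered.` — the preload mechanism is visible in fs_trace.c in this commit, but confirm that wording against the library before documenting it.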