author | netblue30 <netblue30@protonmail.com> | 2022-01-08 17:43:00 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-01-08 17:43:00 -0500 |
commit | 1754635a483feb3e1764eaedebf778486b1c6d37 (patch) | |
tree | 26b2670ff2dfdea86faee3aa31dd54b0f87811ef | |
parent | merge updates (diff) | |
parent | Merge pull request #4826 from adrianlshaw/master (diff) | |
Merge branch 'master' of ssh://github.com/netblue30/firejail
-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | etc/inc/disable-interpreters.inc | 9 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/profile-m-z/rpcs3.profile | 62 | ||||
-rw-r--r-- | etc/templates/profile.template | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
10 files changed, 85 insertions, 1 deletions
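--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained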
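--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -40,6 +40,15 @@ blacklist /usr/lib/perl*
 blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
 
+# rxvt needs Perl modules, thus does not work. In particular, blacklisting
+# it is needed so that Firefox can run applications with Terminal=true in
+# their .desktop file (depending on what is installed). The reason is that
+# this is done via glib, which currently uses a hardcoded list of terminal
+# emulators:
+# https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# And in this list, rxvt comes before xterm.
+blacklist ${PATH}/rxvt
+
 # PHP
 blacklist ${PATH}/php*
 blacklist /usr/lib/php*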
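Review bot: The new comment at file lines 43-49 explains the rxvt entry only indirectly: "thus does not work" leaves the reader to infer that glib tries rxvt before xterm and then fails because rxvt's Perl modules are already blacklisted above. Since this file is otherwise about interpreters, state the mechanism directly so the entry is not mistaken for a stray interpreter rule and dropped in a later cleanup, e.g. `# rxvt is not an interpreter, but it depends on the Perl modules blacklisted above and so cannot start in the sandbox. Blacklisting the binary makes glib's hardcoded terminal list skip it and fall through to xterm, which lets Firefox launch .desktop entries with Terminal=true.` Note also that `${PATH}/rxvt` matches only that exact binary name; whether other terminal names on glib's list are affected cannot be told from this hunk.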
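--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rednotebook
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/rpcs3
 blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
@@ -573,6 +574,7 @@ blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rpcs3
 blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc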
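--- /dev/null
+++ b/etc/profile-m-z/rpcs3.profile
@@ -0,0 +1,62 @@
+# Firejail profile for RPCS3 emulator
+# Description: RPCS3 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rpcs3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/rpcs3
+noblacklist ${HOME}/.cache/rpcs3
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc # disable if PPU compilation crashes
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/rpcs3
+mkdir ${HOME}/.config/rpcs3
+whitelist ${HOME}/.cache/rpcs3
+whitelist ${HOME}/.config/rpcs3
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+#noinput
+nonewprivs
+noroot
+noprinters
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+#private-cache
+#private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+private-tmp
+
+dbus-user none
+dbus-system none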
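Review bot: `noblacklist /sbin` and `noblacklist /usr/sbin` at profile lines 13-14 re-expose the entire system-administration directories, while the comment above them names a single binary, ldconfig, as the reason. If the sandbox can exempt one file from a blacklisted directory, `noblacklist /sbin/ldconfig` and `noblacklist /usr/sbin/ldconfig` would keep the rest of those directories blocked; this needs checking against the directory blacklist that presumably lives in disable-common.inc, which is outside this diff. If a directory-level exemption really is required, the comment should say so explicitly, e.g. `# ldconfig lives in /sbin; a file-level noblacklist is not sufficient here, so the whole directory has to be exposed.` A reader of the profile otherwise cannot tell whether the wide exemption is deliberate or an oversight.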
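--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv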
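--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -702,6 +702,7 @@ riot-web
 ripperx
 ristretto
 rocketchat
+rpcs3
 rtorrent
 runenpass.sh
 sayonara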
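--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
 " --nogroups - disable supplementary groups.\n"
 " --noinput - disable input devices.\n"
 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+" --noprinters - disable printers.\n"
 " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
 " --noroot - install a user namespace with only the current user.\n"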
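Review bot: The new help line `" --noprinters - disable printers.\n"` does not say what the option actually blocks, and the same three-word wording is repeated in src/man/firejail.txt, src/man/firejail-profile.txt and the zsh completion in this merge. The neighbouring entries name the thing being restricted (`disable input devices`, `sets the NO_NEW_PRIVS prctl`), so this one should follow that pattern once the implementation, which is not part of this diff, is confirmed: name the device nodes or service the option hides, and use the same phrase in all four places so `--help`, the man pages and the completion agree. The `usage_str` initializer this hunk sits in continues outside the hunk.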
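--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot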
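--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1635,6 +1635,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 
 .TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br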
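--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
 '--nogroups[disable supplementary groups]'
 '--noinput[disable input devices]'
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+'--noprinters[disable printers]'
 '--nosound[disable sound system]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'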