author | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2018-01-28 23:38:54 -0600 |
---|---|---|
committer | Fred-Barclay <Fred-Barclay@users.noreply.github.com> | 2018-01-28 23:38:54 -0600 |
commit | cfaf67e1aea9791970b1e7b28fbbbecc8d871c82 (patch) | |
tree | fb34b71d2f87e22238a9d9b094413cd3fca3c5e8 | |
parent | noblacklist /usr/share/perl in hexchat - potential fix for #1754 (diff) | |
parent | debug messages for appimage (diff) | |
download | firejail-cfaf67e1aea9791970b1e7b28fbbbecc8d871c82.tar.gz firejail-cfaf67e1aea9791970b1e7b28fbbbecc8d871c82.tar.zst firejail-cfaf67e1aea9791970b1e7b28fbbbecc8d871c82.zip |
Merge branch 'master' of https://github.com/netblue30/firejail
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/redeclipse.profile (renamed from etc/xmr-stak-cpu.profile) | 17 | ||||
-rw-r--r-- | etc/xmr-stak.profile | 44 | ||||
-rw-r--r-- | etc/xonotic.profile | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 3 | ||||
-rw-r--r-- | src/firejail/appimage.c | 2 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 31 | ||||
-rw-r--r-- | src/firemon/apparmor.c | 3 |
9 files changed, 70 insertions, 37 deletions
@@ -1,6 +1,10 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * seccomp syscall list update for glibc 2.26-10 | 3 | * seccomp syscall list update for glibc 2.26-10 |
4 | * IPv6 DNS support | ||
5 | * whitelist support for overlay and chroot sandboxes | ||
6 | * private-dev support for overlay and chroot sandboxes | ||
7 | * private-tmp support for overlay and chroot sandboxes | ||
4 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary | 8 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary |
5 | * new profiles: pycharm-community, pycharm-professional | 9 | * new profiles: pycharm-community, pycharm-professional |
6 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 | 10 | -- netblue30 <netblue30@yahoo.com> Tue, 12 Dec 2017 08:00:00 -0500 |
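--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -416,6 +416,7 @@ blacklist ${HOME}/.passwd-s3fs
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
@@ -453,6 +454,7 @@ blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmms
+blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom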
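--- a/etc/xmr-stak-cpu.profile
+++ b/etc/redeclipse.profile
@@ -1,27 +1,28 @@
-# Firejail profile for xmr-stak-cpu
+# Firejail profile for redeclipse
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xmr-stak-cpu.local
+include /etc/firejail/redeclipse.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.redeclipse
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+mkdir ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
+include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
-ipc-namespace
 netfilter
-no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 novideo
 protocol unix,inet,inet6
@@ -29,14 +30,8 @@ seccomp
 shell none
 
 disable-mnt
-private
-private-bin xmr-stak-cpu
 private-dev
-private-etc xmr-stak-cpu.json
-private-lib
-private-opt none
 private-tmp
 
-memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp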
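--- /dev/null
+++ b/etc/xmr-stak.profile
@@ -0,0 +1,44 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xmr-stak.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.xmr-stak
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.xmr-stak
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp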
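Review bot: `noblacklist /usr/lib/llvm*` on line 9 and the commented-out `#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend` on line 38 both loosen the sandbox relative to the other hardening in this profile, and neither says why, so a maintainer tightening the profile later has nothing to go on. The llvm exception is presumably tied to the OpenCL backend named on line 38, but the page does not confirm that. Suggest a one-line comment above each, e.g. `# llvm is needed by the <backend — confirm> backend` and `# private-lib disabled: <reason>`, so the exceptions are deliberate and reviewable rather than silent.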
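--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter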
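--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -293,6 +293,7 @@ qupzilla
 qutebrowser
 rambox
 ranger
+redeclipse
 remmina
 rhythmbox
 ricochet
@@ -393,7 +394,7 @@ xfce4-dict
 xfce4-notes
 xiphos
 xmms
-xmr-stak-cpu
+xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl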
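--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -109,10 +109,12 @@ void appimage_set(const char *appimage) {
 	EUID_ROOT();
 
 	if (size == 0) {
+		fmessage("Mounting appimage type 1\n");
 		if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
 			errExit("mounting appimage");
 	}
 	else {
+		fmessage("Mounting appimage type 2\n");
 		if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0)
 			errExit("mounting appimage");
 	}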
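Review bot: The two new fmessage() calls distinguish type 1 from type 2 only on the success path, while both errExit() calls still say the identical `"mounting appimage"`, so a failure report still does not tell which filesystem type was attempted unless the preceding info message happens to be visible. Making the exit messages carry the same distinction, `errExit("mounting appimage type 1")` and `errExit("mounting appimage type 2")`, keeps the diagnostic useful when only stderr is captured. appimage_set() begins and ends outside this hunk.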
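--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -763,14 +763,8 @@ int sandbox(void* sandbox_arg) {
 		fs_private();
 	}
 
-	if (arg_private_dev) {
-		if (cfg.chrootdir)
-			fwarning("private-dev feature is disabled in chroot\n");
-		else if (arg_overlay)
-			fwarning("private-dev feature is disabled in overlay\n");
-		else
-			fs_private_dev();
-	}
+	if (arg_private_dev)
+		fs_private_dev();
 
 	if (arg_private_etc) {
 		if (cfg.chrootdir)
@@ -835,16 +829,10 @@ int sandbox(void* sandbox_arg) {
 	}
 
 	if (arg_private_tmp) {
-		if (cfg.chrootdir)
-			fwarning("private-tmp feature is disabled in chroot\n");
-		else if (arg_overlay)
-			fwarning("private-tmp feature is disabled in overlay\n");
-		else {
-			// private-tmp is implemented as a whitelist
-			EUID_USER();
-			fs_private_tmp();
-			EUID_ROOT();
-		}
+		// private-tmp is implemented as a whitelist
+		EUID_USER();
+		fs_private_tmp();
+		EUID_ROOT();
 	}
 
 	//****************************
@@ -877,12 +865,7 @@ int sandbox(void* sandbox_arg) {
 	// apply the profile file
 	//****************************
 	// apply all whitelist commands ...
-	if (cfg.chrootdir)
-		fwarning("whitelist feature is disabled in chroot\n");
-	else if (arg_overlay)
-		fwarning("whitelist feature is disabled in overlay\n");
-	else
-		fs_whitelist();
+	fs_whitelist();
 
 	// ... followed by blacklist commands
 	fs_blacklist(); // mkdir and mkfile are processed all over again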
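Review bot: Dropping the cfg.chrootdir / arg_overlay guards around fs_private_dev(), fs_private_tmp() and fs_whitelist() (all three hunks of this file) means these mount operations now run inside chroot and overlay sandboxes, but nothing in this section shows the callees resolving their targets against the chroot or overlay root; if they still act on the host view, a profile's whitelist or private-tmp would appear to apply while leaving the sandboxed tree unrestricted, which is a silent loss of containment where the old code at least emitted an fwarning. Presumably the callees were adapted in one of the merged parents, but that should be confirmed before this lands. The private-etc branch visible in the context of the first hunk still carries `if (cfg.chrootdir)`, so either it was deliberately left unsupported or it was missed; if deliberate, a comment such as `// private-etc is not yet supported in chroot/overlay sandboxes` would record that the asymmetry is intended. sandbox() begins and ends outside these hunks.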
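--- a/src/firemon/apparmor.c
+++ b/src/firemon/apparmor.c
@@ -18,9 +18,10 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firemon.h"
-#include <sys/apparmor.h>
 
 #ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
 static void print_apparmor(int pid) {
 	char *label = NULL;
 	char *mode = NULL;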