author | netblue30 <netblue30@yahoo.com> | 2016-06-10 10:41:57 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-10 10:41:57 -0400 |
commit | e3abab47dcda4dba4a1412261e35cb1608ffd900 (patch) | |
tree | c1b75716185ea40aa77ff947991c868f7d5d8628 | |
parent | private-bin conversion (diff) | |
private-bin conversion
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | etc/cherrytree.profile | 9 | ||||
-rw-r--r-- | etc/disable-devel.inc | 2 | ||||
-rw-r--r-- | etc/evince.profile | 3 | ||||
-rw-r--r-- | etc/fbreader.profile | 3 | ||||
-rw-r--r-- | etc/gnome-mplayer.profile | 3 | ||||
-rw-r--r-- | etc/gthumb.profile | 2 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rwxr-xr-x | test/apps/apps.sh | 10 | ||||
-rwxr-xr-x | test/apps/gthumb.exp | 83 |
11 files changed, 118 insertions, 4 deletions
@@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra | |||
71 | 71 | ||
72 | File transfer: filezilla | 72 | File transfer: filezilla |
73 | 73 | ||
74 | Media: vlc, mpv, gnome-mplayer | ||
75 | |||
76 | Office: evince, gthumb, fbreader | ||
77 | |||
74 | ## New security profiles | 78 | ## New security profiles |
75 | 79 | ||
76 | Gitter, gThumb, mpv, Franz messenger | 80 | Gitter, gThumb, mpv, Franz messenger |
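--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
 tracelog
 
 include /etc/firejail/whitelist-common.inc
+
+# no private-bin support for various reasons:
+#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
+#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
+#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
+#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
+#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
+# it requires acces to browser to show the online help
+# it doesn't play nicely with expect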
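Review bot: The reason cherrytree stays without private-bin can only be recovered by decoding the pasted exec trace on lines 29-33; a one-line summary would serve the next profile maintainer better. The trace shows cherrytree running under /usr/bin/python and spawning `sh -c /sbin/ldconfig -p` plus a `gcc -Wl,-t ... -llibc` probe, which looks like Python's ctypes library lookup, so a comment such as `# no private-bin: cherrytree is a python script that shells out to sh, ldconfig and gcc at startup (apparently ctypes library lookup), needs a browser for the online help, and does not play nicely with expect` would carry the same information without the raw log lines. Line 34 also has a typo, `acces` should be `access`.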
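--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
 
-# Programs using python: deluge, some firefox addons, filezilla
+# Programs using python: deluge, firefox addons, filezilla, cherrytree
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*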
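--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin evince,evince-previewer,evince-thumbnailer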
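--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin fbreader,FBReader
\ No newline at end of file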
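--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin gnome-mplayer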
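--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-private-bin gthumb
 shell none
+private-bin gthumb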
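--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
 
 # to test
 shell none
-private-bin vlc
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc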
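--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -135,7 +135,6 @@ static void myexit(int rv) {
 }
 
 static void my_handler(int s){
-	printf("**************************\n");
 	EUID_ROOT();
 	if (!arg_quiet) {
 		printf("\nParent received signal %d, shutting down the child process...\n", s);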
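--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -87,6 +87,16 @@ else
 	echo "TESTING SKIP: evince not found"
 fi
 
+
+which gthumb
+if [ "$?" -eq 0 ];
+then
+	echo "TESTING: gthumb"
+	./gthumb.exp
+else
+	echo "TESTING SKIP: gthumb not found"
+fi
+
 which icedove
 if [ "$?" -eq 0 ];
 then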
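Review bot: The new block at lines 91-98 runs `which gthumb` for its side effect, letting the resolved path land on stdout, and only then inspects `$?` on the next line; `if command -v gthumb >/dev/null 2>&1; then` expresses the same check in one step and keeps the test transcript clean. The existing evince block just above uses the same two-step idiom, so this is a file-wide pattern rather than something introduced here, and changing it only for gthumb would be inconsistent. Line 90 also adds a second consecutive blank line between the evince and gthumb blocks.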
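--- /dev/null
+++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3.1\n";exit}
+	"gthumb"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	":firejail gthumb"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+	"Seccomp: 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	":firejail gthumb"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.1\n";exit}
+	"CapBnd:"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.2\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.3\n";exit}
+	"name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+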
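Review bot: Every timeout branch in this new script prints a `TESTING ERROR …` message and then calls bare `exit`, which in expect terminates with status 0, so a run that never sees the expected seccomp or capability output still looks successful to anything that checks the exit status of ./gthumb.exp from apps.sh; `exit 1` in each branch, e.g. `timeout {puts "TESTING ERROR 0\n";exit 1}`, would make the failure visible. If the surrounding harness greps the transcript for the error text instead, this is harmless, but the script itself never signals failure. The sandboxes started by `firejail gthumb` and `firejail --name=blablabla` are also still running when the script ends with `all done`; presumably the harness tears them down, otherwise a `firejail --shutdown=blablabla` before the final puts would avoid leaking them into later tests.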