author | valoq <valoq@mailbox.org> | 2016-12-01 12:29:00 +0100 |
---|---|---|
committer | valoq <valoq@mailbox.org> | 2016-12-01 12:29:00 +0100 |
commit | bfceeab77bc89e6c10ba570834ed988ee3fae958 (patch) | |
tree | 497d6e5ac375905fc1a1f3dc82ea92a8ff3d704e | |
parent | blacklisted various program files (diff) | |
parent | private-opt, private-srv (diff) | |
fixed conflict
32 files changed, 591 insertions, 144 deletions
@@ -95,6 +95,9 @@ valoq (https://github.com/valoq) | |||
95 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles | 95 | - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles |
96 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 96 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
97 | - added wget profile | 97 | - added wget profile |
98 | SpotComms (https://github.com/SpotComms) | ||
99 | - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles | ||
100 | - added PDFSam, Pithos, and Xonotic profiles | ||
98 | Vasya Novikov (https://github.com/vn971) | 101 | Vasya Novikov (https://github.com/vn971) |
99 | - Wesnoth profile | 102 | - Wesnoth profile |
100 | - Hedegewars profile | 103 | - Hedegewars profile |
@@ -55,10 +55,31 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
55 | ````` | 55 | ````` |
56 | 56 | ||
57 | ````` | 57 | ````` |
58 | ## New command line options | ||
59 | ````` | ||
60 | --private-opt=file,directory | ||
61 | Build a new /opt in a temporary filesystem, and copy the files | ||
62 | and directories in the list. If no listed file is found, /opt | ||
63 | directory will be empty. All modifications are discarded when | ||
64 | the sandbox is closed. | ||
65 | |||
66 | Example: | ||
67 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
68 | |||
69 | --private-srv=file,directory | ||
70 | Build a new /srv in a temporary filesystem, and copy the files | ||
71 | and directories in the list. If no listed file is found, /srv | ||
72 | directory will be empty. All modifications are discarded when | ||
73 | the sandbox is closed. | ||
74 | |||
75 | Example: | ||
76 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
77 | ````` | ||
58 | ## New Profiles | 78 | ## New Profiles |
59 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | 79 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, |
60 | amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, | 80 | amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, |
61 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, | 81 | gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, |
62 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, | 82 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, |
63 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, | 83 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, |
64 | xed, pluma, Cryptocat | 84 | xed, pluma, Cryptocat Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, |
85 | PDFSam, Pithos, Xonotic | ||
@@ -9,9 +9,13 @@ firejail (0.9.45) baseline; urgency=low | |||
9 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | 9 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) |
10 | * feature: AppImage type 2 support | 10 | * feature: AppImage type 2 support |
11 | * feature: test coverage (gcov) support | 11 | * feature: test coverage (gcov) support |
12 | * feature: private /opt directory (--private-opt, profile support) | ||
13 | * feature: private /srv directory (--private-srv, profile support) | ||
12 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 14 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
13 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 15 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
14 | * new profiles: Cryptocat | 16 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
17 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | ||
18 | * new profies: Xonotic | ||
15 | * bugfixes | 19 | * bugfixes |
16 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 20 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
17 | 21 | ||
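--- /dev/null
+++ b/etc/bless.profile
@@ -0,0 +1,20 @@
+#
+#Profile for bless
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.config/bless
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp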
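Review bot: The options block leaves IP networking open (`netfilter` plus `protocol unix,inet,inet6`) for a hex editor; if bless has no network feature, `net none` together with `protocol unix` would be the tighter setting. The same question applies to etc/pdfsam.profile and etc/jd-gui.profile in this commit, which carry the identical options block. The profile also lifts the blacklist on `${HOME}/.config/bless` without any whitelist, so the rest of the home directory stays reachable apart from what the disable-*.inc files block; if that is intended, a comment such as `# no whitelist: the editor must be able to open arbitrary user files` would record it.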
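--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -10,6 +10,7 @@ blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
@@ -44,6 +45,7 @@ blacklist ${HOME}/.openshot_qt
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/eog
+blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/aweather
@@ -77,6 +79,7 @@ blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.audacity-data
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.local/share/lollypop
 
 # HTTP / FTP / Mail
 blacklist ${HOME}/.icedove
@@ -144,6 +147,10 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.warzone2100-3.1
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-2048
+blacklist ${HOME}/.local/share/multimc5
+blacklist ${HOME}/.multimc5
+blacklist ${HOME}/.xonotic
 
 # Cryptocoins
 blacklist ${HOME}/.*coin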
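--- /dev/null
+++ b/etc/gnome-2048.profile
@@ -0,0 +1,25 @@
+#
+#Profile for gnome-2048
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/gnome-2048
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp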
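--- /dev/null
+++ b/etc/gnome-calculator.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-calculator
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp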
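--- /dev/null
+++ b/etc/gnome-contacts.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-contacts
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp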
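--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp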
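--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp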
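--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6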
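Review bot: The options block ends at `protocol unix,inet,inet6` with no `seccomp` line, while every other full profile added in this commit enables it; the hunk header's 27 lines show that nothing was cut off. If the omission is deliberate (for example the launcher or its Java runtime fails under the default filter, which this page does not show), record that in the profile with a comment such as `# seccomp omitted: <reason>`. Otherwise add `seccomp` after the `protocol` line so the profile matches its siblings.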
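--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp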
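--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp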
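--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+
+include /etc/firejail/xonotic.profile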
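--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+
+include /etc/firejail/xonotic.profile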
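--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp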
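--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -223,3 +223,15 @@
 /etc/firejail/zathura.profile
 /etc/firejail/zoom.profile
 /etc/firejail/wget.profile
+/etc/firejail/bless.profile
+/etc/firejail/gnome-2048.profile
+/etc/firejail/gnome-calculator.profile
+/etc/firejail/gnome-contacts.profile
+/etc/firejail/jd-gui.profile
+/etc/firejail/lollypop.profile
+/etc/firejail/multimc5.profile
+/etc/firejail/pdfsam.profile
+/etc/firejail/pithos.profile
+/etc/firejail/xonotic-glx.profile
+/etc/firejail/xonotic-sdl.profile
+/etc/firejail/xonotic.profile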
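--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -43,6 +43,8 @@
 #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
 #define RUN_HOME_DIR "/run/firejail/mnt/home"
 #define RUN_ETC_DIR "/run/firejail/mnt/etc"
+#define RUN_OPT_DIR "/run/firejail/mnt/opt"
+#define RUN_SRV_DIR "/run/firejail/mnt/srv"
 #define RUN_BIN_DIR "/run/firejail/mnt/bin"
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
 
@@ -200,6 +202,8 @@ typedef struct config_t {
 char *home_private; // private home directory
 char *home_private_keep; // keep list for private home directory
 char *etc_private_keep; // keep list for private etc directory
+char *opt_private_keep; // keep list for private opt directory
+char *srv_private_keep; // keep list for private srv directory
 char *bin_private_keep; // keep list for private bin directory
 char *cwd; // current working directory
 char *overlay_dir;
@@ -315,6 +319,8 @@ extern int arg_doubledash; // double dash
 extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
 extern int arg_private_etc; // private etc directory
+extern int arg_private_opt; // private opt directory
+extern int arg_private_srv; // private srv directory
 extern int arg_private_bin; // private bin directory
 extern int arg_private_tmp; // private tmp directory
 extern int arg_scan; // arp-scan all interfaces
@@ -556,7 +562,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
-void fs_private_etc_list(void);
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 
 // no_sandbox.c
 int check_namespace_virt(void);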
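--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -47,7 +47,7 @@ errexit:
 exit(1);
 }
 
-static void duplicate(char *fname) {
+static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
 if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
 exit(1);
@@ -55,40 +55,44 @@ static void duplicate(char *fname) {
 invalid_filename(fname);
 
 char *src;
-if (asprintf(&src, "/etc/%s", fname) == -1)
+if (asprintf(&src, "%s/%s", private_dir, fname) == -1)
 errExit("asprintf");
 if (check_dir_or_file(src) == 0) {
 if (!arg_quiet)
-fprintf(stderr, "Warning: skipping %s for private bin\n", fname);
+fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir);
 free(src);
 return;
 }
 
+if (arg_debug)
+printf("copying %s to private %s\n", src, private_dir);
+
 struct stat s;
 if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
 // create the directory in RUN_ETC_DIR
 char *dirname;
-if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1)
+if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
 errExit("asprintf");
 create_empty_dir_as_root(dirname, s.st_mode);
 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
 free(dirname);
 }
 else
-sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR);
+sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
 
 fs_logger2("clone", src);
 free(src);
 }
 
 
-void fs_private_etc_list(void) {
-char *private_list = cfg.etc_private_keep;
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+assert(private_dir);
+assert(private_run_dir);
 assert(private_list);
 
 // create /run/firejail/mnt/etc directory
-mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
-fs_logger("tmpfs /etc");
+mkdir_attr(private_run_dir, 0755, 0, 0);
+fs_logger2("tmpfs", private_dir);
 
 fs_logger_print(); // save the current log
 
@@ -97,7 +101,7 @@ void fs_private_etc_list(void) {
 // using a new child process with root privileges
 if (*private_list != '\0') {
 if (arg_debug)
-printf("Copying files in the new etc directory:\n");
+printf("Copying files in the new %s directory:\n", private_dir);
 
 // copy the list of files in the new home directory
 char *dlist = strdup(private_list);
@@ -106,18 +110,18 @@ void fs_private_etc_list(void) {
 
 
 char *ptr = strtok(dlist, ",");
-duplicate(ptr);
+duplicate(ptr, private_dir, private_run_dir);
 
 while ((ptr = strtok(NULL, ",")) != NULL)
-duplicate(ptr);
+duplicate(ptr, private_dir, private_run_dir);
 free(dlist);
 fs_logger_print();
 }
 
 if (arg_debug)
-printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
-if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
-fs_logger("mount /etc");
+fs_logger2("mount", private_dir);
 }
 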
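Review bot: `duplicate()` now runs the root copy (`sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, ...)`) on sources under any `private_dir`, but its input checks were written for `/etc`: a leading `~` or `/`, a `..` substring and `invalid_filename()`, followed by a `stat()` that follows symlinks. Subtrees of `/opt` and `/srv` are commonly owned by unprivileged accounts, so the source may be user-controlled in a way `/etc` entries normally are not. Whether the fcopy helper is safe for such a source is not visible in this diff and should be confirmed, and the assumption recorded above the call, e.g. `// src is copied as root: entries under private_dir are assumed not to be writable by the sandbox user`. Separately, the context comments `// create the directory in RUN_ETC_DIR` and `// create /run/firejail/mnt/etc directory` are now stale and should name `private_run_dir`.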
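--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -285,12 +285,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 seccomp_load(RUN_SECCOMP_CFG);
 #endif
 
-// fix qt 4.8
-if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
-errExit("setenv");
-if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
-errExit("setenv");
-
 // mount user namespace or drop privileges
 if (arg_noroot) { // not available for uid 0
 if (arg_debug)
@@ -307,14 +301,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 drop_privs(arg_nogroups); // nogroups not available for uid 0
 
 
-// set prompt color to green
-char *prompt = getenv("FIREJAIL_PROMPT");
-if (prompt && strcmp(prompt, "yes") == 0) {
-//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
-if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
-errExit("setenv");
-}
-
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -326,24 +312,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 }
 }
 
-// run cmdline trough shell
+env_defaults();
 if (cfg.command_line == NULL) {
-// if the sandbox was started with --shell=none, it is possible we don't have a shell
-// inside the sandbox
-if (cfg.shell == NULL) {
-cfg.shell = guess_shell();
-if (!cfg.shell) {
-fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
-exit(1);
-}
-}
-
-struct stat s;
-if (stat(cfg.shell, &s) == -1) {
-fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell);
-exit(1);
-}
-
+assert(cfg.shell);
 cfg.command_line = cfg.shell;
 cfg.window_title = cfg.shell;
 }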
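Review bot: `assert(cfg.shell);` replaces both the removed `guess_shell()` fallback and the `stat(cfg.shell, &s)` check, so in a build with `NDEBUG` a NULL shell falls through unchecked to `cfg.command_line = cfg.shell;`, and a shell missing inside the joined sandbox is no longer reported at this point. If an earlier part of `join()` or its caller guarantees both conditions (not visible in these hunks), say so in a comment above the assert. Otherwise keep a runtime check, e.g. `if (!cfg.shell) { fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); exit(1); }`. `join()` starts and ends outside the hunks shown.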
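--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -88,6 +88,8 @@ int arg_doubledash = 0; // double dash
 int arg_shell_none = 0; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
 int arg_private_etc = 0; // private etc directory
+int arg_private_opt = 0; // private opt directory
+int arg_private_srv = 0; // private srv directory
 int arg_private_bin = 0; // private bin directory
 int arg_private_tmp = 0; // private tmp directory
 int arg_scan = 0; // arp-scan all interfaces
@@ -1624,6 +1626,24 @@ int main(int argc, char **argv) {
 }
 arg_private_etc = 1;
 }
+else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
+// extract private opt list
+cfg.opt_private_keep = argv[i] + 14;
+if (*cfg.opt_private_keep == '\0') {
+fprintf(stderr, "Error: invalid private-opt option\n");
+exit(1);
+}
+arg_private_opt = 1;
+}
+else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
+// extract private srv list
+cfg.srv_private_keep = argv[i] + 14;
+if (*cfg.srv_private_keep == '\0') {
+fprintf(stderr, "Error: invalid private-etc option\n");
+exit(1);
+}
+arg_private_srv = 1;
+}
 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
 // extract private bin list
 cfg.bin_private_keep = argv[i] + 14;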
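Review bot: The `--private-srv=` branch prints `Error: invalid private-etc option\n` when the list is empty, a copy-paste leftover that points the user at the wrong option. It should read `fprintf(stderr, "Error: invalid private-srv option\n");`, matching the `private-opt` branch directly above. `main()` starts and ends outside the hunk.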
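--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -739,6 +739,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+// private /opt list of files and directories
+if (strncmp(ptr, "private-opt ", 12) == 0) {
+cfg.opt_private_keep = ptr + 12;
+arg_private_opt = 1;
+
+return 0;
+}
+
+// private /srv list of files and directories
+if (strncmp(ptr, "private-srv ", 12) == 0) {
+cfg.srv_private_keep = ptr + 12;
+arg_private_srv = 1;
+
+return 0;
+}
+
 // private /bin list of files
 if (strncmp(ptr, "private-bin ", 12) == 0) {
 cfg.bin_private_keep = ptr + 12;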
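--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -671,13 +671,33 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay)
 fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n");
 else {
-fs_private_etc_list();
+fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
 // create /etc/ld.so.preload file again
 if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
 fs_trace_preload();
 }
 }
 
+if (arg_private_opt) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n");
+else {
+fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep);
+}
+}
+
+if (arg_private_srv) {
+if (cfg.chrootdir)
+fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n");
+else if (arg_overlay)
+fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n");
+else {
+fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep);
+}
+}
+
 if (arg_private_bin) {
 if (cfg.chrootdir)
 fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n");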
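Review bot: The keep lists handed to `fs_private_dir_list()` for /opt and /srv come verbatim from argv or a profile line, and no hunk in this commit restricts entries that contain `/` or `..`. Any such filtering therefore has to live inside the helper, whose body is not shown here; please confirm it does, and record the contract above the calls with `// list entries are user-controlled; fs_private_dir_list() must reject '/' and ".." in names`. The private-etc, private-opt and private-srv blocks also differ only in the directory name and warning text, so a small static helper would keep the chroot/overlay checks from drifting apart. sandbox() starts and ends outside the hunk.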
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d6113218c..007374c75 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -181,7 +181,7 @@ closed. | |||
181 | \fBprivate directory | 181 | \fBprivate directory |
182 | Use directory as user home. | 182 | Use directory as user home. |
183 | .TP | 183 | .TP |
184 | \f\private-home file,directory | 184 | \fBprivate-home file,directory |
185 | Build a new user home in a temporary | 185 | Build a new user home in a temporary |
186 | filesystem, and copy the files and directories in the list in the | 186 | filesystem, and copy the files and directories in the list in the |
187 | new home. All modifications are discarded when the sandbox is | 187 | new home. All modifications are discarded when the sandbox is |
@@ -199,6 +199,16 @@ Build a new /etc in a temporary | |||
199 | filesystem, and copy the files and directories in the list. | 199 | filesystem, and copy the files and directories in the list. |
200 | All modifications are discarded when the sandbox is closed. | 200 | All modifications are discarded when the sandbox is closed. |
201 | .TP | 201 | .TP |
202 | \fBprivate-opt file,directory | ||
203 | Build a new /optin a temporary | ||
204 | filesystem, and copy the files and directories in the list. | ||
205 | All modifications are discarded when the sandbox is closed. | ||
206 | .TP | ||
207 | \fBprivate-srv file,directory | ||
208 | Build a new /srv in a temporary | ||
209 | filesystem, and copy the files and directories in the list. | ||
210 | All modifications are discarded when the sandbox is closed. | ||
211 | .TP | ||
202 | \fBprivate-tmp | 212 | \fBprivate-tmp |
203 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. | 213 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
204 | .TP | 214 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8441f25d5..450f30c68 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1179,6 +1179,32 @@ $ firejail --private-etc=group,hostname,localtime, \\ | |||
1179 | nsswitch.conf,passwd,resolv.conf | 1179 | nsswitch.conf,passwd,resolv.conf |
1180 | 1180 | ||
1181 | .TP | 1181 | .TP |
1182 | \fB\-\-private-opt=file,directory | ||
1183 | Build a new /opt in a temporary | ||
1184 | filesystem, and copy the files and directories in the list. | ||
1185 | If no listed file is found, /opt directory will be empty. | ||
1186 | All modifications are discarded when the sandbox is closed. | ||
1187 | .br | ||
1188 | |||
1189 | .br | ||
1190 | Example: | ||
1191 | .br | ||
1192 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
1193 | |||
1194 | .TP | ||
1195 | \fB\-\-private-srv=file,directory | ||
1196 | Build a new /srv in a temporary | ||
1197 | filesystem, and copy the files and directories in the list. | ||
1198 | If no listed file is found, /srv directory will be empty. | ||
1199 | All modifications are discarded when the sandbox is closed. | ||
1200 | .br | ||
1201 | |||
1202 | .br | ||
1203 | Example: | ||
1204 | .br | ||
1205 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
1206 | |||
1207 | .TP | ||
1182 | \fB\-\-private-tmp | 1208 | \fB\-\-private-tmp |
1183 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. | 1209 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
1184 | .br | 1210 | .br |
diff --git a/test/environment/dns.exp b/test/environment/dns.exp index d00e9fb94..3e2a0ffd4 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp | |||
@@ -55,10 +55,6 @@ sleep 1 | |||
55 | 55 | ||
56 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | 56 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" |
57 | expect { | 57 | expect { |
58 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
59 | "Child process initialized" | ||
60 | } | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 1.2\n";exit} | 58 | timeout {puts "TESTING ERROR 1.2\n";exit} |
63 | "connect" | 59 | "connect" |
64 | } | 60 | } |
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index 89dedcb24..04091047b 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp | |||
@@ -123,6 +123,18 @@ expect { | |||
123 | } | 123 | } |
124 | sleep 1 | 124 | sleep 1 |
125 | send -- "exit\r" | 125 | send -- "exit\r" |
126 | sleep 1 | ||
127 | |||
128 | send -- "firejail --net=eth0 --ip=10.10.20.1\r" | ||
129 | expect { | ||
130 | timeout {puts "TESTING ERROR 27\n";exit} | ||
131 | "the IP address is not in the interface range" | ||
132 | } | ||
133 | |||
134 | |||
135 | |||
136 | |||
137 | |||
126 | 138 | ||
127 | after 100 | 139 | after 100 |
128 | 140 | ||
diff --git a/test/root/private.exp b/test/root/private.exp index 4040081ee..9ce9716f9 100755 --- a/test/root/private.exp +++ b/test/root/private.exp | |||
@@ -29,5 +29,62 @@ expect { | |||
29 | after 100 | 29 | after 100 |
30 | 30 | ||
31 | send -- "exit\r" | 31 | send -- "exit\r" |
32 | sleep 1 | ||
33 | |||
34 | |||
35 | |||
36 | send -- "touch /opt/firejail-test-file\r" | ||
37 | after 100 | ||
38 | send -- "mkdir /opt/firejail-test-dir\r" | ||
39 | after 100 | ||
40 | send -- "touch /opt/firejail-test-dir/firejail-test-file\r" | ||
41 | after 100 | ||
42 | send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 3\n";exit} | ||
45 | "Child process initialized" | ||
46 | } | ||
47 | sleep 1 | ||
48 | |||
49 | send -- "find /opt | wc -l\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 4\n";exit} | ||
52 | "4" | ||
53 | } | ||
54 | after 100 | ||
55 | send -- "exit\r" | ||
56 | sleep 1 | ||
57 | |||
58 | |||
59 | send -- "touch /srv/firejail-test-file\r" | ||
60 | after 100 | ||
61 | send -- "mkdir /srv/firejail-test-dir\r" | ||
62 | after 100 | ||
63 | send -- "touch /srv/firejail-test-dir/firejail-test-file\r" | ||
32 | after 100 | 64 | after 100 |
65 | send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r" | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 5\n";exit} | ||
68 | "Child process initialized" | ||
69 | } | ||
70 | sleep 1 | ||
71 | |||
72 | send -- "find /srv | wc -l\r" | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6\n";exit} | ||
75 | "4" | ||
76 | } | ||
77 | after 100 | ||
78 | send -- "exit\r" | ||
79 | sleep 1 | ||
80 | |||
81 | |||
82 | |||
83 | |||
84 | |||
85 | |||
86 | |||
87 | |||
88 | |||
89 | |||
33 | puts "\nall done\n" | 90 | puts "\nall done\n" |
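Review bot: The count checks `"4"` after `find /opt | wc -l` and `find /srv | wc -l` are unanchored, so any 4 in the pending output (part of a prompt, or a count of 14 or 40) satisfies them and the test can pass while unlisted host entries are still visible in the private directory. Anchoring the pattern, for example `-re {[\r\n]4[\r\n]}`, makes the test prove that only the two listed entries were copied. The files and directories created under /opt and /srv are never removed, so the run leaves artifacts on the host; a closing `send -- "rm -fr /opt/firejail-test-file /opt/firejail-test-dir\r"` and the /srv equivalent would clean up. The same loose patterns appear in the new test/root/whitelist.exp, including `""` for the /var check, which appears to match any output.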
diff --git a/test/root/root.sh b/test/root/root.sh index 01c372f68..371bccdff 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -53,8 +53,8 @@ fi | |||
53 | echo "TESTING: fs private (test/root/private.exp)" | 53 | echo "TESTING: fs private (test/root/private.exp)" |
54 | ./private.exp | 54 | ./private.exp |
55 | 55 | ||
56 | echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" | 56 | echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)" |
57 | ./whitelist-mnt.exp | 57 | ./whitelist.exp |
58 | 58 | ||
59 | #******************************** | 59 | #******************************** |
60 | # seccomp | 60 | # seccomp |
diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp deleted file mode 100755 index 58ae4fffc..000000000 --- a/test/root/whitelist-mnt.exp +++ /dev/null | |||
@@ -1,86 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "touch /mnt/firejail-test-file\r" | ||
11 | after 100 | ||
12 | send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 0\n";exit} | ||
15 | "Child process initialized" | ||
16 | } | ||
17 | sleep 1 | ||
18 | |||
19 | send -- "find /mnt | wc -l\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "2" | ||
23 | } | ||
24 | after 100 | ||
25 | send -- "exit\r" | ||
26 | sleep 1 | ||
27 | |||
28 | |||
29 | send -- "touch /opt/firejail-test-file\r" | ||
30 | after 100 | ||
31 | send -- "firejail --whitelist=/opt/firejail-test-file --debug\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 0\n";exit} | ||
34 | "Child process initialized" | ||
35 | } | ||
36 | sleep 1 | ||
37 | |||
38 | send -- "find /opt | wc -l\r" | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 1\n";exit} | ||
41 | "2" | ||
42 | } | ||
43 | after 100 | ||
44 | send -- "exit\r" | ||
45 | sleep 1 | ||
46 | |||
47 | send -- "touch /media/firejail-test-file\r" | ||
48 | after 100 | ||
49 | send -- "firejail --whitelist=/media/firejail-test-file --debug\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 0\n";exit} | ||
52 | "Child process initialized" | ||
53 | } | ||
54 | sleep 1 | ||
55 | |||
56 | send -- "find /media | wc -l\r" | ||
57 | expect { | ||
58 | timeout {puts "TESTING ERROR 1\n";exit} | ||
59 | "2" | ||
60 | } | ||
61 | after 100 | ||
62 | send -- "exit\r" | ||
63 | sleep 1 | ||
64 | |||
65 | |||
66 | send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" | ||
67 | expect { | ||
68 | timeout {puts "TESTING ERROR 0\n";exit} | ||
69 | "Child process initialized" | ||
70 | } | ||
71 | sleep 1 | ||
72 | |||
73 | send -- "find /var | wc -l\r" | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 1\n";exit} | ||
76 | "" | ||
77 | } | ||
78 | after 100 | ||
79 | send -- "exit\r" | ||
80 | sleep 1 | ||
81 | |||
82 | |||
83 | |||
84 | after 100 | ||
85 | puts "\nall done\n" | ||
86 | |||
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp new file mode 100755 index 000000000..f6936c048 --- /dev/null +++ b/test/root/whitelist.exp | |||
@@ -0,0 +1,118 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "touch /mnt/firejail-test-file\r" | ||
11 | after 100 | ||
12 | send -- "mkdir /mnt/firejail-test-dir\r" | ||
13 | after 100 | ||
14 | send -- "touch /mnt/firejail-test-dir/firejail-test-file\r" | ||
15 | after 100 | ||
16 | send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r" | ||
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 0\n";exit} | ||
19 | "Child process initialized" | ||
20 | } | ||
21 | sleep 1 | ||
22 | |||
23 | send -- "find /mnt | wc -l\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 1\n";exit} | ||
26 | "4" | ||
27 | } | ||
28 | after 100 | ||
29 | send -- "exit\r" | ||
30 | sleep 1 | ||
31 | |||
32 | |||
33 | send -- "touch /opt/firejail-test-file\r" | ||
34 | after 100 | ||
35 | send -- "mkdir /opt/firejail-test-dir\r" | ||
36 | after 100 | ||
37 | send -- "touch /opt/firejail-test-dir/firejail-test-file\r" | ||
38 | after 100 | ||
39 | send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 2\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | sleep 1 | ||
45 | |||
46 | send -- "find /opt | wc -l\r" | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 3\n";exit} | ||
49 | "4" | ||
50 | } | ||
51 | after 100 | ||
52 | send -- "exit\r" | ||
53 | sleep 1 | ||
54 | |||
55 | send -- "touch /media/firejail-test-file\r" | ||
56 | after 100 | ||
57 | send -- "mkdir /media/firejail-test-dir\r" | ||
58 | after 100 | ||
59 | send -- "touch /media/firejail-test-dir/firejail-test-file\r" | ||
60 | after 100 | ||
61 | send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r" | ||
62 | expect { | ||
63 | timeout {puts "TESTING ERROR 4\n";exit} | ||
64 | "Child process initialized" | ||
65 | } | ||
66 | sleep 1 | ||
67 | |||
68 | send -- "find /media | wc -l\r" | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 5\n";exit} | ||
71 | "4" | ||
72 | } | ||
73 | after 100 | ||
74 | send -- "exit\r" | ||
75 | sleep 1 | ||
76 | |||
77 | |||
78 | send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR 6\n";exit} | ||
81 | "Child process initialized" | ||
82 | } | ||
83 | sleep 1 | ||
84 | |||
85 | send -- "find /var | wc -l\r" | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 7\n";exit} | ||
88 | "" | ||
89 | } | ||
90 | after 100 | ||
91 | send -- "exit\r" | ||
92 | sleep 1 | ||
93 | |||
94 | send -- "touch /srv/firejail-test-file\r" | ||
95 | after 100 | ||
96 | send -- "mkdir /srv/firejail-test-dir\r" | ||
97 | after 100 | ||
98 | send -- "touch /srv/firejail-test-dir/firejail-test-file\r" | ||
99 | after 100 | ||
100 | send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" | ||
101 | expect { | ||
102 | timeout {puts "TESTING ERROR 8\n";exit} | ||
103 | "Child process initialized" | ||
104 | } | ||
105 | sleep 1 | ||
106 | |||
107 | send -- "find /srv | wc -l\r" | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 9\n";exit} | ||
110 | "4" | ||
111 | } | ||
112 | after 100 | ||
113 | send -- "exit\r" | ||
114 | |||
115 | |||
116 | after 100 | ||
117 | puts "\nall done\n" | ||
118 | |||
@@ -286,4 +286,14 @@ removable media, partitions, software RAID volumes, logical volumes, and files. | |||
286 | 286 | ||
287 | 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* | 287 | 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* |
288 | 288 | ||
289 | 289 | 30. | |
290 | $ sudo firejail --fs.print=test | ||
291 | [sudo] password for netblue: | ||
292 | tmpfs /run/firejail/mnt << ???????????????? | ||
293 | sandbox name: test | ||
294 | sandbox pid: 5790 | ||
295 | sandbox filesystem: local | ||
296 | install mount namespace | ||
297 | read-only /etc | ||
298 | read-only /var | ||
299 | read-only /bin | ||