author | glitsj16 <glitsj16@users.noreply.github.com> | 2023-01-31 02:25:56 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-31 02:25:56 +0000 |
commit | ad9cf975ae14e5de0c2b1d42beea6487696c1256 (patch) | |
tree | 65aa0ff826319129b72c786569316707cfaf1559 | |
parent | inkscape: additional hardening and settings saving functionality via D-Bus (diff) | |
parent | merges (diff) | |
Merge branch 'netblue30:master' into inkscape
32 files changed, 1072 insertions, 187 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index c1c240922..a7b7c8a3e 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -5,9 +5,9 @@ on: | |||
5 | branches: [ master ] | 5 | branches: [ master ] |
6 | paths-ignore: | 6 | paths-ignore: |
7 | - '.github/ISSUE_TEMPLATE/*' | 7 | - '.github/ISSUE_TEMPLATE/*' |
8 | - 'etc/**' | 8 | - 'contrib/syntax/**' |
9 | - 'contrib/gtksourceview-5/**' | ||
10 | - 'contrib/vim/**' | 9 | - 'contrib/vim/**' |
10 | - 'etc/**' | ||
11 | - 'src/man/*.txt' | 11 | - 'src/man/*.txt' |
12 | - .git-blame-ignore-revs | 12 | - .git-blame-ignore-revs |
13 | - .github/dependabot.yml | 13 | - .github/dependabot.yml |
@@ -27,9 +27,9 @@ on: | |||
27 | branches: [ master ] | 27 | branches: [ master ] |
28 | paths-ignore: | 28 | paths-ignore: |
29 | - '.github/ISSUE_TEMPLATE/*' | 29 | - '.github/ISSUE_TEMPLATE/*' |
30 | - 'etc/**' | 30 | - 'contrib/syntax/**' |
31 | - 'contrib/gtksourceview-5/**' | ||
32 | - 'contrib/vim/**' | 31 | - 'contrib/vim/**' |
32 | - 'etc/**' | ||
33 | - 'src/man/*.txt' | 33 | - 'src/man/*.txt' |
34 | - .git-blame-ignore-revs | 34 | - .git-blame-ignore-revs |
35 | - .github/dependabot.yml | 35 | - .github/dependabot.yml |
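Review bot: Adding `contrib/syntax/**` to paths-ignore in both hunks here (and in the two matching hunks of codeql-analysis.yml) means a change to the `*.in` templates or `lists/*.list` inputs no longer triggers the workflow, yet this same commit makes those files inputs of the default `make` target through CONTRIB_TARGET, so a broken template would first surface in a later, unrelated run. I cannot see what build-extra.yml executes, so if it never invokes the top-level `make` this is moot; if it does, keep `contrib/syntax/**` out of the ignore list, or ignore only the generated outputs, so that a template edit still exercises the `syntax` target.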
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b86d432f9..9cf216492 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -10,9 +10,9 @@ on: | |||
10 | branches: [ master ] | 10 | branches: [ master ] |
11 | paths-ignore: | 11 | paths-ignore: |
12 | - '.github/ISSUE_TEMPLATE/*' | 12 | - '.github/ISSUE_TEMPLATE/*' |
13 | - 'etc/**' | 13 | - 'contrib/syntax/**' |
14 | - 'contrib/gtksourceview-5/**' | ||
15 | - 'contrib/vim/**' | 14 | - 'contrib/vim/**' |
15 | - 'etc/**' | ||
16 | - 'src/man/*.txt' | 16 | - 'src/man/*.txt' |
17 | - .git-blame-ignore-revs | 17 | - .git-blame-ignore-revs |
18 | - .github/dependabot.yml | 18 | - .github/dependabot.yml |
@@ -32,9 +32,9 @@ on: | |||
32 | branches: [ master ] | 32 | branches: [ master ] |
33 | paths-ignore: | 33 | paths-ignore: |
34 | - '.github/ISSUE_TEMPLATE/*' | 34 | - '.github/ISSUE_TEMPLATE/*' |
35 | - 'etc/**' | 35 | - 'contrib/syntax/**' |
36 | - 'contrib/gtksourceview-5/**' | ||
37 | - 'contrib/vim/**' | 36 | - 'contrib/vim/**' |
37 | - 'etc/**' | ||
38 | - 'src/man/*.txt' | 38 | - 'src/man/*.txt' |
39 | - .git-blame-ignore-revs | 39 | - .git-blame-ignore-revs |
40 | - .github/dependabot.yml | 40 | - .github/dependabot.yml |
@@ -88,7 +88,7 @@ jobs: | |||
88 | 88 | ||
89 | # Initializes the CodeQL tools for scanning. | 89 | # Initializes the CodeQL tools for scanning. |
90 | - name: Initialize CodeQL | 90 | - name: Initialize CodeQL |
91 | uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02 | 91 | uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe |
92 | with: | 92 | with: |
93 | languages: ${{ matrix.language }} | 93 | languages: ${{ matrix.language }} |
94 | # If you wish to specify custom queries, you can do so here or in a config file. | 94 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -99,7 +99,7 @@ jobs: | |||
99 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 99 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
100 | # If this step fails, then you should remove it and run the build manually (see below) | 100 | # If this step fails, then you should remove it and run the build manually (see below) |
101 | - name: Autobuild | 101 | - name: Autobuild |
102 | uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02 | 102 | uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe |
103 | 103 | ||
104 | # âšī¸ Command-line programs to run using the OS shell. | 104 | # âšī¸ Command-line programs to run using the OS shell. |
105 | # đ https://git.io/JvXDl | 105 | # đ https://git.io/JvXDl |
@@ -113,4 +113,4 @@ jobs: | |||
113 | # make release | 113 | # make release |
114 | 114 | ||
115 | - name: Perform CodeQL Analysis | 115 | - name: Perform CodeQL Analysis |
116 | uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02 | 116 | uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe |
diff --git a/.gitignore b/.gitignore index 7333b1c8d..db3b16893 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -16,6 +16,9 @@ config.log | |||
16 | config.mk | 16 | config.mk |
17 | config.sh | 17 | config.sh |
18 | config.status | 18 | config.status |
19 | contrib/syntax/files/example | ||
20 | contrib/syntax/files/firejail-profile.lang | ||
21 | contrib/syntax/files/firejail.vim | ||
19 | firejail-*.tar.xz | 22 | firejail-*.tar.xz |
20 | firejail-login.5 | 23 | firejail-login.5 |
21 | firejail-profile.5 | 24 | firejail-profile.5 |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a5f19b54..97730e533 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -38,8 +38,7 @@ If you add a new command, here's the checklist: | |||
38 | 38 | ||
39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) | 39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) |
40 | - [ ] Update shell completions | 40 | - [ ] Update shell completions |
41 | - [ ] Update vim syntax files | 41 | - [ ] Update syntax files (run `make syntax` or just `make`) |
42 | - [ ] Update gtksourceview language specs | ||
43 | - [ ] Update --help | 42 | - [ ] Update --help |
44 | 43 | ||
45 | # Editing the wiki | 44 | # Editing the wiki |
@@ -6,6 +6,10 @@ MAN_TARGET = man | |||
6 | MAN_SRC = src/man | 6 | MAN_SRC = src/man |
7 | endif | 7 | endif |
8 | 8 | ||
9 | ifneq ($(HAVE_CONTRIB_INSTALL),no) | ||
10 | CONTRIB_TARGET = contrib | ||
11 | endif | ||
12 | |||
9 | COMPLETIONDIRS = src/zsh_completion src/bash_completion | 13 | COMPLETIONDIRS = src/zsh_completion src/bash_completion |
10 | 14 | ||
11 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck | 15 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck |
@@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp | |||
17 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) | 21 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
18 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 22 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
19 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 23 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
20 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 | ||
21 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 24 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
25 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 | ||
26 | |||
27 | SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h)) | ||
28 | |||
29 | # Lists of keywords used in profiles; used for generating syntax files. | ||
30 | SYNTAX_LISTS = \ | ||
31 | contrib/syntax/lists/profile_commands_arg0.list \ | ||
32 | contrib/syntax/lists/profile_commands_arg1.list \ | ||
33 | contrib/syntax/lists/profile_conditionals.list \ | ||
34 | contrib/syntax/lists/profile_macros.list \ | ||
35 | contrib/syntax/lists/syscall_groups.list \ | ||
36 | contrib/syntax/lists/syscalls.list \ | ||
37 | contrib/syntax/lists/system_errnos.list | ||
38 | |||
39 | SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in)) | ||
40 | SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=) | ||
41 | |||
22 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 42 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
23 | 43 | ||
24 | .PHONY: all | 44 | .PHONY: all |
25 | all: all_items mydirs $(MAN_TARGET) filters | 45 | all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET) |
26 | 46 | ||
27 | config.mk config.sh: | 47 | config.mk config.sh: |
28 | printf 'run ./configure to generate %s\n' "$@" >&2 | 48 | @printf 'error: run ./configure to generate %s\n' "$@" >&2 |
29 | false | 49 | @false |
30 | 50 | ||
31 | .PHONY: all_items $(ALL_ITEMS) | 51 | .PHONY: all_items $(ALL_ITEMS) |
32 | all_items: $(ALL_ITEMS) | 52 | all_items: $(ALL_ITEMS) |
@@ -38,11 +58,6 @@ mydirs: $(MYDIRS) | |||
38 | $(MYDIRS): | 58 | $(MYDIRS): |
39 | $(MAKE) -C $@ | 59 | $(MAKE) -C $@ |
40 | 60 | ||
41 | $(MANPAGES): src/man config.mk | ||
42 | ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ | ||
43 | |||
44 | man: $(MANPAGES) | ||
45 | |||
46 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) | 61 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) |
47 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | 62 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize |
48 | src/fseccomp/fseccomp default seccomp | 63 | src/fseccomp/fseccomp default seccomp |
@@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp | |||
65 | seccomp.mdwx.32: src/fseccomp/fseccomp | 80 | seccomp.mdwx.32: src/fseccomp/fseccomp |
66 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 | 81 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 |
67 | 82 | ||
83 | $(MANPAGES): src/man config.mk | ||
84 | ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ | ||
85 | |||
86 | man: $(MANPAGES) | ||
87 | |||
88 | # Makes all targets in contrib/ | ||
89 | .PHONY: contrib | ||
90 | contrib: syntax | ||
91 | |||
92 | .PHONY: syntax | ||
93 | syntax: $(SYNTAX_FILES) | ||
94 | |||
95 | # TODO: include/rlimit are false positives | ||
96 | contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c | ||
97 | @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \ | ||
98 | grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@ | ||
99 | |||
100 | # TODO: private-lib is special-cased in the code and doesn't match the regex | ||
101 | contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c | ||
102 | @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \ | ||
103 | LC_ALL=C sort -u >$@ | ||
104 | |||
105 | contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c | ||
106 | @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \ | ||
107 | /\t*\{"[^"]+".*/ \ | ||
108 | { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \ | ||
109 | /^\t\{ NULL, NULL \}$$/ {process=0;}' \ | ||
110 | $< | LC_ALL=C sort -u >$@ | ||
111 | |||
112 | contrib/syntax/lists/profile_macros.list: src/firejail/macros.c | ||
113 | @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@ | ||
114 | |||
115 | contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c | ||
116 | @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@ | ||
117 | |||
118 | contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) | ||
119 | @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \ | ||
120 | LC_ALL=C sort -u >$@ | ||
121 | |||
122 | contrib/syntax/lists/system_errnos.list: src/lib/errno.c | ||
123 | @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@ | ||
124 | |||
125 | pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; } | ||
126 | space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; } | ||
127 | edit_syntax_file = sed \ | ||
128 | -e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \ | ||
129 | -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \ | ||
130 | -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \ | ||
131 | -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \ | ||
132 | -e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \ | ||
133 | -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \ | ||
134 | -e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \ | ||
135 | -e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/" | ||
136 | |||
137 | contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) | ||
138 | @printf 'Generating %s from %s\n' $@ $< | ||
139 | @$(edit_syntax_file) $< >$@ | ||
140 | |||
141 | # gtksourceview language-specs | ||
142 | contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) | ||
143 | @printf 'Generating %s from %s\n' $@ $< | ||
144 | @$(edit_syntax_file) $< >$@ | ||
145 | |||
146 | # vim syntax files | ||
147 | contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) | ||
148 | @printf 'Generating %s from %s\n' $@ $< | ||
149 | @$(edit_syntax_file) $< >$@ | ||
150 | |||
68 | .PHONY: clean | 151 | .PHONY: clean |
69 | clean: | 152 | clean: |
70 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 153 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
71 | $(MAKE) -C $$dir clean; \ | 154 | $(MAKE) -C $$dir clean; \ |
72 | done | 155 | done |
73 | $(MAKE) -C test clean | 156 | $(MAKE) -C test clean |
74 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm | ||
75 | rm -f $(SECCOMP_FILTERS) | 157 | rm -f $(SECCOMP_FILTERS) |
158 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm | ||
159 | rm -f $(SYNTAX_FILES) | ||
76 | rm -f test/utils/index.html* | 160 | rm -f test/utils/index.html* |
77 | rm -f test/utils/wget-log | 161 | rm -f test/utils/wget-log |
78 | rm -f test/utils/firejail-test-file* | 162 | rm -f test/utils/firejail-test-file* |
@@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes) | |||
124 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 208 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |
125 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 209 | install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
126 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect | 210 | install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect |
127 | install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 211 | install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
128 | # gtksourceview-5 language-specs | 212 | # gtksourceview language-specs |
129 | install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 213 | install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs |
130 | install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs | 214 | install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs |
131 | endif | 215 | endif |
132 | # documents | 216 | # documents |
133 | install -m 0755 -d $(DESTDIR)$(docdir) | 217 | install -m 0755 -d $(DESTDIR)$(docdir) |
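Review bot: The new `contrib/syntax/lists/*.list` and `contrib/syntax/files/*` recipes end a pipeline with `>$@`, so a failing `sed`/`awk` stage is hidden behind `sort -u`'s exit status, and when a recipe does fail the truncated `$@` remains and counts as up to date on the next run; `.DELETE_ON_ERROR:` near the top of the Makefile fixes the second problem, and the first needs per-stage checks or `SHELL := /bin/bash` with `.SHELLFLAGS := -o pipefail -c` if bash is an acceptable requirement. The arg0 rule escapes dots with `sed 's/\./\\./'` without the `g` flag, so only the first dot of an entry is escaped, while the arg1 rule does not escape at all, so `caps.drop` and `dbus-user.own` reach the `\v` vim patterns with a wildcard `.`; `sed 's/\./\\./g'` in both rules would make the two lists consistent. The list contents are also spliced into the double-quoted sed replacement of `edit_syntax_file`, where `/`, `&` and `\` are interpreted by sed rather than copied literally — harmless for today's identifiers, but worth a comment on that variable. Finally, the `.list` files are committed in this commit and also regenerated from `src/firejail/profile.c` and friends, so a checkout whose source timestamps are newer than the lists will rewrite them on `make` and leave a dirty tree; either treat the lists as build outputs (gitignore them like the `.vim`/`.lang` files) or say in a comment that they are checked in deliberately.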
@@ -125,6 +125,8 @@ Alexander Stein (https://github.com/ajstein) | |||
125 | alkim0 (https://github.com/alkim0) | 125 | alkim0 (https://github.com/alkim0) |
126 | - warn when encountering EIO during remount | 126 | - warn when encountering EIO during remount |
127 | - Add profile for chafa | 127 | - Add profile for chafa |
128 | amano-kenji (https://github.com/amano-kenji) | ||
129 | - fix private-etc in qutebrowser profile | ||
128 | Amin Vakil (https://github.com/aminvakil) | 130 | Amin Vakil (https://github.com/aminvakil) |
129 | - whois profile fix | 131 | - whois profile fix |
130 | - added profile for strawberry | 132 | - added profile for strawberry |
@@ -679,6 +681,8 @@ Laurent Declercq (https://github.com/nuxwin) | |||
679 | - fixed test for shell interpreter in chroots | 681 | - fixed test for shell interpreter in chroots |
680 | LaurentGH (https://github.com/LaurentGH) | 682 | LaurentGH (https://github.com/LaurentGH) |
681 | - allow private-bin parameters to be absolute paths | 683 | - allow private-bin parameters to be absolute paths |
684 | layderv (https://github.com/layderv) | ||
685 | - prevent sandbox name from containing only digits | ||
682 | lecso7 (https://github.com/lecso7) | 686 | lecso7 (https://github.com/lecso7) |
683 | - added goldendict profile | 687 | - added goldendict profile |
684 | - allow evince to read .cbz file format | 688 | - allow evince to read .cbz file format |
@@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
184 | 184 | ||
185 | ### private-etc rework | 185 | ### private-etc rework |
186 | ````` | 186 | ````` |
187 | --private-etc, --private-etc=file,directory | 187 | --private-etc, --private-etc=file,directory,@group |
188 | The files installed by --private-etc are copies of the original | 188 | The files installed by --private-etc are copies of the original |
189 | system files from /etc directory. By default, the command | 189 | system files from /etc directory. By default, the command |
190 | brings in a skeleton of files and directories used by most conâ | 190 | brings in a skeleton of files and directories used by most conâ |
@@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
192 | 192 | ||
193 | $ firejail --private-etc dig debian.org | 193 | $ firejail --private-etc dig debian.org |
194 | 194 | ||
195 | For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. | 195 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameâ |
196 | Example: | 196 | ter. Example: |
197 | 197 | ||
198 | $ firejail --private-etc=GUI,python* gimp | 198 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
199 | 199 | ||
200 | /etc/python* directories are not part of the generic GUI group. | 200 | gcrypt and /etc/python* directories are not part of the generic |
201 | These directories are reuqired by Gimp plugin system. File globâ | 201 | @x11 group. File globbing is supported. |
202 | bing is supported. | ||
203 | 202 | ||
204 | For games, add GAMES group: | 203 | For games, add @games group: |
205 | 204 | ||
206 | $ firejail --private-etc=GUI,GAMES warzone2100 | 205 | $ firejail --private-etc=@games,@x11 warzone2100 |
207 | 206 | ||
208 | Sound and networking files are included automatically, unless | 207 | Sound and networking files are included automatically, unless |
209 | --nosound or --net=none are specified. Files for encrypted | 208 | --nosound or --net=none are specified. Files for encrypted |
210 | TLS/SSL protocol are in TLS-CA group. | 209 | TLS/SSL protocol are in @tls-ca group. |
211 | 210 | ||
212 | $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org | 211 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org |
213 | 212 | ||
214 | Note: The easiest way to extract the list of /etc files accessed | 213 | Note: The easiest way to extract the list of /etc files accessed |
215 | by your program is using strace utility: | 214 | by your program is using strace utility: |
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.73) baseline; urgency=low | 1 | firejail (0.9.73) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 3 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
4 | * modif: prevent sandbox name from containing only digits (#5578) | ||
4 | * docs: remove apparmor options in --help when building without apparmor | 5 | * docs: remove apparmor options in --help when building without apparmor |
5 | support (#5589) | 6 | support (#5589) |
6 | * fix: qutebrowser not opening tabs (#5601) | 7 | * fix: qutebrowser not opening tabs (#5601) |
diff --git a/contrib/syntax/files/example.in b/contrib/syntax/files/example.in new file mode 100644 index 000000000..74bcdc079 --- /dev/null +++ b/contrib/syntax/files/example.in | |||
@@ -0,0 +1,16 @@ | |||
1 | # @make_input@ | ||
2 | # Example file to check the values of input variables. | ||
3 | |||
4 | FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@ | ||
5 | |||
6 | FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@ | ||
7 | |||
8 | FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@ | ||
9 | |||
10 | FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@ | ||
11 | |||
12 | FJ_SYSCALLS = @FJ_SYSCALLS@ | ||
13 | |||
14 | FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@ | ||
15 | |||
16 | FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@ | ||
diff --git a/contrib/gtksourceview-5/language-specs/firejail-profile.lang b/contrib/syntax/files/firejail-profile.lang.in index 61c37f98f..acd5c86ce 100644 --- a/contrib/gtksourceview-5/language-specs/firejail-profile.lang +++ b/contrib/syntax/files/firejail-profile.lang.in | |||
@@ -1,4 +1,5 @@ | |||
1 | <?xml version="1.0" encoding="UTF-8"?> | 1 | <?xml version="1.0" encoding="UTF-8"?> |
2 | <!-- @make_input@ --> | ||
2 | <!-- vim: set ts=2 sts=2 sw=2 et: --> | 3 | <!-- vim: set ts=2 sts=2 sw=2 et: --> |
3 | <!-- | 4 | <!-- |
4 | https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md | 5 | https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md |
@@ -20,15 +21,15 @@ | |||
20 | 21 | ||
21 | <definitions> | 22 | <definitions> |
22 | <define-regex id="commands-with-arguments" extended="true"> | 23 | <define-regex id="commands-with-arguments" extended="true"> |
23 | (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen) | 24 | (@FJ_PROFILE_COMMANDS_ARG1@) |
24 | </define-regex> | 25 | </define-regex> |
25 | 26 | ||
26 | <define-regex id="commands-without-arguments" extended="true"> | 27 | <define-regex id="commands-without-arguments" extended="true"> |
27 | (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11) | 28 | (@FJ_PROFILE_COMMANDS_ARG0@) |
28 | </define-regex> | 29 | </define-regex> |
29 | 30 | ||
30 | <define-regex id="conditions" extended="true"> | 31 | <define-regex id="conditions" extended="true"> |
31 | (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) | 32 | (@FJ_PROFILE_CONDITIONALS@) |
32 | </define-regex> | 33 | </define-regex> |
33 | 34 | ||
34 | <context id="conditional-line"> | 35 | <context id="conditional-line"> |
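Review bot: The hand-written alternations replaced in this hunk were ordered longest-prefix-first (`blacklist-nolog|blacklist`, `ip6|ip`, `dbus-system.talk|dbus-system`), whereas the generated lists come out of `LC_ALL=C sort -u`, which puts `blacklist` before `blacklist-nolog` and `ip` before `ip6`. Whether that changes highlighting depends on how `commands-with-arguments` and the other define-regex ids are anchored in the contexts below, which are outside this hunk: if a use can end right after the group, the shorter prefix wins and the longer command is only partly highlighted. Either verify each use carries a trailing `\s`/`$` anchor or sort the lists by descending length in the recipe, and add a comment on the define-regex such as `<!-- order of alternatives is not significant; every use is anchored -->` once that is confirmed.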
diff --git a/contrib/syntax/files/firejail.vim.in b/contrib/syntax/files/firejail.vim.in new file mode 100644 index 000000000..ec6b29e4f --- /dev/null +++ b/contrib/syntax/files/firejail.vim.in | |||
@@ -0,0 +1,99 @@ | |||
1 | " @make_input@ | ||
2 | " Vim syntax file | ||
3 | " Language: Firejail security sandbox profile | ||
4 | " URL: https://github.com/netblue30/firejail | ||
5 | |||
6 | if exists("b:current_syntax") | ||
7 | finish | ||
8 | endif | ||
9 | |||
10 | |||
11 | syn iskeyword @,48-57,_,.,- | ||
12 | |||
13 | |||
14 | syn keyword fjTodo TODO FIXME XXX NOTE contained | ||
15 | syn match fjComment "#.*$" contains=fjTodo | ||
16 | |||
17 | "TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim? | ||
18 | syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained | ||
19 | syn match fjCapabilityList /,/ nextgroup=fjCapability contained | ||
20 | |||
21 | syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained | ||
22 | syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained | ||
23 | |||
24 | syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained | ||
25 | syn match fjProtocolList /,/ nextgroup=fjProtocol contained | ||
26 | |||
27 | " Syscalls (auto-generated) | ||
28 | syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained | ||
29 | " Syscall groups (auto-generated) | ||
30 | syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained | ||
31 | syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained | ||
32 | " Errnos (auto-generated) | ||
33 | syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained | ||
34 | syn match fjSyscallList /,/ nextgroup=fjSyscall contained | ||
35 | |||
36 | syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained | ||
37 | syn keyword fjSeccompAction kill log ERRNO contained | ||
38 | |||
39 | syn match fjEnvVar "[A-Za-z0-9_]\+=" contained | ||
40 | syn match fjRmenvVar "[A-Za-z0-9_]\+" contained | ||
41 | |||
42 | syn keyword fjAll all contained | ||
43 | syn keyword fjNone none contained | ||
44 | syn keyword fjLo lo contained | ||
45 | syn keyword fjFilter filter contained | ||
46 | |||
47 | " Variable names (auto-generated) | ||
48 | syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/ | ||
49 | |||
50 | " Profile commands with 1 argument (auto-generated) | ||
51 | syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained | ||
52 | " Profile commands with 0 arguments (auto-generated) | ||
53 | syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained | ||
54 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | ||
55 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | ||
56 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained | ||
57 | syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained | ||
58 | syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained | ||
59 | syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained | ||
60 | syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained | ||
61 | syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained | ||
62 | syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained | ||
63 | syn match fjCommand /shell / nextgroup=fjNone skipwhite contained | ||
64 | syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained | ||
65 | syn match fjCommand /ip / nextgroup=fjNone skipwhite contained | ||
66 | syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained | ||
67 | syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained | ||
68 | syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained | ||
69 | " Commands that can't be inside a ?CONDITIONAL: statement | ||
70 | syn match fjCommandNoCond /include / skipwhite contained | ||
71 | syn match fjCommandNoCond /quiet$/ contained | ||
72 | |||
73 | " Conditionals (auto-generated) | ||
74 | syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained | ||
75 | |||
76 | " A line is either a command, a conditional or a comment | ||
77 | syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment | ||
78 | |||
79 | hi def link fjTodo Todo | ||
80 | hi def link fjComment Comment | ||
81 | hi def link fjCommand Statement | ||
82 | hi def link fjCommandNoCond Statement | ||
83 | hi def link fjConditional Macro | ||
84 | hi def link fjVar Identifier | ||
85 | hi def link fjCapability Type | ||
86 | hi def link fjProtocol Type | ||
87 | hi def link fjSyscall Type | ||
88 | hi def link fjSyscallErrno Constant | ||
89 | hi def link fjX11Sandbox Type | ||
90 | hi def link fjEnvVar Type | ||
91 | hi def link fjRmenvVar Type | ||
92 | hi def link fjAll Type | ||
93 | hi def link fjNone Type | ||
94 | hi def link fjLo Type | ||
95 | hi def link fjFilter Type | ||
96 | hi def link fjSeccompAction Type | ||
97 | |||
98 | |||
99 | let b:current_syntax = "firejail" | ||
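Review bot: The `fjCapability`, `fjNamespaces` and `fjProtocol` keyword lists near the top of this file stay hand-maintained while syscalls, syscall groups, errnos, macros, conditionals and commands are now generated from the C sources, so these three are where the syntax file will drift next; the capability list in particular looks like a candidate for the same `sed`-over-source treatment if the names live in one table in src/lib. Until that is done, a comment beside them such as `" Hand-maintained: keep in sync with the capability/namespace/protocol tables in the source` would tell the next editor why these blocks lack the `(auto-generated)` marker used elsewhere in the file.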
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list new file mode 100644 index 000000000..a402671a6 --- /dev/null +++ b/contrib/syntax/lists/profile_commands_arg0.list | |||
@@ -0,0 +1,50 @@ | |||
1 | allow-debuggers | ||
2 | allusers | ||
3 | apparmor | ||
4 | apparmor-replace | ||
5 | apparmor-stack | ||
6 | caps | ||
7 | deterministic-exit-code | ||
8 | deterministic-shutdown | ||
9 | disable-mnt | ||
10 | ipc-namespace | ||
11 | keep-config-pulse | ||
12 | keep-dev-shm | ||
13 | keep-var-tmp | ||
14 | machine-id | ||
15 | memory-deny-write-execute | ||
16 | netfilter | ||
17 | netlock | ||
18 | no3d | ||
19 | noautopulse | ||
20 | nodbus | ||
21 | nodvd | ||
22 | nogroups | ||
23 | noinput | ||
24 | nonewprivs | ||
25 | noprinters | ||
26 | noroot | ||
27 | nosound | ||
28 | notv | ||
29 | nou2f | ||
30 | novideo | ||
31 | overlay | ||
32 | overlay-tmpfs | ||
33 | private | ||
34 | private-cache | ||
35 | private-cwd | ||
36 | private-dev | ||
37 | private-etc | ||
38 | private-lib | ||
39 | private-tmp | ||
40 | quiet | ||
41 | restrict-namespaces | ||
42 | seccomp | ||
43 | seccomp\.block-secondary | ||
44 | tab | ||
45 | tracelog | ||
46 | writable-etc | ||
47 | writable-run-user | ||
48 | writable-var | ||
49 | writable-var-log | ||
50 | x11 | ||
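--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -0,0 +1,76 @@
+apparmor
+bind
+blacklist
+blacklist-nolog
+caps.drop
+caps.keep
+cpu
+dbus-system.broadcast
+dbus-system.call
+dbus-system.own
+dbus-system.see
+dbus-system.talk
+dbus-user.broadcast
+dbus-user.call
+dbus-user.own
+dbus-user.see
+dbus-user.talk
+defaultgw
+dns
+env
+hostname
+hosts-file
+ignore
+include
+ip
+ip6
+iprange
+join-or-start
+keep-fd
+mac
+mkdir
+mkfile
+mtu
+name
+net
+netfilter
+netfilter6
+netmask
+netns
+nice
+noblacklist
+noexec
+nowhitelist
+overlay-named
+private
+private-bin
+private-cwd
+private-etc
+private-home
+private-lib
+private-opt
+private-srv
+protocol
+read-only
+read-write
+restrict-namespaces
+rlimit-as
+rlimit-cpu
+rlimit-fsize
+rlimit-nofile
+rlimit-nproc
+rlimit-sigpending
+rmenv
+seccomp
+seccomp-error-action
+seccomp.32
+seccomp.32.drop
+seccomp.32.keep
+seccomp.drop
+seccomp.keep
+timeout
+tmpfs
+veth-name
+whitelist
+whitelist-ro
+xephyr-screen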
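--- /dev/null
+++ b/contrib/syntax/lists/profile_conditionals.list
@@ -0,0 +1,9 @@
+ALLOW_TRAY
+BROWSER_ALLOW_DRM
+BROWSER_DISABLE_U2F
+HAS_APPIMAGE
+HAS_NET
+HAS_NODBUS
+HAS_NOSOUND
+HAS_PRIVATE
+HAS_X11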
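--- /dev/null
+++ b/contrib/syntax/lists/profile_macros.list
@@ -0,0 +1,10 @@
+CFG
+DESKTOP
+DOCUMENTS
+DOWNLOADS
+HOME
+MUSIC
+PATH
+PICTURES
+RUNUSER
+VIDEOS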
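--- /dev/null
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -0,0 +1,29 @@
+aio
+basic-io
+chown
+clock
+cpu-emulation
+debug
+default
+default-keep
+default-nodebuggers
+file-system
+io-event
+ipc
+keyring
+memlock
+module
+mount
+network-io
+obsolete
+privileged
+process
+raw-io
+reboot
+resources
+setuid
+signal
+swap
+sync
+system-service
+timer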
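--- /dev/null
+++ b/contrib/syntax/lists/syscalls.list
@@ -0,0 +1,454 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+brk
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_pwait2
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futex_time64
+futex_waitv
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+landlock_add_rule
+landlock_create_ruleset
+landlock_restrict_self
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+mount_setattr
+move_mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_madvise
+process_mrelease
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+pselect6_time64
+ptrace
+putpmsg
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+quotactl_fd
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+stty
+swapoff
+swapon
+symlink
+symlinkat
+sync
+sync_file_range
+syncfs
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev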
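Review bot: `sync_file_range2` and `syscall`, both present in the fjSyscall keyword list of the vim syntax file this commit deletes (contrib/vim/syntax/firejail.vim, its line 28), are absent from the new syscalls.list, so seccomp lines naming them would lose highlighting in the new syntax files; if the list was regenerated from src/include/syscall*.h as the old comment described, the headers may simply no longer carry them, but that is inferred. The deleted file also recorded the sed pipeline that produced the list, and a .list file has no comment syntax to carry it, so that provenance should be kept in a README or generator script next to contrib/syntax/lists/ unless one already exists outside this view.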
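--- /dev/null
+++ b/contrib/syntax/lists/system_errnos.list
@@ -0,0 +1,135 @@
+E2BIG
+EACCES
+EADDRINUSE
+EADDRNOTAVAIL
+EADV
+EAFNOSUPPORT
+EAGAIN
+EALREADY
+EBADE
+EBADF
+EBADFD
+EBADMSG
+EBADR
+EBADRQC
+EBADSLT
+EBFONT
+EBUSY
+ECANCELED
+ECHILD
+ECHRNG
+ECOMM
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+EDEADLK
+EDEADLOCK
+EDESTADDRREQ
+EDOM
+EDOTDOT
+EDQUOT
+EEXIST
+EFAULT
+EFBIG
+EHOSTDOWN
+EHOSTUNREACH
+EHWPOISON
+EIDRM
+EILSEQ
+EINPROGRESS
+EINTR
+EINVAL
+EIO
+EISCONN
+EISDIR
+EISNAM
+EKEYEXPIRED
+EKEYREJECTED
+EKEYREVOKED
+EL2HLT
+EL2NSYNC
+EL3HLT
+EL3RST
+ELIBACC
+ELIBBAD
+ELIBEXEC
+ELIBMAX
+ELIBSCN
+ELNRNG
+ELOOP
+EMEDIUMTYPE
+EMFILE
+EMLINK
+EMSGSIZE
+EMULTIHOP
+ENAMETOOLONG
+ENAVAIL
+ENETDOWN
+ENETRESET
+ENETUNREACH
+ENFILE
+ENOANO
+ENOATTR
+ENOBUFS
+ENOCSI
+ENODATA
+ENODEV
+ENOENT
+ENOEXEC
+ENOKEY
+ENOLCK
+ENOLINK
+ENOMEDIUM
+ENOMEM
+ENOMSG
+ENONET
+ENOPKG
+ENOPROTOOPT
+ENOSPC
+ENOSR
+ENOSTR
+ENOSYS
+ENOTBLK
+ENOTCONN
+ENOTDIR
+ENOTEMPTY
+ENOTNAM
+ENOTRECOVERABLE
+ENOTSOCK
+ENOTSUP
+ENOTTY
+ENOTUNIQ
+ENXIO
+EOPNOTSUPP
+EOVERFLOW
+EOWNERDEAD
+EPERM
+EPFNOSUPPORT
+EPIPE
+EPROTO
+EPROTONOSUPPORT
+EPROTOTYPE
+ERANGE
+EREMCHG
+EREMOTE
+EREMOTEIO
+ERESTART
+ERFKILL
+EROFS
+ESHUTDOWN
+ESOCKTNOSUPPORT
+ESPIPE
+ESRCH
+ESRMNT
+ESTALE
+ESTRPIPE
+ETIME
+ETIMEDOUT
+ETOOMANYREFS
+ETXTBSY
+EUCLEAN
+EUNATCH
+EUSERS
+EWOULDBLOCK
+EXDEV
+EXFULL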
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim deleted file mode 100644 index c844350d8..000000000 --- a/contrib/vim/syntax/firejail.vim +++ /dev/null | |||
@@ -1,104 +0,0 @@ | |||
1 | " Vim syntax file | ||
2 | " Language: Firejail security sandbox profile | ||
3 | " URL: https://github.com/netblue30/firejail | ||
4 | |||
5 | if exists("b:current_syntax") | ||
6 | finish | ||
7 | endif | ||
8 | |||
9 | |||
10 | syn iskeyword @,48-57,_,.,- | ||
11 | |||
12 | |||
13 | syn keyword fjTodo TODO FIXME XXX NOTE contained | ||
14 | syn match fjComment "#.*$" contains=fjTodo | ||
15 | |||
16 | "TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim? | ||
17 | syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained | ||
18 | syn match fjCapabilityList /,/ nextgroup=fjCapability contained | ||
19 | |||
20 | syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained | ||
21 | syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained | ||
22 | |||
23 | syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained | ||
24 | syn match fjProtocolList /,/ nextgroup=fjProtocol contained | ||
25 | |||
26 | " Syscalls grabbed from: src/include/syscall*.h | ||
27 | " Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' ' | ||
28 | syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx 
mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink 
symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained | ||
29 | " Syscall groups grabbed from: src/fseccomp/syscall.c | ||
30 | " Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|' | ||
31 | syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained | ||
32 | syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained | ||
33 | " Errnos grabbed from: src/fseccomp/errno.c | ||
34 | " Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|' | ||
35 | syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained | ||
36 | syn match fjSyscallList /,/ nextgroup=fjSyscall contained | ||
37 | |||
38 | syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained | ||
39 | syn keyword fjSeccompAction kill log ERRNO contained | ||
40 | |||
41 | syn match fjEnvVar "[A-Za-z0-9_]\+=" contained | ||
42 | syn match fjRmenvVar "[A-Za-z0-9_]\+" contained | ||
43 | |||
44 | syn keyword fjAll all contained | ||
45 | syn keyword fjNone none contained | ||
46 | syn keyword fjLo lo contained | ||
47 | syn keyword fjFilter filter contained | ||
48 | |||
49 | " Variable names grabbed from: src/firejail/macros.c | ||
50 | " Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|' | ||
51 | syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/ | ||
52 | |||
53 | " Commands grabbed from: src/firejail/profile.c | ||
54 | " Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | ||
55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | ||
56 | " Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below | ||
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | ||
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | ||
59 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | ||
60 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained | ||
61 | syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained | ||
62 | syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained | ||
63 | syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained | ||
64 | syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained | ||
65 | syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained | ||
66 | syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained | ||
67 | syn match fjCommand /shell / nextgroup=fjNone skipwhite contained | ||
68 | syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained | ||
69 | syn match fjCommand /ip / nextgroup=fjNone skipwhite contained | ||
70 | syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained | ||
71 | syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained | ||
72 | syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained | ||
73 | " Commands that can't be inside a ?CONDITIONAL: statement | ||
74 | syn match fjCommandNoCond /include / skipwhite contained | ||
75 | syn match fjCommandNoCond /quiet$/ contained | ||
76 | |||
77 | " Conditionals grabbed from: src/firejail/profile.c | ||
78 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|' | ||
79 | syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained | ||
80 | |||
81 | " A line is either a command, a conditional or a comment | ||
82 | syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment | ||
83 | |||
84 | hi def link fjTodo Todo | ||
85 | hi def link fjComment Comment | ||
86 | hi def link fjCommand Statement | ||
87 | hi def link fjCommandNoCond Statement | ||
88 | hi def link fjConditional Macro | ||
89 | hi def link fjVar Identifier | ||
90 | hi def link fjCapability Type | ||
91 | hi def link fjProtocol Type | ||
92 | hi def link fjSyscall Type | ||
93 | hi def link fjSyscallErrno Constant | ||
94 | hi def link fjX11Sandbox Type | ||
95 | hi def link fjEnvVar Type | ||
96 | hi def link fjRmenvVar Type | ||
97 | hi def link fjAll Type | ||
98 | hi def link fjNone Type | ||
99 | hi def link fjLo Type | ||
100 | hi def link fjFilter Type | ||
101 | hi def link fjSeccompAction Type | ||
102 | |||
103 | |||
104 | let b:current_syntax = "firejail" | ||
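--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.histfile
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
 blacklist-nolog ${HOME}/.local/share/klipper
@@ -25,10 +26,9 @@ blacklist-nolog ${HOME}/.local/share/nvim
 blacklist-nolog ${HOME}/.local/state/nvim
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.mutthistory
 blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 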
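Review bot: `blacklist-nolog ${HOME}/.python_history` is dropped in the second hunk, while everything else in this file section is a reorder (`.lesshst` moves up to its sorted position) or an addition (`.mutthistory`). `~/.python_history` is the file the interactive Python interpreter writes its readline history to, and the neighbouring `.python-history` and `.pythonhist` entries do not cover it, so unless the line is re-added in a hunk outside this view the sandbox will now leave REPL history readable. If the removal is unintended, keep the line in sorted position: `blacklist-nolog ${HOME}/.python_history`.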
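--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
 private-tmp
 
 # Redirect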
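Review bot: `resolv.conf` is appended to the private-etc list without any explanation, whereas the adjacent `login.defs` entry carries a comment saying why it is needed; an archive front-end needing resolver configuration is not self-evident, so a one-line comment above the directive, for example `# resolv.conf: <reason the tool reads it>`, would keep the private-etc whitelist auditable. If the reworked private-etc in this merge already supplies resolv.conf implicitly, the explicit entry may be redundant instead, but that is inferred from the other profiles in this commit rather than visible here.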
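--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,7 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
-private-etc TLS-CA
+private-etc @tls-ca
 private-tmp
 
 dbus-user none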
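--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,7 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
+private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
 blacklist ${PATH}/curl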
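Review bot: Besides the rename, the new `private-etc` line (new line 63) drops the `NETWORK` group that old line 63 listed, with no `@network` replacement and no comment recording that this is intentional. The man page hunk in this same commit says networking files are added automatically unless `--net=none` is used, so the drop is presumably deliberate, but a one-liner such as `# @network is added automatically unless net none is set` would make that explicit for people editing `firefox-common.local`. The commented-out example on line 62 still spells out `X11`, `hostname`, `hosts`, `nsswitch.conf` and `resolv.conf` individually and was not updated to the new `@`-group notation, so it now disagrees with the live line directly below it.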
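--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc gcrypt,GUI,python*
+private-etc @x11,gcrypt,python*
 private-tmp
 
 dbus-user none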
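--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -65,7 +65,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
-private-etc ImageMagick*,inkscape: GUI,python*
+private-etc @x11,ImageMagick*,python*
 private-tmp
 
 dbus-user filter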
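Review bot: Old line 68 read `ImageMagick*,inkscape: GUI,python*`, where the `: ` looks like a typo for `,` and `inkscape` was presumably an intended /etc entry; the new line 68 drops `inkscape` altogether instead of repairing it. If an `/etc/inkscape` directory exists on any supported distribution it will no longer be copied into the sandbox, and nothing in the profile records that this was checked. Either restore it as `private-etc @x11,ImageMagick*,inkscape,python*` or add a comment stating why the entry is not needed.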
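--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.mutthistory
 noblacklist ${HOME}/.muttrc
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.signature
@@ -51,29 +52,18 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
 mkdir ${HOME}/.cache/mutt
 mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
 mkdir ${HOME}/.mutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
 mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
 mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
@@ -89,6 +79,7 @@ whitelist ${HOME}/.mail
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.msmtprc
 whitelist ${HOME}/.mutt
+whitelist ${HOME}/.mutthistory
 whitelist ${HOME}/.muttrc
 whitelist ${HOME}/.nanorc
 whitelist ${HOME}/.signature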
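Review bot: The second hunk removes `mkfile ${HOME}/.msmtprc` and `mkfile ${HOME}/.nanorc` (old lines 71 and 73), yet `whitelist ${HOME}/.msmtprc` and `whitelist ${HOME}/.nanorc` stay on new lines 80 and 84, as do their `noblacklist` entries on lines 24 and 28. Presumably the `mkdir`/`mkfile` lines moved into a shared include that this profile pulls in, but nothing visible here confirms that; a whitelist whose target does not exist at startup is skipped, so on a machine without an existing `~/.msmtprc` mutt would lose access to its SMTP credentials with only a warning. A comment next to the remaining whitelists, e.g. `# .msmtprc and .nanorc are created by the included allow-*.inc files`, naming the actual include would make the dependency explicit.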
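--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
-private-etc GAMES,GUI
+private-etc @games,@x11
 private-tmp
 
 restrict-namespaces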
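--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
 char* ptr = strtok(str, ",");
 while (ptr) {
 // look for standard groups
-if (strcmp(ptr, "TLS-CA") == 0)
+if (strcmp(ptr, "@tls-ca") == 0)
 etc_copy_group(&etc_group_tls_ca[0]);
-if (strcmp(ptr, "GUI") == 0)
-etc_copy_group(&etc_group_gui[0]);
-if (strcmp(ptr, "SOUND") == 0)
+if (strcmp(ptr, "@x11") == 0)
+etc_copy_group(&etc_group_x11[0]);
+if (strcmp(ptr, "@sound") == 0)
 etc_copy_group(&etc_group_sound[0]);
-if (strcmp(ptr, "NETWORK") == 0)
+if (strcmp(ptr, "@network") == 0)
 etc_copy_group(&etc_group_network[0]);
-if (strcmp(ptr, "GAMES") == 0)
+if (strcmp(ptr, "@games") == 0)
 etc_copy_group(&etc_group_games[0]);
 else
 etc_add(ptr);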
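Review bot: Only the `@games` comparison on new line 88 carries the `else`, so for `@tls-ca`, `@x11`, `@sound` and `@network` the loop copies the group and then still falls through to `etc_add(ptr)` on line 91 with the literal `@`-token as an /etc entry; the old uppercase names had the same fall-through, and the commit preserves the structure rather than fixing it. Making lines 82, 84, 86 and 88 `else if (strcmp(ptr, "@x11") == 0)` and so on turns the chain into an exclusive dispatch. The rename also has no fallback or diagnostic for the old spellings, so an existing `.local` that still says `GUI` or `TLS-CA` will now be handed to `etc_add` as a path name; what `etc_add` does with a missing entry is not visible here. `fs_etc_build` starts before this hunk.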
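--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2172,11 +2172,24 @@ int main(int argc, char **argv, char **envp) {
 // hostname, etc
 //*************************************
 else if (strncmp(argv[i], "--name=", 7) == 0) {
+int only_numbers = 1;
 cfg.name = argv[i] + 7;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: please provide a name for sandbox\n");
 return 1;
 }
+const char *c = cfg.name;
+while (*c) {
+if (!isdigit(*c)) {
+only_numbers = 0;
+break;
+}
+++c;
+}
+if (only_numbers) {
+fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+return 1;
+}
 }
 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
 cfg.hostname = argv[i] + 11;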
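Review bot: `isdigit(*c)` on new line 2183 receives a plain `char`; any byte above 0x7F in a UTF-8 sandbox name is negative on platforms where `char` is signed, and passing a negative value other than `EOF` to `isdigit` is undefined behaviour. Declare the cursor as `const unsigned char *c = (const unsigned char *)cfg.name;` on line 2181 (or cast at the call, `isdigit((unsigned char)*c)`) so non-ASCII names are checked safely; whether `<ctype.h>` is already included in main.c is not visible here. The same twelve lines are pasted into profile.c in this commit, so a shared helper would keep the two rules from diverging. `main` begins and ends outside this hunk.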
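--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 // sandbox name
 else if (strncmp(ptr, "name ", 5) == 0) {
+int only_numbers = 1;
 cfg.name = ptr + 5;
 if (strlen(cfg.name) == 0) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
 }
+const char *c = cfg.name;
+while (*c) {
+if (!isdigit(*c)) {
+only_numbers = 0;
+break;
+}
+++c;
+}
+if (only_numbers) {
+fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+exit(1);
+}
 return 0;
 }
 else if (strcmp(ptr, "ipc-namespace") == 0) {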
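Review bot: New lines 329–346 repeat, line for line, the digits-only check this commit also adds to `main.c` for `--name=`, and the two copies will drift the next time the naming rule changes (the man page already notes the `name-PID` fallback, and path-unsafe characters may need rejecting later). A single helper declared in a header both files include, called here as `if (name_is_all_digits(cfg.name)) { fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n"); exit(1); }`, keeps one definition and one place to fix the `isdigit(*c)` call, which should operate on `unsigned char` to avoid undefined behaviour on non-ASCII bytes. The enclosing `profile_check_line` starts before this hunk.
```c
// Return 1 when name consists only of ASCII digits, else 0.
// A digits-only sandbox name would be taken for a PID by --join and friends.
int name_is_all_digits(const char *name) {
	const unsigned char *c = (const unsigned char *)name;
	while (*c) {
		if (!isdigit(*c))
			return 0;
		c++;
	}
	return 1;
}

// … unchanged: cfg.name assignment and empty-name check in profile_check_line …
if (name_is_all_digits(cfg.name)) {
	fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
	exit(1);
}
```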
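--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -23,7 +23,7 @@
 
 #define ETC_MAX 256
 
-// DEFAULT
+// @default
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 "alternatives",
 "fonts",
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
 NULL
 };
 
-// SOUND
+// @sound
 static char *etc_group_sound[] = {
 "alsa",
 "asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
 NULL
 };
 
-// NETWORK
+// @network
 static char*etc_group_network[] = {
 "hostname",
 "hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
 NULL
 };
 
-// TLS-CA
+// @tls-ca
 static char *etc_group_tls_ca[] = {
 "ca-certificates",
 "crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
 NULL
 };
 
-// GUI
-static char *etc_group_gui[] = {
+// @x11
+static char *etc_group_x11[] = {
 "xdg",
 "drirc",
 "dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
 "kde4rc",
 "kde5rc",
 "pango", // text rendering/internationalization
+"nvidia",
+"X11",
 NULL
 };
 
-// GAMES
+// @games
 static char *etc_group_games[] = {
 "timidity", // MIDI
 "timidity.cfg",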
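Review bot: The two new `@x11` entries `"nvidia"` and `"X11"` on new lines 83–84 carry no explanation, unlike the neighbouring `"pango", // text rendering/internationalization`, and `X11` brings the whole `/etc/X11` tree (xinit/Xsession scripts and xorg.conf.d on typical distributions — verify) into every sandbox that asks for `@x11`, which is a noticeable widening of the group. A short reason on each, e.g. `"nvidia", // proprietary driver configuration` and `"X11", // xorg/xinit configuration, previously listed per profile`, records why they were promoted into the shared group. The `// @default` label on line 26 also suggests a `@default` token, but the `fs_etc_build` dispatch in this same commit recognises only `@tls-ca`, `@x11`, `@sound`, `@network` and `@games`; either wire it up or word the comment so it does not read as a usable group name.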
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e60c139a5..1b051ab57 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492 | |||
1330 | \fB\-\-name=name | 1330 | \fB\-\-name=name |
1331 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use | 1331 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use |
1332 | this name to identify a sandbox. | 1332 | this name to identify a sandbox. |
1333 | The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join. | ||
1333 | 1334 | ||
1334 | In case the name supplied by the user is already in use by another sandbox, Firejail will assign a | 1335 | In case the name supplied by the user is already in use by another sandbox, Firejail will assign a |
1335 | new name as "name-PID", where PID is the process ID of the sandbox. This functionality | 1336 | new name as "name-PID", where PID is the process ID of the sandbox. This functionality |
@@ -2127,27 +2128,27 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 | |||
2127 | .br | 2128 | .br |
2128 | $ | 2129 | $ |
2129 | .TP | 2130 | .TP |
2130 | \fB\-\-private-etc, \-\-private-etc=file,directory | 2131 | \fB\-\-private-etc, \-\-private-etc=file,directory,@group |
2131 | The files installed by \-\-private-etc are copies of the original system files from /etc directory. | 2132 | The files installed by \-\-private-etc are copies of the original system files from /etc directory. |
2132 | By default, the command brings in a skeleton of files and directories used by most console tools: | 2133 | By default, the command brings in a skeleton of files and directories used by most console tools: |
2133 | 2134 | ||
2134 | $ firejail --private-etc dig debian.org | 2135 | $ firejail --private-etc dig debian.org |
2135 | 2136 | ||
2136 | For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example: | 2137 | For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example: |
2137 | 2138 | ||
2138 | $ firejail --private-etc=GUI,python* gimp | 2139 | $ firejail --private-etc=@x11,gcrypt,python* gimp |
2139 | 2140 | ||
2140 | /etc/python* directories are not part of the generic GUI group. | 2141 | gcrypt and /etc/python* directories are not part of the generic @x11 group. |
2141 | These directories are reuqired by Gimp plugin system. File globbing is supported. | 2142 | File globbing is supported. |
2142 | 2143 | ||
2143 | For games, add GAMES group: | 2144 | For games, add @games group: |
2144 | 2145 | ||
2145 | $ firejail --private-etc=GUI,GAMES warzone2100 | 2146 | $ firejail --private-etc=@games,@x11 warzone2100 |
2146 | 2147 | ||
2147 | Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. | 2148 | Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. |
2148 | Files for encrypted TLS/SSL protocol are in TLS-CA group. | 2149 | Files for encrypted TLS/SSL protocol are in @tls-ca group. |
2149 | 2150 | ||
2150 | $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org | 2151 | $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org |
2151 | 2152 | ||
2152 | 2153 | ||
2153 | Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: | 2154 | Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: |