diff options
author | smitsohu <smitsohu@gmail.com> | 2018-10-13 21:58:52 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-10-13 21:58:52 +0200 |
commit | f64ec79cd3dc91f19ebf8c41306e812548102b1f (patch) | |
tree | f6a5958418ac6e41ec00064eb69f7df013b2f5d6 | |
parent | improve clean_pathname() function: drop realloc (diff) | |
parent | Update gnome-pie profile (#2191) (diff) | |
download | firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.gz firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.tar.zst firejail-f64ec79cd3dc91f19ebf8c41306e812548102b1f.zip |
Merge branch 'master' of https://github.com/netblue30/firejail
46 files changed, 508 insertions, 18 deletions
@@ -123,6 +123,8 @@ bn0785ac (https://github.com/bn0785ac) | |||
123 | - fix inox, add snox profile | 123 | - fix inox, add snox profile |
124 | BogDan Vatra (https://github.com/bog-dan-ro) | 124 | BogDan Vatra (https://github.com/bog-dan-ro) |
125 | - zoom profile | 125 | - zoom profile |
126 | Brad Ackerman | ||
127 | - blacklist Bitwarden config in disable-passwdmgr.inc | ||
126 | Bruno Nova (https://github.com/brunonova) | 128 | Bruno Nova (https://github.com/brunonova) |
127 | - whitelist fix | 129 | - whitelist fix |
128 | - bash arguments fix | 130 | - bash arguments fix |
@@ -277,7 +279,13 @@ glitsj16 (https://github.com/glitsj16) | |||
277 | - profile fixes: file, strings, claws-mail, | 279 | - profile fixes: file, strings, claws-mail, |
278 | - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 280 | - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
279 | - new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 281 | - new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
280 | - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec | 282 | - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
283 | - new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep | ||
284 | - new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat | ||
285 | - new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore | ||
286 | - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | ||
287 | - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | ||
288 | - new profiles: masterpdfeditor | ||
281 | graywolf (https://github.com/graywolf) | 289 | graywolf (https://github.com/graywolf) |
282 | - spelling fix | 290 | - spelling fix |
283 | greigdp (https://github.com/greigdp) | 291 | greigdp (https://github.com/greigdp) |
@@ -134,5 +134,8 @@ The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | |||
134 | # New profiles: | 134 | # New profiles: |
135 | 135 | ||
136 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, | 136 | QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, |
137 | bsdcat, bsdcpio, bsdtar, lzmadec | 137 | bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, |
138 | lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore, | ||
139 | lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh, nirtoshare-send, nitroshare-ui, mencoder, gnome-pie, | ||
140 | masterpdfeditor | ||
138 | 141 | ||
@@ -3,7 +3,13 @@ firejail (0.9.56.1) baseline; urgency=low | |||
3 | * --disable-mnt rework | 3 | * --disable-mnt rework |
4 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms | 4 | * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms |
5 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min | 5 | * new profiles: devilspie, devilspie2, easystroke, github-desktop, min |
6 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec | 6 | * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat |
7 | * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep | ||
8 | * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat | ||
9 | * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore | ||
10 | * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh | ||
11 | * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie | ||
12 | * new profiles: masterpdfeditor | ||
7 | -- netblue30 <netblue30@yahoo.com> Thu, 11 Oct 2018 08:00:00 -0500 | 13 | -- netblue30 <netblue30@yahoo.com> Thu, 11 Oct 2018 08:00:00 -0500 |
8 | 14 | ||
9 | firejail (0.9.56) baseline; urgency=low | 15 | firejail (0.9.56) baseline; urgency=low |
diff --git a/etc/artha.profile b/etc/artha.profile new file mode 100644 index 000000000..befe9295f --- /dev/null +++ b/etc/artha.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for artha | ||
2 | # Description: A free cross-platform English thesaurus based on WordNet | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/artha.local | ||
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/artha.conf | ||
10 | noblacklist ${HOME}/.config/enchant | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-interpreters.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-programs.inc | ||
17 | |||
18 | caps.drop all | ||
19 | ipc-namespace | ||
20 | machine-id | ||
21 | net none | ||
22 | no3d | ||
23 | # nodbus | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | ||
29 | notv | ||
30 | nou2f | ||
31 | novideo | ||
32 | protocol unix | ||
33 | seccomp | ||
34 | shell none | ||
35 | |||
36 | disable-mnt | ||
37 | private-bin artha,enchant,notify-send | ||
38 | private-cache | ||
39 | private-dev | ||
40 | private-etc fonts | ||
41 | private-lib libnotify.so.* | ||
42 | private-tmp | ||
43 | |||
44 | memory-deny-write-execute | ||
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 6ef11780e..19fd871d3 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include /etc/firejail/disable-passwdmgr.local | 3 | include /etc/firejail/disable-passwdmgr.local |
4 | 4 | ||
5 | blacklist ${HOME}/.config/Bitwarden | ||
5 | blacklist ${HOME}/.config/KeePass | 6 | blacklist ${HOME}/.config/KeePass |
6 | blacklist ${HOME}/.config/keepass | 7 | blacklist ${HOME}/.config/keepass |
7 | blacklist ${HOME}/.config/keepassx | 8 | blacklist ${HOME}/.config/keepassx |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 251362b77..0f48a320b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -52,6 +52,7 @@ blacklist ${HOME}/.config/Beaker Browser | |||
52 | blacklist ${HOME}/.config/Brackets | 52 | blacklist ${HOME}/.config/Brackets |
53 | blacklist ${HOME}/.config/Clementine | 53 | blacklist ${HOME}/.config/Clementine |
54 | blacklist ${HOME}/.config/Code | 54 | blacklist ${HOME}/.config/Code |
55 | blacklist ${HOME}/.config/Code Industry | ||
55 | blacklist ${HOME}/.config/Cryptocat | 56 | blacklist ${HOME}/.config/Cryptocat |
56 | blacklist ${HOME}/.config/Franz | 57 | blacklist ${HOME}/.config/Franz |
57 | blacklist ${HOME}/.config/FreeCAD | 58 | blacklist ${HOME}/.config/FreeCAD |
@@ -72,6 +73,7 @@ blacklist ${HOME}/.config/Mumble | |||
72 | blacklist ${HOME}/.config/MusE | 73 | blacklist ${HOME}/.config/MusE |
73 | blacklist ${HOME}/.config/MuseScore | 74 | blacklist ${HOME}/.config/MuseScore |
74 | blacklist ${HOME}/.config/MusicBrainz | 75 | blacklist ${HOME}/.config/MusicBrainz |
76 | blacklist ${HOME}/.config/Nathan Osman | ||
75 | blacklist ${HOME}/.config/Nylas Mail | 77 | blacklist ${HOME}/.config/Nylas Mail |
76 | blacklist ${HOME}/.config/Qlipper | 78 | blacklist ${HOME}/.config/Qlipper |
77 | blacklist ${HOME}/.config/QMediathekView | 79 | blacklist ${HOME}/.config/QMediathekView |
@@ -91,6 +93,7 @@ blacklist ${HOME}/.config/akregatorrc | |||
91 | blacklist ${HOME}/.config/ardour4 | 93 | blacklist ${HOME}/.config/ardour4 |
92 | blacklist ${HOME}/.config/ardour5 | 94 | blacklist ${HOME}/.config/ardour5 |
93 | blacklist ${HOME}/.config/arkrc | 95 | blacklist ${HOME}/.config/arkrc |
96 | blacklist ${HOME}/.config/artha.conf | ||
94 | blacklist ${HOME}/.config/asunder | 97 | blacklist ${HOME}/.config/asunder |
95 | blacklist ${HOME}/.config/atril | 98 | blacklist ${HOME}/.config/atril |
96 | blacklist ${HOME}/.config/audacious | 99 | blacklist ${HOME}/.config/audacious |
@@ -142,6 +145,7 @@ blacklist ${HOME}/.config/ghb | |||
142 | blacklist ${HOME}/.config/globaltime | 145 | blacklist ${HOME}/.config/globaltime |
143 | blacklist ${HOME}/.config/gnome-mplayer | 146 | blacklist ${HOME}/.config/gnome-mplayer |
144 | blacklist ${HOME}/.config/gnome-mpv | 147 | blacklist ${HOME}/.config/gnome-mpv |
148 | blacklist ${HOME}/.config/gnome-pie | ||
145 | blacklist ${HOME}/.config/google-chrome | 149 | blacklist ${HOME}/.config/google-chrome |
146 | blacklist ${HOME}/.config/google-chrome-beta | 150 | blacklist ${HOME}/.config/google-chrome-beta |
147 | blacklist ${HOME}/.config/google-chrome-unstable | 151 | blacklist ${HOME}/.config/google-chrome-unstable |
@@ -191,6 +195,7 @@ blacklist ${HOME}/.config/nautilus | |||
191 | blacklist ${HOME}/.config/nemo | 195 | blacklist ${HOME}/.config/nemo |
192 | blacklist ${HOME}/.config/netsurf | 196 | blacklist ${HOME}/.config/netsurf |
193 | blacklist ${HOME}/.config/nheko | 197 | blacklist ${HOME}/.config/nheko |
198 | blacklist ${HOME}/.config/NitroShare | ||
194 | blacklist ${HOME}/.config/okularpartrc | 199 | blacklist ${HOME}/.config/okularpartrc |
195 | blacklist ${HOME}/.config/okularrc | 200 | blacklist ${HOME}/.config/okularrc |
196 | blacklist ${HOME}/.config/onionshare | 201 | blacklist ${HOME}/.config/onionshare |
@@ -458,6 +463,7 @@ blacklist ${HOME}/.local/share/xplayer | |||
458 | blacklist ${HOME}/.local/share/xreader | 463 | blacklist ${HOME}/.local/share/xreader |
459 | blacklist ${HOME}/.local/share/zathura | 464 | blacklist ${HOME}/.local/share/zathura |
460 | blacklist ${HOME}/.lv2 | 465 | blacklist ${HOME}/.lv2 |
466 | blacklist ${HOME}/.masterpdfeditor | ||
461 | blacklist ${HOME}/.mcabber | 467 | blacklist ${HOME}/.mcabber |
462 | blacklist ${HOME}/.mcabberrc | 468 | blacklist ${HOME}/.mcabberrc |
463 | blacklist ${HOME}/.mediathek3 | 469 | blacklist ${HOME}/.mediathek3 |
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile new file mode 100644 index 000000000..41f6de346 --- /dev/null +++ b/etc/gnome-pie.profile | |||
@@ -0,0 +1,43 @@ | |||
1 | # Firejail profile for gnome-pie | ||
2 | # Description: Alternative AppMenu | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/gnome-pie.local | ||
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/gnome-pie | ||
10 | |||
11 | #include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | #include /etc/firejail/disable-interpreters.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | #include /etc/firejail/disable-programs.inc | ||
16 | |||
17 | caps.drop all | ||
18 | ipc-namespace | ||
19 | machine-id | ||
20 | net none | ||
21 | no3d | ||
22 | nodvd | ||
23 | nogroups | ||
24 | nonewprivs | ||
25 | noroot | ||
26 | nosound | ||
27 | notv | ||
28 | nou2f | ||
29 | novideo | ||
30 | protocol unix | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | disable-mnt | ||
35 | private-cache | ||
36 | private-dev | ||
37 | private-etc fonts | ||
38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | ||
39 | private-tmp | ||
40 | |||
41 | memory-deny-write-execute | ||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/lbunzip2.profile b/etc/lbunzip2.profile new file mode 100644 index 000000000..180eea2c8 --- /dev/null +++ b/etc/lbunzip2.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for gzip | ||
2 | # Description: GNU compression utilities | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/gzip.profile | ||
diff --git a/etc/lbzcat.profile b/etc/lbzcat.profile new file mode 100644 index 000000000..180eea2c8 --- /dev/null +++ b/etc/lbzcat.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for gzip | ||
2 | # Description: GNU compression utilities | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/gzip.profile | ||
diff --git a/etc/lbzip2.profile b/etc/lbzip2.profile new file mode 100644 index 000000000..180eea2c8 --- /dev/null +++ b/etc/lbzip2.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for gzip | ||
2 | # Description: GNU compression utilities | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/gzip.profile | ||
diff --git a/etc/lzcat.profile b/etc/lzcat.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzcat.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzcmp.profile b/etc/lzcmp.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzcmp.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzdiff.profile b/etc/lzdiff.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzdiff.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzegrep.profile b/etc/lzegrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzegrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzfgrep.profile b/etc/lzfgrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzfgrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzgrep.profile b/etc/lzgrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzgrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzip.profile b/etc/lzip.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzip.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzless.profile b/etc/lzless.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzless.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzma.profile b/etc/lzma.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzma.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzmainfo.profile b/etc/lzmainfo.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzmainfo.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/lzmore.profile b/etc/lzmore.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/lzmore.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile new file mode 100644 index 000000000..cc80679fc --- /dev/null +++ b/etc/masterpdfeditor.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for masterpdfeditor | ||
2 | # Description: A complete solution for creating and editing PDF files | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/masterpdfeditor.local | ||
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Code Industry | ||
10 | noblacklist ${HOME}/.masterpdfeditor | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-interpreters.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | include /etc/firejail/disable-programs.inc | ||
17 | |||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
20 | caps.drop all | ||
21 | ipc-namespace | ||
22 | machine-id | ||
23 | net none | ||
24 | no3d | ||
25 | nodbus | ||
26 | nodvd | ||
27 | nogroups | ||
28 | nonewprivs | ||
29 | noroot | ||
30 | nosound | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | |||
39 | # disable-mnt | ||
40 | # private | ||
41 | private-bin masterpdfeditor* | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc fonts | ||
45 | # private-lib | ||
46 | private-tmp | ||
47 | |||
48 | # memory-deny-write-execute | ||
49 | noexec ${HOME} | ||
50 | noexec /tmp | ||
diff --git a/etc/masterpdfeditor4.profile b/etc/masterpdfeditor4.profile new file mode 100644 index 000000000..7ab9c9421 --- /dev/null +++ b/etc/masterpdfeditor4.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for masterpdfeditor4 | ||
2 | # Description: A complete solution for creating and editing PDF files | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/masterpdfeditor4.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include /etc/firejail/globals.local | ||
9 | |||
10 | |||
11 | # Redirect | ||
12 | include /etc/firejail/masterpdfeditor.profile | ||
diff --git a/etc/masterpdfeditor5.profile b/etc/masterpdfeditor5.profile new file mode 100644 index 000000000..86faf5da0 --- /dev/null +++ b/etc/masterpdfeditor5.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for masterpdfeditor5 | ||
2 | # Description: A complete solution for creating and editing PDF files | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/masterpdfeditor5.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include /etc/firejail/globals.local | ||
9 | |||
10 | |||
11 | # Redirect | ||
12 | include /etc/firejail/masterpdfeditor.profile | ||
diff --git a/etc/mencoder.profile b/etc/mencoder.profile new file mode 100644 index 000000000..9306d268e --- /dev/null +++ b/etc/mencoder.profile | |||
@@ -0,0 +1,28 @@ | |||
1 | # Firejail profile for mencoder | ||
2 | # Description: Free command line video decoding, encoding and filtering tool | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/mencoder.local | ||
6 | # Persistent global definitions | ||
7 | # added by included profile | ||
8 | #include /etc/firejail/globals.local | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-interpreters.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | net none | ||
17 | no3d | ||
18 | nodbus | ||
19 | nosound | ||
20 | notv | ||
21 | nou2f | ||
22 | protocol unix | ||
23 | seccomp | ||
24 | shell none | ||
25 | |||
26 | private-bin mencoder | ||
27 | |||
28 | include /etc/firejail/mplayer.profile | ||
diff --git a/etc/nitroshare-cli.profile b/etc/nitroshare-cli.profile new file mode 100644 index 000000000..a9ad197e9 --- /dev/null +++ b/etc/nitroshare-cli.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for nitroshare | ||
2 | # Description: Network File Transfer Application | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/nitroshare.profile | ||
diff --git a/etc/nitroshare-nmh.profile b/etc/nitroshare-nmh.profile new file mode 100644 index 000000000..a9ad197e9 --- /dev/null +++ b/etc/nitroshare-nmh.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for nitroshare | ||
2 | # Description: Network File Transfer Application | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/nitroshare.profile | ||
diff --git a/etc/nitroshare-send.profile b/etc/nitroshare-send.profile new file mode 100644 index 000000000..a9ad197e9 --- /dev/null +++ b/etc/nitroshare-send.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for nitroshare | ||
2 | # Description: Network File Transfer Application | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/nitroshare.profile | ||
diff --git a/etc/nitroshare-ui.profile b/etc/nitroshare-ui.profile new file mode 100644 index 000000000..a9ad197e9 --- /dev/null +++ b/etc/nitroshare-ui.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for nitroshare | ||
2 | # Description: Network File Transfer Application | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/nitroshare.profile | ||
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile new file mode 100644 index 000000000..f02599ac6 --- /dev/null +++ b/etc/nitroshare.profile | |||
@@ -0,0 +1,50 @@ | |||
1 | # Firejail profile for nitroshare | ||
2 | # Description: Network File Transfer Application | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include /etc/firejail/nitroshare.local | ||
6 | # Persistent global definitions | ||
7 | include /etc/firejail/globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Nathan Osman | ||
10 | noblacklist ${HOME}/.config/NitroShare | ||
11 | |||
12 | # Allow python (blacklisted by disable-interpreters.inc) | ||
13 | noblacklist ${PATH}/python2* | ||
14 | noblacklist ${PATH}/python3* | ||
15 | noblacklist /usr/lib/python2* | ||
16 | noblacklist /usr/lib/python3* | ||
17 | |||
18 | include /etc/firejail/disable-common.inc | ||
19 | include /etc/firejail/disable-devel.inc | ||
20 | include /etc/firejail/disable-interpreters.inc | ||
21 | include /etc/firejail/disable-passwdmgr.inc | ||
22 | include /etc/firejail/disable-programs.inc | ||
23 | |||
24 | caps.drop all | ||
25 | netfilter | ||
26 | no3d | ||
27 | # nodbus | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | nosound | ||
33 | notv | ||
34 | nou2f | ||
35 | novideo | ||
36 | protocol unix,inet,inet6,netlink | ||
37 | seccomp | ||
38 | shell none | ||
39 | |||
40 | disable-mnt | ||
41 | private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl | ||
45 | # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare | ||
46 | private-tmp | ||
47 | |||
48 | # memory-deny-write-execute | ||
49 | noexec ${HOME} | ||
50 | noexec /tmp | ||
diff --git a/etc/unlzma.profile b/etc/unlzma.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/unlzma.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/unxz.profile b/etc/unxz.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/unxz.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzcat.profile b/etc/xzcat.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzcat.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzcmp.profile b/etc/xzcmp.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzcmp.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzdiff.profile b/etc/xzdiff.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzdiff.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzegrep.profile b/etc/xzegrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzegrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzfgrep.profile b/etc/xzfgrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzfgrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzgrep.profile b/etc/xzgrep.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzgrep.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzless.profile b/etc/xzless.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzless.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzmore.profile b/etc/xzmore.profile new file mode 100644 index 000000000..cd79eebc6 --- /dev/null +++ b/etc/xzmore.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile alias for cpio | ||
2 | # Description: Library and command line tools for XZ and LZMA compressed files | ||
3 | # This file is overwritten after every install/update | ||
4 | |||
5 | |||
6 | # Redirect | ||
7 | include /etc/firejail/cpio.profile | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ddc4b676d..dba078ca2 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -35,6 +35,7 @@ ardour5 | |||
35 | arduino | 35 | arduino |
36 | ark | 36 | ark |
37 | arm | 37 | arm |
38 | artha | ||
38 | # atom | 39 | # atom |
39 | # atom-beta | 40 | # atom-beta |
40 | asunder | 41 | asunder |
@@ -270,6 +271,8 @@ lximage-qt | |||
270 | lxmusic | 271 | lxmusic |
271 | lynx | 272 | lynx |
272 | macrofusion | 273 | macrofusion |
274 | masterpdfeditor4 | ||
275 | masterpdfeditor5 | ||
273 | mate-calc | 276 | mate-calc |
274 | mate-calculator | 277 | mate-calculator |
275 | mate-color-select | 278 | mate-color-select |
@@ -305,6 +308,7 @@ ncdu | |||
305 | netsurf | 308 | netsurf |
306 | neverball | 309 | neverball |
307 | nheko | 310 | nheko |
311 | nitroshare | ||
308 | nylas | 312 | nylas |
309 | obs | 313 | obs |
310 | odt2txt | 314 | odt2txt |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cae767667..441042233 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -32,6 +32,7 @@ | |||
32 | #define RUN_FIREJAIL_DIR "/run/firejail" | 32 | #define RUN_FIREJAIL_DIR "/run/firejail" |
33 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" | 33 | #define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" |
34 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place | 34 | #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" // also used in src/lib/pid.c - todo: move it in a common place |
35 | #define RUN_FIREJAIL_LIB_DIR "/run/firejail/lib" | ||
35 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" | 36 | #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" |
36 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 37 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
37 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | 38 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" |
@@ -790,16 +791,32 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
790 | 791 | ||
791 | // sbox.c | 792 | // sbox.c |
792 | // programs | 793 | // programs |
793 | #define PATH_FNET (LIBDIR "/firejail/fnet") | 794 | #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread |
794 | #define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") | 795 | #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread |
796 | |||
797 | //#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") | ||
798 | #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter") | ||
799 | |||
795 | #define PATH_FIREMON (PREFIX "/bin/firemon") | 800 | #define PATH_FIREMON (PREFIX "/bin/firemon") |
796 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") | 801 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") |
797 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | 802 | |
803 | //#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | ||
804 | #define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp") | ||
805 | |||
806 | // FSEC_PRINT is run outside of sandbox by --seccomp.print | ||
807 | // it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first | ||
798 | #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") | 808 | #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") |
799 | #define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") | 809 | |
800 | #define PATH_FCOPY (LIBDIR "/firejail/fcopy") | 810 | //#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") |
811 | #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize") | ||
812 | |||
813 | //#define PATH_FCOPY (LIBDIR "/firejail/fcopy") | ||
814 | #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy") | ||
815 | |||
801 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" | 816 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" |
802 | #define PATH_FLDD (LIBDIR "/firejail/fldd") | 817 | |
818 | //#define PATH_FLDD (LIBDIR "/firejail/fldd") | ||
819 | #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd") | ||
803 | 820 | ||
804 | // bitmapped filters for sbox_run | 821 | // bitmapped filters for sbox_run |
805 | #define SBOX_ROOT (1 << 0) // run the sandbox as root | 822 | #define SBOX_ROOT (1 << 0) // run the sandbox as root |
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index ea5edfabe..2c21e5dc7 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -38,6 +38,7 @@ typedef struct liblist_t { | |||
38 | 38 | ||
39 | static LibList libc_list[] = { | 39 | static LibList libc_list[] = { |
40 | { "libselinux.so.", 0 }, | 40 | { "libselinux.so.", 0 }, |
41 | { "libapparmor.so.", 0}, | ||
41 | { "ld-linux-x86-64.so.", 0 }, | 42 | { "ld-linux-x86-64.so.", 0 }, |
42 | { "libanl.so.", 0 }, | 43 | { "libanl.so.", 0 }, |
43 | { "libc.so.", 0 }, | 44 | { "libc.so.", 0 }, |
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index e3c750767..cdb4c6514 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -157,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { | |||
157 | char *cstr; | 157 | char *cstr; |
158 | if (asprintf(&cstr, "%d", child) == -1) | 158 | if (asprintf(&cstr, "%d", child) == -1) |
159 | errExit("asprintf"); | 159 | errExit("asprintf"); |
160 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr); | 160 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr); |
161 | free(cstr); | 161 | free(cstr); |
162 | 162 | ||
163 | char *msg; | 163 | char *msg; |
@@ -332,42 +332,42 @@ void network_main(pid_t child) { | |||
332 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | 332 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); |
333 | } | 333 | } |
334 | else | 334 | else |
335 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); | 335 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); |
336 | } | 336 | } |
337 | 337 | ||
338 | if (cfg.bridge1.configured) { | 338 | if (cfg.bridge1.configured) { |
339 | if (cfg.bridge1.macvlan == 0) | 339 | if (cfg.bridge1.macvlan == 0) |
340 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | 340 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); |
341 | else | 341 | else |
342 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); | 342 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); |
343 | } | 343 | } |
344 | 344 | ||
345 | if (cfg.bridge2.configured) { | 345 | if (cfg.bridge2.configured) { |
346 | if (cfg.bridge2.macvlan == 0) | 346 | if (cfg.bridge2.macvlan == 0) |
347 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | 347 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); |
348 | else | 348 | else |
349 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); | 349 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); |
350 | } | 350 | } |
351 | 351 | ||
352 | if (cfg.bridge3.configured) { | 352 | if (cfg.bridge3.configured) { |
353 | if (cfg.bridge3.macvlan == 0) | 353 | if (cfg.bridge3.macvlan == 0) |
354 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | 354 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); |
355 | else | 355 | else |
356 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); | 356 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); |
357 | } | 357 | } |
358 | 358 | ||
359 | // move interfaces in sandbox | 359 | // move interfaces in sandbox |
360 | if (cfg.interface0.configured) { | 360 | if (cfg.interface0.configured) { |
361 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr); | 361 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr); |
362 | } | 362 | } |
363 | if (cfg.interface1.configured) { | 363 | if (cfg.interface1.configured) { |
364 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr); | 364 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr); |
365 | } | 365 | } |
366 | if (cfg.interface2.configured) { | 366 | if (cfg.interface2.configured) { |
367 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr); | 367 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr); |
368 | } | 368 | } |
369 | if (cfg.interface3.configured) { | 369 | if (cfg.interface3.configured) { |
370 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); | 370 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr); |
371 | } | 371 | } |
372 | 372 | ||
373 | free(cstr); | 373 | free(cstr); |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index f519ed85f..236f7f427 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -62,6 +62,10 @@ void preproc_build_firejail_dir(void) { | |||
62 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); | 62 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); |
63 | } | 63 | } |
64 | 64 | ||
65 | if (stat(RUN_FIREJAIL_LIB_DIR, &s)) { | ||
66 | create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755); | ||
67 | } | ||
68 | |||
65 | if (stat(RUN_MNT_DIR, &s)) { | 69 | if (stat(RUN_MNT_DIR, &s)) { |
66 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); | 70 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); |
67 | } | 71 | } |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8eede6f93..3abeb174e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -587,6 +587,9 @@ int sandbox(void* sandbox_arg) { | |||
587 | } | 587 | } |
588 | // ... and mount a tmpfs on top of /run/firejail/mnt directory | 588 | // ... and mount a tmpfs on top of /run/firejail/mnt directory |
589 | preproc_mount_mnt_dir(); | 589 | preproc_mount_mnt_dir(); |
590 | // bind-mount firejail binaries and helper programs | ||
591 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0) | ||
592 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); | ||
590 | 593 | ||
591 | //**************************** | 594 | //**************************** |
592 | // log sandbox data | 595 | // log sandbox data |