more private-etc

author: netblue30 <netblue30@protonmail.com> 2023-02-24 20:37:35 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-02-24 20:37:35 -0500
commit: 2531759b80fbfcfbe296bd4bab329c61b7757c92 (patch)
tree: cc428443a3dbf5578882100ac45a9f6239fb430d
parent: New profiles: qpdf and redirects (#5675) (diff)
download: firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.tar.gz
firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.tar.zst
firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.zip
10 files changed, 39 insertions, 56 deletions
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 392b189f8..c2a482b61 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -50,7 +50,7 @@ tracelog
 private-bin audacity
 private-dev
-private-etc @tls-ca,@x11
+private-etc @x11
 private-tmp
 # problems on Fedora 27
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 717519112..6f350f8ac 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 private-dev
-private-etc @tls-ca,@x11,python*
+private-etc @x11,python*
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index e16f3f1d5..82cba7887 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -13,6 +13,13 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
+whitelist ${HOME}/.local/share/glib-2.0/schemas
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/iagno
+whitelist /usr/share/gdm
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -28,11 +35,12 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 disable-mnt
-private
 private-bin iagno
 private-dev
+private-etc @x11,gconf
 private-tmp
 # dbus-user none
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index dccd93429..77c032a53 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -51,6 +51,7 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-cache
 private-dev
+private-etc @tls-ca,@x11,python*
 private-tmp
 dbus-user filter
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index e21d37040..a4cb49171 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -51,7 +51,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-etc @tls-ca,@x11,python*
 private-tmp
 # makes settings immutable
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 0ed5d4e32..9e24256c0 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -28,6 +28,10 @@
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
        "alternatives",
        "fonts",
+        "gcrypt",       // GNU crypto library - it contains configuration for specialized encryption
+                // and random number generators hardware.
+                // The directory is not installed in Debian. On Fedora it is an empty directory.
+                // The defaults in glibc cover the regular PC.
        "group",
        "ld.so.cache",
        "ld.so.conf",
@@ -49,7 +53,6 @@ static char *etc_group_games[] = {
        "openal", // 3D sound
        "timidity", // MIDI
        "timidity.cfg",
-        "vulkan", // next generation OpenGL stack
        NULL
 };
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
        "ca-certificates",
        "crypto-policies",
-        "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes
-                // and random number generators. The file is not installed by Debian.
        "pki",
        "ssl",
        NULL
@@ -95,6 +96,7 @@ static char *etc_group_x11[] = {
        "nvidia", // 3D
        "pango", // text rendering/internationalization
        "Trolltech.conf", // old QT config file
+        "vulkan", // next generation OpenGL stack
        "X11",
        "xdg",
        NULL
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 9e19af83a..182e259e1 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -7,17 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail less sysutils.sh\r"
+send -- "rm -f /tmp/tt\r"
+after 500
+send -- "firejail less sysutils.sh > /tmp/t\r"
+sleep 1
+send -- "cat /tmp/t | grep Authors\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 0\n";exit}
-        "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-        "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
        "Firejail Authors"
 }
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "MALLOC_CHECK"
-}
 after 100
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/man.exp b/test/sysutils/man.exp
index f4fc5aa2c..0386b2e92 100755
--- a/test/sysutils/man.exp
+++ b/test/sysutils/man.exp
@@ -7,12 +7,19 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail man firejail\r"
+send -- "rm -f /tmp/t\r"
+after 500
+send -- "firejail man firejail > /tmp/t\r"
+sleep 1
+send -- "cat /tmp/t\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit}
-        "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit}
        "NAME"
 }
 after 100
+send -- "rm -f /tmp/t\r"
+after 500
 puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 34acca07d..231f5afa8 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -47,14 +47,6 @@ else
        echo "TESTING SKIP: gzip not found"
 fi
-if command -v xzdec
-then
-        echo "TESTING: xzdec"
-        ./xzdec.exp
-else
-        echo "TESTING SKIP: xzdec not found"
-fi
 if command -v xz
 then
        echo "TESTING: xz"
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
deleted file mode 100755
index 62cc1c225..000000000
--- a/test/sysutils/xzdec.exp
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
-sleep 1
-send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
-sleep 1
-send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
-sleep 1
-send -- "diff -s firejail_t1 firejail_t2\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "firejail_t1 and firejail_t2 are identical"
-}
-send -- "rm firejail_t*\r"
-sleep 1
-puts "\nall done\n"
author	netblue30 <netblue30@protonmail.com>	2023-02-24 20:37:35 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-02-24 20:37:35 -0500
commit	2531759b80fbfcfbe296bd4bab329c61b7757c92 (patch)
tree	cc428443a3dbf5578882100ac45a9f6239fb430d
parent	New profiles: qpdf and redirects (#5675) (diff)
download	firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.tar.gz firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.tar.zst firejail-2531759b80fbfcfbe296bd4bab329c61b7757c92.zip