author | 2023-02-24 20:37:35 -0500 | |
---|---|---|
committer | 2023-02-24 20:37:35 -0500 | |
commit | 2531759b80fbfcfbe296bd4bab329c61b7757c92 (patch) | |
tree | cc428443a3dbf5578882100ac45a9f6239fb430d | |
parent | New profiles: qpdf and redirects (#5675) (diff) | |
more private-etc
-rw-r--r-- | etc/profile-a-l/audacity.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/gimp.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/iagno.profile | 10 | ||||
-rw-r--r-- | etc/profile-m-z/rhythmbox.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/totem.profile | 2 | ||||
-rw-r--r-- | src/include/etc_groups.h | 8 | ||||
-rwxr-xr-x | test/sysutils/less.exp | 20 | ||||
-rwxr-xr-x | test/sysutils/man.exp | 13 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 8 | ||||
-rwxr-xr-x | test/sysutils/xzdec.exp | 29 |
10 files changed, 39 insertions, 56 deletions
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 392b189f8..c2a482b61 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
@@ -50,7 +50,7 @@ tracelog | |||
50 | 50 | ||
51 | private-bin audacity | 51 | private-bin audacity |
52 | private-dev | 52 | private-dev |
53 | private-etc @tls-ca,@x11 | 53 | private-etc @x11 |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | # problems on Fedora 27 | 56 | # problems on Fedora 27 |
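Review bot: Dropping `@tls-ca` from `private-etc` on line 53 leaves no CA bundle in the sandbox, so any HTTPS connection the application attempts (Audacity's update check, if it is enabled) now fails closed inside the jail. That is the safe direction, but it is only a no-op for users if the profile already blocks networking, and this hunk does not show whether `net none` is set elsewhere in the file. If it is not, record the intent above the line so the next maintainer does not re-add the group on the first bug report, e.g. `# no @tls-ca: network features are intentionally unsupported in the sandbox`. The same removal is made in gimp.profile in this commit and deserves the same comment.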
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 717519112..6f350f8ac 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -59,7 +59,7 @@ seccomp !mbind | |||
59 | tracelog | 59 | tracelog |
60 | 60 | ||
61 | private-dev | 61 | private-dev |
62 | private-etc @tls-ca,@x11,python* | 62 | private-etc @x11,python* |
63 | private-tmp | 63 | private-tmp |
64 | 64 | ||
65 | dbus-user none | 65 | dbus-user none |
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index e16f3f1d5..82cba7887 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile | |||
@@ -13,6 +13,13 @@ include disable-interpreters.inc | |||
13 | include disable-programs.inc | 13 | include disable-programs.inc |
14 | include disable-shell.inc | 14 | include disable-shell.inc |
15 | 15 | ||
16 | whitelist ${HOME}/.local/share/glib-2.0/schemas | ||
17 | include whitelist-common.inc | ||
18 | |||
19 | include whitelist-runuser-common.inc | ||
20 | whitelist /usr/share/iagno | ||
21 | whitelist /usr/share/gdm | ||
22 | include whitelist-usr-share-common.inc | ||
16 | include whitelist-var-common.inc | 23 | include whitelist-var-common.inc |
17 | 24 | ||
18 | apparmor | 25 | apparmor |
@@ -28,11 +35,12 @@ nou2f | |||
28 | novideo | 35 | novideo |
29 | protocol unix | 36 | protocol unix |
30 | seccomp | 37 | seccomp |
38 | seccomp.block-secondary | ||
31 | 39 | ||
32 | disable-mnt | 40 | disable-mnt |
33 | private | ||
34 | private-bin iagno | 41 | private-bin iagno |
35 | private-dev | 42 | private-dev |
43 | private-etc @x11,gconf | ||
36 | private-tmp | 44 | private-tmp |
37 | 45 | ||
38 | # dbus-user none | 46 | # dbus-user none |
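Review bot: The new `whitelist /usr/share/gdm` on line 21 and the `gconf` entry in `private-etc @x11,gconf` on line 43 are not self-explanatory for a board game, and neither carries a comment. iagno is a GNOME 3 application that stores settings through GSettings/dconf, so `gconf` looks like a leftover from the GConf era; verify it is still read before keeping it, otherwise drop it to keep the /etc view minimal. If `/usr/share/gdm` is needed for the dconf defaults that GSettings consults, say so on the line above it: `# gdm: dconf defaults consulted by gsettings (presumed; confirm)`. Note also that replacing `private` with a real-home whitelist makes `${HOME}/.local/share/glib-2.0/schemas` persistent and writable from inside the sandbox; if the game only reads compiled schemas there, `read-only ${HOME}/.local/share/glib-2.0/schemas` keeps the previous no-write property.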
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index dccd93429..77c032a53 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile | |||
@@ -51,6 +51,7 @@ tracelog | |||
51 | private-bin rhythmbox,rhythmbox-client | 51 | private-bin rhythmbox,rhythmbox-client |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc @tls-ca,@x11,python* | ||
54 | private-tmp | 55 | private-tmp |
55 | 56 | ||
56 | dbus-user filter | 57 | dbus-user filter |
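Review bot: The new `private-etc @tls-ca,@x11,python*` on line 54 gives an audio player no sound configuration: `etc_group_tls_ca` as shown in this commit is only ca-certificates, crypto-policies, pki and ssl, and the visible tail of `etc_group_x11` has no audio entries either, so `/etc/asound.conf` and `/etc/pulse` are not mounted unless the unseen head of the x11 group covers them. totem.profile in the same commit replaces a commented list that explicitly contained `asound.conf` and `pulse` with these same three groups, which makes the omission look accidental rather than deliberate. An `etc_group_sound` group exists (it is the hunk-header context in etc_groups.h), presumably spelled `@sound` by analogy with `@tls-ca`; `private-etc @sound,@tls-ca,@x11,python*` for both rhythmbox and totem would restore the audio entries, and playback should be checked on a PulseAudio or PipeWire host before merging.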
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index e21d37040..a4cb49171 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -51,7 +51,7 @@ private-bin totem | |||
51 | # totem needs access to ~/.cache/tracker or it exits | 51 | # totem needs access to ~/.cache/tracker or it exits |
52 | #private-cache | 52 | #private-cache |
53 | private-dev | 53 | private-dev |
54 | # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl | 54 | private-etc @tls-ca,@x11,python* |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | # makes settings immutable | 57 | # makes settings immutable |
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h index 0ed5d4e32..9e24256c0 100644 --- a/src/include/etc_groups.h +++ b/src/include/etc_groups.h | |||
@@ -28,6 +28,10 @@ | |||
28 | static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer | 28 | static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer |
29 | "alternatives", | 29 | "alternatives", |
30 | "fonts", | 30 | "fonts", |
31 | "gcrypt", // GNU crypto library - it contains configuration for specialized encryption | ||
32 | // and random number generators hardware. | ||
33 | // The directory is not installed in Debian. On Fedora it is an empty directory. | ||
34 | // The defaults in glibc cover the regular PC. | ||
31 | "group", | 35 | "group", |
32 | "ld.so.cache", | 36 | "ld.so.cache", |
33 | "ld.so.conf", | 37 | "ld.so.conf", |
@@ -49,7 +53,6 @@ static char *etc_group_games[] = { | |||
49 | "openal", // 3D sound | 53 | "openal", // 3D sound |
50 | "timidity", // MIDI | 54 | "timidity", // MIDI |
51 | "timidity.cfg", | 55 | "timidity.cfg", |
52 | "vulkan", // next generation OpenGL stack | ||
53 | NULL | 56 | NULL |
54 | }; | 57 | }; |
55 | 58 | ||
@@ -75,8 +78,6 @@ static char *etc_group_sound[] = { | |||
75 | static char *etc_group_tls_ca[] = { | 78 | static char *etc_group_tls_ca[] = { |
76 | "ca-certificates", | 79 | "ca-certificates", |
77 | "crypto-policies", | 80 | "crypto-policies", |
78 | "gcrypt", // GNU crypto library - contains hardware config for various encryption schemes | ||
79 | // and random number generators. The file is not installed by Debian. | ||
80 | "pki", | 81 | "pki", |
81 | "ssl", | 82 | "ssl", |
82 | NULL | 83 | NULL |
@@ -95,6 +96,7 @@ static char *etc_group_x11[] = { | |||
95 | "nvidia", // 3D | 96 | "nvidia", // 3D |
96 | "pango", // text rendering/internationalization | 97 | "pango", // text rendering/internationalization |
97 | "Trolltech.conf", // old QT config file | 98 | "Trolltech.conf", // old QT config file |
99 | "vulkan", // next generation OpenGL stack | ||
98 | "X11", | 100 | "X11", |
99 | "xdg", | 101 | "xdg", |
100 | NULL | 102 | NULL |
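Review bot: The new comment on `"gcrypt"` (new lines 31–34) says the defaults in glibc cover the regular PC, but `/etc/gcrypt` belongs to libgcrypt, the GNU crypto library named one line earlier, not the GNU C library; suggest `// The libgcrypt built-in defaults cover the regular PC.` Promoting gcrypt into the default `etc_list` is a sensible place for it since every libgcrypt user consults it, and the comment already records that the directory is absent on Debian and empty on Fedora, so the mount is a no-op on most hosts. Moving `"vulkan"` from `etc_group_games` to `etc_group_x11` silently removes `/etc/vulkan` (the ICD and layer configuration) from any profile that requests `@games` without `@x11`; the profile tree should be checked for that combination before merging, or the entry kept in both groups if any such profile exists.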
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index 9e19af83a..182e259e1 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp | |||
@@ -7,17 +7,19 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail less sysutils.sh\r" | 10 | send -- "rm -f /tmp/tt\r" |
11 | after 500 | ||
12 | |||
13 | send -- "firejail less sysutils.sh > /tmp/t\r" | ||
14 | sleep 1 | ||
15 | |||
16 | send -- "cat /tmp/t | grep Authors\r" | ||
11 | expect { | 17 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 18 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit} | ||
14 | "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit} | ||
15 | "Firejail Authors" | 19 | "Firejail Authors" |
16 | } | 20 | } |
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 2\n";exit} | ||
19 | "MALLOC_CHECK" | ||
20 | } | ||
21 | |||
22 | after 100 | 21 | after 100 |
22 | |||
23 | send -- "rm -f /tmp/t\r" | ||
24 | after 500 | ||
23 | puts "\nall done\n" | 25 | puts "\nall done\n" |
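Review bot: The cleanup on new line 10 removes `/tmp/tt`, but the file the test writes on line 13 and reads on line 16 is `/tmp/t`, so a stale `/tmp/t` left by an earlier aborted run survives and `cat /tmp/t | grep Authors` can pass against old output; the line should be `send -- "rm -f /tmp/t\r"`, as man.exp has it. Both less.exp and man.exp also use the same fixed, predictable name in the shared `/tmp`, where another local user can pre-create the path and either poison the expected output or have the redirect land somewhere else; a per-run name from `mktemp` (or a file under the test's own working directory) avoids that. Minor: `cat /tmp/t | grep Authors` can simply be `grep Authors /tmp/t`.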
diff --git a/test/sysutils/man.exp b/test/sysutils/man.exp index f4fc5aa2c..0386b2e92 100755 --- a/test/sysutils/man.exp +++ b/test/sysutils/man.exp | |||
@@ -7,12 +7,19 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail man firejail\r" | 10 | send -- "rm -f /tmp/t\r" |
11 | after 500 | ||
12 | |||
13 | send -- "firejail man firejail > /tmp/t\r" | ||
14 | sleep 1 | ||
15 | |||
16 | send -- "cat /tmp/t\r" | ||
11 | expect { | 17 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 18 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "(press RETURN)" {puts "TESTING SKIP: terminal is not fully functional - 1.1\n";exit} | ||
14 | "Press RETURN to continue" {puts "TESTING SKIP: terminal is not fully functional - 1.2\n";exit} | ||
15 | "NAME" | 19 | "NAME" |
16 | } | 20 | } |
17 | after 100 | 21 | after 100 |
22 | |||
23 | send -- "rm -f /tmp/t\r" | ||
24 | after 500 | ||
18 | puts "\nall done\n" | 25 | puts "\nall done\n" |
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 34acca07d..231f5afa8 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh | |||
@@ -47,14 +47,6 @@ else | |||
47 | echo "TESTING SKIP: gzip not found" | 47 | echo "TESTING SKIP: gzip not found" |
48 | fi | 48 | fi |
49 | 49 | ||
50 | if command -v xzdec | ||
51 | then | ||
52 | echo "TESTING: xzdec" | ||
53 | ./xzdec.exp | ||
54 | else | ||
55 | echo "TESTING SKIP: xzdec not found" | ||
56 | fi | ||
57 | |||
58 | if command -v xz | 50 | if command -v xz |
59 | then | 51 | then |
60 | echo "TESTING: xz" | 52 | echo "TESTING: xz" |
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp deleted file mode 100755 index 62cc1c225..000000000 --- a/test/sysutils/xzdec.exp +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2023 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r" | ||
11 | sleep 1 | ||
12 | |||
13 | send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r" | ||
14 | sleep 1 | ||
15 | |||
16 | send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r" | ||
17 | sleep 1 | ||
18 | |||
19 | send -- "diff -s firejail_t1 firejail_t2\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "firejail_t1 and firejail_t2 are identical" | ||
23 | } | ||
24 | |||
25 | send -- "rm firejail_t*\r" | ||
26 | sleep 1 | ||
27 | |||
28 | |||
29 | puts "\nall done\n" | ||