diff options
author | netblue30 <netblue30@protonmail.com> | 2023-01-12 12:25:38 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-01-12 12:25:38 -0500 |
commit | ac815a4e61556f4f4a58c524b8d0b697d90ceb9d (patch) | |
tree | 1ce4bf13e433a7b7f43c190832125ace1eed3f30 | |
parent | rel 0.9.72 testing: cleanup make test-private-lib (diff) | |
download | firejail-ac815a4e61556f4f4a58c524b8d0b697d90ceb9d.tar.gz firejail-ac815a4e61556f4f4a58c524b8d0b697d90ceb9d.tar.zst firejail-ac815a4e61556f4f4a58c524b8d0b697d90ceb9d.zip |
rel 0.9.72 testing: disable whitelisting /dev directory
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/fs/fs.sh | 5 | ||||
-rwxr-xr-x | test/fs/whitelist-empty.exp | 2 |
4 files changed, 7 insertions, 5 deletions
@@ -25,6 +25,7 @@ firejail (0.9.72) baseline; urgency=low | |||
25 | * modif: disabled tracelog by default in /etc/firejail/firejail.config | 25 | * modif: disabled tracelog by default in /etc/firejail/firejail.config |
26 | (#5190) | 26 | (#5190) |
27 | * modif: removed grsecurity support | 27 | * modif: removed grsecurity support |
28 | * modif: disabled whitelisting for /dev directory | ||
28 | * bugfix: Flood of seccomp audit log entries (#5207) | 29 | * bugfix: Flood of seccomp audit log entries (#5207) |
29 | * bugfix: --netlock does not work (Error: no valid sandbox) (#5312) | 30 | * bugfix: --netlock does not work (Error: no valid sandbox) (#5312) |
30 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | 31 | * build: deduplicate configure-time vars into new config files (#5140 #5284) |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 39c81312c..4320ae4fc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -3040,7 +3040,7 @@ $ firejail \-\-net=br0 --veth-name=if0 | |||
3040 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | 3040 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
3041 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | 3041 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, |
3042 | everything else is discarded when the sandbox is closed. The top directory can be | 3042 | everything else is discarded when the sandbox is closed. The top directory can be |
3043 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | 3043 | all directories in / (except /dev, /proc and /sys), /sys/module, /run/user/$UID, $HOME and |
3044 | all directories in /usr. | 3044 | all directories in /usr. |
3045 | .br | 3045 | .br |
3046 | 3046 | ||
@@ -3064,7 +3064,7 @@ Example: | |||
3064 | .br | 3064 | .br |
3065 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | 3065 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
3066 | .br | 3066 | .br |
3067 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 3067 | $ firejail \-\-whitelist=/tmp/.X11-unix |
3068 | .br | 3068 | .br |
3069 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 3069 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
3070 | .br | 3070 | .br |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 677b753fc..7c8573661 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -142,8 +142,9 @@ echo "TESTING: whitelist (test/fs/whitelist.exp)" | |||
142 | ./whitelist.exp | 142 | ./whitelist.exp |
143 | rm -fr ~/_firejail_test_* | 143 | rm -fr ~/_firejail_test_* |
144 | 144 | ||
145 | echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | 145 | # TODO: whitelist /dev broken in 0.9.72 |
146 | ./whitelist-dev.exp | 146 | #echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" |
147 | #./whitelist-dev.exp | ||
147 | 148 | ||
148 | echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)" | 149 | echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)" |
149 | ./whitelist-noexec.exp | 150 | ./whitelist-noexec.exp |
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index 18d4561d6..fc860f219 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp | |||
@@ -7,7 +7,7 @@ set timeout 30 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" | 10 | send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/opt/blablabla\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 13 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |