author | netblue30 <netblue30@protonmail.com> | 2021-12-28 18:48:13 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-28 18:48:13 +0000 |
commit | 92f438cf87234236939ed90db86162f4ae8bac76 (patch) | |
tree | 4f6f8fd560ca3c3ef978ce809d32213f1264a0c3 | |
parent | Implement a `whitelist-ro` command (diff) | |
parent | Merge pull request #4755 from kmk3/mpv-add-yt-dlp (diff) | |
Merge branch 'master' into whitelist-ro
64 files changed, 1163 insertions, 686 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..30242923d --- /dev/null +++ b/.github/dependabot.yml | |||
@@ -0,0 +1,7 @@ | |||
1 | version: 2 | ||
2 | updates: | ||
3 | - package-ecosystem: "github-actions" | ||
4 | directory: "/" | ||
5 | schedule: | ||
6 | interval: "weekly" | ||
7 | open-pull-requests-limit: 2 | ||
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index fd1f23954..b598c40e3 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -30,7 +30,7 @@ jobs: | |||
30 | build-clang: | 30 | build-clang: |
31 | runs-on: ubuntu-20.04 | 31 | runs-on: ubuntu-20.04 |
32 | steps: | 32 | steps: |
33 | - uses: actions/checkout@v2 | 33 | - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
34 | - name: configure | 34 | - name: configure |
35 | run: CC=clang-11 ./configure --enable-fatal-warnings | 35 | run: CC=clang-11 ./configure --enable-fatal-warnings |
36 | - name: make | 36 | - name: make |
@@ -38,7 +38,7 @@ jobs: | |||
38 | scan-build: | 38 | scan-build: |
39 | runs-on: ubuntu-20.04 | 39 | runs-on: ubuntu-20.04 |
40 | steps: | 40 | steps: |
41 | - uses: actions/checkout@v2 | 41 | - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
42 | - name: install clang-tools-11 | 42 | - name: install clang-tools-11 |
43 | run: sudo apt-get install clang-tools-11 | 43 | run: sudo apt-get install clang-tools-11 |
44 | - name: configure | 44 | - name: configure |
@@ -48,7 +48,7 @@ jobs: | |||
48 | cppcheck: | 48 | cppcheck: |
49 | runs-on: ubuntu-20.04 | 49 | runs-on: ubuntu-20.04 |
50 | steps: | 50 | steps: |
51 | - uses: actions/checkout@v2 | 51 | - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
52 | - name: install cppcheck | 52 | - name: install cppcheck |
53 | run: sudo apt-get install cppcheck | 53 | run: sudo apt-get install cppcheck |
54 | - name: cppcheck | 54 | - name: cppcheck |
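Review bot: The new `actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579` pins on lines 33, 41 and 51 carry no human-readable release next to the hash, so a reader cannot tell which checkout release is in use without resolving the SHA; the same applies to build.yml, profile-checks.yml and the `github/codeql-action/*` pins in codeql-analysis.yml. Pinning to a full commit SHA instead of a mutable tag is the right supply-chain choice and should stay, but add the release as a trailing comment, `- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # <release tag the SHA resolves to>`, which Dependabot (configured in this commit) keeps in step when it bumps the SHA. Before merging it is worth confirming each SHA is the commit behind a published release tag rather than a branch head.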
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 141e43168..f321b5f7f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -22,7 +22,7 @@ jobs: | |||
22 | build_and_test: | 22 | build_and_test: |
23 | runs-on: ubuntu-20.04 | 23 | runs-on: ubuntu-20.04 |
24 | steps: | 24 | steps: |
25 | - uses: actions/checkout@v2 | 25 | - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
26 | - name: install dependencies | 26 | - name: install dependencies |
27 | run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec | 27 | run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec |
28 | - name: configure | 28 | - name: configure |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4476963b5..b69bb728e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -43,11 +43,11 @@ jobs: | |||
43 | 43 | ||
44 | steps: | 44 | steps: |
45 | - name: Checkout repository | 45 | - name: Checkout repository |
46 | uses: actions/checkout@v2 | 46 | uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
47 | 47 | ||
48 | # Initializes the CodeQL tools for scanning. | 48 | # Initializes the CodeQL tools for scanning. |
49 | - name: Initialize CodeQL | 49 | - name: Initialize CodeQL |
50 | uses: github/codeql-action/init@v1 | 50 | uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5 |
51 | with: | 51 | with: |
52 | languages: ${{ matrix.language }} | 52 | languages: ${{ matrix.language }} |
53 | # If you wish to specify custom queries, you can do so here or in a config file. | 53 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -58,7 +58,7 @@ jobs: | |||
58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 58 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
59 | # If this step fails, then you should remove it and run the build manually (see below) | 59 | # If this step fails, then you should remove it and run the build manually (see below) |
60 | - name: Autobuild | 60 | - name: Autobuild |
61 | uses: github/codeql-action/autobuild@v1 | 61 | uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5 |
62 | 62 | ||
63 | # âšī¸ Command-line programs to run using the OS shell. | 63 | # âšī¸ Command-line programs to run using the OS shell. |
64 | # đ https://git.io/JvXDl | 64 | # đ https://git.io/JvXDl |
@@ -72,4 +72,4 @@ jobs: | |||
72 | # make release | 72 | # make release |
73 | 73 | ||
74 | - name: Perform CodeQL Analysis | 74 | - name: Perform CodeQL Analysis |
75 | uses: github/codeql-action/analyze@v1 | 75 | uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5 |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 951a8b8cf..57a978d55 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -20,7 +20,7 @@ jobs: | |||
20 | profile-checks: | 20 | profile-checks: |
21 | runs-on: ubuntu-20.04 | 21 | runs-on: ubuntu-20.04 |
22 | steps: | 22 | steps: |
23 | - uses: actions/checkout@v2 | 23 | - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 |
24 | - name: sort.py | 24 | - name: sort.py |
25 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 25 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile |
26 | - name: private-etc-always-required.sh | 26 | - name: private-etc-always-required.sh |
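--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,7 @@ src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
 src/jailcheck/jailcheck
+src/fnettrace/fnettrace
 uids.h
 seccomp
 seccomp.debug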
diff --git a/Makefile.in b/Makefile.in index abc86c2c3..4422cf8a9 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -28,11 +28,12 @@ all: all_items mydirs $(MAN_TARGET) filters | |||
28 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck | 28 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck |
29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids | 29 | SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids |
30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 30 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
31 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | ||
32 | SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace | ||
31 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) | 33 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
32 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 34 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
33 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | 35 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion |
34 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 | 36 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 |
35 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | ||
36 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 37 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
37 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 38 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
38 | 39 | ||
@@ -83,6 +84,7 @@ clean: | |||
83 | rm -f $(SECCOMP_FILTERS) | 84 | rm -f $(SECCOMP_FILTERS) |
84 | rm -f test/utils/index.html* | 85 | rm -f test/utils/index.html* |
85 | rm -f test/utils/wget-log | 86 | rm -f test/utils/wget-log |
87 | rm -f test/utils/firejail-test-file* | ||
86 | rm -f test/utils/lstesting | 88 | rm -f test/utils/lstesting |
87 | rm -f test/environment/index.html* | 89 | rm -f test/environment/index.html* |
88 | rm -f test/environment/wget-log* | 90 | rm -f test/environment/wget-log* |
@@ -138,8 +140,6 @@ endif | |||
138 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 140 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
139 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config | 141 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config |
140 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 142 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
141 | # program used track profile statistics during development - no manpage, this is not a user program | ||
142 | install -m 755 -t $(DESTDIR)$(sysconfdir)/firejail src/profstats/profstats | ||
143 | ifeq ($(BUSYBOX_WORKAROUND),yes) | 143 | ifeq ($(BUSYBOX_WORKAROUND),yes) |
144 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc | 144 | ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc |
145 | endif | 145 | endif |
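Review bot: The hunk at old lines 141–142 removes the only visible rule that installed `src/profstats/profstats` (into `$(DESTDIR)$(sysconfdir)/firejail`), while profstats stays in `APPS` on line 28, and nothing inside this hunk installs it elsewhere. The README change in the same commit states the tool now lives in /usr/lib/firejail, so presumably a libdir install rule outside this hunk covers it; worth confirming that rule exists, otherwise profstats is built but never installed. Moving an executable out of the configuration directory is the right direction either way, and the comment that went with the old rule could be carried over to wherever the new install happens, e.g. `# profstats: development-only profile statistics tool, installed to libdir, no manpage`.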
@@ -256,6 +256,7 @@ crass (https://github.com/crass) | |||
256 | croket (https://github.com/crocket) | 256 | croket (https://github.com/crocket) |
257 | - fix librewolf profile | 257 | - fix librewolf profile |
258 | - added profiles for imv, retroarch, and torbrowser | 258 | - added profiles for imv, retroarch, and torbrowser |
259 | - fix dino profile | ||
259 | curiosity-seeker (https://github.com/curiosity-seeker - old) | 260 | curiosity-seeker (https://github.com/curiosity-seeker - old) |
260 | curiosityseeker (https://github.com/curiosityseeker - new) | 261 | curiosityseeker (https://github.com/curiosityseeker - new) |
261 | - tightening unbound and dnscrypt-proxy profiles | 262 | - tightening unbound and dnscrypt-proxy profiles |
@@ -343,6 +344,7 @@ Felipe Barriga Richards (https://github.com/fbarriga) | |||
343 | - --private-etc fix | 344 | - --private-etc fix |
344 | fenuks (https://github.com/fenuks) | 345 | fenuks (https://github.com/fenuks) |
345 | - fix sound in games using FMOD | 346 | - fix sound in games using FMOD |
347 | - allow /opt/tor-browser for Tor Browser profile | ||
346 | Florian Begusch (https://github.com/florianbegusch) | 348 | Florian Begusch (https://github.com/florianbegusch) |
347 | - (la)tex profiles | 349 | - (la)tex profiles |
348 | - fixed transmission-common.profile | 350 | - fixed transmission-common.profile |
@@ -471,6 +473,7 @@ hlein (https://github.com/hlein) | |||
471 | - strip out \r's from jail prober | 473 | - strip out \r's from jail prober |
472 | - make env/arg sanity check failure messages more useful | 474 | - make env/arg sanity check failure messages more useful |
473 | - relocate firecfg.config to /etc/firejail/ | 475 | - relocate firecfg.config to /etc/firejail/ |
476 | - fix display profile for Gentoo distribution | ||
474 | Holger Heinz (https://github.com/hheinz) | 477 | Holger Heinz (https://github.com/hheinz) |
475 | - manpage work | 478 | - manpage work |
476 | Haowei Yu (https://github.com/sfc-gh-hyu) | 479 | Haowei Yu (https://github.com/sfc-gh-hyu) |
@@ -559,6 +562,8 @@ Jose Riha (https://github.com/jose1711) | |||
559 | - improve hints for allowing browser access to Gnome extensions connector | 562 | - improve hints for allowing browser access to Gnome extensions connector |
560 | - fix warshow, jumpnbump, tremulous, blobwars profile fixes | 563 | - fix warshow, jumpnbump, tremulous, blobwars profile fixes |
561 | - drop noinput for games with gampad/joystick support | 564 | - drop noinput for games with gampad/joystick support |
565 | - goldendict profile fix | ||
566 | - whitelist /usr/share/nextcloud to allow access to translation files | ||
562 | jrabe (https://github.com/jrabe) | 567 | jrabe (https://github.com/jrabe) |
563 | - disallow access to kdbx files | 568 | - disallow access to kdbx files |
564 | - Epiphany profile | 569 | - Epiphany profile |
@@ -879,6 +884,8 @@ Sebastian Hafner (https://github.com/DropNib) | |||
879 | Senemu (https://github.com/Senemu) | 884 | Senemu (https://github.com/Senemu) |
880 | - protection for .pythonrc.py | 885 | - protection for .pythonrc.py |
881 | - fixed evince | 886 | - fixed evince |
887 | Seonwoo Lee (https://github.com/seonwoolee) | ||
888 | - fix teams ignoring input sources e.g. microphones | ||
882 | Sergey Alirzaev (https://github.com/l29ah) | 889 | Sergey Alirzaev (https://github.com/l29ah) |
883 | - firejail.h enum fix | 890 | - firejail.h enum fix |
884 | - firefox-common-addons.inc: + tridactyl | 891 | - firefox-common-addons.inc: + tridactyl |
@@ -1098,8 +1105,14 @@ Vladislav Nepogodin (https://github.com/vnepogodin) | |||
1098 | - added Sway profile | 1105 | - added Sway profile |
1099 | - fix CLion profile | 1106 | - fix CLion profile |
1100 | - fixes for disable-programs.inc | 1107 | - fixes for disable-programs.inc |
1108 | - CachyBrowser profile | ||
1109 | Hugo Osvaldo Barrera (https://github.com/WhyNotHugo) | ||
1110 | - Skype profile tweaks | ||
1101 | xee5ch (https://github.com/xee5ch) | 1111 | xee5ch (https://github.com/xee5ch) |
1102 | - skypeforlinux profile | 1112 | - skypeforlinux profile |
1113 | York Zhao (https://github.com/YorkZ) | ||
1114 | - tor browser profile fix | ||
1115 | - allow telegram to open hyperlinks | ||
1103 | Ypnose (https://github.com/Ypnose) | 1116 | Ypnose (https://github.com/Ypnose) |
1104 | - disable-shell.inc: add mksh shell | 1117 | - disable-shell.inc: add mksh shell |
1105 | yumkam (https://github.com/yumkam) | 1118 | yumkam (https://github.com/yumkam) |
@@ -94,9 +94,49 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca | |||
94 | 94 | ||
95 | ## Installing | 95 | ## Installing |
96 | 96 | ||
97 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. | 97 | ### Debian |
98 | 98 | ||
99 | The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. | 99 | Debian stable (bullseye): We recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. |
100 | |||
101 | ### Ubuntu | ||
102 | |||
103 | For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly advised** to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). | ||
104 | |||
105 | How to add and install from the PPA: | ||
106 | |||
107 | ```sh | ||
108 | sudo add-apt-repository ppa:deki/firejail | ||
109 | sudo apt-get update | ||
110 | sudo apt-get install firejail firejail-profiles | ||
111 | ``` | ||
112 | |||
113 | Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad: | ||
114 | |||
115 | * [firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910](https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767) | ||
116 | |||
117 | See also <https://wiki.ubuntu.com/SecurityTeam/FAQ>: | ||
118 | |||
119 | > What software is supported by the Ubuntu Security team? | ||
120 | > | ||
121 | > Ubuntu is currently divided into four components: main, restricted, universe | ||
122 | > and multiverse. All binary packages in main and restricted are supported by | ||
123 | > the Ubuntu Security team for the life of an Ubuntu release, while binary | ||
124 | > packages in universe and multiverse are supported by the Ubuntu community. | ||
125 | |||
126 | Additionally, the PPA version is likely to be more recent and to contain more profile fixes. | ||
127 | |||
128 | See the following discussions for details: | ||
129 | |||
130 | * [Should I keep using the version of firejail available in my distro repos?](https://github.com/netblue30/firejail/discussions/4666) | ||
131 | * [How to install the latest version on Ubuntu and derivatives](https://github.com/netblue30/firejail/discussions/4663) | ||
132 | |||
133 | ### Other | ||
134 | |||
135 | Try installing Firejail from your distribution. | ||
136 | |||
137 | Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. | ||
138 | |||
139 | Note: The firejail 0.9.52-LTS version is deprecated. | ||
100 | 140 | ||
101 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejailâs source code from our Git repository and compile manually: | 141 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejailâs source code from our Git repository and compile manually: |
102 | 142 | ||
@@ -256,40 +296,61 @@ INTRUSION DETECTION SYSTEM (IDS) | |||
256 | as it contains running processes. | 296 | as it contains running processes. |
257 | ````` | 297 | ````` |
258 | 298 | ||
299 | ### Network Monitor | ||
300 | ````` | ||
301 | --nettrace=name|pid | ||
302 | Monitor TCP and UDP traffic coming into the sandbox specified by | ||
303 | name or pid. Only networked sandboxes created with --net are | ||
304 | supported. | ||
305 | |||
306 | $ firejail --nettrace=browser | ||
307 | 9.9.9.9:53 => 192.168.1.60 UDP: 122 B/sec | ||
308 | 72.21.91.29:80 => 192.168.1.60 TCP: 257 B/sec | ||
309 | 80.92.126.65:123 => 192.168.1.60 UDP: 25 B/sec | ||
310 | 69.30.241.50:443 => 192.168.1.60 TCP: 88 KB/sec | ||
311 | 140.82.112.4:443 => 192.168.1.60 TCP: 1861 B/sec | ||
312 | |||
313 | (14 streams in the last one minute) | ||
314 | |||
315 | ````` | ||
316 | |||
259 | ### Profile Statistics | 317 | ### Profile Statistics |
260 | 318 | ||
261 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: | 319 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
320 | Run it over the profiles in /etc/profiles: | ||
262 | ``` | 321 | ``` |
263 | $ sudo cp src/profstats/profstats /etc/firejail/. | 322 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
264 | $ cd /etc/firejail | 323 | No include .local found in /etc/firejail/noprofile.profile |
265 | $ ./profstats *.profile | 324 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
266 | profiles 1167 | 325 | |
267 | include local profile 1167 (include profile-name.local) | 326 | Stats: |
268 | include globals 1136 (include globals.local) | 327 | profiles 1176 |
269 | blacklist ~/.ssh 1042 (include disable-common.inc) | 328 | include local profile 1175 (include profile-name.local) |
270 | seccomp 1062 | 329 | include globals 1144 (include globals.local) |
271 | capabilities 1163 | 330 | blacklist ~/.ssh 1050 (include disable-common.inc) |
272 | noexec 1049 (include disable-exec.inc) | 331 | seccomp 1070 |
273 | noroot 971 | 332 | capabilities 1171 |
274 | memory-deny-write-execute 256 | 333 | noexec 1057 (include disable-exec.inc) |
275 | apparmor 693 | 334 | noroot 979 |
276 | private-bin 677 | 335 | memory-deny-write-execute 258 |
277 | private-dev 1027 | 336 | apparmor 700 |
278 | private-etc 532 | 337 | private-bin 681 |
279 | private-tmp 897 | 338 | private-dev 1033 |
280 | whitelist home directory 557 | 339 | private-etc 533 |
281 | whitelist var 836 (include whitelist-var-common.inc) | 340 | private-tmp 905 |
282 | whitelist run/user 1137 (include whitelist-runuser-common.inc | 341 | whitelist home directory 562 |
342 | whitelist var 842 (include whitelist-var-common.inc) | ||
343 | whitelist run/user 1145 (include whitelist-runuser-common.inc | ||
283 | or blacklist ${RUNUSER}) | 344 | or blacklist ${RUNUSER}) |
284 | whitelist usr/share 609 (include whitelist-usr-share-common.inc | 345 | whitelist usr/share 614 (include whitelist-usr-share-common.inc |
285 | net none 396 | 346 | net none 399 |
286 | dbus-user none 656 | 347 | dbus-user none 662 |
287 | dbus-user filter 108 | 348 | dbus-user filter 113 |
288 | dbus-system none 808 | 349 | dbus-system none 816 |
289 | dbus-system filter 10 | 350 | dbus-system filter 10 |
290 | ``` | 351 | ``` |
291 | 352 | ||
292 | ### New profiles: | 353 | ### New profiles: |
293 | 354 | ||
294 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, | 355 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, |
295 | cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser | 356 | cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser |
@@ -1,21 +1,23 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | 1 | firejail (0.9.67) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * exit code: distinguish fatal signals by adding 128 | 3 | * exit code: distinguish fatal signals by adding 128 (#4533) |
4 | * intrusion detection system (--ids-init, --ids-check) | 4 | * intrusion detection system (--ids-init, --ids-check) |
5 | * deterministic shutdown (--deterministic-exit-code, | 5 | * deterministic shutdown (--deterministic-exit-code, |
6 | --deterministic-shutdown) | 6 | --deterministic-shutdown) (#4635) |
7 | * noprinters command (#4607) | ||
8 | * network monitor (--nettrace) | ||
7 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) | 9 | * build: firecfg.config is now installed to /etc/firejail/ (#4669) |
8 | * deprecated --disable-whitelist at compile time | 10 | * removed --disable-whitelist at compile time |
9 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 11 | * removed whitelist=yes/no in /etc/firejail/firejail.config |
10 | * new condition: ALLOW_TRAY | 12 | * new condition: ALLOW_TRAY (#4510 #4599) |
11 | * remove (some) environment variables with auth-tokens | 13 | * remove (some) environment variables with auth-tokens (#4157) |
12 | * new includes: whitelist-run-common.inc, disable-X11.inc | 14 | * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462) |
13 | * removed includes: disable-passwordmgr.inc | 15 | * removed includes: disable-passwordmgr.inc (#4461) |
14 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim | 16 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
15 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl | 17 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl |
16 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake | 18 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake |
17 | * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego | 19 | * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego |
18 | * new profiles: imv, retroarch, torbrowser | 20 | * new profiles: imv, retroarch, torbrowser, CachyBrowser |
19 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 | 21 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 |
20 | 22 | ||
21 | firejail (0.9.66) baseline; urgency=low | 23 | firejail (0.9.66) baseline; urgency=low |
@@ -4271,7 +4271,7 @@ fi | |||
4271 | 4271 | ||
4272 | ac_config_files="$ac_config_files mkdeb.sh" | 4272 | ac_config_files="$ac_config_files mkdeb.sh" |
4273 | 4273 | ||
4274 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile" | 4274 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile" |
4275 | 4275 | ||
4276 | cat >confcache <<\_ACEOF | 4276 | cat >confcache <<\_ACEOF |
4277 | # This file is a shell script that caches the results of configure | 4277 | # This file is a shell script that caches the results of configure |
@@ -5006,6 +5006,7 @@ do | |||
5006 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; | 5006 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; |
5007 | "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; | 5007 | "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; |
5008 | "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;; | 5008 | "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;; |
5009 | "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;; | ||
5009 | 5010 | ||
5010 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5011 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
5011 | esac | 5012 | esac |
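--- a/configure.ac
+++ b/configure.ac
@@ -272,7 +272,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile src/fids/Makefile])
+src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile])
 AC_OUTPUT
 
 cat <<EOF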
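--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -630,3 +630,5 @@ blacklist ${RUNUSER}/inaccessible
 blacklist ${RUNUSER}/pk-debconf-socket
 blacklist ${RUNUSER}/update-notifier.pid
 
+# tor-browser
+blacklist ${HOME}/.local/opt/tor-browser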
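--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -85,6 +85,7 @@ blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/babl
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/cachy
 blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
@@ -223,6 +224,7 @@ blacklist ${HOME}/.cache/youtube-dl
 blacklist ${HOME}/.cache/youtube-viewer
 blacklist ${HOME}/.cache/yt-dlp
 blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cachy
 blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.clion*
@@ -239,6 +241,7 @@ blacklist ${HOME}/.config/Bitwarden
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/BraveSoftware
 blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/ClipGrab
 blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
@@ -635,6 +638,7 @@ blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/yt-dlp
+blacklist ${HOME}/.config/yt-dlp.conf
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zim
 blacklist ${HOME}/.config/zoomus.conf
@@ -1126,6 +1130,7 @@ blacklist ${HOME}/mps
 blacklist ${HOME}/openstego.ini
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/yt-dlp.conf
+blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*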
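--- /dev/null
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Cachy-Browser
+# Description: Librewolf fork based on enhanced privacy with gentoo patchset
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cachy-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cachy
+noblacklist ${HOME}/.cachy
+
+mkdir ${HOME}/.cache/cachy
+mkdir ${HOME}/.cachy
+whitelist ${HOME}/.cache/cachy
+whitelist ${HOME}/.cachy
+
+# Add the next lines to your cachy-browser.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
+# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,cachy-browser,sh
+# Add the next line to your cachy-browser.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc cachy-browser
+
+dbus-user filter
+dbus-user.own org.mozilla.cachybrowser.*
+# Add the next line to your cachy-browser.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your cachy-browser.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your cachy-browser.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your cachy-browser.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your cachy-browser.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile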
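Review bot: The `#ignore noroot` suggestion on line 52 invites users to drop a hardening option without stating what it costs; `noroot` is what keeps root unavailable inside the sandbox (a user namespace, as I understand firejail's option), so re-enabling it for screensharing is a real trade-off and should be labelled as one. I would extend the comment to something like `# NOTE: 'ignore noroot' removes the user-namespace root restriction; try the portal line above first and fall back to this only if screensharing still fails.` The description on line 2 also reads awkwardly and could be `# Description: LibreWolf fork focused on enhanced privacy, with the Gentoo patchset`.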
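--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -53,6 +53,9 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 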
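Review bot: The new `blacklist ${PATH}/curl` / `blacklist ${PATH}/wget` lines carry no comment on why a browser sandbox denies these downloaders, while the surrounding options all explain themselves (the `#private-tmp` and `#dbus-user none` notes on either side). A one-line reason keeps the intent from being lost, e.g. `# Deny command-line downloaders so a compromised browser process cannot fetch and stage files by name`. Note this is deny-by-name: it hides those two binaries on `${PATH}` but not renamed copies or other fetch tools, so it is hardening on top of whatever private-bin/seccomp the derived profile sets (not visible in this hunk), not a substitute. The identical pair is added to firefox-common.profile in this commit, so the two now have to be kept in sync by hand.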
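--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,10 +6,14 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/ClipGrab
 noblacklist ${HOME}/.config/Philipp Schmieder
 noblacklist ${HOME}/.pki
 noblacklist ${VIDEOS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc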
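Review bot: `include allow-python3.inc` re-enables a general-purpose interpreter inside the sandbox, and the stock comment above it does not say what ClipGrab needs it for. Presumably it is the youtube-dl/yt-dlp download backend (this commit touches yt-dlp paths elsewhere); if so, say it: `# Allow python (blacklisted by disable-interpreters.inc) - needed by the youtube-dl/yt-dlp download backend`. That gives users who do not use that backend a clear line to `ignore` in clipgrab.local.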
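--- /dev/null
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -0,0 +1,65 @@
+# Firejail profile for flatseal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.tchx84.Flatseal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/flatpak/overrides
+noblacklist /var/lib/flatpak/app
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/flatpak/overrides
+whitelist ${HOME}/.local/share/flatpak/overrides
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.tchx84.Flatseal,gjs
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.tchx84.Flatseal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.impl.portal.PermissionStore
+dbus-user.talk org.gnome.Software
+dbus-system none
+
+read-write ${HOME}/.local/share/flatpak/overrides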
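Review bot: `noblacklist /var/lib/flatpak/app` (line 9) has no matching `whitelist`, while the profile includes whitelist-var-common.inc (line 29); as I understand firejail's whitelist semantics, once any path under /var is whitelisted the rest of /var disappears, so unless that include already covers /var/lib/flatpak the noblacklist alone will not make system-wide Flatpak apps visible. Verify with `ls /var/lib/flatpak/app` inside the sandbox and add `whitelist /var/lib/flatpak/app` if it is empty. Separately, `dbus-user.talk org.freedesktop.impl.portal.PermissionStore` is the backend interface behind the portals, which lets the caller change portal permissions for other apps; that is Flatseal's job, but it deserves a comment such as `# PermissionStore access lets Flatseal edit other apps' portal permissions`. The trailing `read-write` line is the only writable path and could say so.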
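--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -32,7 +32,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none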
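Review bot: `netlink` is added to the `protocol` line without a comment on why an XMPP client now needs netlink sockets, in a profile that otherwise keeps the socket and syscall surface tight (`seccomp` and `seccomp.block-secondary` on the next lines). Presumably it is interface/route enumeration by the audio/video call stack; if that is confirmed, record it, e.g. `# netlink: needed for network interface enumeration by the call (ICE) stack`. Widening `protocol` applies to every user of the profile, so a stated reason is what makes later tightening possible.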
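--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -9,6 +9,9 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 mkdir ${HOME}/.elinks
 whitelist ${HOME}/.elinks
 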
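Review bot: `include allow-lua.inc` lets a Lua interpreter back into the sandbox of a program that renders untrusted web content, and the stock comment does not say whether elinks needs it unconditionally or only when built with Lua scripting. If it is build-dependent, tell users how to opt out, e.g. `# Allow lua (blacklisted by disable-interpreters.inc) - only needed if elinks was built with Lua scripting; add 'ignore include allow-lua.inc' to elinks.local otherwise`.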
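--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -59,6 +59,9 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none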
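Review bot: The new `blacklist ${PATH}/curl` / `blacklist ${PATH}/wget` pair sits between `private-tmp` and the dbus section with no rationale, in a file where even the disabled options explain themselves (`#private-etc` above, the `dbus-user none` comment below). Add a why-line such as `# Deny command-line downloaders; a compromised browser process should not be able to fetch and stage files by name`. Because it is name-based it only hides those two binaries on `${PATH}` and does not stop renamed copies or other tools, so it complements the private-bin list that derived profiles suggest rather than replacing it. chromium-common.profile receives the identical lines in this commit; a shared include would keep the two from drifting apart.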
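--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -8,6 +8,9 @@ include globals.local
 
 blacklist ${RUNUSER}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc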
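--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -26,7 +26,11 @@ include globals.local
 
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -46,16 +50,19 @@ include disable-shell.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/yt-dlp
+whitelist ${HOME}/.config/yt-dlp.conf
 whitelist ${HOME}/.netrc
-include whitelist-common.inc
-include whitelist-player-common.inc
+whitelist ${HOME}/yt-dlp.conf
+whitelist ${HOME}/yt-dlp.conf.txt
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
+include whitelist-common.inc
+include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 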
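Review bot: Hunk 2 drops `mkdir ${HOME}/.config/youtube-dl` but keeps `whitelist ${HOME}/.config/youtube-dl`, and the four new yt-dlp entries likewise get a whitelist with no mkdir; if I recall firejail's semantics, a whitelist whose target is missing is skipped, so these config paths are now visible only when the user already created them, unlike `${HOME}/.config/mpv`, which line 52 creates. That asymmetry is defensible but should be written down so the next reader does not "fix" it: `# youtube-dl/yt-dlp configs are exposed only if they already exist (no mkdir on purpose)`. Note also that `${HOME}/.netrc` (context, lines 53 and 58) holds plaintext credentials for every host listed in it and is now reachable by the yt-dlp hook as well; a one-line warning next to it would help users decide whether to keep those lines.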
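--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -29,6 +29,7 @@ mkdir ${HOME}/.local/share/Nextcloud
 whitelist ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
+whitelist /usr/share/nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}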
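--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -14,8 +14,8 @@ ignore include whitelist-var-common.inc
 ignore nou2f
 ignore novideo
 ignore private-dev
+
 ignore dbus-user none
-ignore dbus-system none
 
 # breaks Skype
 ignore apparmor
@@ -23,7 +23,16 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/skypeforlinux
 
+mkdir ${HOME}/.config/skypeforlinux
+whitelist ${HOME}/.config/skypeforlinux
+
 # private-dev - needs /dev/disk
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+# Note: Skype will log out the current session on start-up without this:
+dbus-user.talk org.kde.StatusNotifierWatcher
+
 # Redirect
 include electron.profile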
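Review bot: `dbus-user.talk org.freedesktop.secrets` grants Skype the Secret Service API, which exposes every collection the keyring daemon has unlocked, not only Skype's own entries; that is inherent to the API but belongs next to the line, e.g. `# org.freedesktop.secrets exposes the whole unlocked keyring, not just Skype's items`. Otherwise the move from `ignore dbus-user none` / `ignore dbus-system none` to a `dbus-user filter` list is a clear tightening, with the system bus now inheriting whatever electron.profile sets (outside this hunk). The StatusNotifierWatcher line already states its reason; the Notifications line could get the same treatment for consistency.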
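--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -11,6 +11,8 @@ ignore include disable-xdg.inc
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
+ignore noinput
+
 ignore dbus-user none
 ignore dbus-system none
 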
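Review bot: `ignore noinput` re-exposes /dev/input to the sandbox without a comment explaining what Teams needs from raw input devices; the event nodes there let a process read keyboard and mouse events if it has permission on them (normally via the `input` group, so the practical exposure depends on the user's group membership). A reason should accompany the widening, e.g. `# ignore noinput - needed for <feature>; re-exposes /dev/input` with the feature filled in, or the line dropped if a narrower option covers the need.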
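--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -13,6 +13,8 @@ ignore include whitelist-usr-share-common.inc
 ignore novideo
 ignore private-tmp
 
+ignore novideo
+
 # see #3404
 ignore apparmor
 ignore dbus-user none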
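Review bot: The added `ignore novideo` (new line 16) duplicates the existing `ignore novideo` three lines above it (line 13, context in this hunk), so the change has no effect and leaves a redundant directive. Either a different option was intended (teams-for-linux.profile in the same commit adds `ignore noinput` at the equivalent spot) or the addition should be dropped; as written it is dead text that will confuse the next edit.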
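--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.TelegramDesktop
 noblacklist ${HOME}/.local/share/TelegramDesktop
 
+# Allow opening hyperlinks
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ seccomp.block-secondary
 shell none
 
 disable-mnt
-private-bin telegram,Telegram,telegram-desktop
+private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg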
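Review bot: Adding `bash,sh` and `xdg-open` to `private-bin` (new line 47) together with `include allow-bin-sh.inc` puts a shell inside the sandbox of a chat client that receives untrusted links and files, and the only explanation is `# Allow opening hyperlinks`. Write the trade-off down next to it, e.g. `# bash/sh are needed because xdg-open is a shell script; they also give a compromised process a shell inside the sandbox`. As far as I can tell xdg-open runs inside the sandbox and can only start handlers reachable from private-bin, so link opening may still fail for a browser that is not listed there; a note telling users to add their browser to telegram.local (or to use a portal-based opener) would save a round trip.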
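--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -7,9 +7,12 @@ include tor-browser.local
 #include globals.local
 
 noblacklist ${HOME}/.tor-browser
+noblacklist ${HOME}/.local/opt/tor-browser
 
 mkdir ${HOME}/.tor-browser
 whitelist ${HOME}/.tor-browser
+mkdir ${HOME}/.local/opt/tor-browser
+whitelist ${HOME}/.local/opt/tor-browser
 
 # Redirect
 include torbrowser-launcher.profile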
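Review bot: The new `mkdir ${HOME}/.local/opt/tor-browser` runs on every start next to the existing `mkdir ${HOME}/.tor-browser`, so users with either install layout now get an empty directory created for the other one in their home. If that is acceptable it deserves a comment (`# both install layouts are created so either can be whitelisted`); otherwise drop the mkdir and keep only the whitelist, which applies when the directory exists. Both locations are whitelisted read-write, which the browser's self-updater needs but also lets the sandboxed browser rewrite its own binaries.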
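--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.local/share/torbrowser
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /opt
 blacklist /srv
 
 include disable-common.inc
@@ -30,6 +29,7 @@ mkdir ${HOME}/.local/share/torbrowser
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
+whitelist /opt/tor-browser
 whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc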
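Review bot: Removing `blacklist /opt` (hunk 1) and relying on `whitelist /opt/tor-browser` (hunk 2) only hides the rest of /opt when that path exists; as I read firejail's whitelist handling, an entry whose target is missing is dropped, so on a system without /opt/tor-browser the launcher now sees all of /opt where it previously saw nothing. Verify with `ls /opt` inside the sandbox on such a system; if it is exposed, the profile needs a guard or at least a comment. The whitelist is also read-write, so for a user-owned /opt/tor-browser the sandboxed launcher can modify the browser install; `read-only /opt/tor-browser` would cover that case, while a root-owned install is already protected by file permissions.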
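--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -10,7 +10,9 @@ include yt-dlp.local
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
+noblacklist ${HOME}/yt-dlp.conf.txt
 
 private-bin ffprobe,yt-dlp
 private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf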
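Review bot: The added noblacklist lines cover `~/.config/yt-dlp.conf`, `~/yt-dlp.conf` and `~/yt-dlp.conf.txt`, but if I remember yt-dlp's documented search order it also reads `~/.yt-dlp/config` and `~/.yt-dlp/config.txt`, which appear neither here nor in the mpv profile updated in this commit. Check the yt-dlp README and, if so, add `noblacklist ${HOME}/.yt-dlp` (with the matching whitelist in mpv.profile). Since a yt-dlp config can, as far as I know, carry `--exec`-style options, every config location the profile exposes is also one an attacker with write access could use to run commands inside the sandbox; the `private-bin ffprobe,yt-dlp` line (context, line 17) is what bounds that.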
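--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -168,9 +168,9 @@ void fix_desktop_files(char *homedir) {
 
 		char *filename = entry->d_name;
 
-		// skip links
-		if (is_link(filename))
-			continue;
+		// skip links - Discord on Arch #4235 seems to be a symlink to /opt directory
+		// if (is_link(filename))
+		//	continue;
 
 		// no profile in /etc/firejail, no desktop file fixing
 		if (!have_profile(filename, homedir))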
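Review bot: Commenting out the `is_link` guard removes the only check that kept fix_desktop_files from following symlinked .desktop entries, and leaves dead code behind; if the Arch Discord case (#4235) needs symlinks processed, replace the guard with a check that the link resolves to a regular file instead of deleting it, e.g. `struct stat st; if (stat(filename, &st) != 0 || !S_ISREG(st.st_mode)) continue;` (stat follows the link, unlike lstat). Whether following an arbitrary symlink matters depends on the privileges this code runs with, which are not visible here and are worth confirming, since a user-controlled link could point the loop at any readable file. Either way, delete the commented-out lines rather than keeping them. fix_desktop_files begins and ends outside the hunk.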
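--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -109,6 +109,7 @@ brave-browser-stable
 # bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 bzflag
 # bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+cachy-browser
 calibre
 calligra
 calligraauthor
@@ -157,6 +158,7 @@ com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.github.phase1geo.minder
+com.github.tchx84.Flatseal
 com.gitlab.newsflash
 conkeror
 conky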
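--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -506,7 +506,8 @@ void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
 long long unsigned parse_arg_size(char *str);
-void drop_privs(int nogroups);
+int check_can_drop_all_groups();
+void drop_privs(int force_nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
 void logsignal(int s);
@@ -657,6 +658,8 @@ void set_cgroup(const char *fname, pid_t pid);
 void check_output(int argc, char **argv);
 
 // netfilter.c
+void netfilter_netlock(pid_t pid);
+void netfilter_trace(pid_t pid);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);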
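Review bot: `int check_can_drop_all_groups();` (new line 509) declares a function with an unspecified parameter list, so a call with stray arguments compiles silently, while every other prototype in this header spells out its parameters. Change it to `int check_can_drop_all_groups(void);`. The renamed `drop_privs(int force_nogroups)` parameter reads as a boolean; a one-line comment on what "force" means relative to the `nogroups` it replaced would help, since the definition is outside this hunk.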
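--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) {
 void fs_check_private_cwd(const char *dir) {
 	EUID_ASSERT();
 	invalid_filename(dir, 0); // no globbing
+	if (strcmp(dir, ".") == 0 || *dir != '/')
+		goto errout;
 
 	// Expand the working directory
 	cfg.cwd = expand_macros(dir);
 
 	// realpath/is_dir not used because path may not exist outside of jail
-	if (strstr(cfg.cwd, "..")) {
-		fprintf(stderr, "Error: invalid private working directory\n");
-		exit(1);
-	}
+	if (strstr(cfg.cwd, ".."))
+		goto errout;
+
+	return;
+errout:
+	fprintf(stderr, "Error: invalid private working directory\n");
+	exit(1);
 }
 
 //***********************************************************************************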
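Review bot: The new `*dir != '/'` test (new line 459) runs on the raw argument before `expand_macros(dir)` on line 463, so a macro form such as `${HOME}` is rejected outright even though the expansion step implies such input was meant to be accepted; if macros are supported for private-cwd, move the absolute-path check to the expanded value, e.g. `if (*cfg.cwd != '/' || strstr(cfg.cwd, "..")) goto errout;`. The `strcmp(dir, ".") == 0` half is redundant either way, since "." does not start with '/'. Note also that `strstr(cfg.cwd, "..")` rejects any name containing two consecutive dots (`/home/u/a..b`), not just a `..` path component; matching `/../` and a trailing `/..` would be exact. The goto-based error path itself is fine.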
diff --git a/src/firejail/main.c b/src/firejail/main.c index 59e88bdc6..3b12f7ca1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -408,6 +408,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
408 | } | 408 | } |
409 | #endif | 409 | #endif |
410 | #ifdef HAVE_NETWORK | 410 | #ifdef HAVE_NETWORK |
411 | else if (strncmp(argv[i], "--nettrace=", 11) == 0) { | ||
412 | pid_t pid = require_pid(argv[i] + 11); | ||
413 | netfilter_trace(pid); | ||
414 | } | ||
411 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { | 415 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { |
412 | if (checkcfg(CFG_NETWORK)) { | 416 | if (checkcfg(CFG_NETWORK)) { |
413 | logargs(argc, argv); | 417 | logargs(argc, argv); |
@@ -990,8 +994,10 @@ int main(int argc, char **argv, char **envp) { | |||
990 | int option_cgroup = 0; | 994 | int option_cgroup = 0; |
991 | int custom_profile = 0; // custom profile loaded | 995 | int custom_profile = 0; // custom profile loaded |
992 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 996 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
997 | int arg_netlock = 0; | ||
993 | char **ptr; | 998 | char **ptr; |
994 | 999 | ||
1000 | |||
995 | // sanitize the umask | 1001 | // sanitize the umask |
996 | orig_umask = umask(022); | 1002 | orig_umask = umask(022); |
997 | 1003 | ||
@@ -1013,10 +1019,10 @@ int main(int argc, char **argv, char **envp) { | |||
1013 | 1019 | ||
1014 | // sanity check for arguments | 1020 | // sanity check for arguments |
1015 | for (i = 0; i < argc; i++) { | 1021 | for (i = 0; i < argc; i++) { |
1016 | if (*argv[i] == 0) { | 1022 | // if (*argv[i] == 0) { // see #4395 - bug reported by Debian |
1017 | fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i); | 1023 | // fprintf(stderr, "Error: too short arguments: argv[%d] is empty\n", i); |
1018 | exit(1); | 1024 | // exit(1); |
1019 | } | 1025 | // } |
1020 | if (strlen(argv[i]) >= MAX_ARG_LEN) { | 1026 | if (strlen(argv[i]) >= MAX_ARG_LEN) { |
1021 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); | 1027 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); |
1022 | exit(1); | 1028 | exit(1); |
@@ -1574,7 +1580,6 @@ int main(int argc, char **argv, char **envp) { | |||
1574 | profile_add(line); | 1580 | profile_add(line); |
1575 | } | 1581 | } |
1576 | 1582 | ||
1577 | // blacklist/deny | ||
1578 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { | 1583 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { |
1579 | char *line; | 1584 | char *line; |
1580 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) | 1585 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) |
@@ -1583,14 +1588,6 @@ int main(int argc, char **argv, char **envp) { | |||
1583 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1588 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1584 | profile_add(line); | 1589 | profile_add(line); |
1585 | } | 1590 | } |
1586 | else if (strncmp(argv[i], "--deny=", 7) == 0) { | ||
1587 | char *line; | ||
1588 | if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1) | ||
1589 | errExit("asprintf"); | ||
1590 | |||
1591 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1592 | profile_add(line); | ||
1593 | } | ||
1594 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { | 1591 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { |
1595 | char *line; | 1592 | char *line; |
1596 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) | 1593 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) |
@@ -1599,16 +1596,6 @@ int main(int argc, char **argv, char **envp) { | |||
1599 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1596 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1600 | profile_add(line); | 1597 | profile_add(line); |
1601 | } | 1598 | } |
1602 | else if (strncmp(argv[i], "--nodeny=", 9) == 0) { | ||
1603 | char *line; | ||
1604 | if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1) | ||
1605 | errExit("asprintf"); | ||
1606 | |||
1607 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1608 | profile_add(line); | ||
1609 | } | ||
1610 | |||
1611 | // whitelist | ||
1612 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1599 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1613 | char *line; | 1600 | char *line; |
1614 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1601 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
@@ -1617,14 +1604,6 @@ int main(int argc, char **argv, char **envp) { | |||
1617 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1604 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1618 | profile_add(line); | 1605 | profile_add(line); |
1619 | } | 1606 | } |
1620 | else if (strncmp(argv[i], "--allow=", 8) == 0) { | ||
1621 | char *line; | ||
1622 | if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) | ||
1623 | errExit("asprintf"); | ||
1624 | |||
1625 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1626 | profile_add(line); | ||
1627 | } | ||
1628 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { | 1607 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { |
1629 | char *line; | 1608 | char *line; |
1630 | if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1) | 1609 | if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1) |
@@ -1633,15 +1612,6 @@ int main(int argc, char **argv, char **envp) { | |||
1633 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1612 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1634 | profile_add(line); | 1613 | profile_add(line); |
1635 | } | 1614 | } |
1636 | else if (strncmp(argv[i], "--noallow=", 10) == 0) { | ||
1637 | char *line; | ||
1638 | if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1) | ||
1639 | errExit("asprintf"); | ||
1640 | |||
1641 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1642 | profile_add(line); | ||
1643 | } | ||
1644 | |||
1645 | 1615 | ||
1646 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | 1616 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { |
1647 | char *line; | 1617 | char *line; |
@@ -2324,6 +2294,12 @@ int main(int argc, char **argv, char **envp) { | |||
2324 | //************************************* | 2294 | //************************************* |
2325 | // network | 2295 | // network |
2326 | //************************************* | 2296 | //************************************* |
2297 | else if (strcmp(argv[i], "--netlock") == 0) | ||
2298 | arg_netlock = 1; | ||
2299 | else if (strncmp(argv[i], "--netlock=", 10) == 0) { | ||
2300 | pid_t pid = require_pid(argv[i] + 10); | ||
2301 | netfilter_netlock(pid); | ||
2302 | } | ||
2327 | else if (strcmp(argv[i], "--net=none") == 0) { | 2303 | else if (strcmp(argv[i], "--net=none") == 0) { |
2328 | arg_nonetwork = 1; | 2304 | arg_nonetwork = 1; |
2329 | cfg.bridge0.configured = 0; | 2305 | cfg.bridge0.configured = 0; |
@@ -2642,7 +2618,7 @@ int main(int argc, char **argv, char **envp) { | |||
2642 | else if (cfg.dns4 == NULL) | 2618 | else if (cfg.dns4 == NULL) |
2643 | cfg.dns4 = dns; | 2619 | cfg.dns4 = dns; |
2644 | else { | 2620 | else { |
2645 | fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns); | 2621 | fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns); |
2646 | free(dns); | 2622 | free(dns); |
2647 | } | 2623 | } |
2648 | } | 2624 | } |
@@ -3155,62 +3131,64 @@ int main(int argc, char **argv, char **envp) { | |||
3155 | ptr += strlen(ptr); | 3131 | ptr += strlen(ptr); |
3156 | 3132 | ||
3157 | gid_t g; | 3133 | gid_t g; |
3158 | // add audio group | 3134 | if (!arg_nogroups || !check_can_drop_all_groups()) { |
3159 | if (!arg_nosound) { | 3135 | // add audio group |
3160 | g = get_group_id("audio"); | 3136 | if (!arg_nosound) { |
3161 | if (g) { | 3137 | g = get_group_id("audio"); |
3162 | sprintf(ptr, "%d %d 1\n", g, g); | 3138 | if (g) { |
3163 | ptr += strlen(ptr); | 3139 | sprintf(ptr, "%d %d 1\n", g, g); |
3140 | ptr += strlen(ptr); | ||
3141 | } | ||
3164 | } | 3142 | } |
3165 | } | ||
3166 | 3143 | ||
3167 | // add video group | 3144 | // add video group |
3168 | if (!arg_novideo) { | 3145 | if (!arg_novideo) { |
3169 | g = get_group_id("video"); | 3146 | g = get_group_id("video"); |
3170 | if (g) { | 3147 | if (g) { |
3171 | sprintf(ptr, "%d %d 1\n", g, g); | 3148 | sprintf(ptr, "%d %d 1\n", g, g); |
3172 | ptr += strlen(ptr); | 3149 | ptr += strlen(ptr); |
3150 | } | ||
3173 | } | 3151 | } |
3174 | } | ||
3175 | 3152 | ||
3176 | // add render group | 3153 | // add render group |
3177 | if (!arg_no3d) { | 3154 | if (!arg_no3d) { |
3178 | g = get_group_id("render"); | 3155 | g = get_group_id("render"); |
3179 | if (g) { | 3156 | if (g) { |
3180 | sprintf(ptr, "%d %d 1\n", g, g); | 3157 | sprintf(ptr, "%d %d 1\n", g, g); |
3181 | ptr += strlen(ptr); | 3158 | ptr += strlen(ptr); |
3159 | } | ||
3182 | } | 3160 | } |
3183 | } | ||
3184 | 3161 | ||
3185 | // add lp group | 3162 | // add lp group |
3186 | if (!arg_noprinters) { | 3163 | if (!arg_noprinters) { |
3187 | g = get_group_id("lp"); | 3164 | g = get_group_id("lp"); |
3188 | if (g) { | 3165 | if (g) { |
3189 | sprintf(ptr, "%d %d 1\n", g, g); | 3166 | sprintf(ptr, "%d %d 1\n", g, g); |
3190 | ptr += strlen(ptr); | 3167 | ptr += strlen(ptr); |
3168 | } | ||
3191 | } | 3169 | } |
3192 | } | ||
3193 | 3170 | ||
3194 | // add cdrom/optical groups | 3171 | // add cdrom/optical groups |
3195 | if (!arg_nodvd) { | 3172 | if (!arg_nodvd) { |
3196 | g = get_group_id("cdrom"); | 3173 | g = get_group_id("cdrom"); |
3197 | if (g) { | 3174 | if (g) { |
3198 | sprintf(ptr, "%d %d 1\n", g, g); | 3175 | sprintf(ptr, "%d %d 1\n", g, g); |
3199 | ptr += strlen(ptr); | 3176 | ptr += strlen(ptr); |
3200 | } | 3177 | } |
3201 | g = get_group_id("optical"); | 3178 | g = get_group_id("optical"); |
3202 | if (g) { | 3179 | if (g) { |
3203 | sprintf(ptr, "%d %d 1\n", g, g); | 3180 | sprintf(ptr, "%d %d 1\n", g, g); |
3204 | ptr += strlen(ptr); | 3181 | ptr += strlen(ptr); |
3182 | } | ||
3205 | } | 3183 | } |
3206 | } | ||
3207 | 3184 | ||
3208 | // add input group | 3185 | // add input group |
3209 | if (!arg_noinput) { | 3186 | if (!arg_noinput) { |
3210 | g = get_group_id("input"); | 3187 | g = get_group_id("input"); |
3211 | if (g) { | 3188 | if (g) { |
3212 | sprintf(ptr, "%d %d 1\n", g, g); | 3189 | sprintf(ptr, "%d %d 1\n", g, g); |
3213 | ptr += strlen(ptr); | 3190 | ptr += strlen(ptr); |
3191 | } | ||
3214 | } | 3192 | } |
3215 | } | 3193 | } |
3216 | 3194 | ||
@@ -3254,6 +3232,16 @@ int main(int argc, char **argv, char **envp) { | |||
3254 | } | 3232 | } |
3255 | EUID_USER(); | 3233 | EUID_USER(); |
3256 | 3234 | ||
3235 | // lock netfilter firewall | ||
3236 | if (arg_netlock) { | ||
3237 | char *cmd; | ||
3238 | if (asprintf(&cmd, "firejail --netlock=%d&", getpid()) == -1) | ||
3239 | errExit("asprintf"); | ||
3240 | int rv = system(cmd); | ||
3241 | (void) rv; | ||
3242 | free(cmd); | ||
3243 | } | ||
3244 | |||
3257 | int status = 0; | 3245 | int status = 0; |
3258 | //***************************** | 3246 | //***************************** |
3259 | // following code is signal-safe | 3247 | // following code is signal-safe |
@@ -3271,26 +3259,6 @@ int main(int argc, char **argv, char **envp) { | |||
3271 | // end of signal-safe code | 3259 | // end of signal-safe code |
3272 | //***************************** | 3260 | //***************************** |
3273 | 3261 | ||
3274 | #if 0 | ||
3275 | // at this point the sandbox was closed and we are on our way out | ||
3276 | // it would make sense to move this before waitpid above to free some memory | ||
3277 | // crash for now as of issue #3662 from dhcp code | ||
3278 | // free globals | ||
3279 | if (cfg.profile) { | ||
3280 | ProfileEntry *prf = cfg.profile; | ||
3281 | while (prf != NULL) { | ||
3282 | ProfileEntry *next = prf->next; | ||
3283 | printf("data #%s#\n", prf->data); | ||
3284 | if (prf->data) | ||
3285 | free(prf->data); | ||
3286 | printf("link #%s#\n", prf->link); | ||
3287 | if (prf->link) | ||
3288 | free(prf->link); | ||
3289 | free(prf); | ||
3290 | prf = next; | ||
3291 | } | ||
3292 | } | ||
3293 | #endif | ||
3294 | 3262 | ||
3295 | 3263 | ||
3296 | if (WIFEXITED(status)){ | 3264 | if (WIFEXITED(status)){ |
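--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,6 +24,91 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
+void netfilter_netlock(pid_t pid) {
+EUID_ASSERT();
+
+// give the sandbox a chance to start up before entering the network namespace
+sleep(1);
+enter_network_namespace(pid);
+
+char *flog;
+if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1)
+errExit("asprintf");
+FILE *fp = fopen(flog, "w");
+if (!fp)
+errExit("fopen");
+fclose(fp);
+
+// try to find a X terminal
+char *terminal = NULL;
+if (access("/usr/bin/lxterminal", X_OK) == 0)
+terminal = "/usr/bin/lxterminal";
+else if (access("/usr/bin/xterm", X_OK) == 0)
+terminal = "/usr/bin/xterm";
+else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
+terminal = "/usr/bin/xfce4-terminal";
+else if (access("/usr/bin/konsole", X_OK) == 0)
+terminal = "/usr/bin/konsole";
+// problem: newer gnome-terminal versions don't support -e command line option???
+// else if (access("/usr/bin/gnome-terminal", X_OK) == 0)
+// terminal = "/usr/bin/gnome-terminal";
+
+if (terminal) {
+pid_t p = fork();
+if (p == -1)
+; // run without terminal logger
+else if (p == 0) { // child
+drop_privs(0);
+
+char *cmd;
+if (asprintf(&cmd, "%s -e \"tail -f %s\"", terminal, flog) == -1)
+errExit("asprintf");
+int rv = system(cmd);
+(void) rv;
+exit(0);
+}
+}
+
+char *cmd;
+if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+errExit("asprintf");
+free(flog);
+
+//************************
+// build command
+//************************
+char *arg[4];
+arg[0] = "/bin/sh";
+arg[1] = "-c";
+arg[2] = cmd;
+arg[3] = NULL;
+clearenv();
+sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+// it will never get here!!
+}
+
+void netfilter_trace(pid_t pid) {
+EUID_ASSERT();
+
+enter_network_namespace(pid);
+char *cmd;
+if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
+errExit("asprintf");
+
+//************************
+// build command
+//************************
+char *arg[4];
+arg[0] = "/bin/sh";
+arg[1] = "-c";
+arg[2] = cmd;
+arg[3] = NULL;
+
+clearenv();
+sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+// it will never get here!!
+}
+
 void check_netfilter_file(const char *fname) {
 EUID_ASSERT();
 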
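Review bot: Both netfilter_netlock() and netfilter_trace() hand fnettrace to sbox_exec_v() as `/bin/sh -c "<cmd>"` even though an argv vector is already being built, so a root sandbox holding network capabilities starts a shell it does not need; if sbox_exec_v() executes arg[0] directly (worth confirming against sbox.c), passing the binary path and its options as separate argv entries removes both the shell and the string-assembled command line — the netlock variant is below, and netfilter_trace() then needs only `arg[0] = cmd; arg[1] = NULL;` with `cmd` holding just the fnettrace path. The same applies to `system(cmd)` in the forked terminal child, where `terminal`, `-e` and the tail command could go straight into an execv() argv. The fork() failure branch `if (p == -1) ;` is silent; an `fwarning("cannot start terminal logger\n")` there would explain a missing log window. The fixed `sleep(1)` before enter_network_namespace() is a timing assumption rather than a synchronisation, and a comment on what happens when the sandbox's namespace is not ready yet would help, since that behaviour is not visible here.
```c
char *logopt;
if (asprintf(&logopt, "--log=%s", flog) == -1)
	errExit("asprintf");
char *fnettrace;
if (asprintf(&fnettrace, "%s/firejail/fnettrace", LIBDIR) == -1)
	errExit("asprintf");
free(flog);

//************************
// build command
//************************
char *arg[4];
arg[0] = fnettrace;
arg[1] = "--netfilter";
arg[2] = logopt;
arg[3] = NULL;
clearenv();
sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
// it will never get here!!
```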
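--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1106,7 +1106,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (cfg.dns4 == NULL)
 cfg.dns4 = dns;
 else {
-fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+fwarning("up to 4 DNS servers can be specified, %s ignored\n", dns);
 free(dns);
 }
 return 0;
@@ -1752,44 +1752,7 @@ void profile_read(const char *fname) {
 continue;
 }
 
-// translate allow/deny to whitelist/blacklist
-if (strncmp(ptr, "allow ", 6) == 0) {
-char *tmp;
-if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny ", 5) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-// translate noallow/nodeny to nowhitelist/noblacklist
-else if (strncmp(ptr, "noallow ", 8) == 0) {
-char *tmp;
-if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "nodeny ", 7) == 0) {
-char *tmp;
-if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
+if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
 char *whitelist, *readonly;
 if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1)
 errExit("asprintf");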
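--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) {
 EUID_USER();
 int cwd = 0;
 if (cfg.cwd) {
+if (is_link(cfg.cwd)) {
+fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
+exit(1);
+}
+
 if (chdir(cfg.cwd) == 0)
 cwd = 1;
 else if (arg_private_cwd) {
@@ -1225,7 +1230,7 @@ int sandbox(void* sandbox_arg) {
 //****************************************
 // drop privileges
 //****************************************
-drop_privs(arg_nogroups);
+drop_privs(0);
 
 // kill the sandbox in case the parent died
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);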
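Review bot: The new `is_link(cfg.cwd)` test and the `chdir(cfg.cwd)` that follows are two separate path lookups, so a symlink placed at cfg.cwd between them is still followed (a check-then-use window); opening the directory with O_NOFOLLOW and using fchdir() makes the rejection and the directory change a single lookup of the final component, which is also all is_link() can cover if it is an lstat() as its name suggests. The sandbox() body and the `else if (arg_private_cwd)` branch continue outside the hunk, so the rewrite below stops where that branch begins. It keeps the existing message by treating ELOOP from the open as the symlink case; `<fcntl.h>` and `<errno.h>` must be in scope if they are not already.
```c
if (cfg.cwd) {
	// O_NOFOLLOW rejects a symlink in the same lookup that enters the directory,
	// closing the window between a separate is_link() test and chdir()
	int dirfd = open(cfg.cwd, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (dirfd == -1 && errno == ELOOP) {
		fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd);
		exit(1);
	}
	if (dirfd != -1) {
		if (fchdir(dirfd) == 0)
			cwd = 1;
		close(dirfd);
	}
	if (!cwd && arg_private_cwd) {
	// … unchanged: private-cwd error handling …
```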
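--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -150,6 +150,7 @@ static char *usage_str =
 "\tparent interfaces.\n"
 " --netns=name - Run the program in a named, persistent network namespace.\n"
 " --netstats - monitor network statistics.\n"
+" --nettrace - monitor TCP and UDP traffic coming into the sandbox.\n"
 #endif
 " --nice=value - set nice value.\n"
 " --no3d - disable 3D hardware acceleration.\n"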
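Review bot: usage_str gains `--nettrace` but not `--netlock`, which the same commit adds to main.c's option parser in both forms (`--netlock` and `--netlock=pid`), so `firejail --help` will not list the new option; a line next to the new one, such as `" --netlock - lock the sandbox's network to the traffic seen during a tracing window.\n"`, would close that gap (wording to match the man page entry, which is outside this view). Whether `--netlock` belongs inside the same `#ifdef` as `--nettrace` depends on the guard around main.c's network section, which the hunk does not show.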
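--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -103,6 +103,41 @@ void errLogExit(char* fmt, ...) {
 exit(1);
 }
 
+// Returns whether all supplementary groups can be safely dropped
+int check_can_drop_all_groups() {
+static int can_drop_all_groups = -1;
+
+// Avoid needlessly checking (and printing) things twice
+if (can_drop_all_groups != -1)
+goto out;
+
+// nvidia cards require video group; ignore nogroups
+if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+fwarning("NVIDIA card detected, nogroups command ignored\n");
+can_drop_all_groups = 0;
+goto out;
+}
+
+/* When we are not sure that the system has working seat-based ACLs
+* (e.g.: probably yes on (e)udev + (e)logind, probably not on eudev +
+* seatd), supplementary groups (e.g.: audio and input) might be needed
+* to avoid breakage (e.g.: audio or gamepads not working). See #4600
+* and #4603.
+*/
+if (access("/run/systemd/seats/", F_OK) != 0) {
+fwarning("logind not detected, nogroups command ignored\n");
+can_drop_all_groups = 0;
+goto out;
+}
+
+if (arg_debug)
+fprintf(stderr, "nogroups command not ignored\n");
+can_drop_all_groups = 1;
+
+out:
+return can_drop_all_groups;
+}
+
 static int find_group(gid_t group, const gid_t *groups, int ngroups) {
 int i;
 for (i = 0; i < ngroups; i++) {
@@ -141,6 +176,9 @@ static void clean_supplementary_groups(gid_t gid) {
 if (rv == -1)
 goto clean_all;
 
+if (arg_nogroups && check_can_drop_all_groups())
+goto clean_all;
+
 // clean supplementary group list
 gid_t new_groups[MAX_GROUPS];
 int new_ngroups = 0;
@@ -215,21 +253,22 @@ clean_all:
 
 
 // drop privileges
-// - for root group or if nogroups is set, supplementary groups are not configured
-void drop_privs(int nogroups) {
+// - for root group or if force_nogroups is set, supplementary groups are not configured
+void drop_privs(int force_nogroups) {
 gid_t gid = getgid();
 if (arg_debug)
-printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups);
+printf("Drop privileges: pid %d, uid %d, gid %d, force_nogroups %d\n",
+getpid(), getuid(), gid, force_nogroups);
 
 // configure supplementary groups
 EUID_ROOT();
-if (gid == 0 || nogroups) {
+if (gid == 0 || force_nogroups) {
 if (setgroups(0, NULL) < 0)
 errExit("setgroups");
 if (arg_debug)
 printf("No supplementary groups\n");
 }
-else if (arg_noroot)
+else if (arg_noroot || arg_nogroups)
 clean_supplementary_groups(gid);
 
 // set uid/gid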
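Review bot: `int check_can_drop_all_groups()` is defined with empty parentheses, which in C11 is an unprototyped declaration; `int check_can_drop_all_groups(void)` matches the other definitions in these hunks (`static int find_group(gid_t group, const gid_t *groups, int ngroups)`, `static void clean_supplementary_groups(gid_t gid)`) and lets the compiler reject stray arguments. The result is memoised in a static, so whichever call comes first fixes the answer for the process and for every child forked afterwards; that is fine for the call sites in this commit, which run after option parsing, but a comment at the static such as `// cached after the first call; must not run before arg_no3d is final` records the ordering requirement. Both `can_drop_all_groups = 0` paths downgrade a hardening option the user asked for, and the fwarning calls are what make that visible, so they should stay even if the debug line is ever removed.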
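--- /dev/null
+++ b/src/fnettrace/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fnettrace
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnettrace: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+rm -fr Makefile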
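--- /dev/null
+++ b/src/fnettrace/fnettrace.h
@@ -0,0 +1,64 @@
+#ifndef FNETTRACE_H
+#define FNETTRACE_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+
+//#define NETLOCK_INTERVAL 60
+#define NETLOCK_INTERVAL 60
+#define DISPLAY_INTERVAL 3
+
+void logprintf(char* fmt, ...);
+
+static inline void ansi_topleft(int tolog) {
+char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'};
+if (tolog)
+logprintf("%s", str);
+else
+printf("%s", str);
+fflush(0);
+}
+
+static inline void ansi_clrscr(int tolog) {
+ansi_topleft(tolog);
+char str[] = {0x1b, '[', '0', 'J', '\0'};
+if (tolog)
+logprintf("%s", str);
+else
+printf("%s", str);
+fflush(0);
+}
+
+static inline void ansi_linestart(int tolog) {
+char str[] = {0x1b, '[', '0', 'G', '\0'};
+if (tolog)
+logprintf("%s", str);
+else
+printf("%s", str);
+fflush(0);
+}
+
+static inline void ansi_clrline(int tolog) {
+ansi_linestart(tolog);
+char str[] = {0x1b, '[', '0', 'K', '\0'};
+if (tolog)
+logprintf("%s", str);
+else
+printf("%s", str);
+fflush(0);
+}
+
+static inline uint8_t hash(uint32_t ip) {
+uint8_t *ptr = (uint8_t *) &ip;
+// simple byte xor
+return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+
+
+#endif
\ No newline at end of file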
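Review bot: logprintf() is declared with a non-const `char* fmt` and no format attribute, so the compiler cannot check its callers' conversions against the arguments; `void logprintf(const char *fmt, ...) __attribute__((format(printf, 1, 2)));` enables `-Wformat` on every call, and the `%lu` conversions that main.c applies to the uint64_t `bytes` counters would then be flagged and can become `PRIu64`. The commented-out duplicate `//#define NETLOCK_INTERVAL 60` directly above the live define should go, and the file is missing its trailing newline. A one-line comment on hash(), `// xor is commutative, so the result does not depend on byte order`, would answer the question the `uint8_t *` view of `ip` otherwise raises.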
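--- /dev/null
+++ b/src/fnettrace/main.c
@@ -0,0 +1,433 @@
+#include "fnettrace.h"
+#define MAX_BUF_SIZE (64 * 1024)
+
+static int arg_netfilter = 0;
+static char *arg_log = NULL;
+
+typedef struct hlist_t {
+struct hlist_t *next;
+uint32_t ip_src;
+uint32_t ip_dst;
+uint16_t port_src;
+uint64_t bytes;
+int instance;
+#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute
+short ttl;
+uint8_t protocol;
+} HList;
+
+#define HMAX 256
+HList *htable[HMAX] = {NULL};
+static int htable_empty = 1;
+
+static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
+uint8_t h = hash(ip_src);
+htable_empty = 0;
+
+// find
+int instance = 0;
+HList *ptr = htable[h];
+while (ptr) {
+if (ptr->ip_src == ip_src) {
+instance++;
+if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
+ptr->bytes += bytes;
+ptr->ttl = MAX_TTL;
+return;
+}
+}
+ptr = ptr->next;
+}
+
+HList *hnew = malloc(sizeof(HList));
+hnew->ip_src = ip_src;
+hnew->ip_dst = ip_dst;
+hnew->port_src = port_src;
+hnew->protocol = protocol;
+hnew->next = NULL;
+hnew->bytes = bytes;
+hnew->ttl = MAX_TTL;
+hnew->instance = instance + 1;
+if (htable[h] == NULL)
+htable[h] = hnew;
+else {
+hnew->next = htable[h];
+htable[h] = hnew;
+}
+
+ansi_clrline(1);
+logprintf(" %u.%u.%u.%u\n", PRINT_IP(hnew->ip_src));
+}
+
+// remove entries with a ttl <= 0
+static void hlist_clean_ttl() {
+if (htable_empty)
+return;
+
+int i;
+for (i = 0; i < HMAX; i++) {
+HList *ptr = htable[i];
+HList *parent = NULL;
+while (ptr) {
+if (--ptr->ttl <= 0) {
+HList *tmp = ptr;
+ptr = ptr->next;
+if (parent)
+parent->next = ptr;
+else
+htable[i] = ptr;
+free(tmp);
+}
+else {
+parent = ptr;
+ptr = ptr->next;
+}
+}
+}
+}
+
+static void hlist_print() {
+ansi_clrscr(0);
+if (htable_empty)
+return;
+if (arg_netfilter)
+printf("\n\n");
+static int clear_cnt = 0;
+
+int i;
+int cnt = 0;
+int cnt_printed = 0;
+for (i = 0; i < HMAX; i++) {
+HList *ptr = htable[i];
+while (ptr) {
+if (ptr->bytes) {
+cnt_printed++;
+char ip_src[30];
+sprintf(ip_src, "%u.%u.%u.%u:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
+char ip_dst[30];
+sprintf(ip_dst, "%u.%u.%u.%u", PRINT_IP(ptr->ip_dst));
+printf("%-25s => %-25s\t%s:",
+ip_src,
+ip_dst,
+(ptr->protocol == 6)? "TCP": "UDP");
+
+if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+printf(" %lu KB/sec\n",
+ptr->bytes / (DISPLAY_INTERVAL * 1024));
+else
+printf(" %lu B/sec\n",
+ptr->bytes / DISPLAY_INTERVAL);
+ptr->bytes = 0;
+}
+
+ptr = ptr->next;
+cnt++;
+}
+}
+
+if (cnt_printed < 7) {
+for (i = 0; i < 7 - cnt_printed; i++)
+printf("\n");
+}
+
+if (!arg_netfilter) {
+printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
+hlist_clean_ttl();
+}
+}
+
+static void run_trace(void) {
+logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);
+
+// trace only rx ipv4 tcp and upd
+int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+if (s1 < 0 || s2 < 0)
+errExit("socket");
+
+unsigned start = time(NULL);
+unsigned last_print_traces = 0;
+unsigned last_print_remaining = 0;
+unsigned char buf[MAX_BUF_SIZE];
+int progress_cnt = 0;
+while (1) {
+unsigned end = time(NULL);
+if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {
+ansi_clrline(1);
+break;
+}
+if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
+hlist_print();
+last_print_traces = end;
+}
+if (arg_netfilter && last_print_remaining != end) {
+ansi_clrline(1);
+int secs = NETLOCK_INTERVAL - (end - start);
+logprintf("%d %s remaining ", secs, (secs == 1)? "second": "seconds");
+last_print_remaining = end;
+}
+
+fd_set rfds;
+FD_ZERO(&rfds);
+FD_SET(s1, &rfds);
+FD_SET(s2, &rfds);
+int maxfd = (s1 > s2) ? s1 : s2;
+maxfd++;
+struct timeval tv;
+tv.tv_sec = 1;
+tv.tv_usec = 0;
+int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+if (rv < 0)
+errExit("select");
+else if (rv == 0)
+continue;
+
+
+
+int sock = (FD_ISSET(s1, &rfds)) ? s1 : s2;
+
+unsigned char buf[MAX_BUF_SIZE];
+unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+if (bytes >= 20) { // size of IP header
+// filter out loopback traffic
+if (buf[12] != 127) {
+uint32_t ip_src;
+memcpy(&ip_src, buf + 12, 4);
+ip_src = ntohl(ip_src);
+
+uint32_t ip_dst;
+memcpy(&ip_dst, buf + 16, 4);
+ip_dst = ntohl(ip_dst);
+
+uint8_t hlen = (buf[0] & 0x0f) * 4;
+uint16_t port_src;
+memcpy(&port_src, buf + hlen, 2);
+port_src = ntohs(port_src);
+
+hlist_add(ip_src, ip_dst, buf[9], port_src, (uint64_t) bytes);
+}
+}
+}
+
+close(s1);
+close(s2);
+}
+
+static char *filter_start =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT DROP [0:0]\n";
+
+// return 1 if error
+static int print_filter(FILE *fp) {
+if (htable_empty)
+return 1;
+fprintf(fp, "%s\n", filter_start);
+fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+fprintf(fp, "\n");
+
+int i;
+for (i = 0; i < HMAX; i++) {
+HList *ptr = htable[i];
+while (ptr) {
+if (ptr->instance == 1) {
+char *protocol = (ptr->protocol == 6)? "tcp": "udp";
+fprintf(fp, "-A INPUT -s %u.%u.%u.%u -sport %u -p %s -j ACCEPT\n",
+PRINT_IP(ptr->ip_src),
+ptr->port_src,
+protocol);
+fprintf(fp, "-A OUTPUT -d %u.%u.%u.%u -dport %u -p %s -j ACCEPT\n",
+PRINT_IP(ptr->ip_src),
+ptr->port_src,
+protocol);
+fprintf(fp, "\n");
+}
+ptr = ptr->next;
+}
+}
+fprintf(fp, "COMMIT\n");
+
+return 0;
+}
+
+static char *flush_rules[] = {
+"-P INPUT ACCEPT",
+"-P FORWARD ACCEPT",
+"-P OUTPUT ACCEPT",
+"-F",
+"-X",
+"-t nat -F",
+"-t nat -X",
+"-t mangle -F",
+"-t mangle -X",
+"iptables -t raw -F",
+"-t raw -X",
+NULL
+};
+
+static void flush_netfilter(void) {
+// find iptables command
+struct stat s;
+char *iptables = NULL;
+if (stat("/sbin/iptables", &s) == 0)
+iptables = "/sbin/iptables";
+else if (stat("/usr/sbin/iptables", &s) == 0)
+iptables = "/usr/sbin/iptables";
+if (iptables == NULL) {
+fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+exit(1);
+}
+
+int i = 0;
+while (flush_rules[i]) {
+char *cmd;
+if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+errExit("asprintf");
+int rv = system(cmd);
+(void) rv;
+free(cmd);
+i++;
+}
+}
+
+static void deploy_netfilter(void) {
+int rv;
+char *cmd;
+
+// create temporary file
+char fname[] = "/tmp/firejail-XXXXXX";
+int fd = mkstemp(fname);
+if (fd == -1) {
+fprintf(stderr, "Error: cannot create temporary configuration file\n");
+exit(1);
+}
+
+FILE* fp = fdopen(fd, "w");
+if (!fp) {
+rv = unlink(fname);
+(void) rv;
+fprintf(stderr, "Error: cannot create temporary configuration file\n");
+exit(1);
+}
+print_filter(fp);
+fclose(fp);
+
+if (arg_log) {
+logprintf("\n");
+logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+errExit("asprintf");
+rv = system(cmd);
+(void) rv;
+free(cmd);
+logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+}
+
+// find iptables command
+struct stat s;
+char *iptables = NULL;
+char *iptables_restore = NULL;
+if (stat("/sbin/iptables", &s) == 0) {
+iptables = "/sbin/iptables";
+iptables_restore = "/sbin/iptables-restore";
+}
+else if (stat("/usr/sbin/iptables", &s) == 0) {
+iptables = "/usr/sbin/iptables";
+iptables_restore = "/usr/sbin/iptables-restore";
+}
+if (iptables == NULL || iptables_restore == NULL) {
+fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+rv = unlink(fname);
+(void) rv;
+exit(1);
+}
+
+// configuring
+if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+errExit("asprintf");
+rv = system(cmd);
+if (rv)
+fprintf(stdout, "Warning: possible netfilter problem!");
+free(cmd);
+
+sleep(1);
+if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+errExit("asprintf");
+rv = system(cmd);
+free(cmd);
+
+printf("Current firewall configuration:\n\n");
+if (asprintf(&cmd, "%s -vL -n", iptables) == -1)
+errExit("asprintf");
+rv = system(cmd);
+
+rv = unlink(fname);
+(void) rv;
+logprintf("\nfirewall deployed\n");
+}
+
+void logprintf(char* fmt, ...) {
+if (!arg_log)
+return;
+
+FILE *fp = fopen(arg_log, "a");
+if (fp) { // disregard if error
+va_list args;
+va_start(args,fmt);
+vfprintf(fp, fmt, args);
+va_end(args);
+fclose(fp);
+}
+}
+
+static void usage(void) {
+printf("Usage: fnetlock [OPTIONS]\n");
+printf("Options:\n");
+printf(" --help, -? - this help screen\n");
+printf(" --netfilter - build the firewall rules and commit them.\n");
+printf(" --log=filename - logfile\n");
+printf("\n");
+}
+
+int main(int argc, char **argv) {
+int i;
+printf("\n\n");
+
+if (getuid() != 0) {
+fprintf(stderr, "Error: you need to be root to run this program\n");
+return 1;
+}
+
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+usage();
+return 0;
+}
+else if (strcmp(argv[i], "--netfilter") == 0)
+arg_netfilter = 1;
+else if (strncmp(argv[i], "--log=", 6) == 0)
+arg_log = argv[i] + 6;
+else {
+fprintf(stderr, "Error: invalid argument\n");
+return 1;
+}
+}
+
+if (arg_netfilter) {
+logprintf("starting network lockdown\n");
+flush_netfilter();
+}
+
+ansi_clrscr(0);
+run_trace();
+if (arg_netfilter) {
+deploy_netfilter();
+sleep(3);
+if (arg_log)
+unlink(arg_log);
+}
+
+return 0;
+}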
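Review bot: deploy_netfilter() fails open: the iptables-restore exit status only produces a "possible netfilter problem" line on stdout, print_filter()'s return value (1 when no traffic was recorded, leaving the file without rules) is ignored, and flush_netfilter() has already set every policy to ACCEPT, so a rejected or empty ruleset leaves the sandbox with no firewall at all when the stated purpose of `--netfilter` is a lockdown. The generated rules look likely to be rejected as written, since the match options are spelled `-sport`/`-dport` rather than the documented `--sport`/`--dport` and they precede the `-p tcp|udp` that loads that match. Separately, `"iptables -t raw -F"` in flush_rules[] is the only entry carrying the command name, so after prefixing it expands to `<iptables path> iptables -t raw -F`, which iptables will reject, and the raw table is never flushed; it should read `"-t raw -F"` like its neighbours. The `cat %s >> %s` command interpolates the `--log=` argument into a shell line, and copying the file with stdio would keep a caller-supplied path out of `/bin/sh`; likewise `unsigned bytes = recvfrom(...)` in run_trace() turns a -1 return into a huge count that passes the `>= 20` test, so it belongs in a `ssize_t` checked before use. The fence below makes a failed restore fall back to DROP policies; the empty-table case should take the same path once the iptables lookup is moved above print_filter().
```c
// last-resort policy when the learned ruleset cannot be applied: keep the
// sandbox isolated rather than leave the ACCEPT policies set by flush_netfilter()
static void lock_all(const char *iptables) {
	static const char *deny[] = { "-P INPUT DROP", "-P FORWARD DROP", "-P OUTPUT DROP", NULL };
	for (int i = 0; deny[i]; i++) {
		char *cmd;
		if (asprintf(&cmd, "%s %s", iptables, deny[i]) == -1)
			errExit("asprintf");
		int rv = system(cmd);
		(void) rv;
		free(cmd);
	}
}

// … unchanged: deploy_netfilter() up to the iptables-restore call …
	rv = system(cmd);
	free(cmd);
	if (rv != 0) {
		fprintf(stderr, "Error: iptables-restore rejected the generated rules, locking all traffic\n");
		lock_all(iptables);
		unlink(fname);
		exit(1);
	}
```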
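--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -358,7 +358,7 @@ modifications are discarded when the sandbox is closed.
 Set working directory inside jail to the home directory, and failing that, the root directory.
 .TP
 \fBprivate-cwd directory
-Set working directory inside the jail.
+Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,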
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b5cb1e7c2..b366fed7c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1256,7 +1256,7 @@ $ firejail \-\-net=br0 \-\-net=br1 | |||
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-net=ethernet_interface|wireless_interface | 1257 | \fB\-\-net=ethernet_interface|wireless_interface |
1258 | Enable a new network namespace and connect it | 1258 | Enable a new network namespace and connect it |
1259 | to this ethernet interface using the standard Linux macvlan|ipvaln | 1259 | to this ethernet interface using the standard Linux macvlan|ipvlan |
1260 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an | 1260 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an |
1261 | IP address and a default gateway will be assigned automatically | 1261 | IP address and a default gateway will be assigned automatically |
1262 | to the sandbox. The IP address is verified using ARP before | 1262 | to the sandbox. The IP address is verified using ARP before |
@@ -1479,6 +1479,29 @@ PID User RX(KB/s) TX(KB/s) Command | |||
1479 | 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox | 1479 | 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox |
1480 | .br | 1480 | .br |
1481 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission | 1481 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission |
1482 | .TP | ||
1483 | \fB\-\-nettrace=name|pid | ||
1484 | Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes | ||
1485 | created with \-\-net are supported. | ||
1486 | .br | ||
1487 | |||
1488 | .br | ||
1489 | $ firejail --nettrace=browser | ||
1490 | .br | ||
1491 | 9.9.9.9:53 => 192.168.1.60 UDP: 122 B/sec | ||
1492 | .br | ||
1493 | 72.21.91.29:80 => 192.168.1.60 TCP: 257 B/sec | ||
1494 | .br | ||
1495 | 80.92.126.65:123 => 192.168.1.60 UDP: 25 B/sec | ||
1496 | .br | ||
1497 | 69.30.241.50:443 => 192.168.1.60 TCP: 88 KB/sec | ||
1498 | .br | ||
1499 | 140.82.112.4:443 => 192.168.1.60 TCP: 1861 B/sec | ||
1500 | .br | ||
1501 | |||
1502 | .br | ||
1503 | (14 streams in the last one minute) | ||
1504 | |||
1482 | #endif | 1505 | #endif |
1483 | .TP | 1506 | .TP |
1484 | \fB\-\-nice=value | 1507 | \fB\-\-nice=value |
@@ -1863,7 +1886,6 @@ $ firejail \-\-private-cache openbox | |||
1863 | .TP | 1886 | .TP |
1864 | \fB\-\-private-cwd | 1887 | \fB\-\-private-cwd |
1865 | Set working directory inside jail to the home directory, and failing that, the root directory. | 1888 | Set working directory inside jail to the home directory, and failing that, the root directory. |
1866 | .br | ||
1867 | Does not impact working directory of profile include paths. | 1889 | Does not impact working directory of profile include paths. |
1868 | .br | 1890 | .br |
1869 | 1891 | ||
@@ -1884,7 +1906,7 @@ $ pwd | |||
1884 | .TP | 1906 | .TP |
1885 | \fB\-\-private-cwd=directory | 1907 | \fB\-\-private-cwd=directory |
1886 | Set working directory inside the jail. | 1908 | Set working directory inside the jail. |
1887 | .br | 1909 | Full directory path is required. Symbolic links are not allowed. |
1888 | Does not impact working directory of profile include paths. | 1910 | Does not impact working directory of profile include paths. |
1889 | .br | 1911 | .br |
1890 | 1912 | ||
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in index e025f5939..fa1b4f200 100644 --- a/src/profstats/Makefile.in +++ b/src/profstats/Makefile.in | |||
@@ -3,7 +3,7 @@ all: profstats | |||
3 | 3 | ||
4 | include ../common.mk | 4 | include ../common.mk |
5 | 5 | ||
6 | %.o : %.c $(H_FILE_LIST) | 6 | %.o : %.c $(H_FILE_LIST) ../include/common.h |
7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 7 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
8 | 8 | ||
9 | profstats: $(OBJS) | 9 | profstats: $(OBJS) |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 9ddbb2633..bc5047bfe 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -10,17 +10,15 @@ | |||
10 | * | 10 | * |
11 | * This program is distributed in the hope that it will be useful, | 11 | * This program is distributed in the hope that it will be useful, |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | * GNU General Public License for more details. | 14 | * GNU General Public License for more details. |
15 | * | 15 | * |
16 | * You should have received a copy of the GNU General Public License along | 16 | * You should have received a copy of the GNU General Public License along |
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include <stdio.h> | 20 | |
21 | #include <stdlib.h> | 21 | #include "../include/common.h" |
22 | #include <string.h> | ||
23 | #include <assert.h> | ||
24 | 22 | ||
25 | #define MAXBUF 2048 | 23 | #define MAXBUF 2048 |
26 | // stats | 24 | // stats |
@@ -99,8 +97,9 @@ static void usage(void) { | |||
99 | printf("\n"); | 97 | printf("\n"); |
100 | } | 98 | } |
101 | 99 | ||
102 | void process_file(const char *fname) { | 100 | static void process_file(char *fname) { |
103 | assert(fname); | 101 | assert(fname); |
102 | char *tmpfname = NULL; | ||
104 | 103 | ||
105 | if (arg_debug) | 104 | if (arg_debug) |
106 | printf("processing #%s#\n", fname); | 105 | printf("processing #%s#\n", fname); |
@@ -109,9 +108,19 @@ void process_file(const char *fname) { | |||
109 | 108 | ||
110 | FILE *fp = fopen(fname, "r"); | 109 | FILE *fp = fopen(fname, "r"); |
111 | if (!fp) { | 110 | if (!fp) { |
112 | fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile); | 111 | // the file was not found in the current directory |
113 | level--; | 112 | // look for it in /etc/firejail directory |
114 | return; | 113 | if (asprintf(&tmpfname, "%s/%s", SYSCONFDIR, fname) == -1) |
114 | errExit("asprintf"); | ||
115 | |||
116 | fp = fopen(tmpfname, "r"); | ||
117 | if (!fp) { | ||
118 | fprintf(stderr, "Warning: cannot open %s or %s, while processing %s\n", fname, tmpfname, profile); | ||
119 | free(tmpfname); | ||
120 | level--; | ||
121 | return; | ||
122 | } | ||
123 | fname = tmpfname; | ||
115 | } | 124 | } |
116 | 125 | ||
117 | int have_include_local = 0; | 126 | int have_include_local = 0; |
@@ -204,6 +213,8 @@ void process_file(const char *fname) { | |||
204 | if (!have_include_local) | 213 | if (!have_include_local) |
205 | printf("No include .local found in %s\n", fname); | 214 | printf("No include .local found in %s\n", fname); |
206 | level--; | 215 | level--; |
216 | if (tmpfname) | ||
217 | free(tmpfname); | ||
207 | } | 218 | } |
208 | 219 | ||
209 | int main(int argc, char **argv) { | 220 | int main(int argc, char **argv) { |
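Review bot: Dropping `const` from the parameter in `static void process_file(char *fname)` (second hunk) is unnecessary: `fname = tmpfname;` assigns a `char *` to a `const char *` without a cast, so `static void process_file(const char *fname)` would still compile and would keep the guarantee that the function never writes through the string it receives. In the last hunk, `if (tmpfname) free(tmpfname);` can be simply `free(tmpfname);` since `free(NULL)` is a no-op. The body of `process_file` between the hunks is not visible here; if it contains any other early `return` after the fallback has assigned `tmpfname`, that path would leak the asprintf buffer, which is worth checking.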
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c deleted file mode 100644 index beff93199..000000000 --- a/src/tools/profcleaner.c +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | //************************************************************* | ||
22 | // Small utility program to convert profiles from blacklist/whitelist to deny/allow | ||
23 | // Compile: | ||
24 | // gcc -o profcleaner profcleaner.c | ||
25 | // Usage: | ||
26 | // profcleaner *.profile | ||
27 | //************************************************************* | ||
28 | |||
29 | #include <stdio.h> | ||
30 | #include <stdlib.h> | ||
31 | #include <string.h> | ||
32 | #include <unistd.h> | ||
33 | #define MAXBUF 4096 | ||
34 | |||
35 | int main(int argc, char **argv) { | ||
36 | printf("Usage: profcleaner files\n"); | ||
37 | int i; | ||
38 | |||
39 | for (i = 1; i < argc; i++) { | ||
40 | FILE *fp = fopen(argv[i], "r"); | ||
41 | if (!fp) { | ||
42 | fprintf(stderr, "Error: cannot open %s\n", argv[i]); | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | FILE *fpout = fopen("profcleaner-tmp", "w"); | ||
47 | if (!fpout) { | ||
48 | fprintf(stderr, "Error: cannot open output file\n"); | ||
49 | return 1; | ||
50 | } | ||
51 | |||
52 | char buf[MAXBUF]; | ||
53 | while (fgets(buf, MAXBUF, fp)) { | ||
54 | if (strncmp(buf, "blacklist-nolog", 15) == 0) | ||
55 | fprintf(fpout, "deny-nolog %s", buf + 15); | ||
56 | else if (strncmp(buf, "blacklist", 9) == 0) | ||
57 | fprintf(fpout, "deny %s", buf + 9); | ||
58 | else if (strncmp(buf, "noblacklist", 11) == 0) | ||
59 | fprintf(fpout, "nodeny %s", buf + 11); | ||
60 | else if (strncmp(buf, "whitelist", 9) == 0) | ||
61 | fprintf(fpout, "allow %s", buf + 9); | ||
62 | else if (strncmp(buf, "nowhitelist", 11) == 0) | ||
63 | fprintf(fpout, "noallow %s", buf + 11); | ||
64 | else | ||
65 | fprintf(fpout, "%s", buf); | ||
66 | } | ||
67 | |||
68 | fclose(fp); | ||
69 | fclose(fpout); | ||
70 | unlink(argv[i]); | ||
71 | rename("profcleaner-tmp", argv[i]); | ||
72 | } | ||
73 | |||
74 | return 0; | ||
75 | } | ||
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh deleted file mode 100755 index 96402aed6..000000000 --- a/src/tools/profcleaner.sh +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | # Copyright (C) 2021 Firejail Authors | ||
4 | # | ||
5 | # This file is part of firejail project | ||
6 | # | ||
7 | # This program is free software; you can redistribute it and/or modify | ||
8 | # it under the terms of the GNU General Public License as published by | ||
9 | # the Free Software Foundation; either version 2 of the License, or | ||
10 | # (at your option) any later version. | ||
11 | # | ||
12 | # This program is distributed in the hope that it will be useful, | ||
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
15 | # GNU General Public License for more details. | ||
16 | # | ||
17 | # You should have received a copy of the GNU General Public License along | ||
18 | # with this program; if not, write to the Free Software Foundation, Inc., | ||
19 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
20 | |||
21 | if [[ $1 == --help ]]; then | ||
22 | cat <<-EOM | ||
23 | USAGE: | ||
24 | profcleaner.sh --help Show this help message and exit | ||
25 | profcleaner.sh --system Clean all profiles in /etc/firejail | ||
26 | profcleaner.sh --user Clean all profiles in ~/.config/firejail | ||
27 | profcleaner.sh /path/to/profile1 /path/to/profile2 ... | ||
28 | EOM | ||
29 | exit 0 | ||
30 | fi | ||
31 | |||
32 | if [[ $1 == --system ]]; then | ||
33 | profiles=(/etc/firejail/*.{inc,local,profile}) | ||
34 | elif [[ $1 == --user ]]; then | ||
35 | profiles=("$HOME"/.config/firejail/*.{inc,local,profile}) | ||
36 | else | ||
37 | profiles=("$@") | ||
38 | fi | ||
39 | |||
40 | sed -i -E \ | ||
41 | -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \ | ||
42 | -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \ | ||
43 | -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \ | ||
44 | -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \ | ||
45 | "${profiles[@]}" | ||
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 6ce71aed8..8c1d758cc 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -48,8 +48,8 @@ _firejail_args=( | |||
48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
49 | 49 | ||
50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
51 | '--build[build a profile for the application and print it on stdout]' | 51 | '--build[build a whitelisted profile for the application and print it on stdout]' |
52 | '--build=-[build a profile for the application and save it]: :_files' | 52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' |
53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
@@ -66,14 +66,14 @@ _firejail_args=( | |||
66 | '--ids-init[initialize IDS database]' | 66 | '--ids-init[initialize IDS database]' |
67 | 67 | ||
68 | '--debug[print sandbox debug messages]' | 68 | '--debug[print sandbox debug messages]' |
69 | '--debug-allow[debug file system access]' | 69 | '--debug-blacklists[debug blacklisting]' |
70 | '--debug-caps[print all recognized capabilities]' | 70 | '--debug-caps[print all recognized capabilities]' |
71 | '--debug-deny[debug file system access]' | ||
72 | '--debug-errnos[print all recognized error numbers]' | 71 | '--debug-errnos[print all recognized error numbers]' |
73 | '--debug-private-lib[debug for --private-lib option]' | 72 | '--debug-private-lib[debug for --private-lib option]' |
74 | '--debug-protocols[print all recognized protocols]' | 73 | '--debug-protocols[print all recognized protocols]' |
75 | '--debug-syscalls[print all recognized system calls]' | 74 | '--debug-syscalls[print all recognized system calls]' |
76 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 75 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
76 | '--debug-whitelists[debug whitelisting]' | ||
77 | 77 | ||
78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
@@ -86,13 +86,13 @@ _firejail_args=( | |||
86 | '--allusers[all user home directories are visible inside the sandbox]' | 86 | '--allusers[all user home directories are visible inside the sandbox]' |
87 | # Should be _files, a comma and files or files -/ | 87 | # Should be _files, a comma and files or files -/ |
88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
89 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
89 | '--caps[enable default Linux capabilities filter]' | 90 | '--caps[enable default Linux capabilities filter]' |
90 | '--caps.drop=all[drop all capabilities]' | 91 | '--caps.drop=all[drop all capabilities]' |
91 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 92 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
92 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 93 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
93 | '--cgroup=-[place the sandbox in the specified control group]: :' | 94 | '--cgroup=-[place the sandbox in the specified control group]: :' |
94 | '--cpu=-[set cpu affinity]: :->cpus' | 95 | '--cpu=-[set cpu affinity]: :->cpus' |
95 | '*--deny=-[deny access to directory or file]: :_files' | ||
96 | "--deterministic-exit-code[always exit with first child's status code]" | 96 | "--deterministic-exit-code[always exit with first child's status code]" |
97 | '--deterministic-shutdown[terminate orphan processes]' | 97 | '--deterministic-shutdown[terminate orphan processes]' |
98 | '*--dns=-[set DNS server]: :' | 98 | '*--dns=-[set DNS server]: :' |
@@ -116,7 +116,7 @@ _firejail_args=( | |||
116 | '--nice=-[set nice value]: :(1 10 15 20)' | 116 | '--nice=-[set nice value]: :(1 10 15 20)' |
117 | '--no3d[disable 3D hardware acceleration]' | 117 | '--no3d[disable 3D hardware acceleration]' |
118 | '--noautopulse[disable automatic ~/.config/pulse init]' | 118 | '--noautopulse[disable automatic ~/.config/pulse init]' |
119 | '--nodeny=-[disable deny command for file or directory]: :_files' | 119 | '--noblacklist=-[disable blacklist for file or directory]: :_files' |
120 | '--nodbus[disable D-Bus access]' | 120 | '--nodbus[disable D-Bus access]' |
121 | '--nodvd[disable DVD and audio CD devices]' | 121 | '--nodvd[disable DVD and audio CD devices]' |
122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
@@ -147,13 +147,13 @@ _firejail_args=( | |||
147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
150 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' | 150 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' |
151 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' | 151 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' |
152 | '--seccomp.block-secondary[build only the native architecture filters]' | 152 | '--seccomp.block-secondary[build only the native architecture filters]' |
153 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' | 153 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' |
154 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' | 154 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' |
155 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 155 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' |
156 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 156 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' |
157 | # FIXME: Add errnos | 157 | # FIXME: Add errnos |
158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
159 | '--shell=none[run the program directly without a user shell]' | 159 | '--shell=none[run the program directly without a user shell]' |
@@ -161,7 +161,7 @@ _firejail_args=( | |||
161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
162 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 162 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
164 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' | 164 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' |
165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
167 | '--writable-var[/var directory is mounted read-write]' | 167 | '--writable-var[/var directory is mounted read-write]' |
@@ -255,8 +255,8 @@ _firejail_args=( | |||
255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
256 | #endif | 256 | #endif |
257 | 257 | ||
258 | '*--noallow=-[disable allow command for file or directory]: :_files' | 258 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' |
259 | '*--allow=-[allow file system access]: :_files' | 259 | '*--whitelist=-[whitelist directory or file]: :_files' |
260 | 260 | ||
261 | #ifdef HAVE_X11 | 261 | #ifdef HAVE_X11 |
262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index a9f06b60a..eb4e4702c 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -115,13 +115,6 @@ echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" | |||
115 | ./seccomp-numeric.exp | 115 | ./seccomp-numeric.exp |
116 | 116 | ||
117 | if [ "$(uname -m)" = "x86_64" ]; then | 117 | if [ "$(uname -m)" = "x86_64" ]; then |
118 | echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" | ||
119 | ./seccomp-dualfilter.exp | ||
120 | else | ||
121 | echo "TESTING SKIP: seccomp dual, not running on x86_64" | ||
122 | fi | ||
123 | |||
124 | if [ "$(uname -m)" = "x86_64" ]; then | ||
125 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" | 118 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" |
126 | ./seccomp-join.exp | 119 | ./seccomp-join.exp |
127 | else | 120 | else |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 59f812d6d..6becbff22 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
@@ -111,7 +111,7 @@ expect { | |||
111 | } | 111 | } |
112 | expect { | 112 | expect { |
113 | timeout {puts "TESTING ERROR 9.3\n";exit} | 113 | timeout {puts "TESTING ERROR 9.3\n";exit} |
114 | "ret KILL" | 114 | "ret ERRNO" |
115 | } | 115 | } |
116 | 116 | ||
117 | 117 | ||
diff --git a/test/filters/memwrexe b/test/filters/memwrexe index 669f0d320..1173cdc07 100755 --- a/test/filters/memwrexe +++ b/test/filters/memwrexe | |||
Binary files differ | |||
diff --git a/test/filters/memwrexe-32 b/test/filters/memwrexe-32 index 70c98b796..bdf71dcb4 100755 --- a/test/filters/memwrexe-32 +++ b/test/filters/memwrexe-32 | |||
Binary files differ | |||
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c index 4fbf05f78..d8bf4edaa 100644 --- a/test/filters/memwrexe.c +++ b/test/filters/memwrexe.c | |||
@@ -42,6 +42,11 @@ int main(int argc, char **argv) { | |||
42 | } | 42 | } |
43 | 43 | ||
44 | void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); | 44 | void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); |
45 | if (p == MAP_FAILED) { | ||
46 | printf("mmap failed\n"); | ||
47 | return 0; | ||
48 | } | ||
49 | |||
45 | printf("mmap successful\n"); | 50 | printf("mmap successful\n"); |
46 | 51 | ||
47 | // wait for expect to timeout | 52 | // wait for expect to timeout |
@@ -70,7 +75,12 @@ int main(int argc, char **argv) { | |||
70 | return 1; | 75 | return 1; |
71 | } | 76 | } |
72 | 77 | ||
73 | mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC); | 78 | int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC); |
79 | if (rv) { | ||
80 | printf("mprotect failed\n"); | ||
81 | return 1; | ||
82 | } | ||
83 | |||
74 | printf("mprotect successful\n"); | 84 | printf("mprotect successful\n"); |
75 | 85 | ||
76 | // wait for expect to timeout | 86 | // wait for expect to timeout |
@@ -82,7 +92,7 @@ int main(int argc, char **argv) { | |||
82 | else if (strcmp(argv[1], "memfd_create") == 0) { | 92 | else if (strcmp(argv[1], "memfd_create") == 0) { |
83 | int fd = syscall(SYS_memfd_create, "memfd_create", 0); | 93 | int fd = syscall(SYS_memfd_create, "memfd_create", 0); |
84 | if (fd == -1) { | 94 | if (fd == -1) { |
85 | fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n"); | 95 | printf("memfd_create failed\n"); |
86 | return 1; | 96 | return 1; |
87 | } | 97 | } |
88 | printf("memfd_create successful\n"); | 98 | printf("memfd_create successful\n"); |
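Review bot: The new failure branches print a bare "mmap failed" / "mprotect failed" without errno, so the test log cannot distinguish a rejection by the sandbox's seccomp or memory-deny-write-execute policy (EPERM/EACCES) from an unrelated failure such as an undersized backing file; `printf("mmap failed: %s\n", strerror(errno));` would make the output diagnostic (this needs `<errno.h>` and `<string.h>`, which are not visible in the hunk). The mmap branch returns 0 on failure while the mprotect and memfd_create branches return 1; if that asymmetry is deliberate because a denied mmap is the expected outcome for this test, a one-line comment saying so would prevent it being "fixed" later. main() begins before the first hunk.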
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 64f72f610..5fc16c47f 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp | |||
@@ -72,7 +72,7 @@ expect { | |||
72 | send -- "cat /proc/self/gid_map | wc -l\r" | 72 | send -- "cat /proc/self/gid_map | wc -l\r" |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 12\n";exit} | 74 | timeout {puts "TESTING ERROR 12\n";exit} |
75 | "5" | 75 | "9" |
76 | } | 76 | } |
77 | 77 | ||
78 | 78 | ||
@@ -104,7 +104,7 @@ expect { | |||
104 | send -- "cat /proc/self/gid_map | wc -l\r" | 104 | send -- "cat /proc/self/gid_map | wc -l\r" |
105 | expect { | 105 | expect { |
106 | timeout {puts "TESTING ERROR 17\n";exit} | 106 | timeout {puts "TESTING ERROR 17\n";exit} |
107 | "5" | 107 | "9" |
108 | } | 108 | } |
109 | 109 | ||
110 | # check seccomp disabled and all caps enabled | 110 | # check seccomp disabled and all caps enabled |
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 071460e4c..09c742378 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -7,179 +7,38 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" | 10 | send -- "firejail --noprofile --protocol=unix --debug\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | 13 | "0009: 20 00 00 00000000 ld data.syscall-number" |
14 | "Child process initialized" | ||
15 | } | 14 | } |
16 | expect { | 15 | expect { |
17 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
18 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | ||
19 | "socket AF_INET" | ||
20 | } | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1.2\n";exit} | ||
23 | "Operation not supported" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1.3\n";exit} | ||
27 | "socket AF_INET6" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 1.4\n";exit} | ||
31 | "Operation not supported" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1.5\n";exit} | ||
35 | "socket AF_NETLINK" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 1.6\n";exit} | ||
39 | "Operation not supported" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 1.7\n";exit} | ||
43 | "socket AF_UNIX" | ||
44 | } | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 1.8\n";exit} | ||
47 | "socket AF_PACKETX" | ||
48 | } | ||
49 | expect { | ||
50 | timeout {puts "TESTING ERROR 1.9\n";exit} | ||
51 | "Operation not supported" | ||
52 | } | ||
53 | sleep 1 | ||
54 | |||
55 | send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 2\n";exit} |
58 | "Child process initialized" | 17 | "000a: 15 01 00 00000029 jeq socket 000c (false 000b)" |
59 | } | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
62 | "socket AF_INET" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 2.2\n";exit} | ||
66 | "Operation not supported" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 2.3\n";exit} | ||
70 | "socket AF_INET6" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 2.4\n";exit} | ||
74 | "socket AF_NETLINK" | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 2.5\n";exit} | ||
78 | "Operation not supported" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 2.6\n";exit} | ||
82 | "socket AF_UNIX" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 2.7\n";exit} | ||
86 | "Operation not supported" | ||
87 | } | ||
88 | expect { | ||
89 | timeout {puts "TESTING ERROR 2.8\n";exit} | ||
90 | "socket AF_PACKETX" | ||
91 | } | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 2.9\n";exit} | ||
94 | "after socket" | ||
95 | } | 18 | } |
96 | sleep 1 | ||
97 | |||
98 | # profile testing | ||
99 | send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" | ||
100 | expect { | 19 | expect { |
101 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
102 | "Child process initialized" | 21 | "000b: 06 00 00 7fff0000 ret ALLOW" |
103 | } | ||
104 | expect { | ||
105 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
106 | "socket AF_INET" | ||
107 | } | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
110 | "Operation not supported" | ||
111 | } | ||
112 | expect { | ||
113 | timeout {puts "TESTING ERROR 3.3\n";exit} | ||
114 | "socket AF_INET6" | ||
115 | } | ||
116 | expect { | ||
117 | timeout {puts "TESTING ERROR 3.4\n";exit} | ||
118 | "Operation not supported" | ||
119 | } | ||
120 | expect { | ||
121 | timeout {puts "TESTING ERROR 3.5\n";exit} | ||
122 | "socket AF_NETLINK" | ||
123 | } | ||
124 | expect { | ||
125 | timeout {puts "TESTING ERROR 3.6\n";exit} | ||
126 | "Operation not supported" | ||
127 | } | ||
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 3.7\n";exit} | ||
130 | "socket AF_UNIX" | ||
131 | } | ||
132 | expect { | ||
133 | timeout {puts "TESTING ERROR 3.8\n";exit} | ||
134 | "socket AF_PACKETX" | ||
135 | } | 22 | } |
136 | expect { | 23 | expect { |
137 | timeout {puts "TESTING ERROR 3.9\n";exit} | ||
138 | "Operation not supported" | ||
139 | } | ||
140 | sleep 1 | ||
141 | |||
142 | send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" | ||
143 | expect { | ||
144 | timeout {puts "TESTING ERROR 4\n";exit} | 24 | timeout {puts "TESTING ERROR 4\n";exit} |
145 | "Child process initialized" | 25 | "000c: 20 00 00 00000010 ld data.args" |
146 | } | ||
147 | expect { | ||
148 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
149 | "socket AF_INET" | ||
150 | } | ||
151 | expect { | ||
152 | timeout {puts "TESTING ERROR 4.2\n";exit} | ||
153 | "Operation not supported" | ||
154 | } | ||
155 | expect { | ||
156 | timeout {puts "TESTING ERROR 4.3\n";exit} | ||
157 | "socket AF_INET6" | ||
158 | } | 26 | } |
159 | expect { | 27 | expect { |
160 | timeout {puts "TESTING ERROR 4.4\n";exit} | 28 | timeout {puts "TESTING ERROR 5\n";exit} |
161 | "socket AF_NETLINK" | 29 | "000d: 15 00 01 00000001 jeq 1 000e (false 000f)" |
162 | } | 30 | } |
163 | expect { | 31 | expect { |
164 | timeout {puts "TESTING ERROR 4.5\n";exit} | 32 | timeout {puts "TESTING ERROR 6\n";exit} |
165 | "Operation not supported" | 33 | "000e: 06 00 00 7fff0000 ret ALLOW" |
34 | "" | ||
166 | } | 35 | } |
167 | expect { | 36 | expect { |
168 | timeout {puts "TESTING ERROR 4.6\n";exit} | 37 | timeout {puts "TESTING ERROR 7\n";exit} |
169 | "socket AF_UNIX" | 38 | "000f: 06 00 00 0005005f ret ERRNO(95)" |
170 | } | 39 | } |
171 | expect { | ||
172 | timeout {puts "TESTING ERROR 4.7\n";exit} | ||
173 | "Operation not supported" | ||
174 | } | ||
175 | expect { | ||
176 | timeout {puts "TESTING ERROR 4.8\n";exit} | ||
177 | "socket AF_PACKETX" | ||
178 | } | ||
179 | expect { | ||
180 | timeout {puts "TESTING ERROR 4.9\n";exit} | ||
181 | "after socket" | ||
182 | } | ||
183 | after 100 | ||
184 | 40 | ||
41 | after 100 | ||
42 | send -- "exit\r" | ||
43 | after 100 | ||
185 | puts "\nall done\n" | 44 | puts "\nall done\n" |
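Review bot: The extra `""` pattern added to the `TESTING ERROR 6` expect block looks like a leftover: an empty glob pattern in expect matches immediately, so that block would no longer wait for the `ret ALLOW` line and the check becomes a no-op; the line should be removed. The rewritten test also only inspects the BPF disassembly printed by `--debug`, keyed on absolute instruction offsets (`0009:`, `000a:`, …), so any change to the filter prologue will break it, and it no longer verifies that `socket()` is actually refused for the non-unix families the old test exercised via `./syscall_test socket`; keeping at least one behavioural check next to the disassembly check would preserve that coverage.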
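--- a/test/filters/seccomp-dualfilter.exp
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2021 Firejail Authors
-# License GPL v2
-
-set timeout 1
-spawn $env(SHELL)
-match_max 100000
-
-send -- "./syscall_test\r"
-expect {
-timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
-"Usage"
-}
-
-send -- "./syscall_test32\r"
-expect {
-timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
-"Usage"
-}
-
-set timeout 10
-send -- "firejail ./syscall_test mount\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"before mount"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"after mount" {puts "TESTING ERROR 3\n";exit}
-"Parent is shutting down"
-}
-sleep 1
-
-send -- "firejail ./syscall_test32 mount\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"before mount"
-}
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"after mount" {puts "TESTING ERROR 7\n";exit}
-"Parent is shutting down"
-}
-
-after 100
-puts "\nall done\n"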
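--- a/test/filters/seccomp-postexec.exp
+++ b/test/filters/seccomp-postexec.exp
@@ -14,20 +14,17 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"data.architecture"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
 "monitoring pid"
 }
+sleep 1
+
+send -- "ls\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Sandbox monitor: waitpid"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Parent is shutting down"
+timeout {puts "TESTING ERROR 2\n";exit}
+"not permitted"
 }
-sleep 1
 
+
+send -- "exit\r"
+after 100
 puts "all done\n"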
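--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -17,8 +17,7 @@ sleep 2
 send -- "strace ls\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"Bad system call" {puts "version 1\n";}
-" unexpected signal 31" {puts "version 2\n"}
+"not permitted"
 }
 
 send -- "exit\r"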
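Review bot: The new `"not permitted"` pattern in seccomp-ptrace.exp assumes that `strace ls` now fails with an errno (EPERM) rather than being killed with SIGSYS, which is what the two removed patterns (`Bad system call`, `unexpected signal 31`) used to cover, and nothing in the hunk records that assumption. A one-line comment above the expect block, e.g. `# strace is expected to fail with EPERM from the seccomp errno action, not with SIGSYS`, would document why a single pattern is now sufficient. If a kernel or a non-default seccomp error action still delivers SIGSYS here, the test would time out with "TESTING ERROR 1" instead of reporting the mismatch; that is inferred from the removed lines, so worth confirming against the filter the test exercises.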
diff --git a/test/filters/syscall_test b/test/filters/syscall_test deleted file mode 100755 index bf29c5b99..000000000 --- a/test/filters/syscall_test +++ /dev/null | |||
Binary files differ | |||
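--- a/test/filters/syscall_test.c
+++ /dev/null
@@ -1,82 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2021 Firejail Authors
-// License GPL v2
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <net/ethernet.h>
-#include <sys/mount.h>
-
-int main(int argc, char **argv) {
-if (argc != 2) {
-printf("Usage: test [sleep|socket|mkdir|mount]\n");
-return 1;
-}
-
-if (strcmp(argv[1], "sleep") == 0) {
-printf("before sleep\n");
-sleep(1);
-printf("after sleep\n");
-}
-else if (strcmp(argv[1], "socket") == 0) {
-int sock;
-
-printf("testing socket AF_INET\n");
-if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
-perror("socket");
-}
-else
-close(sock);
-
-printf("testing socket AF_INET6\n");
-if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
-perror("socket");
-}
-else
-close(sock);
-
-printf("testing socket AF_NETLINK\n");
-if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
-perror("socket");
-}
-else
-close(sock);
-
-printf("testing socket AF_UNIX\n");
-if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
-perror("socket");
-}
-else
-close(sock);
-
-// root needed to be able to handle this
-printf("testing socket AF_PACKETX\n");
-if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
-perror("socket");
-}
-else
-close(sock);
-printf("after socket\n");
-}
-else if (strcmp(argv[1], "mkdir") == 0) {
-printf("before mkdir\n");
-mkdir("tmp", 0777);
-printf("after mkdir\n");
-}
-else if (strcmp(argv[1], "mount") == 0) {
-printf("before mount\n");
-if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) {
-perror("mount");
-}
-printf("after mount\n");
-}
-else {
-fprintf(stderr, "Error: invalid argument\n");
-return 1;
-}
-return 0;
-}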
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32 deleted file mode 100755 index 8d72f58c4..000000000 --- a/test/filters/syscall_test32 +++ /dev/null | |||
Binary files differ | |||