author | netblue30 <netblue30@protonmail.com> | 2022-03-24 08:36:09 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-03-24 08:36:09 -0400 |
commit | b8c41ea8fdbfd48977cf9370e0656bbdd133be83 (patch) | |
tree | 3397e7e13b838cfb45de0e00f6a659e7e4883d42 | |
parent | merges (diff) | |
parent | Merge pull request #5061 from glitsj16/ping-fixes (diff) | |
download | firejail-b8c41ea8fdbfd48977cf9370e0656bbdd133be83.tar.gz firejail-b8c41ea8fdbfd48977cf9370e0656bbdd133be83.tar.zst firejail-b8c41ea8fdbfd48977cf9370e0656bbdd133be83.zip |
Merge branch 'master' of ssh://github.com/netblue30/firejail
-rw-r--r-- | etc/inc/allow-nodejs.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/curl.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/node-gyp.profile (renamed from etc/profile-m-z/nvm.profile) | 8 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 12 | ||||
-rw-r--r-- | etc/profile-m-z/npx.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/ping-hardened.inc.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/ping.profile | 21 | ||||
-rw-r--r-- | etc/profile-m-z/semver.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/sha256sum.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/tar.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/webstorm.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/webui-aria2.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/wget.profile | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 14 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
15 files changed, 106 insertions, 13 deletions
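--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
 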
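Review bot: `ignore read-only ${HOME}/.nvm` and `noblacklist ${HOME}/.nvm` (new lines 5-6) make writable, inside every profile that includes this file, a directory holding node binaries the user also runs outside any sandbox, and nothing here records which include sets the read-only rule being cancelled or why write access is needed. The same pair is offered as a local override in curl.profile and wget.profile, where the process gaining write access is a network client handling untrusted downloads. A comment above the pair, for example `# ~/.nvm holds nvm-managed node versions; writable so installs into that prefix work`, would keep the trade-off visible to anyone copying these lines into a .local file; the reason is presumably nvm installs under that prefix, which the page only implies, so confirm before wording it.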
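--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -18,6 +18,10 @@ noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc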
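--- a/etc/profile-m-z/nvm.profile
+++ b/etc/profile-m-z/node-gyp.profile
@@ -1,13 +1,11 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
 quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include nvm.local
+include node-gyp.local
 # Persistent global definitions
 include globals.local
 
-ignore noroot
-
 # Redirect
 include nodejs-common.profile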
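--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv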
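--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile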
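--- /dev/null
+++ b/etc/profile-m-z/ping-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include ping-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+memory-deny-write-execute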
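Review bot: The new include turns on `nonewprivs`, `noroot`, `seccomp` and `memory-deny-write-execute` without stating the condition under which ping survives them, while ping.profile keeps all four off with comments saying they kill ping (its new lines 41, 49, 51 and 65); the only precondition given is the one-liner in ping.profile's new line 27. Because ping.local is included before `caps.keep net_raw` (ping.profile new line 31), a reader also cannot tell from the page whether `caps.drop all` here is overridden by that later keep or overrides it, so a non-working ping would look like a kernel limitation rather than a profile-order question. A header comment such as `# Only usable when the kernel allows unprivileged userns clone (see ping.profile); with noroot the privileges the parent profile preserves are not needed - confirm against caps.keep net_raw ordering` would document the intent at the point where it is read.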
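--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,23 +7,30 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Add the next line to your ping.local if your kernel allows unprivileged userns clone.
+#include ping-hardened.inc.profile
+
 apparmor
 caps.keep net_raw
 ipc-namespace
+machine-id
 #net tun0
 #netfilter /etc/firejail/ping.net
 netfilter
@@ -31,8 +38,9 @@ no3d
 nodvd
 nogroups
 noinput
-# ping needs to rise privileges, noroot and nonewprivs will kill it
+# ping needs to raise privileges, nonewprivs and noroot will kill it
 #nonewprivs
+noprinters
 #noroot
 nosound
 notv
@@ -40,15 +48,18 @@ nou2f
 novideo
 # protocol command is built using seccomp; nonewprivs will kill it
 #protocol unix,inet,inet6,netlink,packet
-# killed by no-new-privs
 #seccomp
+shell none
+tracelog
 
 disable-mnt
 private
-#private-bin has mammoth problems with execvp: "No such file or directory"
+#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+private-cache
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
 #private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-lib
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
@@ -56,3 +67,5 @@ private-tmp
 
 dbus-user none
 dbus-system none
+
+read-only ${HOME}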
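Review bot: `private-cache` (new line 58) is added to a profile that already has `private` (line 56), and the man-page hunk in this same commit documents that private-cache still operates on the original home directory even when private is enabled (firejail-profile.txt, new lines 350-351). With an empty private home there is nothing left for private-cache to cover, so its only visible effect is on the real ~/.cache, which is exactly the behaviour the new documentation flags as a bug. Either drop the line or keep it with `# NOTE: private-cache acts on the real home even under private, see #903` so the choice is deliberate. `read-only ${HOME}` (new line 71) is likewise redundant under `private`, though harmless.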
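--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile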
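--- a/etc/profile-m-z/sha256sum.profile
+++ b/etc/profile-m-z/sha256sum.profile
@@ -7,6 +7,9 @@ include sha256sum.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
 private-bin sha256sum
 
 # Redirect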
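--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,6 +7,9 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
 # Included in archiver-common.profile
 ignore include disable-shell.inc
 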
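Review bot: The nvm hint for tar (new lines 10-11) offers only `#noblacklist ${HOME}/.nvm`, whereas the matching hints in curl.profile and wget.profile also offer `#ignore read-only ${HOME}/.nvm`. tar is the tool that unpacks the fetched release into ~/.nvm, so if the read-only rule those two profiles cancel also reaches tar through archiver-common.profile (which the page does not show), the override as written would still leave extraction failing. If it applies, add `#ignore read-only ${HOME}/.nvm` above the noblacklist line; if it does not, a short comment saying why tar needs only the noblacklist would stop readers from blindly copying the curl/wget pair. The same hint in sha256sum.profile, like this one, says "lines" while offering a single line.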
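--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc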
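--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,6 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 
 include disable-common.inc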
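--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 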
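--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -343,6 +343,18 @@ closed.
 .TP
 \fBprivate directory
 Use directory as user home.
+--private and --private=directory cannot be used together.
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 .TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
@@ -505,7 +517,7 @@ There is no root account (uid 0) defined in the namespace.
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
-Multiple protocol commands are allowed.
+Multiple protocol commands are allowed and they accumulate.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.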
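--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1905,6 +1905,17 @@ Use directory as user home.
 Example:
 .br
 $ firejail \-\-private=/home/netblue/firefox-home firefox
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 
 .TP
 \fB\-\-private-bin=file,file
@@ -2171,6 +2182,7 @@ $ firejail \-\-profile.print=browser
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
 Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
+Multiple protocol commands are allowed and they accumulate.
 .br
 
 .br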