author: netblue30 <netblue30@protonmail.com> 2021-07-01 08:59:59 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-07-01 08:59:59 -0400
commit: 0562ceb658efff25583ff619846ef2c0ab697e37 (patch)
tree: 98aef0cb248780c30bec7ee97cd569c4a823e265
parent: Merge pull request #4365 from lxeiqr/sndio-fix (diff)
cleanup for the next development cycle
-rw-r--r--  README                         |   2
-rw-r--r--  README.md                      | 153
-rw-r--r--  etc/inc/allow-opengl-game.inc  |   4
3 files changed, 33 insertions(+), 126 deletions(-)
@@ -603,6 +603,8 @@ Lukáš Krejčí (https://github.com/lskrejci) | |||
603 | - fixed parsing of --keep-var-tmp | 603 | - fixed parsing of --keep-var-tmp |
604 | luzpaz (https://github.com/luzpaz) | 604 | luzpaz (https://github.com/luzpaz) |
605 | - code spelling fixes | 605 | - code spelling fixes |
606 | lxeiqr (https://github.com/lxeiqr) | ||
607 | - fix sndio support | ||
606 | Mace Muilman (https://github.com/mace015) | 608 | Mace Muilman (https://github.com/mace015) |
607 | - google-chrome{,beta,unstable} flags | 609 | - google-chrome{,beta,unstable} flags |
608 | maces (https://github.com/maces) | 610 | maces (https://github.com/maces) |
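Review bot: the new credit line "fix sndio support" uses the imperative while the neighbouring entry two lines above reads "fixed parsing of --keep-var-tmp"; consider "fixed sndio support" so the list keeps one tense. Placement is correct: the entry sits alphabetically between luzpaz and Mace Muilman, and the credit matches the parent commit "Merge pull request #4365 from lxeiqr/sndio-fix".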
@@ -189,107 +189,18 @@ You can also use this tool to get a list of syscalls needed by a program: [contr | |||
189 | 189 | ||
190 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 190 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
191 | 191 | ||
192 | ## Latest released version: 0.9.64 | 192 | ## Latest released version: 0.9.66 |
193 | 193 | ||
194 | ## Current development version: 0.9.65 | 194 | ## Current development version: 0.9.67 |
195 | 195 | ||
196 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 196 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
197 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | 197 | Release discussion: https://github.com/netblue30/firejail/issues/3696 |
198 | 198 | ||
199 | ### jailcheck | 199 | Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change! |
200 | ````` | ||
201 | JAILCHECK(1) JAILCHECK man page JAILCHECK(1) | ||
202 | |||
203 | NAME | ||
204 | jailcheck - Simple utility program to test running sandboxes | ||
205 | |||
206 | SYNOPSIS | ||
207 | sudo jailcheck [OPTIONS] [directory] | ||
208 | |||
209 | DESCRIPTION | ||
210 | jailcheck attaches itself to all sandboxes started by the user and per‐ | ||
211 | forms some basic tests on the sandbox filesystem: | ||
212 | |||
213 | 1. Virtual directories | ||
214 | jailcheck extracts a list with the main virtual directories in‐ | ||
215 | stalled by the sandbox. These directories are build by firejail | ||
216 | at startup using --private* and --whitelist commands. | ||
217 | |||
218 | 2. Noexec test | ||
219 | jailcheck inserts executable programs in /home/username, /tmp, | ||
220 | and /var/tmp directories and tries to run them from inside the | ||
221 | sandbox, thus testing if the directory is executable or not. | ||
222 | |||
223 | 3. Read access test | ||
224 | jailcheck creates test files in the directories specified by the | ||
225 | user and tries to read them from inside the sandbox. | ||
226 | |||
227 | 4. AppArmor test | ||
228 | |||
229 | 5. Seccomp test | ||
230 | |||
231 | The program is started as root using sudo. | ||
232 | |||
233 | OPTIONS | ||
234 | --debug | ||
235 | Print debug messages. | ||
236 | |||
237 | -?, --help | ||
238 | Print options and exit. | ||
239 | |||
240 | --version | ||
241 | Print program version and exit. | ||
242 | |||
243 | [directory] | ||
244 | One or more directories in user home to test for read access. | ||
245 | ~/.ssh and ~/.gnupg are tested by default. | ||
246 | 200 | ||
247 | OUTPUT | 201 | The old whitelist/blacklist will remain as aliasses for the next one or two releases |
248 | For each sandbox detected we print the following line: | 202 | in order to give users a chance to switch their local profiles. |
249 | 203 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | |
250 | PID:USER:Sandbox Name:Command | ||
251 | |||
252 | It is followed by relevant sandbox information, such as the virtual di‐ | ||
253 | rectories and various warnings. | ||
254 | |||
255 | EXAMPLE | ||
256 | $ sudo jailcheck | ||
257 | 2014:netblue::firejail /usr/bin/gimp | ||
258 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, | ||
259 | Warning: I can run programs in /home/netblue | ||
260 | |||
261 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
262 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
263 | Warning: I can read ~/.ssh | ||
264 | |||
265 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
266 | pimage | ||
267 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
268 | |||
269 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
270 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
271 | /run/user/1000, | ||
272 | |||
273 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
274 | Warning: AppArmor not enabled | ||
275 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
276 | /usr/share, /run/user/1000, | ||
277 | Warning: I can run programs in /home/netblue | ||
278 | |||
279 | LICENSE | ||
280 | This program is free software; you can redistribute it and/or modify it | ||
281 | under the terms of the GNU General Public License as published by the | ||
282 | Free Software Foundation; either version 2 of the License, or (at your | ||
283 | option) any later version. | ||
284 | |||
285 | Homepage: https://firejail.wordpress.com | ||
286 | |||
287 | SEE ALSO | ||
288 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ | ||
289 | gin(5), firejail-users(5), | ||
290 | |||
291 | 0.9.65 May 2021 JAILCHECK(1) | ||
292 | ````` | ||
293 | 204 | ||
294 | ### Profile Statistics | 205 | ### Profile Statistics |
295 | 206 | ||
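Review bot: "aliasses" in the added paragraph should be "aliases". The release discussion link is left at https://github.com/netblue30/firejail/issues/3696 while the development version moves from 0.9.65 to 0.9.67; check whether that issue still tracks the new cycle or should be replaced by a fresh release thread, since the allow/deny migration already gets its own link (https://github.com/netblue30/firejail/issues/4379). Dropping the pasted jailcheck(1) page also removes this section's only description of what the tool checks (virtual directories, the noexec test on /home, /tmp and /var/tmp, read access to ~/.ssh and ~/.gnupg, AppArmor and seccomp); a one-line pointer to the man page would keep that discoverable from the README.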
@@ -298,40 +209,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi | |||
298 | $ sudo cp src/profstats/profstats /etc/firejail/. | 209 | $ sudo cp src/profstats/profstats /etc/firejail/. |
299 | $ cd /etc/firejail | 210 | $ cd /etc/firejail |
300 | $ ./profstats *.profile | 211 | $ ./profstats *.profile |
301 | Stats: | 212 | profiles 1150 |
302 | profiles 1135 | 213 | include local profile 1150 (include profile-name.local) |
303 | include local profile 1135 (include profile-name.local) | 214 | include globals 1120 (include globals.local) |
304 | include globals 1106 (include globals.local) | 215 | blacklist ~/.ssh 1026 (include disable-common.inc) |
305 | blacklist ~/.ssh 1009 (include disable-common.inc) | 216 | seccomp 1050 |
306 | seccomp 1035 | 217 | capabilities 1146 |
307 | capabilities 1130 | 218 | noexec 1030 (include disable-exec.inc) |
308 | noexec 1011 (include disable-exec.inc) | 219 | noroot 959 |
309 | noroot 944 | 220 | memory-deny-write-execute 253 |
310 | memory-deny-write-execute 242 | 221 | apparmor 681 |
311 | apparmor 667 | 222 | private-bin 667 |
312 | private-bin 635 | 223 | private-dev 1009 |
313 | private-dev 992 | 224 | private-etc 523 |
314 | private-etc 508 | 225 | private-tmp 883 |
315 | private-tmp 866 | 226 | whitelist home directory 547 |
316 | whitelist home directory 542 | 227 | whitelist var 818 (include whitelist-var-common.inc) |
317 | whitelist var 799 (include whitelist-var-common.inc) | 228 | whitelist run/user 616 (include whitelist-runuser-common.inc |
318 | whitelist run/user 597 (include whitelist-runuser-common.inc | ||
319 | or blacklist ${RUNUSER}) | 229 | or blacklist ${RUNUSER}) |
320 | whitelist usr/share 569 (include whitelist-usr-share-common.inc | 230 | whitelist usr/share 591 (include whitelist-usr-share-common.inc |
321 | net none 389 | 231 | net none 391 |
322 | dbus-user none 619 | 232 | dbus-user none 641 |
323 | dbus-user filter 105 | 233 | dbus-user filter 105 |
324 | dbus-system none 770 | 234 | dbus-system none 792 |
325 | dbus-system filter 7 | 235 | dbus-system filter 7 |
326 | ``` | 236 | ``` |
327 | 237 | ||
328 | ### New profiles: | 238 | ### New profiles: |
329 | |||
330 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | ||
331 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, | ||
332 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, | ||
333 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, | ||
334 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, | ||
335 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon, | ||
336 | neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr, | ||
337 | tin | ||
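Review bot: the regenerated profstats block carries over two formatting defects from the old one: the "whitelist usr/share 591 (include whitelist-usr-share-common.inc" line has no closing parenthesis, and the "whitelist run/user" note is split across two lines ("(include whitelist-runuser-common.inc" / "or blacklist ${RUNUSER})"), which reads oddly inside the fenced block. Since the output is being re-pasted anyway, fix both when pasting. The "### New profiles:" heading is kept after its list is deleted, so the section is empty until the first profile of the 0.9.67 cycle lands; that is expected for a cleanup commit, but worth saying in the commit message.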
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc index b5ff1bd50..5d2d6c5c1 100644 --- a/etc/inc/allow-opengl-game.inc +++ b/etc/inc/allow-opengl-game.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-opengl-game.local | ||
4 | |||
1 | noblacklist ${PATH}/bash | 5 | noblacklist ${PATH}/bash |
2 | whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh | 6 | whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh |
3 | private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity | 7 | private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity |
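Review bot: the new include allow-opengl-game.local is placed ahead of the three existing rules, so anything a user puts in that file is parsed before noblacklist ${PATH}/bash, the whitelist of opengl-game-functions.sh and the private-bin list; that ordering is what the header comment promises ("Persistent customizations should go in a .local file") and matches the header/blank-line layout used for the other .inc files, so the hunk is fine as is. Only suggestion: confirm the header wording is byte-identical to the one in the other include files so a grep for "overwritten during software install" finds every file that supports a .local override.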