author | netblue30 <netblue30@yahoo.com> | 2016-06-10 08:40:24 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-06-10 08:40:24 -0400 |
commit | 783251e0749e27e28b3ac54b5047f10cf1c44016 (patch) | |
tree | 7fddeee60485e3183ed2d7590efad8e32ed27b53 | |
parent | x11 work (diff) | |
private-bin conversion
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | etc/deluge.profile | 5 | ||||
-rw-r--r-- | etc/disable-devel.inc | 3 | ||||
-rw-r--r-- | etc/mpv.profile | 4 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 3 | ||||
-rw-r--r-- | etc/rtorrent.profile | 3 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 5 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 5 | ||||
-rw-r--r-- | etc/vlc.profile | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 | ||||
-rwxr-xr-x | test/apps/apps.sh | 9 | ||||
-rwxr-xr-x | test/apps/qbittorrent.exp | 83 |
12 files changed, 125 insertions, 6 deletions
@@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo | |||
65 | 65 | ||
66 | AppImage project home: https://github.com/probonopd/AppImageKit | 66 | AppImage project home: https://github.com/probonopd/AppImageKit |
67 | 67 | ||
68 | ## Converting profiles to private-bin - work in progress | ||
69 | |||
70 | BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt | ||
71 | |||
68 | ## New security profiles | 72 | ## New security profiles |
69 | 73 | ||
70 | Gitter, gThumb, mpv, Franz messenger | 74 | Gitter, gThumb, mpv, Franz messenger |
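--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -12,3 +12,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin deluge,sh,python,uname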
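Review bot: The header comment on the new side still misspells the word — `# deluge bittorrernt client profile` should read `# deluge bittorrent client profile`. The `private-bin deluge,sh,python,uname` line also deserves a why-comment: unlike the other profiles converted in this commit, it keeps a shell and a full Python interpreter inside the sandbox, so private-bin narrows the executable set much less here, and a reader should know that is deliberate. A line such as `# sh, python and uname are needed by the deluge launcher on Debian (see the comment on line 4); verify on other distributions` records both the reason and the caveat. I am inferring the launcher dependency from the existing "deluge is using python on Debian" comment; the exact set of helper binaries is not visible here.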
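--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,8 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
 
-# disabled temporarily pending globbing implementation
-# in noblacklist command and firefox profile fix
+# Programs using python: deluge, some firefox addons
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*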
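--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -12,3 +12,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# to test
+shell none
+private-bin mpv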
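Review bot: The `# to test` marker added above `shell none` in mpv.profile (and again in vlc.profile in this commit) says nothing about what is unverified, so nobody can tell when it may be removed; a marker that names the open question, e.g. `# TODO: confirm mpv starts under private-bin (no helper binaries or shell wrapper required)`, is actionable. vlc.profile additionally inserts two consecutive blank lines before its marker where every other profile in this commit inserts one.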
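--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin qbittorrent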
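--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin rtorrent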
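--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-gtk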
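--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
 
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+
+shell none
+private-bin transmission-qt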
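--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,3 +12,8 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+
+# to test
+shell none
+private-bin vlc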
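--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
 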
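--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -60,6 +60,15 @@ else
 echo "TESTING SKIP: transmission-qt not found"
 fi
 
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: qbittorrent"
+./qbittorrent.exp
+else
+echo "TESTING SKIP: qbittorrent not found"
+fi
+
 which evince
 if [ "$?" -eq 0 ];
 then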
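Review bot: The new block runs `which qbittorrent` for its side effect only, so the binary path is printed into the test output and the result is read back through `$?` on the following line; `if command -v qbittorrent >/dev/null 2>&1; then` tests the same condition in one line, keeps the log clean and does not depend on `which` being installed. The surrounding transmission-qt and evince blocks use the same `which`/`$?` pattern, so converting only this block would break the file's consistency — either convert the whole file or keep it as is.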
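--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"qbittorrent"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail qbittorrent"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail qbittorrent"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+
+puts "\n"
+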
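Review bot: Two timeout branches print the same label `TESTING ERROR 5.1` — the `Seccomp: 2` check and the `name=blablabla` check that follows it — so a failure in the second cannot be told apart from the first in the log; renaming the second to `timeout {puts "TESTING ERROR 5.2\n";exit}` keeps the labels unique (the missing "TESTING ERROR 2" is only cosmetic). Every failure path also calls `exit` with the default status 0, so a caller that checks the exit code cannot see the error; apps.sh appears to rely on the "TESTING ERROR" text rather than the status, and if that is the convention for the other .exp files a short comment at the top saying so would spare the next reader the question. The script ends without shutting down the `firejail qbittorrent` and `firejail --name=blablabla` sandboxes it started; if the harness is expected to clean them up, that is worth a closing comment as well.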