author | netblue30 <netblue30@yahoo.com> | 2019-09-15 06:59:31 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-15 06:59:31 -0500 |
commit | 99da7745bfd2a7c3a8c982e15b7d9b38e4df9b4b (patch) | |
tree | aab0f8277a0ae1de922b8a9268b01428e8febd73 | |
parent | Make sure that we are unprivileged before creating the trace log file. (diff) | |
parent | Fix #2899 (diff) | |
Merge branch 'master' into fix-profile-builder
46 files changed, 312 insertions, 146 deletions
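--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-
-env QTWEBENGINE_DISABLE_SANDBOX=1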
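Review bot: The new `seccomp !chroot` on line 31 carries no comment saying why chroot must stay allowed, and the `env QTWEBENGINE_DISABLE_SANDBOX=1` line is removed in the same hunk, so a reader of the finished profile cannot tell that the two are linked (presumably the app's built-in Qt WebEngine sandbox now runs and needs chroot). akregator, falkon and qutebrowser in this same commit record the exception with `# chroot syscalls are needed for setting up the built-in sandbox`; the same one-line comment above the seccomp line would fit here and in bibletime, brackets, kiwix-desktop, standardnotes-desktop, start-tor-browser and teamspeak3, which also gain an uncommented `!chroot`. In brackets, `!ioperm` deserves its own reason, as simple-scan and skanlite give for theirs.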
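--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev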
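--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt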
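--- /dev/null
+++ b/etc/ar.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname ar
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin ar
+private-cache
+private-dev
+
+memory-deny-write-execute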
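Review bot: `#noroot` on line 28 of the new file is commented out with no reason given, so the next maintainer cannot tell whether it is a known breakage or an oversight; every other hardening line in the file is active, which makes the silent exception stand out. Other profiles in this commit record such exceptions in a comment (qpdfview: `# needs D-Bus when started from a file manager`); a line such as `# noroot - disabled because <describe what fails, or reference the issue>` directly above it would do.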
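--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
 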
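--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile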
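Review bot: The new order `seccomp` then `ignore seccomp` on lines 17–18 is load-bearing and undocumented: as far as I recall, `ignore` only suppresses profile lines parsed after it, so it has to sit below the local `seccomp` line to discard the `seccomp !chroot` that firefox-common.profile now contributes while keeping this profile's own full filter. Anyone who later tidies the two lines into the opposite order would silently end up with no seccomp filter at all. Suggest extending the existing comment: `# "ignore seccomp" must come after the seccomp line: it only affects later lines (the seccomp !chroot from firefox-common.profile)`. The same applies to palemoon.profile in this commit.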
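--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt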
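--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -27,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 
 private-cache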
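--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 
 private-dev
 private-tmp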
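--- a/etc/code.profile
+++ b/etc/code.profile
@@ -18,7 +18,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 caps.drop all
-net none
 netfilter
 nodvd
 nogroups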
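Review bot: Dropping `net none` (old line 21) gives the sandbox the host's full network stack, and the `netfilter` line that remains does not compensate: as far as I recall from the firejail manual, netfilter only takes effect when the sandbox is started with a new network namespace via a `net` option, so after this hunk it is inert. If network access is needed for the editor's extensions or updates, that rationale should be recorded in the profile rather than inferred, e.g. `# net none disabled: <reason>; re-enable it in code.local if you do not need network access`, so the relaxation is not reverted blindly. The rest of the profile is outside the hunk, so I cannot see whether `protocol` and `seccomp` still bound the exposure.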
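--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 
 private-dev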
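--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog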
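--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -58,6 +58,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
 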
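Review bot: The `private-etc` line (old line 61) is deleted outright rather than commented out with a reason, so the sandbox now sees all of /etc and nothing in the profile records why the narrower view was abandoned. The project's own convention, visible elsewhere in this commit (qpdfview's `# needs D-Bus when started from a file manager` above a disabled option), is to keep the disabled line with its reason; `# private-etc ... - <what broke>` followed by the commented-out line would stop a future maintainer from re-adding it and re-breaking the application.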
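--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -29,7 +29,9 @@ machine-id
 net none
 no3d
 nodvd
-nodbus
+# Breaks 'Lock database when session is locked or lid is closed' (#2899),
+# you can safely uncomment it or add to keepassxc.local if you don't need this feature.
+#nodbus
 nogroups
 nonewprivs
 noroot
@@ -46,8 +48,5 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
-# 2.2.4 crashes on database open
-# memory-deny-write-execute
-
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc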
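--- a/etc/kiwix-desktop.profile
+++ b/etc/kiwix-desktop.profile
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt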
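--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
 private-dev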
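--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 
 #private-bin bash,mpd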
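--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile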
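--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog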
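--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -22,7 +22,8 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-nodbus
+# needs D-Bus when started from a file manager
+#nodbus
 nodvd
 nogroups
 nonewprivs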
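--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -21,7 +21,5 @@ mkdir ${HOME}/.config/qupzilla
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
 
-# private-tmp - interferes with the opening of downloaded files
-
 # Redirect
 include falkon.profile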
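--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog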
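--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
 
-ignore seccomp
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 # Redirect
 include riot-web.profile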
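Review bot: Removing `ignore seccomp` (old line 10) changes how this profile composes with riot-web.profile, which is included right below: any `seccomp` line that riot-web.profile carries (not visible here) is no longer suppressed and, as far as I can tell, is parsed after the new `seccomp !chroot`. Please confirm that the later line does not end up installing a filter that blocks chroot again, since allowing chroot is exactly what the old drop list was tailored for. A comment stating which of the two seccomp lines is expected to win, e.g. `# riot-web.profile also sets seccomp; keep chroot allowed there as well`, would make the intent survive the next edit.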
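--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -20,10 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.config/dconf
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.ssh
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.ssh
 whitelist /tmp/ssh-*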
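--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -22,16 +22,12 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 disable-mnt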
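Review bot: The new `caps.keep sys_admin,sys_chroot` (line 25) together with the removal of `nonewprivs`, `noroot`, `protocol` and `seccomp` (old lines 29–30 and 33–34) strips most of the kernel-level hardening from this profile in one step, and neither the hunk nor the merge description records why. CAP_SYS_ADMIN is close to unrestricted root, so keeping it in a profile that previously dropped every capability deserves a comment naming the concrete failure it fixes and an issue reference, e.g. `# caps/seccomp relaxed for <component that needs them> - see <issue>`. It is also worth checking whether `seccomp !chroot`, which riot-desktop and standardnotes-desktop adopt in this same commit for comparable Electron apps, would have been enough to keep a seccomp filter and `nonewprivs` in place here. skypeforlinux.profile in this commit receives the identical change and raises the same question.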
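--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
 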
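--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 
 # private-bin kbuildsycoca4,kdeinit4,skanlite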
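--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -16,16 +16,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
 disable-mnt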
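--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 
 disable-mnt
 private-dev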
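--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog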
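--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -40,7 +40,7 @@ tracelog
 x11 none
 
 # support compressed archives
-private-bin bash,bzip2,compress,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
+private-bin bash,bzip2,compress,firejail,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz
 private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd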
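Review bot: Adding `firejail` to `private-bin` on line 43 exposes the setuid firejail binary inside the sandbox's bin directory, and the surrounding comment `# support compressed archives` does not say why that is needed. Presumably it is so that compressor names which are firecfg symlinks to firejail on the host still resolve when tar execs them, but that should be written down rather than guessed, e.g. `# firejail: needed when the compressors are firecfg symlinks to firejail` if that is the reason. Without it, the next person trimming the list will drop the entry and reintroduce whatever failure this fixes.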
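--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 
 disable-mnt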
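--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -138,6 +138,7 @@ include globals.local
 # - packet almost never
 #protocol unix,inet,inet6,netlink,packet
 #seccomp
+##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #shell none
 #tracelog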
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index bc45d9f9d..ea3b5a6b0 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -1,73 +1,107 @@ | |||
1 | Hints for writing seccomp.drop lines | 1 | Hints to write own seccomp filters |
2 | ==================================== | 2 | ================================== |
3 | |||
4 | |||
5 | The different seccomp commands | ||
6 | ------------------------------ | ||
7 | |||
8 | Always have a look at 'man 1 firejail'. | ||
9 | |||
10 | - seccomp | ||
11 | Blocks all syscalls in the default-group. | ||
12 | - The default-group is @default-nodebuggers, unless allow-debuggers is | ||
13 | specified, then @default is used. | ||
14 | - Listed syscalls and groups are also blocked. | ||
15 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
16 | - seccomp.block-secondary | ||
17 | Allows only native syscalls, all syscalls for other architectures are blocked. | ||
18 | - seccomp.drop | ||
19 | Blocks all listed syscalls. | ||
20 | - Exceptions are possible by putting a ! in before the name of a syscall. | ||
21 | - seccomp.keep | ||
22 | Allows only listed syscalls. | ||
23 | To write your own seccomp.keep line, see: | ||
24 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
25 | - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh | ||
3 | 26 | ||
4 | Definition of groups | 27 | Definition of groups |
5 | -------------------- | 28 | -------------------- |
6 | 29 | ||
30 | @aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit | ||
31 | @basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev | ||
32 | @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32 | ||
7 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
8 | @module=delete_module,finit_module,init_module | ||
9 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
10 | @reboot=kexec_file_load,kexec_load,reboot | ||
11 | @swap=swapoff,swapon | ||
12 | |||
13 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
14 | |||
15 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
16 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
17 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | 36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup |
18 | @resources=mbind,migrate_pages,move_pages,set_mempolicy | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
19 | |||
20 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
21 | |||
22 | @default-nodebuggers=@default,personality,process_vm_readv,ptrace | ||
23 | |||
24 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | ||
40 | @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select | ||
41 | @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget | ||
42 | @keyring=add_key,keyctl,request_key | ||
43 | @memlock=mlock,mlock2,mlockall,munlock,munlockall | ||
44 | @module=delete_module,finit_module,init_module | ||
45 | @mount=chroot,mount,pivot_root,umount,umount2 | ||
46 | @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair | ||
47 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
48 | @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup | ||
49 | @process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid | ||
50 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
51 | @reboot=kexec_load,kexec_file_load,reboot | ||
52 | @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy | ||
53 | @setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32 | ||
54 | @signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend | ||
55 | @swap=swapon,swapoff | ||
56 | @sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs | ||
57 | @system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice | ||
58 | @timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times | ||
25 | 59 | ||
26 | Inheritance of groups | 60 | Inheritance of groups |
27 | --------------------- | 61 | --------------------- |
28 | 62 | ||
29 | +---------+----------------+---------------+ | 63 | +---------------+ |
30 | | @clock | @cpu-emulation | @default-keep | | 64 | | @default-keep | |
31 | | @module | @debug | | | 65 | | @mount | |
32 | | @raw-io | @obsolete | | | 66 | +---------------+ |
33 | | @reboot | @resources | | | 67 | |
34 | | @swap | | | | 68 | +----------------+ +---------+ +--------+ +--------------+ |
35 | +---------+----------------+---------------+ | 69 | | @cpu-emulation | | @clock | | @chown | | @aio | |
36 | : : | 70 | | @debug | | @module | +--------+ | @basic-io | |
37 | +-------------+ : | 71 | | @obsolete | | @raw-io | : : | @file-system | |
38 | | @privileged | : | 72 | +----------------+ | @reboot | : : | @io-event | |
39 | +-------------+ : | 73 | : | @swap | : : | @ipc | |
40 | : : | 74 | : +---------+ : : | @keyring | |
41 | +----------+ : | 75 | : : : : : | @memlock | |
42 | | @default |........: | 76 | : ..............: : : : | @network-io | |
43 | +----------+ | 77 | : : : ........: : | @process | |
44 | : | 78 | : : : : : | @resources | |
45 | +----------------------+ | 79 | +----------+ +-------------+ : | @setuid | |
46 | | @default-nodebuggers | | 80 | | @default | | @privileged | : | @signal | |
47 | +----------------------+ | 81 | +----------+ +-------------+ : | @sync | |
48 | 82 | : : : | @timer | | |
49 | common used seccomp.drop lines | 83 | : :........................... : +--------------+ |
50 | ------------------------------ | 84 | : : : : |
51 | 85 | +----------------------+ +-----------------+ | |
52 | @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 86 | | @default-nodebuggers | | @system-service | |
53 | 87 | +----------------------+ +-----------------+ | |
54 | @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 88 | |
55 | 89 | ||
56 | Building a seccomp.drop line if seccomp breaks a programm | 90 | What to do if seccomp breaks a program |
57 | --------------------------------------------------------- | 91 | -------------------------------------- |
58 | 92 | ||
59 | ``` | 93 | ``` |
60 | $ journalctl --grep=syscall --follow | 94 | $ journalctl --grep=syscall --follow |
61 | <...> audit[…]: SECCOMP <...> syscall=161 <...> | 95 | <...> audit[…]: SECCOMP <...> syscall=161 <...> |
62 | $ firejail --debug-syscalls | grep 161 | 96 | $ firejail --debug-syscalls | grep 161 |
63 | 161 - chroot | 97 | 161 - chroot |
64 | ``` | 98 | ``` |
99 | Profile: `seccomp -> seccomp !chroot` | ||
65 | 100 | ||
66 | TODO: write a short explanation | 101 | Start `journalctl --grep=syscall --follow` in a terminal, then start the broken |
67 | TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible | 102 | program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. |
68 | 103 | Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You | |
69 | see also | 104 | will see something like `NUMBER - NAME`, because you now know the name of the |
70 | -------- | 105 | syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. |
71 | 106 | ||
72 | - contrib/syscalls.sh | 107 | If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. |
73 | - https://firejail.wordpress.com/documentation-2/seccomp-guide/ | ||
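--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog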
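--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,10 +20,6 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
-
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig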
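Review bot: Dropping the `mkdir`/`whitelist ${HOME}/.config/dconf` pair removes dconf access from every profile that includes whitelist-common.inc, not only the one that motivated the change; GSettings-based programs in those profiles may then be unable to persist their settings. If the entry moved to a dedicated include elsewhere in this merge that is fine, but the affected profiles are not visible here, so a sentence in the commit message naming the replacement would help reviewers. Otherwise keep the lines and add a comment such as `# dconf: needed by GSettings-based applications` so the next cleanup does not remove them again.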
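--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -28,11 +28,10 @@ int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
 
-static int copy_limit = 500 * 1024 *1024; // 500 MB
-#define COPY_LIMIT (
+static unsigned long long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 
 static char *outpath = NULL;
 static char *inpath = NULL;
@@ -187,7 +186,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
 
 // recalculate size
 if ((s.st_size + size_cnt) > copy_limit) {
-fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
+fprintf(stderr, "Error fcopy: size limit of %lluMB reached\n", (copy_limit / 1024) / 1024);
 size_limit_reached = 1;
 free(outfname);
 return 0;
@@ -392,9 +391,9 @@ int main(int argc, char **argv) {
 // extract copy limit size from env variable, if any
 char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
 if (cl) {
-copy_limit = atoi(cl) * 1024 * 1024;
+copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
 if (arg_debug)
-printf("file copy limit %d bytes\n", copy_limit);
+printf("file copy limit %llu bytes\n", copy_limit);
 }
 
 // copy files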
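Review bot: `strtoul(cl, NULL, 10) * 1024 * 1024` in main() is evaluated in unsigned long before it is widened into copy_limit, so on an ILP32 build a FIREJAIL_FILE_COPY_LIMIT of 4096 or more wraps to a small limit, and a non-numeric value silently becomes 0, after which every non-empty copy trips the size check in fs_copydir. Parsing with strtoull plus an end-pointer and range check keeps the built-in default on malformed input and avoids the narrowing; it needs <errno.h> and <limits.h> in scope. main() continues outside the hunk.
```c
	char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
	if (cl) {
		char *end = NULL;
		errno = 0;
		unsigned long long mb = strtoull(cl, &end, 10);
		// keep the built-in default on empty, non-numeric or out-of-range input
		if (errno == 0 && end != cl && *end == '\0' && mb <= ULLONG_MAX / (1024ULL * 1024))
			copy_limit = mb * 1024 * 1024;
		if (arg_debug)
			printf("file copy limit %llu bytes\n", copy_limit);
	}
	// … unchanged: copy files …
```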
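--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -36,6 +36,7 @@ amule
 android-studio
 anydesk
 apktool
+ar
 arch-audit
 archaudit-report
 ardour4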
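--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -201,11 +201,14 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 },
 { .name = "@default", .list =
+"@clock,"
 "@cpu-emulation,"
 "@debug,"
+"@module,"
 "@obsolete,"
-"@privileged,"
-"@resources,"
+"@raw-io,"
+"@reboot,"
+"@swap,"
 #ifdef SYS_open_by_handle_at
 "open_by_handle_at,"
 #endif
@@ -233,6 +236,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_request_key
 "request_key,"
 #endif
+#ifdef SYS_mbind
+"mbind,"
+#endif
+#ifdef SYS_migrate_pages
+"migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+"move_pages,"
+#endif
 #ifdef SYS_keyctl
 "keyctl,"
 #endif
@@ -254,6 +266,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_remap_file_pages
 "remap_file_pages,"
 #endif
+#ifdef SYS_set_mempolicy
+"set_mempolicy"
+#endif
 #ifdef SYS_vmsplice
 "vmsplice,"
 #endif
@@ -263,6 +278,36 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_userfaultfd
 "userfaultfd,"
 #endif
+#ifdef SYS_acct
+"acct,"
+#endif
+#ifdef SYS_bpf
+"bpf,"
+#endif
+#ifdef SYS_chroot
+"chroot,"
+#endif
+#ifdef SYS_mount
+"mount,"
+#endif
+#ifdef SYS_nfsservctl
+"nfsservctl,"
+#endif
+#ifdef SYS_pivot_root
+"pivot_root,"
+#endif
+#ifdef SYS_setdomainname
+"setdomainname,"
+#endif
+#ifdef SYS_sethostname
+"sethostname,"
+#endif
+#ifdef SYS_umount2
+"umount2,"
+#endif
+#ifdef SYS_vhangup
+"vhangup"
+#endif
 //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
 // "mincore"
 //#endif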
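Review bot: `"set_mempolicy"` at new line 270 has no trailing comma, so whenever SYS_set_mempolicy and SYS_vmsplice are both defined the adjacent string literals concatenate into `set_mempolicyvmsplice,` and neither syscall ends up in the @default list; the new syscalls.txt in this merge already shows that fused name in its @default line, which suggests the text was generated from this table. It should read `"set_mempolicy,"`. `"vhangup"` at line 309 only gets away without the comma because every entry after it is commented out; a trailing comma there as well would keep the table safe to reorder or extend.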
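--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -52,10 +52,7 @@ static orig_access_t orig_access = NULL;
 //
 // library constructor/destructor
 //
-// Replacing printf with fprintf to /dev/tty in order to fix #561
-// If you really want to turn it off, comment the following line, but its a
-// really bad idea.
-#define PRINTF_DEVTTY
+// Using fprintf to /dev/tty instead of printf in order to fix #561
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
@@ -75,12 +72,8 @@ void init(void) {
 // if exists, log to trace file
 logfile = RUN_TRACE_FILE;
 if (orig_access(logfile, F_OK))
-#ifdef PRINTF_DEVTTY
 // else log to associated tty
 logfile = "/dev/tty";
-#else
-logfile = "/proc/self/fd/2";
-#endif
 }
 
 // logfile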
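Review bot: With the `/proc/self/fd/2` fallback gone, a traced process that has no controlling terminal (a daemon, or anything started under setsid) is left with only `/dev/tty`, which fails to open with ENXIO whenever the trace file does not exist; what init() does with a failed open is outside the hunk, so please confirm the hooks tolerate a NULL ftty rather than dereference it or stop tracing unnoticed. A comment on the `logfile = "/dev/tty";` line stating the intended behaviour, e.g. `// without a controlling tty this open fails and output is dropped`, would make the trade-off explicit for the next reader.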
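--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1762,25 +1762,22 @@ Example:
 $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
-create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
-io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
-kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages, modify_ldt, mount, move_pages, mpx,
-name_to_handle_at, nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
-personality, pivot_root, process_vm_readv, process_vm_writev, prof, profil, ptrace, putpmsg,
-query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
-security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
-swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
-vm86, vm86old, vmsplice and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is @default-nodebuggers unless allow-debuggers is specified,
+then it is @default.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
-@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386.
+system call groups are defined: @aio, @basic-io, @chown, @clock,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+
+In addition, a system call can be specified by its number instead of
+name with prefix $, so for example $165 would be equal to mount on i386.
+Exceptions can be allowed with prefix !.
 
 .br
 System architecture is strictly imposed only if flag
@@ -1798,8 +1795,10 @@ Example:
 .br
 $ firejail \-\-seccomp
 .TP
-\fB\-\-seccomp=syscall,@group
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+\fB\-\-seccomp=syscall,@group,!syscall2
+Enable seccomp filter, whitelist "syscall2", but blacklist the default
+list and the syscalls or syscall groups specified by the
+command.
 .br
 
 .br
@@ -1899,10 +1898,10 @@ rm: cannot remove `testfile': Operation not permitted
 
 
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the
-command. The system calls needed by Firejail (group @default-keep:
-prctl, execve) are handled with the preload library.
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve)
+are handled with the preload library.
 .br
 
 .br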
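--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -95,7 +95,7 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-timeout {puts "TESTING ERROR 15\n";exit}
+timeout {puts "shutdown\n";exit}
 "AppImage unmounted"
 }
 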
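Review bot: The timeout branch on line 98 now prints `shutdown` instead of `TESTING ERROR 15` but still calls `exit`, so a missing "AppImage unmounted" message aborts the script without the error marker that the other branches emit and that a harness grepping for it would catch. The matching hunks in appimage-v1.exp and appimage-v2.exp drop the `exit` as well, so either the unmount message is optional and this line should become `timeout {puts "shutdown\n"}` too, or it is required and the error marker should stay. A one-line comment above the expect, e.g. `# unmount message is best-effort; do not fail the test on it`, would record which is intended.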
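--- /dev/null
+++ b/test/appimage/appimage-trace.exp
@@ -0,0 +1,68 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set appimage_id $spawn_id
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"leafpad:socket"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"leafpad:connect"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"X11-unix/X0"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Parent is shutting down, bye"
+}
+expect {
+timeout {puts "shutdown\n"}
+"AppImage unmounted"
+}
+sleep 1
+
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"leafpad:socket"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"leafpad:connect"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"X11-unix/X0"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"Parent is shutting down, bye"
+}
+expect {
+timeout {puts "shutdown\n"}
+"AppImage unmounted"
+}
+sleep 1
+
+
+after 100
+
+puts "\nall done\n"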
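--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-timeout {puts "TESTING ERROR 7\n";exit}
+timeout {puts "shutdown\n"}
 "AppImage unmounted"
 }
 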
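--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -82,7 +82,7 @@ spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
-timeout {puts "TESTING ERROR 7\n";exit}
+timeout {puts "shutdown\n"}
 "AppImage unmounted"
 }
 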
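--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -17,3 +17,6 @@ echo "TESTING: AppImage file name (test/appimage/filename.exp)";
 
 echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
+
+echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"
+./appimage-args.exp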
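Review bot: The new "AppImage trace" step on line 22 runs `./appimage-args.exp` a second time instead of the trace test this merge adds, so appimage-trace.exp is never executed by the suite and a regression in `--trace` would go unnoticed. Change the line to `./appimage-trace.exp`.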