diff options
author | hawkeye116477 <hawkeye116477@gmail.com> | 2017-06-22 19:26:28 +0200 |
---|---|---|
committer | hawkeye116477 <hawkeye116477@gmail.com> | 2017-06-22 19:26:28 +0200 |
commit | 4ccb35df264267e00c38953f93dddd1dc9581fa5 (patch) | |
tree | 0700fd4306ef514d8f28ce11138c1a1ff1a29c87 | |
parent | Update profile for Cyberfox (diff) | |
parent | Merge pull request #1343 from BafDyce/fix-example-typo (diff) | |
download | firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.gz firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.tar.zst firejail-4ccb35df264267e00c38953f93dddd1dc9581fa5.zip |
Merge remote-tracking branch 'upstream/master'
102 files changed, 540 insertions, 149 deletions
@@ -116,6 +116,7 @@ curiosity-seeker (https://github.com/curiosity-seeker) | |||
116 | - added guayadeque profile | 116 | - added guayadeque profile |
117 | - added VirtualBox.profile | 117 | - added VirtualBox.profile |
118 | - various other profile fixes | 118 | - various other profile fixes |
119 | - added digiKam profile | ||
119 | Daan Bakker (https://github.com/dbakker) | 120 | Daan Bakker (https://github.com/dbakker) |
120 | - protect shell startup files | 121 | - protect shell startup files |
121 | Dara Adib (https://github.com/daradib) | 122 | Dara Adib (https://github.com/daradib) |
@@ -186,6 +187,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
186 | - added mousepad, qpicview, and cvlc profiles | 187 | - added mousepad, qpicview, and cvlc profiles |
187 | - added BibleTime profile | 188 | - added BibleTime profile |
188 | - added caja and galculator profiles | 189 | - added caja and galculator profiles |
190 | - added Catfish profile | ||
189 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) | 191 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) |
190 | - ARM support | 192 | - ARM support |
191 | - profile fixes | 193 | - profile fixes |
@@ -399,9 +401,11 @@ startx2017 (https://github.com/startx2017) | |||
399 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 401 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist |
400 | - firejail.config cleanup | 402 | - firejail.config cleanup |
401 | - --quiet fixes | 403 | - --quiet fixes |
402 | - 0.9.38-LTS branch maintainer | 404 | - bugfixes branches maintainer |
403 | - firemon --top speed-up | 405 | - firemon --top speed-up |
404 | - Blender and 2048-qt profiles | 406 | - Blender and 2048-qt profiles |
407 | - handbrake profile | ||
408 | - mplayer and smplayer profiles | ||
405 | thewisenerd (https://github.com/thewisenerd) | 409 | thewisenerd (https://github.com/thewisenerd) |
406 | - allow multiple private-home commands | 410 | - allow multiple private-home commands |
407 | - use $SHELL variable if the shell is not specified | 411 | - use $SHELL variable if the shell is not specified |
@@ -62,18 +62,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
62 | ````` | 62 | ````` |
63 | 63 | ||
64 | ````` | 64 | ````` |
65 | # Current development version: 0.9.47 | 65 | # Current development version: 0.9.49 |
66 | 66 | ||
67 | ## Profile changes | 67 | ## New profiles: |
68 | 68 | ||
69 | All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you | 69 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer |
70 | can set here a global DNS "dns 8.8.8.8". The file is not overwritten during software install. | ||
71 | 70 | ||
72 | **The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent. Configuration files and | ||
73 | ~/Downloads directory are real, everything else is placed on a temporary filesystem and discarded when the | ||
74 | sandboxed is closed. Please configure your client to put downloaded files in ~/Download directory. | ||
75 | The plan is to have all bittorrent clients whitelisted in the next release.** | ||
76 | |||
77 | ## New profiles | ||
78 | |||
79 | vym, darktable | ||
@@ -1,8 +1,22 @@ | |||
1 | firejail (0.9.47) baseline; urgency=low | 1 | firejail (0.9.49) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress! |
3 | * added /etc/firejail/globals.local for global customizations | 3 | * new profiles: curl |
4 | * bugfixes | 4 | * bugfixes |
5 | -- netblue30 <netblue30@yahoo.com> Tue, 23 May 2017 08:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
6 | |||
7 | firejail (0.9.48) baseline; urgency=low | ||
8 | * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent; | ||
9 | please use ~/Downloads directory for saving files | ||
10 | * modifs: AppArmor made optional; a warning is printed on the screen | ||
11 | if the sandbox fails to load the AppArmor profile | ||
12 | * feature: --novideo | ||
13 | * feature: drop discretionary access control capabilities for | ||
14 | root sandboxes | ||
15 | * feature: added /etc/firejail/globals.local for global customizations | ||
16 | * feature: profile support in overlayfs mode | ||
17 | * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake | ||
18 | * bugfixes | ||
19 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 08:00:00 -0500 | ||
6 | 20 | ||
7 | firejail (0.9.46) baseline; urgency=low | 21 | firejail (0.9.46) baseline; urgency=low |
8 | * security: split most of networking code in a separate executable | 22 | * security: split most of networking code in a separate executable |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.47. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.49. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.47' | 583 | PACKAGE_VERSION='0.9.49' |
584 | PACKAGE_STRING='firejail 0.9.47' | 584 | PACKAGE_STRING='firejail 0.9.49' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then | |||
1265 | # Omit some internal or obsolete options to make the list less imposing. | 1265 | # Omit some internal or obsolete options to make the list less imposing. |
1266 | # This message is too long to be a string in the A/UX 3.1 sh. | 1266 | # This message is too long to be a string in the A/UX 3.1 sh. |
1267 | cat <<_ACEOF | 1267 | cat <<_ACEOF |
1268 | \`configure' configures firejail 0.9.47 to adapt to many kinds of systems. | 1268 | \`configure' configures firejail 0.9.49 to adapt to many kinds of systems. |
1269 | 1269 | ||
1270 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1270 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1271 | 1271 | ||
@@ -1326,7 +1326,7 @@ fi | |||
1326 | 1326 | ||
1327 | if test -n "$ac_init_help"; then | 1327 | if test -n "$ac_init_help"; then |
1328 | case $ac_init_help in | 1328 | case $ac_init_help in |
1329 | short | recursive ) echo "Configuration of firejail 0.9.47:";; | 1329 | short | recursive ) echo "Configuration of firejail 0.9.49:";; |
1330 | esac | 1330 | esac |
1331 | cat <<\_ACEOF | 1331 | cat <<\_ACEOF |
1332 | 1332 | ||
@@ -1434,7 +1434,7 @@ fi | |||
1434 | test -n "$ac_init_help" && exit $ac_status | 1434 | test -n "$ac_init_help" && exit $ac_status |
1435 | if $ac_init_version; then | 1435 | if $ac_init_version; then |
1436 | cat <<\_ACEOF | 1436 | cat <<\_ACEOF |
1437 | firejail configure 0.9.47 | 1437 | firejail configure 0.9.49 |
1438 | generated by GNU Autoconf 2.69 | 1438 | generated by GNU Autoconf 2.69 |
1439 | 1439 | ||
1440 | Copyright (C) 2012 Free Software Foundation, Inc. | 1440 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF | |||
1736 | This file contains any messages produced by compilers while | 1736 | This file contains any messages produced by compilers while |
1737 | running configure, to aid debugging if configure makes a mistake. | 1737 | running configure, to aid debugging if configure makes a mistake. |
1738 | 1738 | ||
1739 | It was created by firejail $as_me 0.9.47, which was | 1739 | It was created by firejail $as_me 0.9.49, which was |
1740 | generated by GNU Autoconf 2.69. Invocation command line was | 1740 | generated by GNU Autoconf 2.69. Invocation command line was |
1741 | 1741 | ||
1742 | $ $0 $@ | 1742 | $ $0 $@ |
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4355 | # report actual input values of CONFIG_FILES etc. instead of their | 4355 | # report actual input values of CONFIG_FILES etc. instead of their |
4356 | # values after options handling. | 4356 | # values after options handling. |
4357 | ac_log=" | 4357 | ac_log=" |
4358 | This file was extended by firejail $as_me 0.9.47, which was | 4358 | This file was extended by firejail $as_me 0.9.49, which was |
4359 | generated by GNU Autoconf 2.69. Invocation command line was | 4359 | generated by GNU Autoconf 2.69. Invocation command line was |
4360 | 4360 | ||
4361 | CONFIG_FILES = $CONFIG_FILES | 4361 | CONFIG_FILES = $CONFIG_FILES |
@@ -4409,7 +4409,7 @@ _ACEOF | |||
4409 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4409 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4410 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4410 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4411 | ac_cs_version="\\ | 4411 | ac_cs_version="\\ |
4412 | firejail config.status 0.9.47 | 4412 | firejail config.status 0.9.49 |
4413 | configured by $0, generated by GNU Autoconf 2.69, | 4413 | configured by $0, generated by GNU Autoconf 2.69, |
4414 | with options \\"\$ac_cs_config\\" | 4414 | with options \\"\$ac_cs_config\\" |
4415 | 4415 | ||
diff --git a/configure.ac b/configure.ac index dc59e5b15..7f9b12d97 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.49, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
diff --git a/etc/0ad.profile b/etc/0ad.profile index 596cb845a..e946c1418 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile | |||
@@ -29,6 +29,7 @@ netfilter | |||
29 | nogroups | 29 | nogroups |
30 | nonewprivs | 30 | nonewprivs |
31 | noroot | 31 | noroot |
32 | novideo | ||
32 | protocol unix,inet,inet6 | 33 | protocol unix,inet,inet6 |
33 | seccomp | 34 | seccomp |
34 | shell none | 35 | shell none |
diff --git a/etc/7z.profile b/etc/7z.profile index f36735303..c7c857dc8 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/7z.local | 7 | include /etc/firejail/7z.local |
7 | 8 | ||
8 | # 7zip crompression tool profile | 9 | # 7zip crompression tool profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | 11 | ||
12 | include /etc/firejail/default.profile | 12 | include /etc/firejail/default.profile |
@@ -15,6 +15,8 @@ blacklist /tmp/.X11-unix | |||
15 | 15 | ||
16 | tracelog | 16 | tracelog |
17 | net none | 17 | net none |
18 | nosound | ||
19 | novideo | ||
18 | shell none | 20 | shell none |
19 | private-dev | 21 | private-dev |
20 | nosound | 22 | nosound |
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 5a42e28e8..367aa5672 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
@@ -19,6 +19,7 @@ nogroups | |||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | novideo | ||
22 | protocol unix,inet,inet6,netlink | 23 | protocol unix,inet,inet6,netlink |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/atom.profile b/etc/atom.profile index fc9e49eab..726682617 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -19,6 +19,7 @@ nogroups | |||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | novideo | ||
22 | protocol unix,inet,inet6,netlink | 23 | protocol unix,inet,inet6,netlink |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/atool.profile b/etc/atool.profile index 3f4b60312..a66b4b1c5 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -16,6 +16,7 @@ nogroups | |||
16 | nonewprivs | 16 | nonewprivs |
17 | noroot | 17 | noroot |
18 | nosound | 18 | nosound |
19 | novideo | ||
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | 22 | netfilter |
diff --git a/etc/atril.profile b/etc/atril.profile index a9199f512..0abad494a 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -18,6 +18,7 @@ nogroups | |||
18 | nonewprivs | 18 | nonewprivs |
19 | noroot | 19 | noroot |
20 | nosound | 20 | nosound |
21 | novideo | ||
21 | protocol unix | 22 | protocol unix |
22 | seccomp | 23 | seccomp |
23 | shell none | 24 | shell none |
diff --git a/etc/audacity.profile b/etc/audacity.profile index 67b625f2b..5b38d84e8 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -21,6 +21,7 @@ no3d | |||
21 | nogroups | 21 | nogroups |
22 | nonewprivs | 22 | nonewprivs |
23 | noroot | 23 | noroot |
24 | novideo | ||
24 | protocol unix | 25 | protocol unix |
25 | seccomp | 26 | seccomp |
26 | shell none | 27 | shell none |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 73bf1cc5a..9d8e336cd 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -22,6 +22,7 @@ nogroups | |||
22 | nonewprivs | 22 | nonewprivs |
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | novideo | ||
25 | protocol unix,inet,inet6 | 26 | protocol unix,inet,inet6 |
26 | seccomp | 27 | seccomp |
27 | shell none | 28 | shell none |
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 9caef7508..2fe6d1927 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -22,6 +22,7 @@ nogroups | |||
22 | nonewprivs | 22 | nonewprivs |
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | novideo | ||
25 | protocol unix | 26 | protocol unix |
26 | # Baloo makes ioprio_set system calls, which are blacklisted by default. | 27 | # Baloo makes ioprio_set system calls, which are blacklisted by default. |
27 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | 28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old |
diff --git a/etc/bibletime.profile b/etc/bibletime.profile index 9b205456a..2162151a1 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile | |||
@@ -29,6 +29,7 @@ nogroups | |||
29 | nonewprivs | 29 | nonewprivs |
30 | noroot | 30 | noroot |
31 | nosound | 31 | nosound |
32 | novideo | ||
32 | protocol unix,inet,inet6,netlink | 33 | protocol unix,inet,inet6,netlink |
33 | seccomp | 34 | seccomp |
34 | shell none | 35 | shell none |
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 40c7a5c83..345dd119a 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -20,6 +20,7 @@ nogroups | |||
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/bless.profile b/etc/bless.profile index 436c06a15..c9ccfc02e 100644 --- a/etc/bless.profile +++ b/etc/bless.profile | |||
@@ -28,6 +28,7 @@ nogroups | |||
28 | nonewprivs | 28 | nonewprivs |
29 | noroot | 29 | noroot |
30 | nosound | 30 | nosound |
31 | novideo | ||
31 | protocol unix | 32 | protocol unix |
32 | seccomp | 33 | seccomp |
33 | shell none | 34 | shell none |
diff --git a/etc/brasero.profile b/etc/brasero.profile index ac9ea8a7c..d013e0b8e 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile | |||
@@ -20,9 +20,9 @@ nogroups | |||
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | novideo | ||
23 | protocol unix | 24 | protocol unix |
24 | seccomp | 25 | seccomp |
25 | netfilter | ||
26 | shell none | 26 | shell none |
27 | tracelog | 27 | tracelog |
28 | 28 | ||
diff --git a/etc/calibre.profile b/etc/calibre.profile new file mode 100644 index 000000000..b75e0c276 --- /dev/null +++ b/etc/calibre.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/calibre.local | ||
7 | |||
8 | noblacklist ~/.config/calibre | ||
9 | noblacklist ~/.cache/calibre | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | #include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | |||
16 | caps.drop all | ||
17 | #ipc-namespace | ||
18 | netfilter | ||
19 | no3d | ||
20 | nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | nosound | ||
24 | novideo | ||
25 | protocol unix,inet,inet6 | ||
26 | seccomp | ||
27 | shell none | ||
28 | tracelog | ||
29 | |||
30 | #private-bin | ||
31 | private-dev | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
diff --git a/etc/catfish.profile b/etc/catfish.profile new file mode 100644 index 000000000..0deaca1b5 --- /dev/null +++ b/etc/catfish.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/catfish.local | ||
7 | |||
8 | # Firejail profile for catfish | ||
9 | noblacklist ~/.config/catfish | ||
10 | |||
11 | # We can't blacklist much since catfish | ||
12 | # is for finding files/content | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | |||
15 | caps.drop all | ||
16 | net none | ||
17 | no3d | ||
18 | nogroups | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
22 | novideo | ||
23 | protocol unix | ||
24 | seccomp | ||
25 | shell none | ||
26 | tracelog | ||
27 | |||
28 | # These options work but are disabled in case | ||
29 | # a users wants to search in these directories. | ||
30 | #private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m | ||
31 | #private-dev | ||
32 | #private-tmp | ||
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 258be50d6..0ac71ca3c 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -20,6 +20,7 @@ nogroups | |||
20 | nonewprivs | 20 | nonewprivs |
21 | noroot | 21 | noroot |
22 | nosound | 22 | nosound |
23 | novideo | ||
23 | seccomp | 24 | seccomp |
24 | protocol unix,inet,inet6,netlink | 25 | protocol unix,inet,inet6,netlink |
25 | tracelog | 26 | tracelog |
diff --git a/etc/chromium.profile b/etc/chromium.profile index 7e73634ec..2728bf74a 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -34,7 +34,7 @@ nogroups | |||
34 | shell none | 34 | shell none |
35 | 35 | ||
36 | private-dev | 36 | private-dev |
37 | private-tmp | 37 | #private-tmp - problems with multiple browser sessions |
38 | 38 | ||
39 | noexec ${HOME} | 39 | noexec ${HOME} |
40 | noexec /tmp | 40 | noexec /tmp |
diff --git a/etc/clementine.profile b/etc/clementine.profile index 0f585e43e..ccacc632d 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | caps.drop all | 14 | caps.drop all |
15 | nonewprivs | 15 | nonewprivs |
16 | noroot | 16 | noroot |
17 | novideo | ||
17 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
18 | # Clementine makes ioprio_set system calls, which are blacklisted by default. | 19 | # Clementine makes ioprio_set system calls, which are blacklisted by default. |
19 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old | 20 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old |
diff --git a/etc/clipit.profile b/etc/clipit.profile index cd744a022..b671b253b 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile | |||
@@ -15,6 +15,7 @@ caps.drop all | |||
15 | netfilter | 15 | netfilter |
16 | nonewprivs | 16 | nonewprivs |
17 | noroot | 17 | noroot |
18 | novideo | ||
18 | protocol unix,inet,inet6 | 19 | protocol unix,inet,inet6 |
19 | seccomp | 20 | seccomp |
20 | 21 | ||
diff --git a/etc/cpio.profile b/etc/cpio.profile index f38e0a6ce..fe1dc0408 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -8,7 +9,6 @@ include /etc/firejail/cpio.local | |||
8 | # cpio profile | 9 | # cpio profile |
9 | # /sbin and /usr/sbin are visible inside the sandbox | 10 | # /sbin and /usr/sbin are visible inside the sandbox |
10 | # /boot is not visible and /var is heavily modified | 11 | # /boot is not visible and /var is heavily modified |
11 | quiet | ||
12 | noblacklist /sbin | 12 | noblacklist /sbin |
13 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
14 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
diff --git a/etc/curl.profile b/etc/curl.profile new file mode 100644 index 000000000..58b5f050a --- /dev/null +++ b/etc/curl.profile | |||
@@ -0,0 +1,35 @@ | |||
1 | quiet | ||
2 | # Persistent global definitions go here | ||
3 | include /etc/firejail/globals.local | ||
4 | |||
5 | # This file is overwritten during software install. | ||
6 | # Persistent customizations should go in a .local file. | ||
7 | include /etc/firejail/curl.local | ||
8 | |||
9 | # curl profile | ||
10 | noblacklist ~/.curlrc | ||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | |||
15 | caps.drop all | ||
16 | #ipc-namespace | ||
17 | netfilter | ||
18 | no3d | ||
19 | nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | nosound | ||
23 | protocol unix,inet,inet6 | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | blacklist /tmp/.X11-unix | ||
28 | |||
29 | # private-bin curl | ||
30 | private-dev | ||
31 | # private-etc resolv.conf | ||
32 | private-tmp | ||
33 | |||
34 | noexec ${HOME} | ||
35 | noexec /tmp | ||
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 8d50dedda..486df1d99 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -20,6 +20,7 @@ no3d | |||
20 | nogroups | 20 | nogroups |
21 | nonewprivs | 21 | nonewprivs |
22 | noroot | 22 | noroot |
23 | novideo | ||
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
diff --git a/etc/deluge.profile b/etc/deluge.profile index db2d339c7..4e7d90e53 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -24,6 +24,7 @@ netfilter | |||
24 | nonewprivs | 24 | nonewprivs |
25 | noroot | 25 | noroot |
26 | nosound | 26 | nosound |
27 | novideo | ||
27 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
28 | seccomp | 29 | seccomp |
29 | 30 | ||
diff --git a/etc/dia.profile b/etc/dia.profile index fc564b96d..4e009afd7 100644 --- a/etc/dia.profile +++ b/etc/dia.profile | |||
@@ -14,6 +14,7 @@ caps.drop all | |||
14 | netfilter | 14 | netfilter |
15 | nonewprivs | 15 | nonewprivs |
16 | noroot | 16 | noroot |
17 | novideo | ||
17 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
18 | seccomp | 19 | seccomp |
19 | 20 | ||
diff --git a/etc/digikam.profile b/etc/digikam.profile new file mode 100644 index 000000000..fd19953a0 --- /dev/null +++ b/etc/digikam.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/digikam.local | ||
7 | |||
8 | noblacklist ${HOME}/.kde4/share/apps/digikam | ||
9 | noblacklist ${HOME}/.kde/share/apps/digikam | ||
10 | noblacklist ${HOME}/.config/digikamrc | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | include /etc/firejail/disable-devel.inc | ||
16 | |||
17 | caps.drop all | ||
18 | netfilter | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | protocol unix,inet,inet6,netlink | ||
22 | |||
23 | # This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04. | ||
24 | # Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled. | ||
25 | #seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group | ||
26 | seccomp | ||
27 | |||
28 | nogroups | ||
29 | shell none | ||
30 | # private-bin program | ||
31 | # private-etc none | ||
32 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | ||
33 | private-tmp | ||
diff --git a/etc/dino.profile b/etc/dino.profile index a979cad7c..6d63e894e 100644 --- a/etc/dino.profile +++ b/etc/dino.profile | |||
@@ -26,6 +26,7 @@ nogroups | |||
26 | nonewprivs | 26 | nonewprivs |
27 | noroot | 27 | noroot |
28 | nosound | 28 | nosound |
29 | novideo | ||
29 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index af0bbfce6..7a3ca37ed 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -62,6 +62,8 @@ blacklist ${HOME}/.config/borg | |||
62 | blacklist ${HOME}/.config/brasero | 62 | blacklist ${HOME}/.config/brasero |
63 | blacklist ${HOME}/.config/brave | 63 | blacklist ${HOME}/.config/brave |
64 | blacklist ${HOME}/.config/caja | 64 | blacklist ${HOME}/.config/caja |
65 | blacklist ${HOME}/.config/calibre | ||
66 | blacklist ${HOME}/.config/catfish | ||
65 | blacklist ${HOME}/.config/cherrytree | 67 | blacklist ${HOME}/.config/cherrytree |
66 | blacklist ${HOME}/.config/chromium | 68 | blacklist ${HOME}/.config/chromium |
67 | blacklist ${HOME}/.config/chromium-dev | 69 | blacklist ${HOME}/.config/chromium-dev |
@@ -71,6 +73,7 @@ blacklist ${HOME}/.config/cmus | |||
71 | blacklist ${HOME}/.config/darktable | 73 | blacklist ${HOME}/.config/darktable |
72 | blacklist ${HOME}/.config/deadbeef | 74 | blacklist ${HOME}/.config/deadbeef |
73 | blacklist ${HOME}/.config/deluge | 75 | blacklist ${HOME}/.config/deluge |
76 | blacklist ${HOME}/.config/digikam | ||
74 | blacklist ${HOME}/.config/dolphinrc | 77 | blacklist ${HOME}/.config/dolphinrc |
75 | blacklist ${HOME}/.config/dragonplayerrc | 78 | blacklist ${HOME}/.config/dragonplayerrc |
76 | blacklist ${HOME}/.config/enchant | 79 | blacklist ${HOME}/.config/enchant |
@@ -85,11 +88,12 @@ blacklist ${HOME}/.config/galculator | |||
85 | blacklist ${HOME}/.config/geany | 88 | blacklist ${HOME}/.config/geany |
86 | blacklist ${HOME}/.config/geeqie | 89 | blacklist ${HOME}/.config/geeqie |
87 | blacklist ${HOME}/.config/gedit | 90 | blacklist ${HOME}/.config/gedit |
91 | blacklist ${HOME}/.config/ghb | ||
88 | blacklist ${HOME}/.config/globaltime | 92 | blacklist ${HOME}/.config/globaltime |
89 | blacklist ${HOME}/.config/google-chrome | 93 | blacklist ${HOME}/.config/google-chrome |
90 | blacklist ${HOME}/.config/google-chrome-beta | 94 | blacklist ${HOME}/.config/google-chrome-beta |
91 | blacklist ${HOME}/.config/google-chrome-unstable | 95 | blacklist ${HOME}/.config/google-chrome-unstable |
92 | blacklist ${HOME}./config/gpicview | 96 | blacklist ${HOME}/.config/gpicview |
93 | blacklist ${HOME}/.config/gthumb | 97 | blacklist ${HOME}/.config/gthumb |
94 | blacklist ${HOME}/.config/gwenviewrc | 98 | blacklist ${HOME}/.config/gwenviewrc |
95 | blacklist ${HOME}/.config/hexchat | 99 | blacklist ${HOME}/.config/hexchat |
@@ -103,6 +107,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc | |||
103 | blacklist ${HOME}/.config/katevirc | 107 | blacklist ${HOME}/.config/katevirc |
104 | blacklist ${HOME}/.config/kdeconnect | 108 | blacklist ${HOME}/.config/kdeconnect |
105 | blacklist ${HOME}/.config/knotesrc | 109 | blacklist ${HOME}/.config/knotesrc |
110 | blacklist ${HOME}/.config/ktorrentrc | ||
106 | blacklist ${HOME}/.config/leafpad | 111 | blacklist ${HOME}/.config/leafpad |
107 | blacklist ${HOME}/.config/libreoffice | 112 | blacklist ${HOME}/.config/libreoffice |
108 | blacklist ${HOME}/.config/lximage-qt | 113 | blacklist ${HOME}/.config/lximage-qt |
@@ -136,6 +141,7 @@ blacklist ${HOME}/.config/redshift.conf | |||
136 | blacklist ${HOME}/.config/scribus | 141 | blacklist ${HOME}/.config/scribus |
137 | blacklist ${HOME}/.config/skypeforlinux | 142 | blacklist ${HOME}/.config/skypeforlinux |
138 | blacklist ${HOME}/.config/slimjet | 143 | blacklist ${HOME}/.config/slimjet |
144 | blacklist ${HOME}/.config/smplayer | ||
139 | blacklist ${HOME}/.config/spotify | 145 | blacklist ${HOME}/.config/spotify |
140 | blacklist ${HOME}/.config/stellarium | 146 | blacklist ${HOME}/.config/stellarium |
141 | blacklist ${HOME}/.config/synfig | 147 | blacklist ${HOME}/.config/synfig |
@@ -166,6 +172,7 @@ blacklist ${HOME}/.config/xviewer | |||
166 | blacklist ${HOME}/.config/zathura | 172 | blacklist ${HOME}/.config/zathura |
167 | blacklist ${HOME}/.config/zoomus.conf | 173 | blacklist ${HOME}/.config/zoomus.conf |
168 | blacklist ${HOME}/.conkeror.mozdev.org | 174 | blacklist ${HOME}/.conkeror.mozdev.org |
175 | blacklist ${HOME}/.curlrc | ||
169 | blacklist ${HOME}/.dia | 176 | blacklist ${HOME}/.dia |
170 | blacklist ${HOME}/.dillo | 177 | blacklist ${HOME}/.dillo |
171 | blacklist ${HOME}/.dosbox | 178 | blacklist ${HOME}/.dosbox |
@@ -200,6 +207,7 @@ blacklist ${HOME}/.kde4/share/apps/okular | |||
200 | blacklist ${HOME}/.kde4/share/config/baloofilerc | 207 | blacklist ${HOME}/.kde4/share/config/baloofilerc |
201 | blacklist ${HOME}/.kde4/share/config/baloorc | 208 | blacklist ${HOME}/.kde4/share/config/baloorc |
202 | blacklist ${HOME}/.kde4/share/config/gwenviewrc | 209 | blacklist ${HOME}/.kde4/share/config/gwenviewrc |
210 | blacklist ${HOME}/.kde4/share/config/digikam | ||
203 | blacklist ${HOME}/.kde4/share/config/k3brc | 211 | blacklist ${HOME}/.kde4/share/config/k3brc |
204 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc | 212 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc |
205 | blacklist ${HOME}/.kde4/share/config/khtmlrc | 213 | blacklist ${HOME}/.kde4/share/config/khtmlrc |
@@ -217,6 +225,7 @@ blacklist ${HOME}/.kde/share/apps/konqueror | |||
217 | blacklist ${HOME}/.kde/share/apps/okular | 225 | blacklist ${HOME}/.kde/share/apps/okular |
218 | blacklist ${HOME}/.kde/share/config/baloofilerc | 226 | blacklist ${HOME}/.kde/share/config/baloofilerc |
219 | blacklist ${HOME}/.kde/share/config/baloorc | 227 | blacklist ${HOME}/.kde/share/config/baloorc |
228 | blacklist ${HOME}/.kde/share/config/digikam | ||
220 | blacklist ${HOME}/.kde/share/config/gwenviewrc | 229 | blacklist ${HOME}/.kde/share/config/gwenviewrc |
221 | blacklist ${HOME}/.kde/share/config/k3brc | 230 | blacklist ${HOME}/.kde/share/config/k3brc |
222 | blacklist ${HOME}/.kde/share/config/kcookiejarrc | 231 | blacklist ${HOME}/.kde/share/config/kcookiejarrc |
@@ -253,7 +262,7 @@ blacklist ${HOME}/.local/share/caja-python | |||
253 | blacklist ${HOME}/.local/share/cdprojektred | 262 | blacklist ${HOME}/.local/share/cdprojektred |
254 | blacklist ${HOME}/.local/share/clipit | 263 | blacklist ${HOME}/.local/share/clipit |
255 | blacklist ${HOME}/.local/share/data/Mumble | 264 | blacklist ${HOME}/.local/share/data/Mumble |
256 | blacklist ${HOME}./local/share/dino | 265 | blacklist ${HOME}/.local/share/dino |
257 | blacklist ${HOME}/.local/share/dolphin | 266 | blacklist ${HOME}/.local/share/dolphin |
258 | blacklist ${HOME}/.local/share/epiphany | 267 | blacklist ${HOME}/.local/share/epiphany |
259 | blacklist ${HOME}/.local/share/evolution | 268 | blacklist ${HOME}/.local/share/evolution |
@@ -265,6 +274,7 @@ blacklist ${HOME}/.local/share/gnome-chess | |||
265 | blacklist ${HOME}/.local/share/gnome-music | 274 | blacklist ${HOME}/.local/share/gnome-music |
266 | blacklist ${HOME}/.local/share/gnome-photos | 275 | blacklist ${HOME}/.local/share/gnome-photos |
267 | blacklist ${HOME}/.local/share/kate | 276 | blacklist ${HOME}/.local/share/kate |
277 | blacklist ${HOME}/.local/share/ktorrentrc | ||
268 | blacklist ${HOME}/.local/share/lollypop | 278 | blacklist ${HOME}/.local/share/lollypop |
269 | blacklist ${HOME}/.local/share/meld | 279 | blacklist ${HOME}/.local/share/meld |
270 | blacklist ${HOME}/.local/share/multimc5 | 280 | blacklist ${HOME}/.local/share/multimc5 |
@@ -298,6 +308,7 @@ blacklist ${HOME}/.mcabberrc | |||
298 | blacklist ${HOME}/.mediathek3 | 308 | blacklist ${HOME}/.mediathek3 |
299 | blacklist ${HOME}/.mozilla | 309 | blacklist ${HOME}/.mozilla |
300 | blacklist ${HOME}/.mpdconf | 310 | blacklist ${HOME}/.mpdconf |
311 | blacklist ${HOME}/.mplayer | ||
301 | blacklist ${HOME}/.msmtprc | 312 | blacklist ${HOME}/.msmtprc |
302 | blacklist ${HOME}/.multimc5 | 313 | blacklist ${HOME}/.multimc5 |
303 | blacklist ${HOME}/.mutt | 314 | blacklist ${HOME}/.mutt |
@@ -332,6 +343,7 @@ blacklist ${HOME}/.vst | |||
332 | blacklist ${HOME}/.w3m | 343 | blacklist ${HOME}/.w3m |
333 | blacklist ${HOME}/.warzone2100-3.* | 344 | blacklist ${HOME}/.warzone2100-3.* |
334 | blacklist ${HOME}/.weechat | 345 | blacklist ${HOME}/.weechat |
346 | blacklist ${HOME}/.wgetrc | ||
335 | blacklist ${HOME}/.wine | 347 | blacklist ${HOME}/.wine |
336 | blacklist ${HOME}/.wine64 | 348 | blacklist ${HOME}/.wine64 |
337 | blacklist ${HOME}/.xiphos | 349 | blacklist ${HOME}/.xiphos |
@@ -350,6 +362,7 @@ blacklist ${HOME}/.cache/INRIA | |||
350 | blacklist ${HOME}/.cache/QuiteRss | 362 | blacklist ${HOME}/.cache/QuiteRss |
351 | blacklist ${HOME}/.cache/attic | 363 | blacklist ${HOME}/.cache/attic |
352 | blacklist ${HOME}/.cache/borg | 364 | blacklist ${HOME}/.cache/borg |
365 | blacklist ${HOME}/.cache/calibre | ||
353 | blacklist ${HOME}/.cache/champlain | 366 | blacklist ${HOME}/.cache/champlain |
354 | blacklist ${HOME}/.cache/chromium | 367 | blacklist ${HOME}/.cache/chromium |
355 | blacklist ${HOME}/.cache/qupzilla | 368 | blacklist ${HOME}/.cache/qupzilla |
diff --git a/etc/dragon.profile b/etc/dragon.profile index 661f663c3..d099f1d9d 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
@@ -18,6 +18,7 @@ netfilter | |||
18 | nogroups | 18 | nogroups |
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | novideo | ||
21 | shell none | 22 | shell none |
22 | seccomp | 23 | seccomp |
23 | protocol unix,inet,inet6 | 24 | protocol unix,inet,inet6 |
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index e0097a8ea..19076704b 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | caps | 14 | caps |
15 | nonewprivs | 15 | nonewprivs |
16 | noroot | 16 | noroot |
17 | novideo | ||
17 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
18 | seccomp | 19 | seccomp |
19 | 20 | ||
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile new file mode 100644 index 000000000..ba28e3550 --- /dev/null +++ b/etc/ebook-viewer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ebook-viewer.local | ||
7 | |||
8 | # Firejail profile for ebook-viewer (Calibre) | ||
9 | include /etc/firejail/calibre.profile | ||
10 | net none | ||
diff --git a/etc/elinks.profile b/etc/elinks.profile index 76a7e6b94..597e43fb8 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -14,11 +14,12 @@ include /etc/firejail/disable-devel.inc | |||
14 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
15 | 15 | ||
16 | caps.drop all | 16 | caps.drop all |
17 | no3d | ||
17 | nogroups | 18 | nogroups |
18 | nonewprivs | 19 | nonewprivs |
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | no3d | 22 | novideo |
22 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
23 | seccomp | 24 | seccomp |
24 | netfilter | 25 | netfilter |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index f409a8dd4..081a5f6b0 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -16,6 +16,7 @@ nogroups | |||
16 | nonewprivs | 16 | nonewprivs |
17 | noroot | 17 | noroot |
18 | nosound | 18 | nosound |
19 | novideo | ||
19 | protocol unix | 20 | protocol unix |
20 | seccomp | 21 | seccomp |
21 | netfilter | 22 | netfilter |
diff --git a/etc/eog.profile b/etc/eog.profile index 447a41a86..1b9926ec9 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -24,6 +24,7 @@ nogroups | |||
24 | nonewprivs | 24 | nonewprivs |
25 | noroot | 25 | noroot |
26 | nosound | 26 | nosound |
27 | novideo | ||
27 | protocol unix | 28 | protocol unix |
28 | seccomp | 29 | seccomp |
29 | shell none | 30 | shell none |
diff --git a/etc/eom.profile b/etc/eom.profile index d2622ebcf..b5eedd989 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -19,6 +19,7 @@ nogroups | |||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nosound | 21 | nosound |
22 | novideo | ||
22 | protocol unix | 23 | protocol unix |
23 | seccomp | 24 | seccomp |
24 | shell none | 25 | shell none |
diff --git a/etc/evince.profile b/etc/evince.profile index 51ed3fbf3..6719244da 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -22,6 +22,7 @@ nogroups | |||
22 | nonewprivs | 22 | nonewprivs |
23 | noroot | 23 | noroot |
24 | nosound | 24 | nosound |
25 | novideo | ||
25 | protocol unix | 26 | protocol unix |
26 | seccomp | 27 | seccomp |
27 | shell none | 28 | shell none |
diff --git a/etc/file.profile b/etc/file.profile index a757dce5a..915bf1088 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/file.local | 7 | include /etc/firejail/file.local |
7 | 8 | ||
8 | # file profile | 9 | # file profile |
9 | quiet | ||
10 | include /etc/firejail/disable-common.inc | 10 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 11 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/firefox.profile b/etc/firefox.profile index 9d047db97..70b41a240 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -13,7 +13,10 @@ noblacklist ~/.local/share/qpdfview | |||
13 | noblacklist ~/.kde4/share/apps/okular | 13 | noblacklist ~/.kde4/share/apps/okular |
14 | noblacklist ~/.kde/share/apps/okular | 14 | noblacklist ~/.kde/share/apps/okular |
15 | noblacklist ~/.local/share/okular | 15 | noblacklist ~/.local/share/okular |
16 | noblacklist ~/.config/okularpartrc | ||
17 | noblacklist ~/.config/okularrc | ||
16 | noblacklist ~/.pki | 18 | noblacklist ~/.pki |
19 | |||
17 | include /etc/firejail/disable-common.inc | 20 | include /etc/firejail/disable-common.inc |
18 | include /etc/firejail/disable-programs.inc | 21 | include /etc/firejail/disable-programs.inc |
19 | include /etc/firejail/disable-devel.inc | 22 | include /etc/firejail/disable-devel.inc |
@@ -48,6 +51,8 @@ whitelist ~/.pki | |||
48 | whitelist ~/.lastpass | 51 | whitelist ~/.lastpass |
49 | whitelist ~/.config/qpdfview | 52 | whitelist ~/.config/qpdfview |
50 | whitelist ~/.local/share/qpdfview | 53 | whitelist ~/.local/share/qpdfview |
54 | whitelist ~/.config/okularrc | ||
55 | whitelist ~/.config/okularpartrc | ||
51 | whitelist ~/.kde4/share/apps/okular | 56 | whitelist ~/.kde4/share/apps/okular |
52 | whitelist ~/.kde/share/apps/okular | 57 | whitelist ~/.kde/share/apps/okular |
53 | whitelist ~/.local/share/okular | 58 | whitelist ~/.local/share/okular |
diff --git a/etc/ghb.profile b/etc/ghb.profile new file mode 100644 index 000000000..2068c3136 --- /dev/null +++ b/etc/ghb.profile | |||
@@ -0,0 +1,9 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/ghb.local | ||
7 | |||
8 | # HandBrake | ||
9 | include /etc/firejail/handbrake.profile | ||
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile index 1902fac72..ce6cee7a5 100644 --- a/etc/gimp-2.8.profile +++ b/etc/gimp-2.8.profile | |||
@@ -1,4 +1,8 @@ | |||
1 | # Persistent global definitions go here | 1 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 2 | include /etc/firejail/globals.local |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/gimp-2.8.local | ||
7 | |||
4 | include /etc/firejail/gimp.profile | 8 | include /etc/firejail/gimp.profile |
diff --git a/etc/git.profile b/etc/git.profile index a8e7bf882..5fa3ef95e 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/git.local | 7 | include /etc/firejail/git.local |
7 | 8 | ||
8 | # git profile | 9 | # git profile |
9 | quiet | ||
10 | noblacklist ~/.gitconfig | 10 | noblacklist ~/.gitconfig |
11 | noblacklist ~/.ssh | 11 | noblacklist ~/.ssh |
12 | noblacklist ~/.gnupg | 12 | noblacklist ~/.gnupg |
diff --git a/etc/gtar.profile b/etc/gtar.profile index cd15b7156..9a4325082 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/gtar.local | 7 | include /etc/firejail/gtar.local |
7 | 8 | ||
8 | # gtar profile | 9 | # gtar profile |
9 | quiet | ||
10 | include /etc/firejail/tar.profile | 10 | include /etc/firejail/tar.profile |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 2ba4e0b58..5a2a5d26e 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/gzip.local | 7 | include /etc/firejail/gzip.local |
7 | 8 | ||
8 | # gzip profile | 9 | # gzip profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile new file mode 100644 index 000000000..a162352de --- /dev/null +++ b/etc/handbrake-gtk.profile | |||
@@ -0,0 +1,9 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/handbrake-gtk.local | ||
7 | |||
8 | # HandBrake | ||
9 | include /etc/firejail/handbrake.profile | ||
diff --git a/etc/handbrake.profile b/etc/handbrake.profile new file mode 100644 index 000000000..0f3f32250 --- /dev/null +++ b/etc/handbrake.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/handbrake.local | ||
7 | |||
8 | noblacklist ~/.config/ghb | ||
9 | include /etc/firejail/disable-common.inc | ||
10 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-passwdmgr.inc | ||
12 | |||
13 | caps.drop all | ||
14 | netfilter | ||
15 | nonewprivs | ||
16 | noroot | ||
17 | # netlink required! | ||
18 | protocol unix,inet,inet6,netlink | ||
19 | seccomp | ||
20 | |||
21 | # | ||
22 | # depending on your usage, you can enable some of the commands below: | ||
23 | # | ||
24 | nogroups | ||
25 | shell none | ||
26 | # private-bin program | ||
27 | # private-etc none | ||
28 | #private-dev | ||
29 | private-tmp | ||
30 | nosound | ||
diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 9aeed0057..34e260f8f 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile | |||
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc | |||
17 | include /etc/firejail/disable-passwdmgr.inc | 17 | include /etc/firejail/disable-passwdmgr.inc |
18 | 18 | ||
19 | caps.drop all | 19 | caps.drop all |
20 | machine-id | ||
20 | net none | 21 | net none |
21 | no3d | 22 | no3d |
22 | nogroups | 23 | nogroups |
@@ -28,8 +29,8 @@ seccomp | |||
28 | shell none | 29 | shell none |
29 | tracelog | 30 | tracelog |
30 | 31 | ||
31 | private-bin keepassx | 32 | private-bin keepassx,keepassx2 |
32 | private-etc fonts | 33 | private-etc fonts,machine-id |
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
35 | 36 | ||
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index 5b7e5e667..59c2827cd 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile | |||
@@ -8,6 +8,8 @@ include /etc/firejail/ktorrent.local | |||
8 | ################################ | 8 | ################################ |
9 | # Generic GUI application profile | 9 | # Generic GUI application profile |
10 | ################################ | 10 | ################################ |
11 | noblacklist ~/.config/ktorrentrc | ||
12 | noblacklist ~/.local/share/ktorrent | ||
11 | noblacklist ~/.kde/share/config/ktorrentrc | 13 | noblacklist ~/.kde/share/config/ktorrentrc |
12 | noblacklist ~/.kde4/share/config/ktorrentrc | 14 | noblacklist ~/.kde4/share/config/ktorrentrc |
13 | noblacklist ~/.kde/share/apps/ktorrent | 15 | noblacklist ~/.kde/share/apps/ktorrent |
@@ -16,7 +18,10 @@ include /etc/firejail/disable-common.inc | |||
16 | include /etc/firejail/disable-programs.inc | 18 | include /etc/firejail/disable-programs.inc |
17 | include /etc/firejail/disable-passwdmgr.inc | 19 | include /etc/firejail/disable-passwdmgr.inc |
18 | 20 | ||
19 | 21 | mkfile ~/.config/ktorrentrc | |
22 | whitelist ~/.config/ktorrentrc | ||
23 | mkdir ~/.local/share/ktorrent | ||
24 | whitelist ~/.local/share/ktorrent | ||
20 | mkdir ~/.kde/share/config/ktorrentrc | 25 | mkdir ~/.kde/share/config/ktorrentrc |
21 | whitelist ~/.kde/share/config/ktorrentrc | 26 | whitelist ~/.kde/share/config/ktorrentrc |
22 | mkdir ~/.kde4/share/config/ktorrentrc | 27 | mkdir ~/.kde4/share/config/ktorrentrc |
diff --git a/etc/less.profile b/etc/less.profile index 273b47a7a..dd63d3e2e 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/less.local | 7 | include /etc/firejail/less.local |
7 | 8 | ||
8 | # less profile | 9 | # less profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile index 67a9f244e..acc687b81 100644 --- a/etc/mate-calculator.profile +++ b/etc/mate-calculator.profile | |||
@@ -1,4 +1,8 @@ | |||
1 | # Persistent global definitions go here | 1 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 2 | include /etc/firejail/globals.local |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mate-calculator.local | ||
7 | |||
4 | #include /etc/firejail/mate-calc.profile | 8 | #include /etc/firejail/mate-calc.profile |
diff --git a/etc/mplayer.profile b/etc/mplayer.profile new file mode 100644 index 000000000..879223e1a --- /dev/null +++ b/etc/mplayer.profile | |||
@@ -0,0 +1,31 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/mplayer.local | ||
7 | |||
8 | # mplayer profile | ||
9 | noblacklist ${HOME}/.mplayer | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | include /etc/firejail/disable-passwdmgr.inc | ||
15 | |||
16 | caps.drop all | ||
17 | #ipc-namespace | ||
18 | netfilter | ||
19 | # nogroups | ||
20 | nonewprivs | ||
21 | noroot | ||
22 | protocol unix,inet,inet6,netlink | ||
23 | seccomp | ||
24 | shell none | ||
25 | |||
26 | private-dev | ||
27 | private-tmp | ||
28 | private-bin mplayer | ||
29 | |||
30 | noexec ${HOME} | ||
31 | noexec /tmp | ||
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 1fe0a1f63..97bd2b0b1 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -6,7 +6,7 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/qpdfview.local | 6 | include /etc/firejail/qpdfview.local |
7 | 7 | ||
8 | # qpdfview profile | 8 | # qpdfview profile |
9 | noblacklist ${HOME}./config/qt5ct | 9 | noblacklist ${HOME}/.config/qt5ct |
10 | noblacklist ${HOME}/.config/qpdfview | 10 | noblacklist ${HOME}/.config/qpdfview |
11 | noblacklist ${HOME}/.local/share/qpdfview | 11 | noblacklist ${HOME}/.local/share/qpdfview |
12 | 12 | ||
diff --git a/etc/server.profile b/etc/server.profile index 31a81b88f..2d79fa1c8 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -18,6 +18,7 @@ blacklist /tmp/.X11-unix | |||
18 | no3d | 18 | no3d |
19 | nosound | 19 | nosound |
20 | seccomp | 20 | seccomp |
21 | caps | ||
21 | 22 | ||
22 | private | 23 | private |
23 | private-dev | 24 | private-dev |
diff --git a/etc/smplayer.profile b/etc/smplayer.profile new file mode 100644 index 000000000..6a5c115b7 --- /dev/null +++ b/etc/smplayer.profile | |||
@@ -0,0 +1,32 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/smplayer.local | ||
7 | |||
8 | # smplayer profile | ||
9 | noblacklist ${HOME}/.config/smplayer | ||
10 | noblacklist ${HOME}/.mplayer | ||
11 | |||
12 | include /etc/firejail/disable-common.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | include /etc/firejail/disable-devel.inc | ||
15 | include /etc/firejail/disable-passwdmgr.inc | ||
16 | |||
17 | caps.drop all | ||
18 | #ipc-namespace | ||
19 | netfilter | ||
20 | # nogroups | ||
21 | nonewprivs | ||
22 | noroot | ||
23 | protocol unix,inet,inet6,netlink | ||
24 | seccomp | ||
25 | shell none | ||
26 | |||
27 | private-dev | ||
28 | private-tmp | ||
29 | private-bin smplayer,mplayer | ||
30 | |||
31 | noexec ${HOME} | ||
32 | noexec /tmp | ||
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index bbb0baade..ab47067f1 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/ssh-agent.local | 7 | include /etc/firejail/ssh-agent.local |
7 | 8 | ||
8 | # ssh-agent | 9 | # ssh-agent |
9 | quiet | ||
10 | noblacklist ~/.ssh | 10 | noblacklist ~/.ssh |
11 | noblacklist /tmp/ssh-* | 11 | noblacklist /tmp/ssh-* |
12 | noblacklist /etc/ssh | 12 | noblacklist /etc/ssh |
diff --git a/etc/ssh.profile b/etc/ssh.profile index 7ea78535d..e592841a1 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/ssh.local | 7 | include /etc/firejail/ssh.local |
7 | 8 | ||
8 | # ssh client | 9 | # ssh client |
9 | quiet | ||
10 | noblacklist ~/.ssh | 10 | noblacklist ~/.ssh |
11 | noblacklist /tmp/ssh-* | 11 | noblacklist /tmp/ssh-* |
12 | noblacklist /etc/ssh | 12 | noblacklist /etc/ssh |
diff --git a/etc/strings.profile b/etc/strings.profile index b12c42f0d..a9301c652 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/strings.local | 7 | include /etc/firejail/strings.local |
7 | 8 | ||
8 | # strings profile | 9 | # strings profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/tar.profile b/etc/tar.profile index 0661286b4..577e795f8 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/tar.local | 7 | include /etc/firejail/tar.local |
7 | 8 | ||
8 | # tar profile | 9 | # tar profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/thunar.profile b/etc/thunar.profile index cd84acf39..d8389ebc8 100644 --- a/etc/thunar.profile +++ b/etc/thunar.profile | |||
@@ -1,4 +1,8 @@ | |||
1 | # Persistent global definitions go here | 1 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 2 | include /etc/firejail/globals.local |
3 | 3 | ||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/thunar.local | ||
7 | |||
4 | include /etc/firejail/Thunar.profile | 8 | include /etc/firejail/Thunar.profile |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 8a5bf1f7b..c693a53b3 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -25,6 +25,11 @@ noblacklist ~/.cache/thunderbird | |||
25 | mkdir ~/.cache/thunderbird | 25 | mkdir ~/.cache/thunderbird |
26 | whitelist ~/.cache/thunderbird | 26 | whitelist ~/.cache/thunderbird |
27 | 27 | ||
28 | whitelist ~/.config/mimeapps.list | ||
29 | read-only ~/.config/mimeapps.list | ||
30 | whitelist ~/.local/share/applications | ||
31 | read-only ~/.local/share/applications | ||
32 | |||
28 | # allow browsers | 33 | # allow browsers |
29 | ignore private-tmp | 34 | ignore private-tmp |
30 | include /etc/firejail/firefox.profile | 35 | include /etc/firejail/firefox.profile |
diff --git a/etc/unrar.profile b/etc/unrar.profile index 1375c9b48..62d6665ec 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/unrar.local | 7 | include /etc/firejail/unrar.local |
7 | 8 | ||
8 | # unrar profile | 9 | # unrar profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index 581d65167..130e57ae9 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/unzip.local | 7 | include /etc/firejail/unzip.local |
7 | 8 | ||
8 | # unzip profile | 9 | # unzip profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | blacklist /tmp/.X11-unix | 12 | blacklist /tmp/.X11-unix |
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index c795619a0..46f28179b 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/uudeview.local | 7 | include /etc/firejail/uudeview.local |
7 | 8 | ||
8 | # uudeview profile | 9 | # uudeview profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile index 51954c643..f2c2f4cc0 100644 --- a/etc/vivaldi-beta.profile +++ b/etc/vivaldi-beta.profile | |||
@@ -6,4 +6,4 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/vivaldi-beta.local | 6 | include /etc/firejail/vivaldi-beta.local |
7 | 7 | ||
8 | # Vivaldi Beta browser profile | 8 | # Vivaldi Beta browser profile |
9 | include /etc/firejail/vivaldi-stable.profile | 9 | include /etc/firejail/vivaldi.profile |
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile index a57b2dd78..9b2ccd4f3 100644 --- a/etc/vivaldi-stable.profile +++ b/etc/vivaldi-stable.profile | |||
@@ -4,19 +4,5 @@ include /etc/firejail/globals.local | |||
4 | # This file is overwritten during software install. | 4 | # This file is overwritten during software install. |
5 | # Persistent customizations should go in a .local file. | 5 | # Persistent customizations should go in a .local file. |
6 | include /etc/firejail/vivaldi.local | 6 | include /etc/firejail/vivaldi.local |
7 | noblacklist ~/.cache/vivaldi | ||
8 | 7 | ||
9 | # Vivaldi browser profile | 8 | include /etc/firejail/vivaldi.profile |
10 | noblacklist ~/.config/vivaldi | ||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-programs.inc | ||
13 | include /etc/firejail/disable-devel.inc | ||
14 | |||
15 | netfilter | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | mkdir ~/.config/vivaldi | ||
19 | whitelist ~/.config/vivaldi | ||
20 | mkdir ~/.cache/vivaldi | ||
21 | whitelist ~/.cache/vivaldi | ||
22 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index c01c6d608..25d78439d 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -6,4 +6,19 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/vivaldi.local | 6 | include /etc/firejail/vivaldi.local |
7 | 7 | ||
8 | # Vivaldi browser profile | 8 | # Vivaldi browser profile |
9 | include /etc/firejail/vivaldi-stable.profile | 9 | noblacklist ~/.cache/vivaldi |
10 | |||
11 | # Vivaldi browser profile | ||
12 | noblacklist ~/.config/vivaldi | ||
13 | include /etc/firejail/disable-common.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | include /etc/firejail/disable-devel.inc | ||
16 | |||
17 | netfilter | ||
18 | |||
19 | whitelist ${DOWNLOADS} | ||
20 | mkdir ~/.config/vivaldi | ||
21 | whitelist ~/.config/vivaldi | ||
22 | mkdir ~/.cache/vivaldi | ||
23 | whitelist ~/.cache/vivaldi | ||
24 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/vlc.profile b/etc/vlc.profile index efd6d04a6..b36e844ff 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -24,7 +24,7 @@ seccomp | |||
24 | shell none | 24 | shell none |
25 | 25 | ||
26 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 26 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
27 | # private-dev | 27 | private-dev |
28 | private-tmp | 28 | private-tmp |
29 | 29 | ||
30 | noexec ${HOME} | 30 | noexec ${HOME} |
diff --git a/etc/wget.profile b/etc/wget.profile index 562c7bbf1..801e034ea 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,7 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/wget.local | 7 | include /etc/firejail/wget.local |
7 | 8 | ||
8 | # wget profile | 9 | # wget profile |
9 | quiet | 10 | noblacklist ~/.wgetrc |
10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/xz.profile b/etc/xz.profile index f01906610..a3c1ab3ca 100644 --- a/etc/xz.profile +++ b/etc/xz.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/xz.local | 7 | include /etc/firejail/xz.local |
7 | 8 | ||
8 | # xz profile | 9 | # xz profile |
9 | quiet | ||
10 | include /etc/firejail/cpio.profile | 10 | include /etc/firejail/cpio.profile |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 21cb15556..2a84bf0ee 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/xzdec.local | 7 | include /etc/firejail/xzdec.local |
7 | 8 | ||
8 | # xzdec profile | 9 | # xzdec profile |
9 | quiet | ||
10 | ignore noroot | 10 | ignore noroot |
11 | include /etc/firejail/default.profile | 11 | include /etc/firejail/default.profile |
12 | 12 | ||
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 8d925a354..e1ed3ccab 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
@@ -24,7 +25,6 @@ protocol unix,inet,inet6 | |||
24 | seccomp | 25 | seccomp |
25 | shell none | 26 | shell none |
26 | tracelog | 27 | tracelog |
27 | quiet | ||
28 | 28 | ||
29 | private-dev | 29 | private-dev |
30 | 30 | ||
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 9c99a918a..f35168735 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -32,6 +32,7 @@ | |||
32 | /etc/firejail/brasero.profile | 32 | /etc/firejail/brasero.profile |
33 | /etc/firejail/brave.profile | 33 | /etc/firejail/brave.profile |
34 | /etc/firejail/caja.profile | 34 | /etc/firejail/caja.profile |
35 | /etc/firejail/catfish.profile | ||
35 | /etc/firejail/cherrytree.profile | 36 | /etc/firejail/cherrytree.profile |
36 | /etc/firejail/chromium-browser.profile | 37 | /etc/firejail/chromium-browser.profile |
37 | /etc/firejail/chromium.profile | 38 | /etc/firejail/chromium.profile |
@@ -49,6 +50,7 @@ | |||
49 | /etc/firejail/default.profile | 50 | /etc/firejail/default.profile |
50 | /etc/firejail/deluge.profile | 51 | /etc/firejail/deluge.profile |
51 | /etc/firejail/dia.profile | 52 | /etc/firejail/dia.profile |
53 | /etc/firejail/digikam.profile | ||
52 | /etc/firejail/dillo.profile | 54 | /etc/firejail/dillo.profile |
53 | /etc/firejail/dino.profile | 55 | /etc/firejail/dino.profile |
54 | /etc/firejail/disable-common.inc | 56 | /etc/firejail/disable-common.inc |
@@ -303,3 +305,12 @@ | |||
303 | /etc/firejail/zoom.profile | 305 | /etc/firejail/zoom.profile |
304 | /etc/firejail/vym.profile | 306 | /etc/firejail/vym.profile |
305 | /etc/firejail/darktable.profile | 307 | /etc/firejail/darktable.profile |
308 | /etc/firejail/waterfox.profile | ||
309 | /etc/firejail/handbrake.profile | ||
310 | /etc/firejail/curl.profile | ||
311 | /etc/firejail/mplayer.profile | ||
312 | /etc/firejail/smplayer.profile | ||
313 | /etc/firejail/ebook-viewer.profile | ||
314 | /etc/firejail/calibre.profile | ||
315 | /etc/firejail/handbrake-gtk.profile | ||
316 | /etc/firejail/ghb.profile | ||
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 108759049..ef1a51c93 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -1,5 +1,5 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | VERSION="0.9.46" | 2 | VERSION="0.9.48" |
3 | rm -fr ~/rpmbuild | 3 | rm -fr ~/rpmbuild |
4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | rm -f firejail-$VERSION-1.x86_64.rpm |
5 | 5 | ||
@@ -409,6 +409,13 @@ rm -rf %{buildroot} | |||
409 | %{_sysconfdir}/%{name}/xfce4-dict.profile | 409 | %{_sysconfdir}/%{name}/xfce4-dict.profile |
410 | %{_sysconfdir}/%{name}/xfce4-notes.profile | 410 | %{_sysconfdir}/%{name}/xfce4-notes.profile |
411 | %{_sysconfdir}/%{name}/youtube-dl.profile | 411 | %{_sysconfdir}/%{name}/youtube-dl.profile |
412 | %{_sysconfdir}/%{name}/catfish.profile | ||
413 | %{_sysconfdir}/%{name}/darktable.profile | ||
414 | %{_sysconfdir}/%{name}/digikam.profile | ||
415 | %{_sysconfdir}/%{name}/handbrake.profile | ||
416 | %{_sysconfdir}/%{name}/vym.profile | ||
417 | %{_sysconfdir}/%{name}/waterfox.profile | ||
418 | |||
412 | 419 | ||
413 | 420 | ||
414 | /usr/bin/firejail | 421 | /usr/bin/firejail |
@@ -451,6 +458,8 @@ rm -rf %{buildroot} | |||
451 | chmod u+s /usr/bin/firejail | 458 | chmod u+s /usr/bin/firejail |
452 | 459 | ||
453 | %changelog | 460 | %changelog |
461 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 | ||
462 | |||
454 | * Mon May 15 2017 netblue30 <netblue30@yahoo.com> 0.9.46-1 | 463 | * Mon May 15 2017 netblue30 <netblue30@yahoo.com> 0.9.46-1 |
455 | 464 | ||
456 | * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1 | 465 | * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1 |
diff --git a/src/faudit/main.c b/src/faudit/main.c index 8ab0de5a6..57c709767 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
@@ -38,7 +38,7 @@ int main(int argc, char **argv) { | |||
38 | int i; | 38 | int i; |
39 | 39 | ||
40 | for (i = 1; i < argc; i++) { | 40 | for (i = 1; i < argc; i++) { |
41 | if (strcmp(argv[i], "syscall")) { | 41 | if (strcmp(argv[i], "syscall") == 0) { |
42 | syscall_helper(argc, argv); | 42 | syscall_helper(argc, argv); |
43 | return 0; | 43 | return 0; |
44 | } | 44 | } |
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 2925a6c30..9661f81e6 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c | |||
@@ -34,6 +34,9 @@ extern int pivot_root(const char *new_root, const char *put_old); | |||
34 | void syscall_helper(int argc, char **argv) { | 34 | void syscall_helper(int argc, char **argv) { |
35 | (void) argc; | 35 | (void) argc; |
36 | 36 | ||
37 | if (argc < 3) | ||
38 | return; | ||
39 | |||
37 | if (strcmp(argv[2], "mount") == 0) { | 40 | if (strcmp(argv[2], "mount") == 0) { |
38 | int rv = mount(NULL, NULL, NULL, 0, NULL); | 41 | int rv = mount(NULL, NULL, NULL, 0, NULL); |
39 | (void) rv; | 42 | (void) rv; |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e58c8ee52..c68db372b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -1,5 +1,5 @@ | |||
1 | # /usr/lib/firejail/firecfg.config - firecfg utility configuration file | 1 | # /usr/lib/firejail/firecfg.config - firecfg utility configuration file |
2 | # This is the list of programs in alfabetical order handled by firecfg utility | 2 | # This is the list of programs in alphabetical order handled by firecfg utility |
3 | # | 3 | # |
4 | 0ad | 4 | 0ad |
5 | 2048-qt | 5 | 2048-qt |
@@ -23,6 +23,8 @@ bless | |||
23 | blender | 23 | blender |
24 | brasero | 24 | brasero |
25 | brave | 25 | brave |
26 | calibre | ||
27 | catfish | ||
26 | cherrytree | 28 | cherrytree |
27 | chromium | 29 | chromium |
28 | chromium-browser | 30 | chromium-browser |
@@ -39,6 +41,7 @@ darktable | |||
39 | deadbeef | 41 | deadbeef |
40 | deluge | 42 | deluge |
41 | dia | 43 | dia |
44 | digikam | ||
42 | dillo | 45 | dillo |
43 | dino | 46 | dino |
44 | display | 47 | display |
@@ -48,6 +51,7 @@ dolphin | |||
48 | dosbox | 51 | dosbox |
49 | dragon | 52 | dragon |
50 | dropbox | 53 | dropbox |
54 | ebook-viewer | ||
51 | elinks | 55 | elinks |
52 | empathy | 56 | empathy |
53 | eog | 57 | eog |
@@ -70,6 +74,7 @@ galculator | |||
70 | geany | 74 | geany |
71 | gedit | 75 | gedit |
72 | geeqie | 76 | geeqie |
77 | ghb | ||
73 | gimp | 78 | gimp |
74 | gitter | 79 | gitter |
75 | gjs | 80 | gjs |
@@ -97,6 +102,8 @@ gpredict | |||
97 | gthumb | 102 | gthumb |
98 | gucharmap | 103 | gucharmap |
99 | gwenview | 104 | gwenview |
105 | handbrake | ||
106 | handbrake-gtk | ||
100 | hedgewars | 107 | hedgewars |
101 | hexchat | 108 | hexchat |
102 | highlight | 109 | highlight |
@@ -150,6 +157,7 @@ mediathekview | |||
150 | meld | 157 | meld |
151 | midori | 158 | midori |
152 | mousepad | 159 | mousepad |
160 | mplayer | ||
153 | mpv | 161 | mpv |
154 | multimc5 | 162 | multimc5 |
155 | mumble | 163 | mumble |
@@ -196,6 +204,7 @@ skanlite | |||
196 | skype | 204 | skype |
197 | skypeforlinux | 205 | skypeforlinux |
198 | slack | 206 | slack |
207 | smplayer | ||
199 | soffice | 208 | soffice |
200 | spectacle | 209 | spectacle |
201 | spotify | 210 | spotify |
@@ -224,6 +233,7 @@ vlc | |||
224 | vym | 233 | vym |
225 | w3m | 234 | w3m |
226 | warzone2100 | 235 | warzone2100 |
236 | waterfox | ||
227 | weechat | 237 | weechat |
228 | weechat-curses | 238 | weechat-curses |
229 | wesnot | 239 | wesnot |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 976750f8f..0f7ab40ff 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -31,17 +31,19 @@ | |||
31 | static char *devloop = NULL; // device file | 31 | static char *devloop = NULL; // device file |
32 | static char *mntdir = NULL; // mount point in /tmp directory | 32 | static char *mntdir = NULL; // mount point in /tmp directory |
33 | 33 | ||
34 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | ||
34 | static void err_loop(void) { | 35 | static void err_loop(void) { |
35 | fprintf(stderr, "Error: cannot configure loopback device\n"); | 36 | fprintf(stderr, "Error: cannot configure loopback device\n"); |
36 | exit(1); | 37 | exit(1); |
37 | } | 38 | } |
39 | #endif | ||
38 | 40 | ||
39 | void appimage_set(const char *appimage) { | 41 | void appimage_set(const char *appimage) { |
40 | assert(appimage); | 42 | assert(appimage); |
41 | assert(devloop == NULL); // don't call this twice! | 43 | assert(devloop == NULL); // don't call this twice! |
42 | EUID_ASSERT(); | 44 | EUID_ASSERT(); |
43 | 45 | ||
44 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 46 | #ifdef LOOP_CTL_GET_FREE |
45 | // check appimage file | 47 | // check appimage file |
46 | invalid_filename(appimage); | 48 | invalid_filename(appimage); |
47 | if (access(appimage, R_OK) == -1) { | 49 | if (access(appimage, R_OK) == -1) { |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index d45ba20ce..ff4d3a9d7 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -248,10 +248,19 @@ void caps_print(void) { | |||
248 | } | 248 | } |
249 | } | 249 | } |
250 | 250 | ||
251 | // drop discretionary access control capabilities for root sandboxes | ||
252 | void caps_drop_dac_override(void) { | ||
253 | if (getuid() == 0) { | ||
254 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); | ||
255 | else if (arg_debug) | ||
256 | printf("Drop CAP_DAC_OVERRIDE\n"); | ||
257 | |||
258 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); | ||
259 | else if (arg_debug) | ||
260 | printf("Drop CAP_DAC_READ_SEARCH\n"); | ||
261 | } | ||
262 | } | ||
251 | 263 | ||
252 | |||
253 | |||
254 | // enabled by default | ||
255 | int caps_default_filter(void) { | 264 | int caps_default_filter(void) { |
256 | // drop capabilities | 265 | // drop capabilities |
257 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) | 266 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 91b9c7be7..8bf2a75c3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -500,6 +500,7 @@ void fs_dev_shm(void); | |||
500 | void fs_private_dev(void); | 500 | void fs_private_dev(void); |
501 | void fs_dev_disable_sound(void); | 501 | void fs_dev_disable_sound(void); |
502 | void fs_dev_disable_3d(void); | 502 | void fs_dev_disable_3d(void); |
503 | void fs_dev_disable_video(void); | ||
503 | 504 | ||
504 | // fs_home.c | 505 | // fs_home.c |
505 | // private mode (--private) | 506 | // private mode (--private) |
@@ -533,6 +534,7 @@ void caps_check_list(const char *clist, void (*callback)(int)); | |||
533 | void caps_drop_list(const char *clist); | 534 | void caps_drop_list(const char *clist); |
534 | void caps_keep_list(const char *clist); | 535 | void caps_keep_list(const char *clist); |
535 | void caps_print_filter(pid_t pid); | 536 | void caps_print_filter(pid_t pid); |
537 | void caps_drop_dac_override(void); | ||
536 | 538 | ||
537 | // syscall.c | 539 | // syscall.c |
538 | const char *syscall_find_nr(int nr); | 540 | const char *syscall_find_nr(int nr); |
@@ -718,6 +720,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
718 | // programs | 720 | // programs |
719 | #define PATH_FNET (LIBDIR "/firejail/fnet") | 721 | #define PATH_FNET (LIBDIR "/firejail/fnet") |
720 | #define PATH_FIREMON (PREFIX "/bin/firemon") | 722 | #define PATH_FIREMON (PREFIX "/bin/firemon") |
723 | #define PATH_FIREJAIL (PREFIX "/bin/firejail") | ||
721 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | 724 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") |
722 | #define PATH_FCOPY (LIBDIR "/firejail/fcopy") | 725 | #define PATH_FCOPY (LIBDIR "/firejail/fcopy") |
723 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" | 726 | #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 159c8e654..fdaa0b355 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -35,37 +35,37 @@ typedef struct { | |||
35 | const char *dev_fname; | 35 | const char *dev_fname; |
36 | const char *run_fname; | 36 | const char *run_fname; |
37 | int sound; | 37 | int sound; |
38 | int video; | ||
39 | int hw3d; | 38 | int hw3d; |
39 | int video; | ||
40 | } DevEntry; | 40 | } DevEntry; |
41 | 41 | ||
42 | static DevEntry dev[] = { | 42 | static DevEntry dev[] = { |
43 | {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device | 43 | {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device |
44 | {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1}, // 3d device | 44 | {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device |
45 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1}, | 45 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0}, |
46 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1}, | 46 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0}, |
47 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1}, | 47 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0}, |
48 | {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1}, | 48 | {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0}, |
49 | {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1}, | 49 | {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0}, |
50 | {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1}, | 50 | {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0}, |
51 | {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1}, | 51 | {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0}, |
52 | {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1}, | 52 | {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0}, |
53 | {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1}, | 53 | {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0}, |
54 | {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1}, | 54 | {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0}, |
55 | {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1}, | 55 | {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0}, |
56 | {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1}, | 56 | {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0}, |
57 | {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1}, | 57 | {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0}, |
58 | {"/dev/video0", RUN_DEV_DIR "/video0", 0, 1}, | 58 | {"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices |
59 | {"/dev/video1", RUN_DEV_DIR "/video1", 0, 1}, | 59 | {"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1}, |
60 | {"/dev/video2", RUN_DEV_DIR "/video2", 0, 1}, | 60 | {"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1}, |
61 | {"/dev/video3", RUN_DEV_DIR "/video3", 0, 1}, | 61 | {"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1}, |
62 | {"/dev/video4", RUN_DEV_DIR "/video4", 0, 1}, | 62 | {"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1}, |
63 | {"/dev/video5", RUN_DEV_DIR "/video5", 0, 1}, | 63 | {"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1}, |
64 | {"/dev/video6", RUN_DEV_DIR "/video6", 0, 1}, | 64 | {"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1}, |
65 | {"/dev/video7", RUN_DEV_DIR "/video7", 0, 1}, | 65 | {"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1}, |
66 | {"/dev/video8", RUN_DEV_DIR "/video8", 0, 1}, | 66 | {"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1}, |
67 | {"/dev/video9", RUN_DEV_DIR "/video9", 0, 1}, | 67 | {"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1}, |
68 | {NULL, NULL, 0, 0} | 68 | {NULL, NULL, 0, 0, 0} |
69 | }; | 69 | }; |
70 | 70 | ||
71 | static void deventry_mount(void) { | 71 | static void deventry_mount(void) { |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 9452d162d..11e9eabf5 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -326,7 +326,8 @@ void fs_var_utmp(void) { | |||
326 | endutent(); | 326 | endutent(); |
327 | 327 | ||
328 | // save new utmp file | 328 | // save new utmp file |
329 | fwrite(&u_boot, sizeof(u_boot), 1, fp); | 329 | int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp); |
330 | (void) rv; | ||
330 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); | 331 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); |
331 | fclose(fp); | 332 | fclose(fp); |
332 | 333 | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index b5b45a3bf..4c0537413 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
242 | if (child < 0) | 242 | if (child < 0) |
243 | errExit("fork"); | 243 | errExit("fork"); |
244 | if (child == 0) { | 244 | if (child == 0) { |
245 | // drop discretionary access control capabilities for root sandboxes | ||
246 | caps_drop_dac_override(); | ||
247 | |||
245 | // chroot into /proc/PID/root directory | 248 | // chroot into /proc/PID/root directory |
246 | char *rootdir; | 249 | char *rootdir; |
247 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | 250 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 95c325f9f..cff61f64a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2272,9 +2272,9 @@ int main(int argc, char **argv) { | |||
2272 | if (cfg.chrootdir) { | 2272 | if (cfg.chrootdir) { |
2273 | fwarning("default profile disabled by --chroot option\n"); | 2273 | fwarning("default profile disabled by --chroot option\n"); |
2274 | } | 2274 | } |
2275 | else if (arg_overlay) { | 2275 | // else if (arg_overlay) { |
2276 | fwarning("default profile disabled by --overlay option\n"); | 2276 | // fwarning("default profile disabled by --overlay option\n"); |
2277 | } | 2277 | // } |
2278 | else { | 2278 | else { |
2279 | // try to load a default profile | 2279 | // try to load a default profile |
2280 | char *profile_name = DEFAULT_USER_PROFILE; | 2280 | char *profile_name = DEFAULT_USER_PROFILE; |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index b37c5abf7..07c42006d 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -209,6 +209,11 @@ void run_no_sandbox(int argc, char **argv) { | |||
209 | break; | 209 | break; |
210 | } | 210 | } |
211 | } | 211 | } |
212 | // if shell is /usr/bin/firejail, replace it with /bin/bash | ||
213 | if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { | ||
214 | cfg.shell = "/bin/bash"; | ||
215 | prog_index = 0; | ||
216 | } | ||
212 | 217 | ||
213 | if (prog_index == 0) { | 218 | if (prog_index == 0) { |
214 | cfg.command_line = cfg.shell; | 219 | cfg.command_line = cfg.shell; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index a9298a33f..ed885d3b1 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -86,10 +86,6 @@ void run_symlink(int argc, char **argv) { | |||
86 | 86 | ||
87 | 87 | ||
88 | // start the argv[0] program in a new sandbox | 88 | // start the argv[0] program in a new sandbox |
89 | char *firejail; | ||
90 | if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1) | ||
91 | errExit("asprintf"); | ||
92 | |||
93 | // drop privileges | 89 | // drop privileges |
94 | if (setgid(getgid()) < 0) | 90 | if (setgid(getgid()) < 0) |
95 | errExit("setgid/getgid"); | 91 | errExit("setgid/getgid"); |
@@ -98,7 +94,7 @@ void run_symlink(int argc, char **argv) { | |||
98 | 94 | ||
99 | // run command | 95 | // run command |
100 | char *a[3 + argc]; | 96 | char *a[3 + argc]; |
101 | a[0] = firejail; | 97 | a[0] =PATH_FIREJAIL; |
102 | a[1] = program; | 98 | a[1] = program; |
103 | int i; | 99 | int i; |
104 | for (i = 0; i < (argc - 1); i++) { | 100 | for (i = 0; i < (argc - 1); i++) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7f82e2253..4ee05d070 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -99,6 +99,9 @@ static void set_caps(void) { | |||
99 | caps_keep_list(arg_caps_list); | 99 | caps_keep_list(arg_caps_list); |
100 | else if (arg_caps_default_filter) | 100 | else if (arg_caps_default_filter) |
101 | caps_default_filter(); | 101 | caps_default_filter(); |
102 | |||
103 | // drop discretionary access control capabilities for root sandboxes | ||
104 | caps_drop_dac_override(); | ||
102 | } | 105 | } |
103 | 106 | ||
104 | void save_nogroups(void) { | 107 | void save_nogroups(void) { |
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) { | |||
896 | // set security filters | 899 | // set security filters |
897 | //**************************** | 900 | //**************************** |
898 | // set capabilities | 901 | // set capabilities |
899 | // if (!arg_noroot) | 902 | set_caps(); |
900 | set_caps(); | ||
901 | 903 | ||
902 | // set rlimits | 904 | // set rlimits |
903 | set_rlimits(); | 905 | set_rlimits(); |
@@ -989,10 +991,9 @@ int sandbox(void* sandbox_arg) { | |||
989 | if (arg_apparmor) { | 991 | if (arg_apparmor) { |
990 | errno = 0; | 992 | errno = 0; |
991 | if (aa_change_onexec("firejail-default")) { | 993 | if (aa_change_onexec("firejail-default")) { |
992 | fprintf(stderr, "Error: cannot confine the application using AppArmor.\n"); | 994 | fwarning("Cannot confine the application using AppArmor.\n" |
993 | fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"); | 995 | "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n" |
994 | fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n"); | 996 | "As root, run \"aa-enforce firejail-default\" to load it.\n"); |
995 | exit(1); | ||
996 | } | 997 | } |
997 | else if (arg_debug) | 998 | else if (arg_debug) |
998 | printf("AppArmor enabled\n"); | 999 | printf("AppArmor enabled\n"); |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 72a5874f8..15379215c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -68,7 +68,7 @@ int seccomp_load(const char *fname) { | |||
68 | goto errexit; | 68 | goto errexit; |
69 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); | 69 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); |
70 | if (arg_debug) | 70 | if (arg_debug) |
71 | printf("reading %d seccomp entries from %s\n", entries, fname); | 71 | printf("configuring %d seccomp entries from %s\n", entries, fname); |
72 | 72 | ||
73 | // read filter | 73 | // read filter |
74 | struct sock_filter *filter = malloc(size); | 74 | struct sock_filter *filter = malloc(size); |
@@ -205,6 +205,8 @@ int seccomp_filter_keep(void) { | |||
205 | printf("seccomp filter configured\n"); | 205 | printf("seccomp filter configured\n"); |
206 | 206 | ||
207 | 207 | ||
208 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) | ||
209 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); | ||
208 | return seccomp_load(RUN_SECCOMP_CFG); | 210 | return seccomp_load(RUN_SECCOMP_CFG); |
209 | } | 211 | } |
210 | 212 | ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 76930e1de..6f8298589 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -220,7 +220,7 @@ void usage(void) { | |||
220 | printf("\tstart Mozilla Firefox\n"); | 220 | printf("\tstart Mozilla Firefox\n"); |
221 | printf(" $ firejail --debug firefox\n"); | 221 | printf(" $ firejail --debug firefox\n"); |
222 | printf("\tdebug Firefox sandbox\n"); | 222 | printf("\tdebug Firefox sandbox\n"); |
223 | printf(" $ firejail --private --sna=8.8.8.8 firefox\n"); | 223 | printf(" $ firejail --private --dns=8.8.8.8 firefox\n"); |
224 | printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n"); | 224 | printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n"); |
225 | printf("\tserver setting.\n"); | 225 | printf("\tserver setting.\n"); |
226 | printf(" $ firejail --net=eth0 firefox\n"); | 226 | printf(" $ firejail --net=eth0 firefox\n"); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 5ce156603..79ebc3b1b 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
639 | 639 | ||
640 | // build the start command | 640 | // build the start command |
641 | char *server_argv[256] = { // rest initialyzed to NULL | 641 | char *server_argv[256] = { // rest initialyzed to NULL |
642 | "xpra", "start", display_str, "--no-daemon", | 642 | "xpra", "start", display_str, "--no-daemon", "--use-display", |
643 | }; | 643 | }; |
644 | unsigned pos = 0; | 644 | unsigned pos = 0; |
645 | while (server_argv[pos] != NULL) pos++; | 645 | while (server_argv[pos] != NULL) pos++; |
@@ -736,7 +736,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
736 | } | 736 | } |
737 | 737 | ||
738 | // add a small delay, on some systems it takes some time for the server to start | 738 | // add a small delay, on some systems it takes some time for the server to start |
739 | sleep(1); | 739 | sleep(5); |
740 | 740 | ||
741 | // check X11 socket | 741 | // check X11 socket |
742 | char *fname; | 742 | char *fname; |
diff --git a/src/ftee/main.c b/src/ftee/main.c index 2628a77c5..6aede324c 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -129,7 +129,8 @@ static void log_write(const unsigned char *str, int len, const char *fname) { | |||
129 | out_cnt = len; | 129 | out_cnt = len; |
130 | } | 130 | } |
131 | 131 | ||
132 | fwrite(str, len, 1, out_fp); | 132 | int rv = fwrite(str, len, 1, out_fp); |
133 | (void) rv; | ||
133 | fflush(0); | 134 | fflush(0); |
134 | } | 135 | } |
135 | 136 | ||
@@ -230,7 +231,8 @@ int main(int argc, char **argv) { | |||
230 | if (n <= 0) | 231 | if (n <= 0) |
231 | break; | 232 | break; |
232 | 233 | ||
233 | fwrite(buf, n, 1, stdout); | 234 | int rv = fwrite(buf, n, 1, stdout); |
235 | (void) rv; | ||
234 | log_write(buf, n, fname); | 236 | log_write(buf, n, fname); |
235 | } | 237 | } |
236 | 238 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index cbffa9ce4..e4ef90944 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -407,6 +407,7 @@ Disable sound system. | |||
407 | .TP | 407 | .TP |
408 | \fBnovideo | 408 | \fBnovideo |
409 | Disable video devices. | 409 | Disable video devices. |
410 | .TP | ||
410 | \fBno3d | 411 | \fBno3d |
411 | Disable 3D hardware acceleration. | 412 | Disable 3D hardware acceleration. |
412 | 413 | ||
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 3ec2bc049..a7eace125 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp | |||
@@ -71,7 +71,7 @@ expect { | |||
71 | } | 71 | } |
72 | expect { | 72 | expect { |
73 | timeout {puts "TESTING ERROR 6.2\n";exit} | 73 | timeout {puts "TESTING ERROR 6.2\n";exit} |
74 | "fffffffff" | 74 | "00240000" |
75 | } | 75 | } |
76 | expect { | 76 | expect { |
77 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 041918d7f..6b784e395 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp | |||
@@ -72,7 +72,7 @@ expect { | |||
72 | } | 72 | } |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 6.2\n";exit} | 74 | timeout {puts "TESTING ERROR 6.2\n";exit} |
75 | "fffffffff" | 75 | "00240000" |
76 | } | 76 | } |
77 | expect { | 77 | expect { |
78 | timeout {puts "TESTING ERROR 6.3\n";exit} | 78 | timeout {puts "TESTING ERROR 6.3\n";exit} |
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp index 097becacc..97972e5e8 100755 --- a/test/arguments/joinrun.exp +++ b/test/arguments/joinrun.exp | |||
@@ -35,10 +35,6 @@ expect { | |||
35 | timeout {puts "TESTING ERROR 3.2.3\n";exit} | 35 | timeout {puts "TESTING ERROR 3.2.3\n";exit} |
36 | "#arg2 tail#" | 36 | "#arg2 tail#" |
37 | } | 37 | } |
38 | |||
39 | # todo: remove exit and fix it | ||
40 | exit | ||
41 | |||
42 | expect { | 38 | expect { |
43 | timeout {puts "TESTING ERROR 3.3.1\n";exit} | 39 | timeout {puts "TESTING ERROR 3.3.1\n";exit} |
44 | "Arguments:" | 40 | "Arguments:" |
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh index 3ed166839..b00ea0e80 100755 --- a/test/arguments/joinrun.sh +++ b/test/arguments/joinrun.sh | |||
@@ -5,18 +5,18 @@ firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2 | |||
5 | 5 | ||
6 | # simple quotes, testing spaces in file names | 6 | # simple quotes, testing spaces in file names |
7 | echo "TESTING: 3.2 - args with space and \"" | 7 | echo "TESTING: 3.2 - args with space and \"" |
8 | firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail" | 8 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail" |
9 | 9 | ||
10 | echo "TESTING: 3.3 - args with space and '" | 10 | echo "TESTING: 3.3 - args with space and '" |
11 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail' | 11 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail' |
12 | 12 | ||
13 | # escaped space in file names | 13 | # escaped space in file names |
14 | echo "TESTING: 3.4 - args with space and \\" | 14 | echo "TESTING: 3.4 - args with space and \\" |
15 | firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail | 15 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail |
16 | 16 | ||
17 | # & char appears in URLs - URLs should be quoted | 17 | # & char appears in URLs - URLs should be quoted |
18 | echo "TESTING: 3.5 - args with & and \"" | 18 | echo "TESTING: 3.5 - args with & and \"" |
19 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail" | 19 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail" |
20 | 20 | ||
21 | echo "TESTING: 3.6 - args with & and '" | 21 | echo "TESTING: 3.6 - args with & and '" |
22 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail' | 22 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail' |
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh index e2b3046d6..5bc3b1e37 100755 --- a/test/arguments/outrun.sh +++ b/test/arguments/outrun.sh | |||
@@ -8,15 +8,15 @@ echo "TESTING: 4.2 - args with space and \"" | |||
8 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail" | 8 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail" |
9 | 9 | ||
10 | echo "TESTING: 4.3 - args with space and '" | 10 | echo "TESTING: 4.3 - args with space and '" |
11 | firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail' | 11 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail' |
12 | 12 | ||
13 | # escaped space in file names | 13 | # escaped space in file names |
14 | echo "TESTING: 4.4 - args with space and \\" | 14 | echo "TESTING: 4.4 - args with space and \\" |
15 | firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail | 15 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail |
16 | 16 | ||
17 | # & char appears in URLs - URLs should be quoted | 17 | # & char appears in URLs - URLs should be quoted |
18 | echo "TESTING: 4.5 - args with & and \"" | 18 | echo "TESTING: 4.5 - args with & and \"" |
19 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail" | 19 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail" |
20 | 20 | ||
21 | echo "TESTING: 4.6 - args with & and '" | 21 | echo "TESTING: 4.6 - args with & and '" |
22 | firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail' | 22 | firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail' |
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh index d28f024a8..db5f06835 100755 --- a/test/arguments/symrun.sh +++ b/test/arguments/symrun.sh | |||
@@ -1,30 +1,31 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | 2 | ||
3 | mkdir symtest | 3 | mkdir symtest |
4 | ln -s /usr/bin/firejail symtest/argtest | 4 | ln -s /usr/bin/firejail symtest/faudit |
5 | 5 | ||
6 | # search for argtest in current directory | 6 | # search for faudit in current directory |
7 | export PATH=$PATH:. | 7 | export PATH=$PATH:. |
8 | export FIREJAIL_TEST_ARGUMENTS=yes | ||
8 | 9 | ||
9 | echo "TESTING: 2.1 - simple args" | 10 | echo "TESTING: 2.1 - simple args" |
10 | symtest/argtest arg1 arg2 | 11 | symtest/faudit arg1 arg2 |
11 | 12 | ||
12 | # simple quotes, testing spaces in file names | 13 | # simple quotes, testing spaces in file names |
13 | echo "TESTING: 2.2 - args with space and \"" | 14 | echo "TESTING: 2.2 - args with space and \"" |
14 | symtest/argtest "arg1 tail" "arg2 tail" | 15 | symtest/faudit "arg1 tail" "arg2 tail" |
15 | 16 | ||
16 | echo "TESTING: 2.3 - args with space and '" | 17 | echo "TESTING: 2.3 - args with space and '" |
17 | symtest/argtest 'arg1 tail' 'arg2 tail' | 18 | symtest/faudit 'arg1 tail' 'arg2 tail' |
18 | 19 | ||
19 | # escaped space in file names | 20 | # escaped space in file names |
20 | echo "TESTING: 2.4 - args with space and \\" | 21 | echo "TESTING: 2.4 - args with space and \\" |
21 | symtest/argtest arg1\ tail arg2\ tail | 22 | symtest/faudit arg1\ tail arg2\ tail |
22 | 23 | ||
23 | # & char appears in URLs - URLs should be quoted | 24 | # & char appears in URLs - URLs should be quoted |
24 | echo "TESTING: 2.5 - args with & and \"" | 25 | echo "TESTING: 2.5 - args with & and \"" |
25 | symtest/argtest "arg1&tail" "arg2&tail" | 26 | symtest/faudit "arg1&tail" "arg2&tail" |
26 | 27 | ||
27 | echo "TESTING: 2.6 - args with & and '" | 28 | echo "TESTING: 2.6 - args with & and '" |
28 | symtest/argtest 'arg1&tail' 'arg2&tail' | 29 | symtest/faudit 'arg1&tail' 'arg2&tail' |
29 | 30 | ||
30 | rm -fr symtest | 31 | rm -fr symtest |
diff --git a/test/filters/syscall_test b/test/filters/syscall_test index 12edd2d64..bf29c5b99 100755 --- a/test/filters/syscall_test +++ b/test/filters/syscall_test | |||
Binary files differ | |||
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32 index 29af1e073..8d72f58c4 100755 --- a/test/filters/syscall_test32 +++ b/test/filters/syscall_test32 | |||
Binary files differ | |||