private-bin conversion

author: netblue30 <netblue30@yahoo.com> 2016-06-10 08:40:24 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-10 08:40:24 -0400
commit: 783251e0749e27e28b3ac54b5047f10cf1c44016 (patch)
tree: 7fddeee60485e3183ed2d7590efad8e32ed27b53
parent: x11 work (diff)
download: firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.tar.gz
firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.tar.zst
firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.zip
12 files changed, 125 insertions, 6 deletions
diff --git a/README.md b/README.md
index bc5717fb7..029a7c904 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo
 AppImage project home: https://github.com/probonopd/AppImageKit
+## Converting profiles to private-bin - work in progress
+BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 277ecc15e..87a17423b 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
-# deluge bittorernt client profile
+# deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 # deluge is using python on Debian
@@ -12,3 +12,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin deluge,sh,python,uname
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 0c9d21d39..99f059c44 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,8 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# disabled temporarily pending globbing implementation
+# Programs using python: deluge, some firefox addons
-# in noblacklist command and firefox profile fix
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 0a8a6103f..cbed7e8c6 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -12,3 +12,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+# to test
+shell none
+private-bin mpv
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index cbf898502..bb97a880b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin qbittorrent
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 0be5e15d1..c196370a2 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -11,3 +11,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin rtorrent
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 5aef32d45..e8d0e25e7 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
-# transmission-gtk profile
+# transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+shell none
+private-bin transmission-gtk
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index d8ab1c60d..fd3a98aad 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
-# transmission-qt profile
+# transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
@@ -15,3 +15,6 @@ nosound
 protocol unix,inet,inet6
 seccomp
 tracelog
+shell none
+private-bin transmission-qt
diff --git a/etc/vlc.profile b/etc/vlc.profile
index f8eebd376..e225e80e9 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,3 +12,8 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+# to test
+shell none
+private-bin vlc
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 71a73a02d..d72deab2f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 37d66d609..3ecc161a1 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -60,6 +60,15 @@ else
        echo "TESTING SKIP: transmission-qt not found"
 fi
+which qbittorrent
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: qbittorrent"
+        ./qbittorrent.exp
+else
+        echo "TESTING SKIP: qbittorrent not found"
+fi
 which evince
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
new file mode 100755
index 000000000..4f3f7c362
--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail qbittorrent\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 5
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "qbittorrent"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail qbittorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+puts "\n"
author	netblue30 <netblue30@yahoo.com>	2016-06-10 08:40:24 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-10 08:40:24 -0400
commit	783251e0749e27e28b3ac54b5047f10cf1c44016 (patch)
tree	7fddeee60485e3183ed2d7590efad8e32ed27b53
parent	x11 work (diff)
download	firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.tar.gz firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.tar.zst firejail-783251e0749e27e28b3ac54b5047f10cf1c44016.zip

diff --git a/README.md b/README.md index bc5717fb7..029a7c904 100644 --- a/README.md +++ b/README.md
@@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo
65		65
66	AppImage project home: https://github.com/probonopd/AppImageKit	66	AppImage project home: https://github.com/probonopd/AppImageKit
67		67
		68	## Converting profiles to private-bin - work in progress
		69
		70	BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
		71
68	## New security profiles	72	## New security profiles
69		73
70	Gitter, gThumb, mpv, Franz messenger	74	Gitter, gThumb, mpv, Franz messenger


diff --git a/etc/deluge.profile b/etc/deluge.profile index 277ecc15e..87a17423b 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile
@@ -1,4 +1,4 @@
1	# deluge bittorernt client profile	1	# deluge bittorrernt client profile
2	include /etc/firejail/disable-common.inc	2	include /etc/firejail/disable-common.inc
3	include /etc/firejail/disable-programs.inc	3	include /etc/firejail/disable-programs.inc
4	# deluge is using python on Debian	4	# deluge is using python on Debian
@@ -12,3 +12,6 @@ noroot
12	nosound	12	nosound
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	seccomp	14	seccomp
		15
		16	shell none
		17	private-bin deluge,sh,python,uname


diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 0c9d21d39..99f059c44 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc
@@ -37,8 +37,7 @@ blacklist /usr/lib/php*
37	blacklist /usr/bin/ruby	37	blacklist /usr/bin/ruby
38	blacklist /usr/lib/ruby	38	blacklist /usr/lib/ruby
39		39
40	# disabled temporarily pending globbing implementation	40	# Programs using python: deluge, some firefox addons
41	# in noblacklist command and firefox profile fix
42	# Python 2	41	# Python 2
43	#blacklist /usr/bin/python2*	42	#blacklist /usr/bin/python2*
44	#blacklist /usr/lib/python2*	43	#blacklist /usr/lib/python2*


diff --git a/etc/mpv.profile b/etc/mpv.profile index 0a8a6103f..cbed7e8c6 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile
@@ -12,3 +12,7 @@ nonewprivs
12	noroot	12	noroot
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	seccomp	14	seccomp
		15
		16	# to test
		17	shell none
		18	private-bin mpv


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index cbf898502..bb97a880b 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile
@@ -11,3 +11,6 @@ noroot
11	nosound	11	nosound
12	protocol unix,inet,inet6	12	protocol unix,inet,inet6
13	seccomp	13	seccomp
		14
		15	shell none
		16	private-bin qbittorrent


diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 0be5e15d1..c196370a2 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile
@@ -11,3 +11,6 @@ noroot
11	nosound	11	nosound
12	protocol unix,inet,inet6	12	protocol unix,inet,inet6
13	seccomp	13	seccomp
		14
		15	shell none
		16	private-bin rtorrent


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 5aef32d45..e8d0e25e7 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile
@@ -1,4 +1,4 @@
1	# transmission-gtk profile	1	# transmission-gtk bittorrent profile
2	noblacklist ${HOME}/.config/transmission	2	noblacklist ${HOME}/.config/transmission
3	noblacklist ${HOME}/.cache/transmission	3	noblacklist ${HOME}/.cache/transmission
4		4
@@ -15,3 +15,6 @@ nosound
15	protocol unix,inet,inet6	15	protocol unix,inet,inet6
16	seccomp	16	seccomp
17	tracelog	17	tracelog
		18
		19	shell none
		20	private-bin transmission-gtk


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index d8ab1c60d..fd3a98aad 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile
@@ -1,4 +1,4 @@
1	# transmission-qt profile	1	# transmission-qt bittorrent profile
2	noblacklist ${HOME}/.config/transmission	2	noblacklist ${HOME}/.config/transmission
3	noblacklist ${HOME}/.cache/transmission	3	noblacklist ${HOME}/.cache/transmission
4		4
@@ -15,3 +15,6 @@ nosound
15	protocol unix,inet,inet6	15	protocol unix,inet,inet6
16	seccomp	16	seccomp
17	tracelog	17	tracelog
		18
		19	shell none
		20	private-bin transmission-qt


diff --git a/etc/vlc.profile b/etc/vlc.profile index f8eebd376..e225e80e9 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -12,3 +12,8 @@ nonewprivs
12	noroot	12	noroot
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	seccomp	14	seccomp
		15
		16
		17	# to test
		18	shell none
		19	private-bin vlc


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 71a73a02d..d72deab2f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif
1206	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,	1206	add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
1207	io_destroy, io_getevents, io_submit, io_cancel,	1207	io_destroy, io_getevents, io_submit, io_cancel,
1208	remap_file_pages, mbind, get_mempolicy, set_mempolicy,	1208	remap_file_pages, mbind, get_mempolicy, set_mempolicy,
1209	migrate_pages, move_pages, vmsplice, perf_event_open, chroot,	1209	migrate_pages, move_pages, vmsplice, chroot,
1210	tuxcall, reboot, mfsservctl and get_kernel_syms.	1210	tuxcall, reboot, mfsservctl and get_kernel_syms.
1211	.br	1211	.br
1212		1212


diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 37d66d609..3ecc161a1 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh
@@ -60,6 +60,15 @@ else
60	echo "TESTING SKIP: transmission-qt not found"	60	echo "TESTING SKIP: transmission-qt not found"
61	fi	61	fi
62		62
		63	which qbittorrent
		64	if [ "$?" -eq 0 ];
		65	then
		66	echo "TESTING: qbittorrent"
		67	./qbittorrent.exp
		68	else
		69	echo "TESTING SKIP: qbittorrent not found"
		70	fi
		71
63	which evince	72	which evince
64	if [ "$?" -eq 0 ];	73	if [ "$?" -eq 0 ];
65	then	74	then


diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp new file mode 100755 index 000000000..4f3f7c362 --- /dev/null +++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail qbittorrent\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/qbittorrent.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 5
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"qbittorrent"
		30	}
		31	sleep 1
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	":firejail qbittorrent"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		56	"Seccomp: 2"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 5.1\n";exit}
		60	"name=blablabla"
		61	}
		62	sleep 1
		63	send -- "firemon --caps\r"
		64	expect {
		65	timeout {puts "TESTING ERROR 6\n";exit}
		66	":firejail qbittorrent"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 6.1\n";exit}
		70	"CapBnd:"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 6.2\n";exit}
		74	"0000000000000000"
		75	}
		76	expect {
		77	timeout {puts "TESTING ERROR 6.3\n";exit}
		78	"name=blablabla"
		79	}
		80	sleep 1
		81
		82	puts "\n"
		83