Merge branch 'master' of https://github.com/netblue30/firejail

author: netblue30 <netblue30@yahoo.com> 2016-04-19 08:21:22 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-19 08:21:22 -0400
commit: c14364ff5ffe9a9415f5879248804cfde57cb793 (patch)
tree: 9d85d8ffa7fc206d4408650a1b70603b0f272f1d
parent: close lock file (diff)
parent: Merge pull request #457 from Fred-Barclay/proposed (diff)
download: firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.tar.gz
firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.tar.zst
firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.zip
10 files changed, 93 insertions, 9 deletions
diff --git a/Makefile.in b/Makefile.in
index cb897c23d..c15ecd7dd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -169,6 +169,8 @@ realinstall:
        install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        rm -fr .etc
diff --git a/README b/README
index d0a7aaf8d..7919bdaad 100644
--- a/README
+++ b/README
@@ -19,9 +19,9 @@ Firejail Authors:
 netblue30 (netblue30@yahoo.com)
 curiosity-seeker (https://github.com/curiosity-seeker)
-        - tightening unbound and dnscrypt-proxy profiles
+    - tightening unbound and dnscrypt-proxy profiles
-        - dnsmasq profile
+    - dnsmasq profile
-        - okular and gwenview profiles
+    - okular and gwenview profiles
 Matthew Gyurgyik (https://github.com/pyther)
        - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
@@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
        - added Warzone2100 profile
        - blacklisted VeraCrypt
        - added Gpredict profile
+        - added Aweather, Stellarium profiles
 avoidr (https://github.com/avoidr)
        - whitelist fix
        - recently-used.xbel fix
diff --git a/README.md b/README.md
index ca7927fff..5b2626288 100644
--- a/README.md
+++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview, Gpredict
+Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d7f510a7e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+# Noblacklist
+noblacklist ~/.config/aweather
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6c5515894..317ac082f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,10 +5,13 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..56d09d5b2
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,16 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..7cb74eeaa
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6f5b564a0..7ce729d6e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -88,3 +88,5 @@
 /etc/firejail/okular.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8bebf76af..3812ee7d8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -4,6 +4,10 @@
 # astronomy
 gpredict
+stellarium
+# weather/climate
+aweather
 # browsers/email
 firefox
@@ -78,6 +82,7 @@ quassel
 xchat
 # games
+0ad
 hedgewars
 wesnot
 warzone2100
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index af1ddf93b..4c2510021 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -726,7 +726,16 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
        if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+        if (!arg_writable_etc) {
+                fs_rdonly("/etc");
+                if (arg_debug) printf(", /etc");
+        }
+        if (!arg_writable_var) {
+                fs_rdonly("/var");
+                if (arg_debug) printf(", /var");
+        }
+        if (arg_debug) printf("\n");
        fs_rdonly("/bin");
        fs_rdonly("/sbin");
        fs_rdonly("/lib");
@@ -734,10 +743,6 @@ void fs_basic_fs(void) {
        fs_rdonly("/lib32");
        fs_rdonly("/libx32");
        fs_rdonly("/usr");
-        if (!arg_writable_etc)
-                fs_rdonly("/etc");
-        if (!arg_writable_var)
-                fs_rdonly("/var");
        // update /var directory in order to support multiple sandboxes running on the same root directory
        if (!arg_private_dev)
author	netblue30 <netblue30@yahoo.com>	2016-04-19 08:21:22 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-19 08:21:22 -0400
commit	c14364ff5ffe9a9415f5879248804cfde57cb793 (patch)
tree	9d85d8ffa7fc206d4408650a1b70603b0f272f1d
parent	close lock file (diff)
parent	Merge pull request #457 from Fred-Barclay/proposed (diff)
download	firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.tar.gz firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.tar.zst firejail-c14364ff5ffe9a9415f5879248804cfde57cb793.zip

diff --git a/Makefile.in b/Makefile.in index cb897c23d..c15ecd7dd 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -169,6 +169,8 @@ realinstall:
169	install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.	169	install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
170	install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.	170	install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
171	install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.	171	install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
		172	install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
		173	install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
172	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"	174	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
173	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"	175	sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
174	rm -fr .etc	176	rm -fr .etc


diff --git a/README b/README index d0a7aaf8d..7919bdaad 100644 --- a/README +++ b/README
@@ -19,9 +19,9 @@ Firejail Authors:
19		19
20	netblue30 (netblue30@yahoo.com)	20	netblue30 (netblue30@yahoo.com)
21	curiosity-seeker (https://github.com/curiosity-seeker)	21	curiosity-seeker (https://github.com/curiosity-seeker)
22	- tightening unbound and dnscrypt-proxy profiles	22	- tightening unbound and dnscrypt-proxy profiles
23	- dnsmasq profile	23	- dnsmasq profile
24	- okular and gwenview profiles	24	- okular and gwenview profiles
25	Matthew Gyurgyik (https://github.com/pyther)	25	Matthew Gyurgyik (https://github.com/pyther)
26	- rpm spec and several fixes	26	- rpm spec and several fixes
27	Joan Figueras (https://github.com/figue)	27	Joan Figueras (https://github.com/figue)
@@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
35	- added Warzone2100 profile	35	- added Warzone2100 profile
36	- blacklisted VeraCrypt	36	- blacklisted VeraCrypt
37	- added Gpredict profile	37	- added Gpredict profile
		38	- added Aweather, Stellarium profiles
38	avoidr (https://github.com/avoidr)	39	avoidr (https://github.com/avoidr)
39	- whitelist fix	40	- whitelist fix
40	- recently-used.xbel fix	41	- recently-used.xbel fix


diff --git a/README.md b/README.md index ca7927fff..5b2626288 100644 --- a/README.md +++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
282	## New security profiles	282	## New security profiles
283	lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,	283	lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
284	OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,	284	OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
285	Warzone2100, okular, gwenview, Gpredict	285	Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium
286		286


diff --git a/etc/aweather.profile b/etc/aweather.profile new file mode 100644 index 000000000..d7f510a7e --- /dev/null +++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
		1	# Firejail profile for aweather.
		2
		3	# Noblacklist
		4	noblacklist ~/.config/aweather
		5
		6	# Include
		7	include /etc/firejail/disable-common.inc
		8	include /etc/firejail/disable-devel.inc
		9	include /etc/firejail/disable-passwdmgr.inc
		10	include /etc/firejail/disable-programs.inc
		11
		12	# Call these options
		13	caps.drop all
		14	netfilter
		15	noroot
		16	protocol unix,inet,inet6,netlink
		17	seccomp
		18	tracelog
		19
		20	# Whitelist
		21	mkdir ~/.config
		22	mkdir ~/.config/aweather
		23	whitelist ~/.config/aweather


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6c5515894..317ac082f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -5,10 +5,13 @@ blacklist ${HOME}/.FBReader
5	blacklist ${HOME}/.wine	5	blacklist ${HOME}/.wine
6	blacklist ${HOME}/.Mathematica	6	blacklist ${HOME}/.Mathematica
7	blacklist ${HOME}/.Wolfram Research	7	blacklist ${HOME}/.Wolfram Research
		8	blacklist ${HOME}/.stellarium
8	blacklist ${HOME}/.config/mupen64plus	9	blacklist ${HOME}/.config/mupen64plus
9	blacklist ${HOME}/.config/transmission	10	blacklist ${HOME}/.config/transmission
10	blacklist ${HOME}/.config/uGet	11	blacklist ${HOME}/.config/uGet
11	blacklist ${HOME}/.config/Gpredict	12	blacklist ${HOME}/.config/Gpredict
		13	blacklist ${HOME}/.config/aweather
		14	blacklist ${HOME}/.config/stellarium
12	blacklist ~/.kde/share/apps/okular	15	blacklist ~/.kde/share/apps/okular
13	blacklist ~/.kde/share/config/okularrc	16	blacklist ~/.kde/share/config/okularrc
14	blacklist ~/.kde/share/config/okularpartrc	17	blacklist ~/.kde/share/config/okularpartrc


diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile new file mode 100644 index 000000000..56d09d5b2 --- /dev/null +++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,16 @@
		1	# Google Play Music desktop player profile
		2	noblacklist ~/.config/Google Play Music Desktop Player
		3
		4	include /etc/firejail/disable-common.inc
		5	include /etc/firejail/disable-programs.inc
		6	include /etc/firejail/disable-devel.inc
		7	include /etc/firejail/disable-passwdmgr.inc
		8
		9	caps.drop all
		10	seccomp
		11	protocol unix,inet,inet6,netlink
		12	noroot
		13
		14	#whitelist ~/.pulse
		15	#whitelist ~/.config/pulse
		16	whitelist ~/.config/Google Play Music Desktop Player


diff --git a/etc/stellarium.profile b/etc/stellarium.profile new file mode 100644 index 000000000..7cb74eeaa --- /dev/null +++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
		1	# Firejail profile for Stellarium.
		2
		3	# Noblacklist
		4	noblacklist ~/.stellarium
		5	noblacklist ~/.config/stellarium
		6
		7	# Include
		8	include /etc/firejail/disable-common.inc
		9	include /etc/firejail/disable-devel.inc
		10	include /etc/firejail/disable-passwdmgr.inc
		11	include /etc/firejail/disable-programs.inc
		12
		13	# Call these options
		14	caps.drop all
		15	netfilter
		16	noroot
		17	protocol unix,inet,inet6,netlink
		18	seccomp
		19	tracelog
		20
		21	# Whitelist
		22	mkdir ~/.stellarium
		23	whitelist ~/.stellarium
		24
		25	mkdir ~/.config
		26	mkdir ~/.config/stellarium
		27	whitelist ~/.config/stellarium


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6f5b564a0..7ce729d6e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -88,3 +88,5 @@
88	/etc/firejail/okular.profile	88	/etc/firejail/okular.profile
89	/etc/firejail/gwenview.profile	89	/etc/firejail/gwenview.profile
90	/etc/firejail/gpredict.profile	90	/etc/firejail/gpredict.profile
		91	/etc/firejail/aweather.profile
		92	/etc/firejail/stellarium.profile


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 8bebf76af..3812ee7d8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -4,6 +4,10 @@
4		4
5	# astronomy	5	# astronomy
6	gpredict	6	gpredict
		7	stellarium
		8
		9	# weather/climate
		10	aweather
7		11
8	# browsers/email	12	# browsers/email
9	firefox	13	firefox
@@ -78,6 +82,7 @@ quassel
78	xchat	82	xchat
79		83
80	# games	84	# games
		85	0ad
81	hedgewars	86	hedgewars
82	wesnot	87	wesnot
83	warzone2100	88	warzone2100


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index af1ddf93b..4c2510021 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -726,7 +726,16 @@ static void disable_firejail_config(void) {
726	// build a basic read-only filesystem	726	// build a basic read-only filesystem
727	void fs_basic_fs(void) {	727	void fs_basic_fs(void) {
728	if (arg_debug)	728	if (arg_debug)
729	printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");	729	printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
		730	if (!arg_writable_etc) {
		731	fs_rdonly("/etc");
		732	if (arg_debug) printf(", /etc");
		733	}
		734	if (!arg_writable_var) {
		735	fs_rdonly("/var");
		736	if (arg_debug) printf(", /var");
		737	}
		738	if (arg_debug) printf("\n");
730	fs_rdonly("/bin");	739	fs_rdonly("/bin");
731	fs_rdonly("/sbin");	740	fs_rdonly("/sbin");
732	fs_rdonly("/lib");	741	fs_rdonly("/lib");
@@ -734,10 +743,6 @@ void fs_basic_fs(void) {
734	fs_rdonly("/lib32");	743	fs_rdonly("/lib32");
735	fs_rdonly("/libx32");	744	fs_rdonly("/libx32");
736	fs_rdonly("/usr");	745	fs_rdonly("/usr");
737	if (!arg_writable_etc)
738	fs_rdonly("/etc");
739	if (!arg_writable_var)
740	fs_rdonly("/var");
741		746
742	// update /var directory in order to support multiple sandboxes running on the same root directory	747	// update /var directory in order to support multiple sandboxes running on the same root directory
743	if (!arg_private_dev)	748	if (!arg_private_dev)