author | netblue30 <netblue30@yahoo.com> | 2015-11-28 07:37:32 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-28 07:37:32 -0500 |
commit | 2b8b8e54968d068599d5800f88869efcadd316ac (patch) | |
tree | 692c29ee317a72c9c9a4bb11101084ca910bb651 | |
parent | weechat profile integration (diff) | |
download | firejail-2b8b8e54968d068599d5800f88869efcadd316ac.tar.gz firejail-2b8b8e54968d068599d5800f88869efcadd316ac.tar.zst firejail-2b8b8e54968d068599d5800f88869efcadd316ac.zip |
profile cleanup, adding hexchat profile
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/hexchat.profile | 10 | ||||
-rw-r--r-- | etc/weechat-curses.profile | 2 | ||||
-rw-r--r-- | etc/wine.profile | 1 | ||||
-rw-r--r-- | etc/xchat.profile | 1 | ||||
-rw-r--r-- | platform/debian/conffiles | 2 | ||||
-rwxr-xr-x | test/evince.exp | 2 | ||||
-rwxr-xr-x | test/fbreader.exp | 2 | ||||
-rwxr-xr-x | test/hexchat.exp | 71 | ||||
-rwxr-xr-x | test/test.sh | 35 | ||||
-rwxr-xr-x | test/vlc.exp | 2 | ||||
-rwxr-xr-x | test/weechat.exp | 71 | ||||
-rwxr-xr-x | test/wine.exp | 30 | ||||
-rwxr-xr-x | test/xchat.exp | 71 | ||||
-rw-r--r-- | todo | 12 |
17 files changed, 313 insertions, 4 deletions
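--- a/Makefile.in
+++ b/Makefile.in
@@ -119,6 +119,8 @@ realinstall:
 install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
 # man pages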
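Review bot: The two new `install` lines copy from `.etc/`, a staging directory that the same recipe deletes two lines later with `rm -fr .etc`; the step that populates `.etc` is outside this hunk, so it is worth confirming it copies the `etc/` profiles generically rather than from an explicit list, otherwise `make install` fails on the missing `weechat-curses.profile` and `hexchat.profile`. The list of installed profiles is also duplicated by hand in `platform/debian/conffiles` in this commit, and nothing ties the two together. A comment above the profile block, `# one install line per profile; keep in sync with platform/debian/conffiles`, would make that coupling visible to the next person adding a profile. The `realinstall` target this belongs to starts outside the hunk.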
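--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,5 @@
 firejail (0.9.35) baseline; urgency=low
-* added unbound, dnscrypt-proxy, BitlBee, and WeeChat profiles
+* added unbound, dnscrypt-proxy, BitlBee, HexChat and WeeChat profiles
 * added --noblacklist option
 * whitelist command enhancements
 * prevent leaking user information by modifying /home directory,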
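--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -38,6 +38,7 @@ blacklist ${HOME}/.remmina
 # Other
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
 
 # X11 session autostart
 blacklist ${HOME}/.xinitrc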
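Review bot: `blacklist ${HOME}/.wine` under `# Other` hides the Wine prefix from every profile that includes this file, and the same commit re-exposes it in etc/wine.profile with `noblacklist ${HOME}/.wine`; that pairing is invisible from this file. A comment on the new line, `# re-enabled by noblacklist in wine.profile`, records why the entry exists and tells anyone writing a profile for another Wine-based launcher that they need the same noblacklist. Hiding the prefix by default is the right direction, since it typically holds a full drive tree with application data that non-Wine sandboxes have no reason to see.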
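--- /dev/null
+++ b/etc/hexchat.profile
@@ -0,0 +1,10 @@
+# HexChat profile
+noblacklist ${HOME}/.config/hexchat
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+noroot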
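Review bot: `noblacklist ${HOME}/.config/hexchat` is placed before the `include` lines, and that order is what makes it effective, since firejail honours a noblacklist only against blacklist entries it parses afterwards; nothing in the profile records that this ordering is deliberate. None of the includes shown in this commit blacklists `${HOME}/.config/hexchat`, so either the line is currently a no-op or it relies on an entry in an include file not in the diff — worth checking which. A comment, `# noblacklist must precede the disable-*.inc includes`, pins the constraint for future edits; the same applies to the `noblacklist` lines added to etc/wine.profile and etc/xchat.profile in this commit.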
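--- /dev/null
+++ b/etc/weechat-curses.profile
@@ -0,0 +1,2 @@
+# Weechat profile (Debian)
+include /etc/firejail/weechat.profile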
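--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,6 +1,7 @@
 # wine profile
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.wine
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc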
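--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,4 +1,5 @@
 # XChat profile
+noblacklist ${HOME}/.config/xchat
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc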
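--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -46,3 +46,5 @@
 /etc/firejail/webserver.net
 /etc/firejail/bitlbee.profile
 /etc/firejail/weechat.profile
+/etc/firejail/weechat-curses.profile
+/etc/firejail/hexchat.profile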
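--- a/test/evince.exp
+++ b/test/evince.exp
@@ -13,7 +13,7 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
-sleep 10
+sleep 3
 
 spawn $env(SHELL)
 send -- "firejail --list\r"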
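Review bot: Cutting the fixed `sleep 10` to `sleep 3` speeds the test up but keeps it timing-dependent: the `firejail --list` that follows only succeeds if the sandbox is registered within three seconds, which a loaded test host may not meet. A more robust shape drops the fixed sleep and polls `firejail --list` in a short loop until the sandbox name appears or the expect `timeout` fires, so the bound comes from `set timeout` rather than a guessed constant. The same change appears in test/fbreader.exp and test/vlc.exp. The expect sequence this line belongs to begins outside the hunk.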
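--- a/test/fbreader.exp
+++ b/test/fbreader.exp
@@ -13,7 +13,7 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
-sleep 10
+sleep 3
 
 spawn $env(SHELL)
 send -- "firejail --list\r"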
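--- /dev/null
+++ b/test/hexchat.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail hexchat\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/hexchat.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"hexchat"
+}
+sleep 1
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"hexchat"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"hexchat"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+
+puts "\n"
+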
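Review bot: Every `timeout` branch ends in a bare `exit`, which in expect terminates with status 0, so a check that times out is indistinguishable from a pass for any caller that looks at the exit status; `timeout {puts "TESTING ERROR 0\n";exit 1}` (and the same for the other branches) makes failures visible. The script also leaves both sandboxes it starts (`firejail hexchat` and `firejail --name=blablabla`) running with no teardown, so they persist into whatever test/test.sh runs next. The label `TESTING ERROR 5.1` is used twice, at lines 43 and 47; numbering the second `5.2` keeps failure output unambiguous. The same pattern is in test/weechat.exp, test/xchat.exp and test/wine.exp.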
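--- a/test/test.sh
+++ b/test/test.sh
@@ -260,6 +260,41 @@ else
 echo "TESTING: gnome-mplayer not found"
 fi
 
+which xchat
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xchat"
+./xchat.exp
+else
+echo "TESTING: xchat not found"
+fi
+
+which hexchat
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: hexchat"
+./hexchat.exp
+else
+echo "TESTING: hexchat not found"
+fi
+
+which weechat-curses
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: weechat"
+./weechat.exp
+else
+echo "TESTING: weechat not found"
+fi
+
+#which wine
+#if [ "$?" -eq 0 ];
+#then
+# echo "TESTING: wine"
+# ./wine.exp
+#else
+# echo "TESTING: wine not found"
+#fi
 
 
 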
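Review bot: Each new stanza runs `which xchat` unsilenced and then reads `$?` on the next statement, so the resolved path lands in the test log and the status check is one reordering away from testing the wrong command; the idiomatic form is `if command -v xchat >/dev/null 2>&1; then` (likewise for hexchat and weechat-curses), which also works on systems without `which`. The wine stanza is committed fully commented out while test/wine.exp is added in the same commit, so that test is never run; either enable it or replace the dead block with a single comment giving the reason (`# wine.exp disabled: <reason>`), since a commented-out copy of the stanza invites bit-rot. The weechat stanza probes the `weechat-curses` binary but reports `TESTING: weechat`, which is fine but deserves a one-line comment now that both names have profiles.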
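--- a/test/vlc.exp
+++ b/test/vlc.exp
@@ -13,7 +13,7 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
-sleep 10
+sleep 3
 
 spawn $env(SHELL)
 send -- "firejail --list\r"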
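--- /dev/null
+++ b/test/weechat.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail weechat-curses\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/weechat.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"weechat-curses"
+}
+sleep 1
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"weechat-curses"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"weechat-curses"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+
+puts "\n"
+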
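Review bot: The script spawns `firejail weechat-curses` but waits for `Reading profile /etc/firejail/weechat.profile`, while this same commit adds etc/weechat-curses.profile, which firejail will select by program name and which only reaches weechat.profile through its `include`. The first expect therefore passes only if firejail prints the same `Reading profile` line for included files, which nothing in the diff shows; if it does not, the test times out at `TESTING ERROR 0`. Matching on `weechat-curses.profile`, the profile actually chosen, would make the check independent of that detail; otherwise a comment, `# weechat.profile is reached via include from weechat-curses.profile`, should record the assumption.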
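--- /dev/null
+++ b/test/wine.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail wine --help\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/wine.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Usage: wine PROGRAM"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"wine --version"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"parent is shutting down, bye..."
+}
+
+puts "\nall done\n"
+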
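--- /dev/null
+++ b/test/xchat.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail xchat\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/xchat.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"xchat"
+}
+sleep 1
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+" xchat"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+" xchat"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+
+puts "\n"
+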
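Review bot: The `firejail --list` check at line 26 matches the bare string `xchat`, while the two `firemon` checks at lines 40 and 54 match `" xchat"` with a leading space, presumably so that a running `hexchat` sandbox cannot satisfy the pattern; the list check has the same ambiguity and should use the same anchored form, `" xchat"`, since the `:firejail` match at line 22 shows the list line carries the command after a separator. Without that, the test stays correct only because test/test.sh happens to run xchat.exp before hexchat.exp, and the hexchat sandbox is never torn down. A comment on the anchored patterns, `# leading space: do not match "hexchat"`, would explain the deliberate asymmetry.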
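--- a/todo
+++ b/todo
@@ -150,3 +150,15 @@ mount tmpfs on /sys/power
 
 20. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
 
+21. Check this out:
+
+I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only.
+Here's what my fstab looks like now:
+
+/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2
+/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2
+/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2
+/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2
+/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,,noatime,ro 0 2
+/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2
+tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1
\ No newline at end of file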