diff options
author | netblue30 <netblue30@yahoo.com> | 2018-02-27 07:52:49 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-02-27 07:52:49 -0500 |
commit | 1738bbf7181d6c3b6d9f82bfa5b3f6d21ad503c3 (patch) | |
tree | 7a26fe8c3292cda28a65a0ab49a46a87fac53bb5 | |
parent | Sync start-tor-browser with torbrowser-launcher profile' (diff) | |
download | firejail-1738bbf7181d6c3b6d9f82bfa5b3f6d21ad503c3.tar.gz firejail-1738bbf7181d6c3b6d9f82bfa5b3f6d21ad503c3.tar.zst firejail-1738bbf7181d6c3b6d9f82bfa5b3f6d21ad503c3.zip |
appimage enhancements
-rw-r--r-- | README.md | 14 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
4 files changed, 25 insertions, 2 deletions
@@ -98,6 +98,20 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.53 | 99 | # Current development version: 0.9.53 |
100 | 100 | ||
101 | ## AppImage development | ||
102 | |||
103 | Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. | ||
104 | This allows us to use our regular profile files for appimages. We don't have a way to extract the name | ||
105 | of the executable, so the profile will have to be passed on the command line. Example: | ||
106 | ````` | ||
107 | $ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage | ||
108 | ````` | ||
109 | Also, we have full AppArmor support for AppImages: | ||
110 | ````` | ||
111 | |||
112 | $ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage | ||
113 | ````` | ||
114 | |||
101 | ## Seccomp development | 115 | ## Seccomp development |
102 | 116 | ||
103 | Replaced the our seccomp disassembler with a real disassembler lifted from | 117 | Replaced the our seccomp disassembler with a real disassembler lifted from |
@@ -1,5 +1,8 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: support for private-bin, private-lib and shell none has been | ||
4 | disabled while running AppImage archives in order to be able to use | ||
5 | our regular profile files with AppImages. | ||
3 | * modif: restrictions for /proc, /sys and /run/user directories | 6 | * modif: restrictions for /proc, /sys and /run/user directories |
4 | are moved from AppArmor profile into firejail executable | 7 | are moved from AppArmor profile into firejail executable |
5 | * modif: unifying Chromium and Firefox browsers profiles. | 8 | * modif: unifying Chromium and Firefox browsers profiles. |
@@ -7,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low | |||
7 | that read/write from ${HOME} will need to uncomment the includes for | 10 | that read/write from ${HOME} will need to uncomment the includes for |
8 | firefox-common-addons.inc in firefox-common.profile. | 11 | firefox-common-addons.inc in firefox-common.profile. |
9 | * AppArmor support for overlayfs and chroot sandboxes | 12 | * AppArmor support for overlayfs and chroot sandboxes |
13 | * AppArmor support for AppImages | ||
10 | * Enable AppArmor by default for Firefox, Chromium, Transmission | 14 | * Enable AppArmor by default for Firefox, Chromium, Transmission |
11 | VLC and mpv | 15 | VLC and mpv |
12 | * firejail --apparmor.print option | 16 | * firejail --apparmor.print option |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7543c5f4b..e8556de2d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2321,6 +2321,9 @@ int main(int argc, char **argv) { | |||
2321 | cfg.command_name = strdup(argv[i]); | 2321 | cfg.command_name = strdup(argv[i]); |
2322 | if (!cfg.command_name) | 2322 | if (!cfg.command_name) |
2323 | errExit("strdup"); | 2323 | errExit("strdup"); |
2324 | |||
2325 | // disable shell=* for appimages | ||
2326 | arg_shell_none = 0; | ||
2324 | } | 2327 | } |
2325 | else | 2328 | else |
2326 | extract_command_name(i, argv); | 2329 | extract_command_name(i, argv); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 503d822a9..96b7b267b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) { | |||
799 | } | 799 | } |
800 | } | 800 | } |
801 | 801 | ||
802 | if (arg_private_bin) { | 802 | // private-bin is disabled for appimages |
803 | if (arg_private_bin && !arg_appimage) { | ||
803 | if (cfg.chrootdir) | 804 | if (cfg.chrootdir) |
804 | fwarning("private-bin feature is disabled in chroot\n"); | 805 | fwarning("private-bin feature is disabled in chroot\n"); |
805 | else if (arg_overlay) | 806 | else if (arg_overlay) |
@@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) { | |||
818 | } | 819 | } |
819 | } | 820 | } |
820 | 821 | ||
821 | if (arg_private_lib) { | 822 | // private-lib is disabled for appimages |
823 | if (arg_private_lib && !arg_appimage) { | ||
822 | if (cfg.chrootdir) | 824 | if (cfg.chrootdir) |
823 | fwarning("private-lib feature is disabled in chroot\n"); | 825 | fwarning("private-lib feature is disabled in chroot\n"); |
824 | else if (arg_overlay) | 826 | else if (arg_overlay) |