author | smitsohu <smitsohu@gmail.com> | 2018-11-10 15:07:12 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-11-10 15:07:12 +0100 |
commit | 8f707a5f23e193f411930421ef2555282404c775 (patch) | |
tree | 9a69739b655eba1c6940f75611242bcbf7e93b91 | |
parent | unreadable firejail.users database fixes (diff) | |
parent | Merge pull request #2253 from crass/fix-appimage-double-dash-handling (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
-rw-r--r-- | README.md | 8 | ||||
-rw-r--r-- | etc/chromium-common.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 10 | ||||
-rw-r--r-- | etc/disable-devel.inc | 49 | ||||
-rw-r--r-- | etc/disable-interpreters.inc | 2 | ||||
-rw-r--r-- | etc/disable-passwdmgr.inc | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/firefox-common.profile | 2 | ||||
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 10 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 21 | ||||
-rw-r--r-- | src/firejail/profile.c | 13 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 | ||||
-rwxr-xr-x | test/profiles/profile_appname.exp | 25 | ||||
-rwxr-xr-x | test/profiles/profile_noperm.exp | 2 | ||||
-rwxr-xr-x | test/profiles/profile_recursivity.exp | 25 | ||||
-rwxr-xr-x | test/profiles/profile_syntax2.exp | 27 | ||||
-rwxr-xr-x | test/profiles/profiles.sh | 27 | ||||
-rw-r--r-- | test/profiles/test2.profile | 4 | ||||
-rw-r--r-- | test/profiles/test3.profile | 1 |
22 files changed, 165 insertions, 89 deletions
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
101 | ````` | 101 | ````` |
102 | ## Current development version: 0.9.57 | 102 | ## Current development version: 0.9.57 |
103 | 103 | ||
104 | ## New Long Term Support (LTS) version | 104 | ## New Long Term Support (0.9.56-LTS) version released |
105 | 105 | ||
106 | We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. | ||
107 | The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely | 106 | The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely |
108 | used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), | 107 | used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), |
109 | and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as | 108 | and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as |
110 | seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. | 109 | seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. |
111 | 110 | ||
112 | We have an rc1 release out, the final version will follow in the next few weeks: | ||
113 | ````` | 111 | ````` |
114 | firejail (0.9.56-LTS~rc1) baseline; urgency=low | 112 | firejail (0.9.56-LTS) baseline; urgency=low |
115 | * code based on Firejail version 0.9.56 | 113 | * code based on Firejail version 0.9.56 |
116 | * much smaller code base for SUID executable | 114 | * much smaller code base for SUID executable |
117 | * command line options removed: | 115 | * command line options removed: |
@@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low | |||
124 | --disable-globalcfg, --disable-network, --disable-userns, | 122 | --disable-globalcfg, --disable-network, --disable-userns, |
125 | --disable-whitelist, --disable-suid, --enable-fatal-warnings, | 123 | --disable-whitelist, --disable-suid, --enable-fatal-warnings, |
126 | --enable-busybox-workaround | 124 | --enable-busybox-workaround |
127 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Oct 2018 08:00:00 -0500 | 125 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Oct 2018 08:00:00 -0500 |
128 | ````` | 126 | ````` |
129 | 127 | ||
130 | The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | 128 | The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase |
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index e7062c5b8..13ed13058 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -27,7 +27,7 @@ nodbus | |||
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | notv | 29 | notv |
30 | nou2f | 30 | ?BROWSER_DISABLE_U2F: nou2f |
31 | shell none | 31 | shell none |
32 | 32 | ||
33 | disable-mnt | 33 | disable-mnt |
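Review bot: The `?BROWSER_DISABLE_U2F:` prefix at line 30 makes `nou2f` depend on a setting read from /etc/firejail/firejail.config, and nothing in the profile says which setting or what the default is, so a reader checking why U2F devices are blocked in the sandbox will not find the knob from here. A short comment above the line would help: `# U2F devices stay blocked unless browser-disable-u2f is set to no in /etc/firejail/firejail.config`. The firejail.config hunk in this commit documents the default as enabled, so behaviour should be unchanged for installations that do not touch the option.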
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d220f381b..74b653385 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -3,9 +3,9 @@ | |||
3 | include disable-common.local | 3 | include disable-common.local |
4 | 4 | ||
5 | # The following block breaks trash functionality in file managers | 5 | # The following block breaks trash functionality in file managers |
6 | #read-only ${HOME}/.local | 6 | #read-only ${HOME}/.local |
7 | #read-write ${HOME}/.local/share | 7 | #read-write ${HOME}/.local/share |
8 | blacklist ${HOME}/.local/share/Trash | 8 | blacklist ${HOME}/.local/share/Trash |
9 | 9 | ||
10 | # History files in $HOME and clipboard managers | 10 | # History files in $HOME and clipboard managers |
11 | blacklist-nolog ${HOME}/.*_history | 11 | blacklist-nolog ${HOME}/.*_history |
@@ -122,7 +122,7 @@ read-only ${HOME}/.local/share/kssl | |||
122 | blacklist /run/user/*/kdeinit5__* | 122 | blacklist /run/user/*/kdeinit5__* |
123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* | 123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* |
124 | # blacklist /tmp/ksocket-*/kdeinit4__* | 124 | # blacklist /tmp/ksocket-*/kdeinit4__* |
125 | # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 | 125 | # causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 |
126 | 126 | ||
127 | # gnome | 127 | # gnome |
128 | # contains extensions, last used times of applications, and notifications | 128 | # contains extensions, last used times of applications, and notifications |
@@ -133,7 +133,7 @@ blacklist ${HOME}/.config/systemd | |||
133 | blacklist ${HOME}/.local/share/systemd | 133 | blacklist ${HOME}/.local/share/systemd |
134 | blacklist /var/lib/systemd | 134 | blacklist /var/lib/systemd |
135 | # blacklist /var/run/systemd | 135 | # blacklist /var/run/systemd |
136 | # - creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 136 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
137 | 137 | ||
138 | # VirtualBox | 138 | # VirtualBox |
139 | blacklist ${HOME}/.VirtualBox | 139 | blacklist ${HOME}/.VirtualBox |
@@ -173,7 +173,7 @@ blacklist /var/lib/mysqld/mysql.sock | |||
173 | blacklist /var/lib/pacman | 173 | blacklist /var/lib/pacman |
174 | blacklist /var/lib/upower | 174 | blacklist /var/lib/upower |
175 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 175 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
176 | # every sandbox, unless --writeble-var-log switch is activated | 176 | # every sandbox, unless --writeble-var-log switch is activated |
177 | blacklist /var/mail | 177 | blacklist /var/mail |
178 | blacklist /var/opt | 178 | blacklist /var/opt |
179 | blacklist /var/run/acpid.socket | 179 | blacklist /var/run/acpid.socket |
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 5c41692da..43ccb358b 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -4,8 +4,14 @@ include disable-devel.local | |||
4 | 4 | ||
5 | # development tools | 5 | # development tools |
6 | 6 | ||
7 | # clang/llvm | ||
8 | blacklist ${PATH}/clang* | ||
9 | blacklist ${PATH}/lldb* | ||
10 | blacklist ${PATH}/llvm* | ||
11 | # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU | ||
12 | # blacklist /usr/lib/llvm* | ||
13 | |||
7 | # GCC | 14 | # GCC |
8 | #blacklist /usr/lib/gcc - seems to create problems on Gentoo | ||
9 | blacklist ${PATH}/as | 15 | blacklist ${PATH}/as |
10 | blacklist ${PATH}/cc | 16 | blacklist ${PATH}/cc |
11 | blacklist ${PATH}/c++* | 17 | blacklist ${PATH}/c++* |
@@ -21,40 +27,35 @@ blacklist ${PATH}/*-g++* | |||
21 | blacklist ${PATH}/*-gcc* | 27 | blacklist ${PATH}/*-gcc* |
22 | blacklist ${PATH}/*-g++* | 28 | blacklist ${PATH}/*-g++* |
23 | blacklist /usr/include | 29 | blacklist /usr/include |
30 | # seems to create problems on Gentoo | ||
31 | #blacklist /usr/lib/gcc | ||
24 | 32 | ||
25 | # clang/llvm | 33 | #Go |
26 | blacklist ${PATH}/clang* | 34 | blacklist ${PATH}/gccgo |
27 | blacklist ${PATH}/lldb* | 35 | blacklist ${PATH}/go |
28 | blacklist ${PATH}/llvm* | 36 | blacklist ${PATH}/gofmt |
29 | # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU | ||
30 | # blacklist /usr/lib/llvm* | ||
31 | |||
32 | # tcc - Tiny C Compiler | ||
33 | blacklist ${PATH}/tcc | ||
34 | blacklist ${PATH}/x86_64-tcc | ||
35 | blacklist /usr/lib/tcc | ||
36 | |||
37 | # Valgrind | ||
38 | blacklist ${PATH}/valgrind* | ||
39 | blacklist /usr/lib/valgrind | ||
40 | 37 | ||
41 | # Java | 38 | # Java |
42 | blacklist ${PATH}/java | 39 | blacklist ${PATH}/java |
43 | blacklist ${PATH}/javac | 40 | blacklist ${PATH}/javac |
44 | blacklist /usr/lib/java | ||
45 | blacklist /etc/java | 41 | blacklist /etc/java |
42 | blacklist /usr/lib/java | ||
46 | blacklist /usr/share/java | 43 | blacklist /usr/share/java |
47 | 44 | ||
48 | #Go | 45 | #OpenSSL |
49 | blacklist ${PATH}/gccgo | 46 | blacklist ${PATH}/openssl |
50 | blacklist ${PATH}/go | 47 | blacklist ${PATH}/openssl-1.0 |
51 | blacklist ${PATH}/gofmt | ||
52 | 48 | ||
53 | #Rust | 49 | #Rust |
54 | blacklist ${PATH}/rust-gdb | 50 | blacklist ${PATH}/rust-gdb |
55 | blacklist ${PATH}/rust-lldb | 51 | blacklist ${PATH}/rust-lldb |
56 | blacklist ${PATH}/rustc | 52 | blacklist ${PATH}/rustc |
57 | 53 | ||
58 | #OpenSSL | 54 | # tcc - Tiny C Compiler |
59 | blacklist ${PATH}/openssl | 55 | blacklist ${PATH}/tcc |
60 | blacklist ${PATH}/openssl-1.0 | 56 | blacklist ${PATH}/x86_64-tcc |
57 | blacklist /usr/lib/tcc | ||
58 | |||
59 | # Valgrind | ||
60 | blacklist ${PATH}/valgrind* | ||
61 | blacklist /usr/lib/valgrind | ||
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc index 0d5f5737e..22f58bb85 100644 --- a/etc/disable-interpreters.inc +++ b/etc/disable-interpreters.inc | |||
@@ -4,8 +4,8 @@ include disable-interpreters.local | |||
4 | 4 | ||
5 | # Lua | 5 | # Lua |
6 | blacklist ${PATH}/lua* | 6 | blacklist ${PATH}/lua* |
7 | blacklist /usr/lib/lua | ||
8 | blacklist /usr/include/lua* | 7 | blacklist /usr/include/lua* |
8 | blacklist /usr/lib/lua | ||
9 | blacklist /usr/share/lua | 9 | blacklist /usr/share/lua |
10 | 10 | ||
11 | # Node.js | 11 | # Node.js |
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 72e1a66ee..316378cb8 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc | |||
@@ -8,6 +8,7 @@ blacklist ${HOME}/.config/keepass | |||
8 | blacklist ${HOME}/.config/keepassx | 8 | blacklist ${HOME}/.config/keepassx |
9 | blacklist ${HOME}/.config/keepassxc | 9 | blacklist ${HOME}/.config/keepassxc |
10 | blacklist ${HOME}/.config/Sinew Software Systems | 10 | blacklist ${HOME}/.config/Sinew Software Systems |
11 | blacklist ${HOME}/.fpm | ||
11 | blacklist ${HOME}/.keepass | 12 | blacklist ${HOME}/.keepass |
12 | blacklist ${HOME}/.keepassx | 13 | blacklist ${HOME}/.keepassx |
13 | blacklist ${HOME}/.keepassxc | 14 | blacklist ${HOME}/.keepassxc |
@@ -15,4 +16,3 @@ blacklist ${HOME}/.lastpass | |||
15 | blacklist ${HOME}/.local/share/KeePass | 16 | blacklist ${HOME}/.local/share/KeePass |
16 | blacklist ${HOME}/.local/share/keepass | 17 | blacklist ${HOME}/.local/share/keepass |
17 | blacklist ${HOME}/.password-store | 18 | blacklist ${HOME}/.password-store |
18 | blacklist ${HOME}/.fpm | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 9e94d8aa1..4ef0f2f53 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -2,10 +2,12 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include disable-programs.local | 3 | include disable-programs.local |
4 | 4 | ||
5 | blacklist ${HOME}/Arduino | ||
5 | blacklist ${HOME}/Monero/wallets | 6 | blacklist ${HOME}/Monero/wallets |
6 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
7 | blacklist ${HOME}/Standard Notes Backups | 8 | blacklist ${HOME}/Standard Notes Backups |
8 | blacklist ${HOME}/snap | 9 | blacklist ${HOME}/snap |
10 | blacklist ${HOME}/wallet.dat | ||
9 | blacklist ${HOME}/.*coin | 11 | blacklist ${HOME}/.*coin |
10 | blacklist ${HOME}/.8pecxstudios | 12 | blacklist ${HOME}/.8pecxstudios |
11 | blacklist ${HOME}/.AndroidStudio* | 13 | blacklist ${HOME}/.AndroidStudio* |
@@ -35,9 +37,9 @@ blacklist ${HOME}/.anydesk | |||
35 | blacklist ${HOME}/.arduino15 | 37 | blacklist ${HOME}/.arduino15 |
36 | blacklist ${HOME}/.aria2 | 38 | blacklist ${HOME}/.aria2 |
37 | blacklist ${HOME}/.arm | 39 | blacklist ${HOME}/.arm |
40 | blacklist ${HOME}/.asunder_album_artist | ||
38 | blacklist ${HOME}/.asunder_album_genre | 41 | blacklist ${HOME}/.asunder_album_genre |
39 | blacklist ${HOME}/.asunder_album_title | 42 | blacklist ${HOME}/.asunder_album_title |
40 | blacklist ${HOME}/.asunder_album_artist | ||
41 | blacklist ${HOME}/.atom | 43 | blacklist ${HOME}/.atom |
42 | blacklist ${HOME}/.attic | 44 | blacklist ${HOME}/.attic |
43 | blacklist ${HOME}/.audacity-data | 45 | blacklist ${HOME}/.audacity-data |
@@ -315,9 +317,9 @@ blacklist ${HOME}/.kde/share/apps/khtml | |||
315 | blacklist ${HOME}/.kde/share/apps/konqsidebartng | 317 | blacklist ${HOME}/.kde/share/apps/konqsidebartng |
316 | blacklist ${HOME}/.kde/share/apps/konqueror | 318 | blacklist ${HOME}/.kde/share/apps/konqueror |
317 | blacklist ${HOME}/.kde/share/apps/kopete | 319 | blacklist ${HOME}/.kde/share/apps/kopete |
318 | blacklist ${HOME}/.kde/share/apps/okular | ||
319 | blacklist ${HOME}/.kde/share/apps/khtml | 320 | blacklist ${HOME}/.kde/share/apps/khtml |
320 | blacklist ${HOME}/.kde/share/apps/ktorrent | 321 | blacklist ${HOME}/.kde/share/apps/ktorrent |
322 | blacklist ${HOME}/.kde/share/apps/okular | ||
321 | blacklist ${HOME}/.kde/share/config/baloofilerc | 323 | blacklist ${HOME}/.kde/share/config/baloofilerc |
322 | blacklist ${HOME}/.kde/share/config/baloorc | 324 | blacklist ${HOME}/.kde/share/config/baloorc |
323 | blacklist ${HOME}/.kde/share/config/digikam | 325 | blacklist ${HOME}/.kde/share/config/digikam |
@@ -540,8 +542,6 @@ blacklist ${HOME}/.xmr-stak | |||
540 | blacklist ${HOME}/.xonotic | 542 | blacklist ${HOME}/.xonotic |
541 | blacklist ${HOME}/.xpdfrc | 543 | blacklist ${HOME}/.xpdfrc |
542 | blacklist ${HOME}/.zoom | 544 | blacklist ${HOME}/.zoom |
543 | blacklist ${HOME}/Arduino | ||
544 | blacklist ${HOME}/wallet.dat | ||
545 | blacklist /tmp/akonadi-* | 545 | blacklist /tmp/akonadi-* |
546 | blacklist /tmp/ssh-* | 546 | blacklist /tmp/ssh-* |
547 | 547 | ||
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 31b071fe1..722a398cb 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -37,7 +37,7 @@ nogroups | |||
37 | nonewprivs | 37 | nonewprivs |
38 | noroot | 38 | noroot |
39 | notv | 39 | notv |
40 | nou2f | 40 | ?BROWSER_DISABLE_U2F: nou2f |
41 | protocol unix,inet,inet6,netlink | 41 | protocol unix,inet,inet6,netlink |
42 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 42 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
43 | shell none | 43 | shell none |
diff --git a/etc/firejail.config b/etc/firejail.config index d7106e76c..00f2c1b5d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -5,6 +5,9 @@ | |||
5 | # Enable AppArmor functionality, default enabled. | 5 | # Enable AppArmor functionality, default enabled. |
6 | # apparmor yes | 6 | # apparmor yes |
7 | 7 | ||
8 | # Disable U2F in browsers, default enabled. | ||
9 | # browser-disable-u2f yes | ||
10 | |||
8 | # Number of ARP probes sent when assigning an IP address for --net option, | 11 | # Number of ARP probes sent when assigning an IP address for --net option, |
9 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds | 12 | # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds |
10 | # timeout is implemented for each probe. Increase this number to 4 if your | 13 | # timeout is implemented for each probe. Increase this number to 4 if your |
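Review bot: The comment `# Disable U2F in browsers, default enabled.` at new line 8 is ambiguous: "default enabled" reads naturally as "U2F is enabled by default", which is the opposite of what the browser profiles do (they apply `nou2f` unless this is set to no). Suggest `# Block access to U2F devices (nou2f) in browser profiles, default yes; set to no to let browsers use hardware security keys.` This file is the only user-facing description of the knob, so the wording should state the security-relevant direction explicitly.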
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 38ec5d85d..9c1b7b92c 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons | |||
20 | whitelist ${HOME}/.local/share/mime | 20 | whitelist ${HOME}/.local/share/mime |
21 | whitelist ${HOME}/.mime.types | 21 | whitelist ${HOME}/.mime.types |
22 | 22 | ||
23 | # dconf | ||
24 | mkdir ${HOME}/.config/dconf | ||
25 | whitelist ${HOME}/.config/dconf | ||
26 | |||
23 | # fonts | 27 | # fonts |
24 | whitelist ${HOME}/.cache/fontconfig | 28 | whitelist ${HOME}/.cache/fontconfig |
25 | whitelist ${HOME}/.config/fontconfig | 29 | whitelist ${HOME}/.config/fontconfig |
@@ -48,11 +52,8 @@ whitelist ${HOME}/.kde4/share/config/gtkrc-2.0 | |||
48 | whitelist ${HOME}/.local/share/themes | 52 | whitelist ${HOME}/.local/share/themes |
49 | whitelist ${HOME}/.themes | 53 | whitelist ${HOME}/.themes |
50 | 54 | ||
51 | # dconf | ||
52 | mkdir ${HOME}/.config/dconf | ||
53 | whitelist ${HOME}/.config/dconf | ||
54 | |||
55 | # qt/kde | 55 | # qt/kde |
56 | whitelist ${HOME}/.cache/kioexec/krun | ||
56 | whitelist ${HOME}/.config/Kvantum | 57 | whitelist ${HOME}/.config/Kvantum |
57 | whitelist ${HOME}/.config/Trolltech.conf | 58 | whitelist ${HOME}/.config/Trolltech.conf |
58 | whitelist ${HOME}/.config/kdeglobals | 59 | whitelist ${HOME}/.config/kdeglobals |
@@ -73,4 +74,3 @@ whitelist ${HOME}/.kde4/share/config/ksslcablacklist | |||
73 | whitelist ${HOME}/.kde4/share/config/oxygenrc | 74 | whitelist ${HOME}/.kde4/share/config/oxygenrc |
74 | whitelist ${HOME}/.kde4/share/icons | 75 | whitelist ${HOME}/.kde4/share/icons |
75 | whitelist ${HOME}/.local/share/qt5ct | 76 | whitelist ${HOME}/.local/share/qt5ct |
76 | whitelist ${HOME}/.cache/kioexec/krun | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 50f952e91..45e28fe40 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -371,6 +371,15 @@ int checkcfg(int val) { | |||
371 | else | 371 | else |
372 | goto errout; | 372 | goto errout; |
373 | } | 373 | } |
374 | // browser-disable-u2f | ||
375 | else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { | ||
376 | if (strcmp(ptr + 20, "yes") == 0) | ||
377 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; | ||
378 | else if (strcmp(ptr + 20, "no") == 0) | ||
379 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; | ||
380 | else | ||
381 | goto errout; | ||
382 | } | ||
374 | else | 383 | else |
375 | goto errout; | 384 | goto errout; |
376 | 385 | ||
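Review bot: The new branch at lines 375-379 hard-codes the option length as 20 three times; the count is right for `"browser-disable-u2f "`, but an option added later by copy-paste will drift silently, since strncmp with a too-short length matches a prefix and `ptr + N` then points into the value. Tying the length to the literal avoids that: `else if (strncmp(ptr, "browser-disable-u2f ", sizeof("browser-disable-u2f ") - 1) == 0) {` with the same expression for the two offsets. Separately, CFG_BROWSER_DISABLE_U2F is a new enum member and the place where cfg_val[] receives its defaults is outside this hunk; firejail.config documents the default as enabled, so if defaults are assigned per entry rather than by a loop, a value of 1 has to be added there or the profile conditional will evaluate false and `nou2f` will be dropped from the browser profiles. checkcfg() begins and ends outside the hunk.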
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7f6ed2586..8a397e3d8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -461,7 +461,6 @@ void fs_mnt(const int enforce); | |||
461 | 461 | ||
462 | // profile.c | 462 | // profile.c |
463 | // find and read the profile specified by name from dir directory | 463 | // find and read the profile specified by name from dir directory |
464 | int profile_find(const char *name, const char *dir, int add_ext); | ||
465 | int profile_find_firejail(const char *name, int add_ext); | 464 | int profile_find_firejail(const char *name, int add_ext); |
466 | // read a profile file | 465 | // read a profile file |
467 | void profile_read(const char *fname); | 466 | void profile_read(const char *fname); |
@@ -771,6 +770,7 @@ enum { | |||
771 | CFG_JOIN, | 770 | CFG_JOIN, |
772 | CFG_ARP_PROBES, | 771 | CFG_ARP_PROBES, |
773 | CFG_XPRA_ATTACH, | 772 | CFG_XPRA_ATTACH, |
773 | CFG_BROWSER_DISABLE_U2F, | ||
774 | CFG_PRIVATE_LIB, | 774 | CFG_PRIVATE_LIB, |
775 | CFG_APPARMOR, | 775 | CFG_APPARMOR, |
776 | CFG_DBUS, | 776 | CFG_DBUS, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 23d9a1d51..4cb87aaa6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2244,21 +2244,18 @@ int main(int argc, char **argv) { | |||
2244 | return 1; | 2244 | return 1; |
2245 | } | 2245 | } |
2246 | } | 2246 | } |
2247 | else if (strcmp(argv[i], "--") == 0) { | 2247 | else { |
2248 | // double dash - positional params to follow | 2248 | // double dash - positional params to follow |
2249 | arg_doubledash = 1; | 2249 | if (strcmp(argv[i], "--") == 0) { |
2250 | i++; | 2250 | arg_doubledash = 1; |
2251 | if (i >= argc) { | 2251 | i++; |
2252 | fprintf(stderr, "Error: program name not found\n"); | 2252 | if (i >= argc) { |
2253 | exit(1); | 2253 | fprintf(stderr, "Error: program name not found\n"); |
2254 | exit(1); | ||
2255 | } | ||
2254 | } | 2256 | } |
2255 | extract_command_name(i, argv); | ||
2256 | prog_index = i; | ||
2257 | break; | ||
2258 | } | ||
2259 | else { | ||
2260 | // is this an invalid option? | 2257 | // is this an invalid option? |
2261 | if (*argv[i] == '-') { | 2258 | else if (*argv[i] == '-') { |
2262 | fprintf(stderr, "Error: invalid %s command line option\n", argv[i]); | 2259 | fprintf(stderr, "Error: invalid %s command line option\n", argv[i]); |
2263 | return 1; | 2260 | return 1; |
2264 | } | 2261 | } |
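Review bot: The two error paths in the restructured block use different mechanisms: the `--` branch calls `exit(1)` at new line 2254 while the invalid-option branch immediately below it does `return 1`; both run inside main() so the effect is the same, but mixing them in adjacent branches reads as if one were meant to differ. Pick one, e.g. `return 1;` for both. Folding the `--` case into the generic else is what lets a dash-prefixed program name after `--` bypass the invalid-option check, which matches the referenced PR's intent; the code that then consumes argv[i] (extract_command_name, prog_index) is outside the hunk, as is the start of main().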
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c7c8fd9fa..5f5d94ddf 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -25,7 +25,8 @@ extern char *xephyr_screen; | |||
25 | #define MAX_READ 8192 // line buffer for profile files | 25 | #define MAX_READ 8192 // line buffer for profile files |
26 | 26 | ||
27 | // find and read the profile specified by name from dir directory | 27 | // find and read the profile specified by name from dir directory |
28 | int profile_find(const char *name, const char *dir, int add_ext) { | 28 | // return 1 if a profile was found |
29 | static int profile_find(const char *name, const char *dir, int add_ext) { | ||
29 | EUID_ASSERT(); | 30 | EUID_ASSERT(); |
30 | assert(name); | 31 | assert(name); |
31 | assert(dir); | 32 | assert(dir); |
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) { | |||
64 | } | 65 | } |
65 | 66 | ||
66 | // search and read the profile specified by name from firejail directories | 67 | // search and read the profile specified by name from firejail directories |
68 | // return 1 if a profile was found | ||
67 | int profile_find_firejail(const char *name, int add_ext) { | 69 | int profile_find_firejail(const char *name, int add_ext) { |
68 | // look for a profile in ~/.config/firejail directory | 70 | // look for a profile in ~/.config/firejail directory |
69 | char *usercfgdir; | 71 | char *usercfgdir; |
@@ -139,6 +141,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) { | |||
139 | bool value; // true if set | 141 | bool value; // true if set |
140 | } conditionals[] = { | 142 | } conditionals[] = { |
141 | {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, | 143 | {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0}, |
144 | {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0}, | ||
142 | NULL | 145 | NULL |
143 | }, *cond = conditionals; | 146 | }, *cond = conditionals; |
144 | char *tmp = ptr, *msg = NULL; | 147 | char *tmp = ptr, *msg = NULL; |
@@ -1437,7 +1440,13 @@ void profile_read(const char *fname) { | |||
1437 | ptr2++; | 1440 | ptr2++; |
1438 | // profile path contains no / chars, do a search | 1441 | // profile path contains no / chars, do a search |
1439 | if (*ptr2 == '\0') { | 1442 | if (*ptr2 == '\0') { |
1440 | profile_find_firejail(newprofile, 0); | 1443 | int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory |
1444 | if (!rv) { | ||
1445 | // maybe this is a file in the local working directory? | ||
1446 | // it will stop the sandbox if not! | ||
1447 | // Note: if the file ends in .local it will not stop the program | ||
1448 | profile_read(newprofile); | ||
1449 | } | ||
1441 | } | 1450 | } |
1442 | else { | 1451 | else { |
1443 | profile_read(newprofile); | 1452 | profile_read(newprofile); |
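Review bot: The fallback at new lines 1444-1449 reads `newprofile` as a relative path, i.e. from the current working directory, whenever profile_find_firejail() returns 0, and by the comment at line 70 that lookup covers ~/.config/firejail and the system directory. Every shipped profile starts with `include <name>.local` and those .local files usually do not exist, so running firejail from a directory that happens to contain a file named e.g. disable-common.local would now apply that file's directives to the sandbox; for an untrusted cwd (an extracted archive, a shared scratch directory) that is a new way to feed directives into a SUID program's profile without the user naming the file. Consider limiting the cwd fallback to includes that originate from a profile the user gave as a relative path, e.g. `if (!rv && strchr(fname, '/') == NULL)` (fname is profile_read's own argument), or at least documenting the lookup order and the cwd fallback in the man page. The comment "it will stop the sandbox if not!" should also say what does the stopping, presumably the inaccessible-profile error inside profile_read(), which is outside the hunk along with the start and end of profile_read().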
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e26b5f989..251346bd5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | |||
94 | 94 | ||
95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 95 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
96 | 96 | ||
97 | Currently the only conditional supported is HAS_APPIMAGE. | 97 | Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F. |
98 | 98 | ||
99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 99 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
100 | 100 | ||
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp new file mode 100755 index 000000000..c70e7ad57 --- /dev/null +++ b/test/profiles/profile_appname.exp | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --profile=firefox\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/firefox.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Reading profile /etc/firejail/firefox-common.profile" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "shell=none configured, but no program specified" | ||
22 | } | ||
23 | |||
24 | after 100 | ||
25 | puts "\nall done\n" | ||
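Review bot: The first expect at lines 11-14 hard-codes `/etc/firejail/firefox.profile`, but per the profile.c comment in this commit a profile by name is looked up in ~/.config/firejail first, so the test will time out with "TESTING ERROR 0" on any machine where the developer has a user-level firefox.profile override. Either match on a pattern that accepts both locations, e.g. `-re "Reading profile .*/firefox.profile"`, or note the precondition in a comment at the top of the script. The same assumption applies to the firefox-common.profile match at line 17.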
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index b3b031cb2..9f8cb54e2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp | |||
@@ -7,7 +7,7 @@ match_max 100000 | |||
7 | send -- "firejail --profile=/etc/shadow\r" | 7 | send -- "firejail --profile=/etc/shadow\r" |
8 | expect { | 8 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 9 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "cannot access profile" | 10 | "inaccessible profile file" |
11 | } | 11 | } |
12 | after 100 | 12 | after 100 |
13 | puts "\nall done\n" | 13 | puts "\nall done\n" |
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp new file mode 100755 index 000000000..66e4510bf --- /dev/null +++ b/test/profiles/profile_recursivity.exp | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --profile=test3.profile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile test3.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Reading profile test3.profile" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "maximum profile include level was reached" | ||
22 | } | ||
23 | |||
24 | after 100 | ||
25 | puts "\nall done\n" | ||
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 4d621f3ec..da34b67e8 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp | |||
@@ -7,7 +7,7 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --debug --profile=test2.profile\r" | 10 | send -- "firejail --profile=test2.profile\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "Reading profile test2.profile" | 13 | "Reading profile test2.profile" |
@@ -18,29 +18,8 @@ expect { | |||
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "Mounting a new /home directory" | 21 | "cannot access profile file" |
22 | } | 22 | } |
23 | expect { | 23 | |
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | "Disable /bin/rmdir" {puts "Most Linux platforms\n"} | ||
26 | "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 4\n";exit} | ||
30 | "Drop CAP_SYS_MODULE" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 5\n";exit} | ||
34 | "seccomp entries in /run/firejail/mnt/seccomp" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 7\n";exit} | ||
38 | "jeq mount" | ||
39 | } | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 8\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | send -- "exit\r" | ||
45 | after 100 | 24 | after 100 |
46 | puts "\nall done\n" | 25 | puts "\nall done\n" |
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 7c3549aea..a3d24ac0c 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh | |||
@@ -6,6 +6,33 @@ | |||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | 8 | ||
9 | echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" | ||
10 | ./profile_recursivity.exp | ||
11 | |||
12 | echo "TESTING: profile application name (test/profiles/profile_appname.exp)" | ||
13 | ./profile_appname.exp | ||
14 | |||
15 | echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" | ||
16 | ./profile_syntax.exp | ||
17 | |||
18 | echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" | ||
19 | ./profile_syntax2.exp | ||
20 | |||
21 | echo "TESTING: ignore command (test/profiles/ignore.exp)" | ||
22 | ./ignore.exp | ||
23 | |||
24 | echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" | ||
25 | ./profile_readonly.exp | ||
26 | |||
27 | echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" | ||
28 | ./profile_followlnk.exp | ||
29 | |||
30 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" | ||
31 | ./profile_noperm.exp | ||
32 | |||
33 | |||
34 | |||
35 | |||
9 | echo "TESTING: default profiles installed in /etc" | 36 | echo "TESTING: default profiles installed in /etc" |
10 | PROFILES=`ls /etc/firejail/*.profile` | 37 | PROFILES=`ls /etc/firejail/*.profile` |
11 | for PROFILE in $PROFILES | 38 | for PROFILE in $PROFILES |
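Review bot: The label at new line 27 names the wrong script: it prints `profile_readonly.exp` but runs `./profile_followlnk.exp`, so a failure in that run would be attributed to the read-only test in the log. Change it to `echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"`. Note also that the .exp scripts added in this commit report failure by printing "TESTING ERROR n" and then plain `exit` (status 0), so this runner cannot tell pass from fail without scanning the output; that is the pre-existing convention, but worth keeping in mind when adding new entries here.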
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index e219d800d..9fbd5219a 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile | |||
@@ -1,4 +1,6 @@ | |||
1 | caps | 1 | caps |
2 | seccomp | 2 | seccomp |
3 | private | 3 | private |
4 | include test.profile | 4 | include test.profile |
5 | include test.local | ||
6 | include test25.profile | ||
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile new file mode 100644 index 000000000..c28ddadb5 --- /dev/null +++ b/test/profiles/test3.profile | |||
@@ -0,0 +1 @@ | |||
include test3.profile \ No newline at end of file | |||