Merge pull request #1 from netblue30/master

merge upstream
author: SYN-cook <vinumconsult@posteo.de> 2016-12-27 20:33:14 +0100
committer: GitHub <noreply@github.com> 2016-12-27 20:33:14 +0100
commit: 702e15dfcb0f1028c25933328a376cbfab98b0ac (patch)
tree: 16109908b0fc81b0465c3c6ac13769c7b7e0ed59
parent: don't whitelist keepassx in browser profiles (diff)
parent: fixes (diff)
download: firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.gz
firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.zst
firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.zip
28 files changed, 147 insertions, 22 deletions
diff --git a/README b/README
index 5dc50c9bf..751480868 100644
--- a/README
+++ b/README
@@ -97,6 +97,13 @@ valoq (https://github.com/valoq)
        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
        - added wget profile
        - disable gnupg and systemd directories under /run/user
+eventyrer (https://github.com/eventyrer)
+        - update gnome-mplayer.profile
+thewisenerd (https://github.com/thewisenerd)
+        - allow multiple private-home commands
+        - use $SHELL variable if the shell is not specified
+SYN-cook (https://github.com/SYN-cook)
+        - keepass/keepassx browser fixes
 thewisenerd (https://github.com/thewisenerd)
        - appimage: pass commandline arguments
 KOLANICH (https://github.com/KOLANICH)
diff --git a/etc/7z.profile b/etc/7z.profile
index 0cb72ff8d..319126540 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,9 +1,14 @@
 # 7zip crompression tool profile
 quiet
 ignore noroot
 include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
 tracelog
 net none
 shell none
 private-dev
 nosound
+no3d
diff --git a/etc/atool.profile b/etc/atool.profile
index 3fbfb9fc7..578a88fc7 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin atool
 private-tmp
 private-dev
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 519bd244c..cf89acdac 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -16,6 +16,7 @@ shell none
 tracelog
 net none
 nosound
+no3d
+blacklist /tmp/.X11-unix
diff --git a/etc/elinks.profile b/etc/elinks.profile
index df817ea56..ade15f203 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin elinks
 private-tmp
 private-dev
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 384695473..1cae8c093 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,9 +17,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin exiftool,perl
 private-tmp
 private-dev
diff --git a/etc/git.profile b/etc/git.profile
index d60e58c03..80e534e20 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 1b0fc9807..488c7e0b8 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin gnome-mplayer
+private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index b0ebdf43c..59c7383d7 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -14,9 +14,12 @@ nosound
 protocol unix
 seccomp
 netfilter
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin gpg-agent,gpg
 private-tmp
 private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 31372eb90..d711c6f3e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -15,9 +15,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin gpg,gpg-agent
 private-tmp
 private-dev
diff --git a/etc/highlight.profile b/etc/highlight.profile
index f95f3924a..4bab18349 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -13,10 +13,14 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin highlight
+# private-etc none
 private-tmp
 private-dev
diff --git a/etc/less.profile b/etc/less.profile
index 08758aead..c01dfc466 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile
 net none
 nosound
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 6e150f62e..3e8d72103 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -9,12 +9,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin lynx
 private-tmp
 private-dev
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index c07a9a9e8..65d12c49e 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -9,6 +9,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
@@ -16,6 +17,8 @@ net none
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin mediainfo
 private-tmp
 private-dev
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 2718421c5..5a714de4a 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -33,8 +33,11 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 private-dev
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 329275022..c4e28f70e 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin odt2txt
 private-tmp
 private-dev
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 632c9d15e..fe9e9e3cd 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -13,9 +13,12 @@ protocol unix
 seccomp
 netfilter
 net none
+no3d
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 private-bin pdftotext
 private-tmp
 private-dev
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 548ede37d..bea3a6061 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -12,5 +12,8 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+no3d
 protocol unix,inet,inet6
 seccomp
+blacklist /tmp/.X11-unix
diff --git a/etc/strings.profile b/etc/strings.profile
index 2b7724b11..2bbab1366 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -7,5 +7,6 @@ net none
 nosound
 shell none
 tracelog
 private-dev
+no3d
+blacklist /tmp/.X11-unix
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 217631216..7f4f371eb 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -12,12 +12,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin tracker
 # private-tmp
 # private-dev
diff --git a/etc/w3m.profile b/etc/w3m.profile
index d765217cf..7ee91bb70 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -11,12 +11,15 @@ nogroups
 nonewprivs
 noroot
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 netfilter
 shell none
 tracelog
+blacklist /tmp/.X11-unix
 # private-bin w3m
 private-tmp
 private-dev
diff --git a/etc/wget.profile b/etc/wget.profile
index d9bca2acc..ff4b92bae 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,10 +10,12 @@ nonewprivs
 noroot
 nogroups
 nosound
+no3d
 protocol unix,inet,inet6
 seccomp
 shell none
+blacklist /tmp/.X11-unix
 # private-bin wget
 # private-etc resolv.conf
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 8584e4e5b..32be90b19 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -14,6 +14,8 @@ shell none
 seccomp
 protocol unix,inet,inet6
+# blacklist /tmp/.X11-unix
 # private-bin 
 private-dev
 private-tmp
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index dcb0a5424..a17758f8b 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -163,7 +163,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
        // the program should exit with an error before entering this function
        assert(index != -1);
-        unsigned argcount = argc - index;
+//      unsigned argcount = argc - index;
        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index b10858411..0970642db 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -95,9 +95,10 @@ static char *resolve_downloads(void) {
                                        if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
                                                errExit("asprintf");
                                        
-                                        if (stat(fname, &s) == -1)
+                                        if (stat(fname, &s) == -1) {
                                                free(fname);
                                                goto errout;
+                                        }
                                
                                        char *rv;
                                        if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 15820f7dd..e70e20eec 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -754,12 +754,21 @@ static void delete_x11_file(pid_t pid) {
 char *guess_shell(void) {
        char *shell = NULL;
+        struct stat s;
+        shell = getenv("SHELL");
+        if (shell) {
+                // TODO: handle rogue shell variables?
+                if (stat(shell, &s) == 0 && access(shell, R_OK) == 0) {
+                        return shell;
+                }
+        }
        // shells in order of preference
        char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
        int i = 0;
        while (shells[i] != NULL) {
-                struct stat s;
                // access call checks as real UID/GID, not as effective UID/GID
                if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {
                        shell = shells[i];
@@ -1500,7 +1509,15 @@ int main(int argc, char **argv) {
                                }
                                
                                // extract private home dirname
-                                cfg.home_private_keep = argv[i] + 15;
+                                if (*(argv[i] + 15) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-home option\n");
+                                        exit(1);
+                                }
+                                if (cfg.home_private_keep) {
+                                        if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, argv[i] + 15) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.home_private_keep = argv[i] + 15;
                                arg_private = 1;
                        }
                        else
@@ -1517,38 +1534,54 @@ int main(int argc, char **argv) {
                        }
                        
                        // extract private etc list
-                        cfg.etc_private_keep = argv[i] + 14;
+                        if (*(argv[i] + 14) == '\0') {
-                        if (*cfg.etc_private_keep == '\0') {
                                fprintf(stderr, "Error: invalid private-etc option\n");
                                exit(1);
                        }
+                        if (cfg.etc_private_keep) {
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.etc_private_keep = argv[i] + 14;
                        arg_private_etc = 1;
                }
                else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
                        // extract private opt list
-                        cfg.opt_private_keep = argv[i] + 14;
+                        if (*(argv[i] + 14) == '\0') {
-                        if (*cfg.opt_private_keep == '\0') {
                                fprintf(stderr, "Error: invalid private-opt option\n");
                                exit(1);
                        }
+                        if (cfg.opt_private_keep) {
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.opt_private_keep = argv[i] + 14;
                        arg_private_opt = 1;
                }
                else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
                        // extract private srv list
-                        cfg.srv_private_keep = argv[i] + 14;
+                        if (*(argv[i] + 14) == '\0') {
-                        if (*cfg.srv_private_keep == '\0') {
                                fprintf(stderr, "Error: invalid private-etc option\n");
                                exit(1);
                        }
+                        if (cfg.srv_private_keep) {
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.srv_private_keep = argv[i] + 14;
                        arg_private_srv = 1;
                }
                else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                        // extract private bin list
-                        cfg.bin_private_keep = argv[i] + 14;
+                        if (*(argv[i] + 14) == '\0') {
-                        if (*cfg.bin_private_keep == '\0') {
                                fprintf(stderr, "Error: invalid private-bin option\n");
                                exit(1);
                        }
+                        if (cfg.bin_private_keep) {
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.bin_private_keep = argv[i] + 14;
                        arg_private_bin = 1;
                }
                else if (strcmp(argv[i], "--private-tmp") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index da3daf95a..fab4f1efa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -179,7 +179,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        if (strncmp(ptr, "private-home ", 13) == 0) {
 #ifdef HAVE_PRIVATE_HOME
                if (checkcfg(CFG_PRIVATE_HOME)) {
-                        cfg.home_private_keep = ptr + 13;
+                        if (cfg.home_private_keep) {
+                                if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, ptr + 13) < 0 )
+                                        errExit("asprintf");
+                        } else
+                                cfg.home_private_keep = ptr + 13;
                        arg_private = 1;
                }
                else
@@ -748,7 +752,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
                        exit(1);
                }
-                cfg.etc_private_keep = ptr + 12;
+                if (cfg.etc_private_keep) {
+                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                                errExit("asprintf");
+                } else {
+                        cfg.etc_private_keep = ptr + 12;
+                }
                arg_private_etc = 1;
                
                return 0;
@@ -756,7 +765,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // private /opt list of files and directories
        if (strncmp(ptr, "private-opt ", 12) == 0) {
-                cfg.opt_private_keep = ptr + 12;
+                if (cfg.opt_private_keep) {
+                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                                errExit("asprintf");
+                } else {
+                        cfg.opt_private_keep = ptr + 12;
+                }
                arg_private_opt = 1;
                
                return 0;
@@ -764,7 +778,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // private /srv list of files and directories
        if (strncmp(ptr, "private-srv ", 12) == 0) {
-                cfg.srv_private_keep = ptr + 12;
+                if (cfg.srv_private_keep) {
+                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                                errExit("asprintf");
+                } else {
+                        cfg.srv_private_keep = ptr + 12;
+                }
                arg_private_srv = 1;
                
                return 0;
@@ -772,7 +791,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // private /bin list of files
        if (strncmp(ptr, "private-bin ", 12) == 0) {
-                cfg.bin_private_keep = ptr + 12;
+                if (cfg.bin_private_keep) {
+                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                                errExit("asprintf");
+                } else {
+                        cfg.bin_private_keep = ptr + 12;
+                }
                arg_private_bin = 1;
                return 0;
        }
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index a2002bc0a..827f32126 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -33,7 +33,8 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "13"
+        "13" {puts "OK\n"}
+        "12" {puts "OK\n"}
 }
 after 100
 send -- "exit\r"
author	SYN-cook <vinumconsult@posteo.de>	2016-12-27 20:33:14 +0100
committer	GitHub <noreply@github.com>	2016-12-27 20:33:14 +0100
commit	702e15dfcb0f1028c25933328a376cbfab98b0ac (patch)
tree	16109908b0fc81b0465c3c6ac13769c7b7e0ed59
parent	don't whitelist keepassx in browser profiles (diff)
parent	fixes (diff)
download	firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.gz firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.zst firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.zip

diff --git a/README b/README index 5dc50c9bf..751480868 100644 --- a/README +++ b/README
@@ -97,6 +97,13 @@ valoq (https://github.com/valoq)
97	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles	97	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
98	- added wget profile	98	- added wget profile
99	- disable gnupg and systemd directories under /run/user	99	- disable gnupg and systemd directories under /run/user
		100	eventyrer (https://github.com/eventyrer)
		101	- update gnome-mplayer.profile
		102	thewisenerd (https://github.com/thewisenerd)
		103	- allow multiple private-home commands
		104	- use $SHELL variable if the shell is not specified
		105	SYN-cook (https://github.com/SYN-cook)
		106	- keepass/keepassx browser fixes
100	thewisenerd (https://github.com/thewisenerd)	107	thewisenerd (https://github.com/thewisenerd)
101	- appimage: pass commandline arguments	108	- appimage: pass commandline arguments
102	KOLANICH (https://github.com/KOLANICH)	109	KOLANICH (https://github.com/KOLANICH)


diff --git a/etc/7z.profile b/etc/7z.profile index 0cb72ff8d..319126540 100644 --- a/etc/7z.profile +++ b/etc/7z.profile
@@ -1,9 +1,14 @@
1	# 7zip crompression tool profile	1	# 7zip crompression tool profile
2	quiet	2	quiet
3	ignore noroot	3	ignore noroot
		4
4	include /etc/firejail/default.profile	5	include /etc/firejail/default.profile
		6
		7	blacklist /tmp/.X11-unix
		8
5	tracelog	9	tracelog
6	net none	10	net none
7	shell none	11	shell none
8	private-dev	12	private-dev
9	nosound	13	nosound
		14	no3d


diff --git a/etc/atool.profile b/etc/atool.profile index 3fbfb9fc7..578a88fc7 100644 --- a/etc/atool.profile +++ b/etc/atool.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	# private-bin atool	22	# private-bin atool
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/cpio.profile b/etc/cpio.profile index 519bd244c..cf89acdac 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile
@@ -16,6 +16,7 @@ shell none
16	tracelog	16	tracelog
17	net none	17	net none
18	nosound	18	nosound
		19	no3d
19		20
20		21	blacklist /tmp/.X11-unix
21		22


diff --git a/etc/elinks.profile b/etc/elinks.profile index df817ea56..ade15f203 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile
@@ -11,12 +11,15 @@ nogroups
11	nonewprivs	11	nonewprivs
12	noroot	12	noroot
13	nosound	13	nosound
		14	no3d
14	protocol unix,inet,inet6	15	protocol unix,inet,inet6
15	seccomp	16	seccomp
16	netfilter	17	netfilter
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin elinks	23	# private-bin elinks
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 384695473..1cae8c093 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile
@@ -17,9 +17,12 @@ protocol unix
17	seccomp	17	seccomp
18	netfilter	18	netfilter
19	net none	19	net none
		20	no3d
20	shell none	21	shell none
21	tracelog	22	tracelog
22		23
		24	blacklist /tmp/.X11-unix
		25
23	# private-bin exiftool,perl	26	# private-bin exiftool,perl
24	private-tmp	27	private-tmp
25	private-dev	28	private-dev


diff --git a/etc/git.profile b/etc/git.profile index d60e58c03..80e534e20 100644 --- a/etc/git.profile +++ b/etc/git.profile
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc
12	include /etc/firejail/disable-programs.inc	12	include /etc/firejail/disable-programs.inc
13	include /etc/firejail/disable-passwdmgr.inc	13	include /etc/firejail/disable-passwdmgr.inc
14		14
15
16	caps.drop all	15	caps.drop all
17	netfilter	16	netfilter
18	nogroups	17	nogroups
19	nonewprivs	18	nonewprivs
20	noroot	19	noroot
21	nosound	20	nosound
		21	no3d
22	protocol unix,inet,inet6	22	protocol unix,inet,inet6
23	seccomp	23	seccomp
24	shell none	24	shell none
25		25
		26	blacklist /tmp/.X11-unix
		27
26	private-dev	28	private-dev


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1b0fc9807..488c7e0b8 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
12	seccomp	12	seccomp
13	shell none	13	shell none
14		14
15	private-bin gnome-mplayer	15	private-bin gnome-mplayer,mplayer
16	private-dev	16	private-dev
17	private-tmp	17	private-tmp


diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index b0ebdf43c..59c7383d7 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile
@@ -14,9 +14,12 @@ nosound
14	protocol unix	14	protocol unix
15	seccomp	15	seccomp
16	netfilter	16	netfilter
		17	no3d
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin gpg-agent,gpg	23	# private-bin gpg-agent,gpg
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/gpg.profile b/etc/gpg.profile index 31372eb90..d711c6f3e 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile
@@ -15,9 +15,12 @@ protocol unix
15	seccomp	15	seccomp
16	netfilter	16	netfilter
17	net none	17	net none
		18	no3d
18	shell none	19	shell none
19	tracelog	20	tracelog
20		21
		22	blacklist /tmp/.X11-unix
		23
21	# private-bin gpg,gpg-agent	24	# private-bin gpg,gpg-agent
22	private-tmp	25	private-tmp
23	private-dev	26	private-dev


diff --git a/etc/highlight.profile b/etc/highlight.profile index f95f3924a..4bab18349 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile
@@ -13,10 +13,14 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin highlight	22	private-bin highlight
		23	# private-etc none
20	private-tmp	24	private-tmp
21	private-dev	25	private-dev
22		26


diff --git a/etc/less.profile b/etc/less.profile index 08758aead..c01dfc466 100644 --- a/etc/less.profile +++ b/etc/less.profile
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile
5		5
6	net none	6	net none
7	nosound	7	nosound
		8	no3d
8	shell none	9	shell none
9	tracelog	10	tracelog
10		11
		12	blacklist /tmp/.X11-unix
		13
11	private-dev	14	private-dev


diff --git a/etc/lynx.profile b/etc/lynx.profile index 6e150f62e..3e8d72103 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile
@@ -9,12 +9,15 @@ nogroups
9	nonewprivs	9	nonewprivs
10	noroot	10	noroot
11	nosound	11	nosound
		12	no3d
12	protocol unix,inet,inet6	13	protocol unix,inet,inet6
13	seccomp	14	seccomp
14	netfilter	15	netfilter
15	shell none	16	shell none
16	tracelog	17	tracelog
17		18
		19	blacklist /tmp/.X11-unix
		20
18	# private-bin lynx	21	# private-bin lynx
19	private-tmp	22	private-tmp
20	private-dev	23	private-dev


diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index c07a9a9e8..65d12c49e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile
@@ -9,6 +9,7 @@ nogroups
9	nonewprivs	9	nonewprivs
10	noroot	10	noroot
11	nosound	11	nosound
		12	no3d
12	protocol unix	13	protocol unix
13	seccomp	14	seccomp
14	netfilter	15	netfilter
@@ -16,6 +17,8 @@ net none
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin mediainfo	22	private-bin mediainfo
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/mutt.profile b/etc/mutt.profile index 2718421c5..5a714de4a 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile
@@ -33,8 +33,11 @@ nogroups
33	nonewprivs	33	nonewprivs
34	noroot	34	noroot
35	nosound	35	nosound
		36	no3d
36	protocol unix,inet,inet6	37	protocol unix,inet,inet6
37	seccomp	38	seccomp
38	shell none	39	shell none
39		40
		41	blacklist /tmp/.X11-unix
		42
40	private-dev	43	private-dev


diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 329275022..c4e28f70e 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin odt2txt	22	private-bin odt2txt
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 632c9d15e..fe9e9e3cd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile
@@ -13,9 +13,12 @@ protocol unix
13	seccomp	13	seccomp
14	netfilter	14	netfilter
15	net none	15	net none
		16	no3d
16	shell none	17	shell none
17	tracelog	18	tracelog
18		19
		20	blacklist /tmp/.X11-unix
		21
19	private-bin pdftotext	22	private-bin pdftotext
20	private-tmp	23	private-tmp
21	private-dev	24	private-dev


diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 548ede37d..bea3a6061 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile
@@ -12,5 +12,8 @@ caps.drop all
12	netfilter	12	netfilter
13	nonewprivs	13	nonewprivs
14	noroot	14	noroot
		15	no3d
15	protocol unix,inet,inet6	16	protocol unix,inet,inet6
16	seccomp	17	seccomp
		18
		19	blacklist /tmp/.X11-unix


diff --git a/etc/strings.profile b/etc/strings.profile index 2b7724b11..2bbab1366 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -7,5 +7,6 @@ net none
7	nosound	7	nosound
8	shell none	8	shell none
9	tracelog	9	tracelog
10
11	private-dev	10	private-dev
		11	no3d
		12	blacklist /tmp/.X11-unix


diff --git a/etc/tracker.profile b/etc/tracker.profile index 217631216..7f4f371eb 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile
@@ -12,12 +12,15 @@ nogroups
12	nonewprivs	12	nonewprivs
13	noroot	13	noroot
14	nosound	14	nosound
		15	no3d
15	protocol unix	16	protocol unix
16	seccomp	17	seccomp
17	netfilter	18	netfilter
18	shell none	19	shell none
19	tracelog	20	tracelog
20		21
		22	blacklist /tmp/.X11-unix
		23
21	# private-bin tracker	24	# private-bin tracker
22	# private-tmp	25	# private-tmp
23	# private-dev	26	# private-dev


diff --git a/etc/w3m.profile b/etc/w3m.profile index d765217cf..7ee91bb70 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile
@@ -11,12 +11,15 @@ nogroups
11	nonewprivs	11	nonewprivs
12	noroot	12	noroot
13	nosound	13	nosound
		14	no3d
14	protocol unix,inet,inet6	15	protocol unix,inet,inet6
15	seccomp	16	seccomp
16	netfilter	17	netfilter
17	shell none	18	shell none
18	tracelog	19	tracelog
19		20
		21	blacklist /tmp/.X11-unix
		22
20	# private-bin w3m	23	# private-bin w3m
21	private-tmp	24	private-tmp
22	private-dev	25	private-dev


diff --git a/etc/wget.profile b/etc/wget.profile index d9bca2acc..ff4b92bae 100644 --- a/etc/wget.profile +++ b/etc/wget.profile
@@ -10,10 +10,12 @@ nonewprivs
10	noroot	10	noroot
11	nogroups	11	nogroups
12	nosound	12	nosound
		13	no3d
13	protocol unix,inet,inet6	14	protocol unix,inet,inet6
14	seccomp	15	seccomp
15	shell none	16	shell none
16		17
		18	blacklist /tmp/.X11-unix
17		19
18	# private-bin wget	20	# private-bin wget
19	# private-etc resolv.conf	21	# private-etc resolv.conf


diff --git a/etc/xpra.profile b/etc/xpra.profile index 8584e4e5b..32be90b19 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile
@@ -14,6 +14,8 @@ shell none
14	seccomp	14	seccomp
15	protocol unix,inet,inet6	15	protocol unix,inet,inet6
16		16
		17	# blacklist /tmp/.X11-unix
		18
17	# private-bin	19	# private-bin
18	private-dev	20	private-dev
19	private-tmp	21	private-tmp


diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index dcb0a5424..a17758f8b 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c
@@ -163,7 +163,7 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
163	// the program should exit with an error before entering this function	163	// the program should exit with an error before entering this function
164	assert(index != -1);	164	assert(index != -1);
165		165
166	unsigned argcount = argc - index;	166	// unsigned argcount = argc - index;
167		167
168	int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes	168	int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes
169	int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage	169	int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b10858411..0970642db 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -95,9 +95,10 @@ static char *resolve_downloads(void) {
95	if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)	95	if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
96	errExit("asprintf");	96	errExit("asprintf");
97		97
98	if (stat(fname, &s) == -1)	98	if (stat(fname, &s) == -1) {
99	free(fname);	99	free(fname);
100	goto errout;	100	goto errout;
		101	}
101		102
102	char *rv;	103	char *rv;
103	if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)	104	if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)


diff --git a/src/firejail/main.c b/src/firejail/main.c index 15820f7dd..e70e20eec 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -754,12 +754,21 @@ static void delete_x11_file(pid_t pid) {
754		754
755	char *guess_shell(void) {	755	char *guess_shell(void) {
756	char *shell = NULL;	756	char *shell = NULL;
		757	struct stat s;
		758
		759	shell = getenv("SHELL");
		760	if (shell) {
		761	// TODO: handle rogue shell variables?
		762	if (stat(shell, &s) == 0 && access(shell, R_OK) == 0) {
		763	return shell;
		764	}
		765	}
		766
757	// shells in order of preference	767	// shells in order of preference
758	char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };	768	char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
759		769
760	int i = 0;	770	int i = 0;
761	while (shells[i] != NULL) {	771	while (shells[i] != NULL) {
762	struct stat s;
763	// access call checks as real UID/GID, not as effective UID/GID	772	// access call checks as real UID/GID, not as effective UID/GID
764	if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {	773	if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {
765	shell = shells[i];	774	shell = shells[i];
@@ -1500,7 +1509,15 @@ int main(int argc, char **argv) {
1500	}	1509	}
1501		1510
1502	// extract private home dirname	1511	// extract private home dirname
1503	cfg.home_private_keep = argv[i] + 15;	1512	if (*(argv[i] + 15) == '\0') {
		1513	fprintf(stderr, "Error: invalid private-home option\n");
		1514	exit(1);
		1515	}
		1516	if (cfg.home_private_keep) {
		1517	if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, argv[i] + 15) < 0 )
		1518	errExit("asprintf");
		1519	} else
		1520	cfg.home_private_keep = argv[i] + 15;
1504	arg_private = 1;	1521	arg_private = 1;
1505	}	1522	}
1506	else	1523	else
@@ -1517,38 +1534,54 @@ int main(int argc, char **argv) {
1517	}	1534	}
1518		1535
1519	// extract private etc list	1536	// extract private etc list
1520	cfg.etc_private_keep = argv[i] + 14;	1537	if (*(argv[i] + 14) == '\0') {
1521	if (*cfg.etc_private_keep == '\0') {
1522	fprintf(stderr, "Error: invalid private-etc option\n");	1538	fprintf(stderr, "Error: invalid private-etc option\n");
1523	exit(1);	1539	exit(1);
1524	}	1540	}
		1541	if (cfg.etc_private_keep) {
		1542	if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
		1543	errExit("asprintf");
		1544	} else
		1545	cfg.etc_private_keep = argv[i] + 14;
1525	arg_private_etc = 1;	1546	arg_private_etc = 1;
1526	}	1547	}
1527	else if (strncmp(argv[i], "--private-opt=", 14) == 0) {	1548	else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
1528	// extract private opt list	1549	// extract private opt list
1529	cfg.opt_private_keep = argv[i] + 14;	1550	if (*(argv[i] + 14) == '\0') {
1530	if (*cfg.opt_private_keep == '\0') {
1531	fprintf(stderr, "Error: invalid private-opt option\n");	1551	fprintf(stderr, "Error: invalid private-opt option\n");
1532	exit(1);	1552	exit(1);
1533	}	1553	}
		1554	if (cfg.opt_private_keep) {
		1555	if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
		1556	errExit("asprintf");
		1557	} else
		1558	cfg.opt_private_keep = argv[i] + 14;
1534	arg_private_opt = 1;	1559	arg_private_opt = 1;
1535	}	1560	}
1536	else if (strncmp(argv[i], "--private-srv=", 14) == 0) {	1561	else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
1537	// extract private srv list	1562	// extract private srv list
1538	cfg.srv_private_keep = argv[i] + 14;	1563	if (*(argv[i] + 14) == '\0') {
1539	if (*cfg.srv_private_keep == '\0') {
1540	fprintf(stderr, "Error: invalid private-etc option\n");	1564	fprintf(stderr, "Error: invalid private-etc option\n");
1541	exit(1);	1565	exit(1);
1542	}	1566	}
		1567	if (cfg.srv_private_keep) {
		1568	if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
		1569	errExit("asprintf");
		1570	} else
		1571	cfg.srv_private_keep = argv[i] + 14;
1543	arg_private_srv = 1;	1572	arg_private_srv = 1;
1544	}	1573	}
1545	else if (strncmp(argv[i], "--private-bin=", 14) == 0) {	1574	else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
1546	// extract private bin list	1575	// extract private bin list
1547	cfg.bin_private_keep = argv[i] + 14;	1576	if (*(argv[i] + 14) == '\0') {
1548	if (*cfg.bin_private_keep == '\0') {
1549	fprintf(stderr, "Error: invalid private-bin option\n");	1577	fprintf(stderr, "Error: invalid private-bin option\n");
1550	exit(1);	1578	exit(1);
1551	}	1579	}
		1580	if (cfg.bin_private_keep) {
		1581	if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
		1582	errExit("asprintf");
		1583	} else
		1584	cfg.bin_private_keep = argv[i] + 14;
1552	arg_private_bin = 1;	1585	arg_private_bin = 1;
1553	}	1586	}
1554	else if (strcmp(argv[i], "--private-tmp") == 0) {	1587	else if (strcmp(argv[i], "--private-tmp") == 0) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index da3daf95a..fab4f1efa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -179,7 +179,11 @@ int profile_check_line(char ptr, int lineno, const char fname) {
179	if (strncmp(ptr, "private-home ", 13) == 0) {	179	if (strncmp(ptr, "private-home ", 13) == 0) {
180	#ifdef HAVE_PRIVATE_HOME	180	#ifdef HAVE_PRIVATE_HOME
181	if (checkcfg(CFG_PRIVATE_HOME)) {	181	if (checkcfg(CFG_PRIVATE_HOME)) {
182	cfg.home_private_keep = ptr + 13;	182	if (cfg.home_private_keep) {
		183	if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, ptr + 13) < 0 )
		184	errExit("asprintf");
		185	} else
		186	cfg.home_private_keep = ptr + 13;
183	arg_private = 1;	187	arg_private = 1;
184	}	188	}
185	else	189	else
@@ -748,7 +752,12 @@ int profile_check_line(char ptr, int lineno, const char fname) {
748	fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");	752	fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
749	exit(1);	753	exit(1);
750	}	754	}
751	cfg.etc_private_keep = ptr + 12;	755	if (cfg.etc_private_keep) {
		756	if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
		757	errExit("asprintf");
		758	} else {
		759	cfg.etc_private_keep = ptr + 12;
		760	}
752	arg_private_etc = 1;	761	arg_private_etc = 1;
753		762
754	return 0;	763	return 0;
@@ -756,7 +765,12 @@ int profile_check_line(char ptr, int lineno, const char fname) {
756		765
757	// private /opt list of files and directories	766	// private /opt list of files and directories
758	if (strncmp(ptr, "private-opt ", 12) == 0) {	767	if (strncmp(ptr, "private-opt ", 12) == 0) {
759	cfg.opt_private_keep = ptr + 12;	768	if (cfg.opt_private_keep) {
		769	if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
		770	errExit("asprintf");
		771	} else {
		772	cfg.opt_private_keep = ptr + 12;
		773	}
760	arg_private_opt = 1;	774	arg_private_opt = 1;
761		775
762	return 0;	776	return 0;
@@ -764,7 +778,12 @@ int profile_check_line(char ptr, int lineno, const char fname) {
764		778
765	// private /srv list of files and directories	779	// private /srv list of files and directories
766	if (strncmp(ptr, "private-srv ", 12) == 0) {	780	if (strncmp(ptr, "private-srv ", 12) == 0) {
767	cfg.srv_private_keep = ptr + 12;	781	if (cfg.srv_private_keep) {
		782	if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
		783	errExit("asprintf");
		784	} else {
		785	cfg.srv_private_keep = ptr + 12;
		786	}
768	arg_private_srv = 1;	787	arg_private_srv = 1;
769		788
770	return 0;	789	return 0;
@@ -772,7 +791,12 @@ int profile_check_line(char ptr, int lineno, const char fname) {
772		791
773	// private /bin list of files	792	// private /bin list of files
774	if (strncmp(ptr, "private-bin ", 12) == 0) {	793	if (strncmp(ptr, "private-bin ", 12) == 0) {
775	cfg.bin_private_keep = ptr + 12;	794	if (cfg.bin_private_keep) {
		795	if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
		796	errExit("asprintf");
		797	} else {
		798	cfg.bin_private_keep = ptr + 12;
		799	}
776	arg_private_bin = 1;	800	arg_private_bin = 1;
777	return 0;	801	return 0;
778	}	802	}


diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index a2002bc0a..827f32126 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp
@@ -33,7 +33,8 @@ sleep 1
33	send -- "ls -l /dev \| wc -l\r"	33	send -- "ls -l /dev \| wc -l\r"
34	expect {	34	expect {
35	timeout {puts "TESTING ERROR 3\n";exit}	35	timeout {puts "TESTING ERROR 3\n";exit}
36	"13"	36	"13" {puts "OK\n"}
		37	"12" {puts "OK\n"}
37	}	38	}
38	after 100	39	after 100
39	send -- "exit\r"	40	send -- "exit\r"