author | 2018-09-04 07:31:58 -0400 | |
---|---|---|
committer | 2018-09-04 07:31:58 -0400 | |
commit | 9a35f98f8f143bd2e15ce063972d0720a78a4126 (patch) | |
tree | e082879949b89d8520b07322eca78ab62b78dc2e | |
parent | mainline merge (diff) | |
parent | manpage cleanup (diff) | |
mainline merge
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | etc/dig.profile | 47 | ||||
-rwxr-xr-x | linecnt.sh | 3 | ||||
-rwxr-xr-x | platform/rpm/old-mkrpm.sh | 688 | ||||
-rw-r--r-- | src/firejail/cgroup.c | 119 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 190 | ||||
-rw-r--r-- | src/firejail/join.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 132 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 54 | ||||
-rw-r--r-- | src/lib/firejail_user.c | 8 | ||||
-rw-r--r-- | src/man/firecfg.txt | 1 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 41 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 119 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 21 | ||||
-rw-r--r-- | src/man/firejail.txt | 569 | ||||
-rw-r--r-- | src/man/firemon.txt | 1 | ||||
-rwxr-xr-x | src/tools/check-caps.sh | 46 | ||||
-rw-r--r-- | src/tools/extract_caps.c | 83 | ||||
-rw-r--r-- | src/tools/extract_errnos.sh | 4 | ||||
-rw-r--r-- | src/tools/extract_syscalls.c | 93 | ||||
-rwxr-xr-x | src/tools/mkcoverit.sh | 45 | ||||
-rw-r--r-- | src/tools/testuid.c | 49 | ||||
-rw-r--r-- | src/tools/ttytest.c | 36 | ||||
-rwxr-xr-x | src/tools/unchroot.pl | 33 | ||||
-rw-r--r-- | src/tools/unixsocket.c | 29 | ||||
-rw-r--r-- | status | 11 |
29 files changed, 55 insertions, 2388 deletions
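--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/fnet src/fseccomp src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 
 prefix=@prefix@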
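Review bot: The `MANPAGES` edit at new line 4 drops `firejail-login.5` from the build list, but the install and uninstall rules that consume this variable or name the page directly sit outside the hunk. Any remaining `firejail-login.5` reference further down Makefile.in or in packaging file lists should be confirmed gone, otherwise the install step can fail on a file that is no longer generated. The diffstat lists `src/man/firejail-login.txt` and `src/firejail/restricted_shell.c` among the changed files, which suggests the login-shell support is removed on this branch. If that is the case, a release-note line such as `firejail-login(5) and login.users handling removed` would tell administrators who configured firejail as a login shell that those per-user sandbox arguments no longer take effect.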
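--- a/etc/dig.profile
+++ /dev/null
@@ -1,47 +0,0 @@
-quiet
-# Firejail profile for dig
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dig.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-# include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-xdg.inc
-
-whitelist ~/.digrc
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# ipc-namespace
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private
-private-bin sh,bash,dig
-private-cache
-private-dev
-# private-etc resolv.conf
-private-lib
-private-tmp
-
-memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp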
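--- a/linecnt.sh
+++ b/linecnt.sh
@@ -6,7 +6,6 @@ gcov_init() {
 firemon --help > /dev/null
 /usr/lib/firejail/fnet --help > /dev/null
 /usr/lib/firejail/fseccomp --help > /dev/null
-/usr/lib/firejail/ftee --help > /dev/null
 firecfg --help > /dev/null
 
 /usr/lib/firejail/fnetfilter --help > /dev/null
@@ -20,5 +19,5 @@ rm -fr gcov-dir
 gcov_init
 lcov -q --capture -d src/firejail -d src/firemon \
 -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
--d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
+-d src/fnet -d src/lib -d src/firecfg --output-file gcov-file
 genhtml -q gcov-file --output-directory gcov-dir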
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh deleted file mode 100755 index bb321c4fe..000000000 --- a/platform/rpm/old-mkrpm.sh +++ /dev/null | |||
@@ -1,688 +0,0 @@ | |||
1 | #!/bin/bash | ||
2 | VERSION="0.9.52" | ||
3 | rm -fr ~/rpmbuild | ||
4 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
5 | |||
6 | mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} | ||
7 | cat <<EOF >~/.rpmmacros | ||
8 | %_topdir %(echo $HOME)/rpmbuild | ||
9 | %_tmppath %{_topdir}/tmp | ||
10 | EOF | ||
11 | |||
12 | cd ~/rpmbuild | ||
13 | echo "building directory tree" | ||
14 | |||
15 | mkdir -p firejail-$VERSION/usr/bin | ||
16 | install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. | ||
17 | install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. | ||
18 | install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/. | ||
19 | |||
20 | mkdir -p firejail-$VERSION/usr/lib/firejail | ||
21 | install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/. | ||
22 | install -m 755 /usr/lib/firejail/fcopy firejail-$VERSION/usr/lib/firejail/. | ||
23 | install -m 755 /usr/lib/firejail/fgit-install.sh firejail-$VERSION/usr/lib/firejail/. | ||
24 | install -m 755 /usr/lib/firejail/fgit-uninstall.sh firejail-$VERSION/usr/lib/firejail/. | ||
25 | install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/. | ||
26 | # Python 3 is not available on CentOS | ||
27 | #install -m 755 /usr/lib/firejail/fix_private-bin.py firejail-$VERSION/usr/lib/firejail/. | ||
28 | #install -m 755 /usr/lib/firejail/fjclip.py firejail-$VERSION/usr/lib/firejail/. | ||
29 | #install -m 755 /usr/lib/firejail/fjdisplay.py firejail-$VERSION/usr/lib/firejail/. | ||
30 | #install -m 755 /usr/lib/firejail/fjresize.py firejail-$VERSION/usr/lib/firejail/. | ||
31 | install -m 755 /usr/lib/firejail/fldd firejail-$VERSION/usr/lib/firejail/. | ||
32 | install -m 755 /usr/lib/firejail/fnet firejail-$VERSION/usr/lib/firejail/. | ||
33 | install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/. | ||
34 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | ||
35 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | ||
36 | install -m 755 /usr/lib/firejail/fbuilder firejail-$VERSION/usr/lib/firejail/. | ||
37 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. | ||
38 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | ||
39 | install -m 644 /usr/lib/firejail/libpostexecseccomp.so firejail-$VERSION/usr/lib/firejail/. | ||
40 | install -m 644 /usr/lib/firejail/seccomp firejail-$VERSION/usr/lib/firejail/. | ||
41 | install -m 644 /usr/lib/firejail/seccomp.64 firejail-$VERSION/usr/lib/firejail/. | ||
42 | install -m 644 /usr/lib/firejail/seccomp.debug firejail-$VERSION/usr/lib/firejail/. | ||
43 | install -m 644 /usr/lib/firejail/seccomp.32 firejail-$VERSION/usr/lib/firejail/. | ||
44 | install -m 644 /usr/lib/firejail/seccomp.block_secondary firejail-$VERSION/usr/lib/firejail/. | ||
45 | install -m 644 /usr/lib/firejail/seccomp.mdwx firejail-$VERSION/usr/lib/firejail/. | ||
46 | |||
47 | mkdir -p firejail-$VERSION/usr/share/man/man1 | ||
48 | install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
49 | install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
50 | install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
51 | |||
52 | mkdir -p firejail-$VERSION/usr/share/man/man5 | ||
53 | install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
54 | install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
55 | |||
56 | mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail | ||
57 | install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
58 | install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
59 | install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
60 | |||
61 | mkdir -p firejail-$VERSION/etc/firejail | ||
62 | install -m 644 /etc/firejail/* firejail-$VERSION/etc/firejail/. | ||
63 | |||
64 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | ||
65 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | ||
66 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | ||
67 | install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/. | ||
68 | |||
69 | echo "building tar.gz archive" | ||
70 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | ||
71 | |||
72 | cp firejail-$VERSION.tar.gz SOURCES/. | ||
73 | |||
74 | echo "building config spec" | ||
75 | cat <<EOF > SPECS/firejail.spec | ||
76 | %define __spec_install_post %{nil} | ||
77 | %define debug_package %{nil} | ||
78 | %define __os_install_post %{_dbpath}/brp-compress | ||
79 | |||
80 | Summary: Linux namepaces sandbox program | ||
81 | Name: firejail | ||
82 | Version: $VERSION | ||
83 | Release: 1 | ||
84 | License: GPL+ | ||
85 | Group: Development/Tools | ||
86 | SOURCE0 : %{name}-%{version}.tar.gz | ||
87 | URL: http://firejail.wordpress.com | ||
88 | |||
89 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | ||
90 | |||
91 | %description | ||
92 | Firejail is a SUID sandbox program that reduces the risk of security | ||
93 | breaches by restricting the running environment of untrusted applications | ||
94 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | ||
95 | |||
96 | %prep | ||
97 | %setup -q | ||
98 | |||
99 | %build | ||
100 | |||
101 | %install | ||
102 | rm -rf %{buildroot} | ||
103 | mkdir -p %{buildroot} | ||
104 | |||
105 | cp -a * %{buildroot} | ||
106 | |||
107 | |||
108 | %clean | ||
109 | rm -rf %{buildroot} | ||
110 | |||
111 | %files | ||
112 | %defattr(-,root,root,-) | ||
113 | %{_sysconfdir}/%{name}/0ad.profile | ||
114 | %{_sysconfdir}/%{name}/abrowser.profile | ||
115 | %{_sysconfdir}/%{name}/atom-beta.profile | ||
116 | %{_sysconfdir}/%{name}/atom.profile | ||
117 | %{_sysconfdir}/%{name}/atril.profile | ||
118 | %{_sysconfdir}/%{name}/audacious.profile | ||
119 | %{_sysconfdir}/%{name}/audacity.profile | ||
120 | %{_sysconfdir}/%{name}/aweather.profile | ||
121 | %{_sysconfdir}/%{name}/bitlbee.profile | ||
122 | %{_sysconfdir}/%{name}/brave.profile | ||
123 | %{_sysconfdir}/%{name}/cherrytree.profile | ||
124 | %{_sysconfdir}/%{name}/chromium-browser.profile | ||
125 | %{_sysconfdir}/%{name}/chromium.profile | ||
126 | %{_sysconfdir}/%{name}/clementine.profile | ||
127 | %{_sysconfdir}/%{name}/cmus.profile | ||
128 | %{_sysconfdir}/%{name}/conkeror.profile | ||
129 | %{_sysconfdir}/%{name}/corebird.profile | ||
130 | %{_sysconfdir}/%{name}/cpio.profile | ||
131 | %{_sysconfdir}/%{name}/cyberfox.profile | ||
132 | %{_sysconfdir}/%{name}/Cyberfox.profile | ||
133 | %{_sysconfdir}/%{name}/deadbeef.profile | ||
134 | %{_sysconfdir}/%{name}/default.profile | ||
135 | %{_sysconfdir}/%{name}/deluge.profile | ||
136 | %{_sysconfdir}/%{name}/dillo.profile | ||
137 | %{_sysconfdir}/%{name}/disable-common.inc | ||
138 | %{_sysconfdir}/%{name}/disable-devel.inc | ||
139 | %{_sysconfdir}/%{name}/disable-passwdmgr.inc | ||
140 | %{_sysconfdir}/%{name}/disable-programs.inc | ||
141 | %{_sysconfdir}/%{name}/dnscrypt-proxy.profile | ||
142 | %{_sysconfdir}/%{name}/dnsmasq.profile | ||
143 | %{_sysconfdir}/%{name}/dosbox.profile | ||
144 | %{_sysconfdir}/%{name}/dropbox.profile | ||
145 | %{_sysconfdir}/%{name}/empathy.profile | ||
146 | %{_sysconfdir}/%{name}/eom.profile | ||
147 | %{_sysconfdir}/%{name}/epiphany.profile | ||
148 | %{_sysconfdir}/%{name}/evince.profile | ||
149 | %{_sysconfdir}/%{name}/fbreader.profile | ||
150 | %{_sysconfdir}/%{name}/file.profile | ||
151 | %{_sysconfdir}/%{name}/filezilla.profile | ||
152 | %{_sysconfdir}/%{name}/firefox-esr.profile | ||
153 | %{_sysconfdir}/%{name}/firefox.profile | ||
154 | %config(noreplace) %{_sysconfdir}/%{name}/firejail.config | ||
155 | %{_sysconfdir}/%{name}/flashpeak-slimjet.profile | ||
156 | %{_sysconfdir}/%{name}/franz.profile | ||
157 | %{_sysconfdir}/%{name}/gajim.profile | ||
158 | %{_sysconfdir}/%{name}/gitter.profile | ||
159 | %{_sysconfdir}/%{name}/gnome-chess.profile | ||
160 | %{_sysconfdir}/%{name}/gnome-mplayer.profile | ||
161 | %{_sysconfdir}/%{name}/google-chrome-beta.profile | ||
162 | %{_sysconfdir}/%{name}/google-chrome.profile | ||
163 | %{_sysconfdir}/%{name}/google-chrome-stable.profile | ||
164 | %{_sysconfdir}/%{name}/google-chrome-unstable.profile | ||
165 | %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile | ||
166 | %{_sysconfdir}/%{name}/gpredict.profile | ||
167 | %{_sysconfdir}/%{name}/gtar.profile | ||
168 | %{_sysconfdir}/%{name}/gthumb.profile | ||
169 | %{_sysconfdir}/%{name}/gwenview.profile | ||
170 | %{_sysconfdir}/%{name}/gzip.profile | ||
171 | %{_sysconfdir}/%{name}/hedgewars.profile | ||
172 | %{_sysconfdir}/%{name}/hexchat.profile | ||
173 | %{_sysconfdir}/%{name}/icecat.profile | ||
174 | %{_sysconfdir}/%{name}/icedove.profile | ||
175 | %{_sysconfdir}/%{name}/iceweasel.profile | ||
176 | %{_sysconfdir}/%{name}/inox.profile | ||
177 | %{_sysconfdir}/%{name}/jitsi.profile | ||
178 | %{_sysconfdir}/%{name}/kmail.profile | ||
179 | %{_sysconfdir}/%{name}/konversation.profile | ||
180 | %{_sysconfdir}/%{name}/less.profile | ||
181 | %{_sysconfdir}/%{name}/libreoffice.profile | ||
182 | %{_sysconfdir}/%{name}/localc.profile | ||
183 | %{_sysconfdir}/%{name}/lodraw.profile | ||
184 | %{_sysconfdir}/%{name}/loffice.profile | ||
185 | %{_sysconfdir}/%{name}/lofromtemplate.profile | ||
186 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | ||
187 | %{_sysconfdir}/%{name}/loimpress.profile | ||
188 | %{_sysconfdir}/%{name}/lomath.profile | ||
189 | %{_sysconfdir}/%{name}/loweb.profile | ||
190 | %{_sysconfdir}/%{name}/lowriter.profile | ||
191 | %{_sysconfdir}/%{name}/mathematica.profile | ||
192 | %{_sysconfdir}/%{name}/Mathematica.profile | ||
193 | %{_sysconfdir}/%{name}/mcabber.profile | ||
194 | %{_sysconfdir}/%{name}/midori.profile | ||
195 | %{_sysconfdir}/%{name}/mpv.profile | ||
196 | %{_sysconfdir}/%{name}/mupen64plus.profile | ||
197 | %{_sysconfdir}/%{name}/netsurf.profile | ||
198 | %{_sysconfdir}/%{name}/nolocal.net | ||
199 | %{_sysconfdir}/%{name}/okular.profile | ||
200 | %{_sysconfdir}/%{name}/openbox.profile | ||
201 | %{_sysconfdir}/%{name}/opera-beta.profile | ||
202 | %{_sysconfdir}/%{name}/opera.profile | ||
203 | %{_sysconfdir}/%{name}/palemoon.profile | ||
204 | %{_sysconfdir}/%{name}/parole.profile | ||
205 | %{_sysconfdir}/%{name}/pidgin.profile | ||
206 | %{_sysconfdir}/%{name}/pix.profile | ||
207 | %{_sysconfdir}/%{name}/polari.profile | ||
208 | %{_sysconfdir}/%{name}/psi-plus.profile | ||
209 | %{_sysconfdir}/%{name}/qbittorrent.profile | ||
210 | %{_sysconfdir}/%{name}/qtox.profile | ||
211 | %{_sysconfdir}/%{name}/quassel.profile | ||
212 | %{_sysconfdir}/%{name}/quiterss.profile | ||
213 | %{_sysconfdir}/%{name}/qutebrowser.profile | ||
214 | %{_sysconfdir}/%{name}/rhythmbox.profile | ||
215 | %{_sysconfdir}/%{name}/rtorrent.profile | ||
216 | %{_sysconfdir}/%{name}/seamonkey-bin.profile | ||
217 | %{_sysconfdir}/%{name}/seamonkey.profile | ||
218 | %{_sysconfdir}/%{name}/server.profile | ||
219 | %{_sysconfdir}/%{name}/skypeforlinux.profile | ||
220 | %{_sysconfdir}/%{name}/skype.profile | ||
221 | %{_sysconfdir}/%{name}/slack.profile | ||
222 | %{_sysconfdir}/%{name}/snap.profile | ||
223 | %{_sysconfdir}/%{name}/soffice.profile | ||
224 | %{_sysconfdir}/%{name}/spotify.profile | ||
225 | %{_sysconfdir}/%{name}/ssh.profile | ||
226 | %{_sysconfdir}/%{name}/steam.profile | ||
227 | %{_sysconfdir}/%{name}/stellarium.profile | ||
228 | %{_sysconfdir}/%{name}/strings.profile | ||
229 | %{_sysconfdir}/%{name}/tar.profile | ||
230 | %{_sysconfdir}/%{name}/telegram.profile | ||
231 | %{_sysconfdir}/%{name}/Telegram.profile | ||
232 | %{_sysconfdir}/%{name}/thunderbird.profile | ||
233 | %{_sysconfdir}/%{name}/totem.profile | ||
234 | %{_sysconfdir}/%{name}/transmission-gtk.profile | ||
235 | %{_sysconfdir}/%{name}/transmission-qt.profile | ||
236 | %{_sysconfdir}/%{name}/uget-gtk.profile | ||
237 | %{_sysconfdir}/%{name}/unbound.profile | ||
238 | %{_sysconfdir}/%{name}/unrar.profile | ||
239 | %{_sysconfdir}/%{name}/unzip.profile | ||
240 | %{_sysconfdir}/%{name}/uudeview.profile | ||
241 | %{_sysconfdir}/%{name}/vivaldi-beta.profile | ||
242 | %{_sysconfdir}/%{name}/vivaldi.profile | ||
243 | %{_sysconfdir}/%{name}/vlc.profile | ||
244 | %{_sysconfdir}/%{name}/warzone2100.profile | ||
245 | %{_sysconfdir}/%{name}/webserver.net | ||
246 | %{_sysconfdir}/%{name}/weechat-curses.profile | ||
247 | %{_sysconfdir}/%{name}/weechat.profile | ||
248 | %{_sysconfdir}/%{name}/wesnoth.profile | ||
249 | %{_sysconfdir}/%{name}/whitelist-common.inc | ||
250 | %{_sysconfdir}/%{name}/wine.profile | ||
251 | %{_sysconfdir}/%{name}/xchat.profile | ||
252 | %{_sysconfdir}/%{name}/xplayer.profile | ||
253 | %{_sysconfdir}/%{name}/xreader.profile | ||
254 | %{_sysconfdir}/%{name}/xviewer.profile | ||
255 | %{_sysconfdir}/%{name}/xzdec.profile | ||
256 | %{_sysconfdir}/%{name}/xz.profile | ||
257 | %{_sysconfdir}/%{name}/zathura.profile | ||
258 | %{_sysconfdir}/%{name}/7z.profile | ||
259 | %{_sysconfdir}/%{name}/keepass.profile | ||
260 | %{_sysconfdir}/%{name}/keepassx.profile | ||
261 | %{_sysconfdir}/%{name}/claws-mail.profile | ||
262 | %{_sysconfdir}/%{name}/mutt.profile | ||
263 | %{_sysconfdir}/%{name}/git.profile | ||
264 | %{_sysconfdir}/%{name}/emacs.profile | ||
265 | %{_sysconfdir}/%{name}/vim.profile | ||
266 | %{_sysconfdir}/%{name}/xpdf.profile | ||
267 | %{_sysconfdir}/%{name}/virtualbox.profile | ||
268 | %{_sysconfdir}/%{name}/openshot.profile | ||
269 | %{_sysconfdir}/%{name}/flowblade.profile | ||
270 | %{_sysconfdir}/%{name}/eog.profile | ||
271 | %{_sysconfdir}/%{name}/evolution.profile | ||
272 | %{_sysconfdir}/%{name}/feh.profile | ||
273 | %{_sysconfdir}/%{name}/inkscape.profile | ||
274 | %{_sysconfdir}/%{name}/gimp.profile | ||
275 | %{_sysconfdir}/%{name}/luminance-hdr.profile | ||
276 | %{_sysconfdir}/%{name}/mupdf.profile | ||
277 | %{_sysconfdir}/%{name}/qpdfview.profile | ||
278 | %{_sysconfdir}/%{name}/ranger.profile | ||
279 | %{_sysconfdir}/%{name}/synfigstudio.profile | ||
280 | # 0.9.45 | ||
281 | %{_sysconfdir}/%{name}/Cryptocat.profile | ||
282 | %{_sysconfdir}/%{name}/FossaMail.profile | ||
283 | %{_sysconfdir}/%{name}/Thunar.profile | ||
284 | %{_sysconfdir}/%{name}/VirtualBox.profile | ||
285 | %{_sysconfdir}/%{name}/Wire.profile | ||
286 | %{_sysconfdir}/%{name}/amarok.profile | ||
287 | %{_sysconfdir}/%{name}/ark.profile | ||
288 | %{_sysconfdir}/%{name}/atool.profile | ||
289 | %{_sysconfdir}/%{name}/bleachbit.profile | ||
290 | %{_sysconfdir}/%{name}/bless.profile | ||
291 | %{_sysconfdir}/%{name}/brasero.profile | ||
292 | %{_sysconfdir}/%{name}/cryptocat.profile | ||
293 | %{_sysconfdir}/%{name}/cvlc.profile | ||
294 | %{_sysconfdir}/%{name}/display.profile | ||
295 | %{_sysconfdir}/%{name}/dolphin.profile | ||
296 | %{_sysconfdir}/%{name}/dragon.profile | ||
297 | %{_sysconfdir}/%{name}/elinks.profile | ||
298 | %{_sysconfdir}/%{name}/enchant.profile | ||
299 | %{_sysconfdir}/%{name}/engrampa.profile | ||
300 | %{_sysconfdir}/%{name}/exiftool.profile | ||
301 | %{_sysconfdir}/%{name}/file-roller.profile | ||
302 | %{_sysconfdir}/%{name}/fossamail.profile | ||
303 | %{_sysconfdir}/%{name}/gedit.profile | ||
304 | %{_sysconfdir}/%{name}/geeqie.profile | ||
305 | %{_sysconfdir}/%{name}/gjs.profile | ||
306 | %{_sysconfdir}/%{name}/gnome-2048.profile | ||
307 | %{_sysconfdir}/%{name}/gnome-books.profile | ||
308 | %{_sysconfdir}/%{name}/gnome-calculator.profile | ||
309 | %{_sysconfdir}/%{name}/gnome-clocks.profile | ||
310 | %{_sysconfdir}/%{name}/gnome-contacts.profile | ||
311 | %{_sysconfdir}/%{name}/gnome-documents.profile | ||
312 | %{_sysconfdir}/%{name}/gnome-maps.profile | ||
313 | %{_sysconfdir}/%{name}/gnome-music.profile | ||
314 | %{_sysconfdir}/%{name}/gnome-photos.profile | ||
315 | %{_sysconfdir}/%{name}/gnome-weather.profile | ||
316 | %{_sysconfdir}/%{name}/goobox.profile | ||
317 | %{_sysconfdir}/%{name}/gpa.profile | ||
318 | %{_sysconfdir}/%{name}/gpg-agent.profile | ||
319 | %{_sysconfdir}/%{name}/gpg.profile | ||
320 | %{_sysconfdir}/%{name}/gpicview.profile | ||
321 | %{_sysconfdir}/%{name}/guayadeque.profile | ||
322 | %{_sysconfdir}/%{name}/highlight.profile | ||
323 | %{_sysconfdir}/%{name}/img2txt.profile | ||
324 | %{_sysconfdir}/%{name}/iridium-browser.profile | ||
325 | %{_sysconfdir}/%{name}/iridium.profile | ||
326 | %{_sysconfdir}/%{name}/jd-gui.profile | ||
327 | %{_sysconfdir}/%{name}/k3b.profile | ||
328 | %{_sysconfdir}/%{name}/kate.profile | ||
329 | %{_sysconfdir}/%{name}/keepass2.profile | ||
330 | %{_sysconfdir}/%{name}/keepassx2.profile | ||
331 | %{_sysconfdir}/%{name}/keepassxc.profile | ||
332 | %{_sysconfdir}/%{name}/kino.profile | ||
333 | %{_sysconfdir}/%{name}/lollypop.profile | ||
334 | %{_sysconfdir}/%{name}/lynx.profile | ||
335 | %{_sysconfdir}/%{name}/mediainfo.profile | ||
336 | %{_sysconfdir}/%{name}/mediathekview.profile | ||
337 | %{_sysconfdir}/%{name}/mousepad.profile | ||
338 | %{_sysconfdir}/%{name}/multimc5.profile | ||
339 | %{_sysconfdir}/%{name}/mumble.profile | ||
340 | %{_sysconfdir}/%{name}/nautilus.profile | ||
341 | %{_sysconfdir}/%{name}/odt2txt.profile | ||
342 | %{_sysconfdir}/%{name}/pdfsam.profile | ||
343 | %{_sysconfdir}/%{name}/pdftotext.profile | ||
344 | %{_sysconfdir}/%{name}/pithos.profile | ||
345 | %{_sysconfdir}/%{name}/pluma.profile | ||
346 | %{_sysconfdir}/%{name}/qemu-launcher.profile | ||
347 | %{_sysconfdir}/%{name}/qemu-system-x86_64.profile | ||
348 | %{_sysconfdir}/%{name}/qupzilla.profile | ||
349 | %{_sysconfdir}/%{name}/scribus.profile | ||
350 | %{_sysconfdir}/%{name}/simple-scan.profile | ||
351 | %{_sysconfdir}/%{name}/skanlite.profile | ||
352 | %{_sysconfdir}/%{name}/ssh-agent.profile | ||
353 | %{_sysconfdir}/%{name}/start-tor-browser.profile | ||
354 | %{_sysconfdir}/%{name}/thunar.profile | ||
355 | %{_sysconfdir}/%{name}/tracker.profile | ||
356 | %{_sysconfdir}/%{name}/transmission-cli.profile | ||
357 | %{_sysconfdir}/%{name}/transmission-show.profile | ||
358 | %{_sysconfdir}/%{name}/uzbl-browser.profile | ||
359 | %{_sysconfdir}/%{name}/vivaldi-stable.profile | ||
360 | %{_sysconfdir}/%{name}/w3m.profile | ||
361 | %{_sysconfdir}/%{name}/wget.profile | ||
362 | %{_sysconfdir}/%{name}/wire.profile | ||
363 | %{_sysconfdir}/%{name}/wireshark.profile | ||
364 | %{_sysconfdir}/%{name}/xed.profile | ||
365 | %{_sysconfdir}/%{name}/xfburn.profile | ||
366 | %{_sysconfdir}/%{name}/xiphos.profile | ||
367 | %{_sysconfdir}/%{name}/xmms.profile | ||
368 | %{_sysconfdir}/%{name}/xonotic-glx.profile | ||
369 | %{_sysconfdir}/%{name}/xonotic-sdl.profile | ||
370 | %{_sysconfdir}/%{name}/xonotic.profile | ||
371 | %{_sysconfdir}/%{name}/xpra.profile | ||
372 | %{_sysconfdir}/%{name}/zoom.profile | ||
373 | %{_sysconfdir}/%{name}/2048-qt.profile | ||
374 | %{_sysconfdir}/%{name}/Xephyr.profile | ||
375 | %{_sysconfdir}/%{name}/Xvfb.profile | ||
376 | %{_sysconfdir}/%{name}/akregator.profile | ||
377 | %{_sysconfdir}/%{name}/arduino.profile | ||
378 | %{_sysconfdir}/%{name}/baloo_file.profile | ||
379 | %{_sysconfdir}/%{name}/bibletime.profile | ||
380 | %{_sysconfdir}/%{name}/blender.profile | ||
381 | %{_sysconfdir}/%{name}/caja.profile | ||
382 | %{_sysconfdir}/%{name}/clipit.profile | ||
383 | %{_sysconfdir}/%{name}/dia.profile | ||
384 | %{_sysconfdir}/%{name}/dino.profile | ||
385 | %{_sysconfdir}/%{name}/fontforge.profile | ||
386 | %{_sysconfdir}/%{name}/galculator.profile | ||
387 | %{_sysconfdir}/%{name}/geany.profile | ||
388 | %{_sysconfdir}/%{name}/gimp-2.8.profile | ||
389 | %{_sysconfdir}/%{name}/globaltime.profile | ||
390 | %{_sysconfdir}/%{name}/gnome-font-viewer.profile | ||
391 | %{_sysconfdir}/%{name}/gucharmap.profile | ||
392 | %{_sysconfdir}/%{name}/hugin.profile | ||
393 | %{_sysconfdir}/%{name}/kcalc.profile | ||
394 | %{_sysconfdir}/%{name}/knotes.profile | ||
395 | %{_sysconfdir}/%{name}/kodi.profile | ||
396 | %{_sysconfdir}/%{name}/ktorrent.profile | ||
397 | %{_sysconfdir}/%{name}/leafpad.profile | ||
398 | %{_sysconfdir}/%{name}/lximage-qt.profile | ||
399 | %{_sysconfdir}/%{name}/lxmusic.profile | ||
400 | %{_sysconfdir}/%{name}/mate-calc.profile | ||
401 | %{_sysconfdir}/%{name}/mate-calculator.profile | ||
402 | %{_sysconfdir}/%{name}/mate-color-select.profile | ||
403 | %{_sysconfdir}/%{name}/mate-dictionary.profile | ||
404 | %{_sysconfdir}/%{name}/meld.profile | ||
405 | %{_sysconfdir}/%{name}/nemo.profile | ||
406 | %{_sysconfdir}/%{name}/nylas.profile | ||
407 | %{_sysconfdir}/%{name}/orage.profile | ||
408 | %{_sysconfdir}/%{name}/pcmanfm.profile | ||
409 | %{_sysconfdir}/%{name}/qlipper.profile | ||
410 | %{_sysconfdir}/%{name}/ristretto.profile | ||
411 | %{_sysconfdir}/%{name}/viewnior.profile | ||
412 | %{_sysconfdir}/%{name}/viking.profile | ||
413 | %{_sysconfdir}/%{name}/xfce4-dict.profile | ||
414 | %{_sysconfdir}/%{name}/xfce4-notes.profile | ||
415 | %{_sysconfdir}/%{name}/youtube-dl.profile | ||
416 | %{_sysconfdir}/%{name}/catfish.profile | ||
417 | %{_sysconfdir}/%{name}/darktable.profile | ||
418 | %{_sysconfdir}/%{name}/digikam.profile | ||
419 | %{_sysconfdir}/%{name}/handbrake.profile | ||
420 | %{_sysconfdir}/%{name}/vym.profile | ||
421 | %{_sysconfdir}/%{name}/waterfox.profile | ||
422 | # 0.9.49 | ||
423 | %{_sysconfdir}/%{name}/Gitter.profile | ||
424 | %{_sysconfdir}/%{name}/android-studio.profile | ||
425 | %{_sysconfdir}/%{name}/apktool.profile | ||
426 | %{_sysconfdir}/%{name}/arm.profile | ||
427 | %{_sysconfdir}/%{name}/baobab.profile | ||
428 | %{_sysconfdir}/%{name}/calibre.profile | ||
429 | %{_sysconfdir}/%{name}/curl.profile | ||
430 | %{_sysconfdir}/%{name}/dex2jar.profile | ||
431 | %{_sysconfdir}/%{name}/ebook-viewer.profile | ||
432 | %{_sysconfdir}/%{name}/electron.profile | ||
433 | %{_sysconfdir}/%{name}/etr.profile | ||
434 | %{_sysconfdir}/%{name}/firefox-nightly.profile | ||
435 | %{_sysconfdir}/%{name}/frozen-bubble.profile | ||
436 | %{_sysconfdir}/%{name}/geary.profile | ||
437 | %{_sysconfdir}/%{name}/ghb.profile | ||
438 | %{_sysconfdir}/%{name}/gitg.profile | ||
439 | %{_sysconfdir}/%{name}/gnome-twitch.profile | ||
440 | %{_sysconfdir}/%{name}/handbrake-gtk.profile | ||
441 | %{_sysconfdir}/%{name}/hashcat.profile | ||
442 | %{_sysconfdir}/%{name}/idea.sh.profile | ||
443 | %{_sysconfdir}/%{name}/kwrite.profile | ||
444 | %{_sysconfdir}/%{name}/liferea.profile | ||
445 | %{_sysconfdir}/%{name}/mplayer.profile | ||
446 | %{_sysconfdir}/%{name}/musescore.profile | ||
447 | %{_sysconfdir}/%{name}/neverball.profile | ||
448 | %{_sysconfdir}/%{name}/obs.profile | ||
449 | %{_sysconfdir}/%{name}/open-invaders.profile | ||
450 | %{_sysconfdir}/%{name}/peek.profile | ||
451 | %{_sysconfdir}/%{name}/picard.profile | ||
452 | %{_sysconfdir}/%{name}/pingus.profile | ||
453 | %{_sysconfdir}/%{name}/rambox.profile | ||
454 | %{_sysconfdir}/%{name}/remmina.profile | ||
455 | %{_sysconfdir}/%{name}/riot-web.profile | ||
456 | %{_sysconfdir}/%{name}/sdat2img.profile | ||
457 | %{_sysconfdir}/%{name}/silentarmy.profile | ||
458 | %{_sysconfdir}/%{name}/simutrans.profile | ||
459 | %{_sysconfdir}/%{name}/smplayer.profile | ||
460 | %{_sysconfdir}/%{name}/soundconverter.profile | ||
461 | %{_sysconfdir}/%{name}/sqlitebrowser.profile | ||
462 | %{_sysconfdir}/%{name}/supertux2.profile | ||
463 | %{_sysconfdir}/%{name}/telegram-desktop.profile | ||
464 | %{_sysconfdir}/%{name}/torbrowser-launcher.profile | ||
465 | %{_sysconfdir}/%{name}/truecraft.profile | ||
466 | %{_sysconfdir}/%{name}/tuxguitar.profile | ||
467 | %{_sysconfdir}/%{name}/unknown-horizons.profile | ||
468 | %{_sysconfdir}/%{name}/wireshark-gtk.profile | ||
469 | %{_sysconfdir}/%{name}/wireshark-qt.profile | ||
470 | %{_sysconfdir}/%{name}/itch.profile | ||
471 | %{_sysconfdir}/%{name}/minetest.profile | ||
472 | %{_sysconfdir}/%{name}/yandex-browser.profile | ||
473 | # 0.9.52 | ||
474 | %{_sysconfdir}/%{name}/Natron.profile | ||
475 | %{_sysconfdir}/%{name}/Viber.profile | ||
476 | %{_sysconfdir}/%{name}/amule.profile | ||
477 | %{_sysconfdir}/%{name}/arch-audit.profile | ||
478 | %{_sysconfdir}/%{name}/ardour4.profile | ||
479 | %{_sysconfdir}/%{name}/ardour5.profile | ||
480 | %{_sysconfdir}/%{name}/bluefish.profile | ||
481 | %{_sysconfdir}/%{name}/brackets.profile | ||
482 | %{_sysconfdir}/%{name}/calligra.profile | ||
483 | %{_sysconfdir}/%{name}/calligraauthor.profile | ||
484 | %{_sysconfdir}/%{name}/calligraconverter.profile | ||
485 | %{_sysconfdir}/%{name}/calligraflow.profile | ||
486 | %{_sysconfdir}/%{name}/calligraplan.profile | ||
487 | %{_sysconfdir}/%{name}/calligraplanwork.profile | ||
488 | %{_sysconfdir}/%{name}/calligrasheets.profile | ||
489 | %{_sysconfdir}/%{name}/calligrastage.profile | ||
490 | %{_sysconfdir}/%{name}/calligrawords.profile | ||
491 | %{_sysconfdir}/%{name}/cin.profile | ||
492 | %{_sysconfdir}/%{name}/cinelerra.profile | ||
493 | %{_sysconfdir}/%{name}/clamav.profile | ||
494 | %{_sysconfdir}/%{name}/clamdscan.profile | ||
495 | %{_sysconfdir}/%{name}/clamdtop.profile | ||
496 | %{_sysconfdir}/%{name}/clamscan.profile | ||
497 | %{_sysconfdir}/%{name}/cliqz.profile | ||
498 | %{_sysconfdir}/%{name}/conky.profile | ||
499 | %{_sysconfdir}/%{name}/dooble-qt4.profile | ||
500 | %{_sysconfdir}/%{name}/dooble.profile | ||
501 | %{_sysconfdir}/%{name}/fetchmail.profile | ||
502 | %{_sysconfdir}/%{name}/ffmpeg.profile | ||
503 | %{_sysconfdir}/%{name}/freecad.profile | ||
504 | %{_sysconfdir}/%{name}/freecadcmd.profile | ||
505 | %{_sysconfdir}/%{name}/freshclam.profile | ||
506 | %{_sysconfdir}/%{name}/google-earth.profile | ||
507 | %{_sysconfdir}/%{name}/imagej.profile | ||
508 | %{_sysconfdir}/%{name}/karbon.profile | ||
509 | %{_sysconfdir}/%{name}/kdenlive.profile | ||
510 | %{_sysconfdir}/%{name}/krita.profile | ||
511 | %{_sysconfdir}/%{name}/linphone.profile | ||
512 | %{_sysconfdir}/%{name}/lmms.profile | ||
513 | %{_sysconfdir}/%{name}/macrofusion.profile | ||
514 | %{_sysconfdir}/%{name}/mpd.profile | ||
515 | %{_sysconfdir}/%{name}/natron.profile | ||
516 | %{_sysconfdir}/%{name}/openshot-qt.profile | ||
517 | %{_sysconfdir}/%{name}/pinta.profile | ||
518 | %{_sysconfdir}/%{name}/ricochet.profile | ||
519 | %{_sysconfdir}/%{name}/rocketchat.profile | ||
520 | %{_sysconfdir}/%{name}/shotcut.profile | ||
521 | %{_sysconfdir}/%{name}/smtube.profile | ||
522 | %{_sysconfdir}/%{name}/surf.profile | ||
523 | %{_sysconfdir}/%{name}/teamspeak3.profile | ||
524 | %{_sysconfdir}/%{name}/terasology.profile | ||
525 | %{_sysconfdir}/%{name}/tor-browser-en.profile | ||
526 | %{_sysconfdir}/%{name}/tor.profile | ||
527 | %{_sysconfdir}/%{name}/uefitool.profile | ||
528 | %{_sysconfdir}/%{name}/whitelist-var-common.inc | ||
529 | %{_sysconfdir}/%{name}/x-terminal-emulator.profile | ||
530 | %{_sysconfdir}/%{name}/xmr-stak-cpu.profile | ||
531 | %{_sysconfdir}/%{name}/zart.profile | ||
532 | %{_sysconfdir}/%{name}/aosp.profile | ||
533 | %{_sysconfdir}/%{name}/archaudit-report.profile | ||
534 | %{_sysconfdir}/%{name}/bnox.profile | ||
535 | %{_sysconfdir}/%{name}/bsdtar.profile | ||
536 | %{_sysconfdir}/%{name}/cower.profile | ||
537 | %{_sysconfdir}/%{name}/dnox.profile | ||
538 | %{_sysconfdir}/%{name}/enpass.profile | ||
539 | %{_sysconfdir}/%{name}/gnome-ring.profile | ||
540 | %{_sysconfdir}/%{name}/kdeinit4.profile | ||
541 | %{_sysconfdir}/%{name}/kget.profile | ||
542 | %{_sysconfdir}/%{name}/kopete.profile | ||
543 | %{_sysconfdir}/%{name}/krunner.profile | ||
544 | %{_sysconfdir}/%{name}/kwin_x11.profile | ||
545 | %{_sysconfdir}/%{name}/makepkg.profile | ||
546 | %{_sysconfdir}/%{name}/nheko.profile | ||
547 | %{_sysconfdir}/%{name}/pdfmod.profile | ||
548 | %{_sysconfdir}/%{name}/ping.profile | ||
549 | %{_sysconfdir}/%{name}/runenpass.sh.profile | ||
550 | %{_sysconfdir}/%{name}/signal-desktop.profile | ||
551 | %{_sysconfdir}/%{name}/tcpserver.net | ||
552 | %{_sysconfdir}/%{name}/xcalc.profile | ||
553 | %{_sysconfdir}/%{name}/zaproxy.profile | ||
554 | |||
555 | /usr/bin/firejail | ||
556 | /usr/bin/firemon | ||
557 | /usr/bin/firecfg | ||
558 | |||
559 | /usr/lib/firejail/libtrace.so | ||
560 | /usr/lib/firejail/libtracelog.so | ||
561 | /usr/lib/firejail/libpostexecseccomp.so | ||
562 | /usr/lib/firejail/faudit | ||
563 | /usr/lib/firejail/ftee | ||
564 | /usr/lib/firejail/fbuilder | ||
565 | /usr/lib/firejail/firecfg.config | ||
566 | /usr/lib/firejail/fshaper.sh | ||
567 | /usr/lib/firejail/fcopy | ||
568 | /usr/lib/firejail/fgit-install.sh | ||
569 | /usr/lib/firejail/fgit-uninstall.sh | ||
570 | #/usr/lib/firejail/fix_private-bin.py | ||
571 | #/usr/lib/firejail/fjclip.py | ||
572 | #/usr/lib/firejail/fjdisplay.py | ||
573 | #/usr/lib/firejail/fjresize.py | ||
574 | /usr/lib/firejail/fnet | ||
575 | /usr/lib/firejail/fldd | ||
576 | /usr/lib/firejail/fseccomp | ||
577 | /usr/lib/firejail/seccomp | ||
578 | /usr/lib/firejail/seccomp.64 | ||
579 | /usr/lib/firejail/seccomp.debug | ||
580 | /usr/lib/firejail/seccomp.32 | ||
581 | /usr/lib/firejail/seccomp.block_secondary | ||
582 | /usr/lib/firejail/seccomp.mdwx | ||
583 | |||
584 | /usr/share/doc/packages/firejail/COPYING | ||
585 | /usr/share/doc/packages/firejail/README | ||
586 | /usr/share/doc/packages/firejail/RELNOTES | ||
587 | /usr/share/man/man1/firejail.1.gz | ||
588 | /usr/share/man/man1/firemon.1.gz | ||
589 | /usr/share/man/man1/firecfg.1.gz | ||
590 | /usr/share/man/man5/firejail-profile.5.gz | ||
591 | /usr/share/man/man5/firejail-login.5.gz | ||
592 | /usr/share/bash-completion/completions/firejail | ||
593 | /usr/share/bash-completion/completions/firemon | ||
594 | /usr/share/bash-completion/completions/firecfg | ||
595 | |||
596 | %post | ||
597 | chmod u+s /usr/bin/firejail | ||
598 | |||
599 | %changelog | ||
600 | * Tue Dec 12 2017 netblue30 <netblue30@yahoo.com> 0.9.52-1 | ||
601 | |||
602 | * Fri Sep 8 2017 netblue30 <netblue30@yahoo.com> 0.9.50-1 | ||
603 | |||
604 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 | ||
605 | |||
606 | * Mon May 15 2017 netblue30 <netblue30@yahoo.com> 0.9.46-1 | ||
607 | |||
608 | * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1 | ||
609 | - CVE-2016-7545 submitted by Aleksey Manevich | ||
610 | - modifs: removed man firejail-config | ||
611 | - modifs: --private-tmp whitelists /tmp/.X11-unix directory | ||
612 | - modifs: Nvidia drivers added to --private-dev | ||
613 | - modifs: /srv supported by --whitelist | ||
614 | - feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | ||
615 | - feature: support starting/joining sandbox is a single command | ||
616 | (--join-or-start) | ||
617 | - feature: X11 detection support for --audit | ||
618 | - feature: assign a name to the interface connected to the bridge | ||
619 | (--veth-name) | ||
620 | - feature: all user home directories are visible (--allusers) | ||
621 | - feature: add files to sandbox container (--put) | ||
622 | - feature: blocking x11 (--x11=block) | ||
623 | - feature: X11 security extension (--x11=xorg) | ||
624 | - feature: disable 3D hardware acceleration (--no3d) | ||
625 | - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | ||
626 | - feature: move files in sandbox (--put) | ||
627 | - feature: accept wildcard patterns in user name field of restricted | ||
628 | shell login feature | ||
629 | - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | ||
630 | - new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | ||
631 | - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | ||
632 | - new profiles: Flowblade, Eye of GNOME (eog), Evolution | ||
633 | - bugfixes | ||
634 | |||
635 | * Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1 | ||
636 | - security: --whitelist deleted files, submitted by Vasya Novikov | ||
637 | - security: disable x32 ABI in seccomp, submitted by Jann Horn | ||
638 | - security: tighten --chroot, submitted by Jann Horn | ||
639 | - security: terminal sandbox escape, submitted by Stephan Sokolow | ||
640 | - security: several TOCTOU fixes submitted by Aleksey Manevich | ||
641 | - modifs: bringing back --private-home option | ||
642 | - modifs: deprecated --user option, please use "sudo -u username firejail" | ||
643 | - modifs: allow symlinks in home directory for --whitelist option | ||
644 | - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" | ||
645 | - modifs: recursive mkdir | ||
646 | - modifs: include /dev/snd in --private-dev | ||
647 | - modifs: seccomp filter update | ||
648 | - modifs: release archives moved to .xz format | ||
649 | - feature: AppImage support (--appimage) | ||
650 | - feature: AppArmor support (--apparmor) | ||
651 | - feature: Ubuntu snap support (/etc/firejail/snap.profile) | ||
652 | - feature: Sandbox auditing support (--audit) | ||
653 | - feature: remove environment variable (--rmenv) | ||
654 | - feature: noexec support (--noexec) | ||
655 | - feature: clean local overlay storage directory (--overlay-clean) | ||
656 | - feature: store and reuse overlay (--overlay-named) | ||
657 | - feature: allow debugging inside the sandbox with gdb and strace | ||
658 | (--allow-debuggers) | ||
659 | - feature: mkfile profile command | ||
660 | - feature: quiet profile command | ||
661 | - feature: x11 profile command | ||
662 | - feature: option to fix desktop files (firecfg --fix) | ||
663 | - compile time: Busybox support (--enable-busybox-workaround) | ||
664 | - compile time: disable overlayfs (--disable-overlayfs) | ||
665 | - compile time: disable whitelisting (--disable-whitelist) | ||
666 | - compile time: disable global config (--disable-globalcfg) | ||
667 | - run time: enable/disable overlayfs (overlayfs yes/no) | ||
668 | - run time: enable/disable quiet as default (quiet-by-default yes/no) | ||
669 | - run time: user-defined network filter (netfilter-default) | ||
670 | - run time: enable/disable whitelisting (whitelist yes/no) | ||
671 | - run time: enable/disable remounting of /proc and /sys | ||
672 | (remount-proc-sys yes/no) | ||
673 | - run time: enable/disable chroot desktop features (chroot-desktop yes/no) | ||
674 | - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | ||
675 | - profiles: pix, audacity, xz, xzdec, gzip, cpio, less | ||
676 | - profiles: Atom Beta, Atom, jitsi, eom, uudeview | ||
677 | - profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | ||
678 | - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox | ||
679 | - bugfixes | ||
680 | |||
681 | EOF | ||
682 | |||
683 | echo "building rpm" | ||
684 | rpmbuild -ba SPECS/firejail.spec | ||
685 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | ||
686 | cd .. | ||
687 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
688 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | ||
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c deleted file mode 100644 index 8eb61bf78..000000000 --- a/src/firejail/cgroup.c +++ /dev/null | |||
@@ -1,119 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2018 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/stat.h> | ||
22 | |||
23 | #define MAXBUF 4096 | ||
24 | |||
25 | void save_cgroup(void) { | ||
26 | if (cfg.cgroup == NULL) | ||
27 | return; | ||
28 | |||
29 | FILE *fp = fopen(RUN_CGROUP_CFG, "w"); | ||
30 | if (fp) { | ||
31 | fprintf(fp, "%s", cfg.cgroup); | ||
32 | fflush(0); | ||
33 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
34 | if (fclose(fp)) | ||
35 | goto errout; | ||
36 | } | ||
37 | else | ||
38 | goto errout; | ||
39 | |||
40 | return; | ||
41 | |||
42 | errout: | ||
43 | fprintf(stderr, "Error: cannot save cgroup\n"); | ||
44 | exit(1); | ||
45 | } | ||
46 | |||
47 | void load_cgroup(const char *fname) { | ||
48 | if (!fname) | ||
49 | return; | ||
50 | |||
51 | FILE *fp = fopen(fname, "r"); | ||
52 | if (fp) { | ||
53 | char buf[MAXBUF]; | ||
54 | if (fgets(buf, MAXBUF, fp)) { | ||
55 | cfg.cgroup = strdup(buf); | ||
56 | if (!cfg.cgroup) | ||
57 | errExit("strdup"); | ||
58 | } | ||
59 | else | ||
60 | goto errout; | ||
61 | |||
62 | fclose(fp); | ||
63 | return; | ||
64 | } | ||
65 | errout: | ||
66 | fwarning("cannot load control group\n"); | ||
67 | if (fp) | ||
68 | fclose(fp); | ||
69 | } | ||
70 | |||
71 | |||
72 | void set_cgroup(const char *path) { | ||
73 | EUID_ASSERT(); | ||
74 | |||
75 | invalid_filename(path, 0); // no globbing | ||
76 | |||
77 | // path starts with /sys/fs/cgroup | ||
78 | if (strncmp(path, "/sys/fs/cgroup", 14) != 0) | ||
79 | goto errout; | ||
80 | |||
81 | // path ends in tasks | ||
82 | char *ptr = strstr(path, "tasks"); | ||
83 | if (!ptr) | ||
84 | goto errout; | ||
85 | if (*(ptr + 5) != '\0') | ||
86 | goto errout; | ||
87 | |||
88 | // no .. traversal | ||
89 | ptr = strstr(path, ".."); | ||
90 | if (ptr) | ||
91 | goto errout; | ||
92 | |||
93 | // tasks file exists | ||
94 | struct stat s; | ||
95 | if (stat(path, &s) == -1) | ||
96 | goto errout; | ||
97 | |||
98 | // task file belongs to the user running the sandbox | ||
99 | if (s.st_uid != getuid() && s.st_gid != getgid()) | ||
100 | goto errout2; | ||
101 | |||
102 | // add the task to cgroup | ||
103 | /* coverity[toctou] */ | ||
104 | FILE *fp = fopen(path, "a"); | ||
105 | if (!fp) | ||
106 | goto errout; | ||
107 | pid_t pid = getpid(); | ||
108 | int rv = fprintf(fp, "%d\n", pid); | ||
109 | (void) rv; | ||
110 | fclose(fp); | ||
111 | return; | ||
112 | |||
113 | errout: | ||
114 | fprintf(stderr, "Error: invalid cgroup\n"); | ||
115 | exit(1); | ||
116 | errout2: | ||
117 | fprintf(stderr, "Error: you don't have permissions to use this control group\n"); | ||
118 | exit(1); | ||
119 | } | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0cceea17b..430771a13 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -76,17 +76,6 @@ int checkcfg(int val) { | |||
76 | if (!ptr) | 76 | if (!ptr) |
77 | continue; | 77 | continue; |
78 | 78 | ||
79 | #ifndef LTS | ||
80 | // file transfer | ||
81 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | ||
82 | if (strcmp(ptr + 14, "yes") == 0) | ||
83 | cfg_val[CFG_FILE_TRANSFER] = 1; | ||
84 | else if (strcmp(ptr + 14, "no") == 0) | ||
85 | cfg_val[CFG_FILE_TRANSFER] = 0; | ||
86 | else | ||
87 | goto errout; | ||
88 | } | ||
89 | #endif | ||
90 | // dbus | 79 | // dbus |
91 | else if (strncmp(ptr, "dbus ", 5) == 0) { | 80 | else if (strncmp(ptr, "dbus ", 5) == 0) { |
92 | if (strcmp(ptr + 5, "yes") == 0) | 81 | if (strcmp(ptr + 5, "yes") == 0) |
@@ -105,17 +94,6 @@ int checkcfg(int val) { | |||
105 | else | 94 | else |
106 | goto errout; | 95 | goto errout; |
107 | } | 96 | } |
108 | #ifndef LTS | ||
109 | // x11 | ||
110 | else if (strncmp(ptr, "x11 ", 4) == 0) { | ||
111 | if (strcmp(ptr + 4, "yes") == 0) | ||
112 | cfg_val[CFG_X11] = 1; | ||
113 | else if (strcmp(ptr + 4, "no") == 0) | ||
114 | cfg_val[CFG_X11] = 0; | ||
115 | else | ||
116 | goto errout; | ||
117 | } | ||
118 | #endif | ||
119 | // apparmor | 97 | // apparmor |
120 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | 98 | else if (strncmp(ptr, "apparmor ", 9) == 0) { |
121 | if (strcmp(ptr + 9, "yes") == 0) | 99 | if (strcmp(ptr + 9, "yes") == 0) |
@@ -143,17 +121,6 @@ int checkcfg(int val) { | |||
143 | else | 121 | else |
144 | goto errout; | 122 | goto errout; |
145 | } | 123 | } |
146 | #ifndef LTS | ||
147 | // chroot | ||
148 | else if (strncmp(ptr, "chroot ", 7) == 0) { | ||
149 | if (strcmp(ptr + 7, "yes") == 0) | ||
150 | cfg_val[CFG_CHROOT] = 1; | ||
151 | else if (strcmp(ptr + 7, "no") == 0) | ||
152 | cfg_val[CFG_CHROOT] = 0; | ||
153 | else | ||
154 | goto errout; | ||
155 | } | ||
156 | #endif | ||
157 | // prompt | 124 | // prompt |
158 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { | 125 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { |
159 | if (strcmp(ptr + 16, "yes") == 0) | 126 | if (strcmp(ptr + 16, "yes") == 0) |
@@ -241,70 +208,6 @@ int checkcfg(int val) { | |||
241 | if (arg_debug) | 208 | if (arg_debug) |
242 | printf("netfilter default file %s\n", fname); | 209 | printf("netfilter default file %s\n", fname); |
243 | } | 210 | } |
244 | |||
245 | #ifndef LTS | ||
246 | // Xephyr screen size | ||
247 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | ||
248 | // expecting two numbers and an x between them | ||
249 | int n1; | ||
250 | int n2; | ||
251 | int rv = sscanf(ptr + 14, "%dx%d", &n1, &n2); | ||
252 | if (rv != 2) | ||
253 | goto errout; | ||
254 | if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) | ||
255 | errExit("asprintf"); | ||
256 | } | ||
257 | |||
258 | // xephyr window title | ||
259 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | ||
260 | if (strcmp(ptr + 20, "yes") == 0) | ||
261 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; | ||
262 | else if (strcmp(ptr + 20, "no") == 0) | ||
263 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; | ||
264 | else | ||
265 | goto errout; | ||
266 | } | ||
267 | |||
268 | // Xephyr command extra parameters | ||
269 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { | ||
270 | if (*xephyr_extra_params != '\0') | ||
271 | goto errout; | ||
272 | xephyr_extra_params = strdup(ptr + 20); | ||
273 | if (!xephyr_extra_params) | ||
274 | errExit("strdup"); | ||
275 | } | ||
276 | |||
277 | // xpra server extra parameters | ||
278 | else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) { | ||
279 | if (*xpra_extra_params != '\0') | ||
280 | goto errout; | ||
281 | xpra_extra_params = strdup(ptr + 18); | ||
282 | if (!xpra_extra_params) | ||
283 | errExit("strdup"); | ||
284 | } | ||
285 | |||
286 | // Xvfb screen size | ||
287 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { | ||
288 | // expecting three numbers separated by x's | ||
289 | unsigned int n1; | ||
290 | unsigned int n2; | ||
291 | unsigned int n3; | ||
292 | int rv = sscanf(ptr + 12, "%ux%ux%u", &n1, &n2, &n3); | ||
293 | if (rv != 3) | ||
294 | goto errout; | ||
295 | if (asprintf(&xvfb_screen, "%ux%ux%u", n1, n2, n3) == -1) | ||
296 | errExit("asprintf"); | ||
297 | } | ||
298 | |||
299 | // Xvfb extra parameters | ||
300 | else if (strncmp(ptr, "xvfb-extra-params ", 18) == 0) { | ||
301 | if (*xvfb_extra_params != '\0') | ||
302 | goto errout; | ||
303 | xvfb_extra_params = strdup(ptr + 18); | ||
304 | if (!xvfb_extra_params) | ||
305 | errExit("strdup"); | ||
306 | } | ||
307 | #endif | ||
308 | // quiet by default | 211 | // quiet by default |
309 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { | 212 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { |
310 | if (strcmp(ptr + 17, "yes") == 0) | 213 | if (strcmp(ptr + 17, "yes") == 0) |
@@ -314,40 +217,6 @@ int checkcfg(int val) { | |||
314 | else | 217 | else |
315 | goto errout; | 218 | goto errout; |
316 | } | 219 | } |
317 | #ifndef LTS | ||
318 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | ||
319 | if (strcmp(ptr + 10, "yes") == 0) | ||
320 | cfg_val[CFG_OVERLAYFS] = 1; | ||
321 | else if (strcmp(ptr + 10, "no") == 0) | ||
322 | cfg_val[CFG_OVERLAYFS] = 0; | ||
323 | else | ||
324 | goto errout; | ||
325 | } | ||
326 | else if (strncmp(ptr, "private-home ", 13) == 0) { | ||
327 | if (strcmp(ptr + 13, "yes") == 0) | ||
328 | cfg_val[CFG_PRIVATE_HOME] = 1; | ||
329 | else if (strcmp(ptr + 13, "no") == 0) | ||
330 | cfg_val[CFG_PRIVATE_HOME] = 0; | ||
331 | else | ||
332 | goto errout; | ||
333 | } | ||
334 | else if (strncmp(ptr, "private-lib ", 12) == 0) { | ||
335 | if (strcmp(ptr + 12, "yes") == 0) | ||
336 | cfg_val[CFG_PRIVATE_LIB] = 1; | ||
337 | else if (strcmp(ptr + 12, "no") == 0) | ||
338 | cfg_val[CFG_PRIVATE_LIB] = 0; | ||
339 | else | ||
340 | goto errout; | ||
341 | } | ||
342 | else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { | ||
343 | if (strcmp(ptr + 21, "yes") == 0) | ||
344 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; | ||
345 | else if (strcmp(ptr + 21, "no") == 0) | ||
346 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | ||
347 | else | ||
348 | goto errout; | ||
349 | } | ||
350 | #endif | ||
351 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | 220 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { |
352 | if (strcmp(ptr + 12, "yes") == 0) | 221 | if (strcmp(ptr + 12, "yes") == 0) |
353 | cfg_val[CFG_DISABLE_MNT] = 1; | 222 | cfg_val[CFG_DISABLE_MNT] = 1; |
@@ -363,17 +232,6 @@ int checkcfg(int val) { | |||
363 | goto errout; | 232 | goto errout; |
364 | cfg_val[CFG_ARP_PROBES] = arp_probes; | 233 | cfg_val[CFG_ARP_PROBES] = arp_probes; |
365 | } | 234 | } |
366 | #ifndef LTS | ||
367 | // xpra-attach | ||
368 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { | ||
369 | if (strcmp(ptr + 12, "yes") == 0) | ||
370 | cfg_val[CFG_XPRA_ATTACH] = 1; | ||
371 | else if (strcmp(ptr + 12, "no") == 0) | ||
372 | cfg_val[CFG_XPRA_ATTACH] = 0; | ||
373 | else | ||
374 | goto errout; | ||
375 | } | ||
376 | #endif | ||
377 | else | 235 | else |
378 | goto errout; | 236 | goto errout; |
379 | 237 | ||
@@ -421,22 +279,6 @@ void print_compiletime_support(void) { | |||
421 | #endif | 279 | #endif |
422 | ); | 280 | ); |
423 | 281 | ||
424 | printf("\t- bind support is %s\n", | ||
425 | #ifdef HAVE_BIND | ||
426 | "enabled" | ||
427 | #else | ||
428 | "disabled" | ||
429 | #endif | ||
430 | ); | ||
431 | |||
432 | printf("\t- chroot support is %s\n", | ||
433 | #ifdef HAVE_CHROOT | ||
434 | "enabled" | ||
435 | #else | ||
436 | "disabled" | ||
437 | #endif | ||
438 | ); | ||
439 | |||
440 | printf("\t- file and directory whitelisting support is %s\n", | 282 | printf("\t- file and directory whitelisting support is %s\n", |
441 | #ifdef HAVE_WHITELIST | 283 | #ifdef HAVE_WHITELIST |
442 | "enabled" | 284 | "enabled" |
@@ -445,14 +287,6 @@ void print_compiletime_support(void) { | |||
445 | #endif | 287 | #endif |
446 | ); | 288 | ); |
447 | 289 | ||
448 | printf("\t- file transfer support is %s\n", | ||
449 | #ifdef HAVE_FILE_TRANSFER | ||
450 | "enabled" | ||
451 | #else | ||
452 | "disabled" | ||
453 | #endif | ||
454 | ); | ||
455 | |||
456 | printf("\t- networking support is %s\n", | 290 | printf("\t- networking support is %s\n", |
457 | #ifdef HAVE_NETWORK | 291 | #ifdef HAVE_NETWORK |
458 | "enabled" | 292 | "enabled" |
@@ -461,22 +295,6 @@ void print_compiletime_support(void) { | |||
461 | #endif | 295 | #endif |
462 | ); | 296 | ); |
463 | 297 | ||
464 | printf("\t- overlayfs support is %s\n", | ||
465 | #ifdef HAVE_OVERLAYFS | ||
466 | "enabled" | ||
467 | #else | ||
468 | "disabled" | ||
469 | #endif | ||
470 | ); | ||
471 | |||
472 | printf("\t- private-home support is %s\n", | ||
473 | #ifdef HAVE_PRIVATE_HOME | ||
474 | "enabled" | ||
475 | #else | ||
476 | "disabled" | ||
477 | #endif | ||
478 | ); | ||
479 | |||
480 | printf("\t- seccomp-bpf support is %s\n", | 298 | printf("\t- seccomp-bpf support is %s\n", |
481 | #ifdef HAVE_SECCOMP | 299 | #ifdef HAVE_SECCOMP |
482 | "enabled" | 300 | "enabled" |
@@ -492,12 +310,4 @@ void print_compiletime_support(void) { | |||
492 | "disabled" | 310 | "disabled" |
493 | #endif | 311 | #endif |
494 | ); | 312 | ); |
495 | |||
496 | printf("\t- X11 sandboxing support is %s\n", | ||
497 | #ifdef HAVE_X11 | ||
498 | "enabled" | ||
499 | #else | ||
500 | "disabled" | ||
501 | #endif | ||
502 | ); | ||
503 | } | 313 | } |
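--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -121,6 +121,7 @@ static void extract_cpu(pid_t pid) {
 free(fname);
 }
 
+#ifndef LTS
 static void extract_cgroup(pid_t pid) {
 char *fname;
 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1)
@@ -134,6 +135,7 @@ static void extract_cgroup(pid_t pid) {
 load_cgroup(fname);
 free(fname);
 }
+#endif
 
 static void extract_caps_seccomp(pid_t pid) {
 // open stat file
@@ -287,14 +289,18 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (getuid() != 0) {
 extract_caps_seccomp(pid);
 extract_cpu(pid);
+#ifndef LTS
 extract_cgroup(pid);
+#endif
 extract_nogroups(pid);
 extract_user_namespace(pid);
 }
 
+#ifndef LTS
 // set cgroup
 if (cfg.cgroup) // not available for uid 0
 set_cgroup(cfg.cgroup);
+#endif
 
 // get umask, it will be set by start_application()
 extract_umask(pid);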
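--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -968,6 +968,7 @@ int main(int argc, char **argv) {
 delete_run_files(sandbox_pid);
 EUID_USER();
 
+#ifndef LTS
 //check if the parent is sshd daemon
 int parent_sshd = 0;
 {
@@ -1066,12 +1067,11 @@ int main(int argc, char **argv) {
 #endif
 }
 }
-#ifndef LTS
 else {
 // check --output option and execute it;
 check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
 }
-#endif
+#endif // LTS
 EUID_ASSERT();
 
 
@@ -1264,6 +1264,7 @@ int main(int argc, char **argv) {
 cfg.nice = 0;
 arg_nice = 1;
 }
+#ifndef LTS
 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
 if (option_cgroup) {
 fprintf(stderr, "Error: only a cgroup can be defined\n");
@@ -1276,13 +1277,12 @@ int main(int argc, char **argv) {
 errExit("strdup");
 set_cgroup(cfg.cgroup);
 }
-
+#endif
 //*************************************
 // filesystem
 //*************************************
 else if (strcmp(argv[i], "--allusers") == 0)
 arg_allusers = 1;
-#ifdef HAVE_BIND
 else if (strncmp(argv[i], "--bind=", 7) == 0) {
 if (checkcfg(CFG_BIND)) {
 char *line;
@@ -1295,7 +1295,6 @@ int main(int argc, char **argv) {
 else
 exit_err_feature("bind");
 }
-#endif
 else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
 char *line;
 if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)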
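Review bot: In the fourth and fifth hunks the `#ifdef HAVE_BIND` / `#endif` pair around the `--bind=` branch is removed, so the option is now always compiled in and `checkcfg(CFG_BIND)` is the only gate. A packager who previously left bind out at build time gets the parser back, and checkcfg.c in this commit also drops the "bind support is ..." line from `print_compiletime_support()`, so the binary no longer reports that state. I would record this next to the branch, e.g. `// always compiled in; disabled only through checkcfg(CFG_BIND)`, and confirm the default of `CFG_BIND`, which is set outside this page. `main()` starts and ends outside these hunks.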
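--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -748,11 +748,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+#ifndef LTS
 // cgroup
 if (strncmp(ptr, "cgroup ", 7) == 0) {
 set_cgroup(ptr + 7);
 return 0;
 }
+#endif
 
 // writable-etc
 if (strcmp(ptr, "writable-etc") == 0) {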
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c deleted file mode 100644 index 9beb01655..000000000 --- a/src/firejail/restricted_shell.c +++ /dev/null | |||
@@ -1,132 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2018 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <fnmatch.h> | ||
22 | |||
23 | #define MAX_READ 4096 // maximum line length | ||
24 | char *restricted_user = NULL; | ||
25 | |||
26 | |||
27 | int restricted_shell(const char *user) { | ||
28 | EUID_ASSERT(); | ||
29 | assert(user); | ||
30 | |||
31 | // open profile file: | ||
32 | char *fname; | ||
33 | if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) | ||
34 | errExit("asprintf"); | ||
35 | FILE *fp = fopen(fname, "r"); | ||
36 | free(fname); | ||
37 | if (fp == NULL) | ||
38 | return 0; | ||
39 | |||
40 | int lineno = 0; | ||
41 | char buf[MAX_READ]; | ||
42 | while (fgets(buf, MAX_READ, fp)) { | ||
43 | lineno++; | ||
44 | |||
45 | // remove empty spaces at the beginning of the line | ||
46 | char *ptr = buf; | ||
47 | while (*ptr == ' ' || *ptr == '\t') { | ||
48 | ptr++; | ||
49 | } | ||
50 | if (*ptr == '\n' || *ptr == '#') | ||
51 | continue; | ||
52 | |||
53 | // | ||
54 | // parse line | ||
55 | // | ||
56 | |||
57 | // extract users | ||
58 | char *usr = ptr; | ||
59 | char *args = strchr(usr, ':'); | ||
60 | if (args == NULL) { | ||
61 | fprintf(stderr, "Error: users.conf line %d\n", lineno); | ||
62 | exit(1); | ||
63 | } | ||
64 | |||
65 | *args = '\0'; | ||
66 | args++; | ||
67 | ptr = strchr(args, '\n'); | ||
68 | if (ptr) | ||
69 | *ptr = '\0'; | ||
70 | |||
71 | // extract firejail command line arguments | ||
72 | char *ptr2 = args; | ||
73 | int found = 0; | ||
74 | while (*ptr2 != '\0') { | ||
75 | if (*ptr2 != ' ' && *ptr2 != '\t') { | ||
76 | found = 1; | ||
77 | break; | ||
78 | } | ||
79 | ptr2++; | ||
80 | } | ||
81 | // if nothing follows, continue | ||
82 | if (!found) | ||
83 | continue; | ||
84 | |||
85 | // user name globbing | ||
86 | if (fnmatch(usr, user, 0) == 0) { | ||
87 | // process program arguments | ||
88 | |||
89 | fullargv[0] = "firejail"; | ||
90 | int i; | ||
91 | ptr = args; | ||
92 | for (i = 1; i < MAX_ARGS; i++) { | ||
93 | // skip blanks | ||
94 | while (*ptr == ' ' || *ptr == '\t') | ||
95 | ptr++; | ||
96 | fullargv[i] = ptr; | ||
97 | #ifdef DEBUG_RESTRICTED_SHELL | ||
98 | {EUID_ROOT(); | ||
99 | FILE *fp = fopen("/firelog", "a"); | ||
100 | if (fp) { | ||
101 | fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); | ||
102 | fclose(fp); | ||
103 | } | ||
104 | EUID_USER();} | ||
105 | #endif | ||
106 | |||
107 | if (*ptr != '\0') { | ||
108 | // go to the end of the word | ||
109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | ||
110 | ptr++; | ||
111 | *ptr ='\0'; | ||
112 | fullargv[i] = strdup(fullargv[i]); | ||
113 | if (fullargv[i] == NULL) | ||
114 | errExit("strdup"); | ||
115 | ptr++; | ||
116 | while (*ptr == ' ' || *ptr == '\t') | ||
117 | ptr++; | ||
118 | if (*ptr != '\0') | ||
119 | continue; | ||
120 | } | ||
121 | fullargv[i] = strdup(fullargv[i]); | ||
122 | fclose(fp); | ||
123 | return i + 1; | ||
124 | } | ||
125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); | ||
126 | exit(1); | ||
127 | } | ||
128 | } | ||
129 | fclose(fp); | ||
130 | |||
131 | return 0; | ||
132 | } | ||
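--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1061,9 +1061,11 @@ int sandbox(void* sandbox_arg) {
 EUID_ROOT();
 }
 
+#ifndef LTS
 // save cgroup in CGROUP_CFG file
 if (cfg.cgroup)
 save_cgroup();
+#endif
 
 // set seccomp
 #ifdef HAVE_SECCOMP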
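--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,25 +33,18 @@ static char *usage_str =
 " --apparmor - enable AppArmor confinement.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
-" --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
 " --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
 " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
 " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
 " --blacklist=filename - blacklist directory or file.\n"
-" --build - build a whitelisted profile for the application.\n"
-" --build=filename - build a whitelisted profile for the application.\n"
 " -c - execute command and exit.\n"
 " --caps - enable default Linux capabilities filter.\n"
 " --caps.drop=all - drop all capabilities.\n"
 " --caps.drop=capability,capability - blacklist capabilities filter.\n"
 " --caps.keep=capability,capability - whitelist capabilities filter.\n"
 " --caps.print=name|pid - print the caps filter.\n"
-" --cgroup=tasks-file - place the sandbox in the specified control group.\n"
-#ifdef HAVE_CHROOT
-" --chroot=dirname - chroot into directory.\n"
-#endif
 " --cpu=cpu-number,cpu-number - set cpu affinity.\n"
 " --cpu.print=name|pid - print the cpus in use.\n"
 " --debug - print sandbox debug messages.\n"
@@ -71,9 +64,6 @@ static char *usage_str =
 " --dns.print=name|pid - print DNS configuration.\n"
 " --env=name=value - set environment variable.\n"
 " --fs.print=name|pid - print the filesystem log.\n"
-#ifdef HAVE_FILE_TRANSFER
-" --get=name|pid filename - get a file from sandbox container.\n"
-#endif
 " --help, -? - this help screen.\n"
 " --hostname=name - set sandbox hostname.\n"
 " --hosts-file=file - use file as /etc/hosts.\n"
@@ -141,52 +131,22 @@ static char *usage_str =
 " --novideo - disable video devices.\n"
 " --nou2f - disable U2F devices.\n"
 " --nowhitelist=filename - disable whitelist for file or directory .\n"
-" --output=logfile - stdout logging and log rotation.\n"
-" --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
-" --overlay - mount a filesystem overlay on top of the current filesystem.\n"
-" --overlay-named=name - mount a filesystem overlay on top of the current\n"
-"\tfilesystem, and store it in name directory.\n"
-" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
-"\tcurrent filesystem.\n"
-" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
 " --private - temporary home directory.\n"
 " --private=directory - use directory as user home.\n"
 " --private-cache - temporary ~/.cache directory.\n"
-" --private-home=file,directory - build a new user home in a temporary\n"
-"\tfilesystem, and copy the files and directories in the list in\n"
-"\tthe new home.\n"
-" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
-"\tand copy the programs in the list.\n"
 " --private-dev - create a new /dev directory with a small number of\n"
 "\tcommon device files.\n"
-" --private-etc=file,directory - build a new /etc in a temporary\n"
-"\tfilesystem, and copy the files and directories in the list.\n"
 " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
-" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
-" --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
 " --profile=filename - use a custom profile.\n"
 " --profile.print=name|pid - print the name of profile file.\n"
 " --profile-path=directory - use this directory to look for profile files.\n"
 " --protocol=protocol,protocol,protocol - enable protocol filter.\n"
 " --protocol.print=name|pid - print the protocol filter.\n"
-#ifdef HAVE_FILE_TRANSFER
-" --put=name|pid src-filename dest-filename - put a file in sandbox\n"
-"\tcontainer.\n"
-#endif
 " --quiet - turn off Firejail's output.\n"
 " --read-only=filename - set directory or file read-only..\n"
 " --read-write=filename - set directory or file read-write.\n"
 " --rlimit-as=number - set the maximum size of the process's virtual memory\n"
 "\t(address space) in bytes.\n"
-" --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
-" --rlimit-fsize=number - set the maximum file size that can be created\n"
-"\tby a process.\n"
-" --rlimit-nofile=number - set the maximum number of files that can be\n"
-"\topened by a process.\n"
-" --rlimit-nproc=number - set the maximum number of processes that can be\n"
-"\tcreated for the real user ID of the calling process.\n"
-" --rlimit-sigpending=number - set the maximum number of pending signals\n"
-"\tfor a process.\n"
 " --rmenv=name - remove environment variable in the new sandbox.\n"
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
@@ -210,9 +170,6 @@ static char *usage_str =
 "\thas elapsed.\n"
 " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
 " --top - monitor the most CPU-intensive sandboxes.\n"
-" --trace - trace open, access and connect system calls.\n"
-" --tracelog - add a syslog message for every access to files or\n"
-"\tdirectories blacklisted by the security profile.\n"
 " --tree - print a tree of all sandboxed processes.\n"
 " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
@@ -226,17 +183,6 @@ static char *usage_str =
 "\t/run/user/$UID/gnupg.\n"
 " --writable-var - /var directory is mounted read-write.\n"
 " --writable-var-log - use the real /var/log directory, not a clone.\n"
-#ifdef HAVE_X11
-" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
-"\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"
-"\tattempt to use X11 security extension.\n"
-" --x11=none - disable access to X11 sockets.\n"
-" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"
-" --x11=xorg - enable X11 security extension.\n"
-" --x11=xpra - enable Xpra X11 server.\n"
-" --x11=xvfb - enable Xvfb X11 server.\n"
-" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
-#endif
 "\n"
 "Examples:\n"
 " $ firejail firefox\n"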
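--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
 if (strcmp(name, "root") == 0)
 return 1;
 
-// other system users will run the program as is
-uid_t uid = getuid();
-assert(uid_min > 0);
-if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+// user nobody is never allowed
+if (strcmp(name, "root") == 0)
 return 0;
 
 // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
 struct passwd *pw = getpwnam(name);
 if (!pw) {
 fprintf(stderr, "Error: user %s not found on this system.\n", name);
-return;
+exit(1);
 }
 
 // check the user is not already in the database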
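Review bot: The new guard under `// user nobody is never allowed` in firejail_user_check compares `name` with "root" a second time, so it can never fire: root has already returned 1 just above, and "nobody" now falls through to the file check that follows. The same hunk removes the old `uid < uid_min` test, so nothing visible here rejects nobody any more, which contradicts the firejail-users man page text changed in this commit ("user nobody is never allowed"). The condition should read `if (strcmp(name, "nobody") == 0)`. Because this check gates a SUID executable, it is also worth confirming that lifting the UID_MIN restriction for other system accounts is intended; the function body continues outside the hunk.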
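--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -123,5 +123,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)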
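--- a/src/man/firejail-login.txt
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
-.SH NAME
-login.users \- Login file syntax for Firejail
-
-.SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
-upon user logging into a Firejail restricted shell. Each user entry in the file consists of
-a user name followed by the arguments passed to firejail. The format is as follows:
-
-user_name: arguments
-
-Example:
-
-netblue:--net=none --protocol=unix
-
-Wildcard patterns are accepted in the user name field:
-
-user*: --private
-
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail using adduser or usermod commands:
-
-adduser \-\-shell /usr/bin/firejail username
-.br
-usermod \-\-shell /usr/bin/firejail username
-
-.SH FILES
-/etc/firejail/login.users
-
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: https://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-users\fR\|(5)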
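--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -197,18 +197,6 @@ The file is created if it doesn't already exist.
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
 .TP
-\fBoverlay
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID> directory.
-.TP
-\fBoverlay-named name
-Mount a filesystem overlay on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name directory.
-.TP
-\fBoverlay-tmpfs
-Mount a filesystem overlay on top of the current filesystem.
-All filesystem modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -217,20 +205,10 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
-\fBprivate-home file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.TP
 \fBprivate-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
 modifications are discarded when the sandbox is closed.
 .TP
-\fBprivate-bin file,file
-Build a new /bin in a temporary filesystem, and copy the programs in the list.
-The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
-.TP
 \fBprivate-dev
 Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
 random, snd, urandom, video, log and shm devices are available.
@@ -238,25 +216,6 @@ random, snd, urandom, video, log and shm devices are available.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
-\fBprivate-etc file,directory
-Build a new /etc in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-lib file,directory
-Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see \fBman 1 firejail\fR for some examples.
-.TP
-\fBprivate-opt file,directory
-Build a new /optin a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
-\fBprivate-srv file,directory
-Build a new /srv in a temporary
-filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
-.TP
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
@@ -269,9 +228,6 @@ Make directory or file read-write.
 \fBtmpfs directory
 Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
-.TP
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
@@ -350,82 +306,26 @@ does not result in an increase of privilege.
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
-.TP
-\fBx11
-Enable X11 sandboxing.
-.TP
-\fBx11 none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
-Remove DISPLAY and XAUTHORITY environment variables.
-Stop with error message if X11 abstract socket will be accessible in jail.
-.TP
-\fBx11 xephyr
-Enable X11 sandboxing with Xephyr server.
-.TP
-\fBx11 xorg
-Enable X11 sandboxing with X11 security extension.
-.TP
-\fBx11 xpra
-Enable X11 sandboxing with Xpra server.
-.TP
-\fBx11 xvfb
-Enable X11 sandboxing with Xvfb server.
-.TP
-\fBxephyr-screen WIDTHxHEIGHT
-Set screen size for x11 xephyr. This command should be included in the profile file before x11 xephyr command.
-.br
 
-.br
-Example:
+
+.SH User Environment
+
+.TP
+\fBcpu cpu-number,cpu-number,cpu-number
+Set CPU affinity. Example:
 .br
 
 .br
-xephyr-screen 640x480
+cpu 0,1,2
 .br
-x11 xephyr
-
-
-
-.SH Resource limits, CPU affinity, Control Groups
-These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
-The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
-configures the CPU cores available, and \fBcgroup\fR command
-place the sandbox in an existing control group.
-
-Examples:
 
 .TP
-\fBrlimit-as 123456789012
-Set the maximum size of the process's virtual memory to 123456789012 bytes.
-.TP
-\fBrlimit-cpu 123
-Set the maximum CPU time in seconds.
-.TP
-\fBrlimit-fsize 1024
-Set the maximum file size that can be created by a process to 1024 bytes.
-.TP
-\fBrlimit-nproc 1000
-Set the maximum number of processes that can be created for the real user ID of the calling process to 1000.
-.TP
-\fBrlimit-nofile 500
-Set the maximum number of files that can be opened by a process to 500.
-.TP
-\fBrlimit-sigpending 200
-Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
-.TP
-\fBcpu 0,1,2
-Use only CPU cores 0, 1 and 2.
-.TP
-\fBnice -5
-Set a nice value of -5 to all processes running inside the sandbox.
-.TP
-\fBcgroup /sys/fs/cgroup/g1/tasks
-The sandbox is placed in g1 control group.
+\fBnice value
+Set nice value for all processes running inside the sandbox.
 .TP
 \fBtimeout hh:mm:ss
 Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 
-.SH User Environment
 .TP
 \fBallusers
 All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
@@ -644,5 +544,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)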
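--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
 $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+# addgroup firejail
+.br
+# chown root:firejail /usr/bin/firejail
+.br
+# chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
@@ -46,4 +58,3 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)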
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7de1bff50..b2ad2cba5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -8,12 +8,6 @@ Start a sandbox: | |||
8 | firejail [OPTIONS] [program and arguments] | 8 | firejail [OPTIONS] [program and arguments] |
9 | .RE | 9 | .RE |
10 | .PP | 10 | .PP |
11 | File transfer from an existing sandbox | ||
12 | .PP | ||
13 | .RS | ||
14 | firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename | ||
15 | .RE | ||
16 | .PP | ||
17 | Network traffic shaping for an existing sandbox: | 11 | Network traffic shaping for an existing sandbox: |
18 | .PP | 12 | .PP |
19 | .RS | 13 | .RS |
@@ -127,12 +121,6 @@ $ firejail \-\-apparmor.print=browser | |||
127 | AppArmor: firejail-default enforce | 121 | AppArmor: firejail-default enforce |
128 | 122 | ||
129 | .TP | 123 | .TP |
130 | \fB\-\-audit | ||
131 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
132 | .TP | ||
133 | \fB\-\-audit=test-program | ||
134 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
135 | .TP | ||
136 | \fB\-\-bandwidth=name|pid | 124 | \fB\-\-bandwidth=name|pid |
137 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 125 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
138 | .TP | 126 | .TP |
@@ -159,30 +147,7 @@ $ firejail \-\-blacklist=~/.mozilla | |||
159 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | 147 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" |
160 | .br | 148 | .br |
161 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | 149 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines |
162 | .TP | ||
163 | \fB\-\-build | ||
164 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | ||
165 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
166 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
167 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
168 | .br | ||
169 | |||
170 | .br | ||
171 | Example: | ||
172 | .br | ||
173 | $ firejail --build vlc ~/Videos/test.mp4 | ||
174 | .TP | ||
175 | \fB\-\-build=profile-file | ||
176 | The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also | ||
177 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
178 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
179 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
180 | .br | ||
181 | 150 | ||
182 | .br | ||
183 | Example: | ||
184 | .br | ||
185 | $ firejail --build=vlc.profile vlc ~/Videos/test.mp4 | ||
186 | .TP | 151 | .TP |
187 | \fB\-c | 152 | \fB\-c |
188 | Execute command and exit. | 153 | Execute command and exit. |
@@ -259,29 +224,6 @@ $ firejail \-\-list | |||
259 | $ firejail \-\-caps.print=3272 | 224 | $ firejail \-\-caps.print=3272 |
260 | 225 | ||
261 | .TP | 226 | .TP |
262 | \fB\-\-cgroup=tasks-file | ||
263 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. | ||
264 | .br | ||
265 | |||
266 | .br | ||
267 | Example: | ||
268 | .br | ||
269 | # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks | ||
270 | |||
271 | .TP | ||
272 | \fB\-\-chroot=dirname | ||
273 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, | ||
274 | the system directories are mounted read-write. If the sandbox is started as a | ||
275 | regular user, default seccomp and capabilities filters are enabled. This | ||
276 | option is not available on Grsecurity systems. | ||
277 | .br | ||
278 | |||
279 | .br | ||
280 | Example: | ||
281 | .br | ||
282 | $ firejail \-\-chroot=/media/ubuntu warzone2100 | ||
283 | |||
284 | .TP | ||
285 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 227 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
286 | Set CPU affinity. | 228 | Set CPU affinity. |
287 | .br | 229 | .br |
@@ -472,10 +414,6 @@ $ firejail \-\-list | |||
472 | $ firejail \-\-fs.print=3272 | 414 | $ firejail \-\-fs.print=3272 |
473 | 415 | ||
474 | .TP | 416 | .TP |
475 | \fB\-\-get=name|pid filename | ||
476 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
477 | |||
478 | .TP | ||
479 | \fB\-?\fR, \fB\-\-help\fR | 417 | \fB\-?\fR, \fB\-\-help\fR |
480 | Print options end exit. | 418 | Print options end exit. |
481 | 419 | ||
@@ -699,10 +637,6 @@ Example: | |||
699 | $ firejail --keep-var-tmp | 637 | $ firejail --keep-var-tmp |
700 | 638 | ||
701 | .TP | 639 | .TP |
702 | \fB\-\-ls=name|pid dir_or_filename | ||
703 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
704 | |||
705 | .TP | ||
706 | \fB\-\-list | 640 | \fB\-\-list |
707 | List all sandboxes, see \fBMONITORING\fR section for more details. | 641 | List all sandboxes, see \fBMONITORING\fR section for more details. |
708 | .br | 642 | .br |
@@ -1233,101 +1167,6 @@ Disable video devices. | |||
1233 | Disable whitelist for this directory or file. | 1167 | Disable whitelist for this directory or file. |
1234 | 1168 | ||
1235 | .TP | 1169 | .TP |
1236 | \fB\-\-output=logfile | ||
1237 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log | ||
1238 | rotation. Five files with prefixes .1 to .5 are used in rotation. | ||
1239 | .br | ||
1240 | |||
1241 | .br | ||
1242 | Example: | ||
1243 | .br | ||
1244 | $ firejail \-\-output=sandboxlog /bin/bash | ||
1245 | .br | ||
1246 | [...] | ||
1247 | .br | ||
1248 | $ ls -l sandboxlog* | ||
1249 | .br | ||
1250 | -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog | ||
1251 | .br | ||
1252 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1 | ||
1253 | .br | ||
1254 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2 | ||
1255 | .br | ||
1256 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3 | ||
1257 | .br | ||
1258 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4 | ||
1259 | .br | ||
1260 | -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5 | ||
1261 | |||
1262 | .TP | ||
1263 | \fB\-\-output-stderr=logfile | ||
1264 | Similar to \-\-output, but stderr is also stored. | ||
1265 | |||
1266 | .TP | ||
1267 | \fB\-\-overlay | ||
1268 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
1269 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
1270 | The overlay is stored in $HOME/.firejail/<PID> directory. | ||
1271 | .br | ||
1272 | |||
1273 | .br | ||
1274 | OverlayFS support is required in Linux kernel for this option to work. | ||
1275 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1276 | This option is not available on Grsecurity systems. | ||
1277 | .br | ||
1278 | |||
1279 | .br | ||
1280 | Example: | ||
1281 | .br | ||
1282 | $ firejail \-\-overlay firefox | ||
1283 | |||
1284 | .TP | ||
1285 | \fB\-\-overlay-named=name | ||
1286 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | ||
1287 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
1288 | The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple | ||
1289 | sessions. | ||
1290 | .br | ||
1291 | |||
1292 | .br | ||
1293 | OverlayFS support is required in Linux kernel for this option to work. | ||
1294 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1295 | This option is not available on Grsecurity systems. | ||
1296 | .br | ||
1297 | |||
1298 | .br | ||
1299 | Example: | ||
1300 | .br | ||
1301 | $ firejail \-\-overlay-named=jail1 firefox | ||
1302 | |||
1303 | .TP | ||
1304 | \fB\-\-overlay-tmpfs | ||
1305 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications | ||
1306 | are discarded when the sandbox is closed. | ||
1307 | .br | ||
1308 | |||
1309 | .br | ||
1310 | OverlayFS support is required in Linux kernel for this option to work. | ||
1311 | OverlayFS was officially introduced in Linux kernel version 3.18. | ||
1312 | This option is not available on Grsecurity systems. | ||
1313 | .br | ||
1314 | |||
1315 | .br | ||
1316 | Example: | ||
1317 | .br | ||
1318 | $ firejail \-\-overlay-tmpfs firefox | ||
1319 | |||
1320 | .TP | ||
1321 | \fB\-\-overlay-clean | ||
1322 | Clean all overlays stored in $HOME/.firejail directory. | ||
1323 | .br | ||
1324 | |||
1325 | .br | ||
1326 | Example: | ||
1327 | .br | ||
1328 | $ firejail \-\-overlay-clean | ||
1329 | |||
1330 | .TP | ||
1331 | \fB\-\-private | 1170 | \fB\-\-private |
1332 | Mount new /root and /home/user directories in temporary | 1171 | Mount new /root and /home/user directories in temporary |
1333 | filesystems. All modifications are discarded when the sandbox is | 1172 | filesystems. All modifications are discarded when the sandbox is |
@@ -1349,19 +1188,6 @@ Example: | |||
1349 | $ firejail \-\-private=/home/netblue/firefox-home firefox | 1188 | $ firejail \-\-private=/home/netblue/firefox-home firefox |
1350 | 1189 | ||
1351 | .TP | 1190 | .TP |
1352 | \fB\-\-private-home=file,directory | ||
1353 | Build a new user home in a temporary | ||
1354 | filesystem, and copy the files and directories in the list in the | ||
1355 | new home. All modifications are discarded when the sandbox is | ||
1356 | closed. | ||
1357 | .br | ||
1358 | |||
1359 | .br | ||
1360 | Example: | ||
1361 | .br | ||
1362 | $ firejail \-\-private-home=.mozilla firefox | ||
1363 | |||
1364 | .TP | ||
1365 | \fB\-\-private-cache | 1191 | \fB\-\-private-cache |
1366 | Mount an empty temporary filesystem on top of the .cache directory in user home. All | 1192 | Mount an empty temporary filesystem on top of the .cache directory in user home. All |
1367 | modifications are discarded when the sandbox is closed. | 1193 | modifications are discarded when the sandbox is closed. |
@@ -1373,79 +1199,6 @@ Example: | |||
1373 | $ firejail \-\-private-cache openbox | 1199 | $ firejail \-\-private-cache openbox |
1374 | 1200 | ||
1375 | .TP | 1201 | .TP |
1376 | \fB\-\-private-bin=file,file | ||
1377 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | ||
1378 | If no listed file is found, /bin directory will be empty. | ||
1379 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. | ||
1380 | All modifications are discarded when the sandbox is closed. File globbing is supported, | ||
1381 | see \fBFILE GLOBBING\fR section for more details. | ||
1382 | .br | ||
1383 | |||
1384 | .br | ||
1385 | Example: | ||
1386 | .br | ||
1387 | $ firejail \-\-private-bin=bash,sed,ls,cat | ||
1388 | .br | ||
1389 | Parent pid 20841, child pid 20842 | ||
1390 | .br | ||
1391 | Child process initialized | ||
1392 | .br | ||
1393 | $ ls /bin | ||
1394 | .br | ||
1395 | bash cat ls sed | ||
1396 | |||
1397 | .TP | ||
1398 | \fB\-\-private-lib=file,directory | ||
1399 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. | ||
1400 | The idea is to build a new /lib in a temporary filesystem, | ||
1401 | with only the library files necessary to run the application. | ||
1402 | It could be as simple as: | ||
1403 | .br | ||
1404 | |||
1405 | .br | ||
1406 | $ firejail --private-lib galculator | ||
1407 | .br | ||
1408 | |||
1409 | .br | ||
1410 | but it gets complicated really fast: | ||
1411 | .br | ||
1412 | |||
1413 | .br | ||
1414 | $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed | ||
1415 | .br | ||
1416 | |||
1417 | .br | ||
1418 | The feature is integrated with \-\-private-bin: | ||
1419 | .br | ||
1420 | |||
1421 | .br | ||
1422 | $ firejail --private-lib --private-bin=bash,ls,ps | ||
1423 | .br | ||
1424 | $ ls /lib | ||
1425 | .br | ||
1426 | ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0 | ||
1427 | .br | ||
1428 | libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5 | ||
1429 | .br | ||
1430 | libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu | ||
1431 | .br | ||
1432 | libgcrypt.so.20 libpcre.so.3 libselinux.so.1 | ||
1433 | .br | ||
1434 | $ ps | ||
1435 | .br | ||
1436 | PID TTY TIME CMD | ||
1437 | .br | ||
1438 | 1 pts/0 00:00:00 firejail | ||
1439 | .br | ||
1440 | 45 pts/0 00:00:00 bash | ||
1441 | .br | ||
1442 | 48 pts/0 00:00:00 ps | ||
1443 | .br | ||
1444 | $ | ||
1445 | .br | ||
1446 | |||
1447 | |||
1448 | .TP | ||
1449 | \fB\-\-private-dev | 1202 | \fB\-\-private-dev |
1450 | Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. | 1203 | Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. |
1451 | .br | 1204 | .br |
@@ -1464,46 +1217,6 @@ $ ls /dev | |||
1464 | cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero | 1217 | cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero |
1465 | .br | 1218 | .br |
1466 | $ | 1219 | $ |
1467 | .TP | ||
1468 | \fB\-\-private-etc=file,directory | ||
1469 | Build a new /etc in a temporary | ||
1470 | filesystem, and copy the files and directories in the list. | ||
1471 | If no listed file is found, /etc directory will be empty. | ||
1472 | All modifications are discarded when the sandbox is closed. | ||
1473 | .br | ||
1474 | |||
1475 | .br | ||
1476 | Example: | ||
1477 | .br | ||
1478 | $ firejail --private-etc=group,hostname,localtime, \\ | ||
1479 | .br | ||
1480 | nsswitch.conf,passwd,resolv.conf | ||
1481 | |||
1482 | .TP | ||
1483 | \fB\-\-private-opt=file,directory | ||
1484 | Build a new /opt in a temporary | ||
1485 | filesystem, and copy the files and directories in the list. | ||
1486 | If no listed file is found, /opt directory will be empty. | ||
1487 | All modifications are discarded when the sandbox is closed. | ||
1488 | .br | ||
1489 | |||
1490 | .br | ||
1491 | Example: | ||
1492 | .br | ||
1493 | $ firejail --private-opt=firefox /opt/firefox/firefox | ||
1494 | |||
1495 | .TP | ||
1496 | \fB\-\-private-srv=file,directory | ||
1497 | Build a new /srv in a temporary | ||
1498 | filesystem, and copy the files and directories in the list. | ||
1499 | If no listed file is found, /srv directory will be empty. | ||
1500 | All modifications are discarded when the sandbox is closed. | ||
1501 | .br | ||
1502 | |||
1503 | .br | ||
1504 | Example: | ||
1505 | .br | ||
1506 | # firejail --private-srv=www /etc/init.d/apache2 start | ||
1507 | 1220 | ||
1508 | .TP | 1221 | .TP |
1509 | \fB\-\-private-tmp | 1222 | \fB\-\-private-tmp |
@@ -1586,9 +1299,6 @@ $ firejail \-\-protocol.print=3272 | |||
1586 | .br | 1299 | .br |
1587 | unix,inet,inet6,netlink | 1300 | unix,inet,inet6,netlink |
1588 | .TP | 1301 | .TP |
1589 | \fB\-\-put=name|pid src-filename dest-filename | ||
1590 | Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. | ||
1591 | .TP | ||
1592 | \fB\-\-quiet | 1302 | \fB\-\-quiet |
1593 | Turn off Firejail's output. | 1303 | Turn off Firejail's output. |
1594 | .TP | 1304 | .TP |
@@ -1625,33 +1335,6 @@ $ touch ~/test/a | |||
1625 | .br | 1335 | .br |
1626 | $ firejail --read-only=~/test --read-write=~/test/a | 1336 | $ firejail --read-only=~/test --read-write=~/test/a |
1627 | 1337 | ||
1628 | |||
1629 | .TP | ||
1630 | \fB\-\-rlimit-as=number | ||
1631 | Set the maximum size of the process's virtual memory (address space) in bytes. | ||
1632 | |||
1633 | .TP | ||
1634 | \fB\-\-rlimit-cpu=number | ||
1635 | Set the maximum limit, in seconds, for the amount of CPU time each | ||
1636 | sandboxed process can consume. When the limit is reached, the processes are killed. | ||
1637 | |||
1638 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | ||
1639 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | ||
1640 | track of CPU seconds for each process independently. | ||
1641 | |||
1642 | .TP | ||
1643 | \fB\-\-rlimit-fsize=number | ||
1644 | Set the maximum file size that can be created by a process. | ||
1645 | .TP | ||
1646 | \fB\-\-rlimit-nofile=number | ||
1647 | Set the maximum number of files that can be opened by a process. | ||
1648 | .TP | ||
1649 | \fB\-\-rlimit-nproc=number | ||
1650 | Set the maximum number of processes that can be created for the real user ID of the calling process. | ||
1651 | .TP | ||
1652 | \fB\-\-rlimit-sigpending=number | ||
1653 | Set the maximum number of pending signals for a process. | ||
1654 | |||
1655 | .TP | 1338 | .TP |
1656 | \fB\-\-rmenv=name | 1339 | \fB\-\-rmenv=name |
1657 | Remove environment variable in the new sandbox. | 1340 | Remove environment variable in the new sandbox. |
@@ -2082,30 +1765,7 @@ Reading profile /etc/firejail/wget.profile | |||
2082 | 1765 | ||
2083 | .br | 1766 | .br |
2084 | parent is shutting down, bye... | 1767 | parent is shutting down, bye... |
2085 | .TP | ||
2086 | \fB\-\-tracelog | ||
2087 | This option enables auditing blacklisted files and directories. A message | ||
2088 | is sent to syslog in case the file or the directory is accessed. | ||
2089 | .br | ||
2090 | |||
2091 | .br | ||
2092 | Example: | ||
2093 | .br | ||
2094 | $ firejail --tracelog firefox | ||
2095 | .br | ||
2096 | 1768 | ||
2097 | .br | ||
2098 | Sample messages: | ||
2099 | .br | ||
2100 | $ sudo tail -f /var/log/syslog | ||
2101 | .br | ||
2102 | [...] | ||
2103 | .br | ||
2104 | Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow | ||
2105 | .br | ||
2106 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot | ||
2107 | .br | ||
2108 | [...] | ||
2109 | .TP | 1769 | .TP |
2110 | \fB\-\-tree | 1770 | \fB\-\-tree |
2111 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. | 1771 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
@@ -2213,167 +1873,6 @@ Example: | |||
2213 | $ sudo firejail --writable-var-log | 1873 | $ sudo firejail --writable-var-log |
2214 | 1874 | ||
2215 | 1875 | ||
2216 | .TP | ||
2217 | \fB\-\-x11 | ||
2218 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. | ||
2219 | The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing | ||
2220 | clients running outside the sandbox. | ||
2221 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | ||
2222 | If all fails, Firejail will not attempt to use Xvfb or X11 security extension. | ||
2223 | .br | ||
2224 | |||
2225 | .br | ||
2226 | Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable | ||
2227 | X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket | ||
2228 | by adding "-nolisten local" on Xorg command line at system level. | ||
2229 | .br | ||
2230 | |||
2231 | .br | ||
2232 | Example: | ||
2233 | .br | ||
2234 | $ firejail \-\-x11 --net=eth0 firefox | ||
2235 | |||
2236 | .TP | ||
2237 | \fB\-\-x11=none | ||
2238 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. | ||
2239 | Remove DISPLAY and XAUTHORITY environment variables. | ||
2240 | Stop with error message if X11 abstract socket will be accessible in jail. | ||
2241 | |||
2242 | .TP | ||
2243 | \fB\-\-x11=xephyr | ||
2244 | Start Xephyr and attach the sandbox to this server. | ||
2245 | Xephyr is a display server implementing the X11 display server protocol. | ||
2246 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
2247 | .br | ||
2248 | |||
2249 | .br | ||
2250 | Xephyr runs in a window just like any other X11 application. The default window size is 800x600. | ||
2251 | This can be modified in /etc/firejail/firejail.config file. | ||
2252 | .br | ||
2253 | |||
2254 | .br | ||
2255 | The recommended way to use this feature is to run a window manager inside the sandbox. | ||
2256 | A security profile for OpenBox is provided. | ||
2257 | .br | ||
2258 | |||
2259 | .br | ||
2260 | Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
2261 | This feature is not available when running as root. | ||
2262 | .br | ||
2263 | |||
2264 | .br | ||
2265 | Example: | ||
2266 | .br | ||
2267 | $ firejail \-\-x11=xephyr --net=eth0 openbox | ||
2268 | |||
2269 | .TP | ||
2270 | \fB\-\-x11=xorg | ||
2271 | Sandbox the application using the untrusted mode implemented by X11 security extension. | ||
2272 | The extension is available in Xorg package | ||
2273 | and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted | ||
2274 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | ||
2275 | contents of other clients, stealing input events, etc. | ||
2276 | |||
2277 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | ||
2278 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | ||
2279 | Firefox and transmission-gtk seem to be working fine. | ||
2280 | A network namespace is not required for this option. | ||
2281 | .br | ||
2282 | |||
2283 | .br | ||
2284 | Example: | ||
2285 | .br | ||
2286 | $ firejail \-\-x11=xorg firefox | ||
2287 | |||
2288 | .TP | ||
2289 | \fB\-\-x11=xpra | ||
2290 | Start Xpra (https://xpra.org) and attach the sandbox to this server. | ||
2291 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
2292 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
2293 | .br | ||
2294 | |||
2295 | .br | ||
2296 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
2297 | This feature is not available when running as root. | ||
2298 | .br | ||
2299 | |||
2300 | .br | ||
2301 | Example: | ||
2302 | .br | ||
2303 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
2304 | |||
2305 | |||
2306 | .TP | ||
2307 | \fB\-\-x11=xvfb | ||
2308 | Start Xvfb X11 server and attach the sandbox to this server. | ||
2309 | Xvfb, short for X virtual framebuffer, performs all graphical operations in memory | ||
2310 | without showing any screen output. Xvfb is mainly used for remote access and software | ||
2311 | testing on headless servers. | ||
2312 | .br | ||
2313 | |||
2314 | .br | ||
2315 | On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR. | ||
2316 | This feature is not available when running as root. | ||
2317 | .br | ||
2318 | |||
2319 | .br | ||
2320 | Example: remote VNC access | ||
2321 | .br | ||
2322 | |||
2323 | .br | ||
2324 | On the server we start a sandbox using Xvfb and openbox | ||
2325 | window manager. The default size of Xvfb screen is 800x600 - it can be changed | ||
2326 | in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required | ||
2327 | in order to isolate the abstract sockets used by other X servers. | ||
2328 | .br | ||
2329 | |||
2330 | .br | ||
2331 | $ firejail --net=none --x11=xvfb openbox | ||
2332 | .br | ||
2333 | |||
2334 | .br | ||
2335 | *** Attaching to Xvfb display 792 *** | ||
2336 | .br | ||
2337 | |||
2338 | .br | ||
2339 | Reading profile /etc/firejail/openbox.profile | ||
2340 | .br | ||
2341 | Reading profile /etc/firejail/disable-common.inc | ||
2342 | .br | ||
2343 | Reading profile /etc/firejail/disable-common.local | ||
2344 | .br | ||
2345 | Parent pid 5400, child pid 5401 | ||
2346 | .br | ||
2347 | |||
2348 | .br | ||
2349 | On the server we also start a VNC server and attach it to the display handled by our | ||
2350 | Xvfb server (792). | ||
2351 | .br | ||
2352 | |||
2353 | .br | ||
2354 | $ x11vnc -display :792 | ||
2355 | .br | ||
2356 | |||
2357 | .br | ||
2358 | On the client machine we start a VNC viewer and use it to connect to our server: | ||
2359 | .br | ||
2360 | |||
2361 | .br | ||
2362 | $ vncviewer | ||
2363 | .br | ||
2364 | |||
2365 | .TP | ||
2366 | \fB\-\-xephyr-screen=WIDTHxHEIGHT | ||
2367 | Set screen size for --x11=xephyr. The setting will overwrite the default set in /etc/firejail/firejail.config | ||
2368 | for the current sandbox. Run xrandr to get a list of supported resolutions on your computer. | ||
2369 | .br | ||
2370 | |||
2371 | .br | ||
2372 | Example: | ||
2373 | .br | ||
2374 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | ||
2375 | .br | ||
2376 | |||
2377 | .SH DESKTOP INTEGRATION | 1876 | .SH DESKTOP INTEGRATION |
2378 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 1877 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
2379 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 1878 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
@@ -2506,54 +2005,6 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
2506 | .br | 2005 | .br |
2507 | $ firejail --apparmor firefox | 2006 | $ firejail --apparmor firefox |
2508 | 2007 | ||
2509 | .SH FILE TRANSFER | ||
2510 | These features allow the user to inspect the filesystem container of an existing sandbox | ||
2511 | and transfer files from the container to the host filesystem. | ||
2512 | |||
2513 | .TP | ||
2514 | \fB\-\-get=name|pid filename | ||
2515 | Retrieve the container file and store it on the host in the current working directory. | ||
2516 | The container is specified by name or PID. | ||
2517 | |||
2518 | .TP | ||
2519 | \fB\-\-ls=name|pid dir_or_filename | ||
2520 | List container files. The container is specified by name or PID. | ||
2521 | |||
2522 | .TP | ||
2523 | \fB\-\-put=name|pid src-filename dest-filename | ||
2524 | Put src-filename in sandbox container. | ||
2525 | The container is specified by name or PID. | ||
2526 | |||
2527 | .TP | ||
2528 | Examples: | ||
2529 | .br | ||
2530 | |||
2531 | .br | ||
2532 | $ firejail \-\-name=mybrowser --private firefox | ||
2533 | .br | ||
2534 | |||
2535 | .br | ||
2536 | $ firejail \-\-ls=mybrowser ~/Downloads | ||
2537 | .br | ||
2538 | drwxr-xr-x netblue netblue 4096 . | ||
2539 | .br | ||
2540 | drwxr-xr-x netblue netblue 4096 .. | ||
2541 | .br | ||
2542 | -rw-r--r-- netblue netblue 7847 x11-x305.png | ||
2543 | .br | ||
2544 | -rw-r--r-- netblue netblue 6800 x11-x642.png | ||
2545 | .br | ||
2546 | -rw-r--r-- netblue netblue 34139 xpra-clipboard.png | ||
2547 | .br | ||
2548 | |||
2549 | .br | ||
2550 | $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png | ||
2551 | .br | ||
2552 | |||
2553 | .br | ||
2554 | $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | ||
2555 | .br | ||
2556 | |||
2557 | .SH TRAFFIC SHAPING | 2008 | .SH TRAFFIC SHAPING |
2558 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | 2009 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. |
2559 | Traffic shaping allows the user to increase network performance by controlling | 2010 | Traffic shaping allows the user to increase network performance by controlling |
@@ -2596,25 +2047,6 @@ Example: | |||
2596 | .br | 2047 | .br |
2597 | $ firejail \-\-bandwidth=mybrowser clear eth0 | 2048 | $ firejail \-\-bandwidth=mybrowser clear eth0 |
2598 | 2049 | ||
2599 | .SH AUDIT | ||
2600 | Audit feature allows the user to point out gaps in security profiles. The | ||
2601 | implementation replaces the program to be sandboxed with a test program. By | ||
2602 | default, we use faudit program distributed with Firejail. A custom test program | ||
2603 | can also be supplied by the user. Examples: | ||
2604 | |||
2605 | Running the default audit program: | ||
2606 | .br | ||
2607 | $ firejail --audit transmission-gtk | ||
2608 | |||
2609 | Running a custom audit program: | ||
2610 | .br | ||
2611 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
2612 | |||
2613 | In the examples above, the sandbox configures transmission-gtk profile and | ||
2614 | starts the test program. The real program, transmission-gtk, will not be | ||
2615 | started. | ||
2616 | |||
2617 | Limitations: audit feature is not implemented for --x11 commands. | ||
2618 | 2050 | ||
2619 | .SH MONITORING | 2051 | .SH MONITORING |
2620 | Option \-\-list prints a list of all sandboxes. The format | 2052 | Option \-\-list prints a list of all sandboxes. The format |
@@ -2778,5 +2210,4 @@ Homepage: https://firejail.wordpress.com | |||
2778 | \&\flfiremon\fR\|(1), | 2210 | \&\flfiremon\fR\|(1), |
2779 | \&\flfirecfg\fR\|(1), | 2211 | \&\flfirecfg\fR\|(1), |
2780 | \&\flfirejail-profile\fR\|(5), | 2212 | \&\flfirejail-profile\fR\|(5), |
2781 | \&\flfirejail-login\fR\|(5) | ||
2782 | \&\flfirejail-users\fR\|(5) | 2213 | \&\flfirejail-users\fR\|(5) |
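--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -110,5 +110,4 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
 \&\flfirejail-users\fR\|(5)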
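--- a/src/tools/check-caps.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-if [ $# -eq 0 ]
-then
-echo "Usage: check-caps.sh program-and-arguments"
-echo
-fi
-
-set -x
-
-firejail --caps.drop=chown "$1"
-firejail --caps.drop=dac_override "$1"
-firejail --caps.drop=dac_read_search "$1"
-firejail --caps.drop=fowner "$1"
-firejail --caps.drop=fsetid "$1"
-firejail --caps.drop=kill "$1"
-firejail --caps.drop=setgid "$1"
-firejail --caps.drop=setuid "$1"
-firejail --caps.drop=setpcap "$1"
-firejail --caps.drop=linux_immutable "$1"
-firejail --caps.drop=net_bind_service "$1"
-firejail --caps.drop=net_broadcast "$1"
-firejail --caps.drop=net_admin "$1"
-firejail --caps.drop=net_raw "$1"
-firejail --caps.drop=ipc_lock "$1"
-firejail --caps.drop=ipc_owner "$1"
-firejail --caps.drop=sys_module "$1"
-firejail --caps.drop=sys_rawio "$1"
-firejail --caps.drop=sys_chroot "$1"
-firejail --caps.drop=sys_ptrace "$1"
-firejail --caps.drop=sys_pacct "$1"
-firejail --caps.drop=sys_admin "$1"
-firejail --caps.drop=sys_boot "$1"
-firejail --caps.drop=sys_nice "$1"
-firejail --caps.drop=sys_resource "$1"
-firejail --caps.drop=sys_time "$1"
-firejail --caps.drop=sys_tty_config "$1"
-firejail --caps.drop=mknod "$1"
-firejail --caps.drop=lease "$1"
-firejail --caps.drop=audit_write "$1"
-firejail --caps.drop=audit_control "$1"
-firejail --caps.drop=setfcap "$1"
-firejail --caps.drop=mac_override "$1"
-firejail --caps.drop=mac_admin "$1"
-firejail --caps.drop=syslog "$1"
-firejail --caps.drop=wake_alarm "$1"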
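--- a/src/tools/extract_caps.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
-* Copyright (C) 2014-2018 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-#define BUFMAX 4096
-
-int main(int argc, char **argv) {
-if (argc != 2) {
-printf("usage: %s /usr/include/linux/capability.h\n", argv[0]);
-return 1;
-}
-
-//open file
-FILE *fp = fopen(argv[1], "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open file\n");
-return 1;
-}
-
-// read file
-char buf[BUFMAX];
-while (fgets(buf, BUFMAX, fp)) {
-// cleanup
-char *start = buf;
-while (*start == ' ' || *start == '\t')
-start++;
-char *end = strchr(start, '\n');
-if (end)
-*end = '\0';
-
-// parsing
-if (strncmp(start, "#define CAP_", 12) == 0) {
-if (strstr(start, "CAP_LAST_CAP"))
-break;
-
-char *ptr1 = start + 8;
-char *ptr2 = ptr1;
-while (*ptr2 == ' ' || *ptr2 == '\t')
-ptr2++;
-while (*ptr2 != ' ' && *ptr2 != '\t')
-ptr2++;
-*ptr2 = '\0';
-
-ptr2 = strdup(ptr1);
-assert(ptr2);
-ptr2 += 4;
-char *ptr3 = ptr2;
-while (*ptr3 != '\0') {
-*ptr3 = tolower(*ptr3);
-ptr3++;
-}
-
-
-printf("#ifdef %s\n", ptr1);
-printf("\t{\"%s\", %s },\n", ptr2, ptr1);
-printf("#endif\n");
-
-}
-
-}
-fclose(fp);
-return 0;
-}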
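--- a/src/tools/extract_errnos.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-echo -e "#include <errno.h>\n#include <attr/xattr.h>" | \
-cpp -dD | \
-grep "^#define E" | \
-sed -e '{s/#define \(.*\) .*/\t"\1", \1,/g}'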
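--- a/src/tools/extract_syscalls.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
-* Copyright (C) 2014-2018 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define BUFMAX 4096
-
-int main(int argc, char **argv) {
-if (argc != 2) {
-printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]);
-return 1;
-}
-
-//open file
-FILE *fp = fopen(argv[1], "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open file\n");
-return 1;
-}
-
-// read file
-char buf[BUFMAX];
-while (fgets(buf, BUFMAX, fp)) {
-// cleanup
-char *start = buf;
-while (*start == ' ' || *start == '\t')
-start++;
-char *end = strchr(start, '\n');
-if (end)
-*end = '\0';
-
-// parsing
-if (strncmp(start, "# error", 7) == 0)
-continue;
-if (strncmp(start, "#endif", 6) == 0)
-printf("%s\n", start);
-if (strncmp(start, "#endif", 6) == 0)
-printf("%s\n", start);
-else if (strncmp(start, "#if", 3) == 0)
-printf("%s\n", start);
-else if (strncmp(start, "#define", 7) == 0) {
-// extract data
-char *ptr1 = strstr(start, "SYS_");
-char *ptr2 = strstr(start, "__NR_");
-if (!ptr1 || !ptr2) {
-fprintf(stderr, "Error: cannot parse \"%s\"\n", start);
-fclose(fp);
-return 1;
-}
-*(ptr2 - 1) = '\0';
-
-char *ptr3 = ptr1;
-while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
-ptr3++;
-*ptr3 = '\0';
-ptr3 = ptr2;
-while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
-ptr3++;
-*ptr3 = '\0';
-
-ptr3 = ptr1;
-while (*ptr3 != '_')
-ptr3++;
-ptr3++;
-
-printf("#ifdef %s\n", ptr1);
-printf("#ifdef %s\n", ptr2);
-printf("\t{\"%s\", %s},\n", ptr3, ptr2);
-printf("#endif\n");
-printf("#endif\n");
-}
-}
-fclose(fp);
-return 0;
-}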
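--- a/src/tools/mkcoverit.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# unpack firejail archive
-ARCFIREJAIL=`ls *.tar.xz| grep firejail`
-if [ "$?" -eq 0 ];
-then
-echo "preparing $ARCFIREJAIL"
-DIRFIREJAIL=`basename $ARCFIREJAIL .tar.xz`
-rm -fr $DIRFIREJAIL
-tar -xJvf $ARCFIREJAIL
-cd $DIRFIREJAIL
-./configure --prefix=/usr
-cd ..
-else
-echo "Error: firejail source archive missing"
-exit 1
-fi
-
-
-# unpack firetools archive
-ARCFIRETOOLS=`ls *.tar.bz2 | grep firetools`
-if [ "$?" -eq 0 ];
-then
-echo "preparing $ARCFIRETOOLS"
-DIRFIRETOOLS=`basename $ARCFIRETOOLS .tar.bz2`
-rm -fr $DIRFIRETOOLS
-tar -xjvf $ARCFIRETOOLS
-cd $DIRFIRETOOLS
-pwd
-./configure --prefix=/usr
-cd ..
-
-else
-echo "Error: firetools source archive missing"
-exit 1
-fi
-
-# move firetools in firejail source tree
-mkdir -p $DIRFIREJAIL/extras
-mv $DIRFIRETOOLS $DIRFIREJAIL/extras/firetools
-
-# build
-cd $DIRFIREJAIL
-cov-build --dir cov-int make -j 4 extras
-tar czvf myproject.tgz cov-int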
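--- a/src/tools/testuid.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
-* Copyright (C) 2014-2018 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-// compile: gcc -o testuid testuid.c
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-
-
-static void print_status(void) {
-FILE *fp = fopen("/proc/self/status", "r");
-if (!fp) {
-fprintf(stderr, "Error, cannot open staus file\n");
-exit(1);
-}
-
-char buf[4096];
-while (fgets(buf, 4096, fp)) {
-if (strncmp(buf, "Uid", 3) == 0 || strncmp(buf, "Gid", 3) == 0)
-printf("%s", buf);
-}
-
-fclose(fp);
-}
-
-int main(void) {
-print_status();
-return 0;
-}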
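--- a/src/tools/ttytest.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#define _XOPEN_SOURCE 600
-#include <stdlib.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-
-int main(void) {
-int fdm;
-int rc;
-
-// initial
-system("ls -l /dev/pts");
-
-fdm = posix_openpt(O_RDWR);
-if (fdm < 0) {
-perror("posix_openpt");
-return 1;
-}
-
-rc = grantpt(fdm);
-if (rc != 0) {
-perror("grantpt");
-return 1;
-}
-
-rc = unlockpt(fdm);
-if (rc != 0) {
-perror("unlockpt");
-return 1;
-}
-
-// final
-system("ls -l /dev/pts");
-
-return 0;
-}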
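--- a/src/tools/unchroot.pl
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/perl -w
-use strict;
-# unchroot.pl Dec 2007
-# http://pentestmonkey.net/blog/chroot-breakout-perl
-
-# This script may be used for legal purposes only.
-
-# Go to the root of the jail
-chdir "/";
-
-# Open filehandle to root of jail
-opendir JAILROOT, "." or die "ERROR: Couldn't get file handle to root of jailn";
-
-# Create a subdir, move into it
-mkdir "mysubdir";
-chdir "mysubdir";
-
-# Lock ourselves in a new jail
-chroot ".";
-
-# Use our filehandle to get back to the root of the old jail
-chdir(*JAILROOT);
-
-# Get to the real root
-while ((stat("."))[0] != (stat(".."))[0] or (stat("."))[1] != (stat(".."))[1]) {
-chdir "..";
-}
-
-# Lock ourselves in real root - so we're not really in a jail at all now
-chroot ".";
-
-# Start an un-jailed shell
-system("/bin/sh");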
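--- a/src/tools/unixsocket.c
+++ /dev/null
@@ -1,29 +0,0 @@
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-int main(void) {
-struct sockaddr_un addr;
-int s;
-const char *socketpath = "/var/run/minissdpd.sock";
-// const char *socketpath = "/var/run/acipd.sock";
-
-s = socket(AF_UNIX, SOCK_STREAM, 0);
-if(s < 0) {
-fprintf(stderr, "Error: cannot open socket\n");
-return 1;
-}
-
-addr.sun_family = AF_UNIX;
-strncpy(addr.sun_path, socketpath, sizeof(addr.sun_path));
-if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
-fprintf(stderr, "Error: cannot connect to socket\n");
-return 1;
-}
-
-printf("connected to %s\n", socketpath);
-close(s);
-
-return 0;
-}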
@@ -1,3 +1,14 @@ | |||
1 | possible cleanup: --fs.print, --timeout | ||
2 | |||
3 | usage.c cleanup: | ||
4 | --audit, --build, --chroot, --output, --overlay-*, --rlimit*, --trace*, --x11*, --ls, --get, --put, --cgroup | ||
5 | --private-home, private-etc, private-bin, --private-lib, --private-opt, --private-srv | ||
6 | |||
7 | |||
8 | main:14864, LTS 10890 | ||
9 | removed restricted-shell | ||
10 | |||
11 | |||
1 | Aug 26 - merge mainline | 12 | Aug 26 - merge mainline |
2 | 13 | ||
3 | Phase 2 | 14 | Phase 2 |