authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2023-01-31 02:25:56 +0000
committerLibravatar GitHub <noreply@github.com>2023-01-31 02:25:56 +0000
commitad9cf975ae14e5de0c2b1d42beea6487696c1256 (patch)
tree65aa0ff826319129b72c786569316707cfaf1559
parentinkscape: additional hardening and settings saving functionality via D-Bus (diff)
parentmerges (diff)
Merge branch 'netblue30:master' into inkscape
-rw-r--r--.github/workflows/build-extra.yml8
-rw-r--r--.github/workflows/codeql-analysis.yml14
-rw-r--r--.gitignore3
-rw-r--r--CONTRIBUTING.md3
-rw-r--r--Makefile110
-rw-r--r--README4
-rw-r--r--README.md25
-rw-r--r--RELNOTES1
-rw-r--r--contrib/syntax/files/example.in16
-rw-r--r--contrib/syntax/files/firejail-profile.lang.in (renamed from contrib/gtksourceview-5/language-specs/firejail-profile.lang)7
-rw-r--r--contrib/syntax/files/firejail.vim.in99
-rw-r--r--contrib/syntax/lists/profile_commands_arg0.list50
-rw-r--r--contrib/syntax/lists/profile_commands_arg1.list76
-rw-r--r--contrib/syntax/lists/profile_conditionals.list9
-rw-r--r--contrib/syntax/lists/profile_macros.list10
-rw-r--r--contrib/syntax/lists/syscall_groups.list29
-rw-r--r--contrib/syntax/lists/syscalls.list454
-rw-r--r--contrib/syntax/lists/system_errnos.list135
-rw-r--r--contrib/vim/syntax/firejail.vim104
-rw-r--r--etc/inc/disable-common.inc4
-rw-r--r--etc/profile-a-l/atool.profile2
-rw-r--r--etc/profile-a-l/curl.profile2
-rw-r--r--etc/profile-a-l/firefox-common.profile2
-rw-r--r--etc/profile-a-l/gimp.profile2
-rw-r--r--etc/profile-a-l/inkscape.profile2
-rw-r--r--etc/profile-m-z/mutt.profile13
-rw-r--r--etc/profile-m-z/warzone2100.profile2
-rw-r--r--src/firejail/fs_etc.c12
-rw-r--r--src/firejail/main.c13
-rw-r--r--src/firejail/profile.c13
-rw-r--r--src/include/etc_groups.h16
-rw-r--r--src/man/firejail.txt19
32 files changed, 1072 insertions, 187 deletions
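--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -5,9 +5,9 @@ on:
  branches: [ master ]
  paths-ignore:
  - '.github/ISSUE_TEMPLATE/*'
- - 'etc/**'
- - 'contrib/gtksourceview-5/**'
+ - 'contrib/syntax/**'
  - 'contrib/vim/**'
+ - 'etc/**'
  - 'src/man/*.txt'
  - .git-blame-ignore-revs
  - .github/dependabot.yml
@@ -27,9 +27,9 @@ on:
  branches: [ master ]
  paths-ignore:
  - '.github/ISSUE_TEMPLATE/*'
- - 'etc/**'
- - 'contrib/gtksourceview-5/**'
+ - 'contrib/syntax/**'
  - 'contrib/vim/**'
+ - 'etc/**'
  - 'src/man/*.txt'
  - .git-blame-ignore-revs
  - .github/dependabot.yml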
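Review bot: Both `paths-ignore` lists now skip `contrib/syntax/**`, yet the Makefile change in this same commit makes the default `all` target depend on `$(CONTRIB_TARGET)`, which generates files from `contrib/syntax/files/*.in`. A change that touches only those templates or the lists could therefore break `make` without this build workflow running. Consider dropping the `- 'contrib/syntax/**'` entry, or add a comment above it such as `# inputs of 'make syntax'; template-only changes are not built by this workflow` so the gap is deliberate. The same entry is added to the two `paths-ignore` lists in codeql-analysis.yml.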
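--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,9 +10,9 @@ on:
  branches: [ master ]
  paths-ignore:
  - '.github/ISSUE_TEMPLATE/*'
- - 'etc/**'
- - 'contrib/gtksourceview-5/**'
+ - 'contrib/syntax/**'
  - 'contrib/vim/**'
+ - 'etc/**'
  - 'src/man/*.txt'
  - .git-blame-ignore-revs
  - .github/dependabot.yml
@@ -32,9 +32,9 @@ on:
  branches: [ master ]
  paths-ignore:
  - '.github/ISSUE_TEMPLATE/*'
- - 'etc/**'
- - 'contrib/gtksourceview-5/**'
+ - 'contrib/syntax/**'
  - 'contrib/vim/**'
+ - 'etc/**'
  - 'src/man/*.txt'
  - .git-blame-ignore-revs
  - .github/dependabot.yml
@@ -88,7 +88,7 @@ jobs:
 
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL
- uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02
+ uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
  with:
  languages: ${{ matrix.language }}
  # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
  # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
- uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02
+ uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
 
  # ℹī¸ Command-line programs to run using the OS shell.
  # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
  # make release
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02
+ uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe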
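Review bot: The three `uses:` lines (init, autobuild, analyze) pin github/codeql-action to a full commit SHA, which is the right form, but nothing on the line records which release that SHA corresponds to. From the diff alone a reviewer cannot tell whether the bump moves to a tagged release or to an arbitrary commit. Add a trailing comment to each line, e.g. `uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # <release tag>`, and keep the three SHAs identical so the action's steps always come from the same revision.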
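--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,9 @@ config.log
 config.mk
 config.sh
 config.status
+contrib/syntax/files/example
+contrib/syntax/files/firejail-profile.lang
+contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5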
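--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -38,8 +38,7 @@ If you add a new command, here's the checklist:
 
  - [ ] Update manpages: firejail(1) and firejail-profile(5)
  - [ ] Update shell completions
- - [ ] Update vim syntax files
- - [ ] Update gtksourceview language specs
+ - [ ] Update syntax files (run `make syntax` or just `make`)
  - [ ] Update --help
 
 # Editing the wiki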
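--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,10 @@ MAN_TARGET = man
 MAN_SRC = src/man
 endif
 
+ifneq ($(HAVE_CONTRIB_INSTALL),no)
+CONTRIB_TARGET = contrib
+endif
+
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
@@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+
+SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
+
+# Lists of keywords used in profiles; used for generating syntax files.
+SYNTAX_LISTS = \
+ contrib/syntax/lists/profile_commands_arg0.list \
+ contrib/syntax/lists/profile_commands_arg1.list \
+ contrib/syntax/lists/profile_conditionals.list \
+ contrib/syntax/lists/profile_macros.list \
+ contrib/syntax/lists/syscall_groups.list \
+ contrib/syntax/lists/syscalls.list \
+ contrib/syntax/lists/system_errnos.list
+
+SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in))
+SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
+
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
+all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
 
 config.mk config.sh:
- printf 'run ./configure to generate %s\n' "$@" >&2
- false
+ @printf 'error: run ./configure to generate %s\n' "$@" >&2
+ @false
 
 .PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
@@ -38,11 +58,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
  $(MAKE) -C $@
 
-$(MANPAGES): src/man config.mk
- ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
-
-man: $(MANPAGES)
-
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
  src/fseccomp/fseccomp default seccomp
@@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
  src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+$(MANPAGES): src/man config.mk
+ ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+
+man: $(MANPAGES)
+
+# Makes all targets in contrib/
+.PHONY: contrib
+contrib: syntax
+
+.PHONY: syntax
+syntax: $(SYNTAX_FILES)
+
+# TODO: include/rlimit are false positives
+contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
+ @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
+ grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
+
+# TODO: private-lib is special-cased in the code and doesn't match the regex
+contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
+ @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
+ LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
+ @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
+ /\t*\{"[^"]+".*/ \
+ { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
+ /^\t\{ NULL, NULL \}$$/ {process=0;}' \
+ $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
+ @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
+ @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
+ @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
+ LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/system_errnos.list: src/lib/errno.c
+ @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
+space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
+edit_syntax_file = sed \
+ -e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \
+ -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
+ -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
+ -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
+ -e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
+ -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
+ -e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
+ -e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
+
+contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
+ @printf 'Generating %s from %s\n' $@ $<
+ @$(edit_syntax_file) $< >$@
+
+# gtksourceview language-specs
+contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
+ @printf 'Generating %s from %s\n' $@ $<
+ @$(edit_syntax_file) $< >$@
+
+# vim syntax files
+contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
+ @printf 'Generating %s from %s\n' $@ $<
+ @$(edit_syntax_file) $< >$@
+
 .PHONY: clean
 clean:
  for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
  $(MAKE) -C $$dir clean; \
  done
  $(MAKE) -C test clean
- rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
  rm -f $(SECCOMP_FILTERS)
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+ rm -f $(SYNTAX_FILES)
  rm -f test/utils/index.html*
  rm -f test/utils/wget-log
  rm -f test/utils/firejail-test-file*
@@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
  install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
  install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
  install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
- install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
- # gtksourceview-5 language-specs
+ install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+ # gtksourceview language-specs
  install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
- install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+ install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
 endif
  # documents
  install -m 0755 -d $(DESTDIR)$(docdir)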
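Review bot: The list rules added in the `@@ -65,14 +80,83 @@` hunk can silently write an empty list, because every recipe is a pipeline ending in `LC_ALL=C sort -u >$@` and make only sees sort's exit status, not that of the `sed` or `awk` in front of it. This matters most for `profile_conditionals.list`, whose awk program calls `gensub`, a gawk extension; with another awk the program fails, the tracked list is truncated, and the syntax files are then generated with an empty alternation. The `\s\+` and `\+` in the `syscalls.list` expression are GNU sed extensions with the same failure mode. Write each list to a temporary file and rename it only when it is non-empty, e.g. end the recipe with `LC_ALL=C sort -u >$@.tmp && test -s $@.tmp && mv $@.tmp $@`, and replace `gensub` with POSIX `sub` on the matched line.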
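--- a/README
+++ b/README
@@ -125,6 +125,8 @@ Alexander Stein (https://github.com/ajstein)
 alkim0 (https://github.com/alkim0)
  - warn when encountering EIO during remount
  - Add profile for chafa
+amano-kenji (https://github.com/amano-kenji)
+ - fix private-etc in qutebrowser profile
 Amin Vakil (https://github.com/aminvakil)
  - whois profile fix
  - added profile for strawberry
@@ -679,6 +681,8 @@ Laurent Declercq (https://github.com/nuxwin)
  - fixed test for shell interpreter in chroots
 LaurentGH (https://github.com/LaurentGH)
  - allow private-bin parameters to be absolute paths
+layderv (https://github.com/layderv)
+ - prevent sandbox name from containing only digits
 lecso7 (https://github.com/lecso7)
  - added goldendict profile
  - allow evince to read .cbz file format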
diff --git a/README.md b/README.md
index f261da2a3..7d1c88c65 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
184 184
185### private-etc rework 185### private-etc rework
186````` 186`````
187 --private-etc, --private-etc=file,directory 187 --private-etc, --private-etc=file,directory,@group
188 The files installed by --private-etc are copies of the original 188 The files installed by --private-etc are copies of the original
189 system files from /etc directory. By default, the command 189 system files from /etc directory. By default, the command
190 brings in a skeleton of files and directories used by most con‐ 190 brings in a skeleton of files and directories used by most con‐
@@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
192 192
193 $ firejail --private-etc dig debian.org 193 $ firejail --private-etc dig debian.org
194 194
195 For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. 195 For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame‐
196 Example: 196 ter. Example:
197 197
198 $ firejail --private-etc=GUI,python* gimp 198 $ firejail --private-etc=@x11,gcrypt,python* gimp
199 199
200 /etc/python* directories are not part of the generic GUI group. 200 gcrypt and /etc/python* directories are not part of the generic
201 These directories are reuqired by Gimp plugin system. File glob‐ 201 @x11 group. File globbing is supported.
202 bing is supported.
203 202
204 For games, add GAMES group: 203 For games, add @games group:
205 204
206 $ firejail --private-etc=GUI,GAMES warzone2100 205 $ firejail --private-etc=@games,@x11 warzone2100
207 206
208 Sound and networking files are included automatically, unless 207 Sound and networking files are included automatically, unless
209 --nosound or --net=none are specified. Files for encrypted 208 --nosound or --net=none are specified. Files for encrypted
210 TLS/SSL protocol are in TLS-CA group. 209 TLS/SSL protocol are in @tls-ca group.
211 210
212 $ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org 211 $ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
213 212
214 Note: The easiest way to extract the list of /etc files accessed 213 Note: The easiest way to extract the list of /etc files accessed
215 by your program is using strace utility: 214 by your program is using strace utility:
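--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.73) baseline; urgency=low
  * work in progress
  * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
+ * modif: prevent sandbox name from containing only digits (#5578)
  * docs: remove apparmor options in --help when building without apparmor
  support (#5589)
  * fix: qutebrowser not opening tabs (#5601)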
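--- /dev/null
+++ b/contrib/syntax/files/example.in
@@ -0,0 +1,16 @@
+# @make_input@
+# Example file to check the values of input variables.
+
+FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
+
+FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
+
+FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
+
+FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
+
+FJ_SYSCALLS = @FJ_SYSCALLS@
+
+FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
+
+FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@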
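--- a/contrib/gtksourceview-5/language-specs/firejail-profile.lang
+++ b/contrib/syntax/files/firejail-profile.lang.in
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- @make_input@ -->
 <!-- vim: set ts=2 sts=2 sw=2 et: -->
 <!--
  https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
@@ -20,15 +21,15 @@
 
  <definitions>
  <define-regex id="commands-with-arguments" extended="true">
- (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
+ (@FJ_PROFILE_COMMANDS_ARG1@)
  </define-regex>
 
  <define-regex id="commands-without-arguments" extended="true">
- (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
+ (@FJ_PROFILE_COMMANDS_ARG0@)
  </define-regex>
 
  <define-regex id="conditions" extended="true">
- (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
+ (@FJ_PROFILE_CONDITIONALS@)
  </define-regex>
 
  <context id="conditional-line">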
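Review bot: The generated alternations come out of `sort -u`, so a short command now precedes the longer names it prefixes (`blacklist` before `blacklist-nolog`, `netfilter` before `netfilter6`, `private` before `private-bin`), whereas the removed hand-written `commands-with-arguments` list put the longer names first (`blacklist-nolog|blacklist`, `netfilter6|netfilter`, `private-srv|private`). The contexts that reference these regexes are outside the hunk, so this needs checking: if they do not anchor the end of the command, leftmost-first alternation would stop at the prefix and treat the remainder of the name as an argument. Either anchor the group where it is used or emit the lists longest-first, e.g. `LC_ALL=C sort -ru` in the Makefile rules that feed this template.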
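--- /dev/null
+++ b/contrib/syntax/files/firejail.vim.in
@@ -0,0 +1,99 @@
+" @make_input@
+" Vim syntax file
+" Language: Firejail security sandbox profile
+" URL: https://github.com/netblue30/firejail
+
+if exists("b:current_syntax")
+ finish
+endif
+
+
+syn iskeyword @,48-57,_,.,-
+
+
+syn keyword fjTodo TODO FIXME XXX NOTE contained
+syn match fjComment "#.*$" contains=fjTodo
+
+"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
+syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
+syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+
+syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
+syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
+
+syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
+syn match fjProtocolList /,/ nextgroup=fjProtocol contained
+
+" Syscalls (auto-generated)
+syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained
+" Syscall groups (auto-generated)
+syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained
+syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
+" Errnos (auto-generated)
+syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained
+syn match fjSyscallList /,/ nextgroup=fjSyscall contained
+
+syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
+
+syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
+syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
+
+syn keyword fjAll all contained
+syn keyword fjNone none contained
+syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
+
+" Variable names (auto-generated)
+syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/
+
+" Profile commands with 1 argument (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained
+" Profile commands with 0 arguments (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained
+syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
+syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
+syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
+syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
+syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
+syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
+syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
+syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
+syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
+" Commands that can't be inside a ?CONDITIONAL: statement
+syn match fjCommandNoCond /include / skipwhite contained
+syn match fjCommandNoCond /quiet$/ contained
+
+" Conditionals (auto-generated)
+syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained
+
+" A line is either a command, a conditional or a comment
+syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
+
+hi def link fjTodo Todo
+hi def link fjComment Comment
+hi def link fjCommand Statement
+hi def link fjCommandNoCond Statement
+hi def link fjConditional Macro
+hi def link fjVar Identifier
+hi def link fjCapability Type
+hi def link fjProtocol Type
+hi def link fjSyscall Type
+hi def link fjSyscallErrno Constant
+hi def link fjX11Sandbox Type
+hi def link fjEnvVar Type
+hi def link fjRmenvVar Type
+hi def link fjAll Type
+hi def link fjNone Type
+hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
+
+
+let b:current_syntax = "firejail"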
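Review bot: In `syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) /` the substituted names are used as a very-magic regex, but profile_commands_arg1.list carries raw dots (`caps.drop`, `seccomp.32.keep`), so each `.` matches any character and a mistyped `caps-drop ` is still highlighted as a valid command. The arg0 list is escaped in its Makefile rule, but `sed 's/\./\\./'` has no `g` and so covers only the first dot on a line. In a sandbox profile the highlighting is often the only visual cue that a hardening directive is misspelled, so escape every dot in both list rules, e.g. `sed 's/\./\\./g'`, and confirm that the backslash survives the `edit_syntax_file` substitution into the generated file.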
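--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -0,0 +1,50 @@
+allow-debuggers
+allusers
+apparmor
+apparmor-replace
+apparmor-stack
+caps
+deterministic-exit-code
+deterministic-shutdown
+disable-mnt
+ipc-namespace
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+machine-id
+memory-deny-write-execute
+netfilter
+netlock
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+overlay
+overlay-tmpfs
+private
+private-cache
+private-cwd
+private-dev
+private-etc
+private-lib
+private-tmp
+quiet
+restrict-namespaces
+seccomp
+seccomp\.block-secondary
+tab
+tracelog
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
+x11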
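--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -0,0 +1,76 @@
+apparmor
+bind
+blacklist
+blacklist-nolog
+caps.drop
+caps.keep
+cpu
+dbus-system.broadcast
+dbus-system.call
+dbus-system.own
+dbus-system.see
+dbus-system.talk
+dbus-user.broadcast
+dbus-user.call
+dbus-user.own
+dbus-user.see
+dbus-user.talk
+defaultgw
+dns
+env
+hostname
+hosts-file
+ignore
+include
+ip
+ip6
+iprange
+join-or-start
+keep-fd
+mac
+mkdir
+mkfile
+mtu
+name
+net
+netfilter
+netfilter6
+netmask
+netns
+nice
+noblacklist
+noexec
+nowhitelist
+overlay-named
+private
+private-bin
+private-cwd
+private-etc
+private-home
+private-lib
+private-opt
+private-srv
+protocol
+read-only
+read-write
+restrict-namespaces
+rlimit-as
+rlimit-cpu
+rlimit-fsize
+rlimit-nofile
+rlimit-nproc
+rlimit-sigpending
+rmenv
+seccomp
+seccomp-error-action
+seccomp.32
+seccomp.32.drop
+seccomp.32.keep
+seccomp.drop
+seccomp.keep
+timeout
+tmpfs
+veth-name
+whitelist
+whitelist-ro
+xephyr-screen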
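--- /dev/null
+++ b/contrib/syntax/lists/profile_conditionals.list
@@ -0,0 +1,9 @@
+ALLOW_TRAY
+BROWSER_ALLOW_DRM
+BROWSER_DISABLE_U2F
+HAS_APPIMAGE
+HAS_NET
+HAS_NODBUS
+HAS_NOSOUND
+HAS_PRIVATE
+HAS_X11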
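--- /dev/null
+++ b/contrib/syntax/lists/profile_macros.list
@@ -0,0 +1,10 @@
+CFG
+DESKTOP
+DOCUMENTS
+DOWNLOADS
+HOME
+MUSIC
+PATH
+PICTURES
+RUNUSER
+VIDEOS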
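--- /dev/null
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -0,0 +1,29 @@
+aio
+basic-io
+chown
+clock
+cpu-emulation
+debug
+default
+default-keep
+default-nodebuggers
+file-system
+io-event
+ipc
+keyring
+memlock
+module
+mount
+network-io
+obsolete
+privileged
+process
+raw-io
+reboot
+resources
+setuid
+signal
+swap
+sync
+system-service
+timer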
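--- /dev/null
+++ b/contrib/syntax/lists/syscalls.list
@@ -0,0 +1,454 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+brk
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_pwait2
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futex_time64
+futex_waitv
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+landlock_add_rule
+landlock_create_ruleset
+landlock_restrict_self
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+mount_setattr
+move_mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_madvise
+process_mrelease
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+pselect6_time64
+ptrace
+putpmsg
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+quotactl_fd
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+stty
+swapoff
+swapon
+symlink
+symlinkat
+sync
+sync_file_range
+syncfs
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev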
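--- /dev/null
+++ b/contrib/syntax/lists/system_errnos.list
@@ -0,0 +1,135 @@
+E2BIG
+EACCES
+EADDRINUSE
+EADDRNOTAVAIL
+EADV
+EAFNOSUPPORT
+EAGAIN
+EALREADY
+EBADE
+EBADF
+EBADFD
+EBADMSG
+EBADR
+EBADRQC
+EBADSLT
+EBFONT
+EBUSY
+ECANCELED
+ECHILD
+ECHRNG
+ECOMM
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+EDEADLK
+EDEADLOCK
+EDESTADDRREQ
+EDOM
+EDOTDOT
+EDQUOT
+EEXIST
+EFAULT
+EFBIG
+EHOSTDOWN
+EHOSTUNREACH
+EHWPOISON
+EIDRM
+EILSEQ
+EINPROGRESS
+EINTR
+EINVAL
+EIO
+EISCONN
+EISDIR
+EISNAM
+EKEYEXPIRED
+EKEYREJECTED
+EKEYREVOKED
+EL2HLT
+EL2NSYNC
+EL3HLT
+EL3RST
+ELIBACC
+ELIBBAD
+ELIBEXEC
+ELIBMAX
+ELIBSCN
+ELNRNG
+ELOOP
+EMEDIUMTYPE
+EMFILE
+EMLINK
+EMSGSIZE
+EMULTIHOP
+ENAMETOOLONG
+ENAVAIL
+ENETDOWN
+ENETRESET
+ENETUNREACH
+ENFILE
+ENOANO
+ENOATTR
+ENOBUFS
+ENOCSI
+ENODATA
+ENODEV
+ENOENT
+ENOEXEC
+ENOKEY
+ENOLCK
+ENOLINK
+ENOMEDIUM
+ENOMEM
+ENOMSG
+ENONET
+ENOPKG
+ENOPROTOOPT
+ENOSPC
+ENOSR
+ENOSTR
+ENOSYS
+ENOTBLK
+ENOTCONN
+ENOTDIR
+ENOTEMPTY
+ENOTNAM
+ENOTRECOVERABLE
+ENOTSOCK
+ENOTSUP
+ENOTTY
+ENOTUNIQ
+ENXIO
+EOPNOTSUPP
+EOVERFLOW
+EOWNERDEAD
+EPERM
+EPFNOSUPPORT
+EPIPE
+EPROTO
+EPROTONOSUPPORT
+EPROTOTYPE
+ERANGE
+EREMCHG
+EREMOTE
+EREMOTEIO
+ERESTART
+ERFKILL
+EROFS
+ESHUTDOWN
+ESOCKTNOSUPPORT
+ESPIPE
+ESRCH
+ESRMNT
+ESTALE
+ESTRPIPE
+ETIME
+ETIMEDOUT
+ETOOMANYREFS
+ETXTBSY
+EUCLEAN
+EUNATCH
+EUSERS
+EWOULDBLOCK
+EXDEV
+EXFULL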
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
deleted file mode 100644
index c844350d8..000000000
--- a/contrib/vim/syntax/firejail.vim
+++ /dev/null
@@ -1,104 +0,0 @@
1" Vim syntax file
2" Language: Firejail security sandbox profile
3" URL: https://github.com/netblue30/firejail
4
5if exists("b:current_syntax")
6 finish
7endif
8
9
10syn iskeyword @,48-57,_,.,-
11
12
13syn keyword fjTodo TODO FIXME XXX NOTE contained
14syn match fjComment "#.*$" contains=fjTodo
15
16"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
17syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
18syn match fjCapabilityList /,/ nextgroup=fjCapability contained
19
20syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
21syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
22
23syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
24syn match fjProtocolList /,/ nextgroup=fjProtocol contained
25
26" Syscalls grabbed from: src/include/syscall*.h
27" Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '
28syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr 
mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync 
sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
29" Syscall groups grabbed from: src/fseccomp/syscall.c
30" Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|'
31syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
32syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
33" Errnos grabbed from: src/fseccomp/errno.c
34" Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|'
35syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
36syn match fjSyscallList /,/ nextgroup=fjSyscall contained
37
38syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
39syn keyword fjSeccompAction kill log ERRNO contained
40
41syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
42syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
43
44syn keyword fjAll all contained
45syn keyword fjNone none contained
46syn keyword fjLo lo contained
47syn keyword fjFilter filter contained
48
49" Variable names grabbed from: src/firejail/macros.c
50" Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|'
51syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
52
53" Commands grabbed from: src/firejail/profile.c
54" Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
55syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
56" Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below
57syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
58syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
59syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
60syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
61syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
62syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
63syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
64syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
65syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
66syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
67syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
68syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
69syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
70syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
71syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
72syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
73" Commands that can't be inside a ?CONDITIONAL: statement
74syn match fjCommandNoCond /include / skipwhite contained
75syn match fjCommandNoCond /quiet$/ contained
76
77" Conditionals grabbed from: src/firejail/profile.c
78" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|'
79syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
80
81" A line is either a command, a conditional or a comment
82syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
83
84hi def link fjTodo Todo
85hi def link fjComment Comment
86hi def link fjCommand Statement
87hi def link fjCommandNoCond Statement
88hi def link fjConditional Macro
89hi def link fjVar Identifier
90hi def link fjCapability Type
91hi def link fjProtocol Type
92hi def link fjSyscall Type
93hi def link fjSyscallErrno Constant
94hi def link fjX11Sandbox Type
95hi def link fjEnvVar Type
96hi def link fjRmenvVar Type
97hi def link fjAll Type
98hi def link fjNone Type
99hi def link fjLo Type
100hi def link fjFilter Type
101hi def link fjSeccompAction Type
102
103
104let b:current_syntax = "firejail"
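--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.histfile
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.kde/share/apps/klipper
 blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
 blacklist-nolog ${HOME}/.local/share/klipper
@@ -25,10 +26,9 @@ blacklist-nolog ${HOME}/.local/share/nvim
 blacklist-nolog ${HOME}/.local/state/nvim
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.mutthistory
 blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
 blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
 blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 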
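Review bot: The second hunk removes `blacklist-nolog ${HOME}/.python_history` while keeping `.python-history` and `.pythonhist`. `~/.python_history` is the file CPython's interactive interpreter writes by default, so unless the entry survives elsewhere in the file (not visible in these hunks), sandboxed programs can read REPL history again, and that history can hold pasted secrets. I would keep the line in its sorted position after `.python-history`: `blacklist-nolog ${HOME}/.python_history`.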
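--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
 private-tmp
 
 # Redirect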
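Review bot: The `private-etc` line gains `resolv.conf`, but the comment above it only explains `login.defs`, so the reason an archive wrapper needs resolver configuration inside the sandbox is undocumented. `private-etc` is an allowlist, so each entry should carry its justification: extend the comment, for example `# resolv.conf: <which helper fails without it>`, or drop the entry if nothing depends on it. Whether this profile disables networking is not visible in the hunk.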
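--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -54,7 +54,7 @@ tracelog
 private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
-private-etc TLS-CA
+private-etc @tls-ca
 private-tmp
 
 dbus-user none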
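--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -60,7 +60,7 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 # Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
-private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
+private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
 blacklist ${PATH}/curl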
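Review bot: The new `private-etc` line drops the old `NETWORK` group without adding `@network`; it now reads `@tls-ca,@x11,mailcap,mime.types,os-release`. If the default list (`etc_list`, only partly visible in this commit) does not already carry `hostname`, `hosts` and the other files that `@network` provides, a browser would start without them. Either confirm the default covers them and say so in the comment above, or write `private-etc @network,@tls-ca,@x11,mailcap,mime.types,os-release`.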
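--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc gcrypt,GUI,python*
+private-etc @x11,gcrypt,python*
 private-tmp
 
 dbus-user none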
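--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -65,7 +65,7 @@ tracelog
 # private-bin inkscape,potrace,python* - problems on Debian stretch
 private-cache
 private-dev
-private-etc ImageMagick*,inkscape: GUI,python*
+private-etc @x11,ImageMagick*,python*
 private-tmp
 
 dbus-user filter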
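--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail
 noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.mutthistory
 noblacklist ${HOME}/.muttrc
 noblacklist ${HOME}/.nanorc
 noblacklist ${HOME}/.signature
@@ -51,29 +52,18 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
 mkdir ${HOME}/.cache/mutt
 mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
 mkdir ${HOME}/.mutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
 mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
 mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail
@@ -89,6 +79,7 @@ whitelist ${HOME}/.mail
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.msmtprc
 whitelist ${HOME}/.mutt
+whitelist ${HOME}/.mutthistory
 whitelist ${HOME}/.muttrc
 whitelist ${HOME}/.nanorc
 whitelist ${HOME}/.signature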
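Review bot: `${HOME}/.mutthistory` is added to the `noblacklist` and `whitelist` lists, but the second hunk adds no `mkfile ${HOME}/.mutthistory` next to the remaining `mkfile` lines. A whitelist entry only takes effect for a path that exists when the sandbox starts, so on a first run the history would probably be written to the temporary home and lost on exit. Consider adding `mkfile ${HOME}/.mutthistory` after `mkfile ${HOME}/.mailcap`.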
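--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
-private-etc GAMES,GUI
+private-etc @games,@x11
 private-tmp
 
 restrict-namespaces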
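--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
  char* ptr = strtok(str, ",");
  while (ptr) {
  // look for standard groups
- if (strcmp(ptr, "TLS-CA") == 0)
+ if (strcmp(ptr, "@tls-ca") == 0)
  etc_copy_group(&etc_group_tls_ca[0]);
- if (strcmp(ptr, "GUI") == 0)
- etc_copy_group(&etc_group_gui[0]);
+ if (strcmp(ptr, "@x11") == 0)
+ etc_copy_group(&etc_group_x11[0]);
- if (strcmp(ptr, "SOUND") == 0)
+ if (strcmp(ptr, "@sound") == 0)
  etc_copy_group(&etc_group_sound[0]);
- if (strcmp(ptr, "NETWORK") == 0)
+ if (strcmp(ptr, "@network") == 0)
  etc_copy_group(&etc_group_network[0]);
- if (strcmp(ptr, "GAMES") == 0)
+ if (strcmp(ptr, "@games") == 0)
  etc_copy_group(&etc_group_games[0]);
  else
  etc_add(ptr);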
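Review bot: The trailing `else` pairs only with the `@games` test, so a token such as `@tls-ca` or `@x11` is expanded by its own `if` and then also passed to `etc_add(ptr)` as if it were a file name. The same fall-through sends any unrecognised or misspelled `@group`, and the old upper-case names that profiles outside this commit may still use, to `etc_add` without a diagnostic, leaving the sandbox with a different /etc than the profile author intended. Chain the tests, `else if (strcmp(ptr, "@x11") == 0)` and likewise for `@sound`, `@network` and `@games`, and consider rejecting an unknown token that starts with `@`. The loop and the rest of fs_etc_build continue outside the hunk.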
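--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2172,11 +2172,24 @@ int main(int argc, char **argv, char **envp) {
  // hostname, etc
  //*************************************
  else if (strncmp(argv[i], "--name=", 7) == 0) {
+ int only_numbers = 1;
  cfg.name = argv[i] + 7;
  if (strlen(cfg.name) == 0) {
  fprintf(stderr, "Error: please provide a name for sandbox\n");
  return 1;
  }
+ const char *c = cfg.name;
+ while (*c) {
+ if (!isdigit(*c)) {
+ only_numbers = 0;
+ break;
+ }
+ ++c;
+ }
+ if (only_numbers) {
+ fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+ return 1;
+ }
  }
  else if (strncmp(argv[i], "--hostname=", 11) == 0) {
  cfg.hostname = argv[i] + 11;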
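Review bot: `isdigit(*c)` receives a plain `char` taken from `argv`, and passing a negative value (any byte above 0x7f where `char` is signed) to a `<ctype.h>` function is undefined behaviour; cast first, `if (!isdigit((unsigned char)*c)) {`. The identical loop added to the `name ` branch of profile_check_line in src/firejail/profile.c needs the same cast. Whether `<ctype.h>` is included in either file is not visible in these hunks. The enclosing option chain in main() starts and ends outside the hunk.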
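--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  }
  // sandbox name
  else if (strncmp(ptr, "name ", 5) == 0) {
+ int only_numbers = 1;
  cfg.name = ptr + 5;
  if (strlen(cfg.name) == 0) {
  fprintf(stderr, "Error: invalid sandbox name\n");
  exit(1);
  }
+ const char *c = cfg.name;
+ while (*c) {
+ if (!isdigit(*c)) {
+ only_numbers = 0;
+ break;
+ }
+ ++c;
+ }
+ if (only_numbers) {
+ fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+ exit(1);
+ }
  return 0;
  }
  else if (strcmp(ptr, "ipc-namespace") == 0) {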
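Review bot: This digit check is a copy of the one added to main.c, so the two entry points that accept a sandbox name can drift apart. A single helper called from both places, for instance `int name_is_all_digits(const char *name)` (a suggested name, not one from the tree), would keep the rule identical. A one-line comment on why all-digit names are refused would also help, e.g. `// an all-digit name cannot be told apart from a PID by commands that accept either`; that rationale is inferred, not stated in the commit. The branch sits inside profile_check_line, which extends beyond the hunk.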
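--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -23,7 +23,7 @@
 
 #define ETC_MAX 256
 
-// DEFAULT
+// @default
 static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
  "alternatives",
  "fonts",
@@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
  NULL
 };
 
-// SOUND
+// @sound
 static char *etc_group_sound[] = {
  "alsa",
  "asound.conf",
@@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
  NULL
 };
 
-// NETWORK
+// @network
 static char*etc_group_network[] = {
  "hostname",
  "hosts",
@@ -60,7 +60,7 @@ static char*etc_group_network[] = {
  NULL
 };
 
-// TLS-CA
+// @tls-ca
 static char *etc_group_tls_ca[] = {
  "ca-certificates",
  "crypto-policies",
@@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
  NULL
 };
 
-// GUI
-static char *etc_group_gui[] = {
+// @x11
+static char *etc_group_x11[] = {
  "xdg",
  "drirc",
  "dconf",
@@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
  "kde4rc",
  "kde5rc",
  "pango", // text rendering/internationalization
+ "nvidia",
+ "X11",
  NULL
 };
 
-// GAMES
+// @games
 static char *etc_group_games[] = {
  "timidity", // MIDI
  "timidity.cfg",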
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e60c139a5..1b051ab57 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
1330\fB\-\-name=name 1330\fB\-\-name=name
1331Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use 1331Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
1332this name to identify a sandbox. 1332this name to identify a sandbox.
1333The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
1333 1334
1334In case the name supplied by the user is already in use by another sandbox, Firejail will assign a 1335In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
1335new name as "name-PID", where PID is the process ID of the sandbox. This functionality 1336new name as "name-PID", where PID is the process ID of the sandbox. This functionality
@@ -2127,27 +2128,27 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
2127.br 2128.br
2128$ 2129$
2129.TP 2130.TP
2130\fB\-\-private-etc, \-\-private-etc=file,directory 2131\fB\-\-private-etc, \-\-private-etc=file,directory,@group
2131The files installed by \-\-private-etc are copies of the original system files from /etc directory. 2132The files installed by \-\-private-etc are copies of the original system files from /etc directory.
2132By default, the command brings in a skeleton of files and directories used by most console tools: 2133By default, the command brings in a skeleton of files and directories used by most console tools:
2133 2134
2134$ firejail --private-etc dig debian.org 2135$ firejail --private-etc dig debian.org
2135 2136
2136For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example: 2137For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example:
2137 2138
2138$ firejail --private-etc=GUI,python* gimp 2139$ firejail --private-etc=@x11,gcrypt,python* gimp
2139 2140
2140/etc/python* directories are not part of the generic GUI group. 2141gcrypt and /etc/python* directories are not part of the generic @x11 group.
2141These directories are reuqired by Gimp plugin system. File globbing is supported. 2142File globbing is supported.
2142 2143
2143For games, add GAMES group: 2144For games, add @games group:
2144 2145
2145$ firejail --private-etc=GUI,GAMES warzone2100 2146$ firejail --private-etc=@games,@x11 warzone2100
2146 2147
2147Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified. 2148Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
2148Files for encrypted TLS/SSL protocol are in TLS-CA group. 2149Files for encrypted TLS/SSL protocol are in @tls-ca group.
2149 2150
2150$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org 2151$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
2151 2152
2152 2153
2153Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: 2154Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: