profile build tool

author: netblue30 <netblue30@yahoo.com> 2017-09-17 09:53:54 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-17 09:53:54 -0400
commit: b3f2318759905dd58bbdc93782ccf9d63322bf05 (patch)
tree: 87e3793007593a4bdbe9123a415d58b6022e6b6b
parent: cleanup (diff)
download: firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.tar.gz
firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.tar.zst
firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.zip
4 files changed, 76 insertions, 1 deletions
diff --git a/README.md b/README.md
index 255384e2e..19d86f855 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,64 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.51
+## Profile build  tool
+`````
+$ firejail --build appname
+`````
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+Example:
+`````
+$ firejail --build vlc ~/Videos/test.mp4
+[...]
+############################################
+# vlc profile
+############################################
+# Persistent global definitions
+# include /etc/firejail/globals.local
+### basic blacklisting
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
+### home directory whitelisting
+whitelist ~/Videos
+whitelist ~/.local/share/vlc
+whitelist ~/.config/vlc
+include /etc/firejail/whitelist-common.inc
+### filesystem
+private-tmp
+private-dev
+private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
+whitelist /var/lib/menu-xdg
+### security filters
+caps.drop all
+nonewprivs
+seccomp
+# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
+# 82 syscalls total
+# Probably you will need to add more syscalls to seccomp.keep. Look for
+# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
+# running your sandbox.
+### network
+protocol unix,netlink,
+net none
+### environment
+shell none
+$
+````
 ## New command line options
 `````
      --writable-run-user
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 76281a54d..dcd86e069 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
 //*******************************************
 static FileDB *var_out = NULL;
 static void var_callback(char *ptr) {
-        if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+        if (strcmp(ptr, "/var/lib") == 0)
+                ;
+        else if (strcmp(ptr, "/var/cache") == 0)
+                ;
+        else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
                var_out = filedb_add(var_out, "/var/lib/menu-xdg");
        else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
                var_out = filedb_add(var_out, "/var/cache/fontconfig");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index fc7dbd69c..f09eb6416 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
        printf("    --blacklist=filename - blacklist directory or file.\n");
+        printf("    --build - build a whitelisted profile for the application.\n");
        printf("    -c - execute command and exit.\n");
        printf("    --caps - enable default Linux capabilities filter.\n");
        printf("    --caps.drop=all - drop all capabilities.\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2dd3abbb7..36ae3166b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP
author	netblue30 <netblue30@yahoo.com>	2017-09-17 09:53:54 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-17 09:53:54 -0400
commit	b3f2318759905dd58bbdc93782ccf9d63322bf05 (patch)
tree	87e3793007593a4bdbe9123a415d58b6022e6b6b
parent	cleanup (diff)
download	firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.tar.gz firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.tar.zst firejail-b3f2318759905dd58bbdc93782ccf9d63322bf05.zip

diff --git a/README.md b/README.md index 255384e2e..19d86f855 100644 --- a/README.md +++ b/README.md
@@ -98,6 +98,64 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
98	`````	98	`````
99	# Current development version: 0.9.51	99	# Current development version: 0.9.51
100		100
		101	## Profile build tool
		102	`````
		103	$ firejail --build appname
		104	`````
		105	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
		106	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
		107	with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
		108	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
		109
		110	Example:
		111	`````
		112	$ firejail --build vlc ~/Videos/test.mp4
		113
		114	[...]
		115
		116	############################################
		117	# vlc profile
		118	############################################
		119	# Persistent global definitions
		120	# include /etc/firejail/globals.local
		121
		122	### basic blacklisting
		123	include /etc/firejail/disable-common.inc
		124	# include /etc/firejail/disable-devel.inc
		125	include /etc/firejail/disable-passwdmgr.inc
		126	# include /etc/firejail/disable-programs.inc
		127
		128	### home directory whitelisting
		129	whitelist ~/Videos
		130	whitelist ~/.local/share/vlc
		131	whitelist ~/.config/vlc
		132	include /etc/firejail/whitelist-common.inc
		133
		134	### filesystem
		135	private-tmp
		136	private-dev
		137	private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
		138	whitelist /var/lib/menu-xdg
		139
		140	### security filters
		141	caps.drop all
		142	nonewprivs
		143	seccomp
		144	# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create
		145	# 82 syscalls total
		146	# Probably you will need to add more syscalls to seccomp.keep. Look for
		147	# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
		148	# running your sandbox.
		149
		150	### network
		151	protocol unix,netlink,
		152	net none
		153
		154	### environment
		155	shell none
		156	$
		157	````
		158
101	## New command line options	159	## New command line options
102	`````	160	`````
103	--writable-run-user	161	--writable-run-user


diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 76281a54d..dcd86e069 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
148	//*******************************************	148	//*******************************************
149	static FileDB *var_out = NULL;	149	static FileDB *var_out = NULL;
150	static void var_callback(char *ptr) {	150	static void var_callback(char *ptr) {
151	if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)	151	if (strcmp(ptr, "/var/lib") == 0)
		152	;
		153	else if (strcmp(ptr, "/var/cache") == 0)
		154	;
		155	else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
152	var_out = filedb_add(var_out, "/var/lib/menu-xdg");	156	var_out = filedb_add(var_out, "/var/lib/menu-xdg");
153	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)	157	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
154	var_out = filedb_add(var_out, "/var/cache/fontconfig");	158	var_out = filedb_add(var_out, "/var/cache/fontconfig");


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index fc7dbd69c..f09eb6416 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
44	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");	44	printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
45	#endif	45	#endif
46	printf(" --blacklist=filename - blacklist directory or file.\n");	46	printf(" --blacklist=filename - blacklist directory or file.\n");
		47	printf(" --build - build a whitelisted profile for the application.\n");
47	printf(" -c - execute command and exit.\n");	48	printf(" -c - execute command and exit.\n");
48	printf(" --caps - enable default Linux capabilities filter.\n");	49	printf(" --caps - enable default Linux capabilities filter.\n");
49	printf(" --caps.drop=all - drop all capabilities.\n");	50	printf(" --caps.drop=all - drop all capabilities.\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2dd3abbb7..36ae3166b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
154	.br	154	.br
155	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines	155	$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
156	.TP	156	.TP
		157	\fB\-\-build
		158	The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
		159	builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
		160	with only --caps.drop=all and --nonewprivs. Only programs that don't rise privileges are supported
		161	in order to allow strace to run. Chromium and Chromium-based browsers will not work.
		162	.br
		163
		164	.br
		165	Example:
		166	.br
		167	$ firejail --build vlc ~/Videos/test.mp4
		168	.TP
157	\fB\-c	169	\fB\-c
158	Execute command and exit.	170	Execute command and exit.
159	.TP	171	.TP