private-bin conversion

author: netblue30 <netblue30@yahoo.com> 2016-06-10 10:41:57 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-06-10 10:41:57 -0400
commit: e3abab47dcda4dba4a1412261e35cb1608ffd900 (patch)
tree: c1b75716185ea40aa77ff947991c868f7d5d8628
parent: private-bin conversion (diff)
download: firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.gz
firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.zst
firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.zip
11 files changed, 118 insertions, 4 deletions
diff --git a/README.md b/README.md
index 36fb99f3d..db0625d43 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra
 File transfer: filezilla
+Media: vlc, mpv, gnome-mplayer
+Office: evince, gthumb, fbreader
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index bc6fe1d86..7b6238d98 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
 tracelog
 include /etc/firejail/whitelist-common.inc
+# no private-bin support for various reasons:
+#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree 
+#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"  
+#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree 
+#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null 
+#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc 
+# it requires acces to browser to show the online help
+# it doesn't play nicely with expect
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 8c18ec2c3..071a82f76 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# Programs using python: deluge, some firefox addons, filezilla
+# Programs using python: deluge, firefox addons, filezilla, cherrytree
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/evince.profile b/etc/evince.profile
index 8c84a1daa..8671c1251 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin evince,evince-previewer,evince-thumbnailer
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index c4d84691c..df359e50a 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin fbreader,FBReader
+\ No newline at end of file
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index f15778534..1caea177d 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+private-bin gnome-mplayer
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 55041b5cc..68d6a52d9 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
 protocol unix,inet,inet6
 seccomp
-private-bin gthumb
 shell none
+private-bin gthumb
diff --git a/etc/vlc.profile b/etc/vlc.profile
index e225e80e9..1a6e5a151 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
 # to test
 shell none
-private-bin vlc
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1621d810f..d027eb697 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -135,7 +135,6 @@ static void myexit(int rv) {
 }
 static void my_handler(int s){
-printf("**************************\n");
        EUID_ROOT();
        if (!arg_quiet) {
                printf("\nParent received signal %d, shutting down the child process...\n", s);
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index fa56ce370..bbfe2a606 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -87,6 +87,16 @@ else
        echo "TESTING SKIP: evince not found"
 fi
+which gthumb
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gthumb"
+        ./gthumb.exp
+else
+        echo "TESTING SKIP: gthumb not found"
+fi
 which icedove
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
new file mode 100755
index 000000000..86bb975ba
--- /dev/null
+++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail gthumb\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gthumb"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail gthumb"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gthumb"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2016-06-10 10:41:57 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-06-10 10:41:57 -0400
commit	e3abab47dcda4dba4a1412261e35cb1608ffd900 (patch)
tree	c1b75716185ea40aa77ff947991c868f7d5d8628
parent	private-bin conversion (diff)
download	firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.gz firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.tar.zst firejail-e3abab47dcda4dba4a1412261e35cb1608ffd900.zip

diff --git a/README.md b/README.md index 36fb99f3d..db0625d43 100644 --- a/README.md +++ b/README.md
@@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra
71		71
72	File transfer: filezilla	72	File transfer: filezilla
73		73
		74	Media: vlc, mpv, gnome-mplayer
		75
		76	Office: evince, gthumb, fbreader
		77
74	## New security profiles	78	## New security profiles
75		79
76	Gitter, gThumb, mpv, Franz messenger	80	Gitter, gThumb, mpv, Franz messenger


diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index bc6fe1d86..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
24	tracelog	24	tracelog
25		25
26	include /etc/firejail/whitelist-common.inc	26	include /etc/firejail/whitelist-common.inc
		27
		28	# no private-bin support for various reasons:
		29	#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
		30	#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
		31	#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
		32	#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
		33	#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
		34	# it requires acces to browser to show the online help
		35	# it doesn't play nicely with expect


diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 8c18ec2c3..071a82f76 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
37	blacklist /usr/bin/ruby	37	blacklist /usr/bin/ruby
38	blacklist /usr/lib/ruby	38	blacklist /usr/lib/ruby
39		39
40	# Programs using python: deluge, some firefox addons, filezilla	40	# Programs using python: deluge, firefox addons, filezilla, cherrytree
41	# Python 2	41	# Python 2
42	#blacklist /usr/bin/python2*	42	#blacklist /usr/bin/python2*
43	#blacklist /usr/lib/python2*	43	#blacklist /usr/lib/python2*


diff --git a/etc/evince.profile b/etc/evince.profile index 8c84a1daa..8671c1251 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
10	nosound	10	nosound
11	protocol unix,inet,inet6	11	protocol unix,inet,inet6
12	seccomp	12	seccomp
		13
		14	shell none
		15	private-bin evince,evince-previewer,evince-thumbnailer


diff --git a/etc/fbreader.profile b/etc/fbreader.profile index c4d84691c..df359e50a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
13	nosound	13	nosound
14	protocol unix,inet,inet6	14	protocol unix,inet,inet6
15	seccomp	15	seccomp
		16
		17	shell none
		18	private-bin fbreader,FBReader \ No newline at end of file


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index f15778534..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
9	noroot	9	noroot
10	protocol unix,inet,inet6	10	protocol unix,inet,inet6
11	seccomp	11	seccomp
		12
		13	shell none
		14	private-bin gnome-mplayer


diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 55041b5cc..68d6a52d9 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
13	protocol unix,inet,inet6	13	protocol unix,inet,inet6
14	seccomp	14	seccomp
15		15
16	private-bin gthumb
17	shell none	16	shell none
		17	private-bin gthumb


diff --git a/etc/vlc.profile b/etc/vlc.profile index e225e80e9..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
16		16
17	# to test	17	# to test
18	shell none	18	shell none
19	private-bin vlc	19	private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc


diff --git a/src/firejail/main.c b/src/firejail/main.c index 1621d810f..d027eb697 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -135,7 +135,6 @@ static void myexit(int rv) {
135	}	135	}
136		136
137	static void my_handler(int s){	137	static void my_handler(int s){
138	printf("**************************\n");
139	EUID_ROOT();	138	EUID_ROOT();
140	if (!arg_quiet) {	139	if (!arg_quiet) {
141	printf("\nParent received signal %d, shutting down the child process...\n", s);	140	printf("\nParent received signal %d, shutting down the child process...\n", s);


diff --git a/test/apps/apps.sh b/test/apps/apps.sh index fa56ce370..bbfe2a606 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh
@@ -87,6 +87,16 @@ else
87	echo "TESTING SKIP: evince not found"	87	echo "TESTING SKIP: evince not found"
88	fi	88	fi
89		89
		90
		91	which gthumb
		92	if [ "$?" -eq 0 ];
		93	then
		94	echo "TESTING: gthumb"
		95	./gthumb.exp
		96	else
		97	echo "TESTING SKIP: gthumb not found"
		98	fi
		99
90	which icedove	100	which icedove
91	if [ "$?" -eq 0 ];	101	if [ "$?" -eq 0 ];
92	then	102	then


diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp new file mode 100755 index 000000000..86bb975ba --- /dev/null +++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail gthumb\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/gthumb.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Child process initialized"
		18	}
		19	sleep 3
		20
		21	spawn $env(SHELL)
		22	send -- "firejail --list\r"
		23	expect {
		24	timeout {puts "TESTING ERROR 3\n";exit}
		25	":firejail"
		26	}
		27	expect {
		28	timeout {puts "TESTING ERROR 3.1\n";exit}
		29	"gthumb"
		30	}
		31	sleep 1
		32
		33	# grsecurity exit
		34	send -- "file /proc/sys/kernel/grsecurity\r"
		35	expect {
		36	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		37	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		38	"cannot open" {puts "grsecurity not present\n"}
		39	}
		40
		41	send -- "firejail --name=blablabla\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Child process initialized"
		45	}
		46	sleep 2
		47
		48	spawn $env(SHELL)
		49	send -- "firemon --seccomp\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 5\n";exit}
		52	":firejail gthumb"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		56	"Seccomp: 2"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 5.1\n";exit}
		60	"name=blablabla"
		61	}
		62	sleep 1
		63	send -- "firemon --caps\r"
		64	expect {
		65	timeout {puts "TESTING ERROR 6\n";exit}
		66	":firejail gthumb"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 6.1\n";exit}
		70	"CapBnd:"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 6.2\n";exit}
		74	"0000000000000000"
		75	}
		76	expect {
		77	timeout {puts "TESTING ERROR 6.3\n";exit}
		78	"name=blablabla"
		79	}
		80	sleep 1
		81
		82	puts "\nall done\n"
		83