cleanup

author: netblue30 <netblue30@yahoo.com> 2018-09-10 09:00:39 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-09-10 09:00:39 -0400
commit: f7b22a4764de898eef9ada813baa5c7f4a8f2c07 (patch)
tree: aeb02c2cf225c6f7932bac3e0734bdff1ab71b9e
parent: testing version 0.9.56-LTS~rc1 (diff)
download: firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.tar.gz
firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.tar.zst
firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.zip
13 files changed, 115 insertions, 302 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 1f47f77d0..f4acfe7f8 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -15,9 +15,6 @@
 # Enable or disable bind support, default enabled.
 # bind yes
-# Enable or disable chroot support, default enabled.
-# chroot yes
 # Enable or disable dbus handling by --nodbus flag, default enabled.
 # dbus yes
@@ -50,18 +47,6 @@
 # Enable or disable networking features, default enabled.
 # network yes
-# Enable or disable overlayfs features, default enabled.
-# overlayfs yes
-# Remove /usr/local directories from private-bin list, default disabled.
-# private-bin-no-local no
-# Enable or disable private-home feature, default enabled
-# private-home yes
-# Enable or disable private-lib feature, default enabled
-# private-lib yes
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
@@ -86,37 +71,3 @@
 # Enable or disable whitelisting support, default enabled.
 # whitelist yes
-# Enable or disable X11 sandboxing support, default enabled.
-# x11 yes
-# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
-# a full list of resolutions available on your specific setup.
-# xephyr-screen 640x480
-# xephyr-screen 800x600
-# xephyr-screen 1024x768
-# xephyr-screen 1280x1024
-# Firejail window title in Xephyr, default enabled.
-# xephyr-window-title yes
-# Xephyr command extra parameters. None by default; these are examples.
-# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
-# xephyr-extra-params -grayscale
-# Xpra server command extra parameters. None by default; this is an example.
-# xpra-extra-params --dpi 96
-# Enable this option if you have a version of Xpra that supports --attach switch
-# for start command, default disabled.
-# xpra-attach no
-# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
-# color depth; use 24 unless you know exactly what you're doing.
-# xvfb-screen 640x480x24
-# xvfb-screen 800x600x24
-# xvfb-screen 1024x768x24
-# xvfb-screen 1280x1024x24
-# Xvfb command extra parameters.  None by default; this is an example.
-# xvfb-extra-params -pixdepths 8 24 32
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 430771a13..8786c018e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -25,11 +25,6 @@
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
-char *xephyr_screen = "800x600";
-char *xephyr_extra_params = "";
-char *xpra_extra_params = "";
-char *xvfb_screen = "800x600x24";
-char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 int checkcfg(int val) {
@@ -45,11 +40,9 @@ int checkcfg(int val) {
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
                cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
                cfg_val[CFG_FIREJAIL_PROMPT] = 0;
                cfg_val[CFG_DISABLE_MNT] = 0;
                cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
-                cfg_val[CFG_XPRA_ATTACH] = 0;
                // open configuration file
                const char *fname = SYSCONFDIR "/firejail.config";
@@ -75,25 +68,6 @@ int checkcfg(int val) {
                        ptr = line_remove_spaces(buf);
                        if (!ptr)
                                continue;
-                        // dbus
-                        else if (strncmp(ptr, "dbus ", 5) == 0) {
-                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_DBUS] = 1;
-                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_DBUS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // join
-                        else if (strncmp(ptr, "join ", 5) == 0) {
-                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_JOIN] = 1;
-                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_JOIN] = 0;
-                                else
-                                        goto errout;
-                        }
                        // apparmor
                        else if (strncmp(ptr, "apparmor ", 9) == 0) {
                                if (strcmp(ptr + 9, "yes") == 0)
@@ -103,6 +77,13 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // arp probes
+                        else if (strncmp(ptr, "arp-probes ", 11) == 0) {
+                                int arp_probes = atoi(ptr + 11);
+                                if (arp_probes <= 1 || arp_probes > 30)
+                                        goto errout;
+                                cfg_val[CFG_ARP_PROBES] = arp_probes;
+                        }
                        // bind
                        else if (strncmp(ptr, "bind ", 5) == 0) {
                                if (strcmp(ptr + 5, "yes") == 0)
@@ -112,12 +93,20 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // user namespace
+                        // dbus
-                        else if (strncmp(ptr, "userns ", 7) == 0) {
+                        else if (strncmp(ptr, "dbus ", 5) == 0) {
-                                if (strcmp(ptr + 7, "yes") == 0)
+                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_USERNS] = 1;
+                                        cfg_val[CFG_DBUS] = 1;
-                                else if (strcmp(ptr + 7, "no") == 0)
+                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_USERNS] = 0;
+                                        cfg_val[CFG_DBUS] = 0;
+                                else
+                                        goto errout;
+                        }
+                        else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
+                                if (strcmp(ptr + 12, "yes") == 0)
+                                        cfg_val[CFG_DISABLE_MNT] = 1;
+                                else if (strcmp(ptr + 12, "no") == 0)
+                                        cfg_val[CFG_DISABLE_MNT] = 0;
                                else
                                        goto errout;
                        }
@@ -148,21 +137,12 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
-                        // seccomp
+                        // join
-                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
+                        else if (strncmp(ptr, "join ", 5) == 0) {
-                                if (strcmp(ptr + 8, "yes") == 0)
+                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_SECCOMP] = 1;
+                                        cfg_val[CFG_JOIN] = 1;
-                                else if (strcmp(ptr + 8, "no") == 0)
+                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_SECCOMP] = 0;
+                                        cfg_val[CFG_JOIN] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // whitelist
-                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                                if (strcmp(ptr + 10, "yes") == 0)
-                                        cfg_val[CFG_WHITELIST] = 1;
-                                else if (strcmp(ptr + 10, "no") == 0)
-                                        cfg_val[CFG_WHITELIST] = 0;
                                else
                                        goto errout;
                        }
@@ -175,6 +155,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // quiet by default
+                        else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        arg_quiet = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        arg_quiet = 0;
+                                else
+                                        goto errout;
+                        }
                        // network
                        else if (strncmp(ptr, "restricted-network ", 19) == 0) {
                                if (strcmp(ptr + 19, "yes") == 0)
@@ -208,29 +197,32 @@ int checkcfg(int val) {
                                if (arg_debug)
                                        printf("netfilter default file %s\n", fname);
                        }
-                        // quiet by default
+                        // seccomp
-                        else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
-                                if (strcmp(ptr + 17, "yes") == 0)
+                                if (strcmp(ptr + 8, "yes") == 0)
-                                        arg_quiet = 1;
+                                        cfg_val[CFG_SECCOMP] = 1;
-                                else if (strcmp(ptr + 17, "no") == 0)
+                                else if (strcmp(ptr + 8, "no") == 0)
-                                        arg_quiet = 0;
+                                        cfg_val[CFG_SECCOMP] = 0;
                                else
                                        goto errout;
                        }
-                        else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
+                        // user namespace
-                                if (strcmp(ptr + 12, "yes") == 0)
+                        else if (strncmp(ptr, "userns ", 7) == 0) {
-                                        cfg_val[CFG_DISABLE_MNT] = 1;
+                                if (strcmp(ptr + 7, "yes") == 0)
-                                else if (strcmp(ptr + 12, "no") == 0)
+                                        cfg_val[CFG_USERNS] = 1;
-                                        cfg_val[CFG_DISABLE_MNT] = 0;
+                                else if (strcmp(ptr + 7, "no") == 0)
+                                        cfg_val[CFG_USERNS] = 0;
                                else
                                        goto errout;
                        }
-                        // arp probes
+                        // whitelist
-                        else if (strncmp(ptr, "arp-probes ", 11) == 0) {
+                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                                int arp_probes = atoi(ptr + 11);
+                                if (strcmp(ptr + 10, "yes") == 0)
-                                if (arp_probes <= 1 || arp_probes > 30)
+                                        cfg_val[CFG_WHITELIST] = 1;
+                                else if (strcmp(ptr + 10, "no") == 0)
+                                        cfg_val[CFG_WHITELIST] = 0;
+                                else
                                        goto errout;
-                                cfg_val[CFG_ARP_PROBES] = arp_probes;
                        }
                        else
                                goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2ab4a0b85..533ed880a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -650,40 +650,25 @@ void restrict_users(void);
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
 enum {
-        CFG_FILE_TRANSFER = 0,
+        CFG_APPARMOR = 0,
-        CFG_X11,
+        CFG_ARP_PROBES,
        CFG_BIND,
-        CFG_USERNS,
+        CFG_DBUS,
-        CFG_CHROOT,
+        CFG_DISABLE_MNT,
-        CFG_SECCOMP,
-        CFG_NETWORK,
-        CFG_RESTRICTED_NETWORK,
-        CFG_FORCE_NONEWPRIVS,
-        CFG_WHITELIST,
-        CFG_XEPHYR_WINDOW_TITLE,
-        CFG_OVERLAYFS,
-        CFG_PRIVATE_HOME,
-        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_FIREJAIL_PROMPT,
        CFG_FOLLOW_SYMLINK_AS_USER,
-        CFG_DISABLE_MNT,
+        CFG_FORCE_NONEWPRIVS,
        CFG_JOIN,
-        CFG_ARP_PROBES,
+        CFG_NETWORK,
-        CFG_XPRA_ATTACH,
+        CFG_RESTRICTED_NETWORK,
-        CFG_PRIVATE_LIB,
+        CFG_SECCOMP,
-        CFG_APPARMOR,
+        CFG_USERNS,
-        CFG_DBUS,
+        CFG_WHITELIST,
        CFG_MAX // this should always be the last entry
 };
-extern char *xephyr_screen;
-extern char *xephyr_extra_params;
-extern char *xpra_extra_params;
-extern char *xvfb_screen;
-extern char *xvfb_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
 void print_compiletime_support(void);
-void x11_xorg(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 594a6d83c..c4944c7d5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1011,6 +1011,33 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--disable-mnt") == 0)
                        arg_disable_mnt = 1;
+                else if (strcmp(argv[i], "--tunnel") == 0) {
+                        // try to connect to the default client side of the tunnel
+                        // if this fails, try the default server side of the tunnel
+                        if (access("/run/firetunnel/ftc", R_OK) == 0)
+                                profile_read("/run/firetunnel/ftc");
+                        else if (access("/run/firetunnel/fts", R_OK) == 0)
+                                profile_read("/run/firetunnel/fts");
+                        else {
+                                fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+                        char *fname;
+                        if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        invalid_filename(fname, 0); // no globbing
+                        if (access(fname, R_OK) == 0)
+                                profile_read(fname);
+                        else {
+                                fprintf(stderr, "Error: tunnel not found\n");
+                                exit(1);
+                        }
+                }
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
                        // multiple profile files are allowed!
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 73af66be2..d5033c4a1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -171,6 +171,8 @@ static char *usage_str =
        "    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
        "    --top - monitor the most CPU-intensive sandboxes.\n"
        "    --tree - print a tree of all sandboxed processes.\n"
+        "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+        "\tfiretunnel utility.\n"
        "    --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
        "    --veth-name=name - use this name for the interface connected to the bridge.\n"
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index bc51d04f6..3b10c4473 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -495,10 +495,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
                }
                else {
                        syscall_process_name(ptr, &syscall_nr, &error_nr);
-                        if (syscall_nr == -1) {
+                        if (syscall_nr == -1) {;}
-                                if (!arg_quiet)
-                                        fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
-                        }
                        else if (callback != NULL) {
                                if (error_nr != -1 && fd != 0) {
                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 11dedbf35..0bc1c1b5d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1788,6 +1788,25 @@ $ firejail \-\-tree
  11970:netblue:transmission-gtk
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+.TP
 \fB\-\-version
 Print program version and exit.
 .br
diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp
deleted file mode 100755
index 4252f875a..000000000
--- a/test/blacklist-link.exp
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# blacklist a directory symlink
-send -- "firejail --blacklist=auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-# blacklist a directory symlink from a profile file
-send -- "firejail --profile=blacklist3.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-# do not blacklist /bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "auto3 directory link was not blacklisted"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls auto3; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "cannot open directory" {puts "TESTING ERROR 6.1\n";exit}
-        "home"
-}
-send -- "exit\r"
-sleep 1
-# do not blacklist /usr/bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "auto3 directory link was not blacklisted"
-}
-expect {
-        timeout {puts "TESTING ERROR 7.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls auto3; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "cannot open directory" {puts "TESTING ERROR 9.1\n";exit}
-        "home"
-}
-send -- "exit\r"
-sleep 1
-puts "all done\n"
diff --git a/test/blacklist.exp b/test/blacklist.exp
deleted file mode 100755
index 9c3dddf1f..000000000
--- a/test/blacklist.exp
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/expect -f
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-# directory with ~
-send -- "firejail --blacklist=~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al ~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-# directory with ~ in profile file
-send -- "firejail --profile=blacklist1.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al ~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-# directory with space
-send -- "firejail \"--blacklist=dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al \"dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-# directory with space in profile
-send -- "firejail --profile=blacklist2.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
-}
-sleep 1
-send -- "ls -al \"dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "cannot open directory"
-}
-puts "\n"
diff --git a/test/blacklist1.profile b/test/blacklist1.profile
deleted file mode 100644
index f12facd05..000000000
--- a/test/blacklist1.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist ~/.config
diff --git a/test/blacklist2.profile b/test/blacklist2.profile
deleted file mode 100644
index 4bb603db2..000000000
--- a/test/blacklist2.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist dir with space
diff --git a/test/blacklist3.profile b/test/blacklist3.profile
deleted file mode 100644
index 08f754f3f..000000000
--- a/test/blacklist3.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist auto2
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 320fb73fa..41820b919 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -64,7 +64,7 @@ sleep 1
 send -- "firejail --private=/etc\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
-        "private directory should be owned by the current user"
+        "private directory is not owned by the current user"
 }
 sleep 1
 send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
author	netblue30 <netblue30@yahoo.com>	2018-09-10 09:00:39 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-09-10 09:00:39 -0400
commit	f7b22a4764de898eef9ada813baa5c7f4a8f2c07 (patch)
tree	aeb02c2cf225c6f7932bac3e0734bdff1ab71b9e
parent	testing version 0.9.56-LTS~rc1 (diff)
download	firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.tar.gz firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.tar.zst firejail-f7b22a4764de898eef9ada813baa5c7f4a8f2c07.zip

diff --git a/etc/firejail.config b/etc/firejail.config index 1f47f77d0..f4acfe7f8 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -15,9 +15,6 @@
15	# Enable or disable bind support, default enabled.	15	# Enable or disable bind support, default enabled.
16	# bind yes	16	# bind yes
17		17
18	# Enable or disable chroot support, default enabled.
19	# chroot yes
20
21	# Enable or disable dbus handling by --nodbus flag, default enabled.	18	# Enable or disable dbus handling by --nodbus flag, default enabled.
22	# dbus yes	19	# dbus yes
23		20
@@ -50,18 +47,6 @@
50	# Enable or disable networking features, default enabled.	47	# Enable or disable networking features, default enabled.
51	# network yes	48	# network yes
52		49
53	# Enable or disable overlayfs features, default enabled.
54	# overlayfs yes
55
56	# Remove /usr/local directories from private-bin list, default disabled.
57	# private-bin-no-local no
58
59	# Enable or disable private-home feature, default enabled
60	# private-home yes
61
62	# Enable or disable private-lib feature, default enabled
63	# private-lib yes
64
65	# Enable --quiet as default every time the sandbox is started. Default disabled.	50	# Enable --quiet as default every time the sandbox is started. Default disabled.
66	# quiet-by-default no	51	# quiet-by-default no
67		52
@@ -86,37 +71,3 @@
86		71
87	# Enable or disable whitelisting support, default enabled.	72	# Enable or disable whitelisting support, default enabled.
88	# whitelist yes	73	# whitelist yes
89
90	# Enable or disable X11 sandboxing support, default enabled.
91	# x11 yes
92
93	# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
94	# a full list of resolutions available on your specific setup.
95	# xephyr-screen 640x480
96	# xephyr-screen 800x600
97	# xephyr-screen 1024x768
98	# xephyr-screen 1280x1024
99
100	# Firejail window title in Xephyr, default enabled.
101	# xephyr-window-title yes
102
103	# Xephyr command extra parameters. None by default; these are examples.
104	# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
105	# xephyr-extra-params -grayscale
106
107	# Xpra server command extra parameters. None by default; this is an example.
108	# xpra-extra-params --dpi 96
109
110	# Enable this option if you have a version of Xpra that supports --attach switch
111	# for start command, default disabled.
112	# xpra-attach no
113
114	# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
115	# color depth; use 24 unless you know exactly what you're doing.
116	# xvfb-screen 640x480x24
117	# xvfb-screen 800x600x24
118	# xvfb-screen 1024x768x24
119	# xvfb-screen 1280x1024x24
120
121	# Xvfb command extra parameters. None by default; this is an example.
122	# xvfb-extra-params -pixdepths 8 24 32


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 430771a13..8786c018e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -25,11 +25,6 @@
25		25
26	static int initialized = 0;	26	static int initialized = 0;
27	static int cfg_val[CFG_MAX];	27	static int cfg_val[CFG_MAX];
28	char *xephyr_screen = "800x600";
29	char *xephyr_extra_params = "";
30	char *xpra_extra_params = "";
31	char *xvfb_screen = "800x600x24";
32	char *xvfb_extra_params = "";
33	char *netfilter_default = NULL;	28	char *netfilter_default = NULL;
34		29
35	int checkcfg(int val) {	30	int checkcfg(int val) {
@@ -45,11 +40,9 @@ int checkcfg(int val) {
45	cfg_val[i] = 1; // most of them are enabled by default	40	cfg_val[i] = 1; // most of them are enabled by default
46	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default	41	cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
47	cfg_val[CFG_FORCE_NONEWPRIVS] = 0;	42	cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
48	cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
49	cfg_val[CFG_FIREJAIL_PROMPT] = 0;	43	cfg_val[CFG_FIREJAIL_PROMPT] = 0;
50	cfg_val[CFG_DISABLE_MNT] = 0;	44	cfg_val[CFG_DISABLE_MNT] = 0;
51	cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;	45	cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
52	cfg_val[CFG_XPRA_ATTACH] = 0;
53		46
54	// open configuration file	47	// open configuration file
55	const char *fname = SYSCONFDIR "/firejail.config";	48	const char *fname = SYSCONFDIR "/firejail.config";
@@ -75,25 +68,6 @@ int checkcfg(int val) {
75	ptr = line_remove_spaces(buf);	68	ptr = line_remove_spaces(buf);
76	if (!ptr)	69	if (!ptr)
77	continue;	70	continue;
78
79	// dbus
80	else if (strncmp(ptr, "dbus ", 5) == 0) {
81	if (strcmp(ptr + 5, "yes") == 0)
82	cfg_val[CFG_DBUS] = 1;
83	else if (strcmp(ptr + 5, "no") == 0)
84	cfg_val[CFG_DBUS] = 0;
85	else
86	goto errout;
87	}
88	// join
89	else if (strncmp(ptr, "join ", 5) == 0) {
90	if (strcmp(ptr + 5, "yes") == 0)
91	cfg_val[CFG_JOIN] = 1;
92	else if (strcmp(ptr + 5, "no") == 0)
93	cfg_val[CFG_JOIN] = 0;
94	else
95	goto errout;
96	}
97	// apparmor	71	// apparmor
98	else if (strncmp(ptr, "apparmor ", 9) == 0) {	72	else if (strncmp(ptr, "apparmor ", 9) == 0) {
99	if (strcmp(ptr + 9, "yes") == 0)	73	if (strcmp(ptr + 9, "yes") == 0)
@@ -103,6 +77,13 @@ int checkcfg(int val) {
103	else	77	else
104	goto errout;	78	goto errout;
105	}	79	}
		80	// arp probes
		81	else if (strncmp(ptr, "arp-probes ", 11) == 0) {
		82	int arp_probes = atoi(ptr + 11);
		83	if (arp_probes <= 1 \|\| arp_probes > 30)
		84	goto errout;
		85	cfg_val[CFG_ARP_PROBES] = arp_probes;
		86	}
106	// bind	87	// bind
107	else if (strncmp(ptr, "bind ", 5) == 0) {	88	else if (strncmp(ptr, "bind ", 5) == 0) {
108	if (strcmp(ptr + 5, "yes") == 0)	89	if (strcmp(ptr + 5, "yes") == 0)
@@ -112,12 +93,20 @@ int checkcfg(int val) {
112	else	93	else
113	goto errout;	94	goto errout;
114	}	95	}
115	// user namespace	96	// dbus
116	else if (strncmp(ptr, "userns ", 7) == 0) {	97	else if (strncmp(ptr, "dbus ", 5) == 0) {
117	if (strcmp(ptr + 7, "yes") == 0)	98	if (strcmp(ptr + 5, "yes") == 0)
118	cfg_val[CFG_USERNS] = 1;	99	cfg_val[CFG_DBUS] = 1;
119	else if (strcmp(ptr + 7, "no") == 0)	100	else if (strcmp(ptr + 5, "no") == 0)
120	cfg_val[CFG_USERNS] = 0;	101	cfg_val[CFG_DBUS] = 0;
		102	else
		103	goto errout;
		104	}
		105	else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
		106	if (strcmp(ptr + 12, "yes") == 0)
		107	cfg_val[CFG_DISABLE_MNT] = 1;
		108	else if (strcmp(ptr + 12, "no") == 0)
		109	cfg_val[CFG_DISABLE_MNT] = 0;
121	else	110	else
122	goto errout;	111	goto errout;
123	}	112	}
@@ -148,21 +137,12 @@ int checkcfg(int val) {
148	else	137	else
149	goto errout;	138	goto errout;
150	}	139	}
151	// seccomp	140	// join
152	else if (strncmp(ptr, "seccomp ", 8) == 0) {	141	else if (strncmp(ptr, "join ", 5) == 0) {
153	if (strcmp(ptr + 8, "yes") == 0)	142	if (strcmp(ptr + 5, "yes") == 0)
154	cfg_val[CFG_SECCOMP] = 1;	143	cfg_val[CFG_JOIN] = 1;
155	else if (strcmp(ptr + 8, "no") == 0)	144	else if (strcmp(ptr + 5, "no") == 0)
156	cfg_val[CFG_SECCOMP] = 0;	145	cfg_val[CFG_JOIN] = 0;
157	else
158	goto errout;
159	}
160	// whitelist
161	else if (strncmp(ptr, "whitelist ", 10) == 0) {
162	if (strcmp(ptr + 10, "yes") == 0)
163	cfg_val[CFG_WHITELIST] = 1;
164	else if (strcmp(ptr + 10, "no") == 0)
165	cfg_val[CFG_WHITELIST] = 0;
166	else	146	else
167	goto errout;	147	goto errout;
168	}	148	}
@@ -175,6 +155,15 @@ int checkcfg(int val) {
175	else	155	else
176	goto errout;	156	goto errout;
177	}	157	}
		158	// quiet by default
		159	else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
		160	if (strcmp(ptr + 17, "yes") == 0)
		161	arg_quiet = 1;
		162	else if (strcmp(ptr + 17, "no") == 0)
		163	arg_quiet = 0;
		164	else
		165	goto errout;
		166	}
178	// network	167	// network
179	else if (strncmp(ptr, "restricted-network ", 19) == 0) {	168	else if (strncmp(ptr, "restricted-network ", 19) == 0) {
180	if (strcmp(ptr + 19, "yes") == 0)	169	if (strcmp(ptr + 19, "yes") == 0)
@@ -208,29 +197,32 @@ int checkcfg(int val) {
208	if (arg_debug)	197	if (arg_debug)
209	printf("netfilter default file %s\n", fname);	198	printf("netfilter default file %s\n", fname);
210	}	199	}
211	// quiet by default	200	// seccomp
212	else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {	201	else if (strncmp(ptr, "seccomp ", 8) == 0) {
213	if (strcmp(ptr + 17, "yes") == 0)	202	if (strcmp(ptr + 8, "yes") == 0)
214	arg_quiet = 1;	203	cfg_val[CFG_SECCOMP] = 1;
215	else if (strcmp(ptr + 17, "no") == 0)	204	else if (strcmp(ptr + 8, "no") == 0)
216	arg_quiet = 0;	205	cfg_val[CFG_SECCOMP] = 0;
217	else	206	else
218	goto errout;	207	goto errout;
219	}	208	}
220	else if (strncmp(ptr, "disable-mnt ", 12) == 0) {	209	// user namespace
221	if (strcmp(ptr + 12, "yes") == 0)	210	else if (strncmp(ptr, "userns ", 7) == 0) {
222	cfg_val[CFG_DISABLE_MNT] = 1;	211	if (strcmp(ptr + 7, "yes") == 0)
223	else if (strcmp(ptr + 12, "no") == 0)	212	cfg_val[CFG_USERNS] = 1;
224	cfg_val[CFG_DISABLE_MNT] = 0;	213	else if (strcmp(ptr + 7, "no") == 0)
		214	cfg_val[CFG_USERNS] = 0;
225	else	215	else
226	goto errout;	216	goto errout;
227	}	217	}
228	// arp probes	218	// whitelist
229	else if (strncmp(ptr, "arp-probes ", 11) == 0) {	219	else if (strncmp(ptr, "whitelist ", 10) == 0) {
230	int arp_probes = atoi(ptr + 11);	220	if (strcmp(ptr + 10, "yes") == 0)
231	if (arp_probes <= 1 \|\| arp_probes > 30)	221	cfg_val[CFG_WHITELIST] = 1;
		222	else if (strcmp(ptr + 10, "no") == 0)
		223	cfg_val[CFG_WHITELIST] = 0;
		224	else
232	goto errout;	225	goto errout;
233	cfg_val[CFG_ARP_PROBES] = arp_probes;
234	}	226	}
235	else	227	else
236	goto errout;	228	goto errout;


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2ab4a0b85..533ed880a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -650,40 +650,25 @@ void restrict_users(void);
650	// checkcfg.c	650	// checkcfg.c
651	#define DEFAULT_ARP_PROBES 2	651	#define DEFAULT_ARP_PROBES 2
652	enum {	652	enum {
653	CFG_FILE_TRANSFER = 0,	653	CFG_APPARMOR = 0,
654	CFG_X11,	654	CFG_ARP_PROBES,
655	CFG_BIND,	655	CFG_BIND,
656	CFG_USERNS,	656	CFG_DBUS,
657	CFG_CHROOT,	657	CFG_DISABLE_MNT,
658	CFG_SECCOMP,
659	CFG_NETWORK,
660	CFG_RESTRICTED_NETWORK,
661	CFG_FORCE_NONEWPRIVS,
662	CFG_WHITELIST,
663	CFG_XEPHYR_WINDOW_TITLE,
664	CFG_OVERLAYFS,
665	CFG_PRIVATE_HOME,
666	CFG_PRIVATE_BIN_NO_LOCAL,
667	CFG_FIREJAIL_PROMPT,	658	CFG_FIREJAIL_PROMPT,
668	CFG_FOLLOW_SYMLINK_AS_USER,	659	CFG_FOLLOW_SYMLINK_AS_USER,
669	CFG_DISABLE_MNT,	660	CFG_FORCE_NONEWPRIVS,
670	CFG_JOIN,	661	CFG_JOIN,
671	CFG_ARP_PROBES,	662	CFG_NETWORK,
672	CFG_XPRA_ATTACH,	663	CFG_RESTRICTED_NETWORK,
673	CFG_PRIVATE_LIB,	664	CFG_SECCOMP,
674	CFG_APPARMOR,	665	CFG_USERNS,
675	CFG_DBUS,	666	CFG_WHITELIST,
676	CFG_MAX // this should always be the last entry	667	CFG_MAX // this should always be the last entry
677	};	668	};
678	extern char *xephyr_screen;
679	extern char *xephyr_extra_params;
680	extern char *xpra_extra_params;
681	extern char *xvfb_screen;
682	extern char *xvfb_extra_params;
683	extern char *netfilter_default;	669	extern char *netfilter_default;
684	int checkcfg(int val);	670	int checkcfg(int val);
685	void print_compiletime_support(void);	671	void print_compiletime_support(void);
686	void x11_xorg(void);
687		672
688	// appimage.c	673	// appimage.c
689	void appimage_set(const char *appimage_path);	674	void appimage_set(const char *appimage_path);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 594a6d83c..c4944c7d5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1011,6 +1011,33 @@ int main(int argc, char **argv) {
1011	}	1011	}
1012	else if (strcmp(argv[i], "--disable-mnt") == 0)	1012	else if (strcmp(argv[i], "--disable-mnt") == 0)
1013	arg_disable_mnt = 1;	1013	arg_disable_mnt = 1;
		1014	else if (strcmp(argv[i], "--tunnel") == 0) {
		1015	// try to connect to the default client side of the tunnel
		1016	// if this fails, try the default server side of the tunnel
		1017	if (access("/run/firetunnel/ftc", R_OK) == 0)
		1018	profile_read("/run/firetunnel/ftc");
		1019	else if (access("/run/firetunnel/fts", R_OK) == 0)
		1020	profile_read("/run/firetunnel/fts");
		1021	else {
		1022	fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
		1023	exit(1);
		1024	}
		1025	}
		1026	else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
		1027	char *fname;
		1028	if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
		1029	errExit("asprintf");
		1030	invalid_filename(fname, 0); // no globbing
		1031	if (access(fname, R_OK) == 0)
		1032	profile_read(fname);
		1033	else {
		1034	fprintf(stderr, "Error: tunnel not found\n");
		1035	exit(1);
		1036	}
		1037	}
		1038
		1039
		1040
1014	else if (strncmp(argv[i], "--profile=", 10) == 0) {	1041	else if (strncmp(argv[i], "--profile=", 10) == 0) {
1015	// multiple profile files are allowed!	1042	// multiple profile files are allowed!
1016		1043


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 73af66be2..d5033c4a1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -171,6 +171,8 @@ static char *usage_str =
171	" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"	171	" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
172	" --top - monitor the most CPU-intensive sandboxes.\n"	172	" --top - monitor the most CPU-intensive sandboxes.\n"
173	" --tree - print a tree of all sandboxed processes.\n"	173	" --tree - print a tree of all sandboxed processes.\n"
		174	" --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
		175	"\tfiretunnel utility.\n"
174	" --version - print program version and exit.\n"	176	" --version - print program version and exit.\n"
175	#ifdef HAVE_NETWORK	177	#ifdef HAVE_NETWORK
176	" --veth-name=name - use this name for the interface connected to the bridge.\n"	178	" --veth-name=name - use this name for the interface connected to the bridge.\n"


diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index bc51d04f6..3b10c4473 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c
@@ -495,10 +495,7 @@ int syscall_check_list(const char slist, void (callback)(int fd, int syscall,
495	}	495	}
496	else {	496	else {
497	syscall_process_name(ptr, &syscall_nr, &error_nr);	497	syscall_process_name(ptr, &syscall_nr, &error_nr);
498	if (syscall_nr == -1) {	498	if (syscall_nr == -1) {;}
499	if (!arg_quiet)
500	fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
501	}
502	else if (callback != NULL) {	499	else if (callback != NULL) {
503	if (error_nr != -1 && fd != 0) {	500	if (error_nr != -1 && fd != 0) {
504	filter_add_errno(fd, syscall_nr, error_nr, ptrarg);	501	filter_add_errno(fd, syscall_nr, error_nr, ptrarg);


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 11dedbf35..0bc1c1b5d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1788,6 +1788,25 @@ $ firejail \-\-tree
1788	11970:netblue:transmission-gtk	1788	11970:netblue:transmission-gtk
1789		1789
1790	.TP	1790	.TP
		1791	\fB\-\-tunnel[=devname]
		1792	Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
		1793	tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
		1794	please specify the tunnel device using \-\-tunnel=devname.
		1795	.br
		1796	.br
		1797	The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
		1798	The files are regular firejail profile files containing the network configuration,
		1799	and are created and managed by firetunnel utility.
		1800	By default ftc is the client-side device and fts is the server-side device. For more information
		1801	please see man 1 firetunnel.
		1802	.br
		1803	.br
		1804	Example:
		1805	.br
		1806	$ firejail --tunnel firefox
		1807	.br
		1808
		1809	.TP
1791	\fB\-\-version	1810	\fB\-\-version
1792	Print program version and exit.	1811	Print program version and exit.
1793	.br	1812	.br


diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp deleted file mode 100755 index 4252f875a..000000000 --- a/test/blacklist-link.exp +++ /dev/null
@@ -1,82 +0,0 @@
1	#!/usr/bin/expect -f
2
3	set timeout 10
4	spawn $env(SHELL)
5	match_max 100000
6
7	# blacklist a directory symlink
8	send -- "firejail --blacklist=auto2\r"
9	expect {
10	timeout {puts "TESTING ERROR 1\n";exit}
11	"Child process initialized"
12	}
13	sleep 1
14
15	send -- "ls auto2\r"
16	expect {
17	timeout {puts "TESTING ERROR 2\n";exit}
18	"cannot open directory"
19	}
20	send -- "exit\r"
21	sleep 1
22
23	# blacklist a directory symlink from a profile file
24	send -- "firejail --profile=blacklist3.profile\r"
25	expect {
26	timeout {puts "TESTING ERROR 3\n";exit}
27	"Child process initialized"
28	}
29	sleep 1
30
31	send -- "ls auto2\r"
32	expect {
33	timeout {puts "TESTING ERROR 4\n";exit}
34	"cannot open directory"
35	}
36	send -- "exit\r"
37	sleep 1
38
39	# do not blacklist /bin
40	send -- "firejail --blacklist=auto3\r"
41	expect {
42	timeout {puts "TESTING ERROR 5\n";exit}
43	"auto3 directory link was not blacklisted"
44	}
45	expect {
46	timeout {puts "TESTING ERROR 5.1\n";exit}
47	"Child process initialized"
48	}
49	sleep 1
50
51	send -- "ls auto3; pwd\r"
52	expect {
53	timeout {puts "TESTING ERROR 6\n";exit}
54	"cannot open directory" {puts "TESTING ERROR 6.1\n";exit}
55	"home"
56	}
57	send -- "exit\r"
58	sleep 1
59
60	# do not blacklist /usr/bin
61	send -- "firejail --blacklist=auto3\r"
62	expect {
63	timeout {puts "TESTING ERROR 7\n";exit}
64	"auto3 directory link was not blacklisted"
65	}
66	expect {
67	timeout {puts "TESTING ERROR 7.1\n";exit}
68	"Child process initialized"
69	}
70	sleep 1
71
72	send -- "ls auto3; pwd\r"
73	expect {
74	timeout {puts "TESTING ERROR 8\n";exit}
75	"cannot open directory" {puts "TESTING ERROR 9.1\n";exit}
76	"home"
77	}
78	send -- "exit\r"
79	sleep 1
80
81
82	puts "all done\n"


diff --git a/test/blacklist.exp b/test/blacklist.exp deleted file mode 100755 index 9c3dddf1f..000000000 --- a/test/blacklist.exp +++ /dev/null
@@ -1,75 +0,0 @@
1	#!/usr/bin/expect -f
2
3	set timeout 10
4	spawn $env(SHELL)
5	match_max 100000
6
7	# directory with ~
8	send -- "firejail --blacklist=~/.config\r"
9	expect {
10	timeout {puts "TESTING ERROR 1\n";exit}
11	"Child process initialized"
12	}
13	sleep 1
14
15	send -- "ls -al ~/.config\r"
16	expect {
17	timeout {puts "TESTING ERROR 2\n";exit}
18	"cannot open directory"
19	}
20
21	send -- "exit\r"
22	sleep 1
23
24	# directory with ~ in profile file
25	send -- "firejail --profile=blacklist1.profile\r"
26	expect {
27	timeout {puts "TESTING ERROR 3\n";exit}
28	"Child process initialized"
29	}
30	sleep 1
31
32	send -- "ls -al ~/.config\r"
33	expect {
34	timeout {puts "TESTING ERROR 4\n";exit}
35	"cannot open directory"
36	}
37
38	send -- "exit\r"
39	sleep 1
40
41
42	# directory with space
43	send -- "firejail \"--blacklist=dir with space\"\r"
44	expect {
45	timeout {puts "TESTING ERROR 5\n";exit}
46	"Child process initialized"
47	}
48	sleep 1
49
50	send -- "ls -al \"dir with space\"\r"
51	expect {
52	timeout {puts "TESTING ERROR 6\n";exit}
53	"cannot open directory"
54	}
55
56	send -- "exit\r"
57	sleep 1
58
59	# directory with space in profile
60	send -- "firejail --profile=blacklist2.profile\r"
61	expect {
62	timeout {puts "TESTING ERROR 7\n";exit}
63	"Child process initialized"
64	}
65	sleep 1
66
67	send -- "ls -al \"dir with space\"\r"
68	expect {
69	timeout {puts "TESTING ERROR 8\n";exit}
70	"cannot open directory"
71	}
72
73
74
75	puts "\n"


diff --git a/test/blacklist1.profile b/test/blacklist1.profile deleted file mode 100644 index f12facd05..000000000 --- a/test/blacklist1.profile +++ /dev/null
@@ -1 +0,0 @@
1	blacklist ~/.config


diff --git a/test/blacklist2.profile b/test/blacklist2.profile deleted file mode 100644 index 4bb603db2..000000000 --- a/test/blacklist2.profile +++ /dev/null
@@ -1 +0,0 @@
1	blacklist dir with space


diff --git a/test/blacklist3.profile b/test/blacklist3.profile deleted file mode 100644 index 08f754f3f..000000000 --- a/test/blacklist3.profile +++ /dev/null
@@ -1 +0,0 @@
1	blacklist auto2


diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 320fb73fa..41820b919 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp
@@ -64,7 +64,7 @@ sleep 1
64	send -- "firejail --private=/etc\r"	64	send -- "firejail --private=/etc\r"
65	expect {	65	expect {
66	timeout {puts "TESTING ERROR 5\n";exit}	66	timeout {puts "TESTING ERROR 5\n";exit}
67	"private directory should be owned by the current user"	67	"private directory is not owned by the current user"
68	}	68	}
69	sleep 1	69	sleep 1
70	send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"	70	send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"