author | 2018-09-10 09:00:39 -0400 | |
---|---|---|
committer | 2018-09-10 09:00:39 -0400 | |
commit | f7b22a4764de898eef9ada813baa5c7f4a8f2c07 (patch) | |
tree | aeb02c2cf225c6f7932bac3e0734bdff1ab71b9e | |
parent | testing version 0.9.56-LTS~rc1 (diff) | |
cleanup
-rw-r--r-- | etc/firejail.config | 49 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 118 | ||||
-rw-r--r-- | src/firejail/firejail.h | 35 | ||||
-rw-r--r-- | src/firejail/main.c | 27 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 19 | ||||
-rwxr-xr-x | test/blacklist-link.exp | 82 | ||||
-rwxr-xr-x | test/blacklist.exp | 75 | ||||
-rw-r--r-- | test/blacklist1.profile | 1 | ||||
-rw-r--r-- | test/blacklist2.profile | 1 | ||||
-rw-r--r-- | test/blacklist3.profile | 1 | ||||
-rwxr-xr-x | test/fs/private-home-dir.exp | 2 |
13 files changed, 115 insertions, 302 deletions
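--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -15,9 +15,6 @@
 # Enable or disable bind support, default enabled.
 # bind yes
 
-# Enable or disable chroot support, default enabled.
-# chroot yes
-
 # Enable or disable dbus handling by --nodbus flag, default enabled.
 # dbus yes
 
@@ -50,18 +47,6 @@
 # Enable or disable networking features, default enabled.
 # network yes
 
-# Enable or disable overlayfs features, default enabled.
-# overlayfs yes
-
-# Remove /usr/local directories from private-bin list, default disabled.
-# private-bin-no-local no
-
-# Enable or disable private-home feature, default enabled
-# private-home yes
-
-# Enable or disable private-lib feature, default enabled
-# private-lib yes
-
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
@@ -86,37 +71,3 @@
 
 # Enable or disable whitelisting support, default enabled.
 # whitelist yes
-
-# Enable or disable X11 sandboxing support, default enabled.
-# x11 yes
-
-# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
-# a full list of resolutions available on your specific setup.
-# xephyr-screen 640x480
-# xephyr-screen 800x600
-# xephyr-screen 1024x768
-# xephyr-screen 1280x1024
-
-# Firejail window title in Xephyr, default enabled.
-# xephyr-window-title yes
-
-# Xephyr command extra parameters. None by default; these are examples.
-# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
-# xephyr-extra-params -grayscale
-
-# Xpra server command extra parameters. None by default; this is an example.
-# xpra-extra-params --dpi 96
-
-# Enable this option if you have a version of Xpra that supports --attach switch
-# for start command, default disabled.
-# xpra-attach no
-
-# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
-# color depth; use 24 unless you know exactly what you're doing.
-# xvfb-screen 640x480x24
-# xvfb-screen 800x600x24
-# xvfb-screen 1024x768x24
-# xvfb-screen 1280x1024x24
-
-# Xvfb command extra parameters. None by default; this is an example.
-# xvfb-extra-params -pixdepths 8 24 32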
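--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -25,11 +25,6 @@
 
 static int initialized = 0;
 static int cfg_val[CFG_MAX];
-char *xephyr_screen = "800x600";
-char *xephyr_extra_params = "";
-char *xpra_extra_params = "";
-char *xvfb_screen = "800x600x24";
-char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
@@ -45,11 +40,9 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
-cfg_val[CFG_XPRA_ATTACH] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -75,25 +68,6 @@ int checkcfg(int val) {
 ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
-
-// dbus
-else if (strncmp(ptr, "dbus ", 5) == 0) {
-if (strcmp(ptr + 5, "yes") == 0)
-cfg_val[CFG_DBUS] = 1;
-else if (strcmp(ptr + 5, "no") == 0)
-cfg_val[CFG_DBUS] = 0;
-else
-goto errout;
-}
-// join
-else if (strncmp(ptr, "join ", 5) == 0) {
-if (strcmp(ptr + 5, "yes") == 0)
-cfg_val[CFG_JOIN] = 1;
-else if (strcmp(ptr + 5, "no") == 0)
-cfg_val[CFG_JOIN] = 0;
-else
-goto errout;
-}
 // apparmor
 else if (strncmp(ptr, "apparmor ", 9) == 0) {
 if (strcmp(ptr + 9, "yes") == 0)
@@ -103,6 +77,13 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// arp probes
+else if (strncmp(ptr, "arp-probes ", 11) == 0) {
+int arp_probes = atoi(ptr + 11);
+if (arp_probes <= 1 || arp_probes > 30)
+goto errout;
+cfg_val[CFG_ARP_PROBES] = arp_probes;
+}
 // bind
 else if (strncmp(ptr, "bind ", 5) == 0) {
 if (strcmp(ptr + 5, "yes") == 0)
@@ -112,12 +93,20 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// user namespace
-else if (strncmp(ptr, "userns ", 7) == 0) {
-if (strcmp(ptr + 7, "yes") == 0)
-cfg_val[CFG_USERNS] = 1;
-else if (strcmp(ptr + 7, "no") == 0)
-cfg_val[CFG_USERNS] = 0;
+// dbus
+else if (strncmp(ptr, "dbus ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_DBUS] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_DBUS] = 0;
+else
+goto errout;
+}
+else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
+if (strcmp(ptr + 12, "yes") == 0)
+cfg_val[CFG_DISABLE_MNT] = 1;
+else if (strcmp(ptr + 12, "no") == 0)
+cfg_val[CFG_DISABLE_MNT] = 0;
 else
 goto errout;
 }
@@ -148,21 +137,12 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// seccomp
-else if (strncmp(ptr, "seccomp ", 8) == 0) {
-if (strcmp(ptr + 8, "yes") == 0)
-cfg_val[CFG_SECCOMP] = 1;
-else if (strcmp(ptr + 8, "no") == 0)
-cfg_val[CFG_SECCOMP] = 0;
-else
-goto errout;
-}
-// whitelist
-else if (strncmp(ptr, "whitelist ", 10) == 0) {
-if (strcmp(ptr + 10, "yes") == 0)
-cfg_val[CFG_WHITELIST] = 1;
-else if (strcmp(ptr + 10, "no") == 0)
-cfg_val[CFG_WHITELIST] = 0;
+// join
+else if (strncmp(ptr, "join ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_JOIN] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_JOIN] = 0;
 else
 goto errout;
 }
@@ -175,6 +155,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// quiet by default
+else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
+if (strcmp(ptr + 17, "yes") == 0)
+arg_quiet = 1;
+else if (strcmp(ptr + 17, "no") == 0)
+arg_quiet = 0;
+else
+goto errout;
+}
 // network
 else if (strncmp(ptr, "restricted-network ", 19) == 0) {
 if (strcmp(ptr + 19, "yes") == 0)
@@ -208,29 +197,32 @@ int checkcfg(int val) {
 if (arg_debug)
 printf("netfilter default file %s\n", fname);
 }
-// quiet by default
-else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
-if (strcmp(ptr + 17, "yes") == 0)
-arg_quiet = 1;
-else if (strcmp(ptr + 17, "no") == 0)
-arg_quiet = 0;
+// seccomp
+else if (strncmp(ptr, "seccomp ", 8) == 0) {
+if (strcmp(ptr + 8, "yes") == 0)
+cfg_val[CFG_SECCOMP] = 1;
+else if (strcmp(ptr + 8, "no") == 0)
+cfg_val[CFG_SECCOMP] = 0;
 else
 goto errout;
 }
-else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
-if (strcmp(ptr + 12, "yes") == 0)
-cfg_val[CFG_DISABLE_MNT] = 1;
-else if (strcmp(ptr + 12, "no") == 0)
-cfg_val[CFG_DISABLE_MNT] = 0;
+// user namespace
+else if (strncmp(ptr, "userns ", 7) == 0) {
+if (strcmp(ptr + 7, "yes") == 0)
+cfg_val[CFG_USERNS] = 1;
+else if (strcmp(ptr + 7, "no") == 0)
+cfg_val[CFG_USERNS] = 0;
 else
 goto errout;
 }
-// arp probes
-else if (strncmp(ptr, "arp-probes ", 11) == 0) {
-int arp_probes = atoi(ptr + 11);
-if (arp_probes <= 1 || arp_probes > 30)
+// whitelist
+else if (strncmp(ptr, "whitelist ", 10) == 0) {
+if (strcmp(ptr + 10, "yes") == 0)
+cfg_val[CFG_WHITELIST] = 1;
+else if (strcmp(ptr + 10, "no") == 0)
+cfg_val[CFG_WHITELIST] = 0;
+else
 goto errout;
-cfg_val[CFG_ARP_PROBES] = arp_probes;
 }
 else
 goto errout;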
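Review bot: Every key this commit removes from the parser — chroot, overlayfs, private-bin-no-local, private-home, private-lib, x11, xephyr-*, xpra-*, xvfb-* — now falls through to the final `else goto errout;` at the end of the chain, so an existing /etc/firejail.config that still carries one of them (e.g. `chroot no` or `x11 no`, typical hardening choices that the matching etc/firejail.config hunk also drops) is no longer ignored but rejected. What errout does is outside the hunk; if it is fatal, upgrading a host with such a config turns into a start-up failure, and if it only warns, the behaviour of the rest of the file depends on how the loop continues. Consider accepting the retired keys as explicit no-ops with a message, e.g. `else if (strncmp(ptr, "chroot ", 7) == 0) fprintf(stderr, "Warning: chroot option in firejail.config is no longer supported, ignored\n");`, and listing them in the config header as deprecated. checkcfg() begins in the first hunk of this file and its errout label and return are past the last hunk.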
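--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -650,40 +650,25 @@ void restrict_users(void);
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
 enum {
-CFG_FILE_TRANSFER = 0,
-CFG_X11,
+CFG_APPARMOR = 0,
+CFG_ARP_PROBES,
 CFG_BIND,
-CFG_USERNS,
-CFG_CHROOT,
-CFG_SECCOMP,
-CFG_NETWORK,
-CFG_RESTRICTED_NETWORK,
-CFG_FORCE_NONEWPRIVS,
-CFG_WHITELIST,
-CFG_XEPHYR_WINDOW_TITLE,
-CFG_OVERLAYFS,
-CFG_PRIVATE_HOME,
-CFG_PRIVATE_BIN_NO_LOCAL,
+CFG_DBUS,
+CFG_DISABLE_MNT,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
-CFG_DISABLE_MNT,
+CFG_FORCE_NONEWPRIVS,
 CFG_JOIN,
-CFG_ARP_PROBES,
-CFG_XPRA_ATTACH,
-CFG_PRIVATE_LIB,
-CFG_APPARMOR,
-CFG_DBUS,
+CFG_NETWORK,
+CFG_RESTRICTED_NETWORK,
+CFG_SECCOMP,
+CFG_USERNS,
+CFG_WHITELIST,
 CFG_MAX // this should always be the last entry
 };
-extern char *xephyr_screen;
-extern char *xephyr_extra_params;
-extern char *xpra_extra_params;
-extern char *xvfb_screen;
-extern char *xvfb_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
 void print_compiletime_support(void);
-void x11_xorg(void);
 
 // appimage.c
 void appimage_set(const char *appimage_path);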
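Review bot: The CFG_ enum is now sorted alphabetically, which renumbers every constant, but nothing in the header records that ordering or that the values are not stable; any object under src/ that includes firejail.h and indexes cfg_val[] through checkcfg() must be rebuilt against this header or it will read a different flag than it names. A comment on the enum, `// keep in alphabetical order; numeric values change between releases, never persist them`, would make the intent and the constraint explicit. Dropping `void x11_xorg(void);` is only safe if its definition and every caller went with it — if either survives elsewhere in the tree the call now lacks a prototype; that cannot be confirmed from this hunk.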
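--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1011,6 +1011,33 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--disable-mnt") == 0)
 arg_disable_mnt = 1;
+else if (strcmp(argv[i], "--tunnel") == 0) {
+// try to connect to the default client side of the tunnel
+// if this fails, try the default server side of the tunnel
+if (access("/run/firetunnel/ftc", R_OK) == 0)
+profile_read("/run/firetunnel/ftc");
+else if (access("/run/firetunnel/fts", R_OK) == 0)
+profile_read("/run/firetunnel/fts");
+else {
+fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+exit(1);
+}
+}
+else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+char *fname;
+if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+errExit("asprintf");
+invalid_filename(fname, 0); // no globbing
+if (access(fname, R_OK) == 0)
+profile_read(fname);
+else {
+fprintf(stderr, "Error: tunnel not found\n");
+exit(1);
+}
+}
+
+
+
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
 // multiple profile files are allowed!
 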
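Review bot: The `--tunnel=devname` branch builds the path from argv[i] + 9 before anything checks the device name itself, so an empty name (`--tunnel=`) produces "/run/firetunnel/", which access(R_OK) accepts for a directory and profile_read then receives, and a name containing '/' can select a file outside /run/firetunnel unless invalid_filename rejects it (that helper is outside the hunk, so I cannot confirm what it checks). Because the chosen file is parsed as a full profile, the name should be constrained to a plain file name up front: `if (argv[i][9] == '\0' || strchr(argv[i] + 9, '/')) { fprintf(stderr, "Error: invalid tunnel device name\n"); exit(1); }` before the asprintf. The three blank lines left at new 1038–1040 look like leftovers and would be worth removing. The man-page hunk in this same commit says the device files live in /etc/firetunnel while this code reads /run/firetunnel, so one of the two needs correcting. main() starts and ends outside the hunk.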
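--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -171,6 +171,8 @@ static char *usage_str =
 " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
 " --top - monitor the most CPU-intensive sandboxes.\n"
 " --tree - print a tree of all sandboxed processes.\n"
+" --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+"\tfiretunnel utility.\n"
 " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"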
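--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -495,10 +495,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
 }
 else {
 syscall_process_name(ptr, &syscall_nr, &error_nr);
-if (syscall_nr == -1) {
-if (!arg_quiet)
-fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
-}
+if (syscall_nr == -1) {;}
 else if (callback != NULL) {
 if (error_nr != -1 && fd != 0) {
 filter_add_errno(fd, syscall_nr, error_nr, ptrarg);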
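Review bot: `if (syscall_nr == -1) {;}` removes the only feedback a user received when a name in a seccomp list does not resolve, so a misspelled or platform-missing syscall is now dropped from the filter silently while the profile author believes it is covered. If the intent was to stop fseccomp depending on arg_quiet, keep the message and drop only the condition: `if (syscall_nr == -1) fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);`. If the branch is genuinely meant to be a no-op, the empty `{;}` should say so, `if (syscall_nr == -1) { /* unknown syscall name: skipped */ }`, so it does not read as an unfinished edit. syscall_check_list() starts and ends outside the hunk.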
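--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1788,6 +1788,25 @@ $ firejail \-\-tree
 11970:netblue:transmission-gtk
 
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+
+.TP
 \fB\-\-version
 Print program version and exit.
 .br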
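--- a/test/blacklist-link.exp
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# blacklist a directory symlink
-send -- "firejail --blacklist=auto2\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls auto2\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-
-# blacklist a directory symlink from a profile file
-send -- "firejail --profile=blacklist3.profile\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls auto2\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-
-# do not blacklist /bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"auto3 directory link was not blacklisted"
-}
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls auto3; pwd\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"cannot open directory" {puts "TESTING ERROR 6.1\n";exit}
-"home"
-}
-send -- "exit\r"
-sleep 1
-
-# do not blacklist /usr/bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"auto3 directory link was not blacklisted"
-}
-expect {
-timeout {puts "TESTING ERROR 7.1\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls auto3; pwd\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"cannot open directory" {puts "TESTING ERROR 9.1\n";exit}
-"home"
-}
-send -- "exit\r"
-sleep 1
-
-
-puts "all done\n"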
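--- a/test/blacklist.exp
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# directory with ~
-send -- "firejail --blacklist=~/.config\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al ~/.config\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-# directory with ~ in profile file
-send -- "firejail --profile=blacklist1.profile\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al ~/.config\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-
-# directory with space
-send -- "firejail \"--blacklist=dir with space\"\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al \"dir with space\"\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-# directory with space in profile
-send -- "firejail --profile=blacklist2.profile\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "ls -al \"dir with space\"\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"cannot open directory"
-}
-
-
-
-puts "\n"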
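--- a/test/blacklist1.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist ~/.config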
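--- a/test/blacklist2.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist dir with space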
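--- a/test/blacklist3.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist auto2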
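--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -64,7 +64,7 @@ sleep 1
 send -- "firejail --private=/etc\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-"private directory should be owned by the current user"
+"private directory is not owned by the current user"
 }
 sleep 1
 send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"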