author | netblue30 <netblue30@protonmail.com> | 2021-05-06 15:39:36 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-05-06 15:39:36 -0400 |
commit | 43e47483ff94753655ade1e633e973725d8fb505 (patch) | |
tree | f4f69043bcb37fd62c6d60da57cad5b6027f46c5 /src/fbuilder/build_profile.c | |
parent | some wireshark hardening (#4245) (diff) | |
more --build
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r-- | src/fbuilder/build_profile.c | 53 |
1 files changed, 33 insertions, 20 deletions
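--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -141,57 +141,70 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
 		if (fp == stdout)
 			printf("--- Built profile beings after this line ---\n");
-		fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+		fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
+		fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
+		fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
+		fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
+		fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+
+		fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
 		fprintf(fp, "# Persistent local customizations\n");
 		fprintf(fp, "#include %s.local\n", argv[index]);
 		fprintf(fp, "# Persistent global definitions\n");
 		fprintf(fp, "#include globals.local\n");
 		fprintf(fp, "\n");
 
-		fprintf(fp, "### basic blacklisting\n");
+		fprintf(fp, "### Basic Blacklisting ###\n");
+		fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
+		fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
+		fprintf(fp, "### and /tmp directories non-executable.\n");
 		fprintf(fp, "include disable-common.inc\n");
 		fprintf(fp, "#include disable-devel.inc\n");
 		fprintf(fp, "#include disable-exec.inc\n");
 		fprintf(fp, "#include disable-interpreters.inc\n");
 		fprintf(fp, "include disable-passwdmgr.inc\n");
-		fprintf(fp, "#include disable-programs.inc\n");
+		fprintf(fp, "include disable-programs.inc\n");
 		fprintf(fp, "#include disable-xdg.inc\n");
 		fprintf(fp, "\n");
 
-		fprintf(fp, "### home directory whitelisting\n");
+		fprintf(fp, "### Home Directory Whitelisting ###\n");
+		fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
+		fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
 		build_home(trace_output, fp);
 
-		fprintf(fp, "\n### /usr/share:\n");
+		fprintf(fp, "\n### The Rest of the Filesystem ###\n");
 		build_share(trace_output, fp);
-		fprintf(fp, "\n### /var:\n");
 		build_var(trace_output, fp);
-		fprintf(fp, "\n### /bin:\n");
 		build_bin(trace_output, fp);
-		fprintf(fp, "\n### /dev:\n");
 		build_dev(trace_output, fp);
-		fprintf(fp, "\n### /etc:\n");
+		fprintf(fp, "#nodvd\n");
+		fprintf(fp, "#noinput\n");
+		fprintf(fp, "#notv\n");
+		fprintf(fp, "#nou2f\n");
+		fprintf(fp, "#novideo\n");
 		build_etc(trace_output, fp);
-		fprintf(fp, "\n### /tmp:\n");
 		build_tmp(trace_output, fp);
 
-		fprintf(fp, "\n### security filters\n");
+		fprintf(fp, "\n### Security Filters ###\n");
+		fprintf(fp, "#apparmor\n");
 		fprintf(fp, "caps.drop all\n");
+		fprintf(fp, "netfilter\n");
+		fprintf(fp, "#nogroups\n");
+		fprintf(fp, "#noroot\n");
 		fprintf(fp, "nonewprivs\n");
+		build_protocol(trace_output, fp);
+
 		fprintf(fp, "seccomp\n");
 		if (!have_strace) {
-			fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
-			fprintf(fp, "# whitelisted seccomp filter.\n");
+			fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
+			fprintf(fp, "### whitelisted seccomp filter.\n");
 		}
 		else if (!have_yama_permission)
-			fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+			fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
 		else
 			build_seccomp(strace_output, fp);
-
-		fprintf(fp, "\n### network\n");
-		build_protocol(trace_output, fp);
-
-		fprintf(fp, "\n### environment\n");
-		fprintf(fp, "shell none\n");
+		fprintf(fp, "#shell none\n");
+		fprintf(fp, "#tracelog\n");
 
 		if (!arg_debug) {
 			unlink(trace_output);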
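Review bot: `shell none` was emitted as an active directive in the old profile (old line 194) and the new code writes it commented out as `#shell none` (new line 206), so the generated profile silently loses that hardening; if this is deliberate because it breaks some applications, a `###` explanation line next to it would make the trade-off visible to the user, e.g. `fprintf(fp, "### shell none may break programs launched via a shell; enable it and test.\n");`. Enabling `include disable-programs.inc` unconditionally (new line 166) may blacklist the profiled application's own config directory unless build_home also emits matching `noblacklist` lines before that include — worth confirming against build_home, which is outside this hunk. The new unconditional `netfilter` line (new line 191) presumably only takes effect when a network namespace is configured, and no `net` directive is generated here, so confirm it does not merely produce a warning at load time. Separately, new line 172 has a typo: "relay on" should be "rely on".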