authorLibravatar netblue30 <netblue30@protonmail.com>2021-05-06 15:39:36 -0400
committerLibravatar netblue30 <netblue30@protonmail.com>2021-05-06 15:39:36 -0400
commit43e47483ff94753655ade1e633e973725d8fb505 (patch)
treef4f69043bcb37fd62c6d60da57cad5b6027f46c5 /src/fbuilder/build_profile.c
parentsome wireshark hardening (#4245) (diff)
more --build
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r--src/fbuilder/build_profile.c53
1 files changed, 33 insertions, 20 deletions
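--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -141,57 +141,70 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
 if (fp == stdout)
 printf("--- Built profile beings after this line ---\n");
-fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
+fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
+fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
+fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
+fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n");
+
+fprintf(fp, "\n# Firejail profile for %s\n", argv[index]);
 fprintf(fp, "# Persistent local customizations\n");
 fprintf(fp, "#include %s.local\n", argv[index]);
 fprintf(fp, "# Persistent global definitions\n");
 fprintf(fp, "#include globals.local\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "### basic blacklisting\n");
+fprintf(fp, "### Basic Blacklisting ###\n");
+fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
+fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
+fprintf(fp, "### and /tmp directories non-executable.\n");
 fprintf(fp, "include disable-common.inc\n");
 fprintf(fp, "#include disable-devel.inc\n");
 fprintf(fp, "#include disable-exec.inc\n");
 fprintf(fp, "#include disable-interpreters.inc\n");
 fprintf(fp, "include disable-passwdmgr.inc\n");
-fprintf(fp, "#include disable-programs.inc\n");
+fprintf(fp, "include disable-programs.inc\n");
 fprintf(fp, "#include disable-xdg.inc\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "### home directory whitelisting\n");
+fprintf(fp, "### Home Directory Whitelisting ###\n");
+fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
+fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
 build_home(trace_output, fp);
 
-fprintf(fp, "\n### /usr/share:\n");
+fprintf(fp, "\n### The Rest of the Filesystem ###\n");
 build_share(trace_output, fp);
-fprintf(fp, "\n### /var:\n");
 build_var(trace_output, fp);
-fprintf(fp, "\n### /bin:\n");
 build_bin(trace_output, fp);
-fprintf(fp, "\n### /dev:\n");
 build_dev(trace_output, fp);
-fprintf(fp, "\n### /etc:\n");
+fprintf(fp, "#nodvd\n");
+fprintf(fp, "#noinput\n");
+fprintf(fp, "#notv\n");
+fprintf(fp, "#nou2f\n");
+fprintf(fp, "#novideo\n");
 build_etc(trace_output, fp);
-fprintf(fp, "\n### /tmp:\n");
 build_tmp(trace_output, fp);
 
-fprintf(fp, "\n### security filters\n");
+fprintf(fp, "\n### Security Filters ###\n");
+fprintf(fp, "#apparmor\n");
 fprintf(fp, "caps.drop all\n");
+fprintf(fp, "netfilter\n");
+fprintf(fp, "#nogroups\n");
+fprintf(fp, "#noroot\n");
 fprintf(fp, "nonewprivs\n");
+build_protocol(trace_output, fp);
+
 fprintf(fp, "seccomp\n");
 if (!have_strace) {
-fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
-fprintf(fp, "# whitelisted seccomp filter.\n");
+fprintf(fp, "### If you install strace on your system, Firejail will also create a\n");
+fprintf(fp, "### whitelisted seccomp filter.\n");
 }
 else if (!have_yama_permission)
-fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n");
 else
 build_seccomp(strace_output, fp);
-
-fprintf(fp, "\n### network\n");
-build_protocol(trace_output, fp);
-
-fprintf(fp, "\n### environment\n");
-fprintf(fp, "shell none\n");
+fprintf(fp, "#shell none\n");
+fprintf(fp, "#tracelog\n");
 
 if (!arg_debug) {
 unlink(trace_output);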
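Review bot: The Security Filters section now writes `#shell none` (new line 206) where the old template wrote `shell none` unconditionally (old line 194), so the generated profile no longer applies that option unless the user uncomments it; if this relaxation is deliberate, a comment such as `/* shell none left commented out: it breaks programs that rely on the shell */` should say why, otherwise restoring `fprintf(fp, "shell none\n");` keeps the template's previous hardening. The emitted text at new line 172 has a typo, `relay on` should be `rely on`, and the unchanged banner at line 143 still reads `beings` where `begins` is meant. The enclosing `build_profile` starts before this hunk and its body continues past line 210.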