author | netblue30 <netblue30@protonmail.com> | 2021-05-12 15:59:31 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-05-12 15:59:31 -0400 |
commit | 13e699fe26cc0eda1d7cd1f214d2909e08a1dc58 (patch) | |
tree | d45983d62b3286f10391c062fa7df7c68ca66986 /src/fbuilder | |
parent | Update dino.profile (diff) | |
more --build
Diffstat (limited to 'src/fbuilder')
-rw-r--r-- | src/fbuilder/build_profile.c | 44 | ||||
-rw-r--r-- | src/fbuilder/main.c | 12 |
2 files changed, 37 insertions, 19 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index fb53f70a6..1726b4dbb 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -145,9 +145,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); | 145 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); |
146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); | 146 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); |
147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); | 147 | fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); |
148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n"); | 148 | fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); |
149 | 149 | ||
150 | fprintf(fp, "\n# Firejail profile for %s\n", argv[index]); | 150 | fprintf(fp, "# Firejail profile for %s\n", argv[index]); |
151 | fprintf(fp, "# Persistent local customizations\n"); | 151 | fprintf(fp, "# Persistent local customizations\n"); |
152 | fprintf(fp, "#include %s.local\n", argv[index]); | 152 | fprintf(fp, "#include %s.local\n", argv[index]); |
153 | fprintf(fp, "# Persistent global definitions\n"); | 153 | fprintf(fp, "# Persistent global definitions\n"); |
@@ -164,6 +164,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
164 | fprintf(fp, "#include disable-interpreters.inc\n"); | 164 | fprintf(fp, "#include disable-interpreters.inc\n"); |
165 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 165 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
166 | fprintf(fp, "include disable-programs.inc\n"); | 166 | fprintf(fp, "include disable-programs.inc\n"); |
167 | fprintf(fp, "#include disable-shell.inc\n"); | ||
167 | fprintf(fp, "#include disable-xdg.inc\n"); | 168 | fprintf(fp, "#include disable-xdg.inc\n"); |
168 | fprintf(fp, "\n"); | 169 | fprintf(fp, "\n"); |
169 | 170 | ||
@@ -171,29 +172,27 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
171 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); | 172 | fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); |
172 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); | 173 | fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); |
173 | build_home(trace_output, fp); | 174 | build_home(trace_output, fp); |
175 | fprintf(fp, "\n"); | ||
174 | 176 | ||
175 | fprintf(fp, "\n### The Rest of the Filesystem ###\n"); | 177 | fprintf(fp, "### Filesystem Whitelisting ###\n"); |
176 | build_share(trace_output, fp); | 178 | build_share(trace_output, fp); |
179 | //todo: include whitelist-runuser-common.inc | ||
177 | build_var(trace_output, fp); | 180 | build_var(trace_output, fp); |
178 | build_bin(trace_output, fp); | 181 | fprintf(fp, "\n"); |
179 | build_dev(trace_output, fp); | ||
180 | fprintf(fp, "#nodvd\n"); | ||
181 | fprintf(fp, "#noinput\n"); | ||
182 | fprintf(fp, "#notv\n"); | ||
183 | fprintf(fp, "#nou2f\n"); | ||
184 | fprintf(fp, "#novideo\n"); | ||
185 | build_etc(trace_output, fp); | ||
186 | build_tmp(trace_output, fp); | ||
187 | 182 | ||
188 | fprintf(fp, "\n### Security Filters ###\n"); | ||
189 | fprintf(fp, "#apparmor\n"); | 183 | fprintf(fp, "#apparmor\n"); |
190 | fprintf(fp, "caps.drop all\n"); | 184 | fprintf(fp, "caps.drop all\n"); |
185 | fprintf(fp, "ipc-namespace\n"); | ||
191 | fprintf(fp, "netfilter\n"); | 186 | fprintf(fp, "netfilter\n"); |
187 | fprintf(fp, "#nodvd\n"); | ||
192 | fprintf(fp, "#nogroups\n"); | 188 | fprintf(fp, "#nogroups\n"); |
193 | fprintf(fp, "#noroot\n"); | 189 | fprintf(fp, "#noinput\n"); |
194 | fprintf(fp, "nonewprivs\n"); | 190 | fprintf(fp, "nonewprivs\n"); |
191 | fprintf(fp, "noroot\n"); | ||
192 | fprintf(fp, "#notv\n"); | ||
193 | fprintf(fp, "#nou2f\n"); | ||
194 | fprintf(fp, "#novideo\n"); | ||
195 | build_protocol(trace_output, fp); | 195 | build_protocol(trace_output, fp); |
196 | |||
197 | fprintf(fp, "seccomp\n"); | 196 | fprintf(fp, "seccomp\n"); |
198 | if (!have_strace) { | 197 | if (!have_strace) { |
199 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); | 198 | fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); |
@@ -203,8 +202,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
203 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); | 202 | fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); |
204 | else | 203 | else |
205 | build_seccomp(strace_output, fp); | 204 | build_seccomp(strace_output, fp); |
206 | fprintf(fp, "#shell none\n"); | 205 | fprintf(fp, "shell none\n"); |
207 | fprintf(fp, "#tracelog\n"); | 206 | fprintf(fp, "#tracelog\n"); |
207 | fprintf(fp, "\n"); | ||
208 | |||
209 | fprintf(fp, "#disable-mnt\n"); | ||
210 | build_bin(trace_output, fp); | ||
211 | fprintf(fp, "#private-lib\n"); | ||
212 | build_dev(trace_output, fp); | ||
213 | build_etc(trace_output, fp); | ||
214 | build_tmp(trace_output, fp); | ||
215 | fprintf(fp, "\n"); | ||
216 | |||
217 | fprintf(fp, "#dbus-user none\n"); | ||
218 | fprintf(fp, "#dbus-system none\n"); | ||
219 | fprintf(fp, "#memory-deny-write-execute\n"); | ||
208 | 220 | ||
209 | if (!arg_debug) { | 221 | if (!arg_debug) { |
210 | unlink(trace_output); | 222 | unlink(trace_output); |
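Review bot: The new filesystem block at lines 209–214 (`#disable-mnt`, build_bin, `#private-lib`, build_dev, build_etc, build_tmp) and the dbus/memory-deny-write-execute lines after it are written out with no `###` heading, while the earlier sections in this function still get one and the old `### Security Filters ###` heading before `#apparmor` was dropped in the previous hunk, so a reader of the generated profile can no longer tell which directives the "this section is the first one to comment out" advice refers to. Restoring `fprintf(fp, "### Security Filters ###\n");` before the `#apparmor` line and adding something like `fprintf(fp, "### Filesystem ###\n");` before `#disable-mnt` would keep the generated file self-describing. The `//todo: include whitelist-runuser-common.inc` in the previous hunk is a comment in the generator, so nothing about it reaches the profile; emitting it commented out like the other optional directives, `fprintf(fp, "#include whitelist-runuser-common.inc\n");`, would surface it to the user who is expected to tune the file. build_profile begins before the first hunk and ends after the last one.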
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index f4917aefc..35ec49519 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -58,10 +58,16 @@ printf("\n"); | |||
58 | exit(1); | 58 | exit(1); |
59 | } | 59 | } |
60 | 60 | ||
61 | // don't run if the file exists | ||
62 | if (access(argv[i] + 8, F_OK) == 0) { | ||
63 | fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n"); | ||
64 | exit(1); | ||
65 | } | ||
66 | |||
61 | // check file access | 67 | // check file access |
62 | fp = fopen(argv[i] + 8, "w"); | 68 | fp = fopen(argv[i] + 8, "w"); |
63 | if (!fp) { | 69 | if (!fp) { |
64 | fprintf(stderr, "Error fbuild: cannot open profile file.\n"); | 70 | fprintf(stderr, "Error: cannot open profile file.\n"); |
65 | exit(1); | 71 | exit(1); |
66 | } | 72 | } |
67 | prof_file = 1; | 73 | prof_file = 1; |
@@ -69,7 +75,7 @@ printf("\n"); | |||
69 | } | 75 | } |
70 | else { | 76 | else { |
71 | if (*argv[i] == '-') { | 77 | if (*argv[i] == '-') { |
72 | fprintf(stderr, "Error fbuilder: invalid program\n"); | 78 | fprintf(stderr, "Error: invalid program\n"); |
73 | usage(); | 79 | usage(); |
74 | exit(1); | 80 | exit(1); |
75 | } | 81 | } |
@@ -79,7 +85,7 @@ printf("\n"); | |||
79 | } | 85 | } |
80 | 86 | ||
81 | if (prog_index == 0) { | 87 | if (prog_index == 0) { |
82 | fprintf(stderr, "Error fbuilder: program and arguments required\n"); | 88 | fprintf(stderr, "Error : program and arguments required\n"); |
83 | usage(); | 89 | usage(); |
84 | if (prof_file) | 90 | if (prof_file) |
85 | fclose(fp); | 91 | fclose(fp); |
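Review bot: The new existence check at lines 61–65 is a check-then-use sequence: `access(argv[i] + 8, F_OK)` and the `fopen(..., "w")` that follows it are separate calls, so a file that appears at the path between them is still truncated, and a dangling symlink at the path passes the check (access reports it as absent) after which `fopen` creates the link's target. Doing the check and the create in one step with `open(O_WRONLY | O_CREAT | O_EXCL)` plus `fdopen` closes both gaps, because O_EXCL fails with EEXIST when the path exists or names a symbolic link regardless of where it points; this needs `<fcntl.h>` and `<errno.h>`, whose include block is outside the hunk. Whether fbuilder ever runs with more privilege than the user who supplied the path is not visible here, so the practical impact is unconfirmed. Separately, the message at line 88 of the last hunk, `Error : program and arguments required`, has a stray space before the colon that the sibling messages in this commit do not. The enclosing function starts before the first hunk and continues past the last.
```c
// check file access: create and existence-check in one step (O_EXCL), so a
// file or symlink that appears at the path is never truncated or followed
int fd = open(argv[i] + 8, O_WRONLY | O_CREAT | O_EXCL, 0644);
if (fd == -1) {
	if (errno == EEXIST)
		fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
	else
		fprintf(stderr, "Error: cannot open profile file.\n");
	exit(1);
}
fp = fdopen(fd, "w");
if (!fp) {
	fprintf(stderr, "Error: cannot open profile file.\n");
	exit(1);
}
prof_file = 1;
```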