author | netblue30 <netblue30@protonmail.com> | 2021-05-20 21:38:01 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-05-20 21:38:01 -0400 |
commit | 4222217198ceedc3e5fd7c356bcd798548eb94ff (patch) | |
tree | e48e5c450c41cb67b9a33a77afa891c5fa9363cf /src | |
parent | add support for cargo toml/non-toml files (#4286) (diff) | |
--buid fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_profile.c | 54 | ||||
-rw-r--r-- | src/fbuilder/build_seccomp.c | 29 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 11 |
3 files changed, 45 insertions, 49 deletions
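--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -24,21 +24,6 @@
 #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
 #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
 
-/* static char *cmdlist[] = { */
-/* "/usr/bin/firejail", */
-/* "--quiet", */
-/* "--output=" TRACE_OUTPUT, */
-/* "--noprofile", */
-/* "--caps.drop=all", */
-/* "--nonewprivs", */
-/* "--trace", */
-/* "--shell=none", */
-/* "/usr/bin/strace", // also used as a marker in build_profile() */
-/* "-c", */
-/* "-f", */
-/* "-o" STRACE_OUTPUT, */
-/* }; */
-
 void build_profile(int argc, char **argv, int index, FILE *fp) {
 // next index is the application name
 if (index >= argc) {
@@ -158,14 +143,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
 fprintf(fp, "### and /tmp directories non-executable.\n");
-fprintf(fp, "include disable-common.inc\n");
-fprintf(fp, "#include disable-devel.inc\n");
-fprintf(fp, "#include disable-exec.inc\n");
-fprintf(fp, "#include disable-interpreters.inc\n");
-fprintf(fp, "include disable-passwdmgr.inc\n");
-fprintf(fp, "include disable-programs.inc\n");
-fprintf(fp, "#include disable-shell.inc\n");
-fprintf(fp, "#include disable-xdg.inc\n");
+fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
+fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
+fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
+fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
+fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n");
+fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
+fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
+fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
 fprintf(fp, "\n");
 
 fprintf(fp, "### Home Directory Whitelisting ###\n");
@@ -180,18 +165,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 build_var(trace_output, fp);
 fprintf(fp, "\n");
 
-fprintf(fp, "#apparmor\n");
+fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
 fprintf(fp, "caps.drop all\n");
 fprintf(fp, "ipc-namespace\n");
 fprintf(fp, "netfilter\n");
-fprintf(fp, "#nodvd\n");
-fprintf(fp, "#nogroups\n");
-fprintf(fp, "#noinput\n");
+fprintf(fp, "#no3d\t# disable 3D acceleration\n");
+fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
+fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
+fprintf(fp, "#noinput\t# disable input devices\n");
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "noroot\n");
-fprintf(fp, "#notv\n");
-fprintf(fp, "#nou2f\n");
-fprintf(fp, "#novideo\n");
+fprintf(fp, "#notv\t# disable DVB TV devices\n");
+fprintf(fp, "#nou2f\t# disable U2F devices\n");
+fprintf(fp, "#novideo\t# disable video capture devices\n");
 build_protocol(trace_output, fp);
 fprintf(fp, "seccomp\n");
 if (!have_strace) {
@@ -203,19 +189,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 else
 build_seccomp(strace_output, fp);
 fprintf(fp, "shell none\n");
-fprintf(fp, "#tracelog\n");
+fprintf(fp, "tracelog\n");
 fprintf(fp, "\n");
 
-fprintf(fp, "#disable-mnt\n");
+fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
 build_bin(trace_output, fp);
-fprintf(fp, "#private-lib\n");
+fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
 build_dev(trace_output, fp);
 build_etc(trace_output, fp);
+fprintf(fp, "#private-lib\n");
 build_tmp(trace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "#dbus-user none\n");
 fprintf(fp, "#dbus-system none\n");
+fprintf(fp, "\n");
 fprintf(fp, "#memory-deny-write-execute\n");
 
 if (!arg_debug) {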
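Review bot: `tracelog` is now emitted uncommented (old line 206, new line 192), so every generated profile switches on blacklist-violation logging by default, yet unlike the neighbouring directives this line carries no explanatory trailing comment and the commit message does not mention the new default. If enabling it is intended, document it inline like the rest of the template, e.g. `fprintf(fp, "tracelog\t# log blacklist violations to syslog\n");`, otherwise keep it as `#tracelog`. The template now also depends on the profile parser accepting a trailing `# ...` comment on a directive line; the man-page hunk in this commit documents that form, but a profile generated by this build presumably will not load under any firejail whose parser does not strip such comments, so that compatibility is worth confirming. build_profile starts before the first hunk and continues past the last one.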
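--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -82,11 +82,12 @@ void build_seccomp(const char *fname, FILE *fp) {
 //***************************************
 // protocol
 //***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
+static int unix_s = 0;
+static int inet = 0;
+static int inet6 = 0;
+static int netlink = 0;
+static int packet = 0;
+static int bluetooth = 0;
 static void process_protocol(const char *fname) {
 assert(fname);
 
@@ -135,6 +136,8 @@ static void process_protocol(const char *fname) {
 netlink = 1;
 else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
 packet = 1;
+else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
+bluetooth = 1;
 }
 
 fclose(fp);
@@ -161,22 +164,22 @@ void build_protocol(const char *fname, FILE *fp) {
 }
 
 int net = 0;
-if (unix_s || inet || inet6 || netlink || packet) {
+if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
 fprintf(fp, "protocol ");
 if (unix_s)
 fprintf(fp, "unix,");
-if (inet) {
-fprintf(fp, "inet,");
-net = 1;
-}
-if (inet6) {
-fprintf(fp, "inet6,");
+if (inet || inet6) {
+fprintf(fp, "inet,inet6,");
 net = 1;
 }
 if (netlink)
 fprintf(fp, "netlink,");
 if (packet) {
-fprintf(fp, "packet,");
+fprintf(fp, "packet,");
+net = 1;
+}
+if (bluetooth) {
+fprintf(fp, "bluetooth");
 net = 1;
 }
 fprintf(fp, "\n");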
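Review bot: The merged `if (inet || inet6)` branch (new lines 171-172) writes `inet,inet6,` whenever either family appears in the trace, so a program observed using only AF_INET receives a protocol allow-list that also admits AF_INET6 — a wider grant than the trace supports, where the old code emitted each family only when it was actually seen. If the merge is deliberate (dual-stack programs commonly open both), state that next to the branch, e.g. `// inet and inet6 are granted together: dual-stack programs open both`; otherwise keep the two blocks separate so the generated profile stays minimal. Making the flags `static` (new lines 85-90) is a good tightening of linkage, but they remain process-wide state that is never reset, so if process_protocol were ever called twice in one run the second result would presumably include the first's families. build_protocol starts before this hunk and continues past it.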
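--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -160,6 +160,11 @@ Example: "blacklist ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
+Example:
+
+# disable networking
+.br
+net none # this command creates an empty network namespace
 
 .TP
 \fB?CONDITIONAL: profile line
@@ -731,6 +736,9 @@ Disable DVD and audio CD devices.
 \fBnogroups
 Disable supplementary user groups
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBnosound
 Disable sound system.
 .TP
@@ -743,9 +751,6 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
-\fBnoinput
-Disable input devices.
-.TP
 \fBshell none
 Run the program directly, without a shell.
 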