author | smitsohu <smitsohu@gmail.com> | 2021-07-24 15:31:40 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-07-24 15:31:40 +0200 |
commit | 1ba2024d8a833eaf93436218fb25943600f303bc (patch) | |
tree | b247db3bde21484c4ce9f5e85db655d9b32c8286 /src | |
parent | organize program startup (diff) | |
parent | Complete 42a03511d0877690276da83bf548635d7e8ca693 (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'src')
31 files changed, 648 insertions, 430 deletions
diff --git a/src/common.mk.in b/src/common.mk.in index f88da55ac..5ae8bf204 100644 --- a/src/common.mk.in +++ b/src/common.mk.in | |||
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@ | |||
15 | HAVE_USERNS=@HAVE_USERNS@ | 15 | HAVE_USERNS=@HAVE_USERNS@ |
16 | HAVE_X11=@HAVE_X11@ | 16 | HAVE_X11=@HAVE_X11@ |
17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | 17 | HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ |
18 | HAVE_WHITELIST=@HAVE_WHITELIST@ | ||
19 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 18 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
20 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 19 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
21 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | 20 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ |
@@ -42,7 +41,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) | |||
42 | CFLAGS = @CFLAGS@ | 41 | CFLAGS = @CFLAGS@ |
43 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) | 42 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) |
44 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' | 43 | CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' |
45 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) | 44 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) |
46 | CFLAGS += $(MANFLAGS) | 45 | CFLAGS += $(MANFLAGS) |
47 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security | 46 | CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security |
48 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread | 47 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 8700e0ba1..019c3ac5a 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) { | |||
182 | void build_var(const char *fname, FILE *fp) { | 182 | void build_var(const char *fname, FILE *fp) { |
183 | assert(fname); | 183 | assert(fname); |
184 | 184 | ||
185 | var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/"); | 185 | var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/"); |
186 | process_files(fname, "/var", var_callback); | 186 | process_files(fname, "/var", var_callback); |
187 | 187 | ||
188 | // always whitelist /var | 188 | // always whitelist /var |
189 | if (var_out) | 189 | if (var_out) |
190 | filedb_print(var_out, "whitelist /var/", fp); | 190 | filedb_print(var_out, "allow /var/", fp); |
191 | fprintf(fp, "include whitelist-var-common.inc\n"); | 191 | fprintf(fp, "include whitelist-var-common.inc\n"); |
192 | } | 192 | } |
193 | 193 | ||
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) { | |||
222 | void build_share(const char *fname, FILE *fp) { | 222 | void build_share(const char *fname, FILE *fp) { |
223 | assert(fname); | 223 | assert(fname); |
224 | 224 | ||
225 | share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/"); | 225 | share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/"); |
226 | process_files(fname, "/usr/share", share_callback); | 226 | process_files(fname, "/usr/share", share_callback); |
227 | 227 | ||
228 | // always whitelist /usr/share | 228 | // always whitelist /usr/share |
229 | if (share_out) | 229 | if (share_out) |
230 | filedb_print(share_out, "whitelist /usr/share/", fp); | 230 | filedb_print(share_out, "allow /usr/share/", fp); |
231 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); | 231 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); |
232 | } | 232 | } |
233 | 233 | ||
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index b3ec6cffd..f283a0cce 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -138,7 +138,7 @@ void build_home(const char *fname, FILE *fp) { | |||
138 | assert(fname); | 138 | assert(fname); |
139 | 139 | ||
140 | // load whitelist common | 140 | // load whitelist common |
141 | db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/"); | 141 | db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/"); |
142 | 142 | ||
143 | // find user home directory | 143 | // find user home directory |
144 | struct passwd *pw = getpwuid(getuid()); | 144 | struct passwd *pw = getpwuid(getuid()); |
@@ -166,7 +166,7 @@ void build_home(const char *fname, FILE *fp) { | |||
166 | 166 | ||
167 | // print the out list if any | 167 | // print the out list if any |
168 | if (db_out) { | 168 | if (db_out) { |
169 | filedb_print(db_out, "whitelist ${HOME}/", fp); | 169 | filedb_print(db_out, "allow ${HOME}/", fp); |
170 | fprintf(fp, "include whitelist-common.inc\n"); | 170 | fprintf(fp, "include whitelist-common.inc\n"); |
171 | } | 171 | } |
172 | else | 172 | else |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e58fe39ec..3b0ad0aed 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -45,8 +45,8 @@ amule | |||
45 | amuled | 45 | amuled |
46 | android-studio | 46 | android-studio |
47 | anydesk | 47 | anydesk |
48 | apostrophe | ||
49 | apktool | 48 | apktool |
49 | apostrophe | ||
50 | # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 50 | # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
51 | arch-audit | 51 | arch-audit |
52 | archaudit-report | 52 | archaudit-report |
@@ -142,8 +142,9 @@ claws-mail | |||
142 | clawsker | 142 | clawsker |
143 | clementine | 143 | clementine |
144 | clion | 144 | clion |
145 | clipit | 145 | clion-eap |
146 | clipgrab | 146 | clipgrab |
147 | clipit | ||
147 | cliqz | 148 | cliqz |
148 | clocks | 149 | clocks |
149 | cmus | 150 | cmus |
@@ -167,6 +168,7 @@ crow | |||
167 | cryptocat | 168 | cryptocat |
168 | cvlc | 169 | cvlc |
169 | cyberfox | 170 | cyberfox |
171 | d-feet | ||
170 | darktable | 172 | darktable |
171 | dconf-editor | 173 | dconf-editor |
172 | ddgr | 174 | ddgr |
@@ -197,13 +199,12 @@ dragon | |||
197 | drawio | 199 | drawio |
198 | drill | 200 | drill |
199 | dropbox | 201 | dropbox |
200 | d-feet | ||
201 | easystroke | 202 | easystroke |
202 | ebook-viewer | ||
203 | ebook-convert | 203 | ebook-convert |
204 | ebook-edit | 204 | ebook-edit |
205 | ebook-meta | 205 | ebook-meta |
206 | ebook-polish | 206 | ebook-polish |
207 | ebook-viewer | ||
207 | electron-mail | 208 | electron-mail |
208 | electrum | 209 | electrum |
209 | element-desktop | 210 | element-desktop |
@@ -294,8 +295,8 @@ gimp-2.10 | |||
294 | gimp-2.8 | 295 | gimp-2.8 |
295 | gist | 296 | gist |
296 | gist-paste | 297 | gist-paste |
297 | gitg | ||
298 | git-cola | 298 | git-cola |
299 | gitg | ||
299 | github-desktop | 300 | github-desktop |
300 | gitter | 301 | gitter |
301 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 | 302 | # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 |
@@ -386,14 +387,15 @@ icecat | |||
386 | icedove | 387 | icedove |
387 | iceweasel | 388 | iceweasel |
388 | idea | 389 | idea |
389 | ideaIC | ||
390 | idea.sh | 390 | idea.sh |
391 | ideaIC | ||
391 | imagej | 392 | imagej |
392 | img2txt | 393 | img2txt |
393 | impressive | 394 | impressive |
394 | inkscape | 395 | inkscape |
395 | inkview | 396 | inkview |
396 | inox | 397 | inox |
398 | io.github.lainsce.Notejot | ||
397 | ipcalc | 399 | ipcalc |
398 | ipcalc-ng | 400 | ipcalc-ng |
399 | iridium | 401 | iridium |
@@ -452,6 +454,7 @@ librecad | |||
452 | libreoffice | 454 | libreoffice |
453 | librewolf | 455 | librewolf |
454 | librewolf-nightly | 456 | librewolf-nightly |
457 | lifeograph | ||
455 | liferea | 458 | liferea |
456 | lightsoff | 459 | lightsoff |
457 | lincity-ng | 460 | lincity-ng |
@@ -507,6 +510,7 @@ mendeleydesktop | |||
507 | menulibre | 510 | menulibre |
508 | meteo-qt | 511 | meteo-qt |
509 | microsoft-edge | 512 | microsoft-edge |
513 | microsoft-edge-beta | ||
510 | microsoft-edge-dev | 514 | microsoft-edge-dev |
511 | midori | 515 | midori |
512 | min | 516 | min |
@@ -523,7 +527,6 @@ mp3splt-gtk | |||
523 | mp3wrap | 527 | mp3wrap |
524 | mpDris2 | 528 | mpDris2 |
525 | mpg123 | 529 | mpg123 |
526 | mpg123.bin | ||
527 | mpg123-alsa | 530 | mpg123-alsa |
528 | mpg123-id3dump | 531 | mpg123-id3dump |
529 | mpg123-jack | 532 | mpg123-jack |
@@ -533,6 +536,7 @@ mpg123-oss | |||
533 | mpg123-portaudio | 536 | mpg123-portaudio |
534 | mpg123-pulse | 537 | mpg123-pulse |
535 | mpg123-strip | 538 | mpg123-strip |
539 | mpg123.bin | ||
536 | mplayer | 540 | mplayer |
537 | mpsyt | 541 | mpsyt |
538 | mpv | 542 | mpv |
@@ -674,6 +678,7 @@ qupzilla | |||
674 | qutebrowser | 678 | qutebrowser |
675 | rambox | 679 | rambox |
676 | redeclipse | 680 | redeclipse |
681 | rednotebook | ||
677 | redshift | 682 | redshift |
678 | regextester | 683 | regextester |
679 | remmina | 684 | remmina |
@@ -734,8 +739,8 @@ steam | |||
734 | steam-native | 739 | steam-native |
735 | steam-runtime | 740 | steam-runtime |
736 | stellarium | 741 | stellarium |
737 | strawberry | ||
738 | straw-viewer | 742 | straw-viewer |
743 | strawberry | ||
739 | strings | 744 | strings |
740 | studio.sh | 745 | studio.sh |
741 | subdownloader | 746 | subdownloader |
@@ -862,10 +867,10 @@ wire-desktop | |||
862 | wireshark | 867 | wireshark |
863 | wireshark-gtk | 868 | wireshark-gtk |
864 | wireshark-qt | 869 | wireshark-qt |
870 | wordwarvi | ||
865 | wpp | 871 | wpp |
866 | wps | 872 | wps |
867 | wpspdf | 873 | wpspdf |
868 | wordwarvi | ||
869 | x2goclient | 874 | x2goclient |
870 | xbill | 875 | xbill |
871 | xcalc | 876 | xcalc |
@@ -907,6 +912,7 @@ zaproxy | |||
907 | zart | 912 | zart |
908 | zathura | 913 | zathura |
909 | zeal | 914 | zeal |
915 | zim | ||
910 | zoom | 916 | zoom |
911 | # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 917 | # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
912 | # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | 918 | # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index a96415985..2266fa499 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -21,6 +21,7 @@ | |||
21 | // sudo mount -o loop krita-3.0-x86_64.appimage mnt | 21 | // sudo mount -o loop krita-3.0-x86_64.appimage mnt |
22 | 22 | ||
23 | #include "firejail.h" | 23 | #include "firejail.h" |
24 | #include "../include/gcov_wrapper.h" | ||
24 | #include <sys/types.h> | 25 | #include <sys/types.h> |
25 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
26 | #include <sys/mount.h> | 27 | #include <sys/mount.h> |
@@ -28,10 +29,6 @@ | |||
28 | #include <linux/loop.h> | 29 | #include <linux/loop.h> |
29 | #include <errno.h> | 30 | #include <errno.h> |
30 | 31 | ||
31 | #ifdef HAVE_GCOV | ||
32 | #include <gcov.h> | ||
33 | #endif | ||
34 | |||
35 | static char *devloop = NULL; // device file | 32 | static char *devloop = NULL; // device file |
36 | static long unsigned size = 0; // offset into appimage file | 33 | static long unsigned size = 0; // offset into appimage file |
37 | #define MAXBUF 4096 | 34 | #define MAXBUF 4096 |
@@ -144,9 +141,8 @@ void appimage_set(const char *appimage) { | |||
144 | 141 | ||
145 | if (cfg.cwd) | 142 | if (cfg.cwd) |
146 | env_store_name_val("OWD", cfg.cwd, SETENV); | 143 | env_store_name_val("OWD", cfg.cwd, SETENV); |
147 | #ifdef HAVE_GCOV | 144 | |
148 | __gcov_flush(); | 145 | __gcov_flush(); |
149 | #endif | ||
150 | #else | 146 | #else |
151 | fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); | 147 | fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); |
152 | exit(1); | 148 | exit(1); |
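Review bot: `__gcov_flush()` is now called unconditionally at new line 145, so non-coverage builds depend on `../include/gcov_wrapper.h` supplying a no-op definition when HAVE_GCOV is unset; that header is not part of this diff and cannot be checked here. To my knowledge newer GCC releases also removed `__gcov_flush` from libgcov in favour of `__gcov_dump`/`__gcov_reset`, so the wrapper is the right place to absorb that too — worth confirming before the next toolchain bump. Since the `#ifdef` that used to explain the call is gone, a short comment would help: `// no-op unless built with coverage support; see include/gcov_wrapper.h`. appimage_set starts before this hunk.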
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 1e9f4b641..06e6f0ccb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -106,7 +106,6 @@ int checkcfg(int val) { | |||
106 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") | 106 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") |
107 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") | 107 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") |
108 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | 108 | PARSE_YESNO(CFG_SECCOMP, "seccomp") |
109 | PARSE_YESNO(CFG_WHITELIST, "whitelist") | ||
110 | PARSE_YESNO(CFG_NETWORK, "network") | 109 | PARSE_YESNO(CFG_NETWORK, "network") |
111 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | 110 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") |
112 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | 111 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") |
@@ -342,14 +341,6 @@ void print_compiletime_support(void) { | |||
342 | #endif | 341 | #endif |
343 | ); | 342 | ); |
344 | 343 | ||
345 | printf("\t- file and directory whitelisting support is %s\n", | ||
346 | #ifdef HAVE_WHITELIST | ||
347 | "enabled" | ||
348 | #else | ||
349 | "disabled" | ||
350 | #endif | ||
351 | ); | ||
352 | |||
353 | printf("\t- file transfer support is %s\n", | 344 | printf("\t- file transfer support is %s\n", |
354 | #ifdef HAVE_FILE_TRANSFER | 345 | #ifdef HAVE_FILE_TRANSFER |
355 | "enabled" | 346 | "enabled" |
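Review bot: Dropping `PARSE_YESNO(CFG_WHITELIST, "whitelist")` at old line 109 means a firejail.config carried over from an earlier release that still contains a `whitelist yes|no` line is no longer matched by this chain; what happens to an unmatched key is decided by the tail of checkcfg(), which lies outside the hunk, so it may be silently ignored or rejected as an unknown option. If it is rejected, a transitional branch that recognises the key and only warns that it is obsolete would keep existing installs working, or the removal should at least be called out in the release notes. The removed `print_compiletime_support` line likewise changes the support listing that scripts may grep for ("file and directory whitelisting support"). checkcfg() starts and ends outside this hunk.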
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index edc31cdea..37ec22117 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -20,6 +20,7 @@ | |||
20 | 20 | ||
21 | #ifdef HAVE_CHROOT | 21 | #ifdef HAVE_CHROOT |
22 | #include "firejail.h" | 22 | #include "firejail.h" |
23 | #include "../include/gcov_wrapper.h" | ||
23 | #include <sys/mount.h> | 24 | #include <sys/mount.h> |
24 | #include <sys/sendfile.h> | 25 | #include <sys/sendfile.h> |
25 | #include <errno.h> | 26 | #include <errno.h> |
@@ -29,10 +30,6 @@ | |||
29 | #define O_PATH 010000000 | 30 | #define O_PATH 010000000 |
30 | #endif | 31 | #endif |
31 | 32 | ||
32 | #ifdef HAVE_GCOV | ||
33 | #include <gcov.h> | ||
34 | #endif | ||
35 | |||
36 | // exit if error | 33 | // exit if error |
37 | void fs_check_chroot_dir(void) { | 34 | void fs_check_chroot_dir(void) { |
38 | EUID_ASSERT(); | 35 | EUID_ASSERT(); |
@@ -263,9 +260,8 @@ void fs_chroot(const char *rootdir) { | |||
263 | // update chroot resolv.conf | 260 | // update chroot resolv.conf |
264 | update_file(parentfd, "etc/resolv.conf"); | 261 | update_file(parentfd, "etc/resolv.conf"); |
265 | 262 | ||
266 | #ifdef HAVE_GCOV | ||
267 | __gcov_flush(); | 263 | __gcov_flush(); |
268 | #endif | 264 | |
269 | // create /run/firejail/mnt/oroot | 265 | // create /run/firejail/mnt/oroot |
270 | char *oroot = RUN_OVERLAY_ROOT; | 266 | char *oroot = RUN_OVERLAY_ROOT; |
271 | if (mkdir(oroot, 0755) == -1) | 267 | if (mkdir(oroot, 0755) == -1) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9971d30b6..545573c08 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -156,6 +156,8 @@ typedef struct config_t { | |||
156 | 156 | ||
157 | // filesystem | 157 | // filesystem |
158 | ProfileEntry *profile; | 158 | ProfileEntry *profile; |
159 | ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc() | ||
160 | |||
159 | #define MAX_PROFILE_IGNORE 32 | 161 | #define MAX_PROFILE_IGNORE 32 |
160 | char *profile_ignore[MAX_PROFILE_IGNORE]; | 162 | char *profile_ignore[MAX_PROFILE_IGNORE]; |
161 | char *chrootdir; // chroot directory | 163 | char *chrootdir; // chroot directory |
@@ -625,7 +627,6 @@ void fs_trace(void); | |||
625 | 627 | ||
626 | // fs_hostname.c | 628 | // fs_hostname.c |
627 | void fs_hostname(const char *hostname); | 629 | void fs_hostname(const char *hostname); |
628 | void fs_resolvconf(void); | ||
629 | char *fs_check_hosts_file(const char *fname); | 630 | char *fs_check_hosts_file(const char *fname); |
630 | void fs_store_hosts_file(void); | 631 | void fs_store_hosts_file(void); |
631 | void fs_mount_hosts_file(void); | 632 | void fs_mount_hosts_file(void); |
@@ -668,6 +669,7 @@ void fs_machineid(void); | |||
668 | void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list); | 669 | void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list); |
669 | void fs_private_dir_mount(const char *private_dir, const char *private_run_dir); | 670 | void fs_private_dir_mount(const char *private_dir, const char *private_run_dir); |
670 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); | 671 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
672 | void fs_rebuild_etc(void); | ||
671 | 673 | ||
672 | // no_sandbox.c | 674 | // no_sandbox.c |
673 | int check_namespace_virt(void); | 675 | int check_namespace_virt(void); |
@@ -776,7 +778,6 @@ enum { | |||
776 | CFG_NETWORK, | 778 | CFG_NETWORK, |
777 | CFG_RESTRICTED_NETWORK, | 779 | CFG_RESTRICTED_NETWORK, |
778 | CFG_FORCE_NONEWPRIVS, | 780 | CFG_FORCE_NONEWPRIVS, |
779 | CFG_WHITELIST, | ||
780 | CFG_XEPHYR_WINDOW_TITLE, | 781 | CFG_XEPHYR_WINDOW_TITLE, |
781 | CFG_OVERLAYFS, | 782 | CFG_OVERLAYFS, |
782 | CFG_PRIVATE_BIN, | 783 | CFG_PRIVATE_BIN, |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4ae7dbfa4..5ac2da164 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
23 | #include <sys/statvfs.h> | 24 | #include <sys/statvfs.h> |
@@ -33,10 +34,6 @@ | |||
33 | #define O_PATH 010000000 | 34 | #define O_PATH 010000000 |
34 | #endif | 35 | #endif |
35 | 36 | ||
36 | #ifdef HAVE_GCOV | ||
37 | #include <gcov.h> | ||
38 | #endif | ||
39 | |||
40 | #define MAX_BUF 4096 | 37 | #define MAX_BUF 4096 |
41 | #define EMPTY_STRING ("") | 38 | #define EMPTY_STRING ("") |
42 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | 39 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files |
@@ -165,6 +162,19 @@ static void disable_file(OPERATION op, const char *filename) { | |||
165 | fs_logger2("blacklist", fname); | 162 | fs_logger2("blacklist", fname); |
166 | else | 163 | else |
167 | fs_logger2("blacklist-nolog", fname); | 164 | fs_logger2("blacklist-nolog", fname); |
165 | |||
166 | // files in /etc will be reprocessed during /etc rebuild | ||
167 | if (strncmp(fname, "/etc/", 5) == 0) { | ||
168 | ProfileEntry *prf = malloc(sizeof(ProfileEntry)); | ||
169 | if (!prf) | ||
170 | errExit("malloc"); | ||
171 | memset(prf, 0, sizeof(ProfileEntry)); | ||
172 | prf->data = strdup(fname); | ||
173 | if (!prf->data) | ||
174 | errExit("strdup"); | ||
175 | prf->next = cfg.profile_rebuild_etc; | ||
176 | cfg.profile_rebuild_etc = prf; | ||
177 | } | ||
168 | } | 178 | } |
169 | } | 179 | } |
170 | else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { | 180 | else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { |
@@ -492,7 +502,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
492 | struct statvfs buf; | 502 | struct statvfs buf; |
493 | if (fstatvfs(fd, &buf) == -1) | 503 | if (fstatvfs(fd, &buf) == -1) |
494 | errExit("fstatvfs"); | 504 | errExit("fstatvfs"); |
495 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND); | 505 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); |
496 | // mount via the symbolic link in /proc/self/fd | 506 | // mount via the symbolic link in /proc/self/fd |
497 | EUID_ROOT(); | 507 | EUID_ROOT(); |
498 | char *proc; | 508 | char *proc; |
@@ -1213,9 +1223,8 @@ void fs_overlayfs(void) { | |||
1213 | fs_logger("whitelist /tmp"); | 1223 | fs_logger("whitelist /tmp"); |
1214 | 1224 | ||
1215 | // chroot in the new filesystem | 1225 | // chroot in the new filesystem |
1216 | #ifdef HAVE_GCOV | ||
1217 | __gcov_flush(); | 1226 | __gcov_flush(); |
1218 | #endif | 1227 | |
1219 | if (chroot(oroot) == -1) | 1228 | if (chroot(oroot) == -1) |
1220 | errExit("chroot"); | 1229 | errExit("chroot"); |
1221 | 1230 | ||
@@ -1281,6 +1290,9 @@ void fs_private_tmp(void) { | |||
1281 | // read-only x11 directory | 1290 | // read-only x11 directory |
1282 | profile_add("read-only /tmp/.X11-unix"); | 1291 | profile_add("read-only /tmp/.X11-unix"); |
1283 | 1292 | ||
1293 | // whitelist sndio directory | ||
1294 | profile_add("whitelist /tmp/sndio"); | ||
1295 | |||
1284 | // whitelist any pulse* file in /tmp directory | 1296 | // whitelist any pulse* file in /tmp directory |
1285 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user | 1297 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user |
1286 | DIR *dir; | 1298 | DIR *dir; |
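Review bot: In the disable_file hunk (new lines 166-177) the list is keyed on the raw `fname` with only a `/etc/` prefix test, so nested paths such as `/etc/ssl/certs` are recorded as well, while the consumer in fs_rebuild_etc compares `prf->data + 5` against top-level directory entry names and therefore only ever skips direct children of /etc; a nested entry is never skipped and, as far as I can see, stays hidden only because its parent directory is re-bound with MS_REC, which carries the blacklist mount placed here along with it. That works but is non-obvious and deserves a comment at the push, e.g. `// fs_rebuild_etc() matches direct children of /etc only; deeper paths rely on the MS_REC bind of their parent`. The same `fname` is pushed once per blacklist statement, so a file blacklisted twice appears twice — harmless, but cheap to de-duplicate. As a style point, `calloc(1, sizeof *prf)` replaces the malloc/memset pair. disable_file starts and ends outside the hunk.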
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index b0e1e1bf1..76054b485 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -24,6 +24,7 @@ | |||
24 | #include <sys/types.h> | 24 | #include <sys/types.h> |
25 | #include <time.h> | 25 | #include <time.h> |
26 | #include <unistd.h> | 26 | #include <unistd.h> |
27 | #include <dirent.h> | ||
27 | 28 | ||
28 | // spoof /etc/machine_id | 29 | // spoof /etc/machine_id |
29 | void fs_machineid(void) { | 30 | void fs_machineid(void) { |
@@ -250,3 +251,128 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
250 | fs_private_dir_mount(private_dir, private_run_dir); | 251 | fs_private_dir_mount(private_dir, private_run_dir); |
251 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); | 252 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); |
252 | } | 253 | } |
254 | |||
255 | void fs_rebuild_etc(void) { | ||
256 | int have_dhcp = 1; | ||
257 | if (cfg.dns1 == NULL && !any_dhcp()) | ||
258 | have_dhcp = 0; | ||
259 | |||
260 | if (arg_debug) | ||
261 | printf("rebuilding /etc directory\n"); | ||
262 | if (mkdir(RUN_DNS_ETC, 0755)) | ||
263 | errExit("mkdir"); | ||
264 | selinux_relabel_path(RUN_DNS_ETC, "/etc"); | ||
265 | fs_logger("tmpfs /etc"); | ||
266 | |||
267 | DIR *dir = opendir("/etc"); | ||
268 | if (!dir) | ||
269 | errExit("opendir"); | ||
270 | |||
271 | struct stat s; | ||
272 | struct dirent *entry; | ||
273 | while ((entry = readdir(dir))) { | ||
274 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
275 | continue; | ||
276 | |||
277 | // skip files in cfg.profile_rebuild_etc list | ||
278 | // these files are already blacklisted | ||
279 | { | ||
280 | ProfileEntry *prf = cfg.profile_rebuild_etc; | ||
281 | int found = 0; | ||
282 | while (prf) { | ||
283 | if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/") | ||
284 | found = 1; | ||
285 | break; | ||
286 | } | ||
287 | prf = prf->next; | ||
288 | } | ||
289 | if (found) | ||
290 | continue; | ||
291 | } | ||
292 | |||
293 | // for resolv.conf we might have to create a brand new file later | ||
294 | if (have_dhcp && | ||
295 | (strcmp(entry->d_name, "resolv.conf") == 0 || | ||
296 | strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)) | ||
297 | continue; | ||
298 | // printf("linking %s\n", entry->d_name); | ||
299 | |||
300 | char *src; | ||
301 | if (asprintf(&src, "/etc/%s", entry->d_name) == -1) | ||
302 | errExit("asprintf"); | ||
303 | if (stat(src, &s) != 0) { | ||
304 | free(src); | ||
305 | continue; | ||
306 | } | ||
307 | |||
308 | char *dest; | ||
309 | if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) | ||
310 | errExit("asprintf"); | ||
311 | |||
312 | int symlink_done = 0; | ||
313 | if (is_link(src)) { | ||
314 | char *rp =realpath(src, NULL); | ||
315 | if (rp == NULL) { | ||
316 | free(src); | ||
317 | free(dest); | ||
318 | continue; | ||
319 | } | ||
320 | if (symlink(rp, dest)) | ||
321 | errExit("symlink"); | ||
322 | else | ||
323 | symlink_done = 1; | ||
324 | } | ||
325 | else if (S_ISDIR(s.st_mode)) | ||
326 | create_empty_dir_as_root(dest, s.st_mode); | ||
327 | else | ||
328 | create_empty_file_as_root(dest, s.st_mode); | ||
329 | |||
330 | // bind-mount src on top of dest | ||
331 | if (!symlink_done) { | ||
332 | if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
333 | errExit("mount bind mirroring /etc"); | ||
334 | } | ||
335 | fs_logger2("clone", src); | ||
336 | |||
337 | free(src); | ||
338 | free(dest); | ||
339 | } | ||
340 | closedir(dir); | ||
341 | |||
342 | // mount bind our private etc directory on top of /etc | ||
343 | if (arg_debug) | ||
344 | printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); | ||
345 | if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
346 | errExit("mount bind mirroring /etc"); | ||
347 | fs_logger("mount /etc"); | ||
348 | |||
349 | if (have_dhcp == 0) | ||
350 | return; | ||
351 | |||
352 | if (arg_debug) | ||
353 | printf("Creating a new /etc/resolv.conf file\n"); | ||
354 | FILE *fp = fopen("/etc/resolv.conf", "wxe"); | ||
355 | if (!fp) { | ||
356 | fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); | ||
357 | exit(1); | ||
358 | } | ||
359 | |||
360 | if (cfg.dns1) { | ||
361 | if (any_dhcp()) | ||
362 | fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); | ||
363 | fprintf(fp, "nameserver %s\n", cfg.dns1); | ||
364 | } | ||
365 | if (cfg.dns2) | ||
366 | fprintf(fp, "nameserver %s\n", cfg.dns2); | ||
367 | if (cfg.dns3) | ||
368 | fprintf(fp, "nameserver %s\n", cfg.dns3); | ||
369 | if (cfg.dns4) | ||
370 | fprintf(fp, "nameserver %s\n", cfg.dns4); | ||
371 | |||
372 | // mode and owner | ||
373 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
374 | |||
375 | fclose(fp); | ||
376 | |||
377 | fs_logger("create /etc/resolv.conf"); | ||
378 | } | ||
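Review bot: `rp` from `realpath(src, NULL)` at new line 314 is heap-allocated and never freed — the symlink branch falls through to the bind/logging code without releasing it, so every symlinked /etc entry leaks one allocation per sandbox start; add `free(rp);` right after the `symlink()` call (the code is copied from the removed fs_resolvconf, so the leak predates this commit, but it is new here). The blacklist skip at line 283 compares `entry->d_name` with `prf->data + 5`, so a recorded path with a trailing slash or a nested component never matches; the comment above it should say so, e.g. `// matches direct children of /etc only; nested blacklists survive via the MS_REC bind below`. Note also that a failed `mount()` is fatal via errExit while a failed `stat`/`realpath` silently drops the entry — under `arg_debug` a `printf("skipping %s\n", src)` before the `continue` would make a vanished /etc file much easier to diagnose. fs_rebuild_etc is shown in full.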
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 80046f7ae..1a9a78ceb 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -88,109 +88,6 @@ errexit: | |||
88 | exit(1); | 88 | exit(1); |
89 | } | 89 | } |
90 | 90 | ||
91 | void fs_resolvconf(void) { | ||
92 | if (cfg.dns1 == NULL && !any_dhcp()) | ||
93 | return; | ||
94 | |||
95 | if (arg_debug) | ||
96 | printf("mirroring /etc directory\n"); | ||
97 | if (mkdir(RUN_DNS_ETC, 0755)) | ||
98 | errExit("mkdir"); | ||
99 | selinux_relabel_path(RUN_DNS_ETC, "/etc"); | ||
100 | fs_logger("tmpfs /etc"); | ||
101 | |||
102 | DIR *dir = opendir("/etc"); | ||
103 | if (!dir) | ||
104 | errExit("opendir"); | ||
105 | |||
106 | struct stat s; | ||
107 | struct dirent *entry; | ||
108 | while ((entry = readdir(dir))) { | ||
109 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
110 | continue; | ||
111 | // for resolv.conf we create a brand new file | ||
112 | if (strcmp(entry->d_name, "resolv.conf") == 0 || | ||
113 | strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0) | ||
114 | continue; | ||
115 | // printf("linking %s\n", entry->d_name); | ||
116 | |||
117 | char *src; | ||
118 | if (asprintf(&src, "/etc/%s", entry->d_name) == -1) | ||
119 | errExit("asprintf"); | ||
120 | if (stat(src, &s) != 0) { | ||
121 | free(src); | ||
122 | continue; | ||
123 | } | ||
124 | |||
125 | char *dest; | ||
126 | if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) | ||
127 | errExit("asprintf"); | ||
128 | |||
129 | int symlink_done = 0; | ||
130 | if (is_link(src)) { | ||
131 | char *rp =realpath(src, NULL); | ||
132 | if (rp == NULL) { | ||
133 | free(src); | ||
134 | free(dest); | ||
135 | continue; | ||
136 | } | ||
137 | if (symlink(rp, dest)) | ||
138 | errExit("symlink"); | ||
139 | else | ||
140 | symlink_done = 1; | ||
141 | } | ||
142 | else if (S_ISDIR(s.st_mode)) | ||
143 | create_empty_dir_as_root(dest, s.st_mode); | ||
144 | else | ||
145 | create_empty_file_as_root(dest, s.st_mode); | ||
146 | |||
147 | // bind-mount src on top of dest | ||
148 | if (!symlink_done) { | ||
149 | if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
150 | errExit("mount bind mirroring /etc"); | ||
151 | } | ||
152 | fs_logger2("clone", src); | ||
153 | |||
154 | free(src); | ||
155 | free(dest); | ||
156 | } | ||
157 | closedir(dir); | ||
158 | |||
159 | // mount bind our private etc directory on top of /etc | ||
160 | if (arg_debug) | ||
161 | printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); | ||
162 | if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
163 | errExit("mount bind mirroring /etc"); | ||
164 | fs_logger("mount /etc"); | ||
165 | |||
166 | if (arg_debug) | ||
167 | printf("Creating a new /etc/resolv.conf file\n"); | ||
168 | FILE *fp = fopen("/etc/resolv.conf", "wxe"); | ||
169 | if (!fp) { | ||
170 | fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); | ||
171 | exit(1); | ||
172 | } | ||
173 | |||
174 | if (cfg.dns1) { | ||
175 | if (any_dhcp()) | ||
176 | fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); | ||
177 | fprintf(fp, "nameserver %s\n", cfg.dns1); | ||
178 | } | ||
179 | if (cfg.dns2) | ||
180 | fprintf(fp, "nameserver %s\n", cfg.dns2); | ||
181 | if (cfg.dns3) | ||
182 | fprintf(fp, "nameserver %s\n", cfg.dns3); | ||
183 | if (cfg.dns4) | ||
184 | fprintf(fp, "nameserver %s\n", cfg.dns4); | ||
185 | |||
186 | // mode and owner | ||
187 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
188 | |||
189 | fclose(fp); | ||
190 | |||
191 | fs_logger("create /etc/resolv.conf"); | ||
192 | } | ||
193 | |||
194 | char *fs_check_hosts_file(const char *fname) { | 91 | char *fs_check_hosts_file(const char *fname) { |
195 | assert(fname); | 92 | assert(fname); |
196 | invalid_filename(fname, 0); // no globbing | 93 | invalid_filename(fname, 0); // no globbing |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index bbc2aa938..4983db0a0 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <sys/types.h> | 22 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
23 | #include <unistd.h> | 24 | #include <unistd.h> |
@@ -25,10 +26,6 @@ | |||
25 | #include <sys/wait.h> | 26 | #include <sys/wait.h> |
26 | #include <string.h> | 27 | #include <string.h> |
27 | 28 | ||
28 | #ifdef HAVE_GCOV | ||
29 | #include <gcov.h> | ||
30 | #endif | ||
31 | |||
32 | static void check(const char *fname) { | 29 | static void check(const char *fname) { |
33 | // manufacture /run/user directory | 30 | // manufacture /run/user directory |
34 | char *runuser; | 31 | char *runuser; |
@@ -98,9 +95,9 @@ void fs_mkdir(const char *name) { | |||
98 | 95 | ||
99 | // create directory | 96 | // create directory |
100 | mkdir_recursive(expanded); | 97 | mkdir_recursive(expanded); |
101 | #ifdef HAVE_GCOV | 98 | |
102 | __gcov_flush(); | 99 | __gcov_flush(); |
103 | #endif | 100 | |
104 | _exit(0); | 101 | _exit(0); |
105 | } | 102 | } |
106 | // wait for the child to finish | 103 | // wait for the child to finish |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 6ee557648..70985ba9e 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -19,6 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/gcov_wrapper.h" | ||
22 | #include <sys/types.h> | 23 | #include <sys/types.h> |
23 | #include <sys/stat.h> | 24 | #include <sys/stat.h> |
24 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
@@ -31,10 +32,6 @@ | |||
31 | //#include <stdio.h> | 32 | //#include <stdio.h> |
32 | //#include <stdlib.h> | 33 | //#include <stdlib.h> |
33 | 34 | ||
34 | #ifdef HAVE_GCOV | ||
35 | #include <gcov.h> | ||
36 | #endif | ||
37 | |||
38 | // uid/gid cache | 35 | // uid/gid cache |
39 | static uid_t c_uid = 0; | 36 | static uid_t c_uid = 0; |
40 | static char *c_uid_name = NULL; | 37 | static char *c_uid_name = NULL; |
@@ -353,9 +350,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
353 | ls(fname1); | 350 | ls(fname1); |
354 | else | 351 | else |
355 | cat(fname1); | 352 | cat(fname1); |
356 | #ifdef HAVE_GCOV | 353 | |
357 | __gcov_flush(); | 354 | __gcov_flush(); |
358 | #endif | ||
359 | } | 355 | } |
360 | // get file from host and store it in the sandbox | 356 | // get file from host and store it in the sandbox |
361 | else if (op == SANDBOX_FS_PUT && path2) { | 357 | else if (op == SANDBOX_FS_PUT && path2) { |
@@ -387,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
387 | // copy the file | 383 | // copy the file |
388 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | 384 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user |
389 | _exit(1); | 385 | _exit(1); |
390 | #ifdef HAVE_GCOV | 386 | |
391 | __gcov_flush(); | 387 | __gcov_flush(); |
392 | #endif | 388 | |
393 | _exit(0); | 389 | _exit(0); |
394 | } | 390 | } |
395 | 391 | ||
@@ -419,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
419 | // copy the file | 415 | // copy the file |
420 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | 416 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user |
421 | _exit(1); | 417 | _exit(1); |
422 | #ifdef HAVE_GCOV | 418 | |
423 | __gcov_flush(); | 419 | __gcov_flush(); |
424 | #endif | 420 | |
425 | _exit(0); | 421 | _exit(0); |
426 | } | 422 | } |
427 | 423 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index a59d508e5..655e6e9d0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -20,6 +20,7 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/pid.h" | 21 | #include "../include/pid.h" |
22 | #include "../include/firejail_user.h" | 22 | #include "../include/firejail_user.h" |
23 | #include "../include/gcov_wrapper.h" | ||
23 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
24 | #include "../include/seccomp.h" | 25 | #include "../include/seccomp.h" |
25 | #define _GNU_SOURCE | 26 | #define _GNU_SOURCE |
@@ -44,10 +45,6 @@ | |||
44 | #define O_PATH 010000000 | 45 | #define O_PATH 010000000 |
45 | #endif | 46 | #endif |
46 | 47 | ||
47 | #ifdef HAVE_GCOV | ||
48 | #include <gcov.h> | ||
49 | #endif | ||
50 | |||
51 | #ifdef __ia64__ | 48 | #ifdef __ia64__ |
52 | /* clone(2) has a different interface on ia64, as it needs to know | 49 | /* clone(2) has a different interface on ia64, as it needs to know |
53 | the size of the stack */ | 50 | the size of the stack */ |
@@ -1262,9 +1259,9 @@ int main(int argc, char **argv, char **envp) { | |||
1262 | arg_debug = 1; | 1259 | arg_debug = 1; |
1263 | arg_quiet = 0; | 1260 | arg_quiet = 0; |
1264 | } | 1261 | } |
1265 | else if (strcmp(argv[i], "--debug-blacklists") == 0) | 1262 | else if (strcmp(argv[i], "--debug-deny") == 0) |
1266 | arg_debug_blacklists = 1; | 1263 | arg_debug_blacklists = 1; |
1267 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 1264 | else if (strcmp(argv[i], "--debug-allow") == 0) |
1268 | arg_debug_whitelists = 1; | 1265 | arg_debug_whitelists = 1; |
1269 | else if (strcmp(argv[i], "--debug-private-lib") == 0) | 1266 | else if (strcmp(argv[i], "--debug-private-lib") == 0) |
1270 | arg_debug_private_lib = 1; | 1267 | arg_debug_private_lib = 1; |
@@ -1564,6 +1561,8 @@ int main(int argc, char **argv, char **envp) { | |||
1564 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1561 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1565 | profile_add(line); | 1562 | profile_add(line); |
1566 | } | 1563 | } |
1564 | |||
1565 | // blacklist/deny | ||
1567 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { | 1566 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { |
1568 | char *line; | 1567 | char *line; |
1569 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) | 1568 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) |
@@ -1572,6 +1571,14 @@ int main(int argc, char **argv, char **envp) { | |||
1572 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1571 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1573 | profile_add(line); | 1572 | profile_add(line); |
1574 | } | 1573 | } |
1574 | else if (strncmp(argv[i], "--deny=", 7) == 0) { | ||
1575 | char *line; | ||
1576 | if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1) | ||
1577 | errExit("asprintf"); | ||
1578 | |||
1579 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1580 | profile_add(line); | ||
1581 | } | ||
1575 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { | 1582 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { |
1576 | char *line; | 1583 | char *line; |
1577 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) | 1584 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) |
@@ -1580,19 +1587,31 @@ int main(int argc, char **argv, char **envp) { | |||
1580 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1587 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1581 | profile_add(line); | 1588 | profile_add(line); |
1582 | } | 1589 | } |
1590 | else if (strncmp(argv[i], "--nodeny=", 9) == 0) { | ||
1591 | char *line; | ||
1592 | if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1) | ||
1593 | errExit("asprintf"); | ||
1594 | |||
1595 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1596 | profile_add(line); | ||
1597 | } | ||
1583 | 1598 | ||
1584 | #ifdef HAVE_WHITELIST | 1599 | // whitelist |
1585 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1600 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1586 | if (checkcfg(CFG_WHITELIST)) { | 1601 | char *line; |
1587 | char *line; | 1602 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
1588 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1603 | errExit("asprintf"); |
1589 | errExit("asprintf"); | ||
1590 | 1604 | ||
1591 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1605 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1592 | profile_add(line); | 1606 | profile_add(line); |
1593 | } | 1607 | } |
1594 | else | 1608 | else if (strncmp(argv[i], "--allow=", 8) == 0) { |
1595 | exit_err_feature("whitelist"); | 1609 | char *line; |
1610 | if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) | ||
1611 | errExit("asprintf"); | ||
1612 | |||
1613 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1614 | profile_add(line); | ||
1596 | } | 1615 | } |
1597 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { | 1616 | else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { |
1598 | char *line; | 1617 | char *line; |
@@ -1602,7 +1621,16 @@ int main(int argc, char **argv, char **envp) { | |||
1602 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1621 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1603 | profile_add(line); | 1622 | profile_add(line); |
1604 | } | 1623 | } |
1605 | #endif | 1624 | else if (strncmp(argv[i], "--noallow=", 10) == 0) { |
1625 | char *line; | ||
1626 | if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1) | ||
1627 | errExit("asprintf"); | ||
1628 | |||
1629 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1630 | profile_add(line); | ||
1631 | } | ||
1632 | |||
1633 | |||
1606 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { | 1634 | else if (strncmp(argv[i], "--mkdir=", 8) == 0) { |
1607 | char *line; | 1635 | char *line; |
1608 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) | 1636 | if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) |
@@ -3036,9 +3064,9 @@ int main(int argc, char **argv, char **envp) { | |||
3036 | network_main(child); | 3064 | network_main(child); |
3037 | if (arg_debug) | 3065 | if (arg_debug) |
3038 | printf("Host network configured\n"); | 3066 | printf("Host network configured\n"); |
3039 | #ifdef HAVE_GCOV | 3067 | |
3040 | __gcov_flush(); | 3068 | __gcov_flush(); |
3041 | #endif | 3069 | |
3042 | _exit(0); | 3070 | _exit(0); |
3043 | } | 3071 | } |
3044 | 3072 | ||
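Review bot: The spelling changes at new lines 1262 and 1264 drop `--debug-blacklists` and `--debug-whitelists` outright, while the same commit keeps `--blacklist=`/`--whitelist=` alongside the new `--deny=`/`--allow=`; scripts and bug reports still using the old debug flags now fall through to whatever the unknown-option path does. Keep both spellings, e.g. `else if (strcmp(argv[i], "--debug-deny") == 0 || strcmp(argv[i], "--debug-blacklists") == 0)`, and the same for `--debug-allow`. The four new option bodies (new lines 1574-1581, 1590-1597, 1608-1614, 1624-1631) are byte-for-byte copies of the branches they alias apart from the hand-counted prefix length; a small static helper taking the profile keyword and the text after `=` would remove the copies and the magic offsets. Note also that with the HAVE_WHITELIST/checkcfg(CFG_WHITELIST) guard gone, a `whitelist no` entry in firejail.config is presumably ignored silently unless it is rejected elsewhere in this commit; main() continues outside the hunk.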
diff --git a/src/firejail/output.c b/src/firejail/output.c index 835dff2db..ce10ab157 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) { | |||
50 | if (!outindex) | 50 | if (!outindex) |
51 | return; | 51 | return; |
52 | 52 | ||
53 | |||
54 | // check filename | ||
55 | drop_privs(0); | 53 | drop_privs(0); |
56 | char *outfile = argv[outindex]; | 54 | char *outfile = argv[outindex]; |
57 | outfile += (enable_stderr)? 16:9; | 55 | outfile += (enable_stderr)? 16:9; |
56 | |||
57 | // check filename | ||
58 | invalid_filename(outfile, 0); // no globbing | 58 | invalid_filename(outfile, 0); // no globbing |
59 | 59 | ||
60 | // expand user home directory | ||
61 | if (outfile[0] == '~') { | ||
62 | char *full; | ||
63 | if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1) | ||
64 | errExit("asprintf"); | ||
65 | outfile = full; | ||
66 | } | ||
67 | |||
60 | // do not accept directories, links, and files with ".." | 68 | // do not accept directories, links, and files with ".." |
61 | if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { | 69 | if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { |
62 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); | 70 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); |
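Review bot: The tilde expansion at new lines 61-66 fires on any filename that starts with `~`, so `~bob/app.log` is silently rewritten to `<homedir>bob/app.log` instead of being rejected; restrict it to the bare `~` and `~/` forms, `if (outfile[0] == '~' && (outfile[1] == '\0' || outfile[1] == '/'))`, and leave anything else unexpanded so the later checks see it as given. The `..`, symlink and directory checks run on the expanded path, which is the right order, but invalid_filename() on line 58 still sees the raw string, so confirm it does not need the absolute form. This also presumes cfg.homedir is already populated when check_output() runs; verify against the caller. check_output's body continues outside the hunk.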
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5b1478918..b7c7185a6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -18,15 +18,12 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include "../include/seccomp.h" | 22 | #include "../include/seccomp.h" |
22 | #include "../include/syscall.h" | 23 | #include "../include/syscall.h" |
23 | #include <dirent.h> | 24 | #include <dirent.h> |
24 | #include <sys/stat.h> | 25 | #include <sys/stat.h> |
25 | 26 | ||
26 | #ifdef HAVE_GCOV | ||
27 | #include <gcov.h> | ||
28 | #endif | ||
29 | |||
30 | extern char *xephyr_screen; | 27 | extern char *xephyr_screen; |
31 | 28 | ||
32 | #define MAX_READ 8192 // line buffer for profile files | 29 | #define MAX_READ 8192 // line buffer for profile files |
@@ -1592,22 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1592 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 1589 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
1593 | ptr += 12; | 1590 | ptr += 12; |
1594 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 1591 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
1595 | #ifdef HAVE_WHITELIST | 1592 | arg_whitelist = 1; |
1596 | if (checkcfg(CFG_WHITELIST)) { | 1593 | ptr += 10; |
1597 | arg_whitelist = 1; | ||
1598 | ptr += 10; | ||
1599 | } | ||
1600 | else { | ||
1601 | static int whitelist_warning_printed = 0; | ||
1602 | if (!whitelist_warning_printed) { | ||
1603 | warning_feature_disabled("whitelist"); | ||
1604 | whitelist_warning_printed = 1; | ||
1605 | } | ||
1606 | return 0; | ||
1607 | } | ||
1608 | #else | ||
1609 | return 0; | ||
1610 | #endif | ||
1611 | } | 1594 | } |
1612 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) | 1595 | else if (strncmp(ptr, "nowhitelist ", 12) == 0) |
1613 | ptr += 12; | 1596 | ptr += 12; |
@@ -1753,6 +1736,44 @@ void profile_read(const char *fname) { | |||
1753 | continue; | 1736 | continue; |
1754 | } | 1737 | } |
1755 | 1738 | ||
1739 | // translate allow/deny to whitelist/blacklist | ||
1740 | if (strncmp(ptr, "allow ", 6) == 0) { | ||
1741 | char *tmp; | ||
1742 | if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1) | ||
1743 | errExit("asprintf"); | ||
1744 | free(ptr); | ||
1745 | ptr = tmp; | ||
1746 | } | ||
1747 | else if (strncmp(ptr, "deny ", 5) == 0) { | ||
1748 | char *tmp; | ||
1749 | if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1) | ||
1750 | errExit("asprintf"); | ||
1751 | free(ptr); | ||
1752 | ptr = tmp; | ||
1753 | } | ||
1754 | else if (strncmp(ptr, "deny-nolog ", 11) == 0) { | ||
1755 | char *tmp; | ||
1756 | if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1) | ||
1757 | errExit("asprintf"); | ||
1758 | free(ptr); | ||
1759 | ptr = tmp; | ||
1760 | } | ||
1761 | // translate noallow/nodeny to nowhitelist/noblacklist | ||
1762 | else if (strncmp(ptr, "noallow ", 8) == 0) { | ||
1763 | char *tmp; | ||
1764 | if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1) | ||
1765 | errExit("asprintf"); | ||
1766 | free(ptr); | ||
1767 | ptr = tmp; | ||
1768 | } | ||
1769 | else if (strncmp(ptr, "nodeny ", 7) == 0) { | ||
1770 | char *tmp; | ||
1771 | if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1) | ||
1772 | errExit("asprintf"); | ||
1773 | free(ptr); | ||
1774 | ptr = tmp; | ||
1775 | } | ||
1776 | |||
1756 | // process quiet | 1777 | // process quiet |
1757 | // todo: a quiet in the profile file cannot be disabled by --ignore on command line | 1778 | // todo: a quiet in the profile file cannot be disabled by --ignore on command line |
1758 | if (strcmp(ptr, "quiet") == 0) { | 1779 | if (strcmp(ptr, "quiet") == 0) { |
@@ -1805,9 +1826,8 @@ void profile_read(const char *fname) { | |||
1805 | // else { | 1826 | // else { |
1806 | // free(ptr); | 1827 | // free(ptr); |
1807 | // } | 1828 | // } |
1808 | #ifdef HAVE_GCOV | 1829 | |
1809 | __gcov_flush(); | 1830 | __gcov_flush(); |
1810 | #endif | ||
1811 | } | 1831 | } |
1812 | fclose(fp); | 1832 | fclose(fp); |
1813 | } | 1833 | } |
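Review bot: The allow/deny rewrite at new lines 1739-1775 runs before the `quiet` handling and, presumably, before the `ignore` handling in the same loop, so a profile entry written as `ignore allow ~/x` would be compared against a line that now reads `whitelist ~/x` and may not match; the same applies to `--ignore=deny`. Either normalise the argument of `ignore` through the same mapping or document that `ignore` must use the whitelist/blacklist spelling. The five branches are identical apart from the two literals, so a table-driven loop keeps the mapping in one place and makes it reusable for the ignore case; sketch below. profile_read's loop body starts and ends outside this hunk.
```c
// translate allow/deny spellings to their whitelist/blacklist equivalents
static const struct { const char *alias; const char *keyword; } aliases[] = {
	{ "allow ",      "whitelist " },
	{ "deny ",       "blacklist " },
	{ "deny-nolog ", "blacklist-nolog " },
	{ "noallow ",    "nowhitelist " },
	{ "nodeny ",     "noblacklist " },
};
for (size_t k = 0; k < sizeof(aliases) / sizeof(aliases[0]); k++) {
	size_t len = strlen(aliases[k].alias);
	if (strncmp(ptr, aliases[k].alias, len) != 0)
		continue;
	char *tmp;
	if (asprintf(&tmp, "%s%s", aliases[k].keyword, ptr + len) == -1)
		errExit("asprintf");
	free(ptr);
	ptr = tmp;
	break;
}
// … unchanged: quiet / ignore / include processing …
```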
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index dd6fec972..f177f4b89 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -18,13 +18,10 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <sys/time.h> | 22 | #include <sys/time.h> |
22 | #include <sys/resource.h> | 23 | #include <sys/resource.h> |
23 | 24 | ||
24 | #ifdef HAVE_GCOV | ||
25 | #include <gcov.h> | ||
26 | #endif | ||
27 | |||
28 | void set_rlimits(void) { | 25 | void set_rlimits(void) { |
29 | EUID_ASSERT(); | 26 | EUID_ASSERT(); |
30 | // resource limits | 27 | // resource limits |
@@ -37,9 +34,9 @@ void set_rlimits(void) { | |||
37 | // set the new limit | 34 | // set the new limit |
38 | rl.rlim_cur = (rlim_t) cfg.rlimit_cpu; | 35 | rl.rlim_cur = (rlim_t) cfg.rlimit_cpu; |
39 | rl.rlim_max = (rlim_t) cfg.rlimit_cpu; | 36 | rl.rlim_max = (rlim_t) cfg.rlimit_cpu; |
40 | #ifdef HAVE_GCOV | 37 | |
41 | __gcov_dump(); | 38 | __gcov_dump(); |
42 | #endif | 39 | |
43 | if (setrlimit(RLIMIT_CPU, &rl) == -1) | 40 | if (setrlimit(RLIMIT_CPU, &rl) == -1) |
44 | errExit("setrlimit"); | 41 | errExit("setrlimit"); |
45 | if (arg_debug) | 42 | if (arg_debug) |
@@ -54,9 +51,10 @@ void set_rlimits(void) { | |||
54 | // set the new limit | 51 | // set the new limit |
55 | rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; | 52 | rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; |
56 | rl.rlim_max = (rlim_t) cfg.rlimit_nofile; | 53 | rl.rlim_max = (rlim_t) cfg.rlimit_nofile; |
57 | #ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point | 54 | |
55 | // gcov-instrumented programs might crash at this point | ||
58 | __gcov_dump(); | 56 | __gcov_dump(); |
59 | #endif | 57 | |
60 | if (setrlimit(RLIMIT_NOFILE, &rl) == -1) | 58 | if (setrlimit(RLIMIT_NOFILE, &rl) == -1) |
61 | errExit("setrlimit"); | 59 | errExit("setrlimit"); |
62 | if (arg_debug) | 60 | if (arg_debug) |
@@ -71,9 +69,9 @@ void set_rlimits(void) { | |||
71 | // set the new limit | 69 | // set the new limit |
72 | rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; | 70 | rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; |
73 | rl.rlim_max = (rlim_t) cfg.rlimit_nproc; | 71 | rl.rlim_max = (rlim_t) cfg.rlimit_nproc; |
74 | #ifdef HAVE_GCOV | 72 | |
75 | __gcov_dump(); | 73 | __gcov_dump(); |
76 | #endif | 74 | |
77 | if (setrlimit(RLIMIT_NPROC, &rl) == -1) | 75 | if (setrlimit(RLIMIT_NPROC, &rl) == -1) |
78 | errExit("setrlimit"); | 76 | errExit("setrlimit"); |
79 | if (arg_debug) | 77 | if (arg_debug) |
@@ -88,9 +86,9 @@ void set_rlimits(void) { | |||
88 | // set the new limit | 86 | // set the new limit |
89 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; | 87 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; |
90 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; | 88 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; |
91 | #ifdef HAVE_GCOV | 89 | |
92 | __gcov_dump(); | 90 | __gcov_dump(); |
93 | #endif | 91 | |
94 | if (setrlimit(RLIMIT_FSIZE, &rl) == -1) | 92 | if (setrlimit(RLIMIT_FSIZE, &rl) == -1) |
95 | errExit("setrlimit"); | 93 | errExit("setrlimit"); |
96 | if (arg_debug) | 94 | if (arg_debug) |
@@ -105,9 +103,9 @@ void set_rlimits(void) { | |||
105 | // set the new limit | 103 | // set the new limit |
106 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; | 104 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; |
107 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; | 105 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; |
108 | #ifdef HAVE_GCOV | 106 | |
109 | __gcov_dump(); | 107 | __gcov_dump(); |
110 | #endif | 108 | |
111 | if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) | 109 | if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) |
112 | errExit("setrlimit"); | 110 | errExit("setrlimit"); |
113 | if (arg_debug) | 111 | if (arg_debug) |
@@ -122,9 +120,9 @@ void set_rlimits(void) { | |||
122 | // set the new limit | 120 | // set the new limit |
123 | rl.rlim_cur = (rlim_t) cfg.rlimit_as; | 121 | rl.rlim_cur = (rlim_t) cfg.rlimit_as; |
124 | rl.rlim_max = (rlim_t) cfg.rlimit_as; | 122 | rl.rlim_max = (rlim_t) cfg.rlimit_as; |
125 | #ifdef HAVE_GCOV | 123 | |
126 | __gcov_dump(); | 124 | __gcov_dump(); |
127 | #endif | 125 | |
128 | if (setrlimit(RLIMIT_AS, &rl) == -1) | 126 | if (setrlimit(RLIMIT_AS, &rl) == -1) |
129 | errExit("setrlimit"); | 127 | errExit("setrlimit"); |
130 | if (arg_debug) | 128 | if (arg_debug) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 95be3335f..59ddfb855 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -19,6 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/gcov_wrapper.h" | ||
22 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
23 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
24 | #include <sys/mount.h> | 25 | #include <sys/mount.h> |
@@ -49,10 +50,6 @@ | |||
49 | #include <sys/apparmor.h> | 50 | #include <sys/apparmor.h> |
50 | #endif | 51 | #endif |
51 | 52 | ||
52 | #ifdef HAVE_GCOV | ||
53 | #include <gcov.h> | ||
54 | #endif | ||
55 | |||
56 | static int force_nonewprivs = 0; | 53 | static int force_nonewprivs = 0; |
57 | 54 | ||
58 | static int monitored_pid = 0; | 55 | static int monitored_pid = 0; |
@@ -507,9 +504,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
507 | exit(1); | 504 | exit(1); |
508 | } | 505 | } |
509 | 506 | ||
510 | #ifdef HAVE_GCOV | ||
511 | __gcov_dump(); | 507 | __gcov_dump(); |
512 | #endif | 508 | |
513 | seccomp_install_filters(); | 509 | seccomp_install_filters(); |
514 | 510 | ||
515 | if (set_sandbox_status) | 511 | if (set_sandbox_status) |
@@ -563,9 +559,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | |||
563 | if (!arg_command && !arg_quiet) | 559 | if (!arg_command && !arg_quiet) |
564 | print_time(); | 560 | print_time(); |
565 | 561 | ||
566 | #ifdef HAVE_GCOV | ||
567 | __gcov_dump(); | 562 | __gcov_dump(); |
568 | #endif | 563 | |
569 | seccomp_install_filters(); | 564 | seccomp_install_filters(); |
570 | 565 | ||
571 | if (set_sandbox_status) | 566 | if (set_sandbox_status) |
@@ -1048,7 +1043,7 @@ int sandbox(void* sandbox_arg) { | |||
1048 | //**************************** | 1043 | //**************************** |
1049 | // set dns | 1044 | // set dns |
1050 | //**************************** | 1045 | //**************************** |
1051 | fs_resolvconf(); | 1046 | fs_rebuild_etc(); |
1052 | 1047 | ||
1053 | //**************************** | 1048 | //**************************** |
1054 | // start dhcp client | 1049 | // start dhcp client |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 888a6ffed..b4f3021c7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -28,6 +28,7 @@ static char *usage_str = | |||
28 | "\n" | 28 | "\n" |
29 | "Options:\n" | 29 | "Options:\n" |
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | " --allow=filename - allow file system access.\n" | ||
31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 32 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
32 | " --allusers - all user home directories are visible inside the sandbox.\n" | 33 | " --allusers - all user home directories are visible inside the sandbox.\n" |
33 | " --apparmor - enable AppArmor confinement.\n" | 34 | " --apparmor - enable AppArmor confinement.\n" |
@@ -38,13 +39,12 @@ static char *usage_str = | |||
38 | #endif | 39 | #endif |
39 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
40 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
41 | " --blacklist=filename - blacklist directory or file.\n" | 42 | " --build - build a profile for the application.\n" |
42 | " --build - build a whitelisted profile for the application.\n" | 43 | " --build=filename - build a profile for the application.\n" |
43 | " --build=filename - build a whitelisted profile for the application.\n" | ||
44 | " --caps - enable default Linux capabilities filter.\n" | 44 | " --caps - enable default Linux capabilities filter.\n" |
45 | " --caps.drop=all - drop all capabilities.\n" | 45 | " --caps.drop=all - drop all capabilities.\n" |
46 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" | 46 | " --caps.drop=capability,capability - drop capabilities.\n" |
47 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" | 47 | " --caps.keep=capability,capability - allow capabilities.\n" |
48 | " --caps.print=name|pid - print the caps filter.\n" | 48 | " --caps.print=name|pid - print the caps filter.\n" |
49 | #ifdef HAVE_FILE_TRANSFER | 49 | #ifdef HAVE_FILE_TRANSFER |
50 | " --cat=name|pid filename - print content of file from sandbox container.\n" | 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" |
@@ -58,34 +58,35 @@ static char *usage_str = | |||
58 | #ifdef HAVE_DBUSPROXY | 58 | #ifdef HAVE_DBUSPROXY |
59 | " --dbus-log=file - set DBus log file location.\n" | 59 | " --dbus-log=file - set DBus log file location.\n" |
60 | " --dbus-system=filter|none - set system DBus access policy.\n" | 60 | " --dbus-system=filter|none - set system DBus access policy.\n" |
61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" | 61 | " --dbus-system.broadcast=rule - allow signals on the system DBus according\n" |
62 | "\tto rule.\n" | ||
62 | " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" | 63 | " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" |
63 | " --dbus-system.log - turn on logging for the system DBus." | 64 | " --dbus-system.log - turn on logging for the system DBus.\n" |
64 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" | 65 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" |
65 | " --dbus-system.see=name - allow seeing name on the system DBus.\n" | 66 | " --dbus-system.see=name - allow seeing name on the system DBus.\n" |
66 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" | 67 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" |
67 | " --dbus-user=filter|none - set session DBus access policy.\n" | 68 | " --dbus-user=filter|none - set session DBus access policy.\n" |
68 | " --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n" | 69 | " --dbus-user.broadcast=rule - allow signals on the session DBus according\n" |
70 | "\tto rule.\n" | ||
69 | " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" | 71 | " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" |
70 | " --dbus-user.log - turn on logging for the user DBus." | 72 | " --dbus-user.log - turn on logging for the user DBus.\n" |
71 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" | 73 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" |
72 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" | 74 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" |
73 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
74 | #endif | 76 | #endif |
75 | " --debug - print sandbox debug messages.\n" | 77 | " --debug - print sandbox debug messages.\n" |
76 | " --debug-blacklists - debug blacklisting.\n" | 78 | " --debug-allow - debug file system access.\n" |
79 | " --debug-deny - debug file system access.\n" | ||
77 | " --debug-caps - print all recognized capabilities.\n" | 80 | " --debug-caps - print all recognized capabilities.\n" |
78 | " --debug-errnos - print all recognized error numbers.\n" | 81 | " --debug-errnos - print all recognized error numbers.\n" |
79 | " --debug-private-lib - debug for --private-lib option.\n" | 82 | " --debug-private-lib - debug for --private-lib option.\n" |
80 | " --debug-protocols - print all recognized protocols.\n" | 83 | " --debug-protocols - print all recognized protocols.\n" |
81 | " --debug-syscalls - print all recognized system calls.\n" | 84 | " --debug-syscalls - print all recognized system calls.\n" |
82 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 85 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
83 | #ifdef HAVE_WHITELIST | ||
84 | " --debug-whitelists - debug whitelisting.\n" | ||
85 | #endif | ||
86 | #ifdef HAVE_NETWORK | 86 | #ifdef HAVE_NETWORK |
87 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
88 | #endif | 88 | #endif |
89 | " --deny=filename - deny access to directory or file.\n" | ||
89 | " --deterministic-exit-code - always exit with first child's status code.\n" | 90 | " --deterministic-exit-code - always exit with first child's status code.\n" |
90 | " --dns=address - set DNS server.\n" | 91 | " --dns=address - set DNS server.\n" |
91 | " --dns.print=name|pid - print DNS configuration.\n" | 92 | " --dns.print=name|pid - print DNS configuration.\n" |
@@ -143,14 +144,15 @@ static char *usage_str = | |||
143 | " --netfilter.print=name|pid - print the firewall.\n" | 144 | " --netfilter.print=name|pid - print the firewall.\n" |
144 | " --netfilter6=filename - enable IPv6 firewall.\n" | 145 | " --netfilter6=filename - enable IPv6 firewall.\n" |
145 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" | 146 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" |
146 | " --netmask=address - define a network mask when dealing with unconfigured" | 147 | " --netmask=address - define a network mask when dealing with unconfigured\n" |
147 | "\tparrent interfaces.\n" | 148 | "\tparrent interfaces.\n" |
148 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 149 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
149 | " --netstats - monitor network statistics.\n" | 150 | " --netstats - monitor network statistics.\n" |
150 | #endif | 151 | #endif |
151 | " --nice=value - set nice value.\n" | 152 | " --nice=value - set nice value.\n" |
152 | " --no3d - disable 3D hardware acceleration.\n" | 153 | " --no3d - disable 3D hardware acceleration.\n" |
153 | " --noblacklist=filename - disable blacklist for file or directory.\n" | 154 | " --noallow=filename - disable allow command for file or directory.\n" |
155 | " --nodeny=filename - disable deny command for file or directory.\n" | ||
154 | " --nodbus - disable D-Bus access.\n" | 156 | " --nodbus - disable D-Bus access.\n" |
155 | " --nodvd - disable DVD and audio CD devices.\n" | 157 | " --nodvd - disable DVD and audio CD devices.\n" |
156 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 158 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
@@ -165,7 +167,6 @@ static char *usage_str = | |||
165 | " --noautopulse - disable automatic ~/.config/pulse init.\n" | 167 | " --noautopulse - disable automatic ~/.config/pulse init.\n" |
166 | " --novideo - disable video devices.\n" | 168 | " --novideo - disable video devices.\n" |
167 | " --nou2f - disable U2F devices.\n" | 169 | " --nou2f - disable U2F devices.\n" |
168 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | ||
169 | #ifdef HAVE_OUTPUT | 170 | #ifdef HAVE_OUTPUT |
170 | " --output=logfile - stdout logging and log rotation.\n" | 171 | " --output=logfile - stdout logging and log rotation.\n" |
171 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 172 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
@@ -222,14 +223,14 @@ static char *usage_str = | |||
222 | #ifdef HAVE_NETWORK | 223 | #ifdef HAVE_NETWORK |
223 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 224 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
224 | #endif | 225 | #endif |
225 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" | 226 | " --seccomp - enable seccomp filter and drop the default syscalls.\n" |
226 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" | 227 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" |
227 | "\tdefault syscall list and the syscalls specified by the command.\n" | 228 | "\tdefault syscall list and the syscalls specified by the command.\n" |
228 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 229 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
229 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 230 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
230 | "\tblacklist the syscalls specified by the command.\n" | 231 | "\tdrop the syscalls specified by the command.\n" |
231 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 232 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
232 | "\twhitelist the syscalls specified by the command.\n" | 233 | "\tallow the syscalls specified by the command.\n" |
233 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 234 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
234 | "\tidentified by name or PID.\n" | 235 | "\tidentified by name or PID.\n" |
235 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 236 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
@@ -244,7 +245,7 @@ static char *usage_str = | |||
244 | " --top - monitor the most CPU-intensive sandboxes.\n" | 245 | " --top - monitor the most CPU-intensive sandboxes.\n" |
245 | " --trace - trace open, access and connect system calls.\n" | 246 | " --trace - trace open, access and connect system calls.\n" |
246 | " --tracelog - add a syslog message for every access to files or\n" | 247 | " --tracelog - add a syslog message for every access to files or\n" |
247 | "\tdirectories blacklisted by the security profile.\n" | 248 | "\tdirectories dropped by the security profile.\n" |
248 | " --tree - print a tree of all sandboxed processes.\n" | 249 | " --tree - print a tree of all sandboxed processes.\n" |
249 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" | 250 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" |
250 | "\tfiretunnel utility.\n" | 251 | "\tfiretunnel utility.\n" |
@@ -252,9 +253,6 @@ static char *usage_str = | |||
252 | #ifdef HAVE_NETWORK | 253 | #ifdef HAVE_NETWORK |
253 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 254 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
254 | #endif | 255 | #endif |
255 | #ifdef HAVE_WHITELIST | ||
256 | " --whitelist=filename - whitelist directory or file.\n" | ||
257 | #endif | ||
258 | " --writable-etc - /etc directory is mounted read-write.\n" | 256 | " --writable-etc - /etc directory is mounted read-write.\n" |
259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 257 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
260 | "\t/run/user/$UID/gnupg.\n" | 258 | "\t/run/user/$UID/gnupg.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 2ff2d2973..094a68c60 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -19,6 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #define _XOPEN_SOURCE 500 | 20 | #define _XOPEN_SOURCE 500 |
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/gcov_wrapper.h" | ||
22 | #include <ftw.h> | 23 | #include <ftw.h> |
23 | #include <sys/stat.h> | 24 | #include <sys/stat.h> |
24 | #include <sys/mount.h> | 25 | #include <sys/mount.h> |
@@ -44,10 +45,6 @@ | |||
44 | #include <linux/openat2.h> | 45 | #include <linux/openat2.h> |
45 | #endif | 46 | #endif |
46 | 47 | ||
47 | #ifdef HAVE_GCOV | ||
48 | #include <gcov.h> | ||
49 | #endif | ||
50 | |||
51 | #define MAX_GROUPS 1024 | 48 | #define MAX_GROUPS 1024 |
52 | #define MAXBUF 4098 | 49 | #define MAXBUF 4098 |
53 | #define EMPTY_STRING ("") | 50 | #define EMPTY_STRING ("") |
@@ -382,9 +379,9 @@ void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) { | |||
382 | int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user | 379 | int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user |
383 | if (rv) | 380 | if (rv) |
384 | fwarning("cannot copy %s\n", srcname); | 381 | fwarning("cannot copy %s\n", srcname); |
385 | #ifdef HAVE_GCOV | 382 | |
386 | __gcov_flush(); | 383 | __gcov_flush(); |
387 | #endif | 384 | |
388 | _exit(0); | 385 | _exit(0); |
389 | } | 386 | } |
390 | // wait for the child to finish | 387 | // wait for the child to finish |
@@ -416,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
416 | close(src); | 413 | close(src); |
417 | } | 414 | } |
418 | close(dst); | 415 | close(dst); |
419 | #ifdef HAVE_GCOV | 416 | |
420 | __gcov_flush(); | 417 | __gcov_flush(); |
421 | #endif | 418 | |
422 | _exit(0); | 419 | _exit(0); |
423 | } | 420 | } |
424 | // wait for the child to finish | 421 | // wait for the child to finish |
@@ -447,9 +444,9 @@ void touch_file_as_user(const char *fname, mode_t mode) { | |||
447 | } | 444 | } |
448 | else | 445 | else |
449 | fwarning("cannot create %s\n", fname); | 446 | fwarning("cannot create %s\n", fname); |
450 | #ifdef HAVE_GCOV | 447 | |
451 | __gcov_flush(); | 448 | __gcov_flush(); |
452 | #endif | 449 | |
453 | _exit(0); | 450 | _exit(0); |
454 | } | 451 | } |
455 | // wait for the child to finish | 452 | // wait for the child to finish |
@@ -1056,9 +1053,9 @@ int remove_overlay_directory(void) { | |||
1056 | // remove ~/.firejail | 1053 | // remove ~/.firejail |
1057 | if (rmdir(path) == -1) | 1054 | if (rmdir(path) == -1) |
1058 | errExit("rmdir"); | 1055 | errExit("rmdir"); |
1059 | #ifdef HAVE_GCOV | 1056 | |
1060 | __gcov_flush(); | 1057 | __gcov_flush(); |
1061 | #endif | 1058 | |
1062 | _exit(0); | 1059 | _exit(0); |
1063 | } | 1060 | } |
1064 | // wait for the child to finish | 1061 | // wait for the child to finish |
@@ -1114,9 +1111,9 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
1114 | } | 1111 | } |
1115 | else if (arg_debug) | 1112 | else if (arg_debug) |
1116 | printf("Directory %s not created: %s\n", dir, strerror(errno)); | 1113 | printf("Directory %s not created: %s\n", dir, strerror(errno)); |
1117 | #ifdef HAVE_GCOV | 1114 | |
1118 | __gcov_flush(); | 1115 | __gcov_flush(); |
1119 | #endif | 1116 | |
1120 | _exit(0); | 1117 | _exit(0); |
1121 | } | 1118 | } |
1122 | waitpid(child, NULL, 0); | 1119 | waitpid(child, NULL, 0); |
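Review bot: The five child-process exit paths in this section now call `__gcov_flush()` unconditionally, so whether coverage data is ever written depends on the wrapper's `HAS_GCOV` macro, while these files previously tested `HAVE_GCOV` and common.mk.in only shows the make variable `$(HAVE_GCOV)`; worth confirming that the flags configure substitutes there define `HAS_GCOV`, otherwise the coverage build silently compiles the no-op stubs. A point of style: the `#ifdef`/`#endif` pairs around `__gcov_flush();` were turned into blank lines rather than removed, leaving the call padded by empty lines in copy_file_as_user, copy_file_from_user_to_root, touch_file_as_user, remove_overlay_directory and create_empty_dir_as_user; dropping them reads as `close(dst);` / `__gcov_flush();` / `_exit(0);`. The same applies to the firemon sections below (interface.c, netstats.c, procevent.c, top.c). The enclosing functions start outside these hunks.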
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index b93d4a5a2..780e3d706 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <sys/types.h> | 22 | #include <sys/types.h> |
22 | #include <sys/wait.h> | 23 | #include <sys/wait.h> |
23 | #include <netdb.h> | 24 | #include <netdb.h> |
@@ -33,10 +34,6 @@ | |||
33 | //#include <net/route.h> | 34 | //#include <net/route.h> |
34 | //#include <linux/if_bridge.h> | 35 | //#include <linux/if_bridge.h> |
35 | 36 | ||
36 | #ifdef HAVE_GCOV | ||
37 | #include <gcov.h> | ||
38 | #endif | ||
39 | |||
40 | // print IP addresses for all interfaces | 37 | // print IP addresses for all interfaces |
41 | static void net_ifprint(void) { | 38 | static void net_ifprint(void) { |
42 | uint32_t ip; | 39 | uint32_t ip; |
@@ -149,9 +146,9 @@ static void print_sandbox(pid_t pid) { | |||
149 | if (rv) | 146 | if (rv) |
150 | return; | 147 | return; |
151 | net_ifprint(); | 148 | net_ifprint(); |
152 | #ifdef HAVE_GCOV | 149 | |
153 | __gcov_flush(); | 150 | __gcov_flush(); |
154 | #endif | 151 | |
155 | _exit(0); | 152 | _exit(0); |
156 | } | 153 | } |
157 | 154 | ||
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 23d228e26..9d8e5d7f5 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -18,16 +18,13 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <termios.h> | 22 | #include <termios.h> |
22 | #include <sys/ioctl.h> | 23 | #include <sys/ioctl.h> |
23 | #include <sys/types.h> | 24 | #include <sys/types.h> |
24 | #include <sys/stat.h> | 25 | #include <sys/stat.h> |
25 | #include <unistd.h> | 26 | #include <unistd.h> |
26 | 27 | ||
27 | #ifdef HAVE_GCOV | ||
28 | #include <gcov.h> | ||
29 | #endif | ||
30 | |||
31 | #define MAXBUF 4096 | 28 | #define MAXBUF 4096 |
32 | 29 | ||
33 | // ip -s link: device stats | 30 | // ip -s link: device stats |
@@ -246,8 +243,7 @@ void netstats(void) { | |||
246 | print_proc(i, itv, col); | 243 | print_proc(i, itv, col); |
247 | } | 244 | } |
248 | } | 245 | } |
249 | #ifdef HAVE_GCOV | 246 | |
250 | __gcov_flush(); | 247 | __gcov_flush(); |
251 | #endif | ||
252 | } | 248 | } |
253 | } | 249 | } |
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 4e809681e..716a9cba4 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <sys/socket.h> | 22 | #include <sys/socket.h> |
22 | #include <linux/connector.h> | 23 | #include <linux/connector.h> |
23 | #include <linux/netlink.h> | 24 | #include <linux/netlink.h> |
@@ -30,10 +31,6 @@ | |||
30 | #include <fcntl.h> | 31 | #include <fcntl.h> |
31 | #include <sys/uio.h> | 32 | #include <sys/uio.h> |
32 | 33 | ||
33 | #ifdef HAVE_GCOV | ||
34 | #include <gcov.h> | ||
35 | #endif | ||
36 | |||
37 | #define PIDS_BUFLEN 4096 | 34 | #define PIDS_BUFLEN 4096 |
38 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA | 35 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA |
39 | 36 | ||
@@ -234,9 +231,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
234 | tv.tv_usec = 0; | 231 | tv.tv_usec = 0; |
235 | 232 | ||
236 | while (1) { | 233 | while (1) { |
237 | #ifdef HAVE_GCOV | ||
238 | __gcov_flush(); | 234 | __gcov_flush(); |
239 | #endif | ||
240 | 235 | ||
241 | #define BUFFSIZE 4096 | 236 | #define BUFFSIZE 4096 |
242 | char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; | 237 | char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; |
diff --git a/src/firemon/top.c b/src/firemon/top.c index 9d6f34991..2217cc7de 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -18,16 +18,13 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | #include "../include/gcov_wrapper.h" | ||
21 | #include <termios.h> | 22 | #include <termios.h> |
22 | #include <sys/ioctl.h> | 23 | #include <sys/ioctl.h> |
23 | #include <sys/types.h> | 24 | #include <sys/types.h> |
24 | #include <sys/stat.h> | 25 | #include <sys/stat.h> |
25 | #include <unistd.h> | 26 | #include <unistd.h> |
26 | 27 | ||
27 | #ifdef HAVE_GCOV | ||
28 | #include <gcov.h> | ||
29 | #endif | ||
30 | |||
31 | static unsigned pgs_rss = 0; | 28 | static unsigned pgs_rss = 0; |
32 | static unsigned pgs_shared = 0; | 29 | static unsigned pgs_shared = 0; |
33 | static unsigned clocktick = 0; | 30 | static unsigned clocktick = 0; |
@@ -330,8 +327,7 @@ void top(void) { | |||
330 | } | 327 | } |
331 | } | 328 | } |
332 | head_print(col, row); | 329 | head_print(col, row); |
333 | #ifdef HAVE_GCOV | 330 | |
334 | __gcov_flush(); | 331 | __gcov_flush(); |
335 | #endif | ||
336 | } | 332 | } |
337 | } | 333 | } |
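--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere). Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+	__gcov_dump();
+	__gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */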
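Review bot: `static void __gcov_flush(void)` at line 35 is a non-inline static function defined in a header, so every translation unit that includes gcov_wrapper.h under `HAS_GCOV` with gcc >= 11.1 but never calls it gets an unused-function warning, and with the `HAVE_FATAL_WARNINGS` flag that common.mk.in passes this is likely a hard error in the coverage build. Declaring it `static inline void __gcov_flush(void) {` avoids the warning without changing any caller. The stub macros in the `#else` branch are fine, since `((void)0)` remains a valid statement wherever the call appears. A one-line comment naming the build flag that defines `HAS_GCOV` would also help, because the .c files in this commit previously tested a differently spelled `HAVE_GCOV`.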
diff --git a/src/lib/syscall.c b/src/lib/syscall.c index b3131ac17..d0d9ff5aa 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c | |||
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = { | |||
253 | #ifdef SYS_fanotify_init | 253 | #ifdef SYS_fanotify_init |
254 | "fanotify_init," | 254 | "fanotify_init," |
255 | #endif | 255 | #endif |
256 | #ifdef SYS_kcmp | ||
257 | "kcmp," | ||
258 | #endif | ||
259 | #ifdef SYS_add_key | 256 | #ifdef SYS_add_key |
260 | "add_key," | 257 | "add_key," |
261 | #endif | 258 | #endif |
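Review bot: Dropping `kcmp` from this list changes the syscall set covered by the filter built from the enclosing group, and neither the hunk nor the merge description says why; the group's name is outside the hunk, so a reader of the diff cannot tell which filter is affected. If this is a deny list, sandboxes relying on the group now permit kcmp(2), so the rationale belongs next to the change, e.g. `// kcmp: removed from this group — needed by <application>, see <issue-reference>` with the real references filled in, plus a line in the release notes. If it is a keep list the effect is the opposite and equally worth recording. The surrounding array definition starts and ends outside the hunk.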
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index db58e0910..34f5e8bf9 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -156,7 +156,7 @@ Scripting commands: | |||
156 | \fBFile and directory names | 156 | \fBFile and directory names |
157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. | 157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. |
158 | 158 | ||
159 | Example: "blacklist ~/My Virtual Machines" | 159 | Example: "deny ~/My Virtual Machines" |
160 | 160 | ||
161 | .TP | 161 | .TP |
162 | \fB# this is a comment | 162 | \fB# this is a comment |
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace | |||
170 | \fB?CONDITIONAL: profile line | 170 | \fB?CONDITIONAL: profile line |
171 | Conditionally add profile line. | 171 | Conditionally add profile line. |
172 | 172 | ||
173 | Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | 173 | Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" |
174 | 174 | ||
175 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 175 | This example will load the profile line only if the \-\-appimage option has been specified on the command line. |
176 | 176 | ||
177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
178 | can be enabled or disabled globally in Firejail's configuration file. | 178 | can be enabled or disabled globally in Firejail's configuration file. |
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files | |||
205 | are included at the start of regular profile files. | 205 | are included at the start of regular profile files. |
206 | 206 | ||
207 | .TP | 207 | .TP |
208 | \fBnoblacklist file_name | 208 | \fBnoallow file_name |
209 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. | 209 | If the file name matches file_name, the file will not be allowed in any allow commands that follow. |
210 | 210 | ||
211 | Example: "noblacklist ${HOME}/.mozilla" | 211 | Example: "nowhitelist ~/.config" |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBnowhitelist file_name | 214 | \fBnodeny file_name |
215 | If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow. | 215 | If the file name matches file_name, the file will not be denied any deny commands that follow. |
216 | 216 | ||
217 | Example: "nowhitelist ~/.config" | 217 | Example: "nodeny ${HOME}/.mozilla" |
218 | 218 | ||
219 | .TP | 219 | .TP |
220 | \fBignore | 220 | \fBignore |
@@ -242,19 +242,17 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect | |||
242 | for more details. | 242 | for more details. |
243 | Examples: | 243 | Examples: |
244 | .TP | 244 | .TP |
245 | \fBblacklist file_or_directory | 245 | \fBallow file_or_directory |
246 | Blacklist directory or file. Examples: | 246 | Allow directory or file. A temporary file system is mounted on the top directory, and the |
247 | allowed files are mount-binded inside. Modifications to allowd files are persistent, | ||
248 | everything else is discarded when the sandbox is closed. The top directory can be | ||
249 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
250 | all directories in /usr. | ||
247 | .br | 251 | .br |
248 | 252 | ||
249 | .br | 253 | .br |
250 | blacklist /usr/bin | 254 | Symbolic link handling: with the exception of user home, both the link and the real file should be in |
251 | .br | 255 | the same top directory. For user home, both the link and the real file should be owned by the user. |
252 | blacklist /usr/bin/gcc* | ||
253 | .br | ||
254 | blacklist ${PATH}/ifconfig | ||
255 | .br | ||
256 | blacklist ${HOME}/.ssh | ||
257 | |||
258 | .TP | 256 | .TP |
259 | \fBblacklist-nolog file_or_directory | 257 | \fBblacklist-nolog file_or_directory |
260 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. | 258 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
@@ -273,6 +271,20 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
273 | \fBbind file1,file2 | 271 | \fBbind file1,file2 |
274 | Mount-bind file1 on top of file2. This option is only available when running as root. | 272 | Mount-bind file1 on top of file2. This option is only available when running as root. |
275 | .TP | 273 | .TP |
274 | \fBdeny file_or_directory | ||
275 | Deny access to directory or file. Examples: | ||
276 | .br | ||
277 | |||
278 | .br | ||
279 | deny /usr/bin | ||
280 | .br | ||
281 | deny /usr/bin/gcc* | ||
282 | .br | ||
283 | deny ${PATH}/ifconfig | ||
284 | .br | ||
285 | deny ${HOME}/.ssh | ||
286 | |||
287 | .TP | ||
276 | \fBdisable-mnt | 288 | \fBdisable-mnt |
277 | Disable /mnt, /media, /run/mount and /run/media access. | 289 | Disable /mnt, /media, /run/mount and /run/media access. |
278 | .TP | 290 | .TP |
@@ -292,7 +304,7 @@ The directory is created if it doesn't already exist. | |||
292 | .br | 304 | .br |
293 | 305 | ||
294 | .br | 306 | .br |
295 | Use this command for whitelisted directories you need to preserve | 307 | Use this command for allowed directories you need to preserve |
296 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 308 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
297 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | 309 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
298 | firefox profile: | 310 | firefox profile: |
@@ -305,7 +317,7 @@ whitelist ~/.mozilla | |||
305 | .br | 317 | .br |
306 | mkdir ~/.cache/mozilla/firefox | 318 | mkdir ~/.cache/mozilla/firefox |
307 | .br | 319 | .br |
308 | whitelist ~/.cache/mozilla/firefox | 320 | allow ~/.cache/mozilla/firefox |
309 | .br | 321 | .br |
310 | 322 | ||
311 | .br | 323 | .br |
@@ -411,7 +423,7 @@ expressed as foo/bar -- is disallowed). | |||
411 | All modifications are discarded when the sandbox is closed. | 423 | All modifications are discarded when the sandbox is closed. |
412 | .TP | 424 | .TP |
413 | \fBprivate-tmp | 425 | \fBprivate-tmp |
414 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. | 426 | Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. |
415 | .TP | 427 | .TP |
416 | \fBread-only file_or_directory | 428 | \fBread-only file_or_directory |
417 | Make directory or file read-only. | 429 | Make directory or file read-only. |
@@ -423,25 +435,13 @@ Make directory or file read-write. | |||
423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. | 435 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
424 | .TP | 436 | .TP |
425 | \fBtracelog | 437 | \fBtracelog |
426 | Blacklist violations logged to syslog. | 438 | File system deny violations logged to syslog. |
427 | .TP | ||
428 | \fBwhitelist file_or_directory | ||
429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
431 | everything else is discarded when the sandbox is closed. The top directory can be | ||
432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
433 | all directories in /usr. | ||
434 | .br | ||
435 | |||
436 | .br | ||
437 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
438 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
439 | .TP | 439 | .TP |
440 | \fBwritable-etc | 440 | \fBwritable-etc |
441 | Mount /etc directory read-write. | 441 | Mount /etc directory read-write. |
442 | .TP | 442 | .TP |
443 | \fBwritable-run-user | 443 | \fBwritable-run-user |
444 | Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg. | 444 | Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. |
445 | .TP | 445 | .TP |
446 | \fBwritable-var | 446 | \fBwritable-var |
447 | Mount /var directory read-write. | 447 | Mount /var directory read-write. |
@@ -455,7 +455,7 @@ The following security filters are currently implemented: | |||
455 | 455 | ||
456 | .TP | 456 | .TP |
457 | \fBallow-debuggers | 457 | \fBallow-debuggers |
458 | Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. | 458 | Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. |
459 | #ifdef HAVE_APPARMOR | 459 | #ifdef HAVE_APPARMOR |
460 | .TP | 460 | .TP |
461 | \fBapparmor | 461 | \fBapparmor |
@@ -466,13 +466,13 @@ Enable AppArmor confinement. | |||
466 | Enable default Linux capabilities filter. | 466 | Enable default Linux capabilities filter. |
467 | .TP | 467 | .TP |
468 | \fBcaps.drop capability,capability,capability | 468 | \fBcaps.drop capability,capability,capability |
469 | Blacklist given Linux capabilities. | 469 | Deny given Linux capabilities. |
470 | .TP | 470 | .TP |
471 | \fBcaps.drop all | 471 | \fBcaps.drop all |
472 | Blacklist all Linux capabilities. | 472 | Deny all Linux capabilities. |
473 | .TP | 473 | .TP |
474 | \fBcaps.keep capability,capability,capability | 474 | \fBcaps.keep capability,capability,capability |
475 | Whitelist given Linux capabilities. | 475 | Allow given Linux capabilities. |
476 | .TP | 476 | .TP |
477 | \fBmemory-deny-write-execute | 477 | \fBmemory-deny-write-execute |
478 | Install a seccomp filter to block attempts to create memory mappings | 478 | Install a seccomp filter to block attempts to create memory mappings |
@@ -497,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
499 | \fBseccomp | 499 | \fBseccomp |
500 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. | 500 | Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. |
501 | .TP | 501 | .TP |
502 | \fBseccomp.32 | 502 | \fBseccomp.32 |
503 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | 503 | Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. |
504 | .TP | 504 | .TP |
505 | \fBseccomp syscall,syscall,syscall | 505 | \fBseccomp syscall,syscall,syscall |
506 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. | 506 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. |
507 | .TP | 507 | .TP |
508 | \fBseccomp.32 syscall,syscall,syscall | 508 | \fBseccomp.32 syscall,syscall,syscall |
509 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | 509 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. |
510 | .TP | 510 | .TP |
511 | \fBseccomp.block-secondary | 511 | \fBseccomp.block-secondary |
512 | Enable seccomp filter and filter system call architectures | 512 | Enable seccomp filter and filter system call architectures |
513 | so that only the native architecture is allowed. | 513 | so that only the native architecture is allowed. |
514 | .TP | 514 | .TP |
515 | \fBseccomp.drop syscall,syscall,syscall | 515 | \fBseccomp.drop syscall,syscall,syscall |
516 | Enable seccomp filter and blacklist the system calls in the list. | 516 | Enable seccomp filter and deny the system calls in the list. |
517 | .TP | 517 | .TP |
518 | \fBseccomp.32.drop syscall,syscall,syscall | 518 | \fBseccomp.32.drop syscall,syscall,syscall |
519 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 519 | Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
520 | .TP | 520 | .TP |
521 | \fBseccomp.keep syscall,syscall,syscall | 521 | \fBseccomp.keep syscall,syscall,syscall |
522 | Enable seccomp filter and whitelist the system calls in the list. | 522 | Enable seccomp filter and allow the system calls in the list. |
523 | .TP | 523 | .TP |
524 | \fBseccomp.32.keep syscall,syscall,syscall | 524 | \fBseccomp.32.keep syscall,syscall,syscall |
525 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 525 | Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
526 | .TP | 526 | .TP |
527 | \fBseccomp-error-action kill | log | ERRNO | 527 | \fBseccomp-error-action kill | log | ERRNO |
528 | Return a different error instead of EPERM to the process, kill it when | 528 | Return a different error instead of EPERM to the process, kill it when |
@@ -534,7 +534,7 @@ attempt. | |||
534 | Enable X11 sandboxing. | 534 | Enable X11 sandboxing. |
535 | .TP | 535 | .TP |
536 | \fBx11 none | 536 | \fBx11 none |
537 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 537 | Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
538 | Remove DISPLAY and XAUTHORITY environment variables. | 538 | Remove DISPLAY and XAUTHORITY environment variables. |
539 | Stop with error message if X11 abstract socket will be accessible in jail. | 539 | Stop with error message if X11 abstract socket will be accessible in jail. |
540 | .TP | 540 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0462705c0..498ff9aa9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
99 | \fB\-\- | 99 | \fB\-\- |
100 | Signal the end of options and disables further option processing. | 100 | Signal the end of options and disables further option processing. |
101 | .TP | 101 | .TP |
102 | \fB\-\-allow=dirname_or_filename | ||
103 | Allow access to a directory or file. A temporary file system is mounted on the top directory, and the | ||
104 | allowed files are mount-binded inside. Modifications to allowed files are persistent, | ||
105 | everything else is discarded when the sandbox is closed. The top directory can be | ||
106 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
107 | all directories in /usr. | ||
108 | .br | ||
109 | |||
110 | .br | ||
111 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
112 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
113 | .br | ||
114 | |||
115 | .br | ||
116 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
117 | .br | ||
118 | |||
119 | .br | ||
120 | Example: | ||
121 | .br | ||
122 | $ firejail \-\-noprofile \-\-allow=~/.mozilla | ||
123 | .br | ||
124 | $ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null | ||
125 | .br | ||
126 | $ firejail "\-\-allow=/home/username/My Virtual Machines" | ||
127 | .br | ||
128 | $ firejail \-\-allow=~/work* \-\-allow=/var/backups* | ||
129 | |||
130 | |||
131 | |||
132 | |||
133 | |||
134 | |||
135 | .TP | ||
102 | \fB\-\-allow-debuggers | 136 | \fB\-\-allow-debuggers |
103 | Allow tools such as strace and gdb inside the sandbox by whitelisting | 137 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
104 | system calls ptrace and process_vm_readv. This option is only | 138 | system calls ptrace and process_vm_readv. This option is only |
@@ -169,21 +203,6 @@ Example: | |||
169 | .br | 203 | .br |
170 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 204 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
171 | .TP | 205 | .TP |
172 | \fB\-\-blacklist=dirname_or_filename | ||
173 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
174 | .br | ||
175 | |||
176 | .br | ||
177 | Example: | ||
178 | .br | ||
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
180 | .br | ||
181 | $ firejail \-\-blacklist=~/.mozilla | ||
182 | .br | ||
183 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | ||
184 | .br | ||
185 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | ||
186 | .TP | ||
187 | \fB\-\-build | 206 | \fB\-\-build |
188 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | 207 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also |
189 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | 208 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, |
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100 | |||
243 | 262 | ||
244 | .TP | 263 | .TP |
245 | \fB\-\-caps.drop=capability,capability,capability | 264 | \fB\-\-caps.drop=capability,capability,capability |
246 | Define a custom blacklist Linux capabilities filter. | 265 | Define a custom Linux capabilities filter. |
247 | .br | 266 | .br |
248 | 267 | ||
249 | .br | 268 | .br |
@@ -624,14 +643,14 @@ Example: | |||
624 | $ firejail \-\-debug firefox | 643 | $ firejail \-\-debug firefox |
625 | 644 | ||
626 | .TP | 645 | .TP |
627 | \fB\-\-debug-blacklists\fR | 646 | \fB\-\-debug-allow\fR |
628 | Debug blacklisting. | 647 | Debug file system access. |
629 | .br | 648 | .br |
630 | 649 | ||
631 | .br | 650 | .br |
632 | Example: | 651 | Example: |
633 | .br | 652 | .br |
634 | $ firejail \-\-debug-blacklists firefox | 653 | $ firejail \-\-debug-allow firefox |
635 | 654 | ||
636 | .TP | 655 | .TP |
637 | \fB\-\-debug-caps | 656 | \fB\-\-debug-caps |
@@ -644,6 +663,16 @@ Example: | |||
644 | $ firejail \-\-debug-caps | 663 | $ firejail \-\-debug-caps |
645 | 664 | ||
646 | .TP | 665 | .TP |
666 | \fB\-\-debug-deny\fR | ||
667 | Debug file access. | ||
668 | .br | ||
669 | |||
670 | .br | ||
671 | Example: | ||
672 | .br | ||
673 | $ firejail \-\-debug-deny firefox | ||
674 | |||
675 | .TP | ||
647 | \fB\-\-debug-errnos | 676 | \fB\-\-debug-errnos |
648 | Print all recognized error numbers in the current Firejail software build and exit. | 677 | Print all recognized error numbers in the current Firejail software build and exit. |
649 | .br | 678 | .br |
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls | |||
677 | \fB\-\-debug-syscalls32 | 706 | \fB\-\-debug-syscalls32 |
678 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | 707 | Print all recognized 32 bit system calls in the current Firejail software build and exit. |
679 | .br | 708 | .br |
680 | .TP | ||
681 | \fB\-\-debug-whitelists\fR | ||
682 | Debug whitelisting. | ||
683 | .br | ||
684 | 709 | ||
685 | .br | ||
686 | Example: | ||
687 | .br | ||
688 | $ firejail \-\-debug-whitelists firefox | ||
689 | #ifdef HAVE_NETWORK | 710 | #ifdef HAVE_NETWORK |
690 | .TP | 711 | .TP |
691 | \fB\-\-defaultgw=address | 712 | \fB\-\-defaultgw=address |
@@ -697,13 +718,32 @@ Example: | |||
697 | .br | 718 | .br |
698 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 719 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
699 | #endif | 720 | #endif |
721 | |||
722 | .TP | ||
723 | \fB\-\-deny=dirname_or_filename | ||
724 | Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
725 | .br | ||
726 | |||
727 | .br | ||
728 | Example: | ||
729 | .br | ||
730 | $ firejail \-\-deny=/sbin \-\-deny=/usr/sbin | ||
731 | .br | ||
732 | $ firejail \-\-deny=~/.mozilla | ||
733 | .br | ||
734 | $ firejail "\-\-deny=/home/username/My Virtual Machines" | ||
735 | .br | ||
736 | $ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines | ||
737 | |||
738 | |||
739 | |||
700 | .TP | 740 | .TP |
701 | \fB\-\-deterministic-exit-code | 741 | \fB\-\-deterministic-exit-code |
702 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 742 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
703 | .br | 743 | .br |
704 | .TP | 744 | .TP |
705 | \fB\-\-disable-mnt | 745 | \fB\-\-disable-mnt |
706 | Blacklist /mnt, /media, /run/mount and /run/media access. | 746 | Deny access to /mnt, /media, /run/mount and /run/media. |
707 | .br | 747 | .br |
708 | 748 | ||
709 | .br | 749 | .br |
@@ -1471,12 +1511,16 @@ Example: | |||
1471 | $ firejail --no3d firefox | 1511 | $ firejail --no3d firefox |
1472 | 1512 | ||
1473 | .TP | 1513 | .TP |
1514 | \fB\-\-noallow=dirname_or_filename | ||
1515 | Disable \-\-allow for this directory or file. | ||
1516 | |||
1517 | .TP | ||
1474 | \fB\-\-noautopulse \fR(deprecated) | 1518 | \fB\-\-noautopulse \fR(deprecated) |
1475 | See --keep-config-pulse. | 1519 | See --keep-config-pulse. |
1476 | 1520 | ||
1477 | .TP | 1521 | .TP |
1478 | \fB\-\-noblacklist=dirname_or_filename | 1522 | \fB\-\-nodeny=dirname_or_filename |
1479 | Disable blacklist for this directory or file. | 1523 | Disable \-\-deny for this directory or file. |
1480 | .br | 1524 | .br |
1481 | 1525 | ||
1482 | .br | 1526 | .br |
@@ -1492,7 +1536,7 @@ $ exit | |||
1492 | .br | 1536 | .br |
1493 | 1537 | ||
1494 | .br | 1538 | .br |
1495 | $ firejail --noblacklist=/bin/nc | 1539 | $ firejail --nodeny=/bin/nc |
1496 | .br | 1540 | .br |
1497 | $ nc dict.org 2628 | 1541 | $ nc dict.org 2628 |
1498 | .br | 1542 | .br |
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f | |||
1666 | Disable video devices. | 1710 | Disable video devices. |
1667 | .br | 1711 | .br |
1668 | 1712 | ||
1669 | .TP | ||
1670 | \fB\-\-nowhitelist=dirname_or_filename | ||
1671 | Disable whitelist for this directory or file. | ||
1672 | |||
1673 | #ifdef HAVE_OUTPUT | 1713 | #ifdef HAVE_OUTPUT |
1674 | .TP | 1714 | .TP |
1675 | \fB\-\-output=logfile | 1715 | \fB\-\-output=logfile |
@@ -2733,34 +2773,6 @@ Example: | |||
2733 | .br | 2773 | .br |
2734 | $ firejail \-\-net=br0 --veth-name=if0 | 2774 | $ firejail \-\-net=br0 --veth-name=if0 |
2735 | #endif | 2775 | #endif |
2736 | .TP | ||
2737 | \fB\-\-whitelist=dirname_or_filename | ||
2738 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
2739 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
2740 | everything else is discarded when the sandbox is closed. The top directory can be | ||
2741 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
2742 | all directories in /usr. | ||
2743 | .br | ||
2744 | |||
2745 | .br | ||
2746 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
2747 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
2748 | .br | ||
2749 | |||
2750 | .br | ||
2751 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
2752 | .br | ||
2753 | |||
2754 | .br | ||
2755 | Example: | ||
2756 | .br | ||
2757 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | ||
2758 | .br | ||
2759 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
2760 | .br | ||
2761 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | ||
2762 | .br | ||
2763 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
2764 | 2776 | ||
2765 | .TP | 2777 | .TP |
2766 | \fB\-\-writable-etc | 2778 | \fB\-\-writable-etc |
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c new file mode 100644 index 000000000..93bb3f73d --- /dev/null +++ b/src/tools/profcleaner.c | |||
@@ -0,0 +1,75 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | //************************************************************* | ||
22 | // Small utility program to convert profiles from blacklist/whitelist to deny/allow | ||
23 | // Compile: | ||
24 | // gcc -o profcleaner profcleaner.c | ||
25 | // Usage: | ||
26 | // profcleaner *.profile | ||
27 | //************************************************************* | ||
28 | |||
29 | #include <stdio.h> | ||
30 | #include <stdlib.h> | ||
31 | #include <string.h> | ||
32 | #include <unistd.h> | ||
33 | #define MAXBUF 4096 | ||
34 | |||
35 | int main(int argc, char **argv) { | ||
36 | printf("Usage: profcleaner files\n"); | ||
37 | int i; | ||
38 | |||
39 | for (i = 1; i < argc; i++) { | ||
40 | FILE *fp = fopen(argv[i], "r"); | ||
41 | if (!fp) { | ||
42 | fprintf(stderr, "Error: cannot open %s\n", argv[i]); | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | FILE *fpout = fopen("profcleaner-tmp", "w"); | ||
47 | if (!fpout) { | ||
48 | fprintf(stderr, "Error: cannot open output file\n"); | ||
49 | return 1; | ||
50 | } | ||
51 | |||
52 | char buf[MAXBUF]; | ||
53 | while (fgets(buf, MAXBUF, fp)) { | ||
54 | if (strncmp(buf, "blacklist-nolog", 15) == 0) | ||
55 | fprintf(fpout, "deny-nolog %s", buf + 15); | ||
56 | else if (strncmp(buf, "blacklist", 9) == 0) | ||
57 | fprintf(fpout, "deny %s", buf + 9); | ||
58 | else if (strncmp(buf, "noblacklist", 11) == 0) | ||
59 | fprintf(fpout, "nodeny %s", buf + 11); | ||
60 | else if (strncmp(buf, "whitelist", 9) == 0) | ||
61 | fprintf(fpout, "allow %s", buf + 9); | ||
62 | else if (strncmp(buf, "nowhitelist", 11) == 0) | ||
63 | fprintf(fpout, "noallow %s", buf + 11); | ||
64 | else | ||
65 | fprintf(fpout, "%s", buf); | ||
66 | } | ||
67 | |||
68 | fclose(fp); | ||
69 | fclose(fpout); | ||
70 | unlink(argv[i]); | ||
71 | rename("profcleaner-tmp", argv[i]); | ||
72 | } | ||
73 | |||
74 | return 0; | ||
75 | } \ No newline at end of file | ||
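Review bot: Every converted rule comes out with two spaces after the new keyword, because `buf + 9` (and the other offsets at lines 55-63) already points at the separator that followed `blacklist`/`whitelist` and the format strings add another one, so `blacklist ${HOME}/.ssh` becomes `deny  ${HOME}/.ssh`. If the profile parser (not visible here) takes everything after `deny ` as the path, that leading space turns the rule into a no-op and the converted profile silently loses the denial; the format strings should be `"deny%s"`, `"allow%s"` and so on. The write-back at lines 70-71 also `unlink()`s the profile before `rename()`, so a failed rename (EXDEV when the profile lives on a different filesystem than the cwd where `profcleaner-tmp` is created, or a permission error) deletes the profile instead of leaving it untouched; `rename()` replaces the target atomically on its own, and both it and `fclose(fpout)` need their return values checked. Creating the temporary next to `argv[i]` rather than under a fixed name in the current directory would avoid the EXDEV case and stop the tool from clobbering an unrelated `profcleaner-tmp` in whatever directory it is run from.
```c
		/* … unchanged: open input file and profcleaner-tmp … */
		char buf[MAXBUF];
		while (fgets(buf, MAXBUF, fp)) {
			/* buf + N points at the separator after the old keyword; do not add a second space */
			if (strncmp(buf, "blacklist-nolog", 15) == 0)
				fprintf(fpout, "deny-nolog%s", buf + 15);
			else if (strncmp(buf, "blacklist", 9) == 0)
				fprintf(fpout, "deny%s", buf + 9);
			else if (strncmp(buf, "noblacklist", 11) == 0)
				fprintf(fpout, "nodeny%s", buf + 11);
			else if (strncmp(buf, "whitelist", 9) == 0)
				fprintf(fpout, "allow%s", buf + 9);
			else if (strncmp(buf, "nowhitelist", 11) == 0)
				fprintf(fpout, "noallow%s", buf + 11);
			else
				fprintf(fpout, "%s", buf);
		}

		fclose(fp);
		if (fclose(fpout) != 0) {
			fprintf(stderr, "Error: cannot write output file\n");
			return 1;
		}
		/* rename() replaces the target atomically; no unlink() first, so a failure keeps the original */
		if (rename("profcleaner-tmp", argv[i]) != 0) {
			fprintf(stderr, "Error: cannot replace %s\n", argv[i]);
			return 1;
		}
```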
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh new file mode 100755 index 000000000..709008e08 --- /dev/null +++ b/src/tools/profcleaner.sh | |||
@@ -0,0 +1,45 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | # Copyright (C) 2021 Firejail Authors | ||
4 | # | ||
5 | # This file is part of firejail project | ||
6 | # | ||
7 | # This program is free software; you can redistribute it and/or modify | ||
8 | # it under the terms of the GNU General Public License as published by | ||
9 | # the Free Software Foundation; either version 2 of the License, or | ||
10 | # (at your option) any later version. | ||
11 | # | ||
12 | # This program is distributed in the hope that it will be useful, | ||
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
15 | # GNU General Public License for more details. | ||
16 | # | ||
17 | # You should have received a copy of the GNU General Public License along | ||
18 | # with this program; if not, write to the Free Software Foundation, Inc., | ||
19 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
20 | |||
21 | if [[ $1 == --help ]]; then | ||
22 | cat <<-EOM | ||
23 | USAGE: | ||
24 | profcleaner.sh --help Show this help message and exit | ||
25 | profcleaner.sh --system Clean all profiles in /etc/firejail | ||
26 | profcleaner.sh --user Clean all profiles in ~/.config/firejail | ||
27 | profcleaner.sh /path/to/profile1 /path/to/profile2 ... | ||
28 | EOM | ||
29 | exit 0 | ||
30 | fi | ||
31 | |||
32 | if [[ $1 == --system ]]; then | ||
33 | profiles=(/etc/firejail/*.{inc,local,profile}) | ||
34 | elif [[ $1 == --user ]]; then | ||
35 | profiles=("$HOME"/.config/firejail/*.{inc,local,profile}) | ||
36 | else | ||
37 | profiles=("$@") | ||
38 | fi | ||
39 | |||
40 | sed -i -E \ | ||
41 | -e "s/^(# |#)?blacklist/\1deny/" \ | ||
42 | -e "s/^(# |#)?noblacklist/\1nodeny/" \ | ||
43 | -e "s/^(# |#)?whitelist/\1allow/" \ | ||
44 | -e "s/^(# |#)?nowhitelist/\1noallow/" \ | ||
45 | "${profiles[@]}" | ||
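Review bot: With `--system` or `--user`, any unmatched pattern from the brace expansion at lines 33/35 (a directory with no `*.local` files is the common case) is passed literally to `sed`, which then fails with "No such file" and exits non-zero even though the other profiles were rewritten; `shopt -s nullglob` before building `profiles` avoids that. The file list at line 45 should also be separated from sed's options with `--`, i.e. `-- "${profiles[@]}"`, so an explicit profile path beginning with `-` is not parsed as a sed option. Invoking the script with no arguments leaves `profiles` empty and runs `sed -i` with no files, which GNU sed rejects with "no input files"; an explicit usage error for that case would be clearer than sed's message.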
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index f1a19b86d..b703783b0 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -48,8 +48,8 @@ _firejail_args=( | |||
48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
49 | 49 | ||
50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
51 | '--build[build a whitelisted profile for the application and print it on stdout]' | 51 | '--build[build a profile for the application and print it on stdout]' |
52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | 52 | '--build=-[build a profile for the application and save it]: :_files' |
53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
@@ -63,14 +63,14 @@ _firejail_args=( | |||
63 | '--version[print program version and exit]' | 63 | '--version[print program version and exit]' |
64 | 64 | ||
65 | '--debug[print sandbox debug messages]' | 65 | '--debug[print sandbox debug messages]' |
66 | '--debug-blacklists[debug blacklisting]' | 66 | '--debug-allow[debug file system access]' |
67 | '--debug-caps[print all recognized capabilities]' | 67 | '--debug-caps[print all recognized capabilities]' |
68 | '--debug-deny[debug file system access]' | ||
68 | '--debug-errnos[print all recognized error numbers]' | 69 | '--debug-errnos[print all recognized error numbers]' |
69 | '--debug-private-lib[debug for --private-lib option]' | 70 | '--debug-private-lib[debug for --private-lib option]' |
70 | '--debug-protocols[print all recognized protocols]' | 71 | '--debug-protocols[print all recognized protocols]' |
71 | '--debug-syscalls[print all recognized system calls]' | 72 | '--debug-syscalls[print all recognized system calls]' |
72 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 73 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
73 | '--debug-whitelists[debug whitelisting]' | ||
74 | 74 | ||
75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
@@ -83,13 +83,13 @@ _firejail_args=( | |||
83 | '--allusers[all user home directories are visible inside the sandbox]' | 83 | '--allusers[all user home directories are visible inside the sandbox]' |
84 | # Should be _files, a comma and files or files -/ | 84 | # Should be _files, a comma and files or files -/ |
85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
86 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
87 | '--caps[enable default Linux capabilities filter]' | 86 | '--caps[enable default Linux capabilities filter]' |
88 | '--caps.drop=all[drop all capabilities]' | 87 | '--caps.drop=all[drop all capabilities]' |
89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 88 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 89 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
91 | '--cgroup=-[place the sandbox in the specified control group]: :' | 90 | '--cgroup=-[place the sandbox in the specified control group]: :' |
92 | '--cpu=-[set cpu affinity]: :->cpus' | 91 | '--cpu=-[set cpu affinity]: :->cpus' |
92 | '*--deny=-[deny access to directory or file]: :_files' | ||
93 | "--deterministic-exit-code[always exit with first child's status code]" | 93 | "--deterministic-exit-code[always exit with first child's status code]" |
94 | '*--dns=-[set DNS server]: :' | 94 | '*--dns=-[set DNS server]: :' |
95 | '*--env=-[set environment variable]: :' | 95 | '*--env=-[set environment variable]: :' |
@@ -112,7 +112,7 @@ _firejail_args=( | |||
112 | '--nice=-[set nice value]: :(1 10 15 20)' | 112 | '--nice=-[set nice value]: :(1 10 15 20)' |
113 | '--no3d[disable 3D hardware acceleration]' | 113 | '--no3d[disable 3D hardware acceleration]' |
114 | '--noautopulse[disable automatic ~/.config/pulse init]' | 114 | '--noautopulse[disable automatic ~/.config/pulse init]' |
115 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | 115 | '--nodeny=-[disable deny command for file or directory]: :_files' |
116 | '--nodbus[disable D-Bus access]' | 116 | '--nodbus[disable D-Bus access]' |
117 | '--nodvd[disable DVD and audio CD devices]' | 117 | '--nodvd[disable DVD and audio CD devices]' |
118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
@@ -143,13 +143,13 @@ _firejail_args=( | |||
143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
146 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | 146 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' |
147 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' | 147 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' |
148 | '--seccomp.block-secondary[build only the native architecture filters]' | 148 | '--seccomp.block-secondary[build only the native architecture filters]' |
149 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' | 149 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' |
150 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' | 150 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' |
151 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | 151 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
152 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | 152 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
153 | # FIXME: Add errnos | 153 | # FIXME: Add errnos |
154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
155 | '--shell=none[run the program directly without a user shell]' | 155 | '--shell=none[run the program directly without a user shell]' |
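Review bot: The description for `--seccomp.32.keep` at line 152 now says "drop the 32 bit syscalls", which is the opposite of what a keep list does and contradicts the `--seccomp.keep` entry directly above it; it should read `'*--seccomp.32.keep=-[enable seccomp filter, and allow the 32 bit syscalls specified by the command]: :'`. The blacklist→drop rewording on the other seccomp entries in this hunk is fine, since those options do drop syscalls.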
@@ -157,7 +157,7 @@ _firejail_args=( | |||
157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
158 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 158 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
160 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | 160 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' |
161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
163 | '--writable-var[/var directory is mounted read-write]' | 163 | '--writable-var[/var directory is mounted read-write]' |
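Review bot: `--tracelog` at line 160 now describes files "dropped by the security profile", but the rest of this commit uses deny/allow for file-system rules (`--deny`, `--nodeny` earlier in this file) and reserves "drop" for seccomp; `'(--trace)--tracelog[add a syslog message for every access to files or directories denied by the security profile]'` keeps the vocabulary consistent. The man page entry for `--tracelog` is not in the visible part of this diff, so I cannot tell whether it was reworded the same way.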
@@ -251,10 +251,8 @@ _firejail_args=( | |||
251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
252 | #endif | 252 | #endif |
253 | 253 | ||
254 | #ifdef HAVE_WHITELIST | 254 | '*--noallow=-[disable allow command for file or directory]: :_files' |
255 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | 255 | '*--allow=-[allow file system access]: :_files' |
256 | '*--whitelist=-[whitelist directory or file]: :_files' | ||
257 | #endif | ||
258 | 256 | ||
259 | #ifdef HAVE_X11 | 257 | #ifdef HAVE_X11 |
260 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |