65 files changed, 980 insertions, 157 deletions
@@ -97,6 +97,9 @@ announ (https://github.com/announ) | |||
97 | Antonio Russo (https://github.com/aerusso) | 97 | Antonio Russo (https://github.com/aerusso) |
98 | - enumerate root directories in apparmor profile | 98 | - enumerate root directories in apparmor profile |
99 | - fix join-or-start | 99 | - fix join-or-start |
100 | Austin Morton | ||
101 | - deterministic-exit-code option | ||
102 | - private-cwd options | ||
100 | Austin S. Hemmelgarn (https://github.com/Ferroin) | 103 | Austin S. Hemmelgarn (https://github.com/Ferroin) |
101 | - unbound profile update | 104 | - unbound profile update |
102 | avoidr (https://github.com/avoidr) | 105 | avoidr (https://github.com/avoidr) |
@@ -176,6 +179,8 @@ curiosity-seeker (https://github.com/curiosity-seeker) | |||
176 | - write-protection for thumbnailer dir | 179 | - write-protection for thumbnailer dir |
177 | - added gramps, newsboat, freeoffice-planmaker profiles | 180 | - added gramps, newsboat, freeoffice-planmaker profiles |
178 | - added freeoffice-textmaker, freeoffice-presentations profiles | 181 | - added freeoffice-textmaker, freeoffice-presentations profiles |
182 | - added cantata profile | ||
183 | - updated keypassxc profile | ||
179 | da2x (https://github.com/da2x) | 184 | da2x (https://github.com/da2x) |
180 | - matched RPM license tag | 185 | - matched RPM license tag |
181 | Daan Bakker (https://github.com/dbakker) | 186 | Daan Bakker (https://github.com/dbakker) |
@@ -304,6 +309,8 @@ greigdp (https://github.com/greigdp) | |||
304 | - fixed spotify profile | 309 | - fixed spotify profile |
305 | - added Slack profile | 310 | - added Slack profile |
306 | - add Spotify profile | 311 | - add Spotify profile |
312 | grizzlyuser (https://github.com/grizzlyuser) | ||
313 | - added support for youtube-dl in smplayer profile | ||
307 | GSI (https://github.com/GSI) | 314 | GSI (https://github.com/GSI) |
308 | - added Uzbl browser profile | 315 | - added Uzbl browser profile |
309 | hamzadis (https://github.com/hamzadis) | 316 | hamzadis (https://github.com/hamzadis) |
@@ -353,6 +360,7 @@ Jean Lucas (https://github.com/flacks) | |||
353 | - fix wire profile | 360 | - fix wire profile |
354 | - add Beaker profile | 361 | - add Beaker profile |
355 | - fixes for gnome-music | 362 | - fixes for gnome-music |
363 | - allow reading of system-wide Flatpak locale in gajim profile | ||
356 | Jericho (https://github.com/attritionorg) | 364 | Jericho (https://github.com/attritionorg) |
357 | - spelling | 365 | - spelling |
358 | Jesse Smith (https://github.com/slicer69) | 366 | Jesse Smith (https://github.com/slicer69) |
@@ -368,6 +376,8 @@ John Mullee (https://github.com/jmullee) | |||
368 | Jonas Heinrich (https://github.com/onny) | 376 | Jonas Heinrich (https://github.com/onny) |
369 | - added signal-desktop profile | 377 | - added signal-desktop profile |
370 | - fixed franz profile | 378 | - fixed franz profile |
379 | Jose Riha (https://github.com/jose1711) | ||
380 | - added meteo-qt profile | ||
371 | jrabe (https://github.com/jrabe) | 381 | jrabe (https://github.com/jrabe) |
372 | - disallow access to kdbx files | 382 | - disallow access to kdbx files |
373 | - Epiphany profile | 383 | - Epiphany profile |
@@ -513,6 +523,10 @@ pszxzsd (https://github.com/pszxzsd) | |||
513 | -uGet profile | 523 | -uGet profile |
514 | pwnage-pineapple (https://github.com/pwnage-pineapple) | 524 | pwnage-pineapple (https://github.com/pwnage-pineapple) |
515 | - update Okular profile | 525 | - update Okular profile |
526 | Quentin Minster (https://github.com/laomaiweng) | ||
527 | - propagate --quiet to children Firejail'ed processes | ||
528 | - nodbus enhancements/bugfixes | ||
529 | - added vim syntax and ftdetect files | ||
516 | Rafael Cavalcanti (https://github.com/rccavalcanti) | 530 | Rafael Cavalcanti (https://github.com/rccavalcanti) |
517 | - chromium profile fixes for Arch Linux | 531 | - chromium profile fixes for Arch Linux |
518 | Rahiel Kasim (https://github.com/rahiel) | 532 | Rahiel Kasim (https://github.com/rahiel) |
@@ -550,23 +564,11 @@ rusty-snake (https://github.com/rusty-snake) | |||
550 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano | 564 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
551 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 | 565 | - added profiles: gajim-history-manager, freemind, nomacs, kid3 |
552 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap | 566 | - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap |
553 | - added profiles: oggsplt, flacsplt, cheese | 567 | - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk |
554 | - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse | 568 | - added profiles: ktouch, yelp |
555 | - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool | 569 | - many profile fixing and hardening |
556 | - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany | ||
557 | - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro | ||
558 | - fixed profiles: default, mpv, authenticator, gramps, webstorm | ||
559 | - fixed profiles: freeoffice-planmaker, freeoffice-presentations | ||
560 | - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion | ||
561 | - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh | ||
562 | - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller | ||
563 | - fixed profiles: eog, eom | ||
564 | - hardened profiles: disable-common.inc, disable-programs.inc | ||
565 | - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox | ||
566 | - hardened profiles: gnome-clocks, meld, minetest, youtube-dl | ||
567 | - hardened profiles: bibletime, whois, etr, display, feh, mpv | ||
568 | - gnome-mpv was renamed to celluloid | ||
569 | - some typo fixes | 570 | - some typo fixes |
571 | - added profile templates | ||
570 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) | 572 | Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) |
571 | - fixed ktorrent profile | 573 | - fixed ktorrent profile |
572 | sarneaud (https://github.com/sarneaud) | 574 | sarneaud (https://github.com/sarneaud) |
@@ -750,6 +752,8 @@ veloute (https://github.com/veloute) | |||
750 | - add anki profile | 752 | - add anki profile |
751 | Vincent43 (https://github.com/Vincent43) | 753 | Vincent43 (https://github.com/Vincent43) |
752 | - apparmor enhancements | 754 | - apparmor enhancements |
755 | Vincent Blillault (https://github.com/Feandil) | ||
756 | - fix mumble profile | ||
753 | vismir2 (https://github.com/vismir2) | 757 | vismir2 (https://github.com/vismir2) |
754 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 758 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
755 | - claws-mail, mutt, git, emacs, vim profiles | 759 | - claws-mail, mutt, git, emacs, vim profiles |
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/ | |||
33 | Travis-CI status: https://travis-ci.org/netblue30/firejail | 33 | Travis-CI status: https://travis-ci.org/netblue30/firejail |
34 | 34 | ||
35 | 35 | ||
36 | ## Security vulnerabilities | ||
37 | |||
38 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | ||
39 | |||
36 | ## Compile and install | 40 | ## Compile and install |
37 | ````` | 41 | ````` |
38 | $ git clone https://github.com/netblue30/firejail.git | 42 | $ git clone https://github.com/netblue30/firejail.git |
@@ -95,18 +99,14 @@ If you keep additional Firejail security profiles in a public repository, please | |||
95 | 99 | ||
96 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 100 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) |
97 | 101 | ||
98 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory . | 102 | You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls). |
103 | |||
104 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | ||
99 | ````` | 105 | ````` |
100 | 106 | ||
101 | ````` | 107 | ````` |
102 | ## Current development version: 0.9.60-rc2 | 108 | ## Latest released version: 0.9.60 |
103 | 109 | ||
104 | ## 0.9.60-rc1 is out! | 110 | ## Current development version: 0.9.61 |
105 | 111 | ||
106 | ## New profiles: | 112 | ## New profiles: |
107 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, | ||
108 | dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind, | ||
109 | gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, kid3, kid3-cli, kid3-qt, lincity-ng, lugaru, | ||
110 | Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, | ||
111 | pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, | ||
112 | sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer | ||
@@ -1,4 +1,19 @@ | |||
1 | firejail (0.9.60~rc2) baseline; urgency=low | 1 | firejail (0.9.60) baseline; urgency=low |
2 | * work in progress | ||
3 | * profile templates | ||
4 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 | ||
5 | |||
6 | firejail (0.9.60) baseline; urgency=low | ||
7 | * security bug reported by Austin Morton: | ||
8 | Seccomp filters are copied into /run/firejail/mnt, and are writable | ||
9 | within the jail. A malicious process can modify files from inside the | ||
10 | jail. Processes that are later joined to the jail will not have seccomp | ||
11 | filters applied. | ||
12 | * memory-deny-write-execute now also blocks memfd_create | ||
13 | * add private-cwd option to control working directory within jail | ||
14 | * blocking system D-Bus socket with --nodbus | ||
15 | * bringing back Centos 6 support | ||
16 | * drop support for flatpak/snap packages | ||
2 | * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 | 17 | * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2 |
3 | * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer | 18 | * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer |
4 | * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring | 19 | * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring |
@@ -15,9 +30,8 @@ firejail (0.9.60~rc2) baseline; urgency=low | |||
15 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker | 30 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker |
16 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell | 31 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell |
17 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap | 32 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap |
18 | * memory-deny-write-execute now also blocks memfd_create | 33 | * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata |
19 | * drop support for flatpak/snap packages | 34 | -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 |
20 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Apr 2019 08:00:00 -0500 | ||
21 | 35 | ||
22 | firejail (0.9.58,2) baseline; urgency=low | 36 | firejail (0.9.58,2) baseline; urgency=low |
23 | * cgroup flag in /etc/firejail/firejail.config file | 37 | * cgroup flag in /etc/firejail/firejail.config file |
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..96da4aff7 --- /dev/null +++ b/SECURITY.md | |||
@@ -0,0 +1,23 @@ | |||
1 | # Security Policy | ||
2 | |||
3 | ## Supported Versions | ||
4 | |||
5 | | Version | Supported by us | EOL | Supported by distribution | | ||
6 | | ------- | ------------------ | ---- | --------------------------- | ||
7 | | 0.9.60 | :heavy_check_mark: | | :white_check_mark: Debian experimental | ||
8 | | 0.9.58 |:heavy_check_mark: | | :white_check_mark: Ubuntu 19.04 & 19.10; Debian 9 (**backports**), 10, & Sid | ||
9 | | 0.9.56 | :x: | 27 Jan 2019 | | ||
10 | | 0.9.54 | :x: | | :white_check_mark: Ubuntu 18.10 | ||
11 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | ||
12 | | 0.9.50 | :x: | 12 Dec 2017 | | ||
13 | | 0.9.48 | :x: | 09 Sep 2017 | | ||
14 | | 0.9.46 | :x: | 12 Jun 2017 | | ||
15 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | ||
16 | | 0.9.42 | :x: | 22 Oct 2016 | | ||
17 | | 0.9.40 | :x: | 09 Sep 2016 | | ||
18 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | ||
19 | | <0.9.38 | :x: | Before 05 Feb 2016 | | ||
20 | |||
21 | ## Security vulnerabilities | ||
22 | |||
23 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | ||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.60~rc2. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.61. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.60~rc2' | 583 | PACKAGE_VERSION='0.9.61' |
584 | PACKAGE_STRING='firejail 0.9.60~rc2' | 584 | PACKAGE_STRING='firejail 0.9.61' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then | |||
1275 | # Omit some internal or obsolete options to make the list less imposing. | 1275 | # Omit some internal or obsolete options to make the list less imposing. |
1276 | # This message is too long to be a string in the A/UX 3.1 sh. | 1276 | # This message is too long to be a string in the A/UX 3.1 sh. |
1277 | cat <<_ACEOF | 1277 | cat <<_ACEOF |
1278 | \`configure' configures firejail 0.9.60~rc2 to adapt to many kinds of systems. | 1278 | \`configure' configures firejail 0.9.61 to adapt to many kinds of systems. |
1279 | 1279 | ||
1280 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1280 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1281 | 1281 | ||
@@ -1337,7 +1337,7 @@ fi | |||
1337 | 1337 | ||
1338 | if test -n "$ac_init_help"; then | 1338 | if test -n "$ac_init_help"; then |
1339 | case $ac_init_help in | 1339 | case $ac_init_help in |
1340 | short | recursive ) echo "Configuration of firejail 0.9.60~rc2:";; | 1340 | short | recursive ) echo "Configuration of firejail 0.9.61:";; |
1341 | esac | 1341 | esac |
1342 | cat <<\_ACEOF | 1342 | cat <<\_ACEOF |
1343 | 1343 | ||
@@ -1442,7 +1442,7 @@ fi | |||
1442 | test -n "$ac_init_help" && exit $ac_status | 1442 | test -n "$ac_init_help" && exit $ac_status |
1443 | if $ac_init_version; then | 1443 | if $ac_init_version; then |
1444 | cat <<\_ACEOF | 1444 | cat <<\_ACEOF |
1445 | firejail configure 0.9.60~rc2 | 1445 | firejail configure 0.9.61 |
1446 | generated by GNU Autoconf 2.69 | 1446 | generated by GNU Autoconf 2.69 |
1447 | 1447 | ||
1448 | Copyright (C) 2012 Free Software Foundation, Inc. | 1448 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF | |||
1744 | This file contains any messages produced by compilers while | 1744 | This file contains any messages produced by compilers while |
1745 | running configure, to aid debugging if configure makes a mistake. | 1745 | running configure, to aid debugging if configure makes a mistake. |
1746 | 1746 | ||
1747 | It was created by firejail $as_me 0.9.60~rc2, which was | 1747 | It was created by firejail $as_me 0.9.61, which was |
1748 | generated by GNU Autoconf 2.69. Invocation command line was | 1748 | generated by GNU Autoconf 2.69. Invocation command line was |
1749 | 1749 | ||
1750 | $ $0 $@ | 1750 | $ $0 $@ |
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4379 | # report actual input values of CONFIG_FILES etc. instead of their | 4379 | # report actual input values of CONFIG_FILES etc. instead of their |
4380 | # values after options handling. | 4380 | # values after options handling. |
4381 | ac_log=" | 4381 | ac_log=" |
4382 | This file was extended by firejail $as_me 0.9.60~rc2, which was | 4382 | This file was extended by firejail $as_me 0.9.61, which was |
4383 | generated by GNU Autoconf 2.69. Invocation command line was | 4383 | generated by GNU Autoconf 2.69. Invocation command line was |
4384 | 4384 | ||
4385 | CONFIG_FILES = $CONFIG_FILES | 4385 | CONFIG_FILES = $CONFIG_FILES |
@@ -4433,7 +4433,7 @@ _ACEOF | |||
4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4435 | ac_cs_version="\\ | 4435 | ac_cs_version="\\ |
4436 | firejail config.status 0.9.60~rc2 | 4436 | firejail config.status 0.9.61 |
4437 | configured by $0, generated by GNU Autoconf 2.69, | 4437 | configured by $0, generated by GNU Autoconf 2.69, |
4438 | with options \\"\$ac_cs_config\\" | 4438 | with options \\"\$ac_cs_config\\" |
4439 | 4439 | ||
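--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.60~rc2, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 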
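--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+
+Seccomp filters are copied into /run/firejail/mnt, and are writable
+within the jail. A malicious process can modify files from inside the
+jail. Processes that are later joined to the jail will not have seccomp
+filters applied.
+
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
+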
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip new file mode 100644 index 000000000..59782461e --- /dev/null +++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip | |||
Binary files differ | |||
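--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -40,4 +40,4 @@ private
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
 # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+#private-tmp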
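Review bot: The new `#private-tmp` on the last line drops the private /tmp for the Xephyr sandbox with no reason recorded, so the jail now shares the host's /tmp and a later hardening pass will most likely re-enable the option without knowing what it broke. Xephyr is a nested X server and presumably needs its socket visible under /tmp/.X11-unix, but that is a guess; the profile should say it. Suggest `#private-tmp - <reason it was disabled, e.g. which Xephyr use case breaks>` (placeholder to fill in), in the same `- breaks ...` style this commit uses for `#memory-deny-write-execute - breaks on Arch` in eo-common.profile. The other disabled lines above it (`# private-bin`, `# private-etc`) predate this change and carry no reason either, but they do not alter isolation the way this one does.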
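--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 
 noexec /tmp
+read-write /var/lib/bitlbee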
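--- /dev/null
+++ b/etc/cantata.profile
@@ -0,0 +1,40 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+private-bin cantata,mpd,perl
+private-dev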
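Review bot: Lines 14-16 (`noblacklist ${PATH}/perl`, `noblacklist /usr/lib/perl*`, `noblacklist /usr/share/perl*`) together with `private-bin cantata,mpd,perl` on line 39 put a complete Perl interpreter back into a sandbox that otherwise includes disable-interpreters.inc, and nothing in the file records which Cantata feature needs it; without that, a future hardening pass either removes it and breaks the program or leaves it without knowing whether it is still required. Suggest a line above the noblacklists such as `# perl is needed for <Cantata feature — confirm>` (placeholder to fill in). In the same spirit, `# apparmor` on line 26 and `# private-etc ...` on line 38 are disabled with no reason given; a short suffix in the `- breaks ...` form this commit uses in eo-common.profile (`#memory-deny-write-execute - breaks on Arch`) keeps that knowledge with the profile. private-tmp is also absent from the file, which may well be deliberate, but a one-line comment would make that clear.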
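--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -94,6 +94,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -128,6 +129,7 @@ blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
@@ -208,6 +210,7 @@ blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
 blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -218,6 +221,7 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mono
@@ -305,6 +309,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -436,6 +441,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -451,6 +457,7 @@ blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
+blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/contacts
@@ -491,6 +498,7 @@ blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
@@ -549,6 +557,7 @@ blacklist ${HOME}/.minetest
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
@@ -572,6 +581,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -648,6 +658,7 @@ blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev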
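--- /dev/null
+++ b/etc/eo-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# already included by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch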
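Review bot: `protocol unix,netlink` on line 36 is wider than the `protocol unix` that eog.profile carried before this commit, and `private-etc alternatives,dconf,fonts,gtk-3.0` on line 43 likewise adds dconf and gtk-3.0 to eog's former `alternatives,fonts`. A shared profile naturally takes the union of what its callers need, but nothing here says which caller required netlink or the extra etc entries (presumably eom, whose old profile is cut off at the end of the page), so a later review cannot tell whether eog is now granted more than it uses. Suggest a comment next to those lines such as `# netlink, dconf and gtk-3.0 are needed by <caller — confirm>` (placeholder to fill in). The header on line 3 says "overwritten after every install/update" while cantata.profile in the same commit uses "overwritten during software install"; trivial, but profile headers get copied around, so one wording is better.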
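--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -6,46 +6,12 @@ include eog.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
-private-tmp
 
-# memory-deny-write-execute
+# Redirect
+include eo-common.profile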
diff --git a/etc/eom.profile b/etc/eom.profile index 7cb3f98cd..437326d38 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -6,42 +6,12 @@ include eom.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.Steam | ||
10 | noblacklist ${HOME}/.config/mate/eom | 9 | noblacklist ${HOME}/.config/mate/eom |
11 | noblacklist ${HOME}/.local/share/Trash | ||
12 | noblacklist ${HOME}/.steam | ||
13 | |||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | |||
21 | include whitelist-var-common.inc | ||
22 | |||
23 | caps.drop all | ||
24 | no3d | ||
25 | nodvd | ||
26 | nogroups | ||
27 | nonewprivs | ||
28 | noroot | ||
29 | nosound | ||
30 | notv | ||
31 | nou2f | ||
32 | novideo | ||
33 | protocol unix | ||
34 | seccomp | ||
35 | shell none | ||
36 | tracelog | ||
37 | 10 | ||
38 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' | 11 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' |
39 | # comment those if you need that functionality | 12 | # comment those if you need that functionality |
40 | # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local | 13 | # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local |
41 | private-bin eom | 14 | private-bin eom |
42 | private-dev | ||
43 | private-etc alternatives,fonts | ||
44 | private-lib | ||
45 | private-tmp | ||
46 | 15 | ||
47 | #memory-deny-write-execute - breaks on Arch | 16 | # Redirect |
17 | include eo-common.profile | ||
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 2ee4aae6f..f694ea212 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -41,7 +41,7 @@ shell none | |||
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. | 43 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. |
44 | # Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening. | 44 | # Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. |
45 | #private-bin exiftool,perl | 45 | #private-bin exiftool,perl |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 080d9e81a..bccbb3412 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -9,7 +9,7 @@ include firefox-common.local | |||
9 | # noexec ${HOME} breaks DRM binaries. | 9 | # noexec ${HOME} breaks DRM binaries. |
10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} | 10 | ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} |
11 | 11 | ||
12 | # Uncomment the following line to allow access to common programs/addons/plugins. | 12 | # Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. |
13 | #include firefox-common-addons.inc | 13 | #include firefox-common-addons.inc |
14 | 14 | ||
15 | noblacklist ${HOME}/.pki | 15 | noblacklist ${HOME}/.pki |
diff --git a/etc/firejail.config b/etc/firejail.config index 497d9633e..92df8ad1a 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -32,7 +32,7 @@ | |||
32 | 32 | ||
33 | # Disable /mnt, /media, /run/mount and /run/media access. By default access | 33 | # Disable /mnt, /media, /run/mount and /run/media access. By default access |
34 | # to these directories is enabled. Unlike --disable-mnt profile option this | 34 | # to these directories is enabled. Unlike --disable-mnt profile option this |
35 | # cannot be overridden by --noblacklist. | 35 | # cannot be overridden by --noblacklist or --ignore. |
36 | # disable-mnt no | 36 | # disable-mnt no |
37 | 37 | ||
38 | # Enable or disable file transfer support, default enabled. | 38 | # Enable or disable file transfer support, default enabled. |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 2f4626891..04409a5e4 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -18,7 +18,10 @@ include disable-xdg.inc | |||
18 | 18 | ||
19 | include whitelist-var-common.inc | 19 | include whitelist-var-common.inc |
20 | 20 | ||
21 | apparmor | ||
21 | caps.drop all | 22 | caps.drop all |
23 | machine-id | ||
24 | net none | ||
22 | no3d | 25 | no3d |
23 | nodvd | 26 | nodvd |
24 | nogroups | 27 | nogroups |
@@ -35,6 +38,7 @@ tracelog | |||
35 | 38 | ||
36 | disable-mnt | 39 | disable-mnt |
37 | private-bin fairymax,gnome-chess,hoichess,gnuchess | 40 | private-bin fairymax,gnome-chess,hoichess,gnuchess |
41 | private-cache | ||
38 | private-dev | 42 | private-dev |
39 | private-etc alternatives,fonts,gnome-chess | 43 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 |
40 | private-tmp | 44 | private-tmp |
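Review bot: The new `apparmor` and `net none` pair (lines 21 and 24) is the combination that ocenaudio.profile in this same commit documents as broken (`# net none breaks AppArmor on Ubuntu systems`, keeping `netfilter` for that reason); the new ktouch.profile, mp3splt-gtk.profile and yelp.profile use the same pair. If that limitation no longer applies, the ocenaudio comment is stale and should say so; if it still does, these four profiles need either the same `netfilter` fallback or a comment telling affected users to put `ignore net none` (or `ignore apparmor`) in the profile's `.local` file. Either way the rationale belongs in one place rather than being inferred from a comment in an unrelated profile.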
diff --git a/etc/gpg.profile b/etc/gpg.profile index 47e6e5265..51662b59c 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -29,8 +29,7 @@ nou2f | |||
29 | novideo | 29 | novideo |
30 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
31 | seccomp | 31 | seccomp |
32 | # Causes gpg to hang | 32 | shell none |
33 | #shell none | ||
34 | tracelog | 33 | tracelog |
35 | 34 | ||
36 | # private-bin gpg,gpg-agent | 35 | # private-bin gpg,gpg-agent |
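Review bot: Enabling `shell none` (line 32) drops the `# Causes gpg to hang` explanation without recording why the hang no longer occurs; seahorse.profile gets the same change in this commit. A regression here is silent (gpg just blocks), so a comment such as `# shell none used to hang gpg, re-enabled after retesting with firejail FIREJAIL_VERSION_TESTED` (placeholder to fill in) or a note in the commit message naming the versions it was retested with would let the next maintainer bisect. Documentation only; the change itself looks intended.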
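--- /dev/null
+++ b/etc/inkview.profile
@@ -0,0 +1,8 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+
+# Redirect
+include inkscape.profile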
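Review bot: The redirect on line 8 inherits whatever `private-bin` list inkscape.profile sets (not visible here); if that list does not contain `inkview`, the binary is missing inside the sandbox and the program fails to start. The redirect_alias-profile.template added in this commit reserves a `#private-bin PROGRAMS` slot for exactly this case, so either `private-bin inkview` belongs before the include (as far as I know private-bin lines accumulate, so this only extends the inherited list) or inkscape.profile should be confirmed to list it already.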
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 33b4509b7..c1adfd516 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile | |||
@@ -41,7 +41,7 @@ protocol netlink,unix | |||
41 | seccomp | 41 | seccomp |
42 | shell none | 42 | shell none |
43 | 43 | ||
44 | private-bin keepassxc | 44 | private-bin keepassxc,keepassxc-proxy |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,ld.so.cache,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,machine-id |
47 | private-tmp | 47 | private-tmp |
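Review bot: Line 44 adds `keepassxc-proxy` to `private-bin` without saying why; presumably it is the browser-integration native messaging helper, which is normally started by the browser rather than by keepassxc, so it is not obvious which launch path puts it inside this sandbox. A short comment such as `# keepassxc-proxy: browser integration (native messaging) helper` would record the reason, and if the proxy's socket is expected under /tmp the `private-tmp` on line 47 hides it — worth confirming which socket location was tested.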
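--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp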
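Review bot: `private-etc alternatives,fonts,kde5rc,machine-id` (line 49) is narrower than the KDE/QT set the new profile.template recommends (`fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg`); if KTouch was verified to run without `ld.so.cache` and `xdg` that is fine, but a comment saying so stops someone from "fixing" it to the template later. `nodbus` (line 31) on a KDE application also deserves a line, since most KDE programs reach kdeinit/klauncher over the session bus — presumably it was tested, so `# nodbus - tested, KTouch does not need the session bus` would capture that.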
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 6e77cd741..5bb943323 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -29,9 +29,7 @@ include whitelist-var-common.inc | |||
29 | # comment the next line to use the ubuntu profile instead of firejail's apparmor profile | 29 | # comment the next line to use the ubuntu profile instead of firejail's apparmor profile |
30 | apparmor | 30 | apparmor |
31 | caps.drop all | 31 | caps.drop all |
32 | #machine-id | ||
33 | netfilter | 32 | netfilter |
34 | #nodbus | ||
35 | nodvd | 33 | nodvd |
36 | nogroups | 34 | nogroups |
37 | # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile | 35 | # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile |
@@ -50,5 +48,4 @@ tracelog | |||
50 | private-dev | 48 | private-dev |
51 | private-tmp | 49 | private-tmp |
52 | 50 | ||
53 | |||
54 | join-or-start libreoffice | 51 | join-or-start libreoffice |
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile index ce6486115..e4da0c66a 100644 --- a/etc/masterpdfeditor.profile +++ b/etc/masterpdfeditor.profile | |||
@@ -20,9 +20,7 @@ include whitelist-var-common.inc | |||
20 | 20 | ||
21 | apparmor | 21 | apparmor |
22 | caps.drop all | 22 | caps.drop all |
23 | ipc-namespace | ||
24 | machine-id | 23 | machine-id |
25 | no3d | ||
26 | nodvd | 24 | nodvd |
27 | nogroups | 25 | nogroups |
28 | nonewprivs | 26 | nonewprivs |
@@ -36,7 +34,6 @@ seccomp | |||
36 | shell none | 34 | shell none |
37 | tracelog | 35 | tracelog |
38 | 36 | ||
39 | private-bin masterpdfedito* | ||
40 | private-cache | 37 | private-cache |
41 | private-dev | 38 | private-dev |
42 | private-etc alternatives,fonts | 39 | private-etc alternatives,fonts |
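Review bot: Removing `private-bin masterpdfedito*` (old line 39) together with `no3d` and `ipc-namespace` (old lines 23 and 25) silently loosens the sandbox, whereas every other loosening in this commit leaves a breadcrumb (`#memory-deny-write-execute - breaks on Arch`, orage's `# nosound - ...`). If these options broke the application, keep them as commented lines with the reason, e.g. `# private-bin masterpdfedito* - breaks REASON_PLACEHOLDER`, so the next reviewer does not re-add them and users can still opt back in via masterpdfeditor.local. Both hunks' surrounding blocks continue outside the view, but the removed lines are self-contained.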
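--- /dev/null
+++ b/etc/meteo-qt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.config/autostart
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute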
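Review bot: Whitelisting `${HOME}/.config/autostart` (lines 9 and 25) gives the sandboxed, network-facing process write access to a directory whose entries are executed outside any sandbox at the next login, so this profile does not actually contain a compromised meteo-qt. Since the directory is only needed for the app's own autostart toggle, consider shipping both lines commented with `# Uncomment (or put in meteo-qt.local) to let meteo-qt manage its autostart entry` and leaving the default closed; if it stays enabled, the trade-off should at least be stated on the line. Separately, the profile has no `private-etc` although it talks to the network; the Internet set from the new profile.template (`ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl`) plus the Qt entries is the natural starting point, unless it was tried and found to break something — in which case a comment saying so helps.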
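--- /dev/null
+++ b/etc/mp3splt-gtk.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mp3splt-gtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse
+private-tmp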
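Review bot: The `private-etc` list on line 40 is out of alphabetical order (`gtk-3.0,dconf,machine-id`), unlike the other new profiles in this commit; `private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse` is the same set sorted. Keeping `dconf` while setting `nodbus` (line 24) is a slight mismatch, since dconf settings are normally reached through the session bus: if the program was verified to work without the bus, `dconf` is probably dead weight; if settings did not persist in testing, `nodbus` is the line to reconsider.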
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile index ceeb59384..b2249f63b 100644 --- a/etc/ocenaudio.profile +++ b/etc/ocenaudio.profile | |||
@@ -24,7 +24,7 @@ ipc-namespace | |||
24 | # net none breaks AppArmor on Ubuntu systems | 24 | # net none breaks AppArmor on Ubuntu systems |
25 | netfilter | 25 | netfilter |
26 | no3d | 26 | no3d |
27 | # nodbus - breaks preferences, comment when needed | 27 | # nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed |
28 | nodbus | 28 | nodbus |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
@@ -39,12 +39,10 @@ shell none | |||
39 | tracelog | 39 | tracelog |
40 | 40 | ||
41 | # disable-mnt | 41 | # disable-mnt |
42 | # private | ||
43 | private-bin ocenaudio | 42 | private-bin ocenaudio |
44 | private-cache | 43 | private-cache |
45 | private-dev | 44 | private-dev |
46 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 45 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse |
47 | # private-lib | ||
48 | private-tmp | 46 | private-tmp |
49 | 47 | ||
50 | # memory-deny-write-execute - breaks on Arch | 48 | # memory-deny-write-execute - breaks on Arch |
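Review bot: The new comment on line 27 names `oceanaudio.local`, but the profile is `ocenaudio` and, by the naming convention every other profile here follows (`include yelp.local`, `include ktouch.local`), its local file would be `ocenaudio.local`; a user who follows the comment literally creates a file that is never read. Change it to `# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your ocenaudio.local) when needed`.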
diff --git a/etc/orage.profile b/etc/orage.profile index 2c55ab909..4e12892d6 100644 --- a/etc/orage.profile +++ b/etc/orage.profile | |||
@@ -24,7 +24,7 @@ nodvd | |||
24 | nogroups | 24 | nogroups |
25 | nonewprivs | 25 | nonewprivs |
26 | noroot | 26 | noroot |
27 | nosound | 27 | # nosound - calendar application, It must be able to play sound to wake you up. |
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | 30 | novideo |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 444478149..bdd5404f5 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -6,9 +6,7 @@ include pidgin.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | mkdir ${HOME}/.purple | ||
10 | noblacklist ${HOME}/.purple | 9 | noblacklist ${HOME}/.purple |
11 | whitelist ${HOME}/.purple | ||
12 | 10 | ||
13 | ignore noexec ${RUNUSER} | 11 | ignore noexec ${RUNUSER} |
14 | ignore noexec /dev/shm | 12 | ignore noexec /dev/shm |
@@ -20,6 +18,9 @@ include disable-interpreters.inc | |||
20 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
21 | include disable-programs.inc | 19 | include disable-programs.inc |
22 | include disable-xdg.inc | 20 | include disable-xdg.inc |
21 | |||
22 | mkdir ${HOME}/.purple | ||
23 | whitelist ${HOME}/.purple | ||
23 | include whitelist-common.inc | 24 | include whitelist-common.inc |
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
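--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,60 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QtProject.conf
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp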
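Review bot: `noblacklist ${HOME}/.config/QtProject.conf` (line 9) has no matching `whitelist`; because this profile whitelists ${HOME} entries (lines 31-34) and includes whitelist-common.inc, anything under ${HOME} that is not whitelisted is invisible regardless of noblacklist, so the line is a no-op unless whitelist-common.inc happens to cover that file. Either add `whitelist ${HOME}/.config/QtProject.conf` (with a `mkfile` if it may not exist yet) or drop the noblacklist. The hand-expanded `seccomp.drop` on line 51 is @default with @resources spelled out minus mbind; a comment such as `# @default minus mbind, see etc/templates/syscalls.txt` would make the derivation visible and easier to resync when firejail's default list changes. Also, `netfilter` with `private-etc` lacking `nsswitch.conf` (the new template's Internet set includes it) may break name resolution on some distributions — worth a test.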
diff --git a/etc/seahorse.profile b/etc/seahorse.profile index cd9f6c767..fc54a0716 100644 --- a/etc/seahorse.profile +++ b/etc/seahorse.profile | |||
@@ -50,7 +50,7 @@ nou2f | |||
50 | novideo | 50 | novideo |
51 | protocol unix,inet,inet6 | 51 | protocol unix,inet,inet6 |
52 | seccomp | 52 | seccomp |
53 | # shell none - causes gpg to hang | 53 | shell none |
54 | tracelog | 54 | tracelog |
55 | 55 | ||
56 | disable-mnt | 56 | disable-mnt |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 6f7f6ec85..00c2aabe2 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -6,9 +6,6 @@ include spotify.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | blacklist ${HOME}/.bashrc | 8 | blacklist ${HOME}/.bashrc |
9 | blacklist /lost+found | ||
10 | blacklist /sbin | ||
11 | blacklist /srv | ||
12 | 9 | ||
13 | noblacklist ${HOME}/.cache/spotify | 10 | noblacklist ${HOME}/.cache/spotify |
14 | noblacklist ${HOME}/.config/spotify | 11 | noblacklist ${HOME}/.config/spotify |
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity | |||
49 | private-dev | 46 | private-dev |
50 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies | 47 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies |
51 | private-opt spotify | 48 | private-opt spotify |
49 | private-srv none | ||
52 | private-tmp | 50 | private-tmp |
53 | 51 | ||
diff --git a/etc/sysprof.profile b/etc/sysprof.profile index 3cfea5c5e..e978e03f2 100644 --- a/etc/sysprof.profile +++ b/etc/sysprof.profile | |||
@@ -24,7 +24,7 @@ no3d | |||
24 | nodvd | 24 | nodvd |
25 | nogroups | 25 | nogroups |
26 | nonewprivs | 26 | nonewprivs |
27 | # Ubuntu 16.04 version needs root privileges - uncomment if you don't use that | 27 | # Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that |
28 | #noroot | 28 | #noroot |
29 | nosound | 29 | nosound |
30 | notv | 30 | notv |
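--- /dev/null
+++ b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+
+* Lines with one # are often used
+* Lines with two ## are only in special situation needed
+* Add programs specific paths like .config/program to disable-programs.inc
+* Add the name of the profile/program to src/firecfg/firecfg.config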
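--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Sound: alsa,asound.conf,machine-id,openal,pulse
+# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+# GUIs: fonts
+# Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME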
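Review bot: `#include PROFILE.local` and `#include globals.local` (lines 6 and 8) are commented out, while the redirect template in this commit and every real profile here keep them active; since the Notes file says single-`#` lines are the commonly used ones, a newcomer may leave these two commented and ship a profile that ignores user customizations. Consider leaving the two include lines uncommented in the template, or adding `# always keep the two include lines below` above them. The `##seccomp.drop SYSCALLS` slot (line 58) would also benefit from `# see syscalls.txt in this directory` so the companion file is discoverable.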
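--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+
+# Additional options if needed (see firejail-profile.example)
+
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Redirect
+include PROFILE.profile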
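Review bot: Line 1 misspells the placeholder as `PRGOGRAM_NAME`; profile.template in this commit uses `PROGRAM_NAME`, and the typo will be copied into every profile created from this file. `# Firejail profile for PROGRAM_NAME` fixes it. Line 9 reads awkwardly; `#NOTE: keep 'include globals.local' commented, the redirected profile already includes it` says the same thing clearly.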
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt new file mode 100644 index 000000000..ec8247517 --- /dev/null +++ b/etc/templates/syscalls.txt | |||
@@ -0,0 +1,43 @@ | |||
1 | Hints for writing seccomp.drop lines | ||
2 | ==================================== | ||
3 | |||
4 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | ||
5 | @module=delete_module,finit_module,init_module | ||
6 | @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write | ||
7 | @reboot=kexec_load,kexec_file_load,reboot, | ||
8 | @swap=swapon,swapoff | ||
9 | |||
10 | @privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | ||
11 | |||
12 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | ||
13 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | ||
14 | @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver | ||
15 | @resources=set_mempolicy,migrate_pages,move_pages,mbind | ||
16 | |||
17 | @default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore | ||
18 | |||
19 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | ||
20 | |||
21 | @default-keep=execve,prctl | ||
22 | |||
23 | |||
24 | +---------+----------------+---------------+ | ||
25 | | @clock | @cpu-emulation | @default-keep | | ||
26 | | @module | @debug | | | ||
27 | | @raw-io | @obsolete | | | ||
28 | | @reboot | @resources | | | ||
29 | | @swap | | | | ||
30 | +---------+----------------+---------------+ | ||
31 | : : | ||
32 | +-------------+ : | ||
33 | | @privileged | : | ||
34 | +-------------+ : | ||
35 | : : | ||
36 | +----------+ : | ||
37 | | @default |........: | ||
38 | +----------+ | ||
39 | : | ||
40 | +----------------------+ | ||
41 | | @default-nodebuggers | | ||
42 | +----------------------+ | ||
43 | |||
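Review bot: The `@reboot` group on line 7 ends with a trailing comma (`kexec_load,kexec_file_load,reboot,`); anyone pasting it into a `seccomp.drop` line gets an empty list element, and it is inconsistent with the other groups in the file. Drop the comma. These expansions are a snapshot of firejail's built-in syscall groups, so a header line naming the firejail version (or the source file) they were copied from would tell readers when the list has to be refreshed.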
diff --git a/etc/transgui.profile b/etc/transgui.profile index 8043bfa01..0d09cef87 100644 --- a/etc/transgui.profile +++ b/etc/transgui.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # Description: Cross-platform Transmission BitTorrent client | 2 | # Description: Cross-platform Transmission BitTorrent client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include /etc/firejail/transgui.local | 5 | include transgui.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 3ad03e2c6..33056395e 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.xiphos | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
@@ -20,8 +21,11 @@ include disable-programs.inc | |||
20 | whitelist ${HOME}/.sword | 21 | whitelist ${HOME}/.sword |
21 | whitelist ${HOME}/.xiphos | 22 | whitelist ${HOME}/.xiphos |
22 | include whitelist-common.inc | 23 | include whitelist-common.inc |
24 | include whitelist-var-common.inc | ||
23 | 25 | ||
26 | apparmor | ||
24 | caps.drop all | 27 | caps.drop all |
28 | machine-id | ||
25 | netfilter | 29 | netfilter |
26 | nodvd | 30 | nodvd |
27 | nogroups | 31 | nogroups |
@@ -36,7 +40,9 @@ seccomp | |||
36 | shell none | 40 | shell none |
37 | tracelog | 41 | tracelog |
38 | 42 | ||
43 | disable-mnt | ||
39 | private-bin xiphos | 44 | private-bin xiphos |
45 | private-cache | ||
40 | private-dev | 46 | private-dev |
41 | private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies | 47 | private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies |
42 | private-tmp | 48 | private-tmp |
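Review bot: The new `private-etc` on line 47 replaces `ssl` with `ssli`, which looks like a typo: there is no /etc/ssli, so /etc/ssl disappears from the sandbox and the TLS trust store is gone for the module downloads this profile keeps `netfilter` (line 29) for. The line should read `private-etc alternatives,fonts,resolv.conf,sword,sword.conf,ca-certificates,ssl,pki,crypto-policies` (also placing `sword.conf` next to `sword`).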
diff --git a/etc/yelp.profile b/etc/yelp.profile new file mode 100644 index 000000000..66f094e1d --- /dev/null +++ b/etc/yelp.profile | |||
@@ -0,0 +1,51 @@ | |||
1 | # Firejail profile for yelp | ||
2 | # Description: Help browser for the GNOME desktop | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include yelp.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/yelp | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/yelp | ||
20 | whitelist ${HOME}/.config/yelp | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | net none | ||
27 | nodvd | ||
28 | nogroups | ||
29 | nonewprivs | ||
30 | noroot | ||
31 | notv | ||
32 | nou2f | ||
33 | novideo | ||
34 | protocol unix | ||
35 | seccomp | ||
36 | shell none | ||
37 | tracelog | ||
38 | |||
39 | disable-mnt | ||
40 | private-bin yelp | ||
41 | private-cache | ||
42 | private-dev | ||
43 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml | ||
44 | private-tmp | ||
45 | |||
46 | # read-only ${HOME} breaks some not necesarry featrues, comment it if | ||
47 | # you need them or put 'ignore read-only ${HOME}' into your yelp.local. | ||
48 | # broken features: | ||
49 | # 1. yelp --editor-mode | ||
50 | # 2. saving the window geometry | ||
51 | read-only ${HOME} | ||
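Review bot: The comment on lines 46–47 has typos (`necesarry featrues`) and is hard to parse; I would write it as `# read-only ${HOME} breaks some non-essential features; comment it out if you need them, or put 'ignore read-only ${HOME}' into your yelp.local.` Separately, line 43 copies the host's `/etc/machine-id` into the private /etc, while the xiphos profile in this same commit uses the `machine-id` option, which as I recall replaces the file with a random id; if yelp only needs the file to exist, the option would avoid exposing a stable host identifier to the sandbox — worth confirming.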
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2d4902b91..48789359d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -92,6 +92,7 @@ calligraplanwork | |||
92 | calligrasheets | 92 | calligrasheets |
93 | calligrastage | 93 | calligrastage |
94 | calligrawords | 94 | calligrawords |
95 | cantata | ||
95 | catfish | 96 | catfish |
96 | celluloid | 97 | celluloid |
97 | checkbashisms | 98 | checkbashisms |
@@ -131,7 +132,6 @@ deluge | |||
131 | devhelp | 132 | devhelp |
132 | dex2jar | 133 | dex2jar |
133 | dia | 134 | dia |
134 | dig | ||
135 | digikam | 135 | digikam |
136 | dillo | 136 | dillo |
137 | dino | 137 | dino |
@@ -281,6 +281,7 @@ idea.sh | |||
281 | imagej | 281 | imagej |
282 | img2txt | 282 | img2txt |
283 | inkscape | 283 | inkscape |
284 | inkview | ||
284 | inox | 285 | inox |
285 | iridium | 286 | iridium |
286 | iridium-browser | 287 | iridium-browser |
@@ -313,6 +314,7 @@ kopete | |||
313 | krita | 314 | krita |
314 | # krunner | 315 | # krunner |
315 | ktorrent | 316 | ktorrent |
317 | ktouch | ||
316 | # kwin_x11 | 318 | # kwin_x11 |
317 | kwrite | 319 | kwrite |
318 | leafpad | 320 | leafpad |
@@ -360,11 +362,13 @@ megaglest_editor | |||
360 | meld | 362 | meld |
361 | mencoder | 363 | mencoder |
362 | mendeleydesktop | 364 | mendeleydesktop |
365 | meteo-qt | ||
363 | midori | 366 | midori |
364 | min | 367 | min |
365 | minetest | 368 | minetest |
366 | mousepad | 369 | mousepad |
367 | mp3splt | 370 | mp3splt |
371 | mp3splt-gtk | ||
368 | mp3wrap | 372 | mp3wrap |
369 | mpDris2 | 373 | mpDris2 |
370 | mplayer | 374 | mplayer |
@@ -446,6 +450,7 @@ pybitmessage | |||
446 | # pycharm-professional | 450 | # pycharm-professional |
447 | qbittorrent | 451 | qbittorrent |
448 | qemu-launcher | 452 | qemu-launcher |
453 | qgis | ||
449 | qlipper | 454 | qlipper |
450 | qmmp | 455 | qmmp |
451 | qpdfview | 456 | qpdfview |
@@ -632,6 +637,7 @@ xreader-previewer | |||
632 | xreader-thumbnailer | 637 | xreader-thumbnailer |
633 | xviewer | 638 | xviewer |
634 | yandex-browser | 639 | yandex-browser |
640 | yelp | ||
635 | youtube-dl | 641 | youtube-dl |
636 | zaproxy | 642 | zaproxy |
637 | zart | 643 | zart |
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index e847719cf..71e5d625d 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h | |||
@@ -17,6 +17,8 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #ifndef FIRECFG_H | ||
21 | #define FIRECFG_H | ||
20 | #define _GNU_SOURCE | 22 | #define _GNU_SOURCE |
21 | #include <stdio.h> | 23 | #include <stdio.h> |
22 | #include <sys/types.h> | 24 | #include <sys/types.h> |
@@ -48,3 +50,5 @@ void sound(void); | |||
48 | 50 | ||
49 | // desktop_files.c | 51 | // desktop_files.c |
50 | void fix_desktop_files(char *homedir); | 52 | void fix_desktop_files(char *homedir); |
53 | |||
54 | #endif | ||
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index baa41e85e..b856ff809 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | void dbus_session_disable(void) { | 22 | void dbus_disable(void) { |
23 | if (!checkcfg(CFG_DBUS)) { | 23 | if (!checkcfg(CFG_DBUS)) { |
24 | fwarning("D-Bus handling is disabled in Firejail configuration file\n"); | 24 | fwarning("D-Bus handling is disabled in Firejail configuration file\n"); |
25 | return; | 25 | return; |
@@ -29,7 +29,7 @@ void dbus_session_disable(void) { | |||
29 | if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) | 29 | if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1) |
30 | errExit("asprintf"); | 30 | errExit("asprintf"); |
31 | char *env_var; | 31 | char *env_var; |
32 | if (asprintf(&env_var, "DBUS_SESSION_BUS_ADDRESS=unix:path=%s", path) == -1) | 32 | if (asprintf(&env_var, "unix:path=%s", path) == -1) |
33 | errExit("asprintf"); | 33 | errExit("asprintf"); |
34 | 34 | ||
35 | // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus | 35 | // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus |
@@ -43,6 +43,17 @@ void dbus_session_disable(void) { | |||
43 | free(path); | 43 | free(path); |
44 | free(env_var); | 44 | free(env_var); |
45 | 45 | ||
46 | |||
47 | // blacklist the dbus-launch user directory | ||
48 | if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1) | ||
49 | errExit("asprintf"); | ||
50 | disable_file_or_dir(path); | ||
51 | free(path); | ||
52 | |||
53 | // blacklist also system D-Bus socket | ||
54 | disable_file_or_dir("/run/dbus/system_bus_socket"); | ||
55 | |||
56 | |||
46 | // look for a possible abstract unix socket | 57 | // look for a possible abstract unix socket |
47 | 58 | ||
48 | // --net=none | 59 | // --net=none |
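Review bot: Blacklisting `/run/dbus/system_bus_socket` (new line 54) only covers the default socket path; as far as I recall libdbus also honours a `DBUS_SYSTEM_BUS_ADDRESS` variable inherited from the caller's environment, which could point the client at another socket or an abstract address, the same gap the session-bus code above closes by rewriting `DBUS_SESSION_BUS_ADDRESS`. Consider pairing the blacklist with `setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/run/dbus/system_bus_socket", 1);` so the system bus resolves to the disabled path. It is also worth confirming that `disable_file_or_dir` tolerates a missing `~/.dbus` (line 48–50 calls it unconditionally) rather than aborting the sandbox. dbus_disable continues past the end of the hunk.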
diff --git a/src/firejail/env.c b/src/firejail/env.c index 2e9f516ba..f15e1362f 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -160,6 +160,11 @@ void env_defaults(void) { | |||
160 | // set the window title | 160 | // set the window title |
161 | if (!arg_quiet) | 161 | if (!arg_quiet) |
162 | printf("\033]0;firejail %s\007", cfg.window_title); | 162 | printf("\033]0;firejail %s\007", cfg.window_title); |
163 | |||
164 | // pass --quiet as an environment variable, in case the command calls further firejailed commands | ||
165 | if (arg_quiet) | ||
166 | setenv("FIREJAIL_QUIET", "yes", 1); | ||
167 | |||
163 | fflush(0); | 168 | fflush(0); |
164 | } | 169 | } |
165 | 170 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2e04084e3..fd6cb9ff2 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -283,6 +283,7 @@ extern int arg_private_srv; // private srv directory | |||
283 | extern int arg_private_bin; // private bin directory | 283 | extern int arg_private_bin; // private bin directory |
284 | extern int arg_private_tmp; // private tmp directory | 284 | extern int arg_private_tmp; // private tmp directory |
285 | extern int arg_private_lib; // private lib directory | 285 | extern int arg_private_lib; // private lib directory |
286 | extern int arg_private_cwd; // private working directory | ||
286 | extern int arg_scan; // arp-scan all interfaces | 287 | extern int arg_scan; // arp-scan all interfaces |
287 | extern int arg_whitelist; // whitelist command | 288 | extern int arg_whitelist; // whitelist command |
288 | extern int arg_nosound; // disable sound | 289 | extern int arg_nosound; // disable sound |
@@ -315,6 +316,7 @@ extern int arg_notv; // --notv | |||
315 | extern int arg_nodvd; // --nodvd | 316 | extern int arg_nodvd; // --nodvd |
316 | extern int arg_nou2f; // --nou2f | 317 | extern int arg_nou2f; // --nou2f |
317 | extern int arg_nodbus; // -nodbus | 318 | extern int arg_nodbus; // -nodbus |
319 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | ||
318 | 320 | ||
319 | extern int login_shell; | 321 | extern int login_shell; |
320 | extern int parent_to_child_fds[2]; | 322 | extern int parent_to_child_fds[2]; |
@@ -521,6 +523,8 @@ void fs_private(void); | |||
521 | void fs_private_homedir(void); | 523 | void fs_private_homedir(void); |
522 | // check new private home directory (--private= option) - exit if it fails | 524 | // check new private home directory (--private= option) - exit if it fails |
523 | void fs_check_private_dir(void); | 525 | void fs_check_private_dir(void); |
526 | // check new private working directory (--private-cwd= option) - exit if it fails | ||
527 | void fs_check_private_cwd(const char *dir); | ||
524 | void fs_private_home_list(void); | 528 | void fs_private_home_list(void); |
525 | 529 | ||
526 | 530 | ||
@@ -782,6 +786,6 @@ void set_x11_run_file(pid_t pid, int display); | |||
782 | void set_profile_run_file(pid_t pid, const char *fname); | 786 | void set_profile_run_file(pid_t pid, const char *fname); |
783 | 787 | ||
784 | // dbus.c | 788 | // dbus.c |
785 | void dbus_session_disable(void); | 789 | void dbus_disable(void); |
786 | 790 | ||
787 | #endif | 791 | #endif |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f9d968427..f3ef97aeb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -27,7 +27,11 @@ | |||
27 | #include <glob.h> | 27 | #include <glob.h> |
28 | #include <dirent.h> | 28 | #include <dirent.h> |
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | |||
30 | #include <fcntl.h> | 31 | #include <fcntl.h> |
32 | #ifndef O_PATH | ||
33 | # define O_PATH 010000000 | ||
34 | #endif | ||
31 | 35 | ||
32 | #define MAX_BUF 4096 | 36 | #define MAX_BUF 4096 |
33 | #define EMPTY_STRING ("") | 37 | #define EMPTY_STRING ("") |
@@ -1515,6 +1519,8 @@ void fs_private_tmp(void) { | |||
1515 | 1519 | ||
1516 | // whitelist x11 directory | 1520 | // whitelist x11 directory |
1517 | profile_add("whitelist /tmp/.X11-unix"); | 1521 | profile_add("whitelist /tmp/.X11-unix"); |
1522 | // read-only x11 directory | ||
1523 | profile_add("read-only /tmp/.X11-unix"); | ||
1518 | 1524 | ||
1519 | // whitelist any pulse* file in /tmp directory | 1525 | // whitelist any pulse* file in /tmp directory |
1520 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user | 1526 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user |
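Review bot: The `#ifndef O_PATH` fallback added at lines 32–34 is repeated verbatim in fs_home.c, fs_whitelist.c, mountinfo.c, pulseaudio.c, util.c and x11.c in this same commit; a single copy in firejail.h, which all of these files include, would keep the constant in one place and avoid the definitions drifting. For the second hunk, the read-only line deserves a why-comment since it is a hardening step rather than plumbing, e.g. `// read-only x11 directory: the sandbox may connect to existing display sockets but must not create entries of its own here`. fs_private_tmp continues outside the hunk.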
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index e35bf073d..3f6d78db4 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -22,7 +22,6 @@ | |||
22 | #include <linux/limits.h> | 22 | #include <linux/limits.h> |
23 | #include <glob.h> | 23 | #include <glob.h> |
24 | #include <dirent.h> | 24 | #include <dirent.h> |
25 | #include <fcntl.h> | ||
26 | #include <errno.h> | 25 | #include <errno.h> |
27 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
28 | #include <sys/types.h> | 27 | #include <sys/types.h> |
@@ -31,6 +30,11 @@ | |||
31 | #include <grp.h> | 30 | #include <grp.h> |
32 | //#include <ftw.h> | 31 | //#include <ftw.h> |
33 | 32 | ||
33 | #include <fcntl.h> | ||
34 | #ifndef O_PATH | ||
35 | # define O_PATH 010000000 | ||
36 | #endif | ||
37 | |||
34 | static void skel(const char *homedir, uid_t u, gid_t g) { | 38 | static void skel(const char *homedir, uid_t u, gid_t g) { |
35 | char *fname; | 39 | char *fname; |
36 | 40 | ||
@@ -366,6 +370,21 @@ void fs_check_private_dir(void) { | |||
366 | } | 370 | } |
367 | } | 371 | } |
368 | 372 | ||
373 | // check new private working directory (--private-cwd= option) - exit if it fails | ||
374 | void fs_check_private_cwd(const char *dir) { | ||
375 | EUID_ASSERT(); | ||
376 | invalid_filename(dir, 0); // no globbing | ||
377 | |||
378 | // Expand the working directory | ||
379 | cfg.cwd = expand_macros(dir); | ||
380 | |||
381 | // realpath/is_dir not used because path may not exist outside of jail | ||
382 | if (strstr(cfg.cwd, "..")) { | ||
383 | fprintf(stderr, "Error: invalid private working directory\n"); | ||
384 | exit(1); | ||
385 | } | ||
386 | } | ||
387 | |||
369 | //*********************************************************************************** | 388 | //*********************************************************************************** |
370 | // --private-home | 389 | // --private-home |
371 | //*********************************************************************************** | 390 | //*********************************************************************************** |
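Review bot: The `strstr(cfg.cwd, "..")` check in fs_check_private_cwd (new line 382) rejects any path containing two consecutive dots anywhere, such as `/home/user/build..old`, while what it presumably means to reject is a `..` path component. It also accepts a relative path, which sandbox.c will then resolve against whatever the working directory is at chdir time — surprising for an option whose purpose is not to inherit the caller's cwd — so unless relative paths are intended, requiring a leading `/` would make the contract explicit. A component-based check is a few more lines than fit inline:

```c
	// realpath/is_dir not used because path may not exist outside of jail;
	// require an absolute path and reject ".." *components* only, so that
	// names such as "build..old" remain usable.
	size_t len = strlen(cfg.cwd);
	if (*cfg.cwd != '/' ||
	    strstr(cfg.cwd, "/../") != NULL ||
	    (len >= 3 && strcmp(cfg.cwd + len - 3, "/..") == 0)) {
		fprintf(stderr, "Error: invalid private working directory\n");
		exit(1);
	}
```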
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d128065d3..bce44b9e5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -24,9 +24,13 @@ | |||
24 | #include <fnmatch.h> | 24 | #include <fnmatch.h> |
25 | #include <glob.h> | 25 | #include <glob.h> |
26 | #include <dirent.h> | 26 | #include <dirent.h> |
27 | #include <fcntl.h> | ||
28 | #include <errno.h> | 27 | #include <errno.h> |
29 | 28 | ||
29 | #include <fcntl.h> | ||
30 | #ifndef O_PATH | ||
31 | # define O_PATH 010000000 | ||
32 | #endif | ||
33 | |||
30 | // mountinfo functionality test; | 34 | // mountinfo functionality test; |
31 | // 1. enable TEST_MOUNTINFO definition | 35 | // 1. enable TEST_MOUNTINFO definition |
32 | // 2. run firejail --whitelist=/any/directory | 36 | // 2. run firejail --whitelist=/any/directory |
diff --git a/src/firejail/main.c b/src/firejail/main.c index ece4c2cb5..c50ed4dc4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -92,6 +92,7 @@ int arg_private_srv = 0; // private srv directory | |||
92 | int arg_private_bin = 0; // private bin directory | 92 | int arg_private_bin = 0; // private bin directory |
93 | int arg_private_tmp = 0; // private tmp directory | 93 | int arg_private_tmp = 0; // private tmp directory |
94 | int arg_private_lib = 0; // private lib directory | 94 | int arg_private_lib = 0; // private lib directory |
95 | int arg_private_cwd = 0; // private working directory | ||
95 | int arg_scan = 0; // arp-scan all interfaces | 96 | int arg_scan = 0; // arp-scan all interfaces |
96 | int arg_whitelist = 0; // whitelist command | 97 | int arg_whitelist = 0; // whitelist command |
97 | int arg_nosound = 0; // disable sound | 98 | int arg_nosound = 0; // disable sound |
@@ -125,6 +126,7 @@ int arg_notv = 0; // --notv | |||
125 | int arg_nodvd = 0; // --nodvd | 126 | int arg_nodvd = 0; // --nodvd |
126 | int arg_nodbus = 0; // -nodbus | 127 | int arg_nodbus = 0; // -nodbus |
127 | int arg_nou2f = 0; // --nou2f | 128 | int arg_nou2f = 0; // --nou2f |
129 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | ||
128 | int login_shell = 0; | 130 | int login_shell = 0; |
129 | 131 | ||
130 | 132 | ||
@@ -630,6 +632,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
630 | else if (strncmp(argv[i], "--get=", 6) == 0) { | 632 | else if (strncmp(argv[i], "--get=", 6) == 0) { |
631 | if (checkcfg(CFG_FILE_TRANSFER)) { | 633 | if (checkcfg(CFG_FILE_TRANSFER)) { |
632 | logargs(argc, argv); | 634 | logargs(argc, argv); |
635 | if (arg_private_cwd) { | ||
636 | fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n"); | ||
637 | exit(1); | ||
638 | } | ||
633 | 639 | ||
634 | // verify path | 640 | // verify path |
635 | if ((i + 2) != argc) { | 641 | if ((i + 2) != argc) { |
@@ -654,6 +660,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
654 | else if (strncmp(argv[i], "--put=", 6) == 0) { | 660 | else if (strncmp(argv[i], "--put=", 6) == 0) { |
655 | if (checkcfg(CFG_FILE_TRANSFER)) { | 661 | if (checkcfg(CFG_FILE_TRANSFER)) { |
656 | logargs(argc, argv); | 662 | logargs(argc, argv); |
663 | if (arg_private_cwd) { | ||
664 | fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n"); | ||
665 | exit(1); | ||
666 | } | ||
657 | 667 | ||
658 | // verify path | 668 | // verify path |
659 | if ((i + 3) != argc) { | 669 | if ((i + 3) != argc) { |
@@ -684,6 +694,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
684 | else if (strncmp(argv[i], "--ls=", 5) == 0) { | 694 | else if (strncmp(argv[i], "--ls=", 5) == 0) { |
685 | if (checkcfg(CFG_FILE_TRANSFER)) { | 695 | if (checkcfg(CFG_FILE_TRANSFER)) { |
686 | logargs(argc, argv); | 696 | logargs(argc, argv); |
697 | if (arg_private_cwd) { | ||
698 | fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n"); | ||
699 | exit(1); | ||
700 | } | ||
687 | 701 | ||
688 | // verify path | 702 | // verify path |
689 | if ((i + 2) != argc) { | 703 | if ((i + 2) != argc) { |
@@ -907,7 +921,8 @@ int main(int argc, char **argv) { | |||
907 | 921 | ||
908 | // get starting timestamp, process --quiet | 922 | // get starting timestamp, process --quiet |
909 | start_timestamp = getticks(); | 923 | start_timestamp = getticks(); |
910 | if (check_arg(argc, argv, "--quiet", 1)) | 924 | char *env_quiet = getenv("FIREJAIL_QUIET"); |
925 | if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) | ||
911 | arg_quiet = 1; | 926 | arg_quiet = 1; |
912 | 927 | ||
913 | // cleanup at exit | 928 | // cleanup at exit |
@@ -1772,6 +1787,19 @@ int main(int argc, char **argv) { | |||
1772 | else | 1787 | else |
1773 | exit_err_feature("private-cache"); | 1788 | exit_err_feature("private-cache"); |
1774 | } | 1789 | } |
1790 | else if (strcmp(argv[i], "--private-cwd") == 0) { | ||
1791 | cfg.cwd = NULL; | ||
1792 | arg_private_cwd = 1; | ||
1793 | } | ||
1794 | else if (strncmp(argv[i], "--private-cwd=", 14) == 0) { | ||
1795 | if (*(argv[i] + 14) == '\0') { | ||
1796 | fprintf(stderr, "Error: invalid private-cwd option\n"); | ||
1797 | exit(1); | ||
1798 | } | ||
1799 | |||
1800 | fs_check_private_cwd(argv[i] + 14); | ||
1801 | arg_private_cwd = 1; | ||
1802 | } | ||
1775 | 1803 | ||
1776 | //************************************* | 1804 | //************************************* |
1777 | // hostname, etc | 1805 | // hostname, etc |
@@ -2274,6 +2302,9 @@ int main(int argc, char **argv) { | |||
2274 | return 1; | 2302 | return 1; |
2275 | } | 2303 | } |
2276 | } | 2304 | } |
2305 | else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { | ||
2306 | arg_deterministic_exit_code = 1; | ||
2307 | } | ||
2277 | else { | 2308 | else { |
2278 | // double dash - positional params to follow | 2309 | // double dash - positional params to follow |
2279 | if (strcmp(argv[i], "--") == 0) { | 2310 | if (strcmp(argv[i], "--") == 0) { |
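Review bot: Honouring `FIREJAIL_QUIET=yes` from the inherited environment (new lines 924–925) means any process that launches firejail can silence its diagnostics — including the fwarning messages that report a feature being disabled — without ever passing `--quiet`, and since firejail is usually installed setuid-root, behaviour driven by caller-controlled environment deserves a deliberate comment. The intent visible in env.c (propagating `--quiet` to nested firejail invocations) is reasonable, so I would add `// FIREJAIL_QUIET is set by an outer firejail (env.c) to propagate --quiet to nested sandboxes; it only affects diagnostics, never sandbox policy` here and document the variable in the man page's ENVIRONMENT section. main() starts before and ends after this hunk.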
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 0717b2044..7369ad247 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
@@ -19,7 +19,11 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | |||
22 | #include <fcntl.h> | 23 | #include <fcntl.h> |
24 | #ifndef O_PATH | ||
25 | # define O_PATH 010000000 | ||
26 | #endif | ||
23 | 27 | ||
24 | #define MAX_BUF 4096 | 28 | #define MAX_BUF 4096 |
25 | 29 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c8619f7e2..99d83c16a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -338,7 +338,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
338 | arg_private = 1; | 338 | arg_private = 1; |
339 | return 0; | 339 | return 0; |
340 | } | 340 | } |
341 | if (strncmp(ptr, "private-home ", 13) == 0) { | 341 | else if (strncmp(ptr, "private-home ", 13) == 0) { |
342 | #ifdef HAVE_PRIVATE_HOME | 342 | #ifdef HAVE_PRIVATE_HOME |
343 | if (checkcfg(CFG_PRIVATE_HOME)) { | 343 | if (checkcfg(CFG_PRIVATE_HOME)) { |
344 | if (cfg.home_private_keep) { | 344 | if (cfg.home_private_keep) { |
@@ -353,6 +353,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
353 | #endif | 353 | #endif |
354 | return 0; | 354 | return 0; |
355 | } | 355 | } |
356 | else if (strcmp(ptr, "private-cwd") == 0) { | ||
357 | cfg.cwd = NULL; | ||
358 | arg_private_cwd = 1; | ||
359 | return 0; | ||
360 | } | ||
361 | else if (strncmp(ptr, "private-cwd ", 12) == 0) { | ||
362 | fs_check_private_cwd(ptr + 12); | ||
363 | arg_private_cwd = 1; | ||
364 | return 0; | ||
365 | } | ||
356 | else if (strcmp(ptr, "allusers") == 0) { | 366 | else if (strcmp(ptr, "allusers") == 0) { |
357 | arg_allusers = 1; | 367 | arg_allusers = 1; |
358 | return 0; | 368 | return 0; |
@@ -1301,6 +1311,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1301 | return 0; | 1311 | return 0; |
1302 | } | 1312 | } |
1303 | 1313 | ||
1314 | if (strcmp(ptr, "deterministic-exit-code") == 0) { | ||
1315 | arg_deterministic_exit_code = 1; | ||
1316 | return 0; | ||
1317 | } | ||
1318 | |||
1304 | // rest of filesystem | 1319 | // rest of filesystem |
1305 | if (strncmp(ptr, "blacklist ", 10) == 0) | 1320 | if (strncmp(ptr, "blacklist ", 10) == 0) |
1306 | ptr += 10; | 1321 | ptr += 10; |
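Review bot: The profile form `private-cwd <dir>` (new lines 361–365) hands `ptr + 12` straight to fs_check_private_cwd, whereas the command-line form in main.c rejects an empty value after `--private-cwd=` first; if the profile reader ever passes a line with only trailing whitespace, cfg.cwd becomes an empty string and the failure only surfaces later as a chdir error inside the sandbox. Mirror the main.c check: `if (*(ptr + 12) == '\0') { fprintf(stderr, "Error: invalid private-cwd option\n"); exit(1); }` — or, if the reader already strips trailing whitespace so this cannot occur, a one-line comment saying so would help the next reader. profile_check_line starts before and ends after the hunk.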
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 26beaf35a..e3f237b8e 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -24,7 +24,11 @@ | |||
24 | #include <sys/mount.h> | 24 | #include <sys/mount.h> |
25 | #include <dirent.h> | 25 | #include <dirent.h> |
26 | #include <sys/wait.h> | 26 | #include <sys/wait.h> |
27 | |||
27 | #include <fcntl.h> | 28 | #include <fcntl.h> |
29 | #ifndef O_PATH | ||
30 | # define O_PATH 010000000 | ||
31 | #endif | ||
28 | 32 | ||
29 | // disable pulseaudio socket | 33 | // disable pulseaudio socket |
30 | void pulseaudio_disable(void) { | 34 | void pulseaudio_disable(void) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 101a16d00..2c5c5fc12 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) { | |||
271 | } | 271 | } |
272 | 272 | ||
273 | int status = 0; | 273 | int status = 0; |
274 | int app_status = 0; | ||
274 | while (monitored_pid) { | 275 | while (monitored_pid) { |
275 | usleep(20000); | 276 | usleep(20000); |
276 | char *msg; | 277 | char *msg; |
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) { | |||
295 | sleep(1); | 296 | sleep(1); |
296 | break; | 297 | break; |
297 | } | 298 | } |
299 | else if (rv == app_pid) | ||
300 | app_status = status; | ||
298 | 301 | ||
299 | // handle --timeout | 302 | // handle --timeout |
300 | if (options) { | 303 | if (options) { |
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) { | |||
352 | printf("Sandbox monitor: monitoring %d\n", monitored_pid); | 355 | printf("Sandbox monitor: monitoring %d\n", monitored_pid); |
353 | } | 356 | } |
354 | 357 | ||
355 | // return the latest exit status. | 358 | // return the appropriate exit status. |
356 | return status; | 359 | return arg_deterministic_exit_code ? app_status : status; |
357 | } | 360 | } |
358 | 361 | ||
359 | static void print_time(void) { | 362 | static void print_time(void) { |
@@ -923,7 +926,7 @@ int sandbox(void* sandbox_arg) { | |||
923 | // Session D-BUS | 926 | // Session D-BUS |
924 | //**************************** | 927 | //**************************** |
925 | if (arg_nodbus) | 928 | if (arg_nodbus) |
926 | dbus_session_disable(); | 929 | dbus_disable(); |
927 | 930 | ||
928 | 931 | ||
929 | //**************************** | 932 | //**************************** |
@@ -1016,6 +1019,10 @@ int sandbox(void* sandbox_arg) { | |||
1016 | if (cfg.cwd) { | 1019 | if (cfg.cwd) { |
1017 | if (chdir(cfg.cwd) == 0) | 1020 | if (chdir(cfg.cwd) == 0) |
1018 | cwd = 1; | 1021 | cwd = 1; |
1022 | else if (arg_private_cwd) { | ||
1023 | fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno)); | ||
1024 | exit(1); | ||
1025 | } | ||
1019 | } | 1026 | } |
1020 | 1027 | ||
1021 | if (!cwd) { | 1028 | if (!cwd) { |
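Review bot: `app_status` is initialised to 0 (new line 274) and only assigned when waitpid returns exactly `app_pid` (lines 299–300), so under `--deterministic-exit-code` the sandbox reports success whenever this loop never reaps the first child itself — presumably possible if it was reaped before the loop or only its descendants are observed — rather than signalling that the status is unknown. Consider a sentinel with a fallback: `int app_status = -1; // raw wait status of the first child, -1 until reaped here` and `return (arg_deterministic_exit_code && app_status != -1) ? app_status : status;`. monitor_application starts before the hunk.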
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 7620bba82..fbace7374 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -66,6 +66,7 @@ static char *usage_str = | |||
66 | #ifdef HAVE_NETWORK | 66 | #ifdef HAVE_NETWORK |
67 | " --defaultgw=address - configure default gateway.\n" | 67 | " --defaultgw=address - configure default gateway.\n" |
68 | #endif | 68 | #endif |
69 | " --deterministic-exit-code - always exit with first child's status code.\n" | ||
69 | " --dns=address - set DNS server.\n" | 70 | " --dns=address - set DNS server.\n" |
70 | " --dns.print=name|pid - print DNS configuration.\n" | 71 | " --dns.print=name|pid - print DNS configuration.\n" |
71 | " --env=name=value - set environment variable.\n" | 72 | " --env=name=value - set environment variable.\n" |
@@ -162,6 +163,8 @@ static char *usage_str = | |||
162 | " --private-etc=file,directory - build a new /etc in a temporary\n" | 163 | " --private-etc=file,directory - build a new /etc in a temporary\n" |
163 | "\tfilesystem, and copy the files and directories in the list.\n" | 164 | "\tfilesystem, and copy the files and directories in the list.\n" |
164 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" | 165 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
166 | " --private-cwd - do not inherit working directory inside jail.\n" | ||
167 | " --private-cwd=directory - set working directory inside jail.\n" | ||
165 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" | 168 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" |
166 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" | 169 | " --private-srv=file,directory - build a new /srv in a temporary filesystem.\n" |
167 | " --profile=filename|profile_name - use a custom profile.\n" | 170 | " --profile=filename|profile_name - use a custom profile.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 3e2cd13d5..fff0bbf2f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -29,7 +29,11 @@ | |||
29 | #include <sys/ioctl.h> | 29 | #include <sys/ioctl.h> |
30 | #include <termios.h> | 30 | #include <termios.h> |
31 | #include <sys/wait.h> | 31 | #include <sys/wait.h> |
32 | |||
32 | #include <fcntl.h> | 33 | #include <fcntl.h> |
34 | #ifndef O_PATH | ||
35 | # define O_PATH 010000000 | ||
36 | #endif | ||
33 | 37 | ||
34 | #define MAX_GROUPS 1024 | 38 | #define MAX_GROUPS 1024 |
35 | #define MAXBUF 4098 | 39 | #define MAXBUF 4098 |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index b0ed10b30..9d821d980 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -31,7 +31,11 @@ | |||
31 | #include <sys/wait.h> | 31 | #include <sys/wait.h> |
32 | #include <errno.h> | 32 | #include <errno.h> |
33 | #include <limits.h> | 33 | #include <limits.h> |
34 | |||
34 | #include <fcntl.h> | 35 | #include <fcntl.h> |
36 | #ifndef O_PATH | ||
37 | # define O_PATH 010000000 | ||
38 | #endif | ||
35 | 39 | ||
36 | 40 | ||
37 | // Parse the DISPLAY environment variable and return a display number. | 41 | // Parse the DISPLAY environment variable and return a display number. |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 67d7cfa4f..67c693dce 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -51,13 +51,13 @@ | |||
51 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" | 51 | #define RUN_DNS_ETC "/run/firejail/mnt/dns-etc" |
52 | 52 | ||
53 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" | 53 | #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp" |
54 | #define RUN_SECCOMP_LIST "/run/firejail/mnt/seccomp/seccomp.list" // list of seccomp files installed | 54 | #define RUN_SECCOMP_LIST (RUN_SECCOMP_DIR "/seccomp.list") // list of seccomp files installed |
55 | #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp/seccomp.protocol" // protocol filter | 55 | #define RUN_SECCOMP_PROTOCOL (RUN_SECCOMP_DIR "/seccomp.protocol") // protocol filter |
56 | #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp" // configured filter | 56 | #define RUN_SECCOMP_CFG (RUN_SECCOMP_DIR "/seccomp") // configured filter |
57 | #define RUN_SECCOMP_32 "/run/firejail/mnt/seccomp/seccomp.32" // 32bit arch filter installed on 64bit architectures | 57 | #define RUN_SECCOMP_32 (RUN_SECCOMP_DIR "/seccomp.32") // 32bit arch filter installed on 64bit architectures |
58 | #define RUN_SECCOMP_MDWX "/run/firejail/mnt/seccomp/seccomp.mdwx" // filter for memory-deny-write-execute | 58 | #define RUN_SECCOMP_MDWX (RUN_SECCOMP_DIR "/seccomp.mdwx") // filter for memory-deny-write-execute |
59 | #define RUN_SECCOMP_BLOCK_SECONDARY "/run/firejail/mnt/seccomp/seccomp.block_secondary" // secondary arch blocking filter | 59 | #define RUN_SECCOMP_BLOCK_SECONDARY (RUN_SECCOMP_DIR "/seccomp.block_secondary") // secondary arch blocking filter |
60 | #define RUN_SECCOMP_POSTEXEC "/run/firejail/mnt/seccomp/seccomp.postexec" // filter for post-exec library | 60 | #define RUN_SECCOMP_POSTEXEC (RUN_SECCOMP_DIR "/seccomp.postexec") // filter for post-exec library |
61 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make | 61 | #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make |
62 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make | 62 | #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make |
63 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make | 63 | #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32") // 32bit arch filter built during make |
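--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,12 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
+\fBprivate-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.TP
+\fBprivate-cwd directory
+Set working directory inside the jail.
+.TP
 \fBread-only file_or_directory
 Make directory or file read-only.
 .TP
@@ -661,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
 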
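--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
@@ -1107,9 +1111,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
-disable the abstract socket you would need to request a new network namespace using
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+Disable D-Bus access (both system and session buses). Only the regular
+UNIX sockets are handled by this command. To disable the abstract
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 
 .br
@@ -1566,6 +1572,48 @@ drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
 
+.TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd
+.br
+$ pwd
+.br
+/home/user
+.br
+
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
+.br
+Does not impact working directory of profile include paths.
+.br
+
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd=/opt
+.br
+$ pwd
+.br
+/opt
+.br
+
 
 .TP
 \fB\-\-profile=filename_or_profilename
@@ -1631,6 +1679,10 @@ Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more detail
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.
+.br
+
+.br
+The same effect can be obtained by setting an environment variable FIREJAIL_QUIET to yes.
 .TP
 \fB\-\-read-only=dirname_or_filename
 Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.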
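--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"53"
+}
+after 100
+
+send -- "firejail --deterministic-exit-code\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"35"
+}
+after 100
+
+
+puts "\nall done\n"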
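Review bot: The first half of the test (lines 17-28) pins the default, non-deterministic exit status to 53, which only holds if the detached `sleep 0.2; exit 53` outlives the shell's `exit 35` and is reaped before the fixed `after 300` elapses; on a loaded runner that 200 ms margin can flip, and the resulting failure would read as a regression in the default path rather than the race the new option exists to remove. Give the background child a margin that dwarfs shell teardown and the expect delays, e.g. `sleep 1` in the spawned command with a matching `after 1500`, or wait for the shell prompt instead of a fixed delay. Anchor both status checks to a whole line rather than a bare substring, `-re "\r\n53\r\n"` and `-re "\r\n35\r\n"`, so a stray "53" or "35" left in the buffer from the echoed command lines cannot satisfy them.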
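--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp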
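Review bot: The new echo on line 120 is missing its closing parenthesis, so the label reads `(test/environment/deterministic-exit-code.exp` while every neighbouring label in this script closes it; change it to `echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"`. Anyone filtering the harness log on the `.exp)` suffix used by the other entries will silently miss this test.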
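--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -69,6 +69,9 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 
+echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
+./private-cwd.exp
+
 echo "TESTING: macros (test/fs/macro.exp)"
 ./macro.exp
 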
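--- /dev/null
+++ b/test/fs/private-cwd.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "cd /tmp\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"$env(HOME)"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "cd /\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd=/tmp\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"/tmp"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"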
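Review bot: Both `# testing profile and private` comments (lines 13 and 34) are copied from another test and do not describe the cases that follow; replace them with `# --private-cwd with no argument lands in $HOME` and `# --private-cwd=<dir> lands in the given directory`. The two behaviours the man page in this commit promises beyond the happy path, falling back to the root directory when the home directory is unavailable and whatever happens when `--private-cwd=directory` names a path that does not exist inside the sandbox, are not exercised here, and for a working-directory option the security-relevant question is whether firejail refuses to start or quietly lands the process somewhere else; the implementation is not in this hunk, so a third and fourth case pinning those outcomes would document the intended contract. The error numbering also skips 2 between lines 23 and 37, which is cosmetic but makes log triage harder.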
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 5e9d75379..79913fed6 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh | |||
@@ -5,7 +5,7 @@ | |||
5 | 5 | ||
6 | export MALLOC_CHECK_=3g | 6 | export MALLOC_CHECK_=3g |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" | 8 | LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" |
9 | 9 | ||
10 | 10 | ||
11 | for app in $LIST; do | 11 | for app in $LIST; do |