-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rw-r--r-- | etc/gnome-chess.profile | 6 | ||||
-rw-r--r-- | etc/gpg.profile | 3 | ||||
-rw-r--r-- | etc/seahorse.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.h | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/environment/deterministic-exit-code.exp | 55 | ||||
-rwxr-xr-x | test/environment/environment.sh | 3 |
17 files changed, 105 insertions, 10 deletions
@@ -368,6 +368,8 @@ John Mullee (https://github.com/jmullee) | |||
368 | Jonas Heinrich (https://github.com/onny) | 368 | Jonas Heinrich (https://github.com/onny) |
369 | - added signal-desktop profile | 369 | - added signal-desktop profile |
370 | - fixed franz profile | 370 | - fixed franz profile |
371 | Jose Riha (https://github.com/jose1711) | ||
372 | - added meteo-qt profile | ||
371 | jrabe (https://github.com/jrabe) | 373 | jrabe (https://github.com/jrabe) |
372 | - disallow access to kdbx files | 374 | - disallow access to kdbx files |
373 | - Epiphany profile | 375 | - Epiphany profile |
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/ | |||
33 | Travis-CI status: https://travis-ci.org/netblue30/firejail | 33 | Travis-CI status: https://travis-ci.org/netblue30/firejail |
34 | 34 | ||
35 | 35 | ||
36 | ## Security vulnerabilities | ||
37 | |||
38 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | ||
39 | |||
36 | ## Compile and install | 40 | ## Compile and install |
37 | ````` | 41 | ````` |
38 | $ git clone https://github.com/netblue30/firejail.git | 42 | $ git clone https://github.com/netblue30/firejail.git |
@@ -95,7 +99,9 @@ If you keep additional Firejail security profiles in a public repository, please | |||
95 | 99 | ||
96 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) | 100 | Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139) |
97 | 101 | ||
98 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory . | 102 | You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls). |
103 | |||
104 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | ||
99 | ````` | 105 | ````` |
100 | 106 | ||
101 | ````` | 107 | ````` |
@@ -107,6 +113,6 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
107 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, | 113 | anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, |
108 | dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind, | 114 | dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind, |
109 | gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, inkview kid3, kid3-cli, kid3-qt, lincity-ng, lugaru, | 115 | gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, inkview kid3, kid3-cli, kid3-qt, lincity-ng, lugaru, |
110 | Maelstrom, manaplus, megaglest, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, | 116 | Maelstrom, manaplus, megaglest, meteo-qt, mp3splt-gtk, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, |
111 | pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, | 117 | pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, |
112 | sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer | 118 | sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer |
@@ -15,7 +15,7 @@ firejail (0.9.60~rc2) baseline; urgency=low | |||
15 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker | 15 | * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker |
16 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell | 16 | * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell |
17 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap | 17 | * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap |
18 | * new profiles: inkview, mp3splt-gtk | 18 | * new profiles: inkview, meteo-qt, mp3splt-gtk |
19 | * memory-deny-write-execute now also blocks memfd_create | 19 | * memory-deny-write-execute now also blocks memfd_create |
20 | * drop support for flatpak/snap packages | 20 | * drop support for flatpak/snap packages |
21 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Apr 2019 08:00:00 -0500 | 21 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Apr 2019 08:00:00 -0500 |
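--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.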
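--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp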
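--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
-#shell none
+shell none
 tracelog
 
 # private-bin gpg,gpg-agent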
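Review bot: `shell none` is re-enabled without recording why the hang that kept it commented out (`# Causes gpg to hang`) no longer applies, so the next person who sees gpg stall inside the sandbox has no trail to follow. Keep a one-line note beside the option, e.g. `# shell none used to make gpg hang; re-enabled — if gpg stalls again, check this line first`. As far as I recall, `shell none` also changes how the command line is launched (no intermediate shell), so a line in RELNOTES would help users whose wrappers relied on the old behaviour; I cannot confirm the exact launch semantics from this hunk.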
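--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 
 disable-mnt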
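Review bot: Same remark as for gpg.profile: the reason `shell none` was disabled (`causes gpg to hang`) is dropped with no replacement, so a future regression has no pointer back to this change. Suggest keeping a short trailer, `# shell none re-enabled; it used to hang the gpg backend seahorse drives`, so the two profiles stay in step if the hang ever returns.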
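--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -17,6 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef FIRECFG_H
+#define FIRECFG_H
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <sys/types.h>
@@ -48,3 +50,5 @@ void sound(void);
 
 // desktop_files.c
 void fix_desktop_files(char *homedir);
+
+#endif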
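Review bot: Style: name the guard on the closing line so the pairing is visible from the bottom of the header, `#endif /* FIRECFG_H */`. The guard now also encloses `#define _GNU_SOURCE`; that is harmless only if firecfg.h is the first include in every translation unit that needs GNU extensions, which cannot be confirmed from this hunk — if some .c file includes a system header first, `_GNU_SOURCE` arrives too late and the guard change is unrelated to that, but worth a glance while touching the file.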
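--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -316,6 +316,7 @@ extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
 extern int arg_nou2f; // --nou2f
 extern int arg_nodbus; // -nodbus
+extern int arg_deterministic_exit_code; // always exit with first childs exit status
 
 extern int login_shell;
 extern int parent_to_child_fds[2];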
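--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -126,6 +126,7 @@ int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
+int arg_deterministic_exit_code = 0; // always exit with first childs exit status
 int login_shell = 0;
 
 
@@ -2290,6 +2291,9 @@ int main(int argc, char **argv) {
 return 1;
 }
 }
+else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+arg_deterministic_exit_code = 1;
+}
 else {
 // double dash - positional params to follow
 if (strcmp(argv[i], "--") == 0) {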
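--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1313,6 +1313,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "deterministic-exit-code") == 0) {
+arg_deterministic_exit_code = 1;
+return 0;
+}
+
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;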
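Review bot: Documentation: the new `deterministic-exit-code` branch carries no comment, and its actual effect lives in a different file, so a one-line pointer saves the next reader a grep: `// profile form of --deterministic-exit-code; consumed by monitor_application() in sandbox.c`. profile_check_line() begins well before this hunk, so whether the `ignore` mechanism mentioned in the firejail.config change is applied before this comparison is reached cannot be seen here; if it is not, the keyword is the one profile line users could not switch off with `ignore`.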
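--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) {
 }
 
 int status = 0;
+int app_status = 0;
 while (monitored_pid) {
 usleep(20000);
 char *msg;
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) {
 sleep(1);
 break;
 }
+else if (rv == app_pid)
+app_status = status;
 
 // handle --timeout
 if (options) {
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) {
 printf("Sandbox monitor: monitoring %d\n", monitored_pid);
 }
 
-// return the latest exit status.
-return status;
+// return the appropriate exit status.
+return arg_deterministic_exit_code ? app_status : status;
 }
 
 static void print_time(void) {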
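Review bot: With `--deterministic-exit-code` the function returns `app_status` even when the first child's status was never captured: it starts at 0 (first hunk) and is only assigned on `rv == app_pid` (second hunk), so if the loop can leave through the `break` just above that `else if`, or through the `--timeout` handling below it, before `app_pid` has been reaped, firejail reports success for a sandbox that was killed or never finished. Record whether the status was actually seen rather than relying on the zero default: `int app_status = 0, app_reaped = 0;`, then `app_reaped = 1;` beside `app_status = status;`, and `return (arg_deterministic_exit_code && app_reaped) ? app_status : status;`. Which `if` the new `else if` attaches to depends on the lines immediately above the hunk, which are not shown, and `status` here appears to be the raw waitpid value, so any `WEXITSTATUS` decoding presumably happens in the caller — both worth confirming. monitor_application() begins before the first hunk.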
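--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -66,6 +66,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --defaultgw=address - configure default gateway.\n"
 #endif
+" --deterministic-exit-code - always exit with first childs status code.\n"
 " --dns=address - set DNS server.\n"
 " --dns.print=name|pid - print DNS configuration.\n"
 " --env=name=value - set environment variable.\n"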
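Review bot: The new help text says `first childs status code` — the apostrophe is missing, and "first child" is sandbox-internal jargon that tells a user nothing about which process they get the status of; the two man-page entries in this commit use the same wording. Suggest `" --deterministic-exit-code - always exit with the status of the sandboxed command (its first child).\n"` and mirroring that phrasing in firejail.txt and firejail-profile.txt so the three descriptions agree.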
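--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -667,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
 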
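--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.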
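--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"53"
+}
+after 100
+
+send -- "firejail --deterministic-exit-code\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"35"
+}
+after 100
+
+
+puts "\nall done\n"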
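Review bot: The checks `"53"` and `"35"` are bare two-digit patterns matched against everything the shell prints after `echo $?`, so a PID, a prompt or any earlier output containing those digits lets the test pass regardless of the real exit status. Tag the value so the match is unambiguous, e.g. `send -- "echo EXIT=$?\r"` and expect `"EXIT=53"` / `"EXIT=35"` (Tcl leaves `$?` alone, as the current lines already rely on). The first half also pins the old last-child behaviour to 53, which only holds if the 0.2 s `sleep` outlives the shell's `exit 35`; if that turns out flaky on loaded CI it can be dropped without weakening coverage of the new flag. The `timeout {...;exit}` arms exit 0 on failure, matching the other tests in this directory, so the harness will not notice a timeout — a project-wide convention rather than something to fix here.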
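--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp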
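Review bot: The new `echo` line is missing its closing parenthesis: `echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"`. Every other entry in this file closes the path in parentheses, and people grep the harness output for these headings, so keep the format consistent.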