-rw-r--r-- | README.md | 63 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/catfish.profile | 7 | ||||
-rw-r--r-- | etc/chromium.profile | 1 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 1 | ||||
-rw-r--r-- | etc/galculator.profile | 1 | ||||
-rw-r--r-- | etc/gimp.profile | 2 | ||||
-rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
-rw-r--r-- | etc/inkscape.profile | 2 | ||||
-rw-r--r-- | etc/leafpad.profile | 2 | ||||
-rw-r--r-- | etc/mousepad.profile | 2 | ||||
-rw-r--r-- | etc/mpv.profile | 2 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 1 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 1 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 1 | ||||
-rw-r--r-- | etc/whitelist-var-common.inc | 10 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 6 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
22 files changed, 120 insertions, 2 deletions
@@ -98,6 +98,69 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.51 |
100 | 100 | ||
101 | ## Whitelisting /var | ||
102 | |||
103 | Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working, | ||
104 | send a pull request. I did it so far for some more common applications like Firefox, Chromium etc. | ||
105 | |||
106 | ## Profile build tool | ||
107 | ````` | ||
108 | $ firejail --build appname | ||
109 | ````` | ||
110 | The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also | ||
111 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
112 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
113 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
114 | |||
115 | Example: | ||
116 | ````` | ||
117 | $ firejail --build vlc ~/Videos/test.mp4 | ||
118 | |||
119 | [...] | ||
120 | |||
121 | ############################################ | ||
122 | # vlc profile | ||
123 | ############################################ | ||
124 | # Persistent global definitions | ||
125 | # include /etc/firejail/globals.local | ||
126 | |||
127 | ### basic blacklisting | ||
128 | include /etc/firejail/disable-common.inc | ||
129 | # include /etc/firejail/disable-devel.inc | ||
130 | include /etc/firejail/disable-passwdmgr.inc | ||
131 | # include /etc/firejail/disable-programs.inc | ||
132 | |||
133 | ### home directory whitelisting | ||
134 | whitelist ~/Videos | ||
135 | whitelist ~/.local/share/vlc | ||
136 | whitelist ~/.config/vlc | ||
137 | include /etc/firejail/whitelist-common.inc | ||
138 | |||
139 | ### filesystem | ||
140 | private-tmp | ||
141 | private-dev | ||
142 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | ||
143 | whitelist /var/lib/menu-xdg | ||
144 | |||
145 | ### security filters | ||
146 | caps.drop all | ||
147 | nonewprivs | ||
148 | seccomp | ||
149 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,stat,writev,read,recvmsg,mprotect,write,sendto,clock_nanosleep,open,dup3,mmap,rt_sigprocmask,close,fstat,lstat,lseek,munmap,brk,rt_sigaction,rt_sigreturn,access,madvise,shmget,shmat,shmctl,alarm,getpid,socket,connect,recvfrom,sendmsg,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,fcntl,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,setuid,setgid,geteuid,getegid,getppid,getpgrp,setresuid,getresuid,setresgid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,pipe2,getrandom,memfd_create | ||
150 | # 82 syscalls total | ||
151 | # Probably you will need to add more syscalls to seccomp.keep. Look for | ||
152 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | ||
153 | # running your sandbox. | ||
154 | |||
155 | ### network | ||
156 | protocol unix,netlink, | ||
157 | net none | ||
158 | |||
159 | ### environment | ||
160 | shell none | ||
161 | $ | ||
162 | ````` | ||
163 | |||
101 | ## New command line options | 164 | ## New command line options |
102 | ````` | 165 | ````` |
103 | --writable-run-user | 166 | --writable-run-user |
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.51) baseline; urgency=low | 1 | firejail (0.9.51) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * feature: --writable-run-user | 3 | * feature: --writable-run-user |
4 | * feature: profile build tool (--build) | ||
4 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 | 5 | -- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500 |
5 | 6 | ||
6 | firejail (0.9.50~rc1) baseline; urgency=low | 7 | firejail (0.9.50~rc1) baseline; urgency=low |
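--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 noblacklist ~/.config/catfish
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-include /etc/firejail/disable-devel.inc
+whitelist /var/lib/mlocate
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none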
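Review bot: The previously active `include /etc/firejail/disable-devel.inc` (old line 12) comes back as the commented-out `# include /etc/firejail/disable-devel.inc` on new line 12, so the development tools the old profile blacklisted are reachable again, and nothing in the hunk records why. If the intent is that catfish must be able to search source trees, say so on the line, e.g. `# disable-devel.inc is deliberately left out so catfish can index development directories`; otherwise re-enable it. The comment kept at lines 8-9 ("We can't blacklist much ...") now sits directly above three blanket blacklist includes, so it should be narrowed to explain what is still exempt (the `noblacklist ~/.config/catfish` line) or dropped.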
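--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -23,6 +23,7 @@ whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.keep sys_chroot,sys_admin
 netfilter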
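--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d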
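--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -59,6 +59,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter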
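--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none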
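--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 nodvd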
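--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter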
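--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd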
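--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d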
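--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd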
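--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups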
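--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter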
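--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -19,6 +19,7 @@ whitelist ${DOWNLOADS}
 whitelist ~/.cache/transmission
 whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter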
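--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 # nogroups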
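--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -16,6 +16,7 @@ whitelist ~/.drirc
 whitelist ~/.mime.types
 whitelist ~/.local/share/applications
 read-only ~/.local/share/applications
+whitelist ~/.config/ibus
 
 # fonts
 whitelist ~/.fonts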
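Review bot: `whitelist ~/.config/ibus` is added writable, unlike `~/.local/share/applications` two lines above, which this same file pairs with a `read-only` directive. Because this include is shared by every whitelisted profile, any sandboxed program could then alter the user's input-method configuration; if ibus only needs to read its config from inside the sandbox, add `read-only ~/.config/ibus` right after it. If a writable directory really is required (the hunk does not show which ibus component writes there), a one-line comment naming that writer would save the next reviewer the same question.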
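--- /dev/null
+++ b/etc/whitelist-var-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run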
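Review bot: `whitelist /var/tmp` and `whitelist /var/run` hand every profile that includes this file the host's real directories, so anything a sandboxed program writes under /var/tmp is visible to other sandboxes and to the host, whereas the `private-tmp` the README's vlc example uses gives each sandbox its own /tmp; a program confined on /tmp but not on /var/tmp has an easy shared channel. On systems where /var/run is a symlink to /run this entry may also expose everything under /run, which is worth confirming against how `whitelist` resolves symlinks. None of the five entries says what it is for, and the sibling `whitelist-common.inc` at least groups its entries under comments such as `# fonts`; propose a short comment above the list stating that /var/lib/dbus, /var/lib/menu-xdg and /var/cache/fontconfig are read-mostly system data while /var/tmp and /var/run are shared, writable host state, and pairing the read-mostly ones with `read-only` if no tested application needs to write there.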
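--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -357,3 +357,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
+/etc/firejail/whitelist-var-common.inc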
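--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -148,7 +148,11 @@ void build_etc(const char *fname) {
 //*******************************************
 static FileDB *var_out = NULL;
 static void var_callback(char *ptr) {
-if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
+if (strcmp(ptr, "/var/lib") == 0)
+;
+else if (strcmp(ptr, "/var/cache") == 0)
+;
+else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
 var_out = filedb_add(var_out, "/var/lib/menu-xdg");
 else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
 var_out = filedb_add(var_out, "/var/cache/fontconfig");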
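Review bot: The two new branches in var_callback use a bare `;` as their body (`if (strcmp(ptr, "/var/lib") == 0) ;` and the `/var/cache` twin), which reads like a forgotten statement and is easy to break on the next edit; an early return says the same thing in one place: `if (strcmp(ptr, "/var/lib") == 0 || strcmp(ptr, "/var/cache") == 0) return;`. The prefix tests that follow still carry hand-counted lengths (17, 21) that silently go wrong if a literal is edited; `strncmp(ptr, "/var/lib/menu-xdg", sizeof("/var/lib/menu-xdg") - 1)` keeps them in sync, and a prefix match also accepts any sibling that merely starts with that string, so a check for a following `/` or end of string would be tighter if such siblings exist. The exact-match skips only catch the literal paths, so a traced `/var/lib/` with a trailing slash, if the tracer ever produces one, would fall through to the later branches; those branches and the rest of var_callback lie outside this hunk.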
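--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -44,6 +44,7 @@ void usage(void) {
 printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
 #endif
 printf(" --blacklist=filename - blacklist directory or file.\n");
+printf(" --build - build a whitelisted profile for the application.\n");
 printf(" -c - execute command and exit.\n");
 printf(" --caps - enable default Linux capabilities filter.\n");
 printf(" --caps.drop=all - drop all capabilities.\n");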
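--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -154,6 +154,18 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 .br
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
+\fB\-\-build
+The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+
+.br
+Example:
+.br
+$ firejail --build vlc ~/Videos/test.mp4
+.TP
 \fB\-c
 Execute command and exit.
 .TP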