diff options
| -rw-r--r-- | etc/waterfox.profile | 9 | ||||
| -rw-r--r-- | etc/whitelist-common.inc | 4 | ||||
| -rw-r--r-- | platform/debian/conffiles | 1 | ||||
| -rwxr-xr-x | platform/rpm/old-mkrpm.sh | 9 | ||||
| -rw-r--r-- | src/fseccomp/syscall.c | 6 | ||||
| -rw-r--r-- | src/include/euid_common.h | 2 | ||||
| -rw-r--r-- | src/include/seccomp.h | 26 | ||||
| -rw-r--r-- | src/man/firejail.txt | 2 |
8 files changed, 54 insertions, 5 deletions
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index 6520057b4..2322c1fae 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
| @@ -11,7 +11,11 @@ noblacklist ~/.config/okularpartrc | |||
| 11 | noblacklist ~/.config/okularrc | 11 | noblacklist ~/.config/okularrc |
| 12 | noblacklist ~/.config/qpdfview | 12 | noblacklist ~/.config/qpdfview |
| 13 | noblacklist ~/.kde/share/apps/okular | 13 | noblacklist ~/.kde/share/apps/okular |
| 14 | noblacklist ~/.kde/share/config/okularpartrc | ||
| 15 | noblacklist ~/.kde/share/config/okularrc | ||
| 14 | noblacklist ~/.kde4/share/apps/okular | 16 | noblacklist ~/.kde4/share/apps/okular |
| 17 | noblacklist ~/.kde4/share/config/okularpartrc | ||
| 18 | noblacklist ~/.kde4/share/config/okularrc | ||
| 15 | noblacklist ~/.local/share/gnome-shell/extensions | 19 | noblacklist ~/.local/share/gnome-shell/extensions |
| 16 | noblacklist ~/.local/share/okular | 20 | noblacklist ~/.local/share/okular |
| 17 | noblacklist ~/.local/share/qpdfview | 21 | noblacklist ~/.local/share/qpdfview |
| @@ -39,7 +43,11 @@ whitelist ~/.config/pipelight-silverlight5.1 | |||
| 39 | whitelist ~/.config/pipelight-widevine | 43 | whitelist ~/.config/pipelight-widevine |
| 40 | whitelist ~/.config/qpdfview | 44 | whitelist ~/.config/qpdfview |
| 41 | whitelist ~/.kde/share/apps/okular | 45 | whitelist ~/.kde/share/apps/okular |
| 46 | whitelist ~/.kde/share/config/okularpartrc | ||
| 47 | whitelist ~/.kde/share/config/okularrc | ||
| 42 | whitelist ~/.kde4/share/apps/okular | 48 | whitelist ~/.kde4/share/apps/okular |
| 49 | whitelist ~/.kde4/share/config/okularpartrc | ||
| 50 | whitelist ~/.kde4/share/config/okularrc | ||
| 43 | whitelist ~/.keysnail.js | 51 | whitelist ~/.keysnail.js |
| 44 | whitelist ~/.lastpass | 52 | whitelist ~/.lastpass |
| 45 | whitelist ~/.local/share/gnome-shell/extensions | 53 | whitelist ~/.local/share/gnome-shell/extensions |
| @@ -72,7 +80,6 @@ tracelog | |||
| 72 | 80 | ||
| 73 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env | 81 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env |
| 74 | private-dev | 82 | private-dev |
| 75 | # private-dev might prevent video calls going out | ||
| 76 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | 83 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse |
| 77 | private-tmp | 84 | private-tmp |
| 78 | 85 | ||
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index d5d1c19ec..ddec19d27 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
| @@ -11,6 +11,8 @@ whitelist ~/.config/user-dirs.dirs | |||
| 11 | read-only ~/.config/user-dirs.dirs | 11 | read-only ~/.config/user-dirs.dirs |
| 12 | whitelist ~/.asoundrc | 12 | whitelist ~/.asoundrc |
| 13 | whitelist ~/.config/Trolltech.conf | 13 | whitelist ~/.config/Trolltech.conf |
| 14 | whitelist ~/.local/share/mime | ||
| 15 | whitelist ~/.drirc | ||
| 14 | 16 | ||
| 15 | # fonts | 17 | # fonts |
| 16 | whitelist ~/.fonts | 18 | whitelist ~/.fonts |
| @@ -25,9 +27,11 @@ whitelist ~/.cache/fontconfig | |||
| 25 | # gtk | 27 | # gtk |
| 26 | whitelist ~/.gtkrc | 28 | whitelist ~/.gtkrc |
| 27 | whitelist ~/.gtkrc-2.0 | 29 | whitelist ~/.gtkrc-2.0 |
| 30 | whitelist ~/.gtk-2.0 | ||
| 28 | whitelist ~/.config/gtk-2.0 | 31 | whitelist ~/.config/gtk-2.0 |
| 29 | whitelist ~/.config/gtk-3.0 | 32 | whitelist ~/.config/gtk-3.0 |
| 30 | whitelist ~/.themes | 33 | whitelist ~/.themes |
| 34 | whitelist ~/.local/share/themes | ||
| 31 | whitelist ~/.kde/share/config/gtkrc | 35 | whitelist ~/.kde/share/config/gtkrc |
| 32 | whitelist ~/.kde/share/config/gtkrc-2.0 | 36 | whitelist ~/.kde/share/config/gtkrc-2.0 |
| 33 | whitelist ~/.gnome2 | 37 | whitelist ~/.gnome2 |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d87d1fc08..d0e236e61 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
| @@ -356,3 +356,4 @@ | |||
| 356 | /etc/firejail/zathura.profile | 356 | /etc/firejail/zathura.profile |
| 357 | /etc/firejail/zoom.profile | 357 | /etc/firejail/zoom.profile |
| 358 | /etc/firejail/yandex-browser.profile | 358 | /etc/firejail/yandex-browser.profile |
| 359 | /etc/firejail/itch.profile | ||
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh index 7d817c7e2..50f9f0512 100755 --- a/platform/rpm/old-mkrpm.sh +++ b/platform/rpm/old-mkrpm.sh | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | #!/bin/bash | 1 | #!/bin/bash |
| 2 | VERSION="0.9.50~rc1" | 2 | VERSION="0.9.50" |
| 3 | rm -fr ~/rpmbuild | 3 | rm -fr ~/rpmbuild |
| 4 | rm -f firejail-$VERSION-1.x86_64.rpm | 4 | rm -f firejail-$VERSION-1.x86_64.rpm |
| 5 | 5 | ||
| @@ -28,6 +28,7 @@ install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firej | |||
| 28 | #install -m 755 /usr/lib/firejail/fjclip.py firejail-$VERSION/usr/lib/firejail/. | 28 | #install -m 755 /usr/lib/firejail/fjclip.py firejail-$VERSION/usr/lib/firejail/. |
| 29 | #install -m 755 /usr/lib/firejail/fjdisplay.py firejail-$VERSION/usr/lib/firejail/. | 29 | #install -m 755 /usr/lib/firejail/fjdisplay.py firejail-$VERSION/usr/lib/firejail/. |
| 30 | #install -m 755 /usr/lib/firejail/fjresize.py firejail-$VERSION/usr/lib/firejail/. | 30 | #install -m 755 /usr/lib/firejail/fjresize.py firejail-$VERSION/usr/lib/firejail/. |
| 31 | install -m 755 /usr/lib/firejail/fldd firejail-$VERSION/usr/lib/firejail/. | ||
| 31 | install -m 755 /usr/lib/firejail/fnet firejail-$VERSION/usr/lib/firejail/. | 32 | install -m 755 /usr/lib/firejail/fnet firejail-$VERSION/usr/lib/firejail/. |
| 32 | install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/. | 33 | install -m 755 /usr/lib/firejail/fseccomp firejail-$VERSION/usr/lib/firejail/. |
| 33 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | 34 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. |
| @@ -466,6 +467,9 @@ rm -rf %{buildroot} | |||
| 466 | %{_sysconfdir}/%{name}/unknown-horizons.profile | 467 | %{_sysconfdir}/%{name}/unknown-horizons.profile |
| 467 | %{_sysconfdir}/%{name}/wireshark-gtk.profile | 468 | %{_sysconfdir}/%{name}/wireshark-gtk.profile |
| 468 | %{_sysconfdir}/%{name}/wireshark-qt.profile | 469 | %{_sysconfdir}/%{name}/wireshark-qt.profile |
| 470 | %{_sysconfdir}/%{name}/itch.profile | ||
| 471 | %{_sysconfdir}/%{name}/minetest.profile | ||
| 472 | %{_sysconfdir}/%{name}/yandex-browser.profile | ||
| 469 | 473 | ||
| 470 | 474 | ||
| 471 | 475 | ||
| @@ -490,6 +494,7 @@ rm -rf %{buildroot} | |||
| 490 | #/usr/lib/firejail/fjdisplay.py | 494 | #/usr/lib/firejail/fjdisplay.py |
| 491 | #/usr/lib/firejail/fjresize.py | 495 | #/usr/lib/firejail/fjresize.py |
| 492 | /usr/lib/firejail/fnet | 496 | /usr/lib/firejail/fnet |
| 497 | /usr/lib/firejail/fldd | ||
| 493 | /usr/lib/firejail/fseccomp | 498 | /usr/lib/firejail/fseccomp |
| 494 | /usr/lib/firejail/seccomp | 499 | /usr/lib/firejail/seccomp |
| 495 | /usr/lib/firejail/seccomp.64 | 500 | /usr/lib/firejail/seccomp.64 |
| @@ -514,7 +519,7 @@ rm -rf %{buildroot} | |||
| 514 | chmod u+s /usr/bin/firejail | 519 | chmod u+s /usr/bin/firejail |
| 515 | 520 | ||
| 516 | %changelog | 521 | %changelog |
| 517 | * Mon Aug 28 2017 netblue30 <netblue30@yahoo.com> 0.9.50~rc1-1 | 522 | * Fri Sep 8 2017 netblue30 <netblue30@yahoo.com> 0.9.50-1 |
| 518 | 523 | ||
| 519 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 | 524 | * Mon Jun 12 2017 netblue30 <netblue30@yahoo.com> 0.9.48-1 |
| 520 | 525 | ||
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index d0692b2ef..69b6e5271 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
| @@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = { | |||
| 274 | #ifdef SYS_vserver | 274 | #ifdef SYS_vserver |
| 275 | "vserver" | 275 | "vserver" |
| 276 | #endif | 276 | #endif |
| 277 | #if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver) | ||
| 278 | "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed | ||
| 279 | #endif | ||
| 277 | }, | 280 | }, |
| 278 | { .name = "@privileged", .list = | 281 | { .name = "@privileged", .list = |
| 279 | "@clock," | 282 | "@clock," |
| @@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = { | |||
| 334 | #ifdef SYS_s390_mmio_write | 337 | #ifdef SYS_s390_mmio_write |
| 335 | "s390_mmio_write" | 338 | "s390_mmio_write" |
| 336 | #endif | 339 | #endif |
| 340 | #if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write) | ||
| 341 | "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed | ||
| 342 | #endif | ||
| 337 | }, | 343 | }, |
| 338 | { .name = "@reboot", .list = | 344 | { .name = "@reboot", .list = |
| 339 | #ifdef SYS_kexec_load | 345 | #ifdef SYS_kexec_load |
diff --git a/src/include/euid_common.h b/src/include/euid_common.h index f343d77bb..4e6db514d 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h | |||
| @@ -35,7 +35,7 @@ extern uid_t firejail_gid; | |||
| 35 | 35 | ||
| 36 | static inline void EUID_ROOT(void) { | 36 | static inline void EUID_ROOT(void) { |
| 37 | int rv = seteuid(0); | 37 | int rv = seteuid(0); |
| 38 | rv = setegid(0); | 38 | rv |= setegid(0); |
| 39 | (void) rv; | 39 | (void) rv; |
| 40 | } | 40 | } |
| 41 | 41 | ||
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 133b6ce72..b8bfce96b 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
| @@ -149,9 +149,35 @@ struct seccomp_data { | |||
| 149 | # define ARCH_NR AUDIT_ARCH_S390 | 149 | # define ARCH_NR AUDIT_ARCH_S390 |
| 150 | # define ARCH_32 AUDIT_ARCH_S390 | 150 | # define ARCH_32 AUDIT_ARCH_S390 |
| 151 | # define ARCH_64 AUDIT_ARCH_S390X | 151 | # define ARCH_64 AUDIT_ARCH_S390X |
| 152 | #elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN | ||
| 153 | # define ARCH_NR AUDIT_ARCH_SH64 | ||
| 154 | # define ARCH_32 AUDIT_ARCH_SH | ||
| 155 | # define ARCH_64 AUDIT_ARCH_SH64 | ||
| 156 | #elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
| 157 | # define ARCH_NR AUDIT_ARCH_SHEL64 | ||
| 158 | # define ARCH_32 AUDIT_ARCH_SHEL | ||
| 159 | # define ARCH_64 AUDIT_ARCH_SHEL64 | ||
| 160 | #elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN | ||
| 161 | # define ARCH_NR AUDIT_ARCH_SH | ||
| 162 | # define ARCH_32 AUDIT_ARCH_SH | ||
| 163 | # define ARCH_64 AUDIT_ARCH_SH64 | ||
| 164 | #elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN | ||
| 165 | # define ARCH_NR AUDIT_ARCH_SHEL | ||
| 166 | # define ARCH_32 AUDIT_ARCH_SHEL | ||
| 167 | # define ARCH_64 AUDIT_ARCH_SHEL64 | ||
| 168 | #elif defined(__sparc64__) | ||
| 169 | # define ARCH_NR AUDIT_ARCH_SPARC64 | ||
| 170 | # define ARCH_32 AUDIT_ARCH_SPARC | ||
| 171 | # define ARCH_64 AUDIT_ARCH_SPARC64 | ||
| 172 | #elif defined(__sparc__) | ||
| 173 | # define ARCH_NR AUDIT_ARCH_SPARC | ||
| 174 | # define ARCH_32 AUDIT_ARCH_SPARC | ||
| 175 | # define ARCH_64 AUDIT_ARCH_SPARC64 | ||
| 152 | #else | 176 | #else |
| 153 | # warning "Platform does not support seccomp filter yet" | 177 | # warning "Platform does not support seccomp filter yet" |
| 154 | # define ARCH_NR 0 | 178 | # define ARCH_NR 0 |
| 179 | # define ARCH_32 0 | ||
| 180 | # define ARCH_64 0 | ||
| 155 | #endif | 181 | #endif |
| 156 | 182 | ||
| 157 | #define VALIDATE_ARCHITECTURE \ | 183 | #define VALIDATE_ARCHITECTURE \ |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a70f662fd..c9d57b87b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1131,7 +1131,7 @@ Disable whitelist for this directory or file. | |||
| 1131 | 1131 | ||
| 1132 | .TP | 1132 | .TP |
| 1133 | \fB\-\-output=logfile | 1133 | \fB\-\-output=logfile |
| 1134 | stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log | 1134 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log |
| 1135 | rotation. Five files with prefixes .1 to .5 are used in rotation. | 1135 | rotation. Five files with prefixes .1 to .5 are used in rotation. |
| 1136 | .br | 1136 | .br |
| 1137 | 1137 | ||