-rw-r--r-- | RELNOTES | 5 | ||||
-rw-r--r-- | etc/evince.profile | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 7 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rwxr-xr-x | test/net_none.exp | 32 | ||||
-rw-r--r-- | test/net_none.profile | 1 |
7 files changed, 57 insertions, 2 deletions
@@ -5,8 +5,11 @@ firejail (0.9.29) baseline; urgency=low | |||
5 | * added --private-etc option | 5 | * added --private-etc option |
6 | * support ${HOME} token in include directive in profile files | 6 | * support ${HOME} token in include directive in profile files |
7 | * --private.keep is transitioned to --private-home | 7 | * --private.keep is transitioned to --private-home |
8 | * support ~ and blanks in blacklist option | ||
9 | * support "net none" command in profile files | ||
10 | * added "net none" to Evince PDF viewer | ||
8 | * bugfixes | 11 | * bugfixes |
9 | -- netblue30 <netblue30@yahoo.com> Sat, 12 Aug 2015 20:25:00 -0500 | 12 | -- netblue30 <netblue30@yahoo.com> Sat, 22 Aug 2015 20:25:00 -0500 |
10 | 13 | ||
11 | firejail (0.9.28) baseline; urgency=low | 14 | firejail (0.9.28) baseline; urgency=low |
12 | * network scanning, --scan option | 15 | * network scanning, --scan option |
diff --git a/etc/evince.profile b/etc/evince.profile index e81044314..c90317ed8 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -5,5 +5,5 @@ include /etc/firejail/disable-common.inc | |||
5 | include /etc/firejail/disable-history.inc | 5 | include /etc/firejail/disable-history.inc |
6 | caps.drop all | 6 | caps.drop all |
7 | seccomp | 7 | seccomp |
8 | netfilter | 8 | net none |
9 | noroot | 9 | noroot |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e9a2e55a3..86db82da0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -128,6 +128,14 @@ int profile_check_line(char *ptr, int lineno) { | |||
128 | check_netfilter_file(arg_netfilter_file); | 128 | check_netfilter_file(arg_netfilter_file); |
129 | return 0; | 129 | return 0; |
130 | } | 130 | } |
131 | else if (strcmp(ptr, "net none") == 0) { | ||
132 | arg_nonetwork = 1; | ||
133 | cfg.bridge0.configured = 0; | ||
134 | cfg.bridge1.configured = 0; | ||
135 | cfg.bridge2.configured = 0; | ||
136 | cfg.bridge3.configured = 0; | ||
137 | return 0; | ||
138 | } | ||
131 | 139 | ||
132 | // seccomp drop list on top of default list | 140 | // seccomp drop list on top of default list |
133 | if (strncmp(ptr, "seccomp ", 8) == 0) { | 141 | if (strncmp(ptr, "seccomp ", 8) == 0) { |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7be5304c1..58ba39b00 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -180,6 +180,13 @@ netfilter filename | |||
180 | If a new network namespace is created, enabled the network filter in filename. | 180 | If a new network namespace is created, enabled the network filter in filename. |
181 | 181 | ||
182 | .TP | 182 | .TP |
183 | net none | ||
184 | Enable a new, unconnected network namespace. The only interface | ||
185 | available in the new namespace is a new loopback interface (lo). | ||
186 | Use this option to deny network access to programs that don't | ||
187 | really need network access. | ||
188 | |||
189 | .TP | ||
183 | dns address | 190 | dns address |
184 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 191 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
185 | 192 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 0b7ed1434..ffc698edd 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -97,6 +97,10 @@ Blacklist directory or file. | |||
97 | Example: | 97 | Example: |
98 | .br | 98 | .br |
99 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | 99 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin |
100 | .br | ||
101 | $ firejail \-\-blacklist=~/.mozilla | ||
102 | .br | ||
103 | $ firejail "\-\-blacklist=My Virtual Machines" | ||
100 | .TP | 104 | .TP |
101 | \fB\-c | 105 | \fB\-c |
102 | Execute command and exit. | 106 | Execute command and exit. |
diff --git a/test/net_none.exp b/test/net_none.exp index dfa14a211..54b6cb946 100755 --- a/test/net_none.exp +++ b/test/net_none.exp | |||
@@ -4,6 +4,7 @@ set timeout 10 | |||
4 | spawn $env(SHELL) | 4 | spawn $env(SHELL) |
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | # options | ||
7 | send -- "firejail --net=none\r" | 8 | send -- "firejail --net=none\r" |
8 | expect { | 9 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 10 | timeout {puts "TESTING ERROR 0\n";exit} |
@@ -30,7 +31,38 @@ expect { | |||
30 | "eth0" {puts "TESTING ERROR 2.1\n";exit} | 31 | "eth0" {puts "TESTING ERROR 2.1\n";exit} |
31 | "home" | 32 | "home" |
32 | } | 33 | } |
34 | send -- "exit\r" | ||
35 | sleep 1 | ||
36 | send -- "exit\r" | ||
37 | sleep 1 | ||
38 | |||
39 | # profile | ||
40 | send -- "firejail --profile=net_none.profile\r" | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 3\n";exit} | ||
43 | "eth0" {puts "TESTING ERROR 3.1\n";exit} | ||
44 | "Child process initialized" | ||
45 | } | ||
33 | sleep 1 | 46 | sleep 1 |
34 | 47 | ||
48 | # test default gw | ||
49 | send -- "bash\r" | ||
50 | sleep 1 | ||
51 | send -- "netstat -rn; pwd\r" | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 4\n";exit} | ||
54 | "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit} | ||
55 | "home" | ||
56 | } | ||
57 | sleep 1 | ||
58 | |||
59 | # check again devices | ||
60 | send -- "cat /proc/1/net/dev;pwd\r" | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 5\n";exit} | ||
63 | "eth0" {puts "TESTING ERROR 5.1\n";exit} | ||
64 | "home" | ||
65 | } | ||
66 | sleep 1 | ||
35 | 67 | ||
36 | puts "\n" | 68 | puts "\n" |
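Review bot: The profile test only asserts the absence of `eth0` and of a `0.0.0.0` route, but never checks the positive property the man page states for `net none`, that a loopback interface is present in the new namespace; the `cat /proc/1/net/dev;pwd` block should also require `"lo:"` in the output (a separate `expect` on the same output placed before the `"home"` match) so a namespace with no interfaces at all does not pass. The default-gateway check depends on `netstat`, which ships in net-tools and is absent on many current distributions; using `ip route` instead would mean matching `"default"` rather than `"0.0.0.0"`. Matching `"home"` to detect the end of output assumes the test runs under a path containing that string, which is worth a comment at the top of the script.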
diff --git a/test/net_none.profile b/test/net_none.profile new file mode 100644 index 000000000..079c08ea8 --- /dev/null +++ b/test/net_none.profile | |||
@@ -0,0 +1 @@ | |||
net none | |||