-rw-r--r-- | Makefile.in | 19 | ||||
-rw-r--r-- | README | 28 | ||||
-rw-r--r-- | README.md | 11 | ||||
-rw-r--r-- | RELNOTES | 8 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/atril.profile | 7 | ||||
-rw-r--r-- | etc/aweather.profile | 23 | ||||
-rw-r--r-- | etc/cherrytree.profile | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 10 | ||||
-rw-r--r-- | etc/disable-programs.inc | 10 | ||||
-rw-r--r-- | etc/google-play-music-desktop-player.profile | 17 | ||||
-rw-r--r-- | etc/gpredict.profile | 23 | ||||
-rw-r--r-- | etc/gwenview.profile | 19 | ||||
-rw-r--r-- | etc/hexchat.profile | 6 | ||||
-rw-r--r-- | etc/netsurf.profile | 34 | ||||
-rw-r--r-- | etc/okular.profile | 21 | ||||
-rw-r--r-- | etc/stellarium.profile | 27 | ||||
-rw-r--r-- | etc/warzone2100.profile | 19 | ||||
-rw-r--r-- | platform/debian/conffiles | 8 | ||||
-rw-r--r-- | platform/rpm/firejail.spec | 5 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 12 | ||||
-rw-r--r-- | src/firecfg/main.c | 7 | ||||
-rw-r--r-- | src/firejail/firejail.h | 7 | ||||
-rw-r--r-- | src/firejail/fs.c | 34 | ||||
-rw-r--r-- | src/firejail/fs_rdwr.c | 93 | ||||
-rw-r--r-- | src/firejail/main.c | 75 | ||||
-rw-r--r-- | src/firejail/profile.c | 159 | ||||
-rw-r--r-- | src/firejail/usage.c | 7 | ||||
-rw-r--r-- | src/firejail/x11.c | 6 | ||||
-rw-r--r-- | src/firemon/netstats.c | 4 | ||||
-rw-r--r-- | src/man/firecfg.txt | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 92 | ||||
-rw-r--r-- | src/man/firejail.txt | 48 | ||||
-rwxr-xr-x | test/apps/apps.sh (renamed from test/test-apps.sh) | 12 | ||||
-rwxr-xr-x | test/apps/chromium.exp (renamed from test/chromium.exp) | 0 | ||||
-rwxr-xr-x | test/apps/deluge.exp (renamed from test/deluge.exp) | 0 | ||||
-rwxr-xr-x | test/apps/evince.exp (renamed from test/evince.exp) | 0 | ||||
-rwxr-xr-x | test/apps/fbreader.exp (renamed from test/fbreader.exp) | 0 | ||||
-rwxr-xr-x | test/apps/firefox.exp (renamed from test/firefox.exp) | 0 | ||||
-rwxr-xr-x | test/apps/gnome-mplayer.exp (renamed from test/gnome-mplayer.exp) | 0 | ||||
-rwxr-xr-x | test/apps/hexchat.exp (renamed from test/hexchat.exp) | 0 | ||||
-rwxr-xr-x | test/apps/icedove.exp (renamed from test/icedove.exp) | 0 | ||||
-rwxr-xr-x | test/apps/midori.exp (renamed from test/midori.exp) | 0 | ||||
-rwxr-xr-x | test/apps/opera.exp (renamed from test/opera.exp) | 0 | ||||
-rwxr-xr-x | test/apps/transmission-gtk.exp (renamed from test/transmission-gtk.exp) | 0 | ||||
-rwxr-xr-x | test/apps/transmission-qt.exp (renamed from test/transmission-qt.exp) | 0 | ||||
-rwxr-xr-x | test/apps/vlc.exp (renamed from test/vlc.exp) | 0 | ||||
-rwxr-xr-x | test/apps/weechat.exp (renamed from test/weechat.exp) | 0 | ||||
-rwxr-xr-x | test/apps/wine.exp (renamed from test/wine.exp) | 0 | ||||
-rwxr-xr-x | test/apps/xchat.exp (renamed from test/xchat.exp) | 0 | ||||
-rwxr-xr-x | test/icedove-x11.exp | 82 | ||||
-rw-r--r-- | test/net-profile.profile | 10 | ||||
-rwxr-xr-x | test/net_profile.exp | 73 | ||||
-rwxr-xr-x | test/profiles/profile_syntax.exp (renamed from test/profile_syntax.exp) | 3 | ||||
-rwxr-xr-x | test/profiles/profile_syntax2.exp (renamed from test/profile_syntax2.exp) | 3 | ||||
-rwxr-xr-x | test/profiles/profiles.sh | 22 | ||||
-rwxr-xr-x | test/profiles/test-profile.exp (renamed from test/test-profile.exp) | 3 | ||||
-rw-r--r-- | test/profiles/test.profile (renamed from test/test.profile) | 0 | ||||
-rw-r--r-- | test/profiles/test2.profile (renamed from test/test2.profile) | 0 | ||||
-rwxr-xr-x | test/test-apps-x11.sh | 20 | ||||
-rwxr-xr-x | test/test-profiles.sh | 10 | ||||
-rwxr-xr-x | test/test.sh | 12 | ||||
-rwxr-xr-x | test/xterm-x11.exp | 82 | ||||
-rw-r--r-- | todo | 8 |
65 files changed, 1093 insertions, 110 deletions
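--- a/Makefile.in
+++ b/Makefile.in
@@ -164,6 +164,14 @@ realinstall:
 install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
@@ -231,6 +239,8 @@ dist:
 cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd ..
 cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd ..
 cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
+cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd ..
+cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd ..
 cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
 tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
 rm -fr $(NAME)-$(VERSION)
@@ -250,5 +260,14 @@ cppcheck: clean
 
 scan-build: clean
 scan-build make
+
 asc:; ./mkasc.sh $(VERSION)
 
+test-profiles:
+cd test/profiles; ./profiles.sh | grep TESTING
+
+test-apps:
+cd test/apps; ./apps.sh | grep TESTING
+
+test: test-profiles test-apps
+echo "TEST COMPLETE"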
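Review bot: The new `test-profiles` and `test-apps` recipes pipe the test script into `grep TESTING`, so the recipe's exit status is grep's, and a failing expect script cannot make `make test` fail; for a sandbox, that lets a regression in profile handling pass unnoticed. The `cd test/profiles;` form also keeps going in the wrong directory if the `cd` fails. I would chain with `&&` and let the script's own status decide, e.g. `cd test/profiles && ./profiles.sh`, with any filtering of the output done inside the script. The diffstat shows a `test/` directory in the tree and no `.PHONY` line is visible in these hunks, so `.PHONY: test test-profiles test-apps` is worth adding if it is not already declared elsewhere in the file.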
@@ -18,13 +18,32 @@ License: GPL v2 | |||
18 | Firejail Authors: | 18 | Firejail Authors: |
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | Vasya Novikov (https://github.com/vn971) | ||
22 | - Wesnoth profile | ||
23 | - Hedegewars profile | ||
24 | - manpage fixes | ||
25 | - fixed firecfg clean/clear issue | ||
26 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
27 | - tightening unbound and dnscrypt-proxy profiles | ||
28 | - dnsmasq profile | ||
29 | - okular and gwenview profiles | ||
30 | - cherrytree profile fixes | ||
31 | Matthew Gyurgyik (https://github.com/pyther) | ||
32 | - rpm spec and several fixes | ||
21 | Joan Figueras (https://github.com/figue) | 33 | Joan Figueras (https://github.com/figue) |
22 | - added abrowser profile | 34 | - added abrowser profile |
35 | - added Google-Play-Music-Desktop-Player | ||
23 | Fred-Barclay (https://github.com/Fred-Barclay) | 36 | Fred-Barclay (https://github.com/Fred-Barclay) |
24 | - added Vivaldi, Atril profiles | 37 | - added Vivaldi, Atril profiles |
25 | - added PaleMoon profile | 38 | - added PaleMoon profile |
26 | - split Icedove and Thunderbird profiles | 39 | - split Icedove and Thunderbird profiles |
27 | - added 0ad profile | 40 | - added 0ad profile |
41 | - fixed version for .deb packages | ||
42 | - added Warzone2100 profile | ||
43 | - blacklisted VeraCrypt | ||
44 | - added Gpredict profile | ||
45 | - added Aweather, Stellarium profiles | ||
46 | - fixed HexChat and Atril profiles | ||
28 | avoidr (https://github.com/avoidr) | 47 | avoidr (https://github.com/avoidr) |
29 | - whitelist fix | 48 | - whitelist fix |
30 | - recently-used.xbel fix | 49 | - recently-used.xbel fix |
@@ -52,10 +71,6 @@ dshmgh (https://github.com/dshmgh) | |||
52 | yumkam (https://github.com/yumkam) | 71 | yumkam (https://github.com/yumkam) |
53 | - add compile-time option to restrict --net= to root only | 72 | - add compile-time option to restrict --net= to root only |
54 | - man page fixes | 73 | - man page fixes |
55 | Vasya Novikov (https://github.com/vn971) | ||
56 | - Wesnoth profile | ||
57 | - Hedegewars profile | ||
58 | - manpage fixes | ||
59 | mahdi1234 (https://github.com/mahdi1234) | 74 | mahdi1234 (https://github.com/mahdi1234) |
60 | - cherrytree profile | 75 | - cherrytree profile |
61 | jrabe (https://github.com/jrabe) | 76 | jrabe (https://github.com/jrabe) |
@@ -81,9 +96,6 @@ Rahiel Kasim (https://github.com/rahiel) | |||
81 | - Mathematica profile | 96 | - Mathematica profile |
82 | creideiki (https://github.com/creideiki) | 97 | creideiki (https://github.com/creideiki) |
83 | - make the sandbox process reap all children | 98 | - make the sandbox process reap all children |
84 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
85 | - tightening unbound and dnscrypt-proxy profiles | ||
86 | - dnsmasq profile | ||
87 | sinkuu (https://github.com/sinkuu) | 99 | sinkuu (https://github.com/sinkuu) |
88 | - blacklisting kwalletd | 100 | - blacklisting kwalletd |
89 | - fix symlink invocation for programs placing symlinks in $PATH | 101 | - fix symlink invocation for programs placing symlinks in $PATH |
@@ -132,8 +144,6 @@ andrew160 (https://github.com/andrew160) | |||
132 | - profile and man pages fixes | 144 | - profile and man pages fixes |
133 | Loïc Damien (https://github.com/dzamlo) | 145 | Loïc Damien (https://github.com/dzamlo) |
134 | - small fixes | 146 | - small fixes |
135 | Matthew Gyurgyik (https://github.com/pyther) | ||
136 | - rpm spec and several fixes | ||
137 | greigdp (https://github.com/greigdp) | 147 | greigdp (https://github.com/greigdp) |
138 | - add Spotify profile | 148 | - add Spotify profile |
139 | Mattias Wadman (https://github.com/wader) | 149 | Mattias Wadman (https://github.com/wader) |
@@ -34,7 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.40-rc2 | 37 | # Current development version: 0.9.40~rc2 |
38 | Version 0.9.40-rc1 released! | 38 | Version 0.9.40-rc1 released! |
39 | 39 | ||
40 | ## X11 sandboxing support | 40 | ## X11 sandboxing support |
@@ -143,8 +143,8 @@ DESCRIPTION | |||
143 | see DESKTOP INTEGRATION section in man 1 firejail. | 143 | see DESKTOP INTEGRATION section in man 1 firejail. |
144 | 144 | ||
145 | OPTIONS | 145 | OPTIONS |
146 | --clear | 146 | --clean |
147 | Clear all firejail symbolic links | 147 | Remove all firejail symbolic links |
148 | 148 | ||
149 | -?, --help | 149 | -?, --help |
150 | Print options end exit. | 150 | Print options end exit. |
@@ -164,7 +164,7 @@ OPTIONS | |||
164 | /usr/local/bin/firefox | 164 | /usr/local/bin/firefox |
165 | /usr/local/bin/vlc | 165 | /usr/local/bin/vlc |
166 | [...] | 166 | [...] |
167 | $ sudo firecfg --clear | 167 | $ sudo firecfg --clean |
168 | /usr/local/bin/firefox removed | 168 | /usr/local/bin/firefox removed |
169 | /usr/local/bin/vlc removed | 169 | /usr/local/bin/vlc removed |
170 | [...] | 170 | [...] |
@@ -281,5 +281,6 @@ $ man firejail-profile | |||
281 | 281 | ||
282 | ## New security profiles | 282 | ## New security profiles |
283 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, | 283 | lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, |
284 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad | 284 | OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, |
285 | Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player | ||
285 | 286 | ||
@@ -5,8 +5,10 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
5 | * added --x11=xephyr option | 5 | * added --x11=xephyr option |
6 | * added --cpu.print option | 6 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 7 | * added filetransfer options --ls and --get |
8 | * added --writable-etc and --writable-var options | ||
9 | * added --read-only option | ||
8 | * added mkdir, ipc-namespace, and nosound profile commands | 10 | * added mkdir, ipc-namespace, and nosound profile commands |
9 | * added net iface, and iprange profile commands | 11 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands |
10 | * --version also prints compile options | 12 | * --version also prints compile options |
11 | * --output option also redirects stderr | 13 | * --output option also redirects stderr |
12 | * added compile-time option to restrict --net= to root only | 14 | * added compile-time option to restrict --net= to root only |
@@ -18,7 +20,9 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
18 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 20 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
19 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars | 21 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars |
20 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq | 22 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq |
21 | * new profiles: PaleMoon, Icedove, abrowser, 0ad | 23 | * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 |
24 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player | ||
25 | * new profiles: Aweather, Stellarium, gpredict | ||
22 | * build rpm packages using "make rpms" | 26 | * build rpm packages using "make rpms" |
23 | * bugfixes | 27 | * bugfixes |
24 | -- netblue30 <netblue30@yahoo.com> Sun, 3 Apr 2016 08:00:00 -0500 | 28 | -- netblue30 <netblue30@yahoo.com> Sun, 3 Apr 2016 08:00:00 -0500 |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.40~rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.40-rc2' | 583 | PACKAGE_VERSION='0.9.40~rc2' |
584 | PACKAGE_STRING='firejail 0.9.40-rc2' | 584 | PACKAGE_STRING='firejail 0.9.40~rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then | |||
1246 | # Omit some internal or obsolete options to make the list less imposing. | 1246 | # Omit some internal or obsolete options to make the list less imposing. |
1247 | # This message is too long to be a string in the A/UX 3.1 sh. | 1247 | # This message is too long to be a string in the A/UX 3.1 sh. |
1248 | cat <<_ACEOF | 1248 | cat <<_ACEOF |
1249 | \`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems. | 1249 | \`configure' configures firejail 0.9.40~rc2 to adapt to many kinds of systems. |
1250 | 1250 | ||
1251 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1251 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1252 | 1252 | ||
@@ -1307,7 +1307,7 @@ fi | |||
1307 | 1307 | ||
1308 | if test -n "$ac_init_help"; then | 1308 | if test -n "$ac_init_help"; then |
1309 | case $ac_init_help in | 1309 | case $ac_init_help in |
1310 | short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";; | 1310 | short | recursive ) echo "Configuration of firejail 0.9.40~rc2:";; |
1311 | esac | 1311 | esac |
1312 | cat <<\_ACEOF | 1312 | cat <<\_ACEOF |
1313 | 1313 | ||
@@ -1403,7 +1403,7 @@ fi | |||
1403 | test -n "$ac_init_help" && exit $ac_status | 1403 | test -n "$ac_init_help" && exit $ac_status |
1404 | if $ac_init_version; then | 1404 | if $ac_init_version; then |
1405 | cat <<\_ACEOF | 1405 | cat <<\_ACEOF |
1406 | firejail configure 0.9.40-rc2 | 1406 | firejail configure 0.9.40~rc2 |
1407 | generated by GNU Autoconf 2.69 | 1407 | generated by GNU Autoconf 2.69 |
1408 | 1408 | ||
1409 | Copyright (C) 2012 Free Software Foundation, Inc. | 1409 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF | |||
1705 | This file contains any messages produced by compilers while | 1705 | This file contains any messages produced by compilers while |
1706 | running configure, to aid debugging if configure makes a mistake. | 1706 | running configure, to aid debugging if configure makes a mistake. |
1707 | 1707 | ||
1708 | It was created by firejail $as_me 0.9.40-rc2, which was | 1708 | It was created by firejail $as_me 0.9.40~rc2, which was |
1709 | generated by GNU Autoconf 2.69. Invocation command line was | 1709 | generated by GNU Autoconf 2.69. Invocation command line was |
1710 | 1710 | ||
1711 | $ $0 $@ | 1711 | $ $0 $@ |
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4184 | # report actual input values of CONFIG_FILES etc. instead of their | 4184 | # report actual input values of CONFIG_FILES etc. instead of their |
4185 | # values after options handling. | 4185 | # values after options handling. |
4186 | ac_log=" | 4186 | ac_log=" |
4187 | This file was extended by firejail $as_me 0.9.40-rc2, which was | 4187 | This file was extended by firejail $as_me 0.9.40~rc2, which was |
4188 | generated by GNU Autoconf 2.69. Invocation command line was | 4188 | generated by GNU Autoconf 2.69. Invocation command line was |
4189 | 4189 | ||
4190 | CONFIG_FILES = $CONFIG_FILES | 4190 | CONFIG_FILES = $CONFIG_FILES |
@@ -4238,7 +4238,7 @@ _ACEOF | |||
4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4240 | ac_cs_version="\\ | 4240 | ac_cs_version="\\ |
4241 | firejail config.status 0.9.40-rc2 | 4241 | firejail config.status 0.9.40~rc2 |
4242 | configured by $0, generated by GNU Autoconf 2.69, | 4242 | configured by $0, generated by GNU Autoconf 2.69, |
4243 | with options \\"\$ac_cs_config\\" | 4243 | with options \\"\$ac_cs_config\\" |
4244 | 4244 | ||
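--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.40~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 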
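--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,4 +1,5 @@
 # Atril profile
+noblacklist ~/.config/atril
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -7,6 +8,10 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
-netfilter
+net none
 noroot
 tracelog
+
+mkdir ~/.config
+mkdir ~/.config/atril
+whitelist ~/.config/atril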
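Review bot: `protocol unix,inet,inet6` is left as it was even though the second hunk replaces `netfilter` with `net none`. If Atril needs no loopback sockets, the filter can be narrowed to `protocol unix`, as the okular and gwenview profiles in this same commit do, so that the seccomp protocol list matches the no-network intent. Separately, `whitelist ~/.config/atril` is the only home whitelist, which presumably hides the rest of the home directory from a document viewer; that is worth confirming as intended and documenting with a comment such as `# only Atril's own settings are visible; documents must be opened from outside ~`.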
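--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+
+# Noblacklist
+noblacklist ~/.config/aweather
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather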
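--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,4 +1,6 @@
 # cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python2*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc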
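--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -26,6 +26,14 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
@@ -133,3 +141,5 @@ blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper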
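--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,9 +5,18 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ~/.kde/share/apps/okular
+blacklist ~/.kde/share/config/okularrc
+blacklist ~/.kde/share/config/okularpartrc
+blacklist ~/.kde/share/apps/gwenview
+blacklist ~/.kde/share/config/gwenviewrc
 
 # Media players
 blacklist ${HOME}/.config/cmus
@@ -54,6 +63,7 @@ blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.config/wesnoth
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
 
 # Cryptocoins
 blacklist ${HOME}/.*coin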
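Review bot: `blacklist ${HOME}/.warzone2100-3.1` in the second hunk pins one release of the game, so a data directory created by any other version would stay visible to every other sandboxed program. This file already uses globs (`${HOME}/.*coin`), so `blacklist ${HOME}/.warzone2100-*` would cover future versions; the matching `noblacklist`, `mkdir` and `whitelist` lines in etc/warzone2100.profile would presumably need to follow. The first hunk also mixes `~/.kde/...` with the `${HOME}/...` spelling used by every neighbouring line; one form throughout makes the list easier to audit.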
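--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,17 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+netfilter
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player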
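Review bot: `whitelist ~/.config/Google Play Music Desktop Player` has no `mkdir` lines before it, unlike the aweather, gpredict and stellarium profiles added in this commit. On a first run, before the directory exists, the whitelist presumably has nothing to bind and the player's settings would be written to the temporary home and lost; confirm this, and that `mkdir` accepts a path containing spaces. If so, add `mkdir ~/.config` and `mkdir ~/.config/Google Play Music Desktop Player` above the whitelist. The two commented-out pulse whitelists should either get a one-line reason or be removed, so the next reader knows whether audio configuration is meant to be reachable from the sandbox.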
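--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gpredict.
+
+# Noblacklist
+noblacklist ~/.config/Gpredict
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict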
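--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,19 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
+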
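--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,5 +1,6 @@
 # HexChat instant messaging profile
 noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/lib/python2*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -8,3 +9,8 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 noroot
+netfilter
+
+mkdir ~/.config
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat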
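--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
+
+
+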
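Review bot: The `# lastpass, keepassx` block whitelists `~/.keepassx`, `~/.config/keepassx`, `~/keepassx.kdbx` and the LastPass directories into the NetSurf sandbox, and the profile does not include `disable-passwdmgr.inc`, which the other new profiles in this commit pull in. This looks carried over from the Firefox profile, since line 1 still reads "Firejail profile for Mozilla Firefox (Iceweasel in Debian)". Unless NetSurf actually integrates with these password managers, a compromised browser process gains read access to the password database for no benefit. I would drop the five password-manager whitelist lines, add `include /etc/firejail/disable-passwdmgr.inc`, and correct the header to `# Firejail profile for NetSurf`.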
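--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,21 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
+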
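--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium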
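--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,19 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1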
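Review bot: The whitelist on lines 18–19 is pinned to `~/.warzone2100-3.1`, so a different game release that uses another directory name would fall outside it. Under firejail's whitelist handling that data would presumably live only in the sandbox's temporary home and be lost on exit, and `mkdir` would keep creating an unused 3.1 directory. Line 2 mentions the supported version but not the consequence; I would extend it to `# Currently supports warzone2100-3.1; update the noblacklist/mkdir/whitelist paths when the version changes, other ~/.warzone2100-* directories are not persistent in the sandbox`.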
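--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -83,3 +83,11 @@
 /etc/firejail/palemoon.profile
 /etc/firejail/abrowser.profile
 /etc/firejail/0ad.profile
+/etc/firejail/netsurf.profile
+/etc/firejail/warzone2100.profile
+/etc/firejail/okular.profile
+/etc/firejail/gwenview.profile
+/etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile
+/etc/firejail/google-play-music-desktop-player.profile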
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index e365af2d6..e1799d7a6 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec | |||
@@ -33,16 +33,21 @@ rm -rf %{buildroot} | |||
33 | %doc | 33 | %doc |
34 | %defattr(-, root, root, -) | 34 | %defattr(-, root, root, -) |
35 | %attr(4755, -, -) %{_bindir}/__NAME__ | 35 | %attr(4755, -, -) %{_bindir}/__NAME__ |
36 | %{_bindir}/firecfg | ||
36 | %{_bindir}/firemon | 37 | %{_bindir}/firemon |
38 | %{_libdir}/__NAME__/firecfg.config | ||
37 | %{_libdir}/__NAME__/ftee | 39 | %{_libdir}/__NAME__/ftee |
38 | %{_libdir}/__NAME__/fshaper.sh | 40 | %{_libdir}/__NAME__/fshaper.sh |
39 | %{_libdir}/__NAME__/libtrace.so | 41 | %{_libdir}/__NAME__/libtrace.so |
40 | %{_libdir}/__NAME__/libtracelog.so | 42 | %{_libdir}/__NAME__/libtracelog.so |
41 | %{_datarootdir}/bash-completion/completions/__NAME__ | 43 | %{_datarootdir}/bash-completion/completions/__NAME__ |
44 | %{_datarootdir}/bash-completion/completions/firecfg | ||
42 | %{_datarootdir}/bash-completion/completions/firemon | 45 | %{_datarootdir}/bash-completion/completions/firemon |
43 | %{_docdir}/__NAME__ | 46 | %{_docdir}/__NAME__ |
44 | %{_mandir}/man1/__NAME__.1.gz | 47 | %{_mandir}/man1/__NAME__.1.gz |
48 | %{_mandir}/man1/firecfg.1.gz | ||
45 | %{_mandir}/man1/firemon.1.gz | 49 | %{_mandir}/man1/firemon.1.gz |
50 | %{_mandir}/man5/__NAME__-config.5.gz | ||
46 | %{_mandir}/man5/__NAME__-login.5.gz | 51 | %{_mandir}/man5/__NAME__-login.5.gz |
47 | %{_mandir}/man5/__NAME__-profile.5.gz | 52 | %{_mandir}/man5/__NAME__-profile.5.gz |
48 | %config %{_sysconfdir}/__NAME__ | 53 | %config %{_sysconfdir}/__NAME__ |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c28f8e352..3812ee7d8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -2,6 +2,13 @@ | |||
2 | # This is the list of programs handled by firecfg utility | 2 | # This is the list of programs handled by firecfg utility |
3 | # | 3 | # |
4 | 4 | ||
5 | # astronomy | ||
6 | gpredict | ||
7 | stellarium | ||
8 | |||
9 | # weather/climate | ||
10 | aweather | ||
11 | |||
5 | # browsers/email | 12 | # browsers/email |
6 | firefox | 13 | firefox |
7 | iceweasel | 14 | iceweasel |
@@ -27,6 +34,7 @@ seamonkey-bin | |||
27 | vivaldi-beta | 34 | vivaldi-beta |
28 | vivaldi | 35 | vivaldi |
29 | dillo | 36 | dillo |
37 | netsurf | ||
30 | 38 | ||
31 | # bittorrent/ftp | 39 | # bittorrent/ftp |
32 | deluge | 40 | deluge |
@@ -50,6 +58,8 @@ loweb | |||
50 | lowriter | 58 | lowriter |
51 | Mathematica | 59 | Mathematica |
52 | mathematica | 60 | mathematica |
61 | gwenview | ||
62 | okular | ||
53 | 63 | ||
54 | # Media | 64 | # Media |
55 | vlc | 65 | vlc |
@@ -72,5 +82,7 @@ quassel | |||
72 | xchat | 82 | xchat |
73 | 83 | ||
74 | # games | 84 | # games |
85 | 0ad | ||
75 | hedgewars | 86 | hedgewars |
76 | wesnot | 87 | wesnot |
88 | warzone2100 | ||
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 70d29a3ed..f0f2aaeb7 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -49,7 +49,7 @@ static void usage(void) { | |||
49 | printf(" /usr/local/bin/firefox\n"); | 49 | printf(" /usr/local/bin/firefox\n"); |
50 | printf(" /usr/local/bin/vlc\n"); | 50 | printf(" /usr/local/bin/vlc\n"); |
51 | printf(" [...]\n"); | 51 | printf(" [...]\n"); |
52 | printf(" $ sudo firecfg --clear\n"); | 52 | printf(" $ sudo firecfg --clean\n"); |
53 | printf(" /usr/local/bin/firefox removed\n"); | 53 | printf(" /usr/local/bin/firefox removed\n"); |
54 | printf(" /usr/local/bin/vlc removed\n"); | 54 | printf(" /usr/local/bin/vlc removed\n"); |
55 | printf(" [...]\n"); | 55 | printf(" [...]\n"); |
@@ -79,7 +79,8 @@ static int find(const char *program, const char *directory) { | |||
79 | static int which(const char *program) { | 79 | static int which(const char *program) { |
80 | // check some well-known paths | 80 | // check some well-known paths |
81 | if (find(program, "/bin") || find(program, "/usr/bin") || | 81 | if (find(program, "/bin") || find(program, "/usr/bin") || |
82 | find(program, "/sbin") || find(program, "/usr/sbin")) | 82 | find(program, "/sbin") || find(program, "/usr/sbin") || |
83 | find(program, "/usr/games")) | ||
83 | return 1; | 84 | return 1; |
84 | 85 | ||
85 | // check environment | 86 | // check environment |
@@ -268,7 +269,7 @@ static void set(void) { | |||
268 | // empty line | 269 | // empty line |
269 | if (*start == '\0') | 270 | if (*start == '\0') |
270 | continue; | 271 | continue; |
271 | 272 | ||
272 | // set link | 273 | // set link |
273 | set_file(start, firejail_exec); | 274 | set_file(start, firejail_exec); |
274 | } | 275 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 24ea53476..302883310 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -256,6 +256,8 @@ extern int arg_join_network; // join only the network namespace | |||
256 | extern int arg_join_filesystem; // join only the mount namespace | 256 | extern int arg_join_filesystem; // join only the mount namespace |
257 | extern int arg_nice; // nice value configured | 257 | extern int arg_nice; // nice value configured |
258 | extern int arg_ipc; // enable ipc namespace | 258 | extern int arg_ipc; // enable ipc namespace |
259 | extern int arg_writable_etc; // writable etc | ||
260 | extern int arg_writable_var; // writable var | ||
259 | 261 | ||
260 | extern int parent_to_child_fds[2]; | 262 | extern int parent_to_child_fds[2]; |
261 | extern int child_to_parent_fds[2]; | 263 | extern int child_to_parent_fds[2]; |
@@ -566,5 +568,10 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
566 | #define CFG_MAX 8 // this should always be the last entry | 568 | #define CFG_MAX 8 // this should always be the last entry |
567 | int checkcfg(int val); | 569 | int checkcfg(int val); |
568 | 570 | ||
571 | // fs_rdwr.c | ||
572 | void fs_rdwr_add(const char *path); | ||
573 | void fs_rdwr(void); | ||
574 | |||
575 | |||
569 | #endif | 576 | #endif |
570 | 577 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ee76d096..171b4848c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -726,7 +726,14 @@ static void disable_firejail_config(void) { | |||
726 | // build a basic read-only filesystem | 726 | // build a basic read-only filesystem |
727 | void fs_basic_fs(void) { | 727 | void fs_basic_fs(void) { |
728 | if (arg_debug) | 728 | if (arg_debug) |
729 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n"); | 729 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); |
730 | if (!arg_writable_etc) { | ||
731 | fs_rdonly("/etc"); | ||
732 | } | ||
733 | if (!arg_writable_var) { | ||
734 | fs_rdonly("/var"); | ||
735 | } | ||
736 | if (arg_debug) printf("\n"); | ||
730 | fs_rdonly("/bin"); | 737 | fs_rdonly("/bin"); |
731 | fs_rdonly("/sbin"); | 738 | fs_rdonly("/sbin"); |
732 | fs_rdonly("/lib"); | 739 | fs_rdonly("/lib"); |
@@ -734,8 +741,6 @@ void fs_basic_fs(void) { | |||
734 | fs_rdonly("/lib32"); | 741 | fs_rdonly("/lib32"); |
735 | fs_rdonly("/libx32"); | 742 | fs_rdonly("/libx32"); |
736 | fs_rdonly("/usr"); | 743 | fs_rdonly("/usr"); |
737 | fs_rdonly("/etc"); | ||
738 | fs_rdonly("/var"); | ||
739 | 744 | ||
740 | // update /var directory in order to support multiple sandboxes running on the same root directory | 745 | // update /var directory in order to support multiple sandboxes running on the same root directory |
741 | if (!arg_private_dev) | 746 | if (!arg_private_dev) |
@@ -750,7 +755,16 @@ void fs_basic_fs(void) { | |||
750 | // don't leak user information | 755 | // don't leak user information |
751 | restrict_users(); | 756 | restrict_users(); |
752 | 757 | ||
753 | disable_firejail_config(); | 758 | // when starting as root, firejail config is not disabled; |
759 | // this mode could be used to install and test new software by chaining | ||
760 | // firejail sandboxes (firejail --force) | ||
761 | if (getuid() != 0) | ||
762 | disable_firejail_config(); | ||
763 | else | ||
764 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
765 | |||
766 | if (getuid() == 0) | ||
767 | fs_rdwr(); | ||
754 | } | 768 | } |
755 | 769 | ||
756 | 770 | ||
@@ -967,13 +981,13 @@ void fs_overlayfs(void) { | |||
967 | // don't leak user information | 981 | // don't leak user information |
968 | restrict_users(); | 982 | restrict_users(); |
969 | 983 | ||
970 | // when starting as root in overlay mode, firejail config is not disabled; | 984 | // when starting as root, firejail config is not disabled; |
971 | // this mode could be used to install and test new software by chaining | 985 | // this mode could be used to install and test new software by chaining |
972 | // firejail sandboxes (firejail --force) | 986 | // firejail sandboxes (firejail --force) |
973 | if (getuid() != 0) | 987 | if (getuid() != 0) |
974 | disable_firejail_config(); | 988 | disable_firejail_config(); |
975 | else | 989 | else |
976 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n"); | 990 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); |
977 | 991 | ||
978 | // cleanup and exit | 992 | // cleanup and exit |
979 | free(option); | 993 | free(option); |
@@ -1104,7 +1118,13 @@ void fs_chroot(const char *rootdir) { | |||
1104 | // don't leak user information | 1118 | // don't leak user information |
1105 | restrict_users(); | 1119 | restrict_users(); |
1106 | 1120 | ||
1107 | disable_firejail_config(); | 1121 | // when starting as root, firejail config is not disabled; |
1122 | // this mode could be used to install and test new software by chaining | ||
1123 | // firejail sandboxes (firejail --force) | ||
1124 | if (getuid() != 0) | ||
1125 | disable_firejail_config(); | ||
1126 | else | ||
1127 | fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); | ||
1108 | } | 1128 | } |
1109 | #endif | 1129 | #endif |
1110 | 1130 | ||
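Review bot: The debug line in fs_basic_fs() (new line 729) no longer names /etc and /var even when both are still remounted read-only, and its newline now comes from a separate `if (arg_debug) printf("\n");`. A single call such as `printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr%s%s\n", arg_writable_etc ? "" : ", /etc", arg_writable_var ? "" : ", /var");` keeps the log accurate for someone auditing what the sandbox actually mounted. fs_rdwr() is called only at the end of fs_basic_fs(), so read-write entries look to be ignored without any message in fs_overlayfs() and fs_chroot(); their bodies are mostly outside these hunks, so this should be confirmed. The same `getuid() != 0` block and warning now appear three times and could move into one helper, which would also let the two adjacent getuid() tests in fs_basic_fs() become a single if/else.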
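--- /dev/null
+++ b/src/firejail/fs_rdwr.c
@@ -0,0 +1,93 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+typedef struct rdwr_t {
+struct rdwr_t *next;
+const char *path;
+} RDWR;
+
+RDWR *rdwr = NULL;
+
+void fs_rdwr_add(const char *path) {
+// verify path
+if (*path != '/') {
+fprintf(stderr, "Error: invalid path for read-write command\n");
+exit(1);
+}
+invalid_filename(path);
+if (is_link(path)) {
+fprintf(stderr, "Error: invalid symbolic link for read-write command\n");
+exit(1);
+}
+if (strstr(path, "..")) {
+fprintf(stderr, "Error: invalid path for read-write command\n");
+exit(1);
+}
+
+// print warning if the file doesn't exist
+struct stat s;
+if (stat(path, &s) == -1) {
+fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path);
+return;
+}
+
+// build list entry
+RDWR *r = malloc(sizeof(RDWR));
+if (!r)
+errExit("malloc");
+memset(r, 0, sizeof(RDWR));
+r->path = path;
+
+// add
+r->next = rdwr;
+rdwr = r;
+}
+
+static void mount_rdwr(const char *path) {
+assert(path);
+// check directory exists
+struct stat s;
+int rv = stat(path, &s);
+if (rv == 0) {
+// mount --bind /bin /bin
+if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount read-write");
+// mount --bind -o remount,rw /bin
+if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+errExit("mount read-write");
+fs_logger2("read-write", path);
+}
+}
+
+void fs_rdwr(void) {
+RDWR *ptr = rdwr;
+
+while (ptr) {
+mount_rdwr(ptr->path);
+ptr = ptr->next;
+}
+}
+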
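Review bot: In mount_rdwr() the remount on line 79 passes only `MS_BIND|MS_REMOUNT|MS_REC`, which as far as I can tell also clears nosuid, nodev and noexec when the underlying mount carried them, so a read-write entry may relax more than write access. Reading the current flags with statvfs() and passing them back in the remount keeps those restrictions; this needs `<sys/statvfs.h>` in the include list, and ST_NODEV and ST_NOEXEC are glibc extensions. Separately, fs_rdwr_add() stores the caller's `path` pointer without copying it, and the symlink check runs when the entry is added rather than when it is mounted; a comment stating both assumptions would help. The `/bin` comments on lines 75 and 78 look copied from the read-only code and should name the generic path.

```c
static void mount_rdwr(const char *path) {
	assert(path);
	// nothing to do if the path disappeared since it was added
	struct stat s;
	if (stat(path, &s) != 0)
		return;

	// carry over the restrictive flags of the existing mount; only read-only is dropped
	struct statvfs vfs;
	if (statvfs(path, &vfs) == -1)
		errExit("statvfs");
	unsigned long keep = 0;
	if (vfs.f_flag & ST_NOSUID)
		keep |= MS_NOSUID;
	if (vfs.f_flag & ST_NODEV)
		keep |= MS_NODEV;
	if (vfs.f_flag & ST_NOEXEC)
		keep |= MS_NOEXEC;

	// mount --bind path path
	if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
		errExit("mount read-write");
	// mount --bind -o remount,rw path
	if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC|keep, NULL) < 0)
		errExit("mount read-write");
	fs_logger2("read-write", path);
}
```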
diff --git a/src/firejail/main.c b/src/firejail/main.c index bdf960b96..54b9c05f0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -96,6 +96,8 @@ int arg_join_network = 0; // join only the network namespace | |||
96 | int arg_join_filesystem = 0; // join only the mount namespace | 96 | int arg_join_filesystem = 0; // join only the mount namespace |
97 | int arg_nice = 0; // nice value configured | 97 | int arg_nice = 0; // nice value configured |
98 | int arg_ipc = 0; // enable ipc namespace | 98 | int arg_ipc = 0; // enable ipc namespace |
99 | int arg_writable_etc = 0; // writable etc | ||
100 | int arg_writable_var = 0; // writable var | ||
99 | 101 | ||
100 | int parent_to_child_fds[2]; | 102 | int parent_to_child_fds[2]; |
101 | int child_to_parent_fds[2]; | 103 | int child_to_parent_fds[2]; |
@@ -1095,6 +1097,14 @@ int main(int argc, char **argv) { | |||
1095 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1097 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1096 | profile_add(line); | 1098 | profile_add(line); |
1097 | } | 1099 | } |
1100 | else if (strncmp(argv[i], "--read-write=", 13) == 0) { | ||
1101 | char *line; | ||
1102 | if (asprintf(&line, "read-write %s", argv[i] + 13) == -1) | ||
1103 | errExit("asprintf"); | ||
1104 | |||
1105 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1106 | // profile_add(line); is not necessary | ||
1107 | } | ||
1098 | else if (strcmp(argv[i], "--overlay") == 0) { | 1108 | else if (strcmp(argv[i], "--overlay") == 0) { |
1099 | if (cfg.chrootdir) { | 1109 | if (cfg.chrootdir) { |
1100 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1110 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
@@ -1154,23 +1164,27 @@ int main(int argc, char **argv) { | |||
1154 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | 1164 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); |
1155 | exit(1); | 1165 | exit(1); |
1156 | } | 1166 | } |
1157 | invalid_filename(argv[i] + 10); | 1167 | |
1168 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); | ||
1169 | if (!ppath) | ||
1170 | errExit("strdup"); | ||
1171 | invalid_filename(ppath); | ||
1158 | 1172 | ||
1159 | // multiple profile files are allowed! | 1173 | // multiple profile files are allowed! |
1160 | char *ptr = argv[i] + 10; | 1174 | if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { |
1161 | if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { | ||
1162 | fprintf(stderr, "Error: invalid profile file\n"); | 1175 | fprintf(stderr, "Error: invalid profile file\n"); |
1163 | exit(1); | 1176 | exit(1); |
1164 | } | 1177 | } |
1165 | 1178 | ||
1166 | // access call checks as real UID/GID, not as effective UID/GID | 1179 | // access call checks as real UID/GID, not as effective UID/GID |
1167 | if (access(argv[i] + 10, R_OK)) { | 1180 | if (access(ppath, R_OK)) { |
1168 | fprintf(stderr, "Error: cannot access profile file\n"); | 1181 | fprintf(stderr, "Error: cannot access profile file\n"); |
1169 | return 1; | 1182 | return 1; |
1170 | } | 1183 | } |
1171 | 1184 | ||
1172 | profile_read(argv[i] + 10); | 1185 | profile_read(ppath); |
1173 | custom_profile = 1; | 1186 | custom_profile = 1; |
1187 | free(ppath); | ||
1174 | } | 1188 | } |
1175 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { | 1189 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { |
1176 | if (arg_noprofile) { | 1190 | if (arg_noprofile) { |
@@ -1268,6 +1282,24 @@ int main(int argc, char **argv) { | |||
1268 | 1282 | ||
1269 | } | 1283 | } |
1270 | #endif | 1284 | #endif |
1285 | else if (strcmp(argv[i], "--writable-etc") == 0) { | ||
1286 | if (getuid() != 0) { | ||
1287 | fprintf(stderr, "Error: --writable-etc is available only for root user\n"); | ||
1288 | exit(1); | ||
1289 | } | ||
1290 | if (cfg.etc_private_keep) { | ||
1291 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
1292 | exit(1); | ||
1293 | } | ||
1294 | arg_writable_etc = 1; | ||
1295 | } | ||
1296 | else if (strcmp(argv[i], "--writable-var") == 0) { | ||
1297 | if (getuid() != 0) { | ||
1298 | fprintf(stderr, "Error: --writable-var is available only for root user\n"); | ||
1299 | exit(1); | ||
1300 | } | ||
1301 | arg_writable_var = 1; | ||
1302 | } | ||
1271 | else if (strcmp(argv[i], "--private") == 0) | 1303 | else if (strcmp(argv[i], "--private") == 0) |
1272 | arg_private = 1; | 1304 | arg_private = 1; |
1273 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1305 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
@@ -1284,6 +1316,11 @@ int main(int argc, char **argv) { | |||
1284 | arg_private_dev = 1; | 1316 | arg_private_dev = 1; |
1285 | } | 1317 | } |
1286 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 1318 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
1319 | if (arg_writable_etc) { | ||
1320 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
1321 | exit(1); | ||
1322 | } | ||
1323 | |||
1287 | // extract private etc list | 1324 | // extract private etc list |
1288 | cfg.etc_private_keep = argv[i] + 14; | 1325 | cfg.etc_private_keep = argv[i] + 14; |
1289 | if (*cfg.etc_private_keep == '\0') { | 1326 | if (*cfg.etc_private_keep == '\0') { |
@@ -1522,17 +1559,17 @@ int main(int argc, char **argv) { | |||
1522 | Bridge *br = last_bridge_configured(); | 1559 | Bridge *br = last_bridge_configured(); |
1523 | if (br == NULL) { | 1560 | if (br == NULL) { |
1524 | fprintf(stderr, "Error: no network device configured\n"); | 1561 | fprintf(stderr, "Error: no network device configured\n"); |
1525 | return 1; | 1562 | exit(1); |
1526 | } | 1563 | } |
1527 | if (mac_not_zero(br->macsandbox)) { | 1564 | if (mac_not_zero(br->macsandbox)) { |
1528 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | 1565 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); |
1529 | return 1; | 1566 | exit(1); |
1530 | } | 1567 | } |
1531 | 1568 | ||
1532 | // read the address | 1569 | // read the address |
1533 | if (atomac(argv[i] + 6, br->macsandbox)) { | 1570 | if (atomac(argv[i] + 6, br->macsandbox)) { |
1534 | fprintf(stderr, "Error: invalid MAC address\n"); | 1571 | fprintf(stderr, "Error: invalid MAC address\n"); |
1535 | return 1; | 1572 | exit(1); |
1536 | } | 1573 | } |
1537 | } | 1574 | } |
1538 | else { | 1575 | else { |
@@ -1546,12 +1583,12 @@ int main(int argc, char **argv) { | |||
1546 | Bridge *br = last_bridge_configured(); | 1583 | Bridge *br = last_bridge_configured(); |
1547 | if (br == NULL) { | 1584 | if (br == NULL) { |
1548 | fprintf(stderr, "Error: no network device configured\n"); | 1585 | fprintf(stderr, "Error: no network device configured\n"); |
1549 | return 1; | 1586 | exit(1); |
1550 | } | 1587 | } |
1551 | 1588 | ||
1552 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | 1589 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { |
1553 | fprintf(stderr, "Error: invalid mtu value\n"); | 1590 | fprintf(stderr, "Error: invalid mtu value\n"); |
1554 | return 1; | 1591 | exit(1); |
1555 | } | 1592 | } |
1556 | } | 1593 | } |
1557 | else { | 1594 | else { |
@@ -1565,11 +1602,11 @@ int main(int argc, char **argv) { | |||
1565 | Bridge *br = last_bridge_configured(); | 1602 | Bridge *br = last_bridge_configured(); |
1566 | if (br == NULL) { | 1603 | if (br == NULL) { |
1567 | fprintf(stderr, "Error: no network device configured\n"); | 1604 | fprintf(stderr, "Error: no network device configured\n"); |
1568 | return 1; | 1605 | exit(1); |
1569 | } | 1606 | } |
1570 | if (br->arg_ip_none || br->ipsandbox) { | 1607 | if (br->arg_ip_none || br->ipsandbox) { |
1571 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | 1608 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); |
1572 | return 1; | 1609 | exit(1); |
1573 | } | 1610 | } |
1574 | 1611 | ||
1575 | // configure this IP address for the last bridge defined | 1612 | // configure this IP address for the last bridge defined |
@@ -1578,7 +1615,7 @@ int main(int argc, char **argv) { | |||
1578 | else { | 1615 | else { |
1579 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1616 | if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1580 | fprintf(stderr, "Error: invalid IP address\n"); | 1617 | fprintf(stderr, "Error: invalid IP address\n"); |
1581 | return 1; | 1618 | exit(1); |
1582 | } | 1619 | } |
1583 | } | 1620 | } |
1584 | } | 1621 | } |
@@ -1593,11 +1630,11 @@ int main(int argc, char **argv) { | |||
1593 | Bridge *br = last_bridge_configured(); | 1630 | Bridge *br = last_bridge_configured(); |
1594 | if (br == NULL) { | 1631 | if (br == NULL) { |
1595 | fprintf(stderr, "Error: no network device configured\n"); | 1632 | fprintf(stderr, "Error: no network device configured\n"); |
1596 | return 1; | 1633 | exit(1); |
1597 | } | 1634 | } |
1598 | if (br->arg_ip_none || br->ip6sandbox) { | 1635 | if (br->arg_ip_none || br->ip6sandbox) { |
1599 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | 1636 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); |
1600 | return 1; | 1637 | exit(1); |
1601 | } | 1638 | } |
1602 | 1639 | ||
1603 | // configure this IP address for the last bridge defined | 1640 | // configure this IP address for the last bridge defined |
@@ -1605,7 +1642,7 @@ int main(int argc, char **argv) { | |||
1605 | br->ip6sandbox = argv[i] + 6; | 1642 | br->ip6sandbox = argv[i] + 6; |
1606 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1643 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1607 | // fprintf(stderr, "Error: invalid IP address\n"); | 1644 | // fprintf(stderr, "Error: invalid IP address\n"); |
1608 | // return 1; | 1645 | // exit(1); |
1609 | // } | 1646 | // } |
1610 | } | 1647 | } |
1611 | else { | 1648 | else { |
@@ -1619,7 +1656,7 @@ int main(int argc, char **argv) { | |||
1619 | if (checkcfg(CFG_NETWORK)) { | 1656 | if (checkcfg(CFG_NETWORK)) { |
1620 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { | 1657 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { |
1621 | fprintf(stderr, "Error: invalid IP address\n"); | 1658 | fprintf(stderr, "Error: invalid IP address\n"); |
1622 | return 1; | 1659 | exit(1); |
1623 | } | 1660 | } |
1624 | } | 1661 | } |
1625 | else { | 1662 | else { |
@@ -2084,8 +2121,10 @@ int main(int argc, char **argv) { | |||
2084 | close(parent_to_child_fds[1]); | 2121 | close(parent_to_child_fds[1]); |
2085 | 2122 | ||
2086 | EUID_ROOT(); | 2123 | EUID_ROOT(); |
2087 | if (lockfd != -1) | 2124 | if (lockfd != -1) { |
2088 | flock(lockfd, LOCK_UN); | 2125 | flock(lockfd, LOCK_UN); |
2126 | close(lockfd); | ||
2127 | } | ||
2089 | 2128 | ||
2090 | // create name file under /run/firejail | 2129 | // create name file under /run/firejail |
2091 | 2130 | ||
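Review bot: The root-only and mutual-exclusion checks for `--writable-etc` and `--writable-var` (new lines 1285–1302) repeat logic this commit also adds to profile_check_line() in profile.c, so a privilege check now has two copies that must be kept in step. The `--read-write=` branch in this same file already hands its option to profile_check_line(); routing the two writable options the same way would leave a single enforcement point and one set of error messages. In the `--profile=` hunk the label in `errExit("strdup")` does not match the expand_home() call it follows, and the early `return 1` after access() skips `free(ppath)`; that is harmless at exit but inconsistent with the `exit(1)` conversions elsewhere in this commit. main() begins and ends outside these hunks.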
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6ded0ca2f..d358594d9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
319 | return 0; | 319 | return 0; |
320 | } | 320 | } |
321 | 321 | ||
322 | 322 | ||
323 | // from here | ||
324 | else if (strncmp(ptr, "mac ", 4) == 0) { | ||
325 | #ifdef HAVE_NETWORK | ||
326 | if (checkcfg(CFG_NETWORK)) { | ||
327 | Bridge *br = last_bridge_configured(); | ||
328 | if (br == NULL) { | ||
329 | fprintf(stderr, "Error: no network device configured\n"); | ||
330 | exit(1); | ||
331 | } | ||
332 | |||
333 | if (mac_not_zero(br->macsandbox)) { | ||
334 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | ||
335 | exit(1); | ||
336 | } | ||
337 | |||
338 | // read the address | ||
339 | if (atomac(ptr + 4, br->macsandbox)) { | ||
340 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
341 | exit(1); | ||
342 | } | ||
343 | } | ||
344 | else | ||
345 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
346 | #endif | ||
347 | return 0; | ||
348 | } | ||
349 | |||
350 | else if (strncmp(ptr, "mtu ", 4) == 0) { | ||
351 | #ifdef HAVE_NETWORK | ||
352 | if (checkcfg(CFG_NETWORK)) { | ||
353 | Bridge *br = last_bridge_configured(); | ||
354 | if (br == NULL) { | ||
355 | fprintf(stderr, "Error: no network device configured\n"); | ||
356 | exit(1); | ||
357 | } | ||
358 | |||
359 | if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
360 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
361 | exit(1); | ||
362 | } | ||
363 | } | ||
364 | else | ||
365 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
366 | #endif | ||
367 | return 0; | ||
368 | } | ||
369 | |||
370 | else if (strncmp(ptr, "ip ", 3) == 0) { | ||
371 | #ifdef HAVE_NETWORK | ||
372 | if (checkcfg(CFG_NETWORK)) { | ||
373 | Bridge *br = last_bridge_configured(); | ||
374 | if (br == NULL) { | ||
375 | fprintf(stderr, "Error: no network device configured\n"); | ||
376 | exit(1); | ||
377 | } | ||
378 | if (br->arg_ip_none || br->ipsandbox) { | ||
379 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
380 | exit(1); | ||
381 | } | ||
382 | |||
383 | // configure this IP address for the last bridge defined | ||
384 | if (strcmp(ptr + 3, "none") == 0) | ||
385 | br->arg_ip_none = 1; | ||
386 | else { | ||
387 | if (atoip(ptr + 3, &br->ipsandbox)) { | ||
388 | fprintf(stderr, "Error: invalid IP address\n"); | ||
389 | exit(1); | ||
390 | } | ||
391 | } | ||
392 | } | ||
393 | else | ||
394 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
395 | #endif | ||
396 | return 0; | ||
397 | } | ||
398 | |||
399 | else if (strncmp(ptr, "ip6 ", 4) == 0) { | ||
400 | #ifdef HAVE_NETWORK | ||
401 | if (checkcfg(CFG_NETWORK)) { | ||
402 | Bridge *br = last_bridge_configured(); | ||
403 | if (br == NULL) { | ||
404 | fprintf(stderr, "Error: no network device configured\n"); | ||
405 | exit(1); | ||
406 | } | ||
407 | if (br->arg_ip_none || br->ip6sandbox) { | ||
408 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
409 | exit(1); | ||
410 | } | ||
411 | |||
412 | // configure this IP address for the last bridge defined | ||
413 | // todo: verify ipv6 syntax | ||
414 | br->ip6sandbox = ptr + 4; | ||
415 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
416 | // fprintf(stderr, "Error: invalid IP address\n"); | ||
417 | // exit(1); | ||
418 | // } | ||
419 | |||
420 | } | ||
421 | else | ||
422 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
423 | #endif | ||
424 | return 0; | ||
425 | } | ||
426 | |||
427 | else if (strncmp(ptr, "defaultgw ", 10) == 0) { | ||
428 | #ifdef HAVE_NETWORK | ||
429 | if (checkcfg(CFG_NETWORK)) { | ||
430 | Bridge *br = last_bridge_configured(); | ||
431 | if (atoip(ptr + 10, &cfg.defaultgw)) { | ||
432 | fprintf(stderr, "Error: invalid IP address\n"); | ||
433 | exit(1); | ||
434 | } | ||
435 | } | ||
436 | else | ||
437 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
438 | #endif | ||
439 | return 0; | ||
440 | } | ||
441 | |||
323 | if (strncmp(ptr, "protocol ", 9) == 0) { | 442 | if (strncmp(ptr, "protocol ", 9) == 0) { |
324 | #ifdef HAVE_SECCOMP | 443 | #ifdef HAVE_SECCOMP |
325 | if (checkcfg(CFG_SECCOMP)) | 444 | if (checkcfg(CFG_SECCOMP)) |
@@ -451,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
451 | return 0; | 570 | return 0; |
452 | } | 571 | } |
453 | 572 | ||
573 | // writable-etc | ||
574 | if (strcmp(ptr, "writable-etc") == 0) { | ||
575 | if (getuid() != 0) { | ||
576 | fprintf(stderr, "Error: writable-etc is available only for root user\n"); | ||
577 | exit(1); | ||
578 | } | ||
579 | if (cfg.etc_private_keep) { | ||
580 | fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); | ||
581 | exit(1); | ||
582 | } | ||
583 | arg_writable_etc = 1; | ||
584 | return 0; | ||
585 | } | ||
586 | |||
587 | // writable-var | ||
588 | if (strcmp(ptr, "writable-var") == 0) { | ||
589 | if (getuid() != 0) { | ||
590 | fprintf(stderr, "Error: writable-var is available only for root user\n"); | ||
591 | exit(1); | ||
592 | } | ||
593 | arg_writable_var = 1; | ||
594 | return 0; | ||
595 | } | ||
596 | |||
454 | // private directory | 597 | // private directory |
455 | if (strncmp(ptr, "private ", 8) == 0) { | 598 | if (strncmp(ptr, "private ", 8) == 0) { |
456 | cfg.home_private = ptr + 8; | 599 | cfg.home_private = ptr + 8; |
@@ -461,6 +604,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
461 | 604 | ||
462 | // private /etc list of files and directories | 605 | // private /etc list of files and directories |
463 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 606 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
607 | if (arg_writable_etc) { | ||
608 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
609 | exit(1); | ||
610 | } | ||
464 | cfg.etc_private_keep = ptr + 12; | 611 | cfg.etc_private_keep = ptr + 12; |
465 | fs_check_etc_list(); | 612 | fs_check_etc_list(); |
466 | if (*cfg.etc_private_keep != '\0') | 613 | if (*cfg.etc_private_keep != '\0') |
@@ -569,6 +716,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
569 | return 0; | 716 | return 0; |
570 | } | 717 | } |
571 | 718 | ||
719 | // read-write | ||
720 | if (strncmp(ptr, "read-write ", 11) == 0) { | ||
721 | if (getuid() != 0) { | ||
722 | fprintf(stderr, "Error: read-write command is available only for root user\n"); | ||
723 | exit(1); | ||
724 | } | ||
725 | fs_rdwr_add(ptr + 11); | ||
726 | return 0; | ||
727 | } | ||
728 | |||
572 | // rest of filesystem | 729 | // rest of filesystem |
573 | if (strncmp(ptr, "blacklist ", 10) == 0) | 730 | if (strncmp(ptr, "blacklist ", 10) == 0) |
574 | ptr += 10; | 731 | ptr += 10; |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 539785f21..8c738a0fc 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -209,6 +209,7 @@ void usage(void) { | |||
209 | printf("\tcreated for the real user ID of the calling process.\n\n"); | 209 | printf("\tcreated for the real user ID of the calling process.\n\n"); |
210 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); | 210 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); |
211 | printf("\tfor a process.\n\n"); | 211 | printf("\tfor a process.\n\n"); |
212 | printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); | ||
212 | #ifdef HAVE_NETWORK | 213 | #ifdef HAVE_NETWORK |
213 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); | 214 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); |
214 | printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); | 215 | printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); |
@@ -246,6 +247,12 @@ void usage(void) { | |||
246 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); | 247 | printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); |
247 | printf(" --version - print program version and exit.\n\n"); | 248 | printf(" --version - print program version and exit.\n\n"); |
248 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); | 249 | printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); |
250 | |||
251 | printf(" --writable-etc - /etc directory is mounted read-write. This option is\n"); | ||
252 | printf("\tavailable only when running the sandbox as root user.\n\n"); | ||
253 | printf(" --writable-var - /var directory is mounted read-write. This option is\n"); | ||
254 | printf("\tavailable only when running the sandbox as root user.\n\n"); | ||
255 | |||
249 | printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); | 256 | printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); |
250 | printf("\tthen it checks if Xephyr is installed.\n\n"); | 257 | printf("\tthen it checks if Xephyr is installed.\n\n"); |
251 | printf(" --x11=xpra - enable Xpra X11 server.\n\n"); | 258 | printf(" --x11=xpra - enable Xpra X11 server.\n\n"); |
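Review bot: The new `--read-write` help line (new line 212) ends in a doubled period and omits the root-only restriction that the `--writable-etc` and `--writable-var` lines added lower in the same function spell out. The profile parser in src/firejail/profile.c rejects `read-write` for non-root users, so the help text should say so too, since this option relaxes the default read-only mounts. Suggested wording: `printf(" --read-write=dirname_or_filename - set directory or file read-write. This option is\n");` followed by `printf("\tavailable only when running the sandbox as root user.\n\n");`. The body of usage() continues outside both hunks.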
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ef1095a49..985ca9337 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -170,7 +170,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
170 | 170 | ||
171 | // unfortunately, xephyr does a number of weird things when started by root user!!! | 171 | // unfortunately, xephyr does a number of weird things when started by root user!!! |
172 | if (getuid() == 0) { | 172 | if (getuid() == 0) { |
173 | fprintf(stderr, "Error: this feature is not available when running as root\n"); | 173 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
174 | exit(1); | 174 | exit(1); |
175 | } | 175 | } |
176 | 176 | ||
@@ -292,7 +292,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
292 | 292 | ||
293 | // unfortunately, xpra does a number of weird things when started by root user!!! | 293 | // unfortunately, xpra does a number of weird things when started by root user!!! |
294 | if (getuid() == 0) { | 294 | if (getuid() == 0) { |
295 | fprintf(stderr, "Error: this feature is not available when running as root\n"); | 295 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
296 | exit(1); | 296 | exit(1); |
297 | } | 297 | } |
298 | 298 | ||
@@ -410,7 +410,7 @@ void x11_start(int argc, char **argv) { | |||
410 | 410 | ||
411 | // unfortunately, xpra does a number of weird things when started by root user!!! | 411 | // unfortunately, xpra does a number of weird things when started by root user!!! |
412 | if (getuid() == 0) { | 412 | if (getuid() == 0) { |
413 | fprintf(stderr, "Error: this feature is not available when running as root\n"); | 413 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); |
414 | exit(1); | 414 | exit(1); |
415 | } | 415 | } |
416 | 416 | ||
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 89e4202bd..0ff0dd33d 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -26,6 +26,10 @@ | |||
26 | 26 | ||
27 | #define MAXBUF 4096 | 27 | #define MAXBUF 4096 |
28 | 28 | ||
29 | // ip -s link: device stats | ||
30 | // ss -s: socket stats | ||
31 | |||
32 | |||
29 | static char *get_header(void) { | 33 | static char *get_header(void) { |
30 | char *rv; | 34 | char *rv; |
31 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | 35 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index decc1af73..e2e4229b0 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -48,7 +48,7 @@ $ firecfg --list | |||
48 | .br | 48 | .br |
49 | [...] | 49 | [...] |
50 | .br | 50 | .br |
51 | $ sudo firecfg --clear | 51 | $ sudo firecfg --clean |
52 | .br | 52 | .br |
53 | /usr/local/bin/firefox removed | 53 | /usr/local/bin/firefox removed |
54 | .br | 54 | .br |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9045c1122..19063f5ef 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig | |||
122 | blacklist ${HOME}/.ssh | 122 | blacklist ${HOME}/.ssh |
123 | 123 | ||
124 | .TP | 124 | .TP |
125 | \fBread-only file_or_directory | ||
126 | Make directory or file read-only. | ||
127 | .TP | ||
128 | \fBtmpfs directory | ||
129 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
130 | .TP | ||
131 | \fBbind directory1,directory2 | 125 | \fBbind directory1,directory2 |
132 | Mount-bind directory1 on top of directory2. This option is only available when running as root. | 126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
133 | .TP | 127 | .TP |
@@ -135,8 +129,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
135 | Mount-bind file1 on top of file2. This option is only available when running as root. | 129 | Mount-bind file1 on top of file2. This option is only available when running as root. |
136 | .TP | 130 | .TP |
137 | \fBmkdir directory | 131 | \fBmkdir directory |
138 | Create a directory in user home. Use this command for whitelisted directories you need to preserve | 132 | Create a directory in user home before the sandbox is started. |
139 | when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from | 133 | The directory is created if it doesn't already exist. |
134 | .br | ||
135 | |||
136 | .br | ||
137 | Use this command for whitelisted directories you need to preserve | ||
138 | when the sandbox is closed. Without it, the application will create the directory, and the directory | ||
139 | will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from | ||
140 | firefox profile: | 140 | firefox profile: |
141 | .br | 141 | .br |
142 | 142 | ||
@@ -176,13 +176,30 @@ All modifications are discarded when the sandbox is closed. | |||
176 | \fBprivate-tmp | 176 | \fBprivate-tmp |
177 | Mount an empty temporary filesystem on top of /tmp directory. | 177 | Mount an empty temporary filesystem on top of /tmp directory. |
178 | .TP | 178 | .TP |
179 | \fBread-only file_or_directory | ||
180 | Make directory or file read-only. | ||
181 | .TP | ||
182 | \fBread-write file_or_directory | ||
183 | Make directory or file read-write. | ||
184 | .TP | ||
185 | \fBtmpfs directory | ||
186 | Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. | ||
187 | .TP | ||
188 | \fBtracelog | ||
189 | Blacklist violations logged to syslog. | ||
190 | .TP | ||
179 | \fBwhitelist file_or_directory | 191 | \fBwhitelist file_or_directory |
180 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. | 192 | Build a new user home in a temporary filesystem, and mount-bind file_or_directory. |
181 | The modifications to file_or_directory are persistent, everything else is discarded | 193 | The modifications to file_or_directory are persistent, everything else is discarded |
182 | when the sandbox is closed. | 194 | when the sandbox is closed. |
183 | .TP | 195 | .TP |
184 | \fBtracelog | 196 | \fBwritable-etc |
185 | Blacklist violations logged to syslog. | 197 | Mount /etc directory read-write. This option is available only |
198 | when running the sandbox as root user. | ||
199 | .TP | ||
200 | \fBwritable-var | ||
201 | Mount /var directory read-write. This option is available only | ||
202 | when running the sandbox as root user. | ||
186 | .SH Security filters | 203 | .SH Security filters |
187 | The following security filters are currently implemented: | 204 | The following security filters are currently implemented: |
188 | 205 | ||
@@ -284,9 +301,15 @@ Enable IPC namespace. | |||
284 | .TP | 301 | .TP |
285 | \fBnosound | 302 | \fBnosound |
286 | Disable sound system. | 303 | Disable sound system. |
304 | |||
287 | .SH Networking | 305 | .SH Networking |
288 | Networking features available in profile files. | 306 | Networking features available in profile files. |
289 | 307 | ||
308 | .TP | ||
309 | \fBdefaultgw address | ||
310 | Use this address as default gateway in the new network namespace. | ||
311 | |||
312 | .TP | ||
290 | \fBdns address | 313 | \fBdns address |
291 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 314 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
292 | 315 | ||
@@ -295,6 +318,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
295 | Set a hostname for the sandbox. | 318 | Set a hostname for the sandbox. |
296 | 319 | ||
297 | .TP | 320 | .TP |
321 | \fBip address | ||
322 | Assign IP addresses to the last network interface defined by a net command. A | ||
323 | default gateway is assigned by default. | ||
324 | .br | ||
325 | |||
326 | .br | ||
327 | Example: | ||
328 | .br | ||
329 | net eth0 | ||
330 | .br | ||
331 | ip 10.10.20.56 | ||
332 | |||
333 | .TP | ||
334 | \fBip none | ||
335 | No IP address and no default gateway are configured for the last interface | ||
336 | defined by a net command. Use this option | ||
337 | in case you intend to start an external DHCP client in the sandbox. | ||
338 | .br | ||
339 | |||
340 | .br | ||
341 | Example: | ||
342 | .br | ||
343 | net eth0 | ||
344 | .br | ||
345 | ip none | ||
346 | |||
347 | .TP | ||
348 | \fBip6 address | ||
349 | Assign IPv6 addresses to the last network interface defined by a net command. | ||
350 | .br | ||
351 | |||
352 | .br | ||
353 | Example: | ||
354 | .br | ||
355 | net eth0 | ||
356 | .br | ||
357 | ip6 2001:0db8:0:f101::1/64 | ||
358 | |||
359 | .TP | ||
298 | \fBiprange address,address | 360 | \fBiprange address,address |
299 | Assign an IP address in the provided range to the last network | 361 | Assign an IP address in the provided range to the last network |
300 | interface defined by a net command. A default gateway is assigned by default. | 362 | interface defined by a net command. A default gateway is assigned by default. |
@@ -311,6 +373,16 @@ iprange 192.168.1.150,192.168.1.160 | |||
311 | .br | 373 | .br |
312 | 374 | ||
313 | .TP | 375 | .TP |
376 | \fBmac address | ||
377 | Assign MAC addresses to the last network interface defined by a net command. | ||
378 | |||
379 | .TP | ||
380 | \fBmtu number | ||
381 | Assign a MTU value to the last network interface defined by a net command. | ||
382 | |||
383 | |||
384 | |||
385 | .TP | ||
314 | \fBnetfilter | 386 | \fBnetfilter |
315 | If a new network namespace is created, enabled default network filter. | 387 | If a new network namespace is created, enabled default network filter. |
316 | 388 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 23db832c1..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co | |||
50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
51 | 51 | ||
52 | .SH USAGE | 52 | .SH USAGE |
53 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | 53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | 54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the |
55 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | 55 | command line options. The default Firejail filesystem is based on the host filesystem with the main |
56 | Only /home and /tmp are writable. | 56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, |
57 | /libx32 and /lib64. Only /home and /tmp are writable. | ||
57 | .PP | 58 | .PP |
58 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 59 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
59 | If an appropriate profile is not found, Firejail will use a default profile. | 60 | If an appropriate profile is not found, Firejail will use a default profile. |
60 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
61 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. | 62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
62 | .PP | 63 | .PP |
63 | If a program argument is not specified, Firejail starts /bin/bash shell. | 64 | If a program argument is not specified, Firejail starts /bin/bash shell. |
64 | Examples: | 65 | Examples: |
@@ -194,7 +195,8 @@ Example: | |||
194 | 195 | ||
195 | .TP | 196 | .TP |
196 | \fB\-\-chroot=dirname | 197 | \fB\-\-chroot=dirname |
197 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | 198 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
199 | the system directories are mounted read-write. If the sandbox is started as a | ||
198 | regular user, default seccomp and capabilities filters are enabled. This | 200 | regular user, default seccomp and capabilities filters are enabled. This |
199 | option is not available on Grsecurity systems. | 201 | option is not available on Grsecurity systems. |
200 | .br | 202 | .br |
@@ -946,7 +948,8 @@ $ ls -l sandboxlog* | |||
946 | 948 | ||
947 | .TP | 949 | .TP |
948 | \fB\-\-overlay | 950 | \fB\-\-overlay |
949 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. | 951 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
952 | the system directories are mounted read-write. All filesystem modifications go into the overlay. | ||
950 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. | 953 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. |
951 | .br | 954 | .br |
952 | 955 | ||
@@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of | |||
1143 | .TP | 1146 | .TP |
1144 | \fB\-\-rlimit-sigpending=number | 1147 | \fB\-\-rlimit-sigpending=number |
1145 | Set the maximum number of pending signals for a process. | 1148 | Set the maximum number of pending signals for a process. |
1149 | |||
1150 | .TP | ||
1151 | \fB\-\-read-write=dirname_or_filename | ||
1152 | By default, the sandbox mounts system directories read-only. | ||
1153 | These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. | ||
1154 | Use this option to mount read-write files or directories inside the system directories. | ||
1155 | |||
1156 | This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these | ||
1157 | cases the system directories are mounted read-write. | ||
1158 | |||
1146 | .TP | 1159 | .TP |
1147 | \fB\-\-scan | 1160 | \fB\-\-scan |
1148 | ARP-scan all the networks from inside a network namespace. | 1161 | ARP-scan all the networks from inside a network namespace. |
@@ -1462,6 +1475,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | |||
1462 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 1475 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
1463 | 1476 | ||
1464 | .TP | 1477 | .TP |
1478 | \fB\-\-writable-etc | ||
1479 | Mount /etc directory read-write. This option is available only when running the sandbox as root user. | ||
1480 | .br | ||
1481 | |||
1482 | .br | ||
1483 | Example: | ||
1484 | .br | ||
1485 | $ sudo firejail --writable-etc | ||
1486 | |||
1487 | .TP | ||
1488 | \fB\-\-writable-var | ||
1489 | Mount /var directory read-write. This option is available only when running the sandbox as root user. | ||
1490 | .br | ||
1491 | |||
1492 | .br | ||
1493 | Example: | ||
1494 | .br | ||
1495 | $ sudo firejail --writable-var | ||
1496 | |||
1497 | |||
1498 | .TP | ||
1465 | \fB\-\-x11 | 1499 | \fB\-\-x11 |
1466 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. | 1500 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. |
1467 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1501 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger |
diff --git a/test/test-apps.sh b/test/apps/apps.sh index 5ada20549..ff561ef31 100755 --- a/test/test-apps.sh +++ b/test/apps/apps.sh | |||
@@ -1,5 +1,8 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | 2 | ||
3 | export MALLOC_CHECK_=3 | ||
4 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
5 | |||
3 | which firefox | 6 | which firefox |
4 | if [ "$?" -eq 0 ]; | 7 | if [ "$?" -eq 0 ]; |
5 | then | 8 | then |
@@ -27,15 +30,6 @@ else | |||
27 | echo "TESTING: chromium not found" | 30 | echo "TESTING: chromium not found" |
28 | fi | 31 | fi |
29 | 32 | ||
30 | which google-chrome | ||
31 | if [ "$?" -eq 0 ]; | ||
32 | then | ||
33 | echo "TESTING: google-chrome" | ||
34 | ./chromium.exp | ||
35 | else | ||
36 | echo "TESTING: google-chrome not found" | ||
37 | fi | ||
38 | |||
39 | which opera | 33 | which opera |
40 | if [ "$?" -eq 0 ]; | 34 | if [ "$?" -eq 0 ]; |
41 | then | 35 | then |
diff --git a/test/chromium.exp b/test/apps/chromium.exp index 676f7e314..676f7e314 100755 --- a/test/chromium.exp +++ b/test/apps/chromium.exp | |||
diff --git a/test/deluge.exp b/test/apps/deluge.exp index 9f5063495..9f5063495 100755 --- a/test/deluge.exp +++ b/test/apps/deluge.exp | |||
diff --git a/test/evince.exp b/test/apps/evince.exp index 3c3ad4bdd..3c3ad4bdd 100755 --- a/test/evince.exp +++ b/test/apps/evince.exp | |||
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp index d2bee880e..d2bee880e 100755 --- a/test/fbreader.exp +++ b/test/apps/fbreader.exp | |||
diff --git a/test/firefox.exp b/test/apps/firefox.exp index 2585e4b5c..2585e4b5c 100755 --- a/test/firefox.exp +++ b/test/apps/firefox.exp | |||
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 6965322fc..6965322fc 100755 --- a/test/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp | |||
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp index 7e99c8cdf..7e99c8cdf 100755 --- a/test/hexchat.exp +++ b/test/apps/hexchat.exp | |||
diff --git a/test/icedove.exp b/test/apps/icedove.exp index 344febb93..344febb93 100755 --- a/test/icedove.exp +++ b/test/apps/icedove.exp | |||
diff --git a/test/midori.exp b/test/apps/midori.exp index 470f5de77..470f5de77 100755 --- a/test/midori.exp +++ b/test/apps/midori.exp | |||
diff --git a/test/opera.exp b/test/apps/opera.exp index 23eed5504..23eed5504 100755 --- a/test/opera.exp +++ b/test/apps/opera.exp | |||
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 1acfc6f94..1acfc6f94 100755 --- a/test/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp | |||
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp index 944fd28a2..944fd28a2 100755 --- a/test/transmission-qt.exp +++ b/test/apps/transmission-qt.exp | |||
diff --git a/test/vlc.exp b/test/apps/vlc.exp index 290c0fc2f..290c0fc2f 100755 --- a/test/vlc.exp +++ b/test/apps/vlc.exp | |||
diff --git a/test/weechat.exp b/test/apps/weechat.exp index 630af55ee..630af55ee 100755 --- a/test/weechat.exp +++ b/test/apps/weechat.exp | |||
diff --git a/test/wine.exp b/test/apps/wine.exp index f5b7d12b4..f5b7d12b4 100755 --- a/test/wine.exp +++ b/test/apps/wine.exp | |||
diff --git a/test/xchat.exp b/test/apps/xchat.exp index cde89d754..cde89d754 100755 --- a/test/xchat.exp +++ b/test/apps/xchat.exp | |||
diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp new file mode 100755 index 000000000..6f8eee90d --- /dev/null +++ b/test/icedove-x11.exp | |||
@@ -0,0 +1,82 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail --name=test --net=br0 --x11 icedove\r" | ||
8 | sleep 10 | ||
9 | |||
10 | spawn $env(SHELL) | ||
11 | send -- "firejail --list\r" | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 3\n";exit} | ||
14 | ":firejail" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
18 | "icedove" | ||
19 | } | ||
20 | sleep 1 | ||
21 | |||
22 | # grsecurity exit | ||
23 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
26 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
27 | "cannot open" {puts "grsecurity not present\n"} | ||
28 | } | ||
29 | |||
30 | send -- "firejail --name=blablabla\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 4\n";exit} | ||
33 | "Child process initialized" | ||
34 | } | ||
35 | sleep 2 | ||
36 | |||
37 | spawn $env(SHELL) | ||
38 | send -- "firemon --seccomp\r" | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 5\n";exit} | ||
41 | ":firejail" | ||
42 | } | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
45 | "icedove" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
49 | "Seccomp: 2" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
53 | "name=blablabla" | ||
54 | } | ||
55 | sleep 2 | ||
56 | send -- "firemon --caps\r" | ||
57 | expect { | ||
58 | timeout {puts "TESTING ERROR 6\n";exit} | ||
59 | ":firejail" | ||
60 | } | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
63 | "icedove" | ||
64 | } | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
67 | "CapBnd" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
71 | "0000000000000000" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
75 | "name=blablabla" | ||
76 | } | ||
77 | sleep 1 | ||
78 | send -- "firejail --shutdown=test\r" | ||
79 | sleep 3 | ||
80 | |||
81 | puts "\nall done\n" | ||
82 | |||
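Review bot: Every `timeout` branch in this new script calls a bare `exit`, which as far as I know makes expect return status 0, so a failed check is visible only to something that scans the output for "TESTING ERROR". Writing `timeout {puts "TESTING ERROR 3\n";exit 1}` would let the calling shell script detect the failure; the same pattern appears in test/net_profile.exp. The label "TESTING ERROR 5.1" is used by two different checks (script lines 48 and 52), so the second should get its own number. The file also lacks the three-line project, copyright and licence header that this commit adds to the other .exp scripts.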
diff --git a/test/net-profile.profile b/test/net-profile.profile new file mode 100644 index 000000000..05052b6dc --- /dev/null +++ b/test/net-profile.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | net br0 | ||
2 | mac 00:11:22:33:44:55 | ||
3 | mtu 1000 | ||
4 | net br1 | ||
5 | ip 10.10.30.50 | ||
6 | net br2 | ||
7 | ip 10.10.40.100 | ||
8 | net br3 | ||
9 | defaultgw 10.10.20.2 | ||
10 | |||
diff --git a/test/net_profile.exp b/test/net_profile.exp new file mode 100755 index 000000000..37043c906 --- /dev/null +++ b/test/net_profile.exp | |||
@@ -0,0 +1,73 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | # check eth0 | ||
8 | send -- "firejail --profile=net-profile.profile\r" | ||
9 | expect { | ||
10 | timeout {puts "TESTING ERROR 0.0\n";exit} | ||
11 | "eth0" | ||
12 | } | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 0.1\n";exit} | ||
15 | "00:11:22:33:44:55" | ||
16 | } | ||
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 0.1\n";exit} | ||
19 | "10.10.20" | ||
20 | } | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 0.2\n";exit} | ||
23 | "255.255.255.248" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 0.3\n";exit} | ||
27 | "UP" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 0.4\n";exit} | ||
31 | "Child process initialized" | ||
32 | } | ||
33 | sleep 2 | ||
34 | |||
35 | send -- "ip route show\r" | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 1\n";exit} | ||
38 | "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" | ||
39 | } | ||
40 | |||
41 | send -- "ip route show\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 2\n";exit} | ||
44 | "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" | ||
45 | } | ||
46 | |||
47 | |||
48 | # check default gw | ||
49 | send -- "ip route show\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 3\n";exit} | ||
52 | "default via 10.10.20.2 dev eth0" | ||
53 | } | ||
54 | |||
55 | # check mtu | ||
56 | send -- "ip link show\r" | ||
57 | expect { | ||
58 | timeout {puts "TESTING ERROR 4\n";exit} | ||
59 | "eth0" | ||
60 | } | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 5\n";exit} | ||
63 | "mtu 1000" | ||
64 | } | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 6\n";exit} | ||
67 | "state UP" | ||
68 | } | ||
69 | |||
70 | sleep 1 | ||
71 | |||
72 | puts "\nall done\n" | ||
73 | |||
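Review bot: The label "TESTING ERROR 0.1" is printed by two different checks, the MAC address at script line 14 and the 10.10.20 address at line 18, so a failure there cannot be attributed; give the second its own number. The expected values (10.10.20, 10.10.30.0/24, 10.10.40.0/24, netmask 255.255.255.248) depend on bridges br0 to br3 already existing on the host with matching subnets. A header comment such as `# requires host bridges br0-br3 configured as in the test setup` would make that prerequisite explicit. The script also ends without sending `exit` to the sandboxed shell, which may leave the sandbox to be torn down only when expect closes the spawned process; consider `send -- "exit\r"` before the final sleep.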
diff --git a/test/profile_syntax.exp b/test/profiles/profile_syntax.exp index 559947276..ecad1043b 100755 --- a/test/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 96e85ba93..ba83731be 100755 --- a/test/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh new file mode 100755 index 000000000..a20ed5432 --- /dev/null +++ b/test/profiles/profiles.sh | |||
@@ -0,0 +1,22 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | echo "TESTING: default profiles installed in /etc" | ||
10 | PROFILES=`ls /etc/firejail/*.profile` | ||
11 | for PROFILE in $PROFILES | ||
12 | do | ||
13 | echo "TESTING: $PROFILE" | ||
14 | ./test-profile.exp $PROFILE | ||
15 | done | ||
16 | |||
17 | echo "TESTING: profile syntax (profiles/profile_syntax.exp)" | ||
18 | ./profile_syntax.exp | ||
19 | |||
20 | echo "TESTING: profile syntax 2 (profiles/profile_syntax2.exp)" | ||
21 | ./profile_syntax2.exp | ||
22 | |||
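Review bot: The loop at script lines 10-14 iterates over the output of `ls` and passes `$PROFILE` unquoted, so a profile path containing whitespace or glob characters is split or re-expanded before it reaches test-profile.exp. Iterating the glob directly avoids that: `for PROFILE in /etc/firejail/*.profile` with `./test-profile.exp "$PROFILE"` in the body. The script also never checks the exit status of the .exp scripts it runs, so it finishes with status 0 even when a profile fails to load; a comment noting that results are read from the "TESTING ERROR" output would document that, if it is intended.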
diff --git a/test/test-profile.exp b/test/profiles/test-profile.exp index a03e8db31..590b42652 100755 --- a/test/test-profile.exp +++ b/test/profiles/test-profile.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/test.profile b/test/profiles/test.profile index 1d69cc960..1d69cc960 100644 --- a/test/test.profile +++ b/test/profiles/test.profile | |||
diff --git a/test/test2.profile b/test/profiles/test2.profile index d7e1a1f21..d7e1a1f21 100644 --- a/test/test2.profile +++ b/test/profiles/test2.profile | |||
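diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
index 6521fa2b0..93d984501 100755
--- a/test/test-apps-x11.sh
+++ b/test/test-apps-x11.sh
@@ -1,5 +1,14 @@
 #!/bin/bash
 
+which xterm
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xterm x11"
+./xterm-x11.exp
+else
+echo "TESTING: xterm not found"
+fi
+
 which firefox
 if [ "$?" -eq 0 ];
 then
@@ -22,8 +31,17 @@ which transmission-gtk
 if [ "$?" -eq 0 ];
 then
 echo "TESTING: transmission-gtk x11"
-./transmission-gtk.exp
+./transmission-gtk-x11.exp
 else
 echo "TESTING: transmission-gtk not found"
 fi
 
+which icedove
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: icedove x11"
+./icedove-x11.exp
+else
+echo "TESTING: chromium not found"
+fi
+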
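diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-echo "TESTING: $PROFILE"
-./test-profile.exp $PROFILE
-done
-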
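diff --git a/test/test.sh b/test/test.sh
index c6fe4f299..1204d8208 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -2,14 +2,15 @@
 
 ./chk_config.exp
 
-./test-profiles.sh
-
 ./fscheck.sh
 
 echo "TESTING: cpu.print (cpu-print.exp)"
 echo "TESTING: failing under VirtualBox where there is only one CPU"
 ./cpu-print.exp
 
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
 echo "TESTING: bandwidth (bandwidth.exp)"
 ./bandwidth.exp
 
@@ -205,7 +206,6 @@ else
 echo "TESTING: dash not found"
 fi
 
-./test-apps.sh
 ./test-apps-x11.sh
 
 echo "TESTING: PID (pid.exp)"
@@ -217,12 +217,6 @@ echo "TESTING: output (output.exp)"
 echo "TESTING: profile no permissions (profile_noperm.exp)"
 ./profile_noperm.exp
 
-echo "TESTING: profile syntax (profile_syntax.exp)"
-./profile_syntax.exp
-
-echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
-./profile_syntax2.exp
-
 echo "TESTING: profile rlimit (profile_rlimit.exp)"
 ./profile_rlimit.exp
 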
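diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp
new file mode 100755
index 000000000..592f77659
--- /dev/null
+++ b/test/xterm-x11.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --x11 xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+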
@@ -74,11 +74,11 @@ CapEff: 0000000000000000 | |||
74 | CapBnd: 0000003fffffffff | 74 | CapBnd: 0000003fffffffff |
75 | CapAmb: 0000000000000000 | 75 | CapAmb: 0000000000000000 |
76 | 76 | ||
77 | 11. cleanup thunderbird profile - disable-common was commented out | 77 | 11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ |
78 | |||
79 | 12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ | ||
80 | Seccomp lists: | 78 | Seccomp lists: |
81 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl | 79 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl |
82 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl | 80 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl |
83 | 81 | ||
84 | 13. check for --chroot why .config/pulse dir is not created | 82 | 12. check for --chroot why .config/pulse dir is not created |
83 | |||
84 | 13. print error line number for profile files in profile_check_line() | ||