-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | README.md | 33 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/gnome-chess.profile | 1 | ||||
-rw-r--r-- | src/fbuilder/build_bin.c | 2 | ||||
-rw-r--r-- | src/profstats/main.c | 26 |
6 files changed, 47 insertions, 20 deletions
diff --git a/Makefile.in b/Makefile.in index 39a5359b2..ecbbb5600 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -73,7 +73,7 @@ distclean: clean | |||
73 | for dir in $(APPS) $(MYLIBS); do \ | 73 | for dir in $(APPS) $(MYLIBS); do \ |
74 | $(MAKE) -C $$dir distclean; \ | 74 | $(MAKE) -C $$dir distclean; \ |
75 | done | 75 | done |
76 | rm -fr Makefile autom4te.cache config.log config.status config.h dummy.o src/common.mk | 76 | rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk |
77 | 77 | ||
78 | realinstall: | 78 | realinstall: |
79 | # firejail executable | 79 | # firejail executable |
@@ -200,7 +200,7 @@ uninstall: | |||
200 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | 200 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
201 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038." | 201 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038." |
202 | 202 | ||
203 | DISTFILES = "src etc m4 platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES" | 203 | DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES" |
204 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" | 204 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" |
205 | 205 | ||
206 | dist: | 206 | dist: |
@@ -156,21 +156,24 @@ A small tool to print profile statistics. Compile as usual and run: | |||
156 | $ make | 156 | $ make |
157 | $ cd etc | 157 | $ cd etc |
158 | $ ./profstats *.profile | 158 | $ ./profstats *.profile |
159 | Stats: | 159 | profiles 966 |
160 | profiles 949 | 160 | include local profile 966 (include profile-name.local) |
161 | include local profile 949 (include profile-name.local) | 161 | include globals 966 (include globals.local) |
162 | include globals 949 (include globals.local) | 162 | blacklist ~/.ssh 951 (include disable-common.inc) |
163 | blacklist ~/.ssh 934 (include disable-common.inc) | 163 | seccomp 908 |
164 | seccomp 892 | 164 | capabilities 965 |
165 | capabilities 948 | 165 | noexec 830 (include disable-exec.inc) |
166 | noexec 813 (include disable-exec.inc) | 166 | memory-deny-write-execute 214 |
167 | apparmor 471 | 167 | apparmor 488 |
168 | private-dev 812 | 168 | private-bin 483 |
169 | private-tmp 711 | 169 | private-dev 829 |
170 | whitelist var 621 (include whitelist-var-common.inc) | 170 | private-etc 366 |
171 | whitelist run/user 105 (include whitelist-runuser-common.inc) | 171 | private-tmp 726 |
172 | whitelist usr/share 257 (include whitelist-usr-share-common.inc) | 172 | whitelist var 638 (include whitelist-var-common.inc) |
173 | net none 297 | 173 | whitelist run/user 282 (include whitelist-runuser-common.inc |
174 | or blacklist ${RUNUSER}) | ||
175 | whitelist usr/share 275 (include whitelist-usr-share-common.inc | ||
176 | net none 313 | ||
174 | ````` | 177 | ````` |
175 | 178 | ||
176 | Run ./profstats -h for help. | 179 | Run ./profstats -h for help. |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index afedd0966..a0670df80 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -197,6 +197,7 @@ blacklist ${HOME}/.config/git | |||
197 | blacklist ${HOME}/.config/globaltime | 197 | blacklist ${HOME}/.config/globaltime |
198 | blacklist ${HOME}/.config/gmpc | 198 | blacklist ${HOME}/.config/gmpc |
199 | blacklist ${HOME}/.config/gnome-builder | 199 | blacklist ${HOME}/.config/gnome-builder |
200 | blacklist ${HOME}/.config/gnome-chess | ||
200 | blacklist ${HOME}/.config/gnome-latex | 201 | blacklist ${HOME}/.config/gnome-latex |
201 | blacklist ${HOME}/.config/gnome-mplayer | 202 | blacklist ${HOME}/.config/gnome-mplayer |
202 | blacklist ${HOME}/.config/gnome-mpv | 203 | blacklist ${HOME}/.config/gnome-mpv |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index a80e1ca6d..2e2e86ac9 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -6,6 +6,7 @@ include gnome-chess.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/gnome-chess | ||
9 | noblacklist ${HOME}/.local/share/gnome-chess | 10 | noblacklist ${HOME}/.local/share/gnome-chess |
10 | 11 | ||
11 | include disable-common.inc | 12 | include disable-common.inc |
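Review bot: The added `noblacklist ${HOME}/.config/gnome-chess` on line 9 only lifts the blacklist that disable-programs.inc applies to that directory; on its own it does not make the directory visible if the profile also whitelists ${HOME} paths further down, which this hunk does not show. If the profile is whitelisted, the new directory also needs `mkdir ${HOME}/.config/gnome-chess` and `whitelist ${HOME}/.config/gnome-chess` next to whatever entries exist for .local/share/gnome-chess; if it is not whitelisted, the line as written is sufficient. The rest of the profile lies outside this hunk, so this cannot be confirmed here.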
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index a44546699..c6f84dfbc 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -71,7 +71,7 @@ static void process_bin(const char *fname) { | |||
71 | else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0) | 71 | else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0) |
72 | ptr += 16; | 72 | ptr += 16; |
73 | else if (strncmp(ptr, "/usr/games/", 11) == 0) | 73 | else if (strncmp(ptr, "/usr/games/", 11) == 0) |
74 | ptr += 12; | 74 | ptr += 11; |
75 | else if (strncmp(ptr, "/usr/local/games/", 17) == 0) | 75 | else if (strncmp(ptr, "/usr/local/games/", 17) == 0) |
76 | ptr += 17; | 76 | ptr += 17; |
77 | else | 77 | else |
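Review bot: The corrected advance on line 74 is now 11, which matches the length of "/usr/games/", but the bug it fixes is exactly what happens when the compare length and the skip are two hand-counted literals that can drift apart. Spelling the length once per prefix removes that class of error: `else if (strncmp(ptr, "/usr/games/", sizeof("/usr/games/") - 1) == 0)` followed by `ptr += sizeof("/usr/games/") - 1;`, and the same form for the neighbouring prefixes. process_bin starts before this hunk and continues after it, so the full prefix chain is not visible here.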
diff --git a/src/profstats/main.c b/src/profstats/main.c index 29acdc7bd..b94fdd213 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -32,8 +32,10 @@ static int cnt_dotlocal = 0; | |||
32 | static int cnt_globalsdotlocal = 0; | 32 | static int cnt_globalsdotlocal = 0; |
33 | static int cnt_netnone = 0; | 33 | static int cnt_netnone = 0; |
34 | static int cnt_noexec = 0; // include disable-exec.inc | 34 | static int cnt_noexec = 0; // include disable-exec.inc |
35 | static int cnt_privatebin = 0; | ||
35 | static int cnt_privatedev = 0; | 36 | static int cnt_privatedev = 0; |
36 | static int cnt_privatetmp = 0; | 37 | static int cnt_privatetmp = 0; |
38 | static int cnt_privateetc = 0; | ||
37 | static int cnt_whitelistvar = 0; // include whitelist-var-common.inc | 39 | static int cnt_whitelistvar = 0; // include whitelist-var-common.inc |
38 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc | 40 | static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc |
39 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc | 41 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc |
@@ -46,8 +48,10 @@ static int arg_apparmor = 0; | |||
46 | static int arg_caps = 0; | 48 | static int arg_caps = 0; |
47 | static int arg_seccomp = 0; | 49 | static int arg_seccomp = 0; |
48 | static int arg_noexec = 0; | 50 | static int arg_noexec = 0; |
51 | static int arg_privatebin = 0; | ||
49 | static int arg_privatedev = 0; | 52 | static int arg_privatedev = 0; |
50 | static int arg_privatetmp = 0; | 53 | static int arg_privatetmp = 0; |
54 | static int arg_privateetc = 0; | ||
51 | static int arg_whitelistvar = 0; | 55 | static int arg_whitelistvar = 0; |
52 | static int arg_whitelistrunuser = 0; | 56 | static int arg_whitelistrunuser = 0; |
53 | static int arg_whitelistusrshare = 0; | 57 | static int arg_whitelistusrshare = 0; |
@@ -65,7 +69,9 @@ static void usage(void) { | |||
65 | printf(" --caps - print profiles without caps\n"); | 69 | printf(" --caps - print profiles without caps\n"); |
66 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); | 70 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); |
67 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); | 71 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); |
72 | printf(" --private-bin - print profiles without private-bin\n"); | ||
68 | printf(" --private-dev - print profiles without private-dev\n"); | 73 | printf(" --private-dev - print profiles without private-dev\n"); |
74 | printf(" --private-etc - print profiles without private-etc\n"); | ||
69 | printf(" --private-tmp - print profiles without private-tmp\n"); | 75 | printf(" --private-tmp - print profiles without private-tmp\n"); |
70 | printf(" --seccomp - print profiles without seccomp\n"); | 76 | printf(" --seccomp - print profiles without seccomp\n"); |
71 | printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); | 77 | printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); |
@@ -124,10 +130,14 @@ void process_file(const char *fname) { | |||
124 | cnt_netnone++; | 130 | cnt_netnone++; |
125 | else if (strncmp(ptr, "apparmor", 8) == 0) | 131 | else if (strncmp(ptr, "apparmor", 8) == 0) |
126 | cnt_apparmor++; | 132 | cnt_apparmor++; |
133 | else if (strncmp(ptr, "private-bin", 11) == 0) | ||
134 | cnt_privatebin++; | ||
127 | else if (strncmp(ptr, "private-dev", 11) == 0) | 135 | else if (strncmp(ptr, "private-dev", 11) == 0) |
128 | cnt_privatedev++; | 136 | cnt_privatedev++; |
129 | else if (strncmp(ptr, "private-tmp", 11) == 0) | 137 | else if (strncmp(ptr, "private-tmp", 11) == 0) |
130 | cnt_privatetmp++; | 138 | cnt_privatetmp++; |
139 | else if (strncmp(ptr, "private-etc", 11) == 0) | ||
140 | cnt_privateetc++; | ||
131 | else if (strncmp(ptr, "include ", 8) == 0) { | 141 | else if (strncmp(ptr, "include ", 8) == 0) { |
132 | // not processing .local files | 142 | // not processing .local files |
133 | if (strstr(ptr, ".local")) { | 143 | if (strstr(ptr, ".local")) { |
@@ -171,10 +181,14 @@ int main(int argc, char **argv) { | |||
171 | arg_mdwx = 1; | 181 | arg_mdwx = 1; |
172 | else if (strcmp(argv[i], "--noexec") == 0) | 182 | else if (strcmp(argv[i], "--noexec") == 0) |
173 | arg_noexec = 1; | 183 | arg_noexec = 1; |
184 | else if (strcmp(argv[i], "--private-bin") == 0) | ||
185 | arg_privatebin = 1; | ||
174 | else if (strcmp(argv[i], "--private-dev") == 0) | 186 | else if (strcmp(argv[i], "--private-dev") == 0) |
175 | arg_privatedev = 1; | 187 | arg_privatedev = 1; |
176 | else if (strcmp(argv[i], "--private-tmp") == 0) | 188 | else if (strcmp(argv[i], "--private-tmp") == 0) |
177 | arg_privatetmp = 1; | 189 | arg_privatetmp = 1; |
190 | else if (strcmp(argv[i], "--private-etc") == 0) | ||
191 | arg_privateetc = 1; | ||
178 | else if (strcmp(argv[i], "--whitelist-var") == 0) | 192 | else if (strcmp(argv[i], "--whitelist-var") == 0) |
179 | arg_whitelistvar = 1; | 193 | arg_whitelistvar = 1; |
180 | else if (strcmp(argv[i], "--whitelist-runuser") == 0) | 194 | else if (strcmp(argv[i], "--whitelist-runuser") == 0) |
@@ -205,8 +219,10 @@ int main(int argc, char **argv) { | |||
205 | int caps = cnt_caps; | 219 | int caps = cnt_caps; |
206 | int apparmor = cnt_apparmor; | 220 | int apparmor = cnt_apparmor; |
207 | int noexec = cnt_noexec; | 221 | int noexec = cnt_noexec; |
222 | int privatebin = cnt_privatebin; | ||
208 | int privatetmp = cnt_privatetmp; | 223 | int privatetmp = cnt_privatetmp; |
209 | int privatedev = cnt_privatedev; | 224 | int privatedev = cnt_privatedev; |
225 | int privateetc = cnt_privateetc; | ||
210 | int dotlocal = cnt_dotlocal; | 226 | int dotlocal = cnt_dotlocal; |
211 | int globalsdotlocal = cnt_globalsdotlocal; | 227 | int globalsdotlocal = cnt_globalsdotlocal; |
212 | int whitelistvar = cnt_whitelistvar; | 228 | int whitelistvar = cnt_whitelistvar; |
@@ -241,8 +257,12 @@ int main(int argc, char **argv) { | |||
241 | printf("No include disable-exec.inc found in %s\n", argv[i]); | 257 | printf("No include disable-exec.inc found in %s\n", argv[i]); |
242 | if (arg_privatedev && privatedev == cnt_privatedev) | 258 | if (arg_privatedev && privatedev == cnt_privatedev) |
243 | printf("No private-dev found in %s\n", argv[i]); | 259 | printf("No private-dev found in %s\n", argv[i]); |
260 | if (arg_privatebin && privatebin == cnt_privatebin) | ||
261 | printf("No private-bin found in %s\n", argv[i]); | ||
244 | if (arg_privatetmp && privatetmp == cnt_privatetmp) | 262 | if (arg_privatetmp && privatetmp == cnt_privatetmp) |
245 | printf("No private-tmp found in %s\n", argv[i]); | 263 | printf("No private-tmp found in %s\n", argv[i]); |
264 | if (arg_privateetc && privateetc == cnt_privateetc) | ||
265 | printf("No private-etc found in %s\n", argv[i]); | ||
246 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) | 266 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) |
247 | printf("No include whitelist-var-common.inc found in %s\n", argv[i]); | 267 | printf("No include whitelist-var-common.inc found in %s\n", argv[i]); |
248 | if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser) | 268 | if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser) |
@@ -268,12 +288,14 @@ int main(int argc, char **argv) { | |||
268 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); | 288 | printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); |
269 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); | 289 | printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); |
270 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); | 290 | printf(" apparmor\t\t\t%d\n", cnt_apparmor); |
291 | printf(" private-bin\t\t\t%d\n", cnt_privatebin); | ||
271 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 292 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
293 | printf(" private-etc\t\t\t%d\n", cnt_privateetc); | ||
272 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); | 294 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); |
273 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); | 295 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); |
274 | printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc)\n", cnt_whitelistrunuser); | 296 | printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser); |
275 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); | ||
276 | printf("\t\t\t\t\tor blacklist ${RUNUSER})\n"); | 297 | printf("\t\t\t\t\tor blacklist ${RUNUSER})\n"); |
298 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); | ||
277 | printf(" net none\t\t\t%d\n", cnt_netnone); | 299 | printf(" net none\t\t\t%d\n", cnt_netnone); |
278 | printf("\n"); | 300 | printf("\n"); |
279 | return 0; | 301 | return 0; |
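Review bot: The new `whitelist usr/share` line on line 298 never closes the parenthesis it opens: its format string ends in `(include whitelist-usr-share-common.inc\n` with no `)`, and the sample output added to README.md in this same commit reproduces the unbalanced text. The `or blacklist ${RUNUSER})` continuation that previously closed it was correctly moved up to follow the run/user line, so this line now needs its own terminator: `printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc)\n", cnt_whitelistusrshare);`. main continues outside this hunk.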