-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/file.profile | 1 | ||||
-rw-r--r-- | etc/tar.profile | 1 | ||||
-rw-r--r-- | etc/unrar.profile | 1 | ||||
-rw-r--r-- | etc/unzip.profile | 1 | ||||
-rw-r--r-- | src/firejail/cmdline.c | 10 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rwxr-xr-x | test/sysutils/file.exp | 16 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 18 | ||||
-rwxr-xr-x | test/sysutils/tar.exp | 35 | ||||
-rw-r--r-- | todo | 6 |
14 files changed, 98 insertions, 7 deletions
@@ -25,6 +25,9 @@ Reiner Herrmann (https://github.com/reinerh) | |||
25 | - clang-analyzer fixes | 25 | - clang-analyzer fixes |
26 | - Debian reproducible build | 26 | - Debian reproducible build |
27 | - unit testing framework | 27 | - unit testing framework |
28 | - moved build to .xz | ||
29 | - detached signatures for source archive | ||
30 | - recursive mkdir | ||
28 | xee5ch (https://github.com/xee5ch) | 31 | xee5ch (https://github.com/xee5ch) |
29 | - skypeforlinux profile | 32 | - skypeforlinux profile |
30 | Peter Hogg (https://github.com/pigmonkey) | 33 | Peter Hogg (https://github.com/pigmonkey) |
@@ -39,6 +42,7 @@ Thomas Jarosch (https://github.com/thomasjfox) | |||
39 | - improved profile list | 42 | - improved profile list |
40 | - fixed small variable glitch in stat64() / lstat64() (libtracelog) | 43 | - fixed small variable glitch in stat64() / lstat64() (libtracelog) |
41 | - added lstat() / lstat64() support to libtrace | 44 | - added lstat() / lstat64() support to libtrace |
45 | - include mkuid.sh in make dist | ||
42 | Niklas Haas (https://github.com/haasn) | 46 | Niklas Haas (https://github.com/haasn) |
43 | - blacklisting for keybase.io's client | 47 | - blacklisting for keybase.io's client |
44 | Aleksey Manevich (https://github.com/manevich) | 48 | Aleksey Manevich (https://github.com/manevich) |
@@ -48,6 +52,7 @@ Aleksey Manevich (https://github.com/manevich) | |||
48 | - fix double quotes/single quotes problem | 52 | - fix double quotes/single quotes problem |
49 | - big rework of argument processing subsystem | 53 | - big rework of argument processing subsystem |
50 | - --join fixes | 54 | - --join fixes |
55 | - spliting up cmdline.c | ||
51 | Fred-Barclay (https://github.com/Fred-Barclay) | 56 | Fred-Barclay (https://github.com/Fred-Barclay) |
52 | - added Vivaldi, Atril profiles | 57 | - added Vivaldi, Atril profiles |
53 | - added PaleMoon profile | 58 | - added PaleMoon profile |
@@ -9,6 +9,7 @@ firejail (0.9.42~rc2) baseline; urgency=low | |||
9 | * Ubuntu snap support | 9 | * Ubuntu snap support |
10 | * include /dev/snd in --private-dev | 10 | * include /dev/snd in --private-dev |
11 | * added mkfile profile command | 11 | * added mkfile profile command |
12 | * recursive mkdir | ||
12 | * seccomp filter updated | 13 | * seccomp filter updated |
13 | * compile time and run time support to disable whitelists | 14 | * compile time and run time support to disable whitelists |
14 | * compile time support to disable global configuration file | 15 | * compile time support to disable global configuration file |
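--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,4 +1,5 @@
 # file profile
+ignore noroot
 include /etc/firejail/default.profile
 
 tracelog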
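Review bot: The added `ignore noroot` line carries no comment saying why the `file` sandbox has to drop the noroot restriction, and the same unexplained line is added to etc/tar.profile, etc/unrar.profile and etc/unzip.profile. These tools routinely parse untrusted files and archives, so discarding a hardening option that the included default.profile presumably sets (inferred from the `ignore` placed before the `include`) should be justified in the profile itself. I would put a comment directly above it, along the lines of `# noroot ignored: <reason, e.g. the tool must work when started as root>`, so a later reader can tell whether the exception is still needed.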
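--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,4 +1,5 @@
 # tar profile
+ignore noroot
 include /etc/firejail/default.profile
 
 tracelog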
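--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,4 +1,5 @@
 # unrar profile
+ignore noroot
 include /etc/firejail/default.profile
 
 tracelog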
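--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,4 +1,5 @@
 # unzip profile
+ignore noroot
 include /etc/firejail/default.profile
 
 tracelog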
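--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -27,9 +27,9 @@
 #include <errno.h>
 
 int cmdline_length(int argc, char **argv, int index) {
-int i,j;
+unsigned i,j;
 int len = 0;
-int argcnt = argc - index;
+unsigned argcnt = argc - index;
 bool in_quotes = false;
 
 for (i = 0; i < argcnt; i++) {
@@ -63,8 +63,8 @@ int cmdline_length(int argc, char **argv, int index) {
 }
 
 void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
-int i,j;
-int argcnt = argc - index;
+unsigned i,j;
+unsigned argcnt = argc - index;
 bool in_quotes = false;
 char *ptr1 = command_line;
 char *ptr2 = window_title;
@@ -127,7 +127,7 @@ void quote_cmdline(char *command_line, char *window_title, int len, int argc, ch
 ptr2 += strlen(ptr2);
 }
 
-assert(len == strlen(command_line));
+assert((unsigned) len == strlen(command_line));
 }
 
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {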
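Review bot: With `unsigned argcnt = argc - index;` in cmdline_length(), and the same line in quote_cmdline(), an index larger than argc no longer gives a negative count that skips the loop. It wraps to a very large value, and `for (i = 0; i < argcnt; i++)` would then presumably read past the end of argv (the loop bodies are outside the hunks). Whether any caller can pass such an index is not visible here, so I would state the precondition next to the declaration, e.g. `assert(index >= 0 && index <= argc);`, or keep the count signed and cast only in the comparison that produced the warning. Note also that `assert((unsigned) len == strlen(command_line));` is the only length check visible for the quoted buffer, and it disappears in builds that define NDEBUG.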
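--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,5 +590,8 @@ void appimage_set(const char *appimage_path);
 void appimage_clear(void);
 const char *appimage_getdir(void);
 
+// cmdline.c
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+
 #endif
 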
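--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -136,7 +136,7 @@ void fs_check_bin_list(void) {
 ptr = strrchr(newlist, ',');
 assert(ptr);
 *ptr = '\0';
-if (notfound)
+if (notfound && !arg_quiet)
 fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist);
 
 cfg.bin_private_keep = newlist;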
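--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -704,6 +704,11 @@ static void detect_quiet(int argc, char **argv) {
 "gzip",
 "xz",
 "xzdec",
+"file",
+"gtar",
+"tar",
+"unrar",
+"unzip",
 NULL
 };
 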
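Review bot: `"gtar"` is added to the list in detect_quiet(), but this commit ships profiles only for file, tar, unrar and unzip, so gtar would be silenced without a matching profile unless one already exists elsewhere in the tree. If the list is meant to track the tools that have their own profile, either add a gtar profile or drop the entry. A short comment above the new entries saying why these programs are forced quiet would also help, since the reason is not stated anywhere in the hunk. The array and the code that matches names against it begin and end outside the hunk, so how the comparison is done cannot be checked from here.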
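--- /dev/null
+++ b/test/sysutils/file.exp
@@ -0,0 +1,16 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail file ~/.bashrc\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"ASCII text"
+}
+
+puts "\nall done\n"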
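Review bot: The test assumes `~/.bashrc` exists and that `file` reports it as "ASCII text"; on an account without that file, or with non-ASCII content in it, the test times out for a reason unrelated to the sandbox. Running `firejail file` on a small text file that the test creates itself would make the result deterministic. The timeout branch also calls `exit` with no status, so the script ends with status 0 and the failure is visible only through the "TESTING ERROR 1" text; `timeout {puts "TESTING ERROR 1\n";exit 1}` would let the calling script see it too.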
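--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -60,3 +60,21 @@ else
 echo "TESTING SKIP: less not found"
 fi
 
+which file
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: file"
+./file.exp
+else
+echo "TESTING SKIP: file not found"
+fi
+
+which tar
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: tar"
+./tar.exp
+else
+echo "TESTING SKIP: tar not found"
+fi
+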
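--- /dev/null
+++ b/test/sysutils/tar.exp
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"/usr/share/doc/firejail/README"
+}
+after 100
+
+send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+" 0 0 0"
+}
+sleep 1
+send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+" 0 0 0"
+}
+sleep 1
+
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"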
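Review bot: The cleanup step `send -- "rm firejail_t*\r"` globs in whatever directory the spawned shell starts in, so it can delete unrelated files whose names begin with firejail_t. The test creates only firejail_t2, so `send -- "rm -f firejail_t2\r"` is enough. The three timeout branches call bare `exit`, which returns status 0, so a failed comparison is reported only through the "TESTING ERROR" text; `exit 1` in each branch would make the failure visible to the caller. A one-line comment before the third `send` saying that the archive is re-checked outside the sandbox would make the intent of that step clear.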
@@ -250,10 +250,14 @@ References | |||
250 | 250 | ||
251 | 23. AppArmor | 251 | 23. AppArmor |
252 | 252 | ||
253 | $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify | ||
254 | |||
253 | $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub | 255 | $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub |
254 | $ sudo update-grub | 256 | $ sudo update-grub |
255 | $ sudo reboot | 257 | $ sudo reboot |
256 | 258 | ||
257 | $ ps auxZ | grep -v '^unconfined' | 259 | If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. |
260 | $ sudo aa-notify -p -f /var/log/audit/audit.log | ||
261 | |||
258 | 262 | ||
259 | 263 | ||