-rw-r--r-- | .gitignore | 5 | ||||
-rw-r--r-- | Makefile.in | 274 | ||||
-rw-r--r-- | README | 140 | ||||
-rw-r--r-- | README.md | 174 | ||||
-rw-r--r-- | RELNOTES | 51 | ||||
-rwxr-xr-x | configure | 63 | ||||
-rw-r--r-- | configure.ac | 28 | ||||
-rw-r--r-- | etc/0ad.profile | 35 | ||||
-rw-r--r-- | etc/Cyberfox.profile | 3 | ||||
-rw-r--r-- | etc/Mathematica.profile | 13 | ||||
-rw-r--r-- | etc/Telegram.profile | 2 | ||||
-rw-r--r-- | etc/abrowser.profile | 52 | ||||
-rw-r--r-- | etc/atom-beta.profile | 19 | ||||
-rw-r--r-- | etc/atom.profile | 18 | ||||
-rw-r--r-- | etc/atril.profile | 17 | ||||
-rw-r--r-- | etc/audacious.profile | 17 | ||||
-rw-r--r-- | etc/audacity.profile | 19 | ||||
-rw-r--r-- | etc/aweather.profile | 25 | ||||
-rw-r--r-- | etc/bitlbee.profile | 11 | ||||
-rw-r--r-- | etc/brave.profile | 19 | ||||
-rw-r--r-- | etc/cherrytree.profile | 24 | ||||
-rw-r--r-- | etc/chromium.profile | 5 | ||||
-rw-r--r-- | etc/clementine.profile | 17 | ||||
-rw-r--r-- | etc/cmus.profile | 18 | ||||
-rw-r--r-- | etc/conkeror.profile | 13 | ||||
-rw-r--r-- | etc/corebird.profile | 12 | ||||
-rw-r--r-- | etc/cpio.profile | 22 | ||||
-rw-r--r-- | etc/cyberfox.profile | 51 | ||||
-rw-r--r-- | etc/deadbeef.profile | 19 | ||||
-rw-r--r-- | etc/default.profile | 15 | ||||
-rw-r--r-- | etc/deluge.profile | 26 | ||||
-rw-r--r-- | etc/dillo.profile | 23 | ||||
-rw-r--r-- | etc/disable-common.inc | 144 | ||||
-rw-r--r-- | etc/disable-devel.inc | 27 | ||||
-rw-r--r-- | etc/disable-mgmt.inc | 17 | ||||
-rw-r--r-- | etc/disable-passwdmgr.inc | 7 | ||||
-rw-r--r-- | etc/disable-programs.inc | 129 | ||||
-rw-r--r-- | etc/disable-secret.inc | 23 | ||||
-rw-r--r-- | etc/disable-terminals.inc | 6 | ||||
-rw-r--r-- | etc/dnscrypt-proxy.profile | 7 | ||||
-rw-r--r-- | etc/dnsmasq.profile | 16 | ||||
-rw-r--r-- | etc/dropbox.profile | 27 | ||||
-rw-r--r-- | etc/empathy.profile | 12 | ||||
-rw-r--r-- | etc/eom.profile | 20 | ||||
-rw-r--r-- | etc/epiphany.profile | 16 | ||||
-rw-r--r-- | etc/evince.profile | 21 | ||||
-rw-r--r-- | etc/fbreader.profile | 22 | ||||
-rw-r--r-- | etc/filezilla.profile | 20 | ||||
-rw-r--r-- | etc/firefox-esr.profile | 2 | ||||
-rw-r--r-- | etc/firefox.profile | 20 | ||||
-rw-r--r-- | etc/firejail.config | 45 | ||||
-rw-r--r-- | etc/flashpeak-slimjet.profile | 41 | ||||
-rw-r--r-- | etc/franz.profile | 26 | ||||
-rw-r--r-- | etc/generic.profile | 17 | ||||
-rw-r--r-- | etc/gitter.profile | 18 | ||||
-rw-r--r-- | etc/gnome-mplayer.profile | 19 | ||||
-rw-r--r-- | etc/google-chrome-beta.profile | 5 | ||||
-rw-r--r-- | etc/google-chrome-unstable.profile | 5 | ||||
-rw-r--r-- | etc/google-chrome.profile | 5 | ||||
-rw-r--r-- | etc/google-play-music-desktop-player.profile | 18 | ||||
-rw-r--r-- | etc/gpredict.profile | 25 | ||||
-rw-r--r-- | etc/gthumb.profile | 21 | ||||
-rw-r--r-- | etc/gwenview.profile | 21 | ||||
-rw-r--r-- | etc/gzip.profile | 8 | ||||
-rw-r--r-- | etc/hedgewars.profile | 10 | ||||
-rw-r--r-- | etc/hexchat.profile | 20 | ||||
-rw-r--r-- | etc/icedove.profile | 20 | ||||
-rw-r--r-- | etc/jitsi.profile | 16 | ||||
-rw-r--r-- | etc/kmail.profile | 19 | ||||
-rw-r--r-- | etc/konversation.profile | 12 | ||||
-rw-r--r-- | etc/less.profile | 8 | ||||
-rw-r--r-- | etc/libreoffice.profile | 19 | ||||
-rw-r--r-- | etc/localc.profile | 5 | ||||
-rw-r--r-- | etc/lodraw.profile | 5 | ||||
-rw-r--r-- | etc/loffice.profile | 5 | ||||
-rw-r--r-- | etc/lofromtemplate.profile | 5 | ||||
-rw-r--r-- | etc/login.users | 2 | ||||
-rw-r--r-- | etc/loimpress.profile | 5 | ||||
-rw-r--r-- | etc/lomath.profile | 5 | ||||
-rw-r--r-- | etc/loweb.profile | 5 | ||||
-rw-r--r-- | etc/lowriter.profile | 5 | ||||
-rw-r--r-- | etc/lxterminal.profile | 18 | ||||
-rw-r--r-- | etc/mcabber.profile | 21 | ||||
-rw-r--r-- | etc/midori.profile | 11 | ||||
-rw-r--r-- | etc/mpv.profile | 18 | ||||
-rw-r--r-- | etc/mupen64plus.profile | 15 | ||||
-rw-r--r-- | etc/netsurf.profile | 32 | ||||
-rw-r--r-- | etc/nolocal.net | 3 | ||||
-rw-r--r-- | etc/okular.profile | 23 | ||||
-rw-r--r-- | etc/openbox.profile | 11 | ||||
-rw-r--r-- | etc/opera-beta.profile | 5 | ||||
-rw-r--r-- | etc/opera.profile | 8 | ||||
-rw-r--r-- | etc/palemoon.profile | 58 | ||||
-rw-r--r-- | etc/parole.profile | 16 | ||||
-rw-r--r-- | etc/pidgin.profile | 20 | ||||
-rw-r--r-- | etc/pix.profile | 23 | ||||
-rw-r--r-- | etc/polari.profile | 14 | ||||
-rw-r--r-- | etc/psi-plus.profile | 27 | ||||
-rw-r--r-- | etc/qbittorrent.profile | 23 | ||||
-rw-r--r-- | etc/qtox.profile | 22 | ||||
-rw-r--r-- | etc/quassel.profile | 12 | ||||
-rw-r--r-- | etc/quiterss.profile | 32 | ||||
-rw-r--r-- | etc/qutebrowser.profile | 23 | ||||
-rw-r--r-- | etc/rhythmbox.profile | 23 | ||||
-rw-r--r-- | etc/rtorrent.profile | 17 | ||||
-rw-r--r-- | etc/seamonkey.profile | 21 | ||||
-rw-r--r-- | etc/server.profile | 6 | ||||
-rw-r--r-- | etc/skype.profile | 8 | ||||
-rw-r--r-- | etc/snap.profile | 14 | ||||
-rw-r--r-- | etc/soffice.profile | 5 | ||||
-rw-r--r-- | etc/spotify.profile | 20 | ||||
-rw-r--r-- | etc/ssh.profile | 13 | ||||
-rw-r--r-- | etc/steam.profile | 9 | ||||
-rw-r--r-- | etc/stellarium.profile | 29 | ||||
-rw-r--r-- | etc/strings.profile | 8 | ||||
-rw-r--r-- | etc/telegram.profile | 14 | ||||
-rw-r--r-- | etc/thunderbird.profile | 35 | ||||
-rw-r--r-- | etc/totem.profile | 19 | ||||
-rw-r--r-- | etc/transmission-gtk.profile | 29 | ||||
-rw-r--r-- | etc/transmission-qt.profile | 28 | ||||
-rw-r--r-- | etc/uget-gtk.profile | 20 | ||||
-rw-r--r-- | etc/unbound.profile | 7 | ||||
-rw-r--r-- | etc/uudeview.profile | 13 | ||||
-rw-r--r-- | etc/vivaldi.profile | 6 | ||||
-rw-r--r-- | etc/vlc.profile | 24 | ||||
-rw-r--r-- | etc/warzone2100.profile | 25 | ||||
-rw-r--r-- | etc/weechat.profile | 15 | ||||
-rw-r--r-- | etc/wesnoth.profile | 13 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 1 | ||||
-rw-r--r-- | etc/wine.profile | 7 | ||||
-rw-r--r-- | etc/xchat.profile | 14 | ||||
-rw-r--r-- | etc/xplayer.profile | 21 | ||||
-rw-r--r-- | etc/xreader.profile | 22 | ||||
-rw-r--r-- | etc/xviewer.profile | 19 | ||||
-rw-r--r-- | etc/xz.profile | 2 | ||||
-rw-r--r-- | etc/xzdec.profile | 8 | ||||
-rwxr-xr-x | mkuid.sh | 20 | ||||
-rw-r--r-- | platform/debian/conffiles | 176 | ||||
-rw-r--r-- | platform/rpm/firejail.spec | 6 | ||||
-rwxr-xr-x | platform/snap/snap.sh | 20 | ||||
-rw-r--r-- | platform/snap/snapcraft.yaml | 21 | ||||
-rw-r--r-- | src/bash_completion/firecfg.bash_completion | 39 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion | 8 | ||||
-rw-r--r-- | src/faudit/Makefile.in | 25 | ||||
-rw-r--r-- | src/faudit/caps.c | 79 | ||||
-rw-r--r-- | src/faudit/dbus.c | 74 | ||||
-rw-r--r-- | src/faudit/dev.c | 47 | ||||
-rw-r--r-- | src/faudit/faudit.h | 64 | ||||
-rw-r--r-- | src/faudit/files.c | 75 | ||||
-rw-r--r-- | src/faudit/main.c | 80 | ||||
-rw-r--r-- | src/faudit/network.c | 101 | ||||
-rw-r--r-- | src/faudit/pid.c | 101 | ||||
-rw-r--r-- | src/faudit/seccomp.c | 101 | ||||
-rw-r--r-- | src/faudit/syscall.c | 100 | ||||
-rw-r--r-- | src/firecfg/Makefile.in | 38 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 136 | ||||
-rw-r--r-- | src/firecfg/main.c | 315 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 5 | ||||
-rw-r--r-- | src/firejail/appimage.c | 129 | ||||
-rw-r--r-- | src/firejail/bandwidth.c | 101 | ||||
-rw-r--r-- | src/firejail/caps.c | 8 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 159 | ||||
-rw-r--r-- | src/firejail/cpu.c | 78 | ||||
-rw-r--r-- | src/firejail/env.c | 55 | ||||
-rw-r--r-- | src/firejail/firejail.h | 76 | ||||
-rw-r--r-- | src/firejail/fs.c | 308 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 108 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 42 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 63 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 38 | ||||
-rw-r--r-- | src/firejail/fs_logger.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 58 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 22 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 99 | ||||
-rw-r--r-- | src/firejail/join.c | 114 | ||||
-rw-r--r-- | src/firejail/list.c | 46 | ||||
-rw-r--r-- | src/firejail/ls.c | 5 | ||||
-rw-r--r-- | src/firejail/main.c | 1502 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 9 | ||||
-rw-r--r-- | src/firejail/network_main.c | 58 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 78 | ||||
-rw-r--r-- | src/firejail/output.c | 6 | ||||
-rw-r--r-- | src/firejail/paths.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 444 | ||||
-rw-r--r-- | src/firejail/protocol.c | 4 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 70 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 9 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 15 | ||||
-rw-r--r-- | src/firejail/run_symlink.c | 9 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 165 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 31 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 60 | ||||
-rw-r--r-- | src/firejail/syscall.h | 135 | ||||
-rw-r--r-- | src/firejail/usage.c | 53 | ||||
-rw-r--r-- | src/firejail/user.c | 115 | ||||
-rw-r--r-- | src/firejail/util.c | 18 | ||||
-rw-r--r-- | src/firejail/x11.c | 232 | ||||
-rw-r--r-- | src/firemon/firemon.c | 9 | ||||
-rw-r--r-- | src/firemon/netstats.c | 14 | ||||
-rw-r--r-- | src/firemon/procevent.c | 3 | ||||
-rw-r--r-- | src/firemon/usage.c | 3 | ||||
-rw-r--r-- | src/include/euid_common.h | 4 | ||||
-rw-r--r-- | src/lib/libnetlink.c | 4 | ||||
-rw-r--r-- | src/lib/pid.c | 6 | ||||
-rw-r--r-- | src/libtracelog/libtracelog.c | 66 | ||||
-rw-r--r-- | src/man/firecfg.txt | 70 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 109 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 7 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 165 | ||||
-rw-r--r-- | src/man/firejail.txt | 554 | ||||
-rw-r--r-- | src/man/firemon.txt | 5 | ||||
-rw-r--r-- | src/tools/config-4.4.0-1-grsec-amd64 | 7430 | ||||
-rw-r--r-- | src/tools/grsec.conf | 98 | ||||
-rwxr-xr-x | test/apps-x11/apps-x11.sh | 70 | ||||
-rwxr-xr-x | test/apps-x11/chromium.exp (renamed from test/chromium-x11.exp) | 12 | ||||
-rwxr-xr-x | test/apps-x11/firefox.exp (renamed from test/firefox-x11.exp) | 24 | ||||
-rwxr-xr-x | test/apps-x11/icedove.exp | 85 | ||||
-rwxr-xr-x | test/apps-x11/transmission-gtk.exp (renamed from test/transmission-gtk-x11.exp) | 13 | ||||
-rwxr-xr-x | test/apps-x11/xterm.exp | 85 | ||||
-rwxr-xr-x | test/apps/apps.sh (renamed from test/test-apps.sh) | 84 | ||||
-rwxr-xr-x | test/apps/chromium.exp (renamed from test/chromium.exp) | 17 | ||||
-rwxr-xr-x | test/apps/deluge.exp (renamed from test/deluge.exp) | 17 | ||||
-rwxr-xr-x | test/apps/evince.exp (renamed from test/evince.exp) | 17 | ||||
-rwxr-xr-x | test/apps/fbreader.exp (renamed from test/fbreader.exp) | 17 | ||||
-rwxr-xr-x | test/apps/filezilla.exp | 83 | ||||
-rwxr-xr-x | test/apps/firefox.exp (renamed from test/firefox.exp) | 33 | ||||
-rwxr-xr-x | test/apps/gnome-mplayer.exp (renamed from test/gnome-mplayer.exp) | 19 | ||||
-rwxr-xr-x | test/apps/gthumb.exp | 83 | ||||
-rwxr-xr-x | test/apps/hexchat.exp (renamed from test/hexchat.exp) | 18 | ||||
-rwxr-xr-x | test/apps/icedove.exp (renamed from test/icedove.exp) | 17 | ||||
-rwxr-xr-x | test/apps/midori.exp (renamed from test/midori.exp) | 19 | ||||
-rwxr-xr-x | test/apps/opera.exp (renamed from test/opera.exp) | 17 | ||||
-rwxr-xr-x | test/apps/qbittorrent.exp | 83 | ||||
-rwxr-xr-x | test/apps/transmission-gtk.exp (renamed from test/transmission-gtk.exp) | 18 | ||||
-rwxr-xr-x | test/apps/transmission-qt.exp (renamed from test/transmission-qt.exp) | 19 | ||||
-rwxr-xr-x | test/apps/uget-gtk.exp | 83 | ||||
-rwxr-xr-x | test/apps/vlc.exp (renamed from test/vlc.exp) | 17 | ||||
-rwxr-xr-x | test/apps/weechat.exp (renamed from test/weechat.exp) | 18 | ||||
-rwxr-xr-x | test/apps/wine.exp (renamed from test/wine.exp) | 5 | ||||
-rwxr-xr-x | test/apps/xchat.exp (renamed from test/xchat.exp) | 18 | ||||
-rw-r--r-- | test/arguments/Makefile | 13 | ||||
-rwxr-xr-x | test/arguments/arguments.sh | 19 | ||||
-rwxr-xr-x | test/arguments/bashrun.exp | 86 | ||||
-rwxr-xr-x | test/arguments/bashrun.sh | 22 | ||||
-rwxr-xr-x | test/arguments/joinrun.exp | 91 | ||||
-rwxr-xr-x | test/arguments/joinrun.sh | 22 | ||||
-rw-r--r-- | test/arguments/main.c | 31 | ||||
-rwxr-xr-x | test/arguments/outrun.exp | 90 | ||||
-rwxr-xr-x | test/arguments/outrun.sh | 22 | ||||
-rw-r--r-- | test/arguments/readme | 9 | ||||
-rwxr-xr-x | test/arguments/symrun.exp | 71 | ||||
-rwxr-xr-x | test/arguments/symrun.sh | 30 | ||||
-rwxr-xr-x | test/auto/autotest.sh | 202 | ||||
-rwxr-xr-x | test/compile/compile.sh | 29 | ||||
-rwxr-xr-x | test/configure | 2 | ||||
-rwxr-xr-x | test/dist-compile/compile.sh | 289 | ||||
-rwxr-xr-x | test/dns.exp | 69 | ||||
-rwxr-xr-x | test/environment/csh.exp (renamed from test/shell_csh.exp) | 16 | ||||
-rwxr-xr-x | test/environment/dash.exp (renamed from test/shell_dash.exp) | 1 | ||||
-rwxr-xr-x | test/environment/dns.exp | 30 | ||||
-rwxr-xr-x | test/environment/doubledash.exp (renamed from test/doubledash.exp) | 10 | ||||
-rwxr-xr-x | test/environment/env.exp (renamed from test/env.exp) | 3 | ||||
-rw-r--r-- | test/environment/env.profile (renamed from test/env.profile) | 0 | ||||
-rwxr-xr-x | test/environment/environment.sh | 85 | ||||
-rwxr-xr-x | test/environment/extract_command.exp (renamed from test/extract_command.exp) | 6 | ||||
-rwxr-xr-x | test/environment/firejail-in-firejail.exp (renamed from test/firejail-in-firejail.exp) | 3 | ||||
-rwxr-xr-x | test/environment/firejail-in-firejail2.exp (renamed from test/firejail-in-firejail2.exp) | 3 | ||||
-rwxr-xr-x | test/environment/nice.exp (renamed from test/nice.exp) | 11 | ||||
-rw-r--r-- | test/environment/nice.profile (renamed from test/nice.profile) | 0 | ||||
-rwxr-xr-x | test/environment/output.exp (renamed from test/output.exp) | 7 | ||||
-rwxr-xr-x | test/environment/output.sh (renamed from test/output.sh) | 0 | ||||
-rwxr-xr-x | test/environment/quiet.exp | 21 | ||||
-rwxr-xr-x | test/environment/rlimit-profile.exp (renamed from test/profile_rlimit.exp) | 9 | ||||
-rwxr-xr-x | test/environment/rlimit.exp (renamed from test/option_rlimit.exp) | 1 | ||||
-rw-r--r-- | test/environment/rlimit.profile (renamed from test/rlimit.profile) | 0 | ||||
-rwxr-xr-x | test/environment/shell-none.exp (renamed from test/seccomp-dualfilter.exp) | 34 | ||||
-rw-r--r-- | test/environment/shell-none.profile | 1 | ||||
-rwxr-xr-x | test/environment/sound.exp (renamed from test/sound.exp) | 16 | ||||
-rw-r--r-- | test/environment/sound.profile (renamed from test/sound.profile) | 0 | ||||
-rwxr-xr-x | test/environment/zsh.exp (renamed from test/shell_zsh.exp) | 16 | ||||
-rwxr-xr-x | test/features/1.1.exp | 3 | ||||
-rwxr-xr-x | test/features/1.10.exp | 3 | ||||
-rwxr-xr-x | test/features/1.2.exp | 9 | ||||
-rwxr-xr-x | test/features/1.4.exp | 3 | ||||
-rwxr-xr-x | test/features/1.5.exp | 3 | ||||
-rwxr-xr-x | test/features/1.6.exp | 3 | ||||
-rwxr-xr-x | test/features/1.7.exp | 3 | ||||
-rwxr-xr-x | test/features/1.8.exp | 99 | ||||
-rwxr-xr-x | test/features/2.1.exp | 3 | ||||
-rwxr-xr-x | test/features/2.2.exp | 3 | ||||
-rwxr-xr-x | test/features/2.3.exp | 3 | ||||
-rwxr-xr-x | test/features/2.4.exp | 3 | ||||
-rwxr-xr-x | test/features/2.5.exp | 3 | ||||
-rwxr-xr-x | test/features/2.6.exp | 21 | ||||
-rwxr-xr-x | test/features/3.1.exp | 7 | ||||
-rwxr-xr-x | test/features/3.10.exp | 3 | ||||
-rwxr-xr-x | test/features/3.11.exp | 3 | ||||
-rwxr-xr-x | test/features/3.2.exp | 3 | ||||
-rwxr-xr-x | test/features/3.3.exp | 3 | ||||
-rwxr-xr-x | test/features/3.4.exp | 3 | ||||
-rwxr-xr-x | test/features/3.5.exp | 13 | ||||
-rwxr-xr-x | test/features/3.6.exp | 4 | ||||
-rwxr-xr-x | test/features/3.7.exp | 3 | ||||
-rwxr-xr-x | test/features/3.8.exp | 3 | ||||
-rwxr-xr-x | test/features/3.9.exp | 3 | ||||
-rw-r--r-- | test/features/features.txt | 2 | ||||
-rwxr-xr-x | test/features/test.sh | 2 | ||||
-rwxr-xr-x | test/filters/caps.exp | 72 | ||||
-rwxr-xr-x | test/filters/filters.sh | 61 | ||||
-rwxr-xr-x | test/filters/noroot.exp | 159 | ||||
-rwxr-xr-x | test/filters/protocol.exp (renamed from test/protocol.exp) | 17 | ||||
-rw-r--r-- | test/filters/protocol1.profile (renamed from test/protocol1.profile) | 0 | ||||
-rw-r--r-- | test/filters/protocol2.profile (renamed from test/protocol2.profile) | 0 | ||||
-rwxr-xr-x | test/filters/seccomp-bad-empty.exp (renamed from test/seccomp-bad-empty.exp) | 3 | ||||
-rw-r--r-- | test/filters/seccomp-bad-empty.profile (renamed from test/seccomp-bad-empty.profile) | 0 | ||||
-rw-r--r-- | test/filters/seccomp-bad-empty2.profile (renamed from test/seccomp-bad-empty2.profile) | 0 | ||||
-rwxr-xr-x | test/filters/seccomp-chmod-profile.exp (renamed from test/seccomp-chmod-profile.exp) | 33 | ||||
-rwxr-xr-x | test/filters/seccomp-chmod.exp (renamed from test/seccomp-chmod.exp) | 33 | ||||
-rwxr-xr-x | test/filters/seccomp-chown.exp (renamed from test/seccomp-chown.exp) | 3 | ||||
-rwxr-xr-x | test/filters/seccomp-debug.exp (renamed from test/seccomp-debug.exp) | 3 | ||||
-rwxr-xr-x | test/filters/seccomp-dualfilter.exp | 54 | ||||
-rwxr-xr-x | test/filters/seccomp-empty.exp (renamed from test/seccomp-empty.exp) | 3 | ||||
-rw-r--r-- | test/filters/seccomp-empty.profile (renamed from test/seccomp-empty.profile) | 0 | ||||
-rwxr-xr-x | test/filters/seccomp-errno.exp (renamed from test/seccomp-errno.exp) | 3 | ||||
-rwxr-xr-x | test/filters/seccomp-ptrace.exp (renamed from test/seccomp-ptrace.exp) | 3 | ||||
-rwxr-xr-x | test/filters/seccomp-su.exp (renamed from test/seccomp-su.exp) | 12 | ||||
-rwxr-xr-x | test/filters/seccomp-umount.exp (renamed from test/seccomp-umount.exp) | 3 | ||||
-rw-r--r-- | test/filters/seccomp.profile (renamed from test/seccomp.profile) | 0 | ||||
-rwxr-xr-x | test/filters/syscall_test (renamed from src/tools/syscall_test) | bin | 9552 -> 9552 bytes | |||
-rw-r--r-- | test/filters/syscall_test.c (renamed from src/tools/syscall_test.c) | 4 | ||||
-rwxr-xr-x | test/filters/syscall_test32 (renamed from src/tools/syscall_test32) | bin | 6868 -> 6868 bytes | |||
-rwxr-xr-x | test/fs/fs.sh | 55 | ||||
-rwxr-xr-x | test/fs/fs_dev_shm.exp (renamed from test/fs_dev_shm.exp) | 61 | ||||
-rwxr-xr-x | test/fs/fs_var_lock.exp (renamed from test/fs_var_lock.exp) | 61 | ||||
-rwxr-xr-x | test/fs/fs_var_tmp.exp (renamed from test/fs_var_tmp.exp) | 61 | ||||
-rwxr-xr-x | test/fs/invalid_filename.exp (renamed from test/invalid_filename.exp) | 27 | ||||
-rwxr-xr-x | test/fs/kmsg.exp (renamed from test/kmsg.exp) | 7 | ||||
-rwxr-xr-x | test/fs/option_bind_user.exp (renamed from test/option_bind_user.exp) | 0 | ||||
-rwxr-xr-x | test/fs/option_blacklist.exp (renamed from test/option_blacklist.exp) | 11 | ||||
-rwxr-xr-x | test/fs/option_blacklist_file.exp (renamed from test/option_blacklist_file.exp) | 4 | ||||
-rwxr-xr-x | test/fs/option_blacklist_glob.exp | 32 | ||||
-rwxr-xr-x | test/fs/private-bin.exp (renamed from test/private-bin.exp) | 6 | ||||
-rw-r--r-- | test/fs/private-bin.profile (renamed from test/private-bin.profile) | 0 | ||||
-rwxr-xr-x | test/fs/private-etc-empty.exp | 38 | ||||
-rw-r--r-- | test/fs/private-etc-empty.profile | 1 | ||||
-rwxr-xr-x | test/fs/private-etc.exp (renamed from test/private-etc.exp) | 17 | ||||
-rwxr-xr-x | test/fs/private-whitelist.exp (renamed from test/private-whitelist.exp) | 13 | ||||
-rwxr-xr-x | test/fs/private.exp | 59 | ||||
-rw-r--r-- | test/fs/testdir1/.directory/file | 0 | ||||
-rw-r--r-- | test/fs/testdir1/.file | 0 | ||||
-rwxr-xr-x | test/fs/whitelist-empty.exp (renamed from test/whitelist-empty.exp) | 3 | ||||
-rwxr-xr-x | test/fs_chroot.exp | 3 | ||||
-rwxr-xr-x | test/fs_overlay.exp | 1 | ||||
-rwxr-xr-x | test/google-chrome.exp | 72 | ||||
-rwxr-xr-x | test/net_defaultgw2.exp | 65 | ||||
-rwxr-xr-x | test/network/4bridges_arp.exp (renamed from test/4bridges_arp.exp) | 40 | ||||
-rwxr-xr-x | test/network/4bridges_ip.exp (renamed from test/4bridges_ip.exp) | 38 | ||||
-rw-r--r-- | test/network/README | 15 | ||||
-rwxr-xr-x | test/network/bandwidth.exp | 65 | ||||
-rwxr-xr-x | test/network/configure | 27 | ||||
-rwxr-xr-x | test/network/hostname.exp (renamed from test/hostname.exp) | 9 | ||||
-rwxr-xr-x | test/network/ip6.exp (renamed from test/ip6.exp) | 4 | ||||
-rw-r--r-- | test/network/ipv6.net (renamed from test/ipv6.net) | 0 | ||||
-rw-r--r-- | test/network/net-profile.profile | 10 | ||||
-rwxr-xr-x | test/network/net_arp.exp (renamed from test/net_arp.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_badip.exp (renamed from test/net_badip.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_defaultgw.exp (renamed from test/net_defaultgw.exp) | 38 | ||||
-rwxr-xr-x | test/network/net_defaultgw2.exp | 43 | ||||
-rwxr-xr-x | test/network/net_defaultgw3.exp (renamed from test/net_defaultgw3.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_interface.exp (renamed from test/net_interface.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_ip.exp (renamed from test/net_ip.exp) | 36 | ||||
-rwxr-xr-x | test/network/net_local.exp (renamed from test/net_local.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_mac.exp (renamed from test/net_mac.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_macvlan.exp (renamed from test/net_macvlan.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_mtu.exp (renamed from test/net_mtu.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_netfilter.exp (renamed from test/net_netfilter.exp) | 3 | ||||
-rwxr-xr-x | test/network/net_noip.exp (renamed from test/net_noip.exp) | 11 | ||||
-rwxr-xr-x | test/network/net_noip2.exp (renamed from test/net_noip2.exp) | 11 | ||||
-rwxr-xr-x | test/network/net_none.exp (renamed from test/net_none.exp) | 21 | ||||
-rw-r--r-- | test/network/net_none.profile (renamed from test/net_none.profile) | 0 | ||||
-rwxr-xr-x | test/network/net_profile.exp | 76 | ||||
-rw-r--r-- | test/network/netfilter.filter (renamed from test/netfilter.filter) | 0 | ||||
-rw-r--r-- | test/network/netfilter.profile (renamed from test/netfilter.profile) | 0 | ||||
-rwxr-xr-x | test/network/network.sh | 62 | ||||
-rwxr-xr-x | test/noroot.exp | 117 | ||||
-rw-r--r-- | test/notes | 13 | ||||
-rwxr-xr-x | test/option-trace.exp | 25 | ||||
-rwxr-xr-x | test/option_chroot_overlay.exp | 3 | ||||
-rwxr-xr-x | test/private.exp | 97 | ||||
-rwxr-xr-x | test/private_dir.exp | 4 | ||||
-rwxr-xr-x | test/private_dir_profile.exp | 6 | ||||
-rwxr-xr-x | test/profiles/ignore.exp (renamed from test/ignore.exp) | 3 | ||||
-rw-r--r-- | test/profiles/ignore.profile (renamed from test/ignore.profile) | 0 | ||||
-rw-r--r-- | test/profiles/ignore2.profile (renamed from test/ignore2.profile) | 0 | ||||
-rwxr-xr-x | test/profiles/profile_followlnk.exp (renamed from test/profile_followlnk.exp) | 37 | ||||
-rwxr-xr-x | test/profiles/profile_noperm.exp (renamed from test/profile_noperm.exp) | 2 | ||||
-rwxr-xr-x | test/profiles/profile_readonly.exp (renamed from test/profile_readonly.exp) | 38 | ||||
-rwxr-xr-x | test/profiles/profile_syntax.exp (renamed from test/profile_syntax.exp) | 23 | ||||
-rwxr-xr-x | test/profiles/profile_syntax2.exp (renamed from test/profile_syntax2.exp) | 3 | ||||
-rwxr-xr-x | test/profiles/profiles.sh | 34 | ||||
-rw-r--r-- | test/profiles/readonly-lnk.profile (renamed from test/readonly-lnk.profile) | 0 | ||||
-rw-r--r-- | test/profiles/readonly.profile (renamed from test/readonly.profile) | 0 | ||||
-rwxr-xr-x | test/profiles/test-profile.exp (renamed from test/test-profile.exp) | 5 | ||||
-rw-r--r-- | test/profiles/test.profile (renamed from test/test.profile) | 0 | ||||
-rw-r--r-- | test/profiles/test2.profile (renamed from test/test2.profile) | 0 | ||||
-rwxr-xr-x | test/quiet.exp | 17 | ||||
-rwxr-xr-x | test/sysutils/cpio.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/gzip.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/less.exp | 20 | ||||
-rwxr-xr-x | test/sysutils/strings.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 62 | ||||
-rwxr-xr-x | test/sysutils/xz.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/xzdec.exp | 29 | ||||
-rwxr-xr-x | test/test-apps-x11.sh | 29 | ||||
-rwxr-xr-x | test/test-nonet.sh | 44 | ||||
-rwxr-xr-x | test/test-profiles.sh | 10 | ||||
-rwxr-xr-x | test/test-root.sh | 45 | ||||
-rwxr-xr-x | test/test.sh | 260 | ||||
-rwxr-xr-x | test/utils/caps-print.exp | 32 | ||||
-rwxr-xr-x | test/utils/caps.exp (renamed from test/firemon-caps.exp) | 3 | ||||
-rw-r--r-- | test/utils/caps1.profile (renamed from test/caps1.profile) | 0 | ||||
-rw-r--r-- | test/utils/caps2.profile (renamed from test/caps2.profile) | 0 | ||||
-rwxr-xr-x | test/utils/catchsignal-master.sh | 4 | ||||
-rwxr-xr-x | test/utils/catchsignal.sh | 27 | ||||
-rwxr-xr-x | test/utils/catchsignal2.sh | 49 | ||||
-rwxr-xr-x | test/utils/cpu-print.exp | 24 | ||||
-rwxr-xr-x | test/utils/dns-print.exp | 24 | ||||
-rwxr-xr-x | test/utils/fs-print.exp | 32 | ||||
-rwxr-xr-x | test/utils/help.exp (renamed from test/option_help.exp) | 3 | ||||
-rwxr-xr-x | test/utils/join-profile.exp (renamed from test/option-join-profile.exp) | 26 | ||||
-rwxr-xr-x | test/utils/join.exp (renamed from test/option-join.exp) | 29 | ||||
-rwxr-xr-x | test/utils/join2.exp (renamed from test/option-join3.exp) | 29 | ||||
-rwxr-xr-x | test/utils/join3.exp (renamed from test/option-join2.exp) | 29 | ||||
-rwxr-xr-x | test/utils/list.exp (renamed from test/option_list.exp) | 3 | ||||
-rwxr-xr-x | test/utils/ls.exp | 41 | ||||
-rwxr-xr-x | test/utils/man.exp (renamed from test/option_man.exp) | 3 | ||||
-rw-r--r-- | test/utils/name.profile (renamed from test/name.profile) | 0 | ||||
-rwxr-xr-x | test/utils/protocol-print.exp | 24 | ||||
-rwxr-xr-x | test/utils/seccomp-print.exp | 36 | ||||
-rwxr-xr-x | test/utils/seccomp.exp (renamed from test/firemon-seccomp.exp) | 5 | ||||
-rwxr-xr-x | test/utils/shutdown.exp (renamed from test/option-shutdown.exp) | 19 | ||||
-rwxr-xr-x | test/utils/shutdown2.exp (renamed from test/pid.exp) | 37 | ||||
-rwxr-xr-x | test/utils/shutdown3.exp | 65 | ||||
-rwxr-xr-x | test/utils/shutdown4.exp | 65 | ||||
-rwxr-xr-x | test/utils/trace.exp (renamed from test/trace.exp) | 22 | ||||
-rwxr-xr-x | test/utils/tree.exp (renamed from test/option_tree.exp) | 3 | ||||
-rwxr-xr-x | test/utils/utils.sh | 90 | ||||
-rwxr-xr-x | test/utils/version.exp (renamed from test/option_version.exp) | 3 | ||||
-rw-r--r-- | todo | 211 |
449 files changed, 20094 insertions, 3909 deletions
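--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,14 @@ config.log
 config.status
 firejail-login.5
 firejail-profile.5
+firejail-config.5
 firejail.1
 firemon.1
+firecfg.1
 src/firejail/firejail
 src/firemon/firemon
+src/firecfg/firecfg
 src/ftee/ftee
 src/tags
+src/faudit/faudit
+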
diff --git a/Makefile.in b/Makefile.in index 1a22700e8..44833021e 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,6 +1,6 @@ | |||
1 | all: apps firejail.1 firemon.1 firejail-profile.5 firejail-login.5 | 1 | all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 |
2 | MYLIBS = src/lib | 2 | MYLIBS = src/lib |
3 | APPS = src/firejail src/firemon src/libtrace src/libtracelog src/ftee | 3 | APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit |
4 | 4 | ||
5 | prefix=@prefix@ | 5 | prefix=@prefix@ |
6 | exec_prefix=@exec_prefix@ | 6 | exec_prefix=@exec_prefix@ |
@@ -29,10 +29,14 @@ firemon.1: src/man/firemon.txt | |||
29 | ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1 | 29 | ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1 |
30 | firejail.1: src/man/firejail.txt | 30 | firejail.1: src/man/firejail.txt |
31 | ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1 | 31 | ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1 |
32 | firecfg.1: src/man/firecfg.txt | ||
33 | ./mkman.sh $(VERSION) src/man/firecfg.txt firecfg.1 | ||
32 | firejail-profile.5: src/man/firejail-profile.txt | 34 | firejail-profile.5: src/man/firejail-profile.txt |
33 | ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5 | 35 | ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5 |
34 | firejail-login.5: src/man/firejail-login.txt | 36 | firejail-login.5: src/man/firejail-login.txt |
35 | ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5 | 37 | ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5 |
38 | firejail-config.5: src/man/firejail-config.txt | ||
39 | ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5 | ||
36 | 40 | ||
37 | clean: | 41 | clean: |
38 | for dir in $(APPS); do \ | 42 | for dir in $(APPS); do \ |
@@ -41,7 +45,19 @@ clean: | |||
41 | for dir in $(MYLIBS); do \ | 45 | for dir in $(MYLIBS); do \ |
42 | $(MAKE) -C $$dir clean; \ | 46 | $(MAKE) -C $$dir clean; \ |
43 | done | 47 | done |
44 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail*.rpm | 48 | rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm |
49 | rm -f test/utils/index.html* | ||
50 | rm -f test/utils/wget-log | ||
51 | rm -f test/utils/lstesting | ||
52 | rm -f test/environment/index.html* | ||
53 | rm -f test/environment/wget-log* | ||
54 | rm -fr test/environment/-testdir | ||
55 | rm -f test/environment/logfile* | ||
56 | rm -f test/environment/index.html | ||
57 | rm -f test/environment/wget-log | ||
58 | rm -f test/sysutils/firejail_t* | ||
59 | cd test/compile; ./compile.sh --clean; cd ../.. | ||
60 | cd test/dist-compile; ./compile.sh --clean; cd ../.. | ||
45 | 61 | ||
46 | distclean: clean | 62 | distclean: clean |
47 | for dir in $(APPS); do \ | 63 | for dir in $(APPS); do \ |
@@ -50,7 +66,7 @@ distclean: clean | |||
50 | for dir in $(MYLIBS); do \ | 66 | for dir in $(MYLIBS); do \ |
51 | $(MAKE) -C $$dir distclean; \ | 67 | $(MAKE) -C $$dir distclean; \ |
52 | done | 68 | done |
53 | rm -fr Makefile autom4te.cache config.log config.status config.h | 69 | rm -fr Makefile autom4te.cache config.log config.status config.h uids.h |
54 | 70 | ||
55 | realinstall: | 71 | realinstall: |
56 | # firejail executable | 72 | # firejail executable |
@@ -59,12 +75,16 @@ realinstall: | |||
59 | chmod u+s $(DESTDIR)/$(bindir)/firejail | 75 | chmod u+s $(DESTDIR)/$(bindir)/firejail |
60 | # firemon executable | 76 | # firemon executable |
61 | install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/. | 77 | install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/. |
78 | # firecfg executable | ||
79 | install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/. | ||
62 | # libraries and plugins | 80 | # libraries and plugins |
63 | install -m 0755 -d $(DESTDIR)/$(libdir)/firejail | 81 | install -m 0755 -d $(DESTDIR)/$(libdir)/firejail |
64 | install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. | 82 | install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. |
65 | install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. | 83 | install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. |
66 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. | 84 | install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. |
67 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. | 85 | install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. |
86 | install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. | ||
87 | install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. | ||
68 | # documents | 88 | # documents |
69 | install -m 0755 -d $(DESTDIR)/$(DOCDIR) | 89 | install -m 0755 -d $(DESTDIR)/$(DOCDIR) |
70 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. | 90 | install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. |
@@ -73,103 +93,168 @@ realinstall: | |||
73 | # etc files | 93 | # etc files |
74 | ./mketc.sh $(sysconfdir) | 94 | ./mketc.sh $(sysconfdir) |
75 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail | 95 | install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail |
96 | install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
97 | install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
98 | install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
99 | install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
100 | install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
101 | install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
102 | install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
103 | install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
76 | install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 104 | install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
105 | install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
106 | install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
107 | install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
108 | install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
109 | install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
110 | install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
111 | install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
77 | install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 112 | install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
113 | install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
114 | install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
115 | install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
116 | install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
117 | install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
118 | install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
119 | install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
120 | install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
121 | install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
122 | install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
123 | install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
124 | install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
125 | install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
126 | install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
127 | install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
128 | install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
129 | install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
130 | install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
78 | install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 131 | install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
79 | install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 132 | install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
80 | install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 133 | install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
81 | install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 134 | install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
82 | install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 135 | install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
83 | install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 136 | install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
137 | install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
138 | install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
139 | install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
140 | install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
141 | install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
142 | install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
143 | install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
144 | install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
145 | install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
146 | install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
147 | install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
148 | install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
149 | install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
150 | install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
151 | install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
152 | install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
84 | install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 153 | install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
85 | install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 154 | install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
155 | install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
156 | install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
157 | install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
158 | install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
159 | install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
160 | install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
161 | install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
162 | install -c -m 0644 .etc/loffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
163 | install -c -m 0644 .etc/lofromtemplate.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
164 | install -c -m 0644 .etc/loimpress.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
165 | install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
166 | install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
167 | install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
168 | install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
169 | install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
170 | install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
86 | install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 171 | install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
87 | install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 172 | install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
88 | install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 173 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
89 | install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 174 | install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
90 | install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 175 | install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/. |
91 | install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 176 | install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
92 | install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 177 | install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
93 | install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
94 | install -c -m 0644 .etc/disable-mgmt.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
95 | install -c -m 0644 .etc/disable-secret.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
96 | install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
97 | install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
98 | install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
99 | install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 178 | install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
100 | install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 179 | install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
101 | install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 180 | install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
102 | install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 181 | install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
103 | install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
104 | install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
105 | install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
106 | install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
107 | install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 182 | install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
108 | install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 183 | install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
109 | install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 184 | install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
110 | install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 185 | install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
111 | install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 186 | install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
187 | install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
112 | install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 188 | install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
113 | install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 189 | install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
114 | install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 190 | install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
115 | install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 191 | install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
192 | install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
193 | install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
194 | install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
195 | install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
196 | install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
197 | install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
198 | install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
116 | install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 199 | install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
200 | install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
117 | install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 201 | install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
118 | install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 202 | install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
119 | install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 203 | install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
120 | install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/. | 204 | install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
121 | install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 205 | install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
206 | install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
207 | install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
208 | install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
209 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
122 | install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 210 | install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
123 | install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 211 | install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
124 | install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. | 212 | install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
125 | install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/. | 213 | install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
214 | install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
215 | install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
126 | install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/. | 216 | install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/. |
127 | install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
128 | install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
129 | install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 217 | install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
130 | install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 218 | install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
131 | install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
132 | install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
133 | install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
134 | install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
135 | install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
136 | install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
137 | install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
138 | install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
139 | install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
140 | install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
141 | install -c -m 0644 .etc/disable-terminals.inc $(DESTDIR)/$(sysconfdir)/firejail/. | ||
142 | install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
143 | install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
144 | install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 219 | install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
145 | install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 220 | install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. |
146 | install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 221 | install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
147 | install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 222 | install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
148 | install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. | 223 | install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. |
224 | install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
225 | install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
226 | install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
227 | install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. | ||
149 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 228 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" |
150 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" | 229 | install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. |
151 | rm -fr .etc | 230 | rm -fr .etc |
152 | # man pages | 231 | # man pages |
153 | rm -f firejail.1.gz | 232 | rm -f firejail.1.gz |
154 | gzip -9n firejail.1 | 233 | gzip -9n firejail.1 |
155 | rm -f firemon.1.gz | 234 | rm -f firemon.1.gz |
156 | gzip -9n firemon.1 | 235 | gzip -9n firemon.1 |
236 | rm -f firecfg.1.gz | ||
237 | gzip -9n firecfg.1 | ||
157 | rm -f firejail-profile.5.gz | 238 | rm -f firejail-profile.5.gz |
158 | gzip -9n firejail-profile.5 | 239 | gzip -9n firejail-profile.5 |
159 | rm -f firejail-login.5.gz | 240 | rm -f firejail-login.5.gz |
160 | gzip -9n firejail-login.5 | 241 | gzip -9n firejail-login.5 |
242 | rm -f firejail-config.5.gz | ||
243 | gzip -9n firejail-config.5 | ||
161 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 | 244 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 |
162 | install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/. | 245 | install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/. |
163 | install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/. | 246 | install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/. |
247 | install -c -m 0644 firecfg.1.gz $(DESTDIR)/$(mandir)/man1/. | ||
164 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 | 248 | install -m 0755 -d $(DESTDIR)/$(mandir)/man5 |
165 | install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/. | 249 | install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/. |
166 | install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/. | 250 | install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/. |
167 | rm -f firejail.1.gz firemon.1.gz firejail-profile.5.gz firejail-login.5.gz | 251 | install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/. |
252 | rm -f firejail.1.gz firemon.1.gz firecfg.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz | ||
168 | # bash completion | 253 | # bash completion |
169 | install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions | 254 | install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions |
170 | install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail | 255 | install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail |
171 | install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon | 256 | install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon |
172 | 257 | install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | |
173 | 258 | ||
174 | install: all | 259 | install: all |
175 | $(MAKE) realinstall | 260 | $(MAKE) realinstall |
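Review bot: The firejail.config line (new gutter 229) drops the `if [ ! -f … ]` existence guard that the login.users line directly above it still keeps, so every `make install` now overwrites an administrator-edited $(DESTDIR)/$(sysconfdir)/firejail/firejail.config with the shipped defaults. For the file that carries the sandbox's system-wide settings, silently reverting local changes on reinstall or upgrade is a regression, and the two adjacent lines now disagree on policy for no stated reason. I would restore `sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"`, or, if clobbering is deliberate (new keys that must be present), put that reason in a comment such as `# firejail.config is always overwritten; local edits are lost` so packagers know to mark it as a conffile. The realinstall recipe this belongs to begins outside the hunk.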
@@ -177,37 +262,58 @@ install: all | |||
177 | install-strip: all | 262 | install-strip: all |
178 | strip src/firejail/firejail | 263 | strip src/firejail/firejail |
179 | strip src/firemon/firemon | 264 | strip src/firemon/firemon |
265 | strip src/firecfg/firecfg | ||
180 | strip src/libtrace/libtrace.so | 266 | strip src/libtrace/libtrace.so |
181 | strip src/libtracelog/libtracelog.so | 267 | strip src/libtracelog/libtracelog.so |
182 | strip src/ftee/ftee | 268 | strip src/ftee/ftee |
269 | strip src/faudit/faudit | ||
183 | $(MAKE) realinstall | 270 | $(MAKE) realinstall |
184 | 271 | ||
185 | uninstall: | 272 | uninstall: |
186 | rm -f $(DESTDIR)/$(bindir)/firejail | 273 | rm -f $(DESTDIR)/$(bindir)/firejail |
187 | rm -f $(DESTDIR)/$(bindir)/firemon | 274 | rm -f $(DESTDIR)/$(bindir)/firemon |
275 | rm -f $(DESTDIR)/$(bindir)/firecfg | ||
188 | rm -fr $(DESTDIR)/$(libdir)/firejail | 276 | rm -fr $(DESTDIR)/$(libdir)/firejail |
189 | rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail | 277 | rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail |
190 | rm -f $(DESTDIR)/$(mandir)/man1/firejail.1* | 278 | rm -f $(DESTDIR)/$(mandir)/man1/firejail.1* |
191 | rm -f $(DESTDIR)/$(mandir)/man1/firemon.1* | 279 | rm -f $(DESTDIR)/$(mandir)/man1/firemon.1* |
280 | rm -f $(DESTDIR)/$(mandir)/man1/firecfg.1* | ||
192 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5* | 281 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5* |
193 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5* | 282 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5* |
283 | rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5* | ||
194 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail | 284 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail |
195 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon | 285 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon |
286 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | ||
196 | 287 | ||
288 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" | ||
289 | DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" | ||
290 | |||
197 | dist: | 291 | dist: |
198 | make distclean | 292 | make distclean |
199 | rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 | 293 | rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 |
200 | mkdir $(NAME)-$(VERSION) | 294 | mkdir -p $(NAME)-$(VERSION)/test |
201 | cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd .. | 295 | cp -a "$(DISTFILES)" $(NAME)-$(VERSION) |
202 | cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd .. | 296 | cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test |
203 | cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd .. | 297 | rm -rf $(NAME)-$(VERSION)/src/tools |
204 | cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. | 298 | find $(NAME)-$(VERSION) -name .svn -delete |
205 | tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) | 299 | tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) |
206 | rm -fr $(NAME)-$(VERSION) | 300 | rm -fr $(NAME)-$(VERSION) |
207 | 301 | ||
208 | deb: dist | 302 | deb: dist |
209 | ./mkdeb.sh $(NAME) $(VERSION) | 303 | ./mkdeb.sh $(NAME) $(VERSION) |
210 | 304 | ||
305 | snap: all | ||
306 | cd platform/snap; ./snap.sh | ||
307 | |||
308 | install-snap: snap | ||
309 | sudo snap remove faudit; sudo snap install faudit*.snap | ||
310 | |||
311 | github-compile: | ||
312 | cd test/compile; ./compile.sh | ||
313 | |||
314 | dist-compile: dist | ||
315 | cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION) | ||
316 | |||
211 | .PHONY: rpms | 317 | .PHONY: rpms |
212 | rpms: | 318 | rpms: |
213 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | 319 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) |
@@ -220,5 +326,35 @@ cppcheck: clean | |||
220 | 326 | ||
221 | scan-build: clean | 327 | scan-build: clean |
222 | scan-build make | 328 | scan-build make |
329 | |||
223 | asc:; ./mkasc.sh $(VERSION) | 330 | asc:; ./mkasc.sh $(VERSION) |
224 | 331 | ||
332 | test-profiles: | ||
333 | cd test/profiles; ./profiles.sh | grep TESTING | ||
334 | |||
335 | test-apps: | ||
336 | cd test/apps; ./apps.sh | grep TESTING | ||
337 | |||
338 | test-apps-x11: | ||
339 | cd test/apps-x11; ./apps-x11.sh | grep TESTING | ||
340 | |||
341 | test-sysutils: | ||
342 | cd test/sysutils; ./sysutils.sh | grep TESTING | ||
343 | |||
344 | test-utils: | ||
345 | cd test/utils; ./utils.sh | grep TESTING | ||
346 | |||
347 | test-environment: | ||
348 | cd test/environment; ./environment.sh | grep TESTING | ||
349 | |||
350 | test-filters: | ||
351 | cd test/filters; ./filters.sh | grep TESTING | ||
352 | |||
353 | test-network: | ||
354 | echo "Please read test/network/README file and run the test manually" | ||
355 | |||
356 | test-fs: | ||
357 | cd test/fs; ./fs.sh | grep TESTING | ||
358 | |||
359 | test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters | ||
360 | echo "TEST COMPLETE" | ||
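Review bot: Each test-* recipe (new gutter 333–357) pipes the test script into `grep TESTING`, so the recipe's exit status is grep's, not the script's; a suite that aborts or exits non-zero still lets the aggregate `test` target reach `echo "TEST COMPLETE"`. Make runs recipes with /bin/sh -c, which has no pipefail, so the script's status has to be saved explicitly: write the script output to a temporary file, grep that file, then `exit` with the saved status (or use `set -o pipefail` only if the recipe shell is known to be bash, which this project appears to avoid assuming). The same pattern repeats in every test target in this hunk, so one helper recipe or a shell snippet in a make variable would fix them all at once.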
@@ -18,25 +18,131 @@ License: GPL v2 | |||
18 | Firejail Authors: | 18 | Firejail Authors: |
19 | 19 | ||
20 | netblue30 (netblue30@yahoo.com) | 20 | netblue30 (netblue30@yahoo.com) |
21 | Benjamin Kampmann (https://github.com/ligthyear) | 21 | Reiner Herrmann (https://github.com/reinerh) |
22 | - Forward exit code from child process | 22 | - a number of build patches |
23 | dshmgh (https://github.com/dshmgh) | 23 | - man page fixes |
24 | - overlayfs fix for systems with /home mounted on a separate partition | 24 | - Debian and Ubuntu integration |
25 | - clang-analyzer fixes | ||
26 | - Debian reproducible build | ||
27 | - unit testing framework | ||
28 | Thomas Jarosch (https://github.com/thomasjfox) | ||
29 | - disable keepassx in disable-passwdmgr.inc | ||
30 | - added uudeview profile | ||
31 | Niklas Haas (https://github.com/haasn) | ||
32 | - blacklisting for keybase.io's client | ||
33 | Aleksey Manevich (https://github.com/manevich) | ||
34 | - several profile fixes | ||
35 | - fix problem with relative path in storage_find function | ||
36 | - fix build for systems without bash | ||
37 | - fix double quotes/single quotes problem | ||
38 | - big rework of argument processing subsytem | ||
39 | - --join fixes | ||
25 | Fred-Barclay (https://github.com/Fred-Barclay) | 40 | Fred-Barclay (https://github.com/Fred-Barclay) |
26 | - added Vivaldi, Atril profiles | 41 | - added Vivaldi, Atril profiles |
27 | yumkam (https://github.com/yumkam) | 42 | - added PaleMoon profile |
28 | - add compile-time option to restrict --net= to root only | 43 | - split Icedove and Thunderbird profiles |
44 | - added 0ad profile | ||
45 | - fixed version for .deb packages | ||
46 | - added Warzone2100 profile | ||
47 | - blacklisted VeraCrypt | ||
48 | - added Gpredict profile | ||
49 | - added Aweather, Stellarium profiles | ||
50 | - fixed HexChat and Atril profiles | ||
51 | - fixed disable-common.inc for mate-terminal | ||
52 | - blacklisted escape-happy terminals in disable-common.inc | ||
53 | - blacklisted g++ | ||
54 | - added xplayer, xreader, and xviewer profiles | ||
55 | - added Brave profile | ||
56 | - added Gitter profile | ||
57 | - various organising | ||
58 | - added LibreOffice profile | ||
59 | - added pix profile | ||
60 | - added audacity profile | ||
61 | - fixed Telegram and qtox profiles | ||
62 | - added Atom Beta and Atom profiles | ||
63 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. | ||
64 | - several private-bin conversions | ||
65 | - added jitsi profile | ||
66 | - pidgin private-bin conversion | ||
67 | - added eom profile | ||
68 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | ||
69 | - cpio profile | ||
70 | Paupiah Yash (https://github.com/CaffeinatedStud) | ||
71 | - gzip profile | ||
72 | Akhil Hans Maulloo (https://github.com/kouul) | ||
73 | - xz profile | ||
74 | Rahul Golam (https://github.com/technoLord) | ||
75 | - strings profile | ||
76 | geg2048 (https://github.com/geg2048) | ||
77 | - kwallet profile fixes | ||
78 | Simon Peter (https://github.com/probonopd) | ||
79 | - set $APPIMAGE and $APPDIR environment variables | ||
80 | maces (https://github.com/maces) | ||
81 | - Franz messenger profile | ||
82 | KellerFuchs (https://github.com/KellerFuchs) | ||
83 | - nonewpriv support, extended profiles for this feature | ||
84 | - make `restricted-network` prevent use of netfilter | ||
85 | - disable-common.inc additions | ||
86 | ValdikSS (https://github.com/ValdikSS) | ||
87 | - Psi+, Corebird, Konversation profiles | ||
88 | - various profile fixes | ||
89 | avoidr (https://github.com/avoidr) | ||
90 | - whitelist fix | ||
91 | - recently-used.xbel fix | ||
92 | - added parole profile | ||
93 | - blacklist ncat | ||
94 | - hostname support in profile file | ||
95 | - Google Chrome profile rework | ||
96 | - added cmus profile | ||
29 | - man page fixes | 97 | - man page fixes |
98 | - add net iface support in profile files | ||
99 | - paths fix | ||
100 | - lots of profile fixes | ||
101 | - added mcabber profile | ||
102 | - fixed mpv profile | ||
103 | - various other fixes | ||
104 | Ruan (https://github.com/ruany) | ||
105 | - fixed hexchat profile | ||
30 | Vasya Novikov (https://github.com/vn971) | 106 | Vasya Novikov (https://github.com/vn971) |
31 | - Wesnoth profile | 107 | - Wesnoth profile |
32 | - Hedegewars profile | 108 | - Hedegewars profile |
33 | - manpage fixes | 109 | - manpage fixes |
110 | - fixed firecfg clean/clear issue | ||
111 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
112 | - tightening unbound and dnscrypt-proxy profiles | ||
113 | - dnsmasq profile | ||
114 | - okular and gwenview profiles | ||
115 | - cherrytree profile fixes | ||
116 | - added quiterss profile | ||
117 | Matthew Gyurgyik (https://github.com/pyther) | ||
118 | - rpm spec and several fixes | ||
119 | Joan Figueras (https://github.com/figue) | ||
120 | - added abrowser profile | ||
121 | - added Google-Play-Music-Desktop-Player | ||
122 | - added cyberfox profile | ||
123 | Petter Reinholdtsen (pere@hungry.com) | ||
124 | - Opera profile patch | ||
125 | n1trux (https://github.com/n1trux) | ||
126 | - fix flashpeak-slimjet profile typos | ||
127 | Felipe Barriga Richards (https://github.com/fbarriga) | ||
128 | - --private-etc fix | ||
129 | Alexander Stein (https://github.com/ajstein) | ||
130 | - added profile for qutebrowser | ||
131 | Benjamin Kampmann (https://github.com/ligthyear) | ||
132 | - Forward exit code from child process | ||
133 | dshmgh (https://github.com/dshmgh) | ||
134 | - overlayfs fix for systems with /home mounted on a separate partition | ||
135 | yumkam (https://github.com/yumkam) | ||
136 | - add compile-time option to restrict --net= to root only | ||
137 | - man page fixes | ||
34 | mahdi1234 (https://github.com/mahdi1234) | 138 | mahdi1234 (https://github.com/mahdi1234) |
35 | - cherrytree profile | 139 | - cherrytree profile |
36 | jrabe (https://github.com/jrabe) | 140 | jrabe (https://github.com/jrabe) |
37 | - disallow access to kdbx files | 141 | - disallow access to kdbx files |
38 | - Epiphany profile | 142 | - Epiphany profile |
39 | - Polari profile | 143 | - Polari profile |
144 | - qTox profile | ||
145 | - X11 fixes | ||
40 | jgriffiths (https://github.com/jgriffiths) | 146 | jgriffiths (https://github.com/jgriffiths) |
41 | - make rpm packages support | 147 | - make rpm packages support |
42 | Tom Mellor (https://github.com/kalegrill) | 148 | Tom Mellor (https://github.com/kalegrill) |
@@ -44,18 +150,13 @@ Tom Mellor (https://github.com/kalegrill) | |||
44 | Martin Carpenter (https://github.com/mcarpenter) | 150 | Martin Carpenter (https://github.com/mcarpenter) |
45 | - security audit and bug fixes | 151 | - security audit and bug fixes |
46 | - Centos 6.x support | 152 | - Centos 6.x support |
47 | Aleksey Manevich (https://github.com/manevich) | ||
48 | - several profile fixes | ||
49 | - fix problem with relative path in storage_find function | ||
50 | - fix build for systems without bash | ||
51 | pszxzsd (https://github.com/pszxzsd) | 153 | pszxzsd (https://github.com/pszxzsd) |
52 | -uGet profile | 154 | -uGet profile |
53 | Rahiel Kasim (https://github.com/rahiel) | 155 | Rahiel Kasim (https://github.com/rahiel) |
54 | - Mathematica profile | 156 | - Mathematica profile |
157 | - whitelisted Dropbox profile | ||
55 | creideiki (https://github.com/creideiki) | 158 | creideiki (https://github.com/creideiki) |
56 | - make the sandbox process reap all children | 159 | - make the sandbox process reap all children |
57 | curiosity-seeker (https://github.com/curiosity-seeker) | ||
58 | - tightening unbound and dnscrypt-proxy profiles | ||
59 | sinkuu (https://github.com/sinkuu) | 160 | sinkuu (https://github.com/sinkuu) |
60 | - blacklisting kwalletd | 161 | - blacklisting kwalletd |
61 | - fix symlink invocation for programs placing symlinks in $PATH | 162 | - fix symlink invocation for programs placing symlinks in $PATH |
@@ -84,13 +185,6 @@ Peter Hogg (https://github.com/pigmonkey) | |||
84 | - rtorrent profile | 185 | - rtorrent profile |
85 | rogshdo (https://github.com/rogshdo) | 186 | rogshdo (https://github.com/rogshdo) |
86 | - BitlBee profile | 187 | - BitlBee profile |
87 | avoidr (https://github.com/avoidr) | ||
88 | - whitelist fix | ||
89 | - recently-used.xbel fix | ||
90 | - added parole profile | ||
91 | - blacklist ncat, manpage fixes, | ||
92 | - hostname support in profile file | ||
93 | - Google Chrome profile rework | ||
94 | Bruno Nova (https://github.com/brunonova) | 188 | Bruno Nova (https://github.com/brunonova) |
95 | - whitelist fix | 189 | - whitelist fix |
96 | - bash arguments fix | 190 | - bash arguments fix |
@@ -111,8 +205,6 @@ andrew160 (https://github.com/andrew160) | |||
111 | - profile and man pages fixes | 205 | - profile and man pages fixes |
112 | Loïc Damien (https://github.com/dzamlo) | 206 | Loïc Damien (https://github.com/dzamlo) |
113 | - small fixes | 207 | - small fixes |
114 | Matthew Gyurgyik (https://github.com/pyther) | ||
115 | - rpm spec and several fixes | ||
116 | greigdp (https://github.com/greigdp) | 208 | greigdp (https://github.com/greigdp) |
117 | - add Spotify profile | 209 | - add Spotify profile |
118 | Mattias Wadman (https://github.com/wader) | 210 | Mattias Wadman (https://github.com/wader) |
@@ -129,12 +221,6 @@ sarneaud (https://github.com/sarneaud) | |||
129 | - various enhancements and bug fixes | 221 | - various enhancements and bug fixes |
130 | Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) | 222 | Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) |
131 | - user namespace implementation | 223 | - user namespace implementation |
132 | Reiner Herrmann | ||
133 | - a number of build patches | ||
134 | - man page fixes | ||
135 | - Debian and Ubuntu integration | ||
136 | - clang-analyzer fixes | ||
137 | - Debian reproducible build | ||
138 | sshirokov (http://sourceforge.net/u/yshirokov/profile/) | 224 | sshirokov (http://sourceforge.net/u/yshirokov/profile/) |
139 | - Patch to output "Reading profile" to stderr instead of stdout | 225 | - Patch to output "Reading profile" to stderr instead of stdout |
140 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) | 226 | G4JC (http://sourceforge.net/u/gaming4jc/profile/) |
@@ -34,124 +34,126 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.39 | 37 | # Current development version: 0.9.42~rc2 |
38 | ````` | ||
39 | 38 | ||
40 | ````` | 39 | Version 0.9.41~rc1 was released. |
41 | 40 | ||
42 | ## X11 sandboxing support | 41 | ## Deprecated --user |
43 | 42 | ||
44 | X11 support is built around Xpra (http://xpra.org/). | 43 | --user option was deprecated, please use "sudo -u username firejail application" instead. |
45 | So far I've seen it working on Debian 7 and 8, and Ubuntu 14.04. If you manage to run it on another | ||
46 | distribution, please let me know. Example: | ||
47 | ````` | ||
48 | $ firejail --x11 --net=eth0 firefox | ||
49 | ````` | ||
50 | --x11 starts the server, --net is required in order to remove the main X11 server socket from the sandbox. | ||
51 | More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ | ||
52 | 44 | ||
53 | ## File transfers | 45 | ## --whitelist rework |
54 | ````` | ||
55 | FILE TRANSFER | ||
56 | These features allow the user to inspect the file system container of | ||
57 | an existing sandbox and transfer files from the container to the host | ||
58 | file system. | ||
59 | 46 | ||
60 | --get=name filename | 47 | Symlinks outside user home directories are allowed: |
61 | Retrieve the container file and store it on the host in the cur‐ | 48 | ````` |
62 | rent working directory. The container is spececified by name | 49 | --whitelist=dirname_or_filename |
63 | (--name option). Full path is needed for filename. | 50 | Whitelist directory or file. This feature is implemented only |
51 | for user home, /dev, /media, /opt, /var, and /tmp directories. | ||
52 | With the exception of user home, both the link and the real file | ||
53 | should be in the same top directory. For /home, both the link | ||
54 | and the real file should be owned by the user. | ||
64 | 55 | ||
65 | --get=pid filename | 56 | Example: |
66 | Retrieve the container file and store it on the host in the cur‐ | 57 | $ firejail --noprofile --whitelist=~/.mozilla |
67 | rent working directory. The container is spececified by process | 58 | $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null |
68 | ID. Full path is needed for filename. | 59 | $ firejail "--whitelist=/home/username/My Virtual Machines" |
60 | ````` | ||
69 | 61 | ||
70 | --ls=name dir_or_filename | ||
71 | List container files. The container is spececified by name | ||
72 | (--name option). Full path is needed for dir_or_filename. | ||
73 | 62 | ||
74 | --ls=pid dir_or_filename | 63 | ## AppImage |
75 | List container files. The container is spececified by process | ||
76 | ID. Full path is needed for dir_or_filename. | ||
77 | 64 | ||
78 | Examples: | 65 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. |
66 | The package is a regular ISO file containing all binaries, libraries and resources | ||
67 | necessary for the program to run. | ||
79 | 68 | ||
80 | $ firejail --name=mybrowser --private firefox | 69 | We introduce in this release support for sandboxing AppImage applications. Example: |
70 | ````` | ||
71 | $ firejail --appimage krita-3.0-x86_64.appimage | ||
72 | ````` | ||
73 | All Firejail sandboxing options should be available. A private home directory: | ||
74 | ````` | ||
75 | $ firejail --appimage --private krita-3.0-x86_64.appimage | ||
76 | ````` | ||
77 | or some basic X11 sandboxing: | ||
78 | ````` | ||
79 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | ||
80 | ````` | ||
81 | Major software applications distributing AppImage packages: | ||
81 | 82 | ||
82 | $ firejail --ls=mybrowser ~/Downloads | 83 | * Krita: https://krita.org/download/krita-desktop/ |
83 | drwxr-xr-x netblue netblue 4096 . | 84 | * OpenShot: http://www.openshot.org/download/ |
84 | drwxr-xr-x netblue netblue 4096 .. | 85 | * Scribus: https://www.scribus.net/downloads/unstable-branch/ |
85 | -rw-r--r-- netblue netblue 7847 x11-x305.png | 86 | * MuseScore: https://musescore.org/en/download |
86 | -rw-r--r-- netblue netblue 6800 x11-x642.png | ||
87 | -rw-r--r-- netblue netblue 34139 xpra-clipboard.png | ||
88 | 87 | ||
89 | $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png | 88 | More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages |
90 | 89 | ||
90 | AppImage project home: https://github.com/probonopd/AppImageKit | ||
91 | 91 | ||
92 | ## Sandbox auditing | ||
92 | ````` | 93 | ````` |
94 | AUDIT | ||
95 | Audit feature allows the user to point out gaps in security profiles. | ||
96 | The implementation replaces the program to be sandboxed with a test | ||
97 | program. By default, we use faudit program distributed with Firejail. A | ||
98 | custom test program can also be supplied by the user. Examples: | ||
93 | 99 | ||
94 | ## Default seccomp filter update | 100 | Running the default audit program: |
101 | $ firejail --audit transmission-gtk | ||
95 | 102 | ||
96 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | 103 | Running a custom audit program: |
104 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
97 | 105 | ||
98 | ## STUN/WebRTC disabled in default netfilter configuration | 106 | In the examples above, the sandbox configures transmission-gtk profile |
107 | and starts the test program. The real program, transmission-gtk, will | ||
108 | not be started. | ||
99 | 109 | ||
100 | The current netfilter configuration (--netfilter option) looks like this: | 110 | Limitations: audit feature is not implemented for --x11 commands. |
101 | ````` | ||
102 | *filter | ||
103 | :INPUT DROP [0:0] | ||
104 | :FORWARD DROP [0:0] | ||
105 | :OUTPUT ACCEPT [0:0] | ||
106 | -A INPUT -i lo -j ACCEPT | ||
107 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
108 | # allow ping | ||
109 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | ||
110 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT | ||
111 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
112 | # drop STUN (WebRTC) requests | ||
113 | -A OUTPUT -p udp --dport 3478 -j DROP | ||
114 | -A OUTPUT -p udp --dport 3479 -j DROP | ||
115 | -A OUTPUT -p tcp --dport 3478 -j DROP | ||
116 | -A OUTPUT -p tcp --dport 3479 -j DROP | ||
117 | COMMIT | ||
118 | ````` | 111 | ````` |
119 | 112 | ||
120 | The filter is loaded by default for Firefox if a network namespace is configured: | 113 | ## --noexec |
121 | ````` | 114 | ````` |
122 | $ firejail --net=eth0 firefox | 115 | --noexec=dirname_or_filename |
116 | Remount directory or file noexec, nodev and nosuid. | ||
117 | |||
118 | Example: | ||
119 | $ firejail --noexec=/tmp | ||
120 | |||
121 | /etc and /var are noexec by default. If there are more than one | ||
122 | mount operation on the path of the file or directory, noexec | ||
123 | should be applied to the last one. Always check if the change | ||
124 | took effect inside the sandbox. | ||
123 | ````` | 125 | ````` |
124 | 126 | ||
125 | ## Set sandbox nice value | 127 | ## --rmenv |
126 | ````` | 128 | ````` |
127 | --nice=value | 129 | --rmenv=name |
128 | Set nice value for all processes running inside the sandbox. | 130 | Remove environment variable in the new sandbox. |
129 | 131 | ||
130 | Example: | 132 | Example: |
131 | $ firejail --nice=-5 firefox | 133 | $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS |
132 | ````` | 134 | ````` |
133 | 135 | ||
134 | ## mkdir | 136 | ## Converting profiles to private-bin - work in progress! |
135 | 137 | ||
136 | ````` | 138 | BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk |
137 | $ man firejail-profile | ||
138 | [...] | ||
139 | mkdir directory | ||
140 | Create a directory in user home. Use this command for | ||
141 | whitelisted directories you need to preserve when the sandbox is | ||
142 | closed. Subdirectories also need to be created using mkdir. | ||
143 | Example from firefox profile: | ||
144 | 139 | ||
145 | mkdir ~/.mozilla | 140 | File transfer: filezilla |
146 | whitelist ~/.mozilla | ||
147 | mkdir ~/.cache | ||
148 | mkdir ~/.cache/mozilla | ||
149 | mkdir ~/.cache/mozilla/firefox | ||
150 | whitelist ~/.cache/mozilla/firefox | ||
151 | 141 | ||
152 | [...] | 142 | Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom |
153 | ````` | 143 | |
144 | Office: evince, gthumb, fbreader, pix, atril, xreader, | ||
145 | |||
146 | Chat/messaging: qtox, gitter, pidgin | ||
147 | |||
148 | Games: warzone2100 | ||
149 | |||
150 | Weather/climate: aweather | ||
151 | |||
152 | Astronomy: gpredict, stellarium | ||
153 | |||
154 | Browsers: Palemoon | ||
154 | 155 | ||
155 | ## New security profiles | 156 | ## New security profiles |
156 | 157 | ||
157 | lxterminal, Epiphany, cherrytree, Battle for Wesnoth, Hedgewars | 158 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview |
159 | |||
@@ -1,16 +1,55 @@ | |||
1 | firejail (0.9.39) baseline; urgency=low | 1 | firejail (0.9.42~rc2) baseline; urgency=low |
2 | * default seccomp filter update | 2 | * deprecated --user option, please use "sudo -u username firejail" instead |
3 | * disable STUN/WebRTC in default netfilter configuration | 3 | * --read-write option rework |
4 | * allow symlinks in home directory for --whitelist option | ||
5 | * AppImage support (--appimage) | ||
6 | * Sandbox auditing support (--audit) | ||
7 | * remove environment variable (--rmenv) | ||
8 | * noexec support (--noexec) | ||
9 | * Ubuntu snap support | ||
10 | * include /dev/snd in --private-dev | ||
11 | * added mkfile profile command | ||
12 | * seccomp filter updated | ||
13 | * compile time and run time support to disable whitelists | ||
14 | * compile time support to disable global configuration file | ||
15 | * added netfilter-default config option in /etc/firejail/firejail.config | ||
16 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | ||
17 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less | ||
18 | * new profiles: Atom Beta, Atom, jitsi, eom, uudeview | ||
19 | -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500 | ||
20 | |||
21 | firejail (0.9.40) baseline; urgency=low | ||
4 | * added --nice option | 22 | * added --nice option |
5 | * added --x11 option | 23 | * added --x11 option |
24 | * added --x11=xpra option | ||
25 | * added --x11=xephyr option | ||
26 | * added --cpu.print option | ||
6 | * added filetransfer options --ls and --get | 27 | * added filetransfer options --ls and --get |
7 | * added mkdir, ipc-namespace and nosound profile commands | 28 | * added --writable-etc and --writable-var options |
29 | * added --read-only option | ||
30 | * added mkdir, ipc-namespace, and nosound profile commands | ||
31 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands | ||
8 | * --version also prints compile options | 32 | * --version also prints compile options |
33 | * --output option also redirects stderr | ||
9 | * added compile-time option to restrict --net= to root only | 34 | * added compile-time option to restrict --net= to root only |
10 | * build rpm packages using "make rpms" | 35 | * run time config support, man firejail-config |
36 | * added firecfg utility | ||
37 | * AppArmor fixes | ||
38 | * default seccomp filter update | ||
39 | * disable STUN/WebRTC in default netfilter configuration | ||
11 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 40 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
41 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars | ||
42 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq | ||
43 | * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 | ||
44 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player | ||
45 | * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox | ||
46 | * new profiles: generic Ubuntu snap application profile, xplayer | ||
47 | * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation | ||
48 | * new profiles: Brave, Gitter | ||
49 | * generic.profile renamed default.profile | ||
50 | * build rpm packages using "make rpms" | ||
12 | * bugfixes | 51 | * bugfixes |
13 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Mar 2016 08:00:00 -0500 | 52 | -- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500 |
14 | 53 | ||
15 | firejail (0.9.38) baseline; urgency=low | 54 | firejail (0.9.38) baseline; urgency=low |
16 | * IPv6 support (--ip6 and --netfilter6) | 55 | * IPv6 support (--ip6 and --netfilter6) |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.39. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.39' | 583 | PACKAGE_VERSION='0.9.42~rc2' |
584 | PACKAGE_STRING='firejail 0.9.39' | 584 | PACKAGE_STRING='firejail 0.9.42~rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -629,10 +629,12 @@ EGREP | |||
629 | GREP | 629 | GREP |
630 | CPP | 630 | CPP |
631 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
632 | HAVE_WHITELIST | ||
632 | HAVE_FILE_TRANSFER | 633 | HAVE_FILE_TRANSFER |
633 | HAVE_X11 | 634 | HAVE_X11 |
634 | HAVE_USERNS | 635 | HAVE_USERNS |
635 | HAVE_NETWORK | 636 | HAVE_NETWORK |
637 | HAVE_GLOBALCFG | ||
636 | HAVE_BIND | 638 | HAVE_BIND |
637 | HAVE_CHROOT | 639 | HAVE_CHROOT |
638 | HAVE_SECCOMP | 640 | HAVE_SECCOMP |
@@ -691,10 +693,12 @@ enable_option_checking | |||
691 | enable_seccomp | 693 | enable_seccomp |
692 | enable_chroot | 694 | enable_chroot |
693 | enable_bind | 695 | enable_bind |
696 | enable_globalcfg | ||
694 | enable_network | 697 | enable_network |
695 | enable_userns | 698 | enable_userns |
696 | enable_x11 | 699 | enable_x11 |
697 | enable_file_transfer | 700 | enable_file_transfer |
701 | enable_whitelist | ||
698 | enable_fatal_warnings | 702 | enable_fatal_warnings |
699 | ' | 703 | ' |
700 | ac_precious_vars='build_alias | 704 | ac_precious_vars='build_alias |
@@ -1246,7 +1250,7 @@ if test "$ac_init_help" = "long"; then | |||
1246 | # Omit some internal or obsolete options to make the list less imposing. | 1250 | # Omit some internal or obsolete options to make the list less imposing. |
1247 | # This message is too long to be a string in the A/UX 3.1 sh. | 1251 | # This message is too long to be a string in the A/UX 3.1 sh. |
1248 | cat <<_ACEOF | 1252 | cat <<_ACEOF |
1249 | \`configure' configures firejail 0.9.39 to adapt to many kinds of systems. | 1253 | \`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems. |
1250 | 1254 | ||
1251 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1255 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1252 | 1256 | ||
@@ -1307,7 +1311,7 @@ fi | |||
1307 | 1311 | ||
1308 | if test -n "$ac_init_help"; then | 1312 | if test -n "$ac_init_help"; then |
1309 | case $ac_init_help in | 1313 | case $ac_init_help in |
1310 | short | recursive ) echo "Configuration of firejail 0.9.39:";; | 1314 | short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";; |
1311 | esac | 1315 | esac |
1312 | cat <<\_ACEOF | 1316 | cat <<\_ACEOF |
1313 | 1317 | ||
@@ -1318,12 +1322,15 @@ Optional Features: | |||
1318 | --disable-seccomp disable seccomp | 1322 | --disable-seccomp disable seccomp |
1319 | --disable-chroot disable chroot | 1323 | --disable-chroot disable chroot |
1320 | --disable-bind disable bind | 1324 | --disable-bind disable bind |
1325 | --disable-globalcfg if the global config file firejail.cfg is not | ||
1326 | present, continue the program using defaults | ||
1321 | --disable-network disable network | 1327 | --disable-network disable network |
1322 | --enable-network=restricted | 1328 | --enable-network=restricted |
1323 | restrict --net= to root only | 1329 | restrict --net= to root only |
1324 | --disable-userns disable user namespace | 1330 | --disable-userns disable user namespace |
1325 | --disable-x11 disable X11 sandboxing support | 1331 | --disable-x11 disable X11 sandboxing support |
1326 | --disable-file-transfer disable file transfer | 1332 | --disable-file-transfer disable file transfer |
1333 | --disable-whitelist disable whitelist | ||
1327 | --enable-fatal-warnings -W -Wall -Werror | 1334 | --enable-fatal-warnings -W -Wall -Werror |
1328 | 1335 | ||
1329 | Some influential environment variables: | 1336 | Some influential environment variables: |
@@ -1403,7 +1410,7 @@ fi | |||
1403 | test -n "$ac_init_help" && exit $ac_status | 1410 | test -n "$ac_init_help" && exit $ac_status |
1404 | if $ac_init_version; then | 1411 | if $ac_init_version; then |
1405 | cat <<\_ACEOF | 1412 | cat <<\_ACEOF |
1406 | firejail configure 0.9.39 | 1413 | firejail configure 0.9.42~rc2 |
1407 | generated by GNU Autoconf 2.69 | 1414 | generated by GNU Autoconf 2.69 |
1408 | 1415 | ||
1409 | Copyright (C) 2012 Free Software Foundation, Inc. | 1416 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1705,7 +1712,7 @@ cat >config.log <<_ACEOF | |||
1705 | This file contains any messages produced by compilers while | 1712 | This file contains any messages produced by compilers while |
1706 | running configure, to aid debugging if configure makes a mistake. | 1713 | running configure, to aid debugging if configure makes a mistake. |
1707 | 1714 | ||
1708 | It was created by firejail $as_me 0.9.39, which was | 1715 | It was created by firejail $as_me 0.9.42~rc2, which was |
1709 | generated by GNU Autoconf 2.69. Invocation command line was | 1716 | generated by GNU Autoconf 2.69. Invocation command line was |
1710 | 1717 | ||
1711 | $ $0 $@ | 1718 | $ $0 $@ |
@@ -3101,6 +3108,19 @@ if test "x$enable_bind" != "xno"; then : | |||
3101 | 3108 | ||
3102 | fi | 3109 | fi |
3103 | 3110 | ||
3111 | HAVE_GLOBALCFG="" | ||
3112 | # Check whether --enable-globalcfg was given. | ||
3113 | if test "${enable_globalcfg+set}" = set; then : | ||
3114 | enableval=$enable_globalcfg; | ||
3115 | fi | ||
3116 | |||
3117 | if test "x$enable_globalcfg" != "xno"; then : | ||
3118 | |||
3119 | HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" | ||
3120 | |||
3121 | |||
3122 | fi | ||
3123 | |||
3104 | HAVE_NETWORK="" | 3124 | HAVE_NETWORK="" |
3105 | # Check whether --enable-network was given. | 3125 | # Check whether --enable-network was given. |
3106 | if test "${enable_network+set}" = set; then : | 3126 | if test "${enable_network+set}" = set; then : |
@@ -3163,6 +3183,19 @@ if test "x$enable_file_transfer" != "xno"; then : | |||
3163 | 3183 | ||
3164 | fi | 3184 | fi |
3165 | 3185 | ||
3186 | HAVE_WHITELIST="" | ||
3187 | # Check whether --enable-whitelist was given. | ||
3188 | if test "${enable_whitelist+set}" = set; then : | ||
3189 | enableval=$enable_whitelist; | ||
3190 | fi | ||
3191 | |||
3192 | if test "x$enable_whitelist" != "xno"; then : | ||
3193 | |||
3194 | HAVE_WHITELIST="-DHAVE_WHITELIST" | ||
3195 | |||
3196 | |||
3197 | fi | ||
3198 | |||
3166 | HAVE_FATAL_WARNINGS="" | 3199 | HAVE_FATAL_WARNINGS="" |
3167 | # Check whether --enable-fatal_warnings was given. | 3200 | # Check whether --enable-fatal_warnings was given. |
3168 | if test "${enable_fatal_warnings+set}" = set; then : | 3201 | if test "${enable_fatal_warnings+set}" = set; then : |
@@ -3640,7 +3673,10 @@ if test "$prefix" = /usr; then | |||
3640 | sysconfdir="/etc" | 3673 | sysconfdir="/etc" |
3641 | fi | 3674 | fi |
3642 | 3675 | ||
3643 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile" | 3676 | # extract UID_MIN and GID_MIN from login.def |
3677 | ./mkuid.sh | ||
3678 | |||
3679 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" | ||
3644 | 3680 | ||
3645 | cat >confcache <<\_ACEOF | 3681 | cat >confcache <<\_ACEOF |
3646 | # This file is a shell script that caches the results of configure | 3682 | # This file is a shell script that caches the results of configure |
@@ -4184,7 +4220,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4184 | # report actual input values of CONFIG_FILES etc. instead of their | 4220 | # report actual input values of CONFIG_FILES etc. instead of their |
4185 | # values after options handling. | 4221 | # values after options handling. |
4186 | ac_log=" | 4222 | ac_log=" |
4187 | This file was extended by firejail $as_me 0.9.39, which was | 4223 | This file was extended by firejail $as_me 0.9.42~rc2, which was |
4188 | generated by GNU Autoconf 2.69. Invocation command line was | 4224 | generated by GNU Autoconf 2.69. Invocation command line was |
4189 | 4225 | ||
4190 | CONFIG_FILES = $CONFIG_FILES | 4226 | CONFIG_FILES = $CONFIG_FILES |
@@ -4238,7 +4274,7 @@ _ACEOF | |||
4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4274 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4275 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4240 | ac_cs_version="\\ | 4276 | ac_cs_version="\\ |
4241 | firejail config.status 0.9.39 | 4277 | firejail config.status 0.9.42~rc2 |
4242 | configured by $0, generated by GNU Autoconf 2.69, | 4278 | configured by $0, generated by GNU Autoconf 2.69, |
4243 | with options \\"\$ac_cs_config\\" | 4279 | with options \\"\$ac_cs_config\\" |
4244 | 4280 | ||
@@ -4355,7 +4391,9 @@ do | |||
4355 | "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; | 4391 | "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; |
4356 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; | 4392 | "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; |
4357 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; | 4393 | "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; |
4394 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; | ||
4358 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 4395 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4396 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | ||
4359 | 4397 | ||
4360 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4398 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4361 | esac | 4399 | esac |
@@ -4817,13 +4855,18 @@ echo " prefix: $prefix" | |||
4817 | echo " sysconfdir: $sysconfdir" | 4855 | echo " sysconfdir: $sysconfdir" |
4818 | echo " seccomp: $HAVE_SECCOMP" | 4856 | echo " seccomp: $HAVE_SECCOMP" |
4819 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 4857 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
4858 | echo " global config: $HAVE_GLOBALCFG" | ||
4820 | echo " chroot: $HAVE_CHROOT" | 4859 | echo " chroot: $HAVE_CHROOT" |
4821 | echo " bind: $HAVE_BIND" | 4860 | echo " bind: $HAVE_BIND" |
4822 | echo " network: $HAVE_NETWORK" | 4861 | echo " network: $HAVE_NETWORK" |
4823 | echo " user namespace: $HAVE_USERNS" | 4862 | echo " user namespace: $HAVE_USERNS" |
4824 | echo " X11 sandboxing support: $HAVE_X11" | 4863 | echo " X11 sandboxing support: $HAVE_X11" |
4864 | echo " whitelisting: $HAVE_WHITELIST" | ||
4825 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4865 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4826 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4866 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
4867 | printf " uid_min: "; grep UID_MIN uids.h | ||
4868 | printf " gid_min: "; grep GID_MIN uids.h | ||
4827 | echo | 4869 | echo |
4828 | 4870 | ||
4829 | 4871 | ||
4872 | |||
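diff --git a/configure.ac b/configure.ac
index c59f5a28b..a84396ad4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.39, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
@@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [
 AC_SUBST(HAVE_BIND)
 ])
 
+HAVE_GLOBALCFG=""
+AC_ARG_ENABLE([globalcfg],
+AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
+AS_IF([test "x$enable_globalcfg" != "xno"], [
+HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+AC_SUBST(HAVE_GLOBALCFG)
+])
+
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
 AS_HELP_STRING([--disable-network], [disable network]))
@@ -70,6 +78,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
 AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+HAVE_WHITELIST="-DHAVE_WHITELIST"
+AC_SUBST(HAVE_WHITELIST)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
 AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -90,7 +106,10 @@ if test "$prefix" = /usr; then
 sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/ftee/Makefile)
+# extract UID_MIN and GID_MIN from login.def
+./mkuid.sh
+
+AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile)
 
 echo
 echo "Configuration options:"
@@ -98,13 +117,18 @@ echo " prefix: $prefix"
 echo " sysconfdir: $sysconfdir"
 echo " seccomp: $HAVE_SECCOMP"
 echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo " global config: $HAVE_GLOBALCFG"
 echo " chroot: $HAVE_CHROOT"
 echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
+echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
+printf " uid_min: "; grep UID_MIN uids.h
+printf " gid_min: "; grep GID_MIN uids.h
 echo
 
 
+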
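diff --git a/etc/0ad.profile b/etc/0ad.profile
new file mode 100644
index 000000000..11fb45463
--- /dev/null
+++ b/etc/0ad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelists
+mkdir ~/.cache
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+
+mkdir ~/.config
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+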
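Review bot: The `whitelist` directives at lines 13, 17 and 22 turn the home directory into a whitelist-only view (the surrounding `mkdir` lines show the author expects that), but unlike abrowser, cyberfox and dillo in this same commit the profile never ends with `include /etc/firejail/whitelist-common.inc`; aweather and brave have the same omission. If that include is what supplies the X11/session entries a GUI program needs, these three profiles would start with an almost empty home, so this is worth confirming before merge. If the omission is deliberate, a one-line comment such as `# no whitelist-common.inc: <reason>` would stop the next reader from "fixing" it.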
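diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile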
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 73fb0c9e0..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile | |||
@@ -1,15 +1,20 @@ | |||
1 | # Mathematica profile | 1 | # Mathematica profile |
2 | noblacklist ${HOME}/.Mathematica | ||
3 | noblacklist ${HOME}/.Wolfram Research | ||
4 | |||
2 | mkdir ~/.Mathematica | 5 | mkdir ~/.Mathematica |
3 | whitelist ~/.Mathematica | 6 | whitelist ~/.Mathematica |
4 | mkdir ~/.Wolfram Research | 7 | mkdir ~/.Wolfram Research |
5 | whitelist ~/.Wolfram Research | 8 | whitelist ~/.Wolfram Research |
6 | whitelist ~/Documents/Wolfram Mathematica | 9 | whitelist ~/Documents/Wolfram Mathematica |
7 | include /etc/firejail/whitelist-common.inc | 10 | include /etc/firejail/whitelist-common.inc |
8 | include /etc/firejail/disable-mgmt.inc | 11 | |
9 | include /etc/firejail/disable-secret.inc | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | ||
11 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-terminals.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | |||
13 | caps.drop all | 17 | caps.drop all |
14 | seccomp | 18 | nonewprivs |
15 | noroot | 19 | noroot |
20 | seccomp | ||
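Review bot: The rewritten tail of the profile (new lines 17–20) adds `nonewprivs` but still has no `protocol` line and no `netfilter`, so every socket family stays available inside the sandbox, whereas most application profiles touched by this commit pin at least `protocol unix,inet,inet6`. If Mathematica only needs IP connectivity for licensing and cloud features, `protocol unix,inet,inet6` plus `netfilter` would close that gap. Separately, `noblacklist ${HOME}/.Wolfram Research` (new line 3) contains a space; the existing `mkdir`/`whitelist` lines use the same form, so it presumably tokenizes as intended, but a short comment that the space is deliberate would help.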
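diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile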
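Review bot: The header `# Telegram IRC profile` misdescribes the target: Telegram is a messaging client rather than an IRC client, and the file only redirects to telegram.profile. Suggest `# Telegram messenger profile (alias for telegram.profile)` so the alias is not mistaken for a separate sandbox definition.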
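diff --git a/etc/abrowser.profile b/etc/abrowser.profile
new file mode 100644
index 000000000..65247e7d3
--- /dev/null
+++ b/etc/abrowser.profile
@@ -0,0 +1,52 @@
+# Firejail profile for Abrowser
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse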
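Review bot: Lines 36–40 whitelist `~/keepassx.kdbx` and the keepassx/lastpass directories, but this profile also includes disable-common.inc, whose new side in this commit adds `blacklist ${HOME}/*.kdbx` and `blacklist ${HOME}/*.kdb` under `# top secret`. Unless a whitelist takes precedence over a blacklist in firejail's mount order, the kdbx entry stays unreachable and line 38 is dead; the profile already uses `noblacklist ~/.mozilla` (line 3) for this situation, so either the same is needed here or the line should go with a comment recording that password databases are deliberately kept out of the browser sandbox (the latter is the safer reading of the new `# top secret` block). cyberfox.profile lines 35–39 carry the identical block. Minor: `#silverlight` lacks the space the other section comments use.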
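diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..3c753e86c
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,19 @@
+# Firjail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound
+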
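Review bot: The header comment reads `# Firjail profile for Atom Beta.` — `Firjail` should be `Firejail`; atom.profile line 1 has the same typo. Beyond the comment, `netfilter` (line 10) is present but no `protocol` line restricts socket families, whereas the other new profiles in this commit pair the two (0ad, brave, cmus, dillo); if the Electron runtime needs netlink the way brave.profile assumes, `protocol unix,inet,inet6,netlink` would match that convention, otherwise `protocol unix,inet,inet6`. Both points apply verbatim to atom.profile.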
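diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..8304cd379
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,18 @@
+# Firjail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound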
diff --git a/etc/atril.profile b/etc/atril.profile index d87781c7d..bfe731bec 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -1,7 +1,20 @@ | |||
1 | # Atril profile | 1 | # Atril profile |
2 | noblacklist ~/.config/atril | ||
3 | noblacklist ~/.local/share | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
2 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
3 | include /etc/firejail/generic.profile | 7 | include /etc/firejail/disable-passwdmgr.inc |
4 | blacklist ${HOME}/.wine | ||
5 | 8 | ||
9 | caps.drop all | ||
10 | nonewprivs | ||
11 | nogroups | ||
12 | noroot | ||
13 | nosound | ||
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | ||
6 | tracelog | 17 | tracelog |
7 | 18 | ||
19 | private-bin atril, atril-previewer, atril-thumbnailer | ||
20 | private-dev | ||
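Review bot: `private-bin atril, atril-previewer, atril-thumbnailer` (new line 19) separates the names with `, ` while the only other private-bin list in this commit, `private-bin deluge,sh,python,uname`, uses bare commas; unless firejail strips the leading space, ` atril-previewer` will not match any binary and the helper programs will be silently absent from the sandbox, so `private-bin atril,atril-previewer,atril-thumbnailer` is the safer spelling. Separately, `noblacklist ~/.local/share` (new line 3) is a much broader exemption than `noblacklist ~/.config/atril` above it; whether it also disables the `.local/share/kwalletd` and `.local/share/systemd` blacklists from disable-common.inc depends on how noblacklist matches, and naming the one subdirectory atril actually writes would sidestep the question — confirm which path that is.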
diff --git a/etc/audacious.profile b/etc/audacious.profile index b9ce11c0e..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -1,16 +1,11 @@ | |||
1 | # Audacious media player profile | 1 | # Audacious media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 9 | noroot |
16 | 10 | protocol unix,inet,inet6 | |
11 | seccomp | ||
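Review bot: The five explicit `blacklist ${HOME}/...` lines (old 7–11) are replaced by the disable-programs.inc/disable-passwdmgr.inc includes, and the same swap happens in clementine, deadbeef and deluge; this commit also deletes `blacklist ${HOME}/.wine` from disable-common.inc (old line 50) and leaves it commented out in default.profile, so nothing in the visible part of the diff blacklists `~/.wine` any more. If disable-programs.inc (changed in this commit but outside this view) now carries it, a comment there is enough; otherwise these media players regain access to Wine prefixes and the change should be documented or the line restored.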
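diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..162201cb8
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,19 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev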
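diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d617fb701
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev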
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index ca9e87818..87d2e843a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile | |||
@@ -1,11 +1,14 @@ | |||
1 | # BitlBee instant messaging profile | 1 | # BitlBee instant messaging profile |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
7 | protocol unix,inet,inet6 | 6 | |
7 | netfilter | ||
8 | nonewprivs | ||
8 | private | 9 | private |
9 | private-dev | 10 | private-dev |
11 | protocol unix,inet,inet6 | ||
10 | seccomp | 12 | seccomp |
11 | netfilter | 13 | nosound |
14 | read-write /var/lib/bitlbee | ||
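Review bot: The new side (lines 7–14) adds `netfilter`, `nonewprivs`, `nosound` and `read-write /var/lib/bitlbee` but, unlike every other profile in this commit, still has no `caps.drop all` and no `noroot`, so the daemon keeps its full capability set inside its `private` home. If bitlbee only needs to bind an unprivileged listener and write under /var/lib/bitlbee, `caps.drop all` should be safe to add after `nonewprivs`; if it genuinely needs one capability, a `caps.keep` line with a comment naming why is preferable to dropping nothing.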
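diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..4c42e9faa
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,19 @@
+# Profile for Brave browser
+
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config
+mkdir ~/.config/brave
+whitelist ~/.config/brave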
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index d1e1c71d9..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -1,8 +1,10 @@ | |||
1 | # cherrytree note taking application | 1 | # cherrytree note taking application |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist /usr/bin/python2* |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist /usr/lib/python3* |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | 8 | ||
7 | whitelist ${HOME}/cherrytree | 9 | whitelist ${HOME}/cherrytree |
8 | mkdir ~/.config | 10 | mkdir ~/.config |
@@ -11,11 +13,23 @@ whitelist ${HOME}/.config/cherrytree/ | |||
11 | mkdir ~/.local | 13 | mkdir ~/.local |
12 | mkdir ~/.local/share | 14 | mkdir ~/.local/share |
13 | whitelist ${HOME}/.local/share/ | 15 | whitelist ${HOME}/.local/share/ |
16 | |||
14 | caps.drop all | 17 | caps.drop all |
18 | netfilter | ||
19 | nonewprivs | ||
20 | noroot | ||
21 | nosound | ||
15 | seccomp | 22 | seccomp |
16 | protocol unix,inet,inet6,netlink | 23 | protocol unix,inet,inet6,netlink |
17 | netfilter | ||
18 | tracelog | 24 | tracelog |
19 | noroot | 25 | |
20 | include /etc/firejail/whitelist-common.inc | 26 | include /etc/firejail/whitelist-common.inc |
21 | nosound | 27 | |
28 | # no private-bin support for various reasons: | ||
29 | #10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree | ||
30 | #10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" | ||
31 | #10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree | ||
32 | #10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null | ||
33 | #10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc | ||
34 | # it requires acces to browser to show the online help | ||
35 | # it doesn't play nicely with expect | ||
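Review bot: The two new exemptions are asymmetric: `noblacklist /usr/bin/python2*` (line 2) frees the python2 interpreter binary while `noblacklist /usr/lib/python3*` (line 3) frees the python3 library tree, and the trace quoted in the comment block (line 31) shows cherrytree being started as `/usr/bin/python`; presumably one of the two lines meant the other prefix (`/usr/lib/python2*` or `/usr/bin/python3*`), so it is worth checking which paths disable-devel.inc actually hides on the target distribution and making the pair consistent. Minor: `# it requires acces to browser` (line 34) should read `access`.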
diff --git a/etc/chromium.profile b/etc/chromium.profile index b58931b8d..7cf2853ca 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Chromium browser profile | 1 | # Chromium browser profile |
2 | noblacklist ~/.config/chromium | 2 | noblacklist ~/.config/chromium |
3 | noblacklist ~/.cache/chromium | 3 | noblacklist ~/.cache/chromium |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
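Review bot: `noblacklist ~/keepassx.kdbx` (old line 4) is dropped while the same commit adds `blacklist ${HOME}/*.kdbx` to disable-common.inc, which chromium.profile still includes; the net effect is that a KeePass database in $HOME becomes invisible to the browser. That is reasonable hardening, but because it changes behaviour for anyone using a browser/KeePass integration it deserves a line in the profile, e.g. `# ~/*.kdbx is blacklisted by disable-common.inc; password databases stay outside the browser sandbox`.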
diff --git a/etc/clementine.profile b/etc/clementine.profile index 21b5a58ab..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
@@ -1,16 +1,11 @@ | |||
1 | # Clementine media player profile | 1 | # Clementine media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-terminals.inc | 3 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 6 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 7 | caps.drop all |
14 | seccomp | 8 | nonewprivs |
15 | protocol unix,inet,inet6 | ||
16 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
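diff --git a/etc/cmus.profile b/etc/cmus.profile
new file mode 100644
index 000000000..2e2a6940c
--- /dev/null
+++ b/etc/cmus.profile
@@ -0,0 +1,18 @@
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-bin cmus
+private-etc group
+shell none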
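Review bot: `private-etc group` (line 17) leaves only /etc/group in the sandbox, yet `netfilter` and `protocol unix,inet,inet6` (lines 10, 13) indicate network playback is expected; without `resolv.conf`, `nsswitch.conf` and `hosts`, host-name resolution inside the sandbox will presumably fail. Either extend the list (`private-etc group,resolv.conf,nsswitch.conf,hosts`) or, if streaming is not wanted, replace the two network lines with `net none`; a short comment explaining why only `group` is needed would help the next editor either way.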
diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 2d6323d3b..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile | |||
@@ -1,14 +1,15 @@ | |||
1 | # Firejail profile for Conkeror web browser profile | 1 | # Firejail profile for Conkeror web browser profile |
2 | noblacklist ${HOME}/.conkeror.mozdev.org | 2 | noblacklist ${HOME}/.conkeror.mozdev.org |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-terminals.inc | 4 | include /etc/firejail/disable-programs.inc |
5 | |||
7 | caps.drop all | 6 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
11 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
12 | whitelist ~/.conkeror.mozdev.org | 13 | whitelist ~/.conkeror.mozdev.org |
13 | whitelist ~/Downloads | 14 | whitelist ~/Downloads |
14 | whitelist ~/dwhelper | 15 | whitelist ~/dwhelper |
@@ -20,6 +21,4 @@ whitelist ~/.vimperator | |||
20 | whitelist ~/.pentadactylrc | 21 | whitelist ~/.pentadactylrc |
21 | whitelist ~/.pentadactyl | 22 | whitelist ~/.pentadactyl |
22 | whitelist ~/.conkerorrc | 23 | whitelist ~/.conkerorrc |
23 | |||
24 | # common | ||
25 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
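Review bot: The retained `whitelist ~/Downloads` (new line 14) hard-codes the directory name, while the new browser profiles in this commit (abrowser line 17, brave line 15, dillo line 17) use `whitelist ${DOWNLOADS}`, which follows the user's configured download directory; switching conkeror to `whitelist ${DOWNLOADS}` keeps localized or relocated download folders reachable and makes the profiles consistent.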
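diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..077ae30d0
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp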
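Review bot: The hardening block at lines 8–12 omits `nonewprivs`, which every other profile added or rewritten in this commit (0ad, abrowser, atom, audacity, brave, cmus, default, dillo) includes alongside `caps.drop all` and `seccomp`; without it a setuid binary reachable inside the sandbox can still elevate. Adding `nonewprivs` between `netfilter` and `noroot` would match the rest of the set. The profile also declares no `noblacklist` for corebird's own config directory, so it is worth confirming it starts with disable-programs.inc applied.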
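diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..b4d232496
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,22 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+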
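Review bot: `net none` appears twice (lines 15 and 18); the duplicate is harmless but reads like a merge leftover, as do the three trailing blank lines (20–22). While here, the profile has `caps.drop all` and `seccomp` but neither `nonewprivs` nor `noroot`; if cpio is expected to run as root for archive extraction, the comment at lines 2–3 should say so, otherwise `nonewprivs` would match the other new profiles in this commit.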
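diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..afa77d1d4
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse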
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index ec9fcd0f0..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -1,16 +1,13 @@ | |||
1 | # DeaDBeeF media player profile | 1 | # DeaDBeeF media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/deadbeef |
3 | include /etc/firejail/disable-secret.inc | 3 | |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 8 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 9 | caps.drop all |
13 | seccomp | 10 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 11 | noroot |
16 | 12 | protocol unix,inet,inet6 | |
13 | seccomp | ||
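diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..a2de72695
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp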
diff --git a/etc/deluge.profile b/etc/deluge.profile index bcd754952..8fde9acf9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -1,19 +1,21 @@ | |||
1 | # deluge bittorernt client profile | 1 | # deluge bittorrernt client profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-devel.inc | 3 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-terminals.inc | 4 | # deluge is using python on Debian |
7 | blacklist ${HOME}/.pki/nssdb | 5 | #include /etc/firejail/disable-devel.inc |
8 | blacklist ${HOME}/.lastpass | 6 | include /etc/firejail/disable-passwdmgr.inc |
9 | blacklist ${HOME}/.keepassx | 7 | |
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 8 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
16 | noroot | 11 | noroot |
17 | nosound | 12 | nosound |
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
18 | 15 | ||
16 | shell none | ||
17 | private-bin deluge,sh,python,uname | ||
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | ||
20 | nosound | ||
19 | 21 | ||
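Review bot: The new side carries `nosound` twice (lines 12 and 20), and the header still misspells the client: `# deluge bittorrernt client profile` should be `# deluge bittorrent client profile` — the commit touched the word without correcting it. `private-bin deluge,sh,python,uname` (line 17) beside `shell none` (line 16) is consistent with the `# deluge is using python on Debian` remark at line 4, but a comment such as `# sh and python stay in private-bin because deluge is a python script started through sh` would explain why a shell remains available while the login shell is disabled.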
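diff --git a/etc/dillo.profile b/etc/dillo.profile
new file mode 100644
index 000000000..2ddd363cb
--- /dev/null
+++ b/etc/dillo.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Dillo web browser
+
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+
+include /etc/firejail/whitelist-common.inc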
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 88ce42976..d18ee0287 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,53 +1,10 @@ | |||
1 | # various programs | ||
2 | blacklist ${HOME}/.config/vlc | ||
3 | |||
4 | # History files in $HOME | 1 | # History files in $HOME |
5 | blacklist-nolog ${HOME}/.history | 2 | blacklist-nolog ${HOME}/.history |
6 | blacklist-nolog ${HOME}/.*_history | 3 | blacklist-nolog ${HOME}/.*_history |
7 | 4 | blacklist ${HOME}/.local/share/systemd | |
8 | # HTTP / FTP / Mail | ||
9 | blacklist-nolog ${HOME}/.adobe | 5 | blacklist-nolog ${HOME}/.adobe |
10 | blacklist-nolog ${HOME}/.macromedia | 6 | blacklist-nolog ${HOME}/.macromedia |
11 | blacklist ${HOME}/.icedove | 7 | read-only ${HOME}/.local/share/applications |
12 | blacklist ${HOME}/.thunderbird | ||
13 | blacklist ${HOME}/.sylpheed-2.0 | ||
14 | blacklist ${HOME}/.config/midori | ||
15 | |||
16 | blacklist ${HOME}/.mozilla | ||
17 | blacklist ${HOME}/.config/chromium | ||
18 | blacklist ${HOME}/.config/google-chrome | ||
19 | blacklist ${HOME}/.config/google-chrome-beta | ||
20 | blacklist ${HOME}/.config/google-chrome-unstable | ||
21 | blacklist ${HOME}/.config/opera | ||
22 | blacklist ${HOME}/.config/opera-beta | ||
23 | blacklist ~/.config/vivaldi | ||
24 | |||
25 | blacklist ${HOME}/.filezilla | ||
26 | blacklist ${HOME}/.config/filezilla | ||
27 | blacklist ${HOME}/.local/share/systemd | ||
28 | |||
29 | # Instant Messaging | ||
30 | blacklist ${HOME}/.config/hexchat | ||
31 | blacklist ${HOME}/.mcabber | ||
32 | blacklist ${HOME}/.purple | ||
33 | blacklist ${HOME}/.config/psi+ | ||
34 | blacklist ${HOME}/.retroshare | ||
35 | blacklist ${HOME}/.weechat | ||
36 | blacklist ${HOME}/.config/xchat | ||
37 | blacklist ${HOME}/.Skype | ||
38 | |||
39 | # Cryptocoins | ||
40 | blacklist ${HOME}/.*coin | ||
41 | blacklist ${HOME}/.electrum* | ||
42 | blacklist ${HOME}/wallet.dat | ||
43 | |||
44 | # VNC | ||
45 | blacklist ${HOME}/.remmina | ||
46 | |||
47 | # Other | ||
48 | blacklist ${HOME}/.tconn | ||
49 | blacklist ${HOME}/.FBReader | ||
50 | blacklist ${HOME}/.wine | ||
51 | 8 | ||
52 | # X11 session autostart | 9 | # X11 session autostart |
53 | blacklist ${HOME}/.xinitrc | 10 | blacklist ${HOME}/.xinitrc |
@@ -63,16 +20,21 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart | |||
63 | blacklist ${HOME}/.fluxbox/startup | 20 | blacklist ${HOME}/.fluxbox/startup |
64 | blacklist ${HOME}/.config/openbox/autostart | 21 | blacklist ${HOME}/.config/openbox/autostart |
65 | blacklist ${HOME}/.config/openbox/environment | 22 | blacklist ${HOME}/.config/openbox/environment |
23 | blacklist ${HOME}/.gnomerc | ||
24 | blacklist /etc/X11/Xsession.d/ | ||
66 | 25 | ||
67 | # VirtualBox | 26 | # VirtualBox |
68 | blacklist ${HOME}/.VirtualBox | 27 | blacklist ${HOME}/.VirtualBox |
69 | blacklist ${HOME}/VirtualBox VMs | 28 | blacklist ${HOME}/VirtualBox VMs |
70 | blacklist ${HOME}/.config/VirtualBox | 29 | blacklist ${HOME}/.config/VirtualBox |
71 | 30 | ||
72 | # git, subversion | 31 | # VeraCrypt |
73 | blacklist ${HOME}/.subversion | 32 | blacklist ${PATH}/veracrypt |
74 | blacklist ${HOME}/.gitconfig | 33 | blacklist ${PATH}/veracrypt-uninstall.sh |
75 | blacklist ${HOME}/.git-credential-cache | 34 | blacklist /usr/share/veracrypt |
35 | blacklist /usr/share/applications/veracrypt.* | ||
36 | blacklist /usr/share/pixmaps/veracrypt.* | ||
37 | blacklist ${HOME}/.VeraCrypt | ||
76 | 38 | ||
77 | # var | 39 | # var |
78 | blacklist /var/spool/cron | 40 | blacklist /var/spool/cron |
@@ -98,11 +60,15 @@ read-only ${HOME}/.xserverrc | |||
98 | read-only ${HOME}/.profile | 60 | read-only ${HOME}/.profile |
99 | 61 | ||
100 | # Shell startup files | 62 | # Shell startup files |
63 | read-only ${HOME}/.antigen | ||
101 | read-only ${HOME}/.bash_login | 64 | read-only ${HOME}/.bash_login |
102 | read-only ${HOME}/.bashrc | 65 | read-only ${HOME}/.bashrc |
103 | read-only ${HOME}/.bash_profile | 66 | read-only ${HOME}/.bash_profile |
104 | read-only ${HOME}/.bash_logout | 67 | read-only ${HOME}/.bash_logout |
68 | read-only ${HOME}/.zsh.d | ||
69 | read-only ${HOME}/.zshenv | ||
105 | read-only ${HOME}/.zshrc | 70 | read-only ${HOME}/.zshrc |
71 | read-only ${HOME}/.zshrc.local | ||
106 | read-only ${HOME}/.zlogin | 72 | read-only ${HOME}/.zlogin |
107 | read-only ${HOME}/.zprofile | 73 | read-only ${HOME}/.zprofile |
108 | read-only ${HOME}/.zlogout | 74 | read-only ${HOME}/.zlogout |
@@ -110,8 +76,12 @@ read-only ${HOME}/.zsh_files | |||
110 | read-only ${HOME}/.tcshrc | 76 | read-only ${HOME}/.tcshrc |
111 | read-only ${HOME}/.cshrc | 77 | read-only ${HOME}/.cshrc |
112 | read-only ${HOME}/.csh_files | 78 | read-only ${HOME}/.csh_files |
79 | read-only ${HOME}/.profile | ||
113 | 80 | ||
114 | # Initialization files that allow arbitrary command execution | 81 | # Initialization files that allow arbitrary command execution |
82 | read-only ${HOME}/.caffrc | ||
83 | read-only ${HOME}/.dotfiles | ||
84 | read-only ${HOME}/dotfiles | ||
115 | read-only ${HOME}/.mailcap | 85 | read-only ${HOME}/.mailcap |
116 | read-only ${HOME}/.exrc | 86 | read-only ${HOME}/.exrc |
117 | read-only ${HOME}/_exrc | 87 | read-only ${HOME}/_exrc |
@@ -121,22 +91,80 @@ read-only ${HOME}/.gvimrc | |||
121 | read-only ${HOME}/_gvimrc | 91 | read-only ${HOME}/_gvimrc |
122 | read-only ${HOME}/.vim | 92 | read-only ${HOME}/.vim |
123 | read-only ${HOME}/.emacs | 93 | read-only ${HOME}/.emacs |
94 | read-only ${HOME}/.emacs.d | ||
95 | read-only ${HOME}/.nano | ||
124 | read-only ${HOME}/.tmux.conf | 96 | read-only ${HOME}/.tmux.conf |
125 | read-only ${HOME}/.iscreenrc | 97 | read-only ${HOME}/.iscreenrc |
126 | read-only ${HOME}/.muttrc | 98 | read-only ${HOME}/.muttrc |
127 | read-only ${HOME}/.mutt/muttrc | 99 | read-only ${HOME}/.mutt/muttrc |
100 | read-only ${HOME}/.msmtprc | ||
101 | read-only ${HOME}/.reportbugrc | ||
128 | read-only ${HOME}/.xmonad | 102 | read-only ${HOME}/.xmonad |
129 | read-only ${HOME}/.xscreensaver | 103 | read-only ${HOME}/.xscreensaver |
130 | 104 | ||
131 | # The user ~/bin directory can override commands such as ls | 105 | # The user ~/bin directory can override commands such as ls |
132 | read-only ${HOME}/bin | 106 | read-only ${HOME}/bin |
133 | 107 | ||
134 | # cache | 108 | # top secret |
135 | blacklist ~/.cache/mozilla | 109 | blacklist ${HOME}/.ssh |
136 | blacklist ~/.cache/chromium | 110 | blacklist ${HOME}/.cert |
137 | blacklist ~/.cache/google-chrome | 111 | blacklist ${HOME}/.gnome2/keyrings |
138 | blacklist ~/.cache/google-chrome-beta | 112 | blacklist ${HOME}/.kde4/share/apps/kwallet |
139 | blacklist ~/.cache/google-chrome-unstable | 113 | blacklist ${HOME}/.kde/share/apps/kwallet |
140 | blacklist ~/.cache/opera | 114 | blacklist ${HOME}/.local/share/kwalletd |
141 | blacklist ~/.cache/opera-beta | 115 | blacklist ${HOME}/.config/keybase |
142 | blacklist ~/.cache/vivaldi | 116 | blacklist ${HOME}/.netrc |
117 | blacklist ${HOME}/.gnupg | ||
118 | blacklist ${HOME}/.caff | ||
119 | blacklist ${HOME}/.smbcredentials | ||
120 | blacklist ${HOME}/*.kdbx | ||
121 | blacklist ${HOME}/*.kdb | ||
122 | blacklist ${HOME}/*.key | ||
123 | blacklist /etc/shadow | ||
124 | blacklist /etc/gshadow | ||
125 | blacklist /etc/passwd- | ||
126 | blacklist /etc/group- | ||
127 | blacklist /etc/shadow- | ||
128 | blacklist /etc/gshadow- | ||
129 | blacklist /etc/passwd+ | ||
130 | blacklist /etc/group+ | ||
131 | blacklist /etc/shadow+ | ||
132 | blacklist /etc/gshadow+ | ||
133 | blacklist /etc/ssh | ||
134 | blacklist /var/backup | ||
135 | |||
136 | # system management | ||
137 | blacklist ${PATH}/umount | ||
138 | blacklist ${PATH}/mount | ||
139 | blacklist ${PATH}/fusermount | ||
140 | blacklist ${PATH}/su | ||
141 | blacklist ${PATH}/sudo | ||
142 | blacklist ${PATH}/xinput | ||
143 | blacklist ${PATH}/evtest | ||
144 | blacklist ${PATH}/xev | ||
145 | blacklist ${PATH}/strace | ||
146 | blacklist ${PATH}/nc | ||
147 | blacklist ${PATH}/ncat | ||
148 | |||
149 | # system directories | ||
150 | blacklist /sbin | ||
151 | blacklist /usr/sbin | ||
152 | blacklist /usr/local/sbin | ||
153 | |||
154 | # prevent lxterminal connecting to an existing lxterminal session | ||
155 | blacklist /tmp/.lxterminal-socket* | ||
156 | |||
157 | # disable terminals running as server | ||
158 | blacklist ${PATH}/gnome-terminal | ||
159 | blacklist ${PATH}/gnome-terminal.wrapper | ||
160 | blacklist ${PATH}/xfce4-terminal | ||
161 | blacklist ${PATH}/xfce4-terminal.wrapper | ||
162 | blacklist ${PATH}/mate-terminal | ||
163 | blacklist ${PATH}/mate-terminal.wrapper | ||
164 | blacklist ${PATH}/lilyterm | ||
165 | blacklist ${PATH}/pantheon-terminal | ||
166 | blacklist ${PATH}/roxterm | ||
167 | blacklist ${PATH}/roxterm-config | ||
168 | blacklist ${PATH}/terminix | ||
169 | blacklist ${PATH}/urxvtc | ||
170 | blacklist ${PATH}/urxvtcd | ||
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 65b31ba9b..963cf6da0 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -2,13 +2,20 @@ | |||
2 | 2 | ||
3 | # GCC | 3 | # GCC |
4 | blacklist /usr/include | 4 | blacklist /usr/include |
5 | blacklist /usr/lib/gcc | ||
5 | blacklist /usr/bin/gcc* | 6 | blacklist /usr/bin/gcc* |
6 | blacklist /usr/bin/cpp* | 7 | blacklist /usr/bin/cpp* |
7 | blacklist /usr/bin/c9* | 8 | blacklist /usr/bin/c9* |
8 | blacklist /usr/bin/c8* | 9 | blacklist /usr/bin/c8* |
9 | blacklist /usr/bin/c++* | 10 | blacklist /usr/bin/c++* |
11 | blacklist /usr/bin/as | ||
10 | blacklist /usr/bin/ld | 12 | blacklist /usr/bin/ld |
11 | blacklist /usr/bin/gdb | 13 | blacklist /usr/bin/gdb |
14 | blacklist /usr/bin/g++* | ||
15 | blacklist /usr/bin/x86_64-linux-gnu-g++* | ||
16 | blacklist /usr/bin/x86_64-linux-gnu-gcc* | ||
17 | blacklist /usr/bin/x86_64-unknown-linux-gnu-g++* | ||
18 | blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* | ||
12 | 19 | ||
13 | # clang/llvm | 20 | # clang/llvm |
14 | blacklist /usr/bin/clang* | 21 | blacklist /usr/bin/clang* |
@@ -16,6 +23,11 @@ blacklist /usr/bin/llvm* | |||
16 | blacklist /usb/bin/lldb* | 23 | blacklist /usb/bin/lldb* |
17 | blacklist /usr/lib/llvm* | 24 | blacklist /usr/lib/llvm* |
18 | 25 | ||
26 | # tcc - Tiny C Compiler | ||
27 | blacklist /usr/bin/tcc | ||
28 | blacklist /usr/bin/x86_64-tcc | ||
29 | blacklist /usr/lib/tcc | ||
30 | |||
19 | # Valgrind | 31 | # Valgrind |
20 | blacklist /usr/bin/valgrind* | 32 | blacklist /usr/bin/valgrind* |
21 | blacklist /usr/lib/valgrind | 33 | blacklist /usr/lib/valgrind |
@@ -34,3 +46,18 @@ blacklist /usr/lib/php* | |||
34 | # Ruby | 46 | # Ruby |
35 | blacklist /usr/bin/ruby | 47 | blacklist /usr/bin/ruby |
36 | blacklist /usr/lib/ruby | 48 | blacklist /usr/lib/ruby |
49 | |||
50 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice | ||
51 | # Python 2 | ||
52 | #blacklist /usr/bin/python2* | ||
53 | #blacklist /usr/lib/python2* | ||
54 | #blacklist /usr/local/lib/python2* | ||
55 | #blacklist /usr/include/python2* | ||
56 | #blacklist /usr/share/python2* | ||
57 | # | ||
58 | # Python 3 | ||
59 | #blacklist /usr/bin/python3* | ||
60 | #blacklist /usr/lib/python3* | ||
61 | #blacklist /usr/local/lib/python3* | ||
62 | #blacklist /usr/share/python3* | ||
63 | #blacklist /usr/include/python3* | ||
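Review bot: The context line `blacklist /usb/bin/lldb*` (new line 23, right under the `@@ -16,6 +23,11 @@` header) still carries the `/usb/` typo, so the rule presumably never matches and lldb stays reachable in every sandbox that includes this file; since the commit is extending the debugger/compiler list anyway, correct it to `blacklist /usr/bin/lldb*`. The new cross-compiler entries on lines 15–18 are hard-wired to `x86_64-*` triples, so prefixed gcc/g++ wrappers on other architectures are not covered — a `# TODO: other target triples` comment, or a leaf glob such as `/usr/bin/*-linux-gnu-gcc*` if the profile glob supports it, would make the gap explicit. `blacklist /usr/bin/as` on line 11 has no prefixed variant either.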
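diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
deleted file mode 100644
index 0a11d6728..000000000
--- a/etc/disable-mgmt.inc
+++ /dev/null
@@ -1,17 +0,0 @@
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
-
-# system management
-blacklist ${PATH}/umount
-blacklist ${PATH}/mount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/xinput
-blacklist ${PATH}/evtest
-blacklist ${PATH}/xev
-blacklist ${PATH}/strace
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat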
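diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
new file mode 100644
index 000000000..6db9073ab
--- /dev/null
+++ b/etc/disable-passwdmgr.inc
@@ -0,0 +1,7 @@
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+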
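Review bot: `${HOME}/.config/lastpass` is missing from the new list even though the commit itself treats it as a password-manager directory (flashpeak-slimjet.profile line 39 whitelists `~/.config/lastpass`, and the firefox.profile hunk header shows the same whitelist), so a profile that includes this file still exposes it; add `blacklist ${HOME}/.config/lastpass`. The file has no header comment, unlike the other `.inc` files in this commit — `# password managers and key stores` on line 1 would state its purpose. Line 5, `blacklist ${HOME}/keepassx.kdbx`, is already covered by the `${HOME}/*.kdbx` rule disable-common.inc now carries, so it is redundant whenever both files are included; harmless, but worth a note so nobody treats the two as independent.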
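diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
new file mode 100644
index 000000000..0f155351d
--- /dev/null
+++ b/etc/disable-programs.inc
@@ -0,0 +1,129 @@
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix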
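Review bot: Line 8, `blacklist ${HOME}/.Wolfram Research`, is the only path in the file with an embedded space, and nothing here shows whether the profile parser takes the rest of the line or splits on whitespace; confirm that, because on a splitting parser the rule silently degrades to `${HOME}/.Wolfram`, and add a short comment on the line either way. The file also has no header stating its contract: this is a deny list, so anything not enumerated stays visible, and a profile must place its `noblacklist` lines before this include (eom.profile does so with `~/.config/mate/eom`). A two-line comment at the top, e.g. `# per-program config/cache directories hidden by default` / `# profiles must noblacklist their own directories before including this file`, would keep a future reorder from silently re-hiding a program's own data.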
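diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
deleted file mode 100644
index 7d29cda31..000000000
--- a/etc/disable-secret.inc
+++ /dev/null
@@ -1,23 +0,0 @@
-# HOME directory
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.key
-blacklist /etc/shadow
-blacklist /etc/gshadow
-blacklist /etc/passwd-
-blacklist /etc/group-
-blacklist /etc/shadow-
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/group+
-blacklist /etc/shadow+
-blacklist /etc/gshadow+
-blacklist /etc/ssh
-blacklist /var/backup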
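diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc
deleted file mode 100644
index 9631e7f62..000000000
--- a/etc/disable-terminals.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-# disable terminals running as server
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper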
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 0bc7ac78e..90c244e03 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # security profile for dnscrypt-proxy | 1 | # security profile for dnscrypt-proxy |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 12 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 13 | ||
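Review bot: `nonewprivs` is missing here while the commit adds it to nearly every other profile it touches (dnsmasq line 11, dropbox line 8, empathy line 8), and the profile has no `protocol` line at all; `nonewprivs` and `protocol unix,inet,inet6` after `private-dev` would bring it in line with dnsmasq.profile, which starts from the same `noblacklist /sbin` / `/usr/sbin` preamble. The `seccomp.drop` list on line 12 names `perf_event_open` twice (near the start and again at the end); harmless, but the duplicate can go. There is also no `caps` or `caps.drop` directive; if dnscrypt-proxy needs a capability to bind its listening port, `caps` as on dnsmasq.profile line 9 would at least apply the default filter, and if it does not, `caps.drop all` is the right choice.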
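diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
new file mode 100644
index 000000000..1c01d44e4
--- /dev/null
+++ b/etc/dnsmasq.profile
@@ -0,0 +1,16 @@
+# dnsmasq profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps
+netfilter
+nonewprivs
+private
+private-dev
+nosound
+protocol unix,inet,inet6,netlink
+seccomp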
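Review bot: Line 9 uses `caps` rather than the `caps.drop all` the other new profiles in this commit use (eom line 9, evince line 7), and nothing says why; a comment such as `# keep the default capability set: dnsmasq presumably binds port 53 and switches uid itself` would record the reasoning and keep someone from "hardening" it into a daemon that no longer starts. `noroot` is absent for what is presumably the same reason and belongs in the same comment. The include order on lines 4–7 puts disable-passwdmgr.inc before disable-devel.inc, the reverse of eom.profile and evince.profile; harmless, but a consistent order makes the profiles easier to diff against each other.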
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 9d2c612de..71e019f8c 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -1,15 +1,22 @@ | |||
1 | # dropbox profile | 1 | # dropbox profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ~/.config/autostart |
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-terminals.inc | 4 | include /etc/firejail/disable-programs.inc |
6 | blacklist ${HOME}/.pki/nssdb | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.lastpass | 6 | |
8 | blacklist ${HOME}/.keepassx | ||
9 | blacklist ${HOME}/.password-store | ||
10 | blacklist ${HOME}/.wine | ||
11 | caps | 7 | caps |
12 | seccomp | 8 | nonewprivs |
13 | protocol unix,inet,inet6 | ||
14 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
13 | mkdir ~/Dropbox | ||
14 | whitelist ~/Dropbox | ||
15 | mkdir ~/.dropbox | ||
16 | whitelist ~/.dropbox | ||
17 | mkdir ~/.dropbox-dist | ||
18 | whitelist ~/.dropbox-dist | ||
15 | 19 | ||
20 | mkdir ~/.config/autostart | ||
21 | mkfile ~/.config/autostart/dropbox.desktop | ||
22 | whitelist ~/.config/autostart/dropbox.desktop | ||
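Review bot: Lines 20–22 create `~/.config/autostart/dropbox.desktop` and whitelist it writable, so the sandboxed process can rewrite the desktop entry that the session launches unsandboxed at the next login — the one file in this profile that reaches outside the jail. Dropbox presumably writes this file itself when "start on login" is toggled, so marking it `read-only` would break that; at minimum add a comment above line 20, e.g. `# writable so dropbox can manage its own login entry; note this file is run outside the sandbox at login`, so the trade-off is recorded. Line 7 keeps `caps` rather than `caps.drop all`; with `nonewprivs` now on line 8 that matters less, but a comment naming the capability dropbox actually needs would let it be tightened later.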
diff --git a/etc/empathy.profile b/etc/empathy.profile index adaf03e23..371100814 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
@@ -1,12 +1,10 @@ | |||
1 | # Empathy instant messaging profile | 1 | # Empathy instant messaging profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | blacklist ${HOME}/.wine | ||
8 | caps.drop all | 6 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 7 | netfilter |
12 | 8 | nonewprivs | |
9 | protocol unix,inet,inet6 | ||
10 | seccomp | ||
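Review bot: The new include list (lines 2–4) drops disable-secret.inc, which this commit folds into disable-common.inc, but unlike evince, fbreader and eom it does not add disable-passwdmgr.inc, so `~/.pki/nssdb`, `~/.lastpass` and `~/.password-store` stay visible to the IM client; add `include /etc/firejail/disable-passwdmgr.inc` after line 4 unless empathy needs the NSS database, in which case a comment saying so is the fix. `noroot` is also absent while the sibling profiles updated here (dropbox, evince, fbreader, filezilla) all carry it; if empathy runs without root inside the jail, `noroot` belongs between `nonewprivs` and `protocol`.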
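diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..81d993e96
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev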
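Review bot: Unlike evince, fbreader and filezilla in this commit, which pair `private-bin` with `whitelist /tmp/.X11-unix` (evince line 17), eom gets `private-bin eom` and `private-dev` on lines 19–20 but no /tmp restriction, so the viewer presumably keeps the whole shared /tmp in view; adding `whitelist /tmp/.X11-unix` next to `private-dev` would match the siblings, assuming that line is what limits /tmp to the X socket in those profiles. The profile has `protocol unix` and no `netfilter`, which reads as "no network" — a one-line comment stating that intent, `# image viewer: unix sockets only, no network access`, would make it deliberate rather than accidental.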
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index c7031da71..57191429a 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
@@ -1,9 +1,12 @@ | |||
1 | # Epiphany browser profile | 1 | # Epiphany browser profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/epiphany |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/epiphany |
4 | noblacklist ${HOME}/.local/share/epiphany | ||
5 | |||
4 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 9 | |
7 | whitelist ${DOWNLOADS} | 10 | whitelist ${DOWNLOADS} |
8 | mkdir ${HOME}/.local | 11 | mkdir ${HOME}/.local |
9 | mkdir ${HOME}/.local/share | 12 | mkdir ${HOME}/.local/share |
@@ -16,8 +19,9 @@ mkdir ${HOME}/.cache | |||
16 | mkdir ${HOME}/.cache/epiphany | 19 | mkdir ${HOME}/.cache/epiphany |
17 | whitelist ${HOME}/.cache/epiphany | 20 | whitelist ${HOME}/.cache/epiphany |
18 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
22 | |||
19 | caps.drop all | 23 | caps.drop all |
20 | seccomp | ||
21 | protocol unix,inet,inet6 | ||
22 | netfilter | 24 | netfilter |
23 | 25 | nonewprivs | |
26 | protocol unix,inet,inet6 | ||
27 | seccomp | ||
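Review bot: The new option block (lines 23–27) adds `nonewprivs` but not `noroot`, while firefox.profile in the same commit carries both (its lines 11–12) plus `tracelog`; since epiphany is a whitelisted browser profile like firefox, `noroot` after `nonewprivs` looks like the intended shape unless something epiphany-specific prevents it. The three `noblacklist` lines at 2–4 are correctly placed before the includes, but a short comment such as `# must precede the disable-*.inc includes` would keep a future reorder from silently re-blacklisting the profile directories. The second hunk otherwise only reorders options.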
diff --git a/etc/evince.profile b/etc/evince.profile index 81878462b..530ce959a 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # evince pdf reader profile | 1 | # evince pdf reader profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | 9 | nogroups |
15 | noroot | 10 | noroot |
16 | nosound | 11 | nosound |
12 | protocol unix | ||
13 | seccomp | ||
17 | 14 | ||
15 | shell none | ||
16 | private-bin evince,evince-previewer,evince-thumbnailer | ||
17 | whitelist /tmp/.X11-unix | ||
18 | private-dev | ||
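Review bot: Line 12 changes `protocol unix,inet,inet6` to `protocol unix`, which presumably cuts evince off from the network, and nothing in the profile records that this is intentional; a comment such as `# local PDF rendering only: no inet sockets, so links opened from inside the sandbox will not load` would document the behaviour change for users who open links from documents. Lines 15–18 add `shell none` and `private-bin evince,evince-previewer,evince-thumbnailer`, so any helper evince spawns (xdg-open, a browser) is no longer present inside the jail either — that is the intended hardening, but it belongs in the same comment so the next bug report about "links do not open" has an answer.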
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 4ed942138..de31ce8de 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -1,19 +1,21 @@ | |||
1 | # fbreader ebook reader profile | 1 | # fbreader ebook reader profile |
2 | noblacklist ${HOME}/.FBReader | 2 | noblacklist ${HOME}/.FBReader |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
17 | noroot | 12 | noroot |
18 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
19 | 16 | ||
17 | shell none | ||
18 | private-bin fbreader,FBReader | ||
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | ||
21 | nosound | ||
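Review bot: `nosound` appears twice on the new side, at line 13 and again at line 21 after `private-dev`; the trailing one is a leftover from the appended block and should be dropped. filezilla.profile in this commit has the identical duplicate (its lines 13 and 21), so fix both. Line 18's `private-bin fbreader,FBReader` lists both capitalisations, presumably because distributions differ in the binary name — a short comment saying so would stop someone from "deduplicating" it.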
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 0eabf9a88..551c17a78 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -1,18 +1,22 @@ | |||
1 | # FileZilla ftp profile | 1 | # FileZilla ftp profile |
2 | noblacklist ${HOME}/.filezilla | 2 | noblacklist ${HOME}/.filezilla |
3 | noblacklist ${HOME}/.config/filezilla | 3 | noblacklist ${HOME}/.config/filezilla |
4 | include /etc/firejail/disable-mgmt.inc | 4 | |
5 | include /etc/firejail/disable-secret.inc | ||
6 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | blacklist ${HOME}/.wine | ||
10 | caps.drop all | 9 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | noroot | ||
14 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | noroot | ||
15 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | 16 | ||
17 | 17 | shell none | |
18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp | ||
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | ||
21 | nosound | ||
18 | 22 | ||
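Review bot: Line 18, `private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp`, deliberately keeps a shell and a Python interpreter inside the jail, which is most of what `private-bin` is meant to take away, and nothing explains why; the disable-devel.inc comment in this commit lists filezilla among programs using python, and lsb_release is commonly a Python script, so a comment above the line such as `# sh, python and lsb_release are needed by filezilla's version/update check` would record the reason and let a future reviewer re-evaluate whether the interpreter can go. With `protocol unix,inet,inet6` and `netfilter` kept, that interpreter also has network access, which is worth stating in the same comment.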
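diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile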
diff --git a/etc/firefox.profile b/etc/firefox.profile index b06dfa6da..2cc4d3cd8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -2,19 +2,17 @@ | |||
2 | 2 | ||
3 | noblacklist ~/.mozilla | 3 | noblacklist ~/.mozilla |
4 | noblacklist ~/.cache/mozilla | 4 | noblacklist ~/.cache/mozilla |
5 | noblacklist ~/keepassx.kdbx | ||
6 | include /etc/firejail/disable-mgmt.inc | ||
7 | include /etc/firejail/disable-secret.inc | ||
8 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
9 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
10 | include /etc/firejail/disable-terminals.inc | ||
11 | 8 | ||
12 | caps.drop all | 9 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6,netlink | ||
15 | netfilter | 10 | netfilter |
16 | tracelog | 11 | nonewprivs |
17 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
15 | tracelog | ||
18 | 16 | ||
19 | whitelist ${DOWNLOADS} | 17 | whitelist ${DOWNLOADS} |
20 | mkdir ~/.mozilla | 18 | mkdir ~/.mozilla |
@@ -43,14 +41,12 @@ whitelist ~/.config/lastpass | |||
43 | 41 | ||
44 | 42 | ||
45 | #silverlight | 43 | #silverlight |
46 | whitelist ~/.wine-pipelight | 44 | whitelist ~/.wine-pipelight |
47 | whitelist ~/.wine-pipelight64 | 45 | whitelist ~/.wine-pipelight64 |
48 | whitelist ~/.config/pipelight-widevine | 46 | whitelist ~/.config/pipelight-widevine |
49 | whitelist ~/.config/pipelight-silverlight5.1 | 47 | whitelist ~/.config/pipelight-silverlight5.1 |
50 | 48 | ||
51 | include /etc/firejail/whitelist-common.inc | 49 | include /etc/firejail/whitelist-common.inc |
52 | 50 | ||
53 | # experimental features | 51 | # experimental features |
54 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 52 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
55 | |||
56 | |||
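Review bot: Old line 5, `noblacklist ~/keepassx.kdbx`, is removed, but disable-common.inc in this same commit now blacklists `${HOME}/*.kdbx`, and the hunk header shows firefox still whitelists `~/.config/lastpass` (and, if it mirrors flashpeak-slimjet.profile line 37, `~/keepassx.kdbx` as well); if a blacklist entry wins over a later whitelist, which is what the `noblacklist` idiom used throughout this commit suggests, the KeePassX database is now hidden from firefox. Either restore `noblacklist ~/keepassx.kdbx` above the includes or add a comment stating that the KeePassX integration was dropped on purpose. The rest of the first hunk reorders options and adds `nonewprivs`; the second hunk only trims trailing blank lines.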
diff --git a/etc/firejail.config b/etc/firejail.config index 19525c942..20c4d7a5f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -3,28 +3,59 @@ | |||
3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration | 3 | # Most features are enabled by default. Use 'yes' or 'no' as configuration |
4 | # values. | 4 | # values. |
5 | 5 | ||
6 | # Enable or disable seccomp support, default enabled. | 6 | # Enable or disable bind support, default enabled. |
7 | # seccomp yes | 7 | # bind yes |
8 | 8 | ||
9 | # Enable or disable chroot support, default enabled. | 9 | # Enable or disable chroot support, default enabled. |
10 | # chroot yes | 10 | # chroot yes |
11 | 11 | ||
12 | # Enable or disable bind support, default enabled. | 12 | # Enable or disable file transfer support, default enabled. |
13 | # bind yes | 13 | # file-transfer yes |
14 | |||
15 | # Force use of nonewprivs. This mitigates the possibility of | ||
16 | # a user abusing firejail's features to trick a privileged (suid | ||
17 | # or file capabilities) process into loading code or configuration | ||
18 | # that is partially under their control. Default disabled | ||
19 | # force-nonewprivs no | ||
14 | 20 | ||
15 | # Enable or disable networking features, default enabled. | 21 | # Enable or disable networking features, default enabled. |
16 | # network yes | 22 | # network yes |
17 | 23 | ||
18 | # Enable or disable restricted network support, default disabled. If enabled, | 24 | # Enable or disable restricted network support, default disabled. If enabled, |
19 | # networking features (network yes) above should also be enabled. | 25 | # networking features should also be enabled (network yes). |
26 | # Restricted networking grants access to --interface, --net=ethXXX and | ||
27 | # --netfilter only to root user. Regular users are only allowed --net=none. | ||
20 | # restricted-network no | 28 | # restricted-network no |
21 | 29 | ||
30 | # Change default netfilter configuration. When using --netfilter option without | ||
31 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | ||
32 | # configuration entry allows the user to change the default by specifying | ||
33 | # a file containing the filter configuration. The filter file format is the | ||
34 | # format of iptables-save and iptable-restore commands. Example: | ||
35 | # netfilter-default /etc/iptables.iptables.rules | ||
36 | |||
37 | # Enable or disable seccomp support, default enabled. | ||
38 | # seccomp yes | ||
39 | |||
22 | # Enable or disable user namespace support, default enabled. | 40 | # Enable or disable user namespace support, default enabled. |
23 | # userns yes | 41 | # userns yes |
24 | 42 | ||
43 | # Enable or disable whitelisting support, default enabled. | ||
44 | # whitelist yes | ||
45 | |||
25 | # Enable or disable X11 sandboxing support, default enabled. | 46 | # Enable or disable X11 sandboxing support, default enabled. |
26 | # x11 yes | 47 | # x11 yes |
27 | 48 | ||
28 | # Enable or disable file transfer support, default enabled. | 49 | # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for |
29 | # file-transfer yes | 50 | # a full list of resolutions available on your specific setup. |
51 | # xephyr-screen 640x480 | ||
52 | # xephyr-screen 800x600 | ||
53 | # xephyr-screen 1024x768 | ||
54 | # xephyr-screen 1280x1024 | ||
55 | |||
56 | # Firejail window title in Xephyr, default enabled. | ||
57 | # xephyr-window-title yes | ||
30 | 58 | ||
59 | # Xephyr command extra parameters. None by default, and the declaration is commented out. | ||
60 | # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev | ||
61 | # xephyr-extra-params -grayscale | ||
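Review bot: Line 34 of the new `netfilter-default` comment reads `iptable-restore`; the tool is `iptables-restore`, so the line should be `# format of iptables-save and iptables-restore commands. Example:`. The `force-nonewprivs` block (lines 15–19) is the one security-relevant new knob here, and its text ends with `Default disabled` without a full stop and without saying what enabling it costs; one more sentence, e.g. `# Enabling it means setuid helpers no longer gain privileges inside the sandbox.`, would let an administrator weigh the trade-off. The example path on line 35, `/etc/iptables.iptables.rules`, looks like a doubled token — confirm it is the intended example.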
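diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
new file mode 100644
index 000000000..f248c385a
--- /dev/null
+++ b/etc/flashpeak-slimjet.profile
@@ -0,0 +1,41 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+# firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc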
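Review bot: The header (lines 2–6) tells users to run with `--no-sandbox` because the browser's own sandbox "requires sudo password", but does not say what is given up: as far as I know that flag turns off Chromium's per-renderer sandbox, and firejail does not replace it, since every site's renderer then runs inside the same jail. Expand the comment along the lines of `# --no-sandbox disables the browser's per-renderer sandbox; firejail isolates the browser from the system, not sites from each other` so the trade-off is explicit to whoever copies this profile. Lines 13–14 justify leaving out disable-devel.inc with "chromium is distributed with a perl script on Arch", but this profile is for SlimJet, not chromium — state which SlimJet script needs perl, or re-check whether the include can stay.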
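--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,26 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc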
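Review bot: The commented-out `#tracelog` on line 12 carries no reason, unlike the `# noroot - ...` style used in the midori and lxterminal profiles of this commit; either enable it as gpredict and gthumb do or write `# tracelog - disabled: <reason>` so the next editor does not simply turn it back on. The hardening block (lines 8-14) is also out of the alphabetical order the other new profiles use (caps.drop, netfilter, nonewprivs, noroot, protocol, seccomp), which makes diffs between profiles noisier than they need to be.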
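--- a/etc/generic.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-################################
-# Generic GUI application profile
-################################
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-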
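--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,18 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev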
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 8062c859a..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile | |||
@@ -1,15 +1,14 @@ | |||
1 | # GNOME MPlayer profile | 1 | # GNOME MPlayer profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 9 | noroot |
10 | protocol unix,inet,inet6 | ||
11 | seccomp | ||
12 | |||
13 | shell none | ||
14 | private-bin gnome-mplayer | ||
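Review bot: `blacklist ${HOME}/.pki/nssdb` (old line 7) disappears from this profile and none of the added includes is named for it; unless disable-common.inc or disable-passwdmgr.inc (both touched by this commit, neither in view) now carries that entry, the NSS key and certificate database becomes visible to the player again. The same drop happens in kmail (old line 8), lxterminal (old line 6) and the deleted generic.profile, so one check covers all of them; if the includes do not cover it, re-add `blacklist ${HOME}/.pki/nssdb` after the includes. Separately, `private-bin gnome-mplayer` (new line 14) lists only the front end; if it execs an external mplayer binary for playback, that binary is not in the private bin directory and playback fails, so `private-bin gnome-mplayer,mplayer` is probably needed.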
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3396585eb..11f9f9e33 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome beta browser profile | 1 | # Google Chrome beta browser profile |
2 | noblacklist ~/.config/google-chrome-beta | 2 | noblacklist ~/.config/google-chrome-beta |
3 | noblacklist ~/.cache/google-chrome-beta | 3 | noblacklist ~/.cache/google-chrome-beta |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
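Review bot: `noblacklist ~/keepassx.kdbx` (old line 4) is dropped while the profile's later whitelist block lies outside the hunk; if disable-programs.inc (now included on new line 5) blacklists the KeePassX paths, a later `whitelist ~/keepassx.kdbx` no longer re-exposes the file, since as far as firejail's ordering goes a blacklist applies even over a whitelisted path unless a matching `noblacklist` precedes the include. The identical removal is in google-chrome-unstable, google-chrome, opera-beta and opera. If the intent is to cut the password-manager exposure from these browsers, say so in a comment and remove the trailing whitelist too; otherwise restore the line. The file continues past the hunk.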
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index ed4332862..f253e5a90 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome unstable browser profile | 1 | # Google Chrome unstable browser profile |
2 | noblacklist ~/.config/google-chrome-unstable | 2 | noblacklist ~/.config/google-chrome-unstable |
3 | noblacklist ~/.cache/google-chrome-unstable | 3 | noblacklist ~/.cache/google-chrome-unstable |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 985af38eb..5e168aae5 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -1,11 +1,8 @@ | |||
1 | # Google Chrome browser profile | 1 | # Google Chrome browser profile |
2 | noblacklist ~/.config/google-chrome | 2 | noblacklist ~/.config/google-chrome |
3 | noblacklist ~/.cache/google-chrome | 3 | noblacklist ~/.cache/google-chrome |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-programs.inc |
9 | 6 | ||
10 | # chromium is distributed with a perl script on Arch | 7 | # chromium is distributed with a perl script on Arch |
11 | # include /etc/firejail/disable-devel.inc | 8 | # include /etc/firejail/disable-devel.inc |
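--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player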
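Review bot: `whitelist ~/.config/Google Play Music Desktop Player` (line 18) has no preceding `mkdir`, unlike every other whitelisting profile in this commit (franz lines 17-18, netsurf lines 18-19); on a first run the directory does not exist, the whitelist has nothing to bind, and the settings the player writes presumably land in the sandbox's temporary home and are lost. Add `mkdir ~/.config` and `mkdir ~/.config/Google Play Music Desktop Player` before line 18. Because a single whitelist hides the rest of the home directory, the profile should also either add `include /etc/firejail/whitelist-common.inc` as its siblings do or note why it does not.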
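--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev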
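--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+whitelist /tmp/.X11-unix
+private-dev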
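--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,21 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+nogroups
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11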
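Review bot: The `noblacklist` lines (2-3) cover only the KDE4 locations under `~/.kde/share/`; a KDE Frameworks 5 build of Gwenview keeps its settings in `~/.config/gwenviewrc` and `~/.local/share/gwenview`, so on such systems these lines expose nothing and, if disable-programs.inc (not in view) blacklists the newer paths, the live configuration is hidden instead. The okular profile (its lines 2-4) has the same KDE4-only list. Either add `noblacklist ~/.config/gwenviewrc` and `noblacklist ~/.local/share/gwenview` (and the okular equivalents) or state in the header that the profile targets KDE4.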
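--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,8 @@
+# gzip profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound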
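Review bot: `private-tmp` (line 7) gives gzip an empty /tmp, so `firejail gzip /tmp/somefile` fails on a path the user can plainly see; the less profile (the same eight lines) has the same problem when paging a file under /tmp. Either document the trade-off with a comment such as `# private-tmp: files under /tmp are not visible inside the sandbox` or drop the keyword for these file-oriented tools. What `include /etc/firejail/default.profile` (line 2) already sets is outside the view.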
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index ab0e067c7..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # whitelist profile for Hedgewars (game) | 1 | # whitelist profile for Hedgewars (game) |
2 | noblacklist ${HOME}/.hedgewars | ||
2 | 3 | ||
3 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-mgmt.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nonewprivs | ||
10 | noroot | 11 | noroot |
11 | private-dev | 12 | private-dev |
12 | whitelist /tmp/.X11-unix | ||
13 | seccomp | 13 | seccomp |
14 | tracelog | 14 | tracelog |
15 | netfilter | ||
16 | 15 | ||
17 | mkdir ~/.hedgewars | 16 | mkdir ~/.hedgewars |
18 | whitelist ~/.hedgewars | 17 | whitelist ~/.hedgewars |
18 | include /etc/firejail/whitelist-common.inc | ||
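Review bot: `netfilter` (old line 15) is removed with nothing taking its place, and the profile has no `protocol` line on either side, so the game's online play now runs without the client network filter that every other networked profile in this commit keeps; if the removal is deliberate a comment should say why, otherwise keep `netfilter` and consider adding `protocol unix,inet,inet6`. The dropped `whitelist /tmp/.X11-unix` (old line 12) is presumably covered by the new `include /etc/firejail/whitelist-common.inc` (new line 18), but that file is outside the view.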
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 8f9e71b44..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -1,11 +1,21 @@ | |||
1 | # HexChat instant messaging profile | 1 | # HexChat instant messaging profile |
2 | noblacklist ${HOME}/.config/hexchat | 2 | noblacklist ${HOME}/.config/hexchat |
3 | include /etc/firejail/disable-mgmt.inc | 3 | noblacklist /usr/lib/python2* |
4 | include /etc/firejail/disable-secret.inc | 4 | noblacklist /usr/lib/python3* |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 8 | |
8 | caps.drop all | 9 | caps.drop all |
9 | seccomp | 10 | nonewprivs |
10 | protocol unix,inet,inet6 | ||
11 | noroot | 11 | noroot |
12 | netfilter | ||
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | |||
16 | mkdir ~/.config | ||
17 | mkdir ~/.config/hexchat | ||
18 | whitelist ~/.config/hexchat | ||
19 | include /etc/firejail/whitelist-common.inc | ||
20 | |||
21 | # private-bin requires perl, python, etc. | ||
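Review bot: `noblacklist /usr/lib/python2*` and `noblacklist /usr/lib/python3*` (new lines 3-4) re-expose the Python library tree that disable-devel.inc (new line 7) presumably hides, and only the trailing `# private-bin requires perl, python, etc.` (line 21) hints at the reason; put the explanation next to the lines, e.g. `# the python plugin needs the interpreter libraries hidden by disable-devel.inc`. On distributions that install Python under `/usr/lib64` the two globs match nothing, so a `noblacklist /usr/lib64/python*` may be needed as well.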
diff --git a/etc/icedove.profile b/etc/icedove.profile index 057e0c9ef..e9a63c8dd 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -1,3 +1,19 @@ | |||
1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian) | 1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) |
2 | include /etc/firejail/thunderbird.profile | 2 | # Users have icedove set to open a browser by clicking a link in an email |
3 | # We are not allowed to blacklist browser-specific directories | ||
4 | |||
5 | noblacklist ~/.gnupg | ||
6 | mkdir ~/.gnupg | ||
7 | whitelist ~/.gnupg | ||
8 | |||
9 | noblacklist ~/.icedove | ||
10 | mkdir ~/.icedove | ||
11 | whitelist ~/.icedove | ||
12 | |||
13 | noblacklist ~/.cache/icedove | ||
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/icedove | ||
16 | whitelist ~/.cache/icedove | ||
17 | |||
18 | include /etc/firejail/firefox.profile | ||
3 | 19 | ||
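Review bot: The new header (lines 2-3, "Users have icedove set to open a browser ... We are not allowed to blacklist browser-specific directories") is hard to parse; suggest `# Icedove opens links in the user's browser, so the browser directories must stay visible: reuse firefox.profile instead of thunderbird.profile`. Switching to `include /etc/firejail/firefox.profile` (line 18) also inherits everything that profile whitelists, which going by the sibling browser profiles in this commit is `${DOWNLOADS}` plus the KeePassX/LastPass stores, so the mail client now sees those too and the header should say so. `whitelist ~/.gnupg` (line 7) hands the mail client write access to the keyring; that is what gpg needs, but a one-line comment stating it would help.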
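--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,16 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+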
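Review bot: `netfilter` is absent while `protocol unix,inet,inet6` (line 12) permits network sockets; every other network-using profile added in this commit (konversation, libreoffice, mcabber) pairs the two, so add `netfilter` or note why Jitsi is exempt. `shell none` (line 14) is set without the `private-bin` list the other `shell none` profiles carry, which is fine if intentional but reads as unfinished; line 16 is a trailing blank line.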
diff --git a/etc/kmail.profile b/etc/kmail.profile index ca29675a0..44a53e258 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -1,20 +1,15 @@ | |||
1 | # kmail profile | 1 | # kmail profile |
2 | noblacklist ${HOME}/.gnupg | 2 | noblacklist ${HOME}/.gnupg |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6,netlink | ||
16 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
17 | noroot | 12 | noroot |
13 | protocol unix,inet,inet6,netlink | ||
14 | seccomp | ||
18 | tracelog | 15 | tracelog |
19 | |||
20 | |||
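--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6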
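Review bot: `nonewprivs` is the one keyword nearly every other new profile in this commit sets next to `seccomp`, and it is missing from the hardening block (lines 8-12); add `nonewprivs` for consistency. There is also no `noblacklist` for Konversation's own configuration (KDE4 `~/.kde/share/apps/konversation`, KF5 `~/.config/konversationrc`), so if disable-programs.inc (not in view) hides it the client starts without its server list and logs — confirm against that include.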
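--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,8 @@
+# less profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound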
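--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+whitelist /tmp/.X11-unix/
+nosound
+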
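Review bot: `whitelist /tmp/.X11-unix/` (line 17) carries a trailing slash while gthumb line 20 writes `whitelist /tmp/.X11-unix`; use one form so the same path is whitelisted identically across profiles. `nosound` (line 18) will also silence audio in Impress presentations that embed sound clips — if that is the intended trade-off a comment would help, otherwise drop it. The eight `lo*.profile` stubs added alongside (localc through lowriter) are byte-identical with a banner reading "LibreOffice profile"; giving each its own first line (e.g. `# LibreOffice Writer` in lowriter.profile) would tell a reader of /etc/firejail which binary it applies to.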
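--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+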
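--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+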
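--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+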
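--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+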
diff --git a/etc/login.users b/etc/login.users index 5d5969091..bc6ac4b09 100644 --- a/etc/login.users +++ b/etc/login.users | |||
@@ -7,7 +7,7 @@ | |||
7 | # | 7 | # |
8 | # For example: | 8 | # For example: |
9 | # | 9 | # |
10 | # netblue:--debug --net=none | 10 | # netblue:--net=none --protocol=unix |
11 | # | 11 | # |
12 | # The extra arguments are inserted into program command line if firejail | 12 | # The extra arguments are inserted into program command line if firejail |
13 | # was started as a login shell. | 13 | # was started as a login shell. |
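--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+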
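--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+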
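--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+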
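--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+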
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index a614a8dbf..d1d0b8a0d 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
@@ -1,19 +1,11 @@ | |||
1 | # lxterminal (LXDE) profile | 1 | # lxterminal (LXDE) profile |
2 | 2 | ||
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
6 | blacklist ${HOME}/.pki/nssdb | 4 | include /etc/firejail/disable-programs.inc |
7 | blacklist ${HOME}/.lastpass | 5 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.keepassx | 6 | |
9 | blacklist ${HOME}/.password-store | ||
10 | caps.drop all | 7 | caps.drop all |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | ||
13 | netfilter | 8 | netfilter |
14 | 9 | protocol unix,inet,inet6 | |
10 | seccomp | ||
15 | #noroot - somehow this breaks on Debian Jessie! | 11 | #noroot - somehow this breaks on Debian Jessie! |
16 | |||
17 | # lxterminal is a single-instence program | ||
18 | # blacklist any existing lxterminal socket in order to force a second process instance | ||
19 | blacklist /tmp/.lxterminal-socket* | ||
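Review bot: Old lines 17-19 (`blacklist /tmp/.lxterminal-socket*` with its explanation) are removed and nothing on the new side replaces them; lxterminal is a single-instance program, so without the socket blacklist a sandboxed launch can hand its request to an already-running unsandboxed instance and exit, and the new terminal window then runs outside the sandbox. Unless that blacklist moved into disable-common.inc (modified in this commit but outside the view), restore the three lines after `seccomp`. The dropped `blacklist ${HOME}/.pki/nssdb` (old line 6) is the same question raised on the gnome-mplayer hunk.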
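--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound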
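Review bot: `private-etc null` (line 18) leaves the sandbox with an /etc holding at most a file named `null`; an XMPP client needs `resolv.conf`, `hosts` and `nsswitch.conf` to resolve its server and the `ssl` directory to validate TLS, so as written this looks likely to fail to connect. If an empty /etc is intended, a comment explaining how name resolution and certificate validation still work would help; otherwise list the files, e.g. `private-etc hosts,nsswitch.conf,resolv.conf,ssl` (the palemoon profile's commented `private-etc` line in this commit shows the fuller list used for browsers).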
diff --git a/etc/midori.profile b/etc/midori.profile index e46a6baa2..046c45d94 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # Midori browser profile | 1 | # Midori browser profile |
2 | noblacklist ${HOME}/.config/midori | 2 | noblacklist ${HOME}/.config/midori |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | |
8 | caps.drop all | 7 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6 | ||
11 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | # noroot - noroot break midori on Ubuntu 14.04 | ||
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
12 | 13 | ||
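Review bot: The new comment on line 10 reads `# noroot - noroot break midori on Ubuntu 14.04`; suggest `# noroot - disabled: it breaks midori on Ubuntu 14.04` so the line states that the keyword is intentionally off and why. A date or release bound on the statement would also let a later maintainer know when to retest it.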
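--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7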
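Review bot: `private-bin mpv,youtube-dl,python2.7` (line 18) brings youtube-dl into the sandbox, but youtube-dl is a Python program and `include /etc/firejail/disable-devel.inc` (line 6) — going by the `noblacklist /usr/lib/python2*` and `/usr/lib/python3*` lines the hexchat hunk adds for exactly this reason — hides the interpreter's library tree, so youtube-dl would fail at import time; on distributions whose youtube-dl runs under Python 3 the interpreter binary is missing from the list as well. Add `noblacklist /usr/lib/python2*` and `noblacklist /usr/lib/python3*` before the includes and widen the list to `private-bin mpv,youtube-dl,python2.7,python3`. The `# to test` marker (line 16) should say what is untested or be removed once it is.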
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 239ab3a80..d4b442df8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -1,10 +1,13 @@ | |||
1 | # mupen64plus profile | 1 | # mupen64plus profile |
2 | # manually whitelist ROM files | 2 | # manually whitelist ROM files |
3 | include /etc/firejail/disable-mgmt.inc | 3 | noblacklist ${HOME}/.config/mupen64plus |
4 | include /etc/firejail/disable-secret.inc | 4 | noblacklist ${HOME}/.local/share/mupen64plus |
5 | |||
5 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | |||
8 | mkdir ${HOME}/.local | 11 | mkdir ${HOME}/.local |
9 | mkdir ${HOME}/.local/share | 12 | mkdir ${HOME}/.local/share |
10 | mkdir ${HOME}/.local/share/mupen64plus | 13 | mkdir ${HOME}/.local/share/mupen64plus |
@@ -12,7 +15,9 @@ whitelist ${HOME}/.local/share/mupen64plus/ | |||
12 | mkdir ${HOME}/.config | 15 | mkdir ${HOME}/.config |
13 | mkdir ${HOME}/.config/mupen64plus | 16 | mkdir ${HOME}/.config/mupen64plus |
14 | whitelist ${HOME}/.config/mupen64plus/ | 17 | whitelist ${HOME}/.config/mupen64plus/ |
15 | noroot | 18 | |
16 | caps.drop all | 19 | caps.drop all |
17 | seccomp | ||
18 | net none | 20 | net none |
21 | nonewprivs | ||
22 | noroot | ||
23 | seccomp | ||
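--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc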
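Review bot: The header (line 1) still reads `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, a copy-paste leftover; suggest `# Firejail profile for the NetSurf browser`. Lines 25-30 whitelist the KeePassX and LastPass stores, copied from the Firefox-style profiles where a browser extension reads them; as far as I know NetSurf has no such password-manager integration, so those lines hand a browser process write access to password databases for no benefit and should be dropped unless a use is known.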
diff --git a/etc/nolocal.net b/etc/nolocal.net index 9c0c6e125..9fa785450 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net | |||
@@ -4,7 +4,8 @@ | |||
4 | :OUTPUT ACCEPT [0:0] | 4 | :OUTPUT ACCEPT [0:0] |
5 | 5 | ||
6 | ################################################################### | 6 | ################################################################### |
7 | # Client filter rejecting local network traffic, with the exception of DNS traffic | 7 | # Client filter rejecting local network traffic, with the exception of |
8 | # DNS traffic | ||
8 | # | 9 | # |
9 | # Usage: | 10 | # Usage: |
10 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox | 11 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox |
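--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,23 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11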
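--- /dev/null
+++ b/etc/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp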
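Review bot: The header (line 3) says all applications started in OpenBox run in this profile, which as far as I understand holds only when openbox itself is launched through firejail, and it does not warn that `caps.drop all`, `noroot`, `protocol unix,inet,inet6` and `seccomp` (lines 7-11) are then inherited by every child, so anything needing netlink or root (network applets, `su`/`sudo` in a terminal) will break under it. Suggest extending the banner with `# - only applies when openbox itself is started with firejail; every child inherits these restrictions`. `nonewprivs`, which the other new profiles set beside `seccomp`, is also absent.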
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 91eb10787..3d6edb286 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
@@ -1,12 +1,9 @@ | |||
1 | # Opera-beta browser profile | 1 | # Opera-beta browser profile |
2 | noblacklist ~/.config/opera-beta | 2 | noblacklist ~/.config/opera-beta |
3 | noblacklist ~/.cache/opera-beta | 3 | noblacklist ~/.cache/opera-beta |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | netfilter | 8 | netfilter |
12 | 9 | ||
diff --git a/etc/opera.profile b/etc/opera.profile index 08bbd5a06..ff00eb349 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
@@ -1,12 +1,10 @@ | |||
1 | # Opera browser profile | 1 | # Opera browser profile |
2 | noblacklist ~/.config/opera | 2 | noblacklist ~/.config/opera |
3 | noblacklist ~/.cache/opera | 3 | noblacklist ~/.cache/opera |
4 | noblacklist ~/keepassx.kdbx | 4 | noblacklist ~/.opera |
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 8 | ||
11 | netfilter | 9 | netfilter |
12 | 10 | ||
@@ -17,6 +15,8 @@ whitelist ~/.config/opera | |||
17 | mkdir ~/.cache | 15 | mkdir ~/.cache |
18 | mkdir ~/.cache/opera | 16 | mkdir ~/.cache/opera |
19 | whitelist ~/.cache/opera | 17 | whitelist ~/.cache/opera |
18 | mkdir ~/.opera | ||
19 | whitelist ~/.opera | ||
20 | mkdir ~/.pki | 20 | mkdir ~/.pki |
21 | whitelist ~/.pki | 21 | whitelist ~/.pki |
22 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
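--- /dev/null
+++ b/etc/palemoon.profile
@@ -0,0 +1,58 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache
+mkdir ~/.cache/moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)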
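Review bot: The config-directory block at new lines 10-11 creates and whitelists the whole `~/.moonchild productions` directory, while the noblacklist at line 2 and the cache block at lines 13-15 are scoped to the `pale moon` subdirectory; whitelisting the parent exposes any sibling profile directories under it to the sandbox. Mirroring the cache block keeps the grant to what line 2 un-blacklists: `mkdir ~/.moonchild productions/pale moon` followed by `whitelist ~/.moonchild productions/pale moon`. Whether firejail's profile `mkdir` creates intermediate directories is not visible here; if it does not, keep line 10 and add the subdirectory lines after it.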
diff --git a/etc/parole.profile b/etc/parole.profile index fd49bcf07..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -1,18 +1,16 @@ | |||
1 | # Profile for Parole, the default XFCE4 media player | 1 | # Profile for Parole, the default XFCE4 media player |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | |||
7 | private-etc passwd,group,fonts | 7 | private-etc passwd,group,fonts |
8 | private-bin parole,dbus-launch | 8 | private-bin parole,dbus-launch |
9 | blacklist ${HOME}/.pki/nssdb | 9 | |
10 | blacklist ${HOME}/.lastpass | ||
11 | blacklist ${HOME}/.keepassx | ||
12 | blacklist ${HOME}/.password-store | ||
13 | caps.drop all | 10 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
17 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
18 | shell none | 16 | shell none |
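Review bot: The removed `blacklist ${HOME}/.pki/nssdb` (old line 9) has no visible replacement: the new includes at lines 2-5 are disable-common.inc, disable-programs.inc, disable-devel.inc and disable-passwdmgr.inc, and the page does not show whether any of them covers the NSS certificate/key database, unlike the lastpass/keepassx/password-store lines that disable-passwdmgr.inc plausibly takes over. If none does, the media player regains read access to `~/.pki/nssdb`, which holds the user's client certificates and private keys. The same removal, also without a visible replacement, occurs in qbittorrent.profile, rhythmbox.profile, totem.profile, transmission-gtk.profile and transmission-qt.profile; worth confirming once against the .inc files and restoring the line in each profile if it is not covered.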
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 54bedccc8..3df2cafa6 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -1,12 +1,20 @@ | |||
1 | # Pidgin profile | 1 | # Pidgin profile |
2 | noblacklist ${HOME}/.purple | 2 | noblacklist ${HOME}/.purple |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.wine | 7 | include /etc/firejail/disable-programs.inc |
8 | |||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | 10 | netfilter |
11 | protocol unix,inet,inet6 | 11 | nonewprivs |
12 | nogroups | ||
12 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
16 | shell none | ||
17 | tracelog | ||
18 | |||
19 | private-bin pidgin | ||
20 | private-dev | ||
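Review bot: `private-dev` at new line 20 is left commented out in palemoon.profile in this same commit precisely because it interferes with webcam use, and Pidgin's voice/video support is exposed to the same restriction, so it should be documented or made opt-in here. A one-line comment above it, `# private-dev hides the webcam devices; comment out if you use voice/video chat`, would save users the debugging. `private-bin pidgin` at line 19 also means link clicks cannot launch an external browser from inside the sandbox, which is a reasonable hardening choice but worth a comment as well.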
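--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,23 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+whitelist /tmp/.X11-unix
+private-dev
+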
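Review bot: The profile only blacklists, through the four includes at lines 5-8, and never whitelists the home directory, so the image viewer keeps read access to everything in `$HOME` the includes do not cover; the other new GUI profiles in this commit (qtox, qutebrowser, stellarium) narrow that with `whitelist ${DOWNLOADS}` plus the application's own directories. If pix only needs its config, data and picture folders, a whitelist block for `${HOME}/.config/pix`, `${HOME}/.local/share/pix`, `${DOWNLOADS}` and the pictures directory, paired with `include /etc/firejail/whitelist-common.inc`, is the least-privilege form; users opening images from arbitrary paths is the trade-off to weigh. Line 23 is a trailing blank line.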
diff --git a/etc/polari.profile b/etc/polari.profile index 26d5ff27b..366883c83 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -1,9 +1,8 @@ | |||
1 | # Polari IRC profile | 1 | # Polari IRC profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | mkdir ${HOME}/.local | 6 | mkdir ${HOME}/.local |
8 | mkdir ${HOME}/.local/share/ | 7 | mkdir ${HOME}/.local/share/ |
9 | mkdir ${HOME}/.local/share/Empathy | 8 | mkdir ${HOME}/.local/share/Empathy |
@@ -21,9 +20,10 @@ whitelist ${HOME}/.cache/telepathy | |||
21 | mkdir ${HOME}/.purple | 20 | mkdir ${HOME}/.purple |
22 | whitelist ${HOME}/.purple | 21 | whitelist ${HOME}/.purple |
23 | include /etc/firejail/whitelist-common.inc | 22 | include /etc/firejail/whitelist-common.inc |
23 | |||
24 | caps.drop all | 24 | caps.drop all |
25 | seccomp | ||
26 | protocol unix,inet,inet6 | ||
27 | noroot | ||
28 | netfilter | 25 | netfilter |
29 | 26 | nonewprivs | |
27 | noroot | ||
28 | protocol unix,inet,inet6 | ||
29 | seccomp | ||
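--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp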
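Review bot: The hardening block at lines 23-27 lacks `nonewprivs`, which this commit adds to nearly every other profile (qtox line 14, ssh line 10), as well as the `nogroups`, `shell none` and `tracelog` that qtox.profile applies to a comparable messenger; `nonewprivs` is what stops a compromised client from regaining privilege through setuid binaries after `caps.drop all`. Lines 3-4 un-blacklist `.config/psi+` and `.local/share/psi+` but not `~/.cache/psi+`, which line 19 whitelists; if disable-programs.inc blacklists that cache path the whitelist alone will not restore it, so confirm and add `noblacklist ${HOME}/.cache/psi+` if needed. The file also mixes `${HOME}` (lines 3-4) and `~` (lines 10-19) for the same paths; quiterss.profile does the same, and one form should be picked.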
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index f067aaa99..138b6db55 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -1,19 +1,20 @@ | |||
1 | # qbittorrent bittorrent profile | 1 | # qbittorrent bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
16 | noroot | 10 | noroot |
17 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
18 | 14 | ||
19 | 15 | # there are some problems with "Open destination folder", see bug #536 | |
16 | #shell none | ||
17 | #private-bin qbittorrent | ||
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | ||
20 | nosound | ||
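Review bot: `nosound` appears twice on the new side, at lines 11 and 20; the second is a leftover from the appended block and should be dropped. rtorrent.profile in this commit has the same duplicate at its lines 11 and 19. The commented `shell none` and `private-bin qbittorrent` at lines 16-17 already cite bug #536, which is the right way to record why that hardening is off.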
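--- /dev/null
+++ b/etc/qtox.profile
@@ -0,0 +1,22 @@
+# qTox instant messaging profile
+noblacklist ${HOME}/.config/tox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox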
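Review bot: The whitelist block at lines 8-10 is not paired with `include /etc/firejail/whitelist-common.inc`, which the other whitelist-based profiles in this commit add (psi-plus line 21, qutebrowser line 23, snap line 10); without it the common entries those profiles rely on are hidden, and stellarium.profile has the same omission. Line 8 also runs `mkdir ${HOME}/.config/tox` without first creating `${HOME}/.config`, whereas psi-plus (lines 10-11), quiterss (lines 7-8) and stellarium (lines 12-13) create the parent first, and qutebrowser.profile line 18 repeats the omission. Whether firejail's profile `mkdir` creates intermediate directories is not visible here; adding `mkdir ${HOME}/.config` before line 8 matches the rest of the commit either way.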
diff --git a/etc/quassel.profile b/etc/quassel.profile index bc8c76915..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile | |||
@@ -1,13 +1,11 @@ | |||
1 | # Quassel IRC profile | 1 | # Quassel IRC profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | blacklist ${HOME}/.wine | ||
8 | caps.drop all | 6 | caps.drop all |
9 | seccomp | 7 | nonewprivs |
10 | protocol unix,inet,inet6 | ||
11 | noroot | 8 | noroot |
12 | netfilter | 9 | netfilter |
13 | 10 | protocol unix,inet,inet6 | |
11 | seccomp | ||
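--- /dev/null
+++ b/etc/quiterss.profile
@@ -0,0 +1,32 @@
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${HOME}/quiterssfeeds.opml
+mkdir ~/.config
+mkdir ~/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRssrc
+mkdir ~/.local
+mkdir ~/.local/share
+whitelist ${HOME}/.local/share/
+mkdir ~/.cache
+mkdir ~/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+private-bin quiterss
+private-dev
+nosound
+#private-etc X11,ssl
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+include /etc/firejail/whitelist-common.inc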
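Review bot: Line 13 whitelists the entire `${HOME}/.local/share/` rather than a QuiteRss-specific subdirectory, which exposes every other application's data under that tree (for example `~/.local/share/keyrings`, where present) to a feed reader that parses untrusted network content; the sibling blocks at lines 8-9 and 15-16 are correctly scoped to `QuiteRss`. If QuiteRss only needs its own directory, `mkdir ~/.local/share/QuiteRss` and `whitelist ${HOME}/.local/share/QuiteRss` is the least-privilege form — the path it actually uses is not visible here and needs confirming. The file is also the only new profile in this commit with no header comment (a first line such as `# QuiteRSS feed reader profile` would match the others), and it has no `noblacklist` lines for the paths it whitelists, unlike psi-plus.profile lines 3-4.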
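--- /dev/null
+++ b/etc/qutebrowser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+
+noblacklist ~/.config/qutebrowser
+noblacklist ~/.cache/qutebrowser
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/qutebrowser
+whitelist ~/.config/qutebrowser
+mkdir ~/.cache
+mkdir ~/.cache/qutebrowser
+whitelist ~/.cache/qutebrowser
+include /etc/firejail/whitelist-common.inc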
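Review bot: For a browser that renders untrusted content, the hardening block at lines 9-15 omits `shell none`, `nogroups` and `private-bin qutebrowser`, all of which palemoon.profile in this commit applies (its lines 24, 19 and 27); `shell none` in particular removes the interpreter a renderer exploit would most likely reach for. If the omission is deliberate because qutebrowser's userscripts or the Python host need a shell, a comment to that effect above line 9, e.g. `# shell none / private-bin omitted: userscripts spawn a shell`, would keep the next reviewer from adding them blindly. The reason is not visible here, so confirm before choosing either way.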
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index a1a20a863..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # Rhythmbox media player profile | 1 | # Rhythmbox media player profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 6 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 7 | caps.drop all |
13 | seccomp | 8 | nogroups |
14 | protocol unix,inet,inet6 | ||
15 | noroot | ||
16 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | shell none | ||
15 | tracelog | ||
17 | 16 | ||
17 | private-bin rhythmbox | ||
18 | private-dev | ||
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 6041052af..15df2c374 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -1,12 +1,19 @@ | |||
1 | # rtorrent bittorrent profile | 1 | # rtorrent bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | ||
3 | include /etc/firejail/disable-secret.inc | ||
4 | include /etc/firejail/disable-common.inc | 2 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 4 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | |||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
11 | noroot | 10 | noroot |
12 | nosound | 11 | nosound |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
15 | shell none | ||
16 | private-bin rtorrent | ||
17 | whitelist /tmp/.X11-unix | ||
18 | private-dev | ||
19 | nosound | ||
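Review bot: `whitelist /tmp/.X11-unix` at new line 17 grants the X socket to rtorrent, which is a curses client run in a terminal and does not talk to X; the line looks copied from the GUI torrent profiles (qbittorrent line 18, transmission-gtk line 21). Dropping it removes an unneeded capability from a network-facing program, and the adjacent `shell none` and `private-bin rtorrent` at lines 15-16 are the parts that actually matter for it.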
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index b896af97a..9ce4164c1 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile | |||
@@ -1,19 +1,17 @@ | |||
1 | # Firejail profile for Seamoneky based off Mozilla Firefox | 1 | # Firejail profile for Seamoneky based off Mozilla Firefox |
2 | noblacklist ~/.mozilla | 2 | noblacklist ~/.mozilla |
3 | noblacklist ~/.cache/mozilla | 3 | noblacklist ~/.cache/mozilla |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | caps.drop all | 8 | caps.drop all |
12 | seccomp | ||
13 | protocol unix,inet,inet6,netlink | ||
14 | netfilter | 9 | netfilter |
15 | tracelog | 10 | nonewprivs |
16 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | tracelog | ||
17 | 15 | ||
18 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
19 | mkdir ~/.mozilla | 17 | mkdir ~/.mozilla |
@@ -44,13 +42,10 @@ whitelist ~/.lastpass | |||
44 | whitelist ~/.config/lastpass | 42 | whitelist ~/.config/lastpass |
45 | 43 | ||
46 | #silverlight | 44 | #silverlight |
47 | whitelist ~/.wine-pipelight | 45 | whitelist ~/.wine-pipelight |
48 | whitelist ~/.wine-pipelight64 | 46 | whitelist ~/.wine-pipelight64 |
49 | whitelist ~/.config/pipelight-widevine | 47 | whitelist ~/.config/pipelight-widevine |
50 | whitelist ~/.config/pipelight-silverlight5.1 | 48 | whitelist ~/.config/pipelight-silverlight5.1 |
51 | 49 | ||
52 | |||
53 | |||
54 | # experimental features | 50 | # experimental features |
55 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 51 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse |
56 | |||
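Review bot: The removal of `noblacklist ~/keepassx.kdbx` (old line 4) is not accompanied by any change to the password-manager whitelist block, which the second hunk's context (`whitelist ~/.config/lastpass`, new line 42) shows is still present; if disable-common.inc or disable-programs.inc blacklists `~/keepassx.kdbx`, the whitelist alone may not restore access to the database, depending on how firejail orders blacklist and whitelist processing. The same removal is made in opera.profile (old line 4). Worth confirming once against the .inc files, then either restoring the line or noting in the profile that the include set no longer touches the file. Unrelated to the change, the unchanged header at line 1 still spells the product `Seamoneky`.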
diff --git a/etc/server.profile b/etc/server.profile index 5471aed91..88331d951 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -2,9 +2,13 @@ | |||
2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
3 | noblacklist /sbin | 3 | noblacklist /sbin |
4 | noblacklist /usr/sbin | 4 | noblacklist /usr/sbin |
5 | include /etc/firejail/disable-mgmt.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | |||
6 | private | 9 | private |
7 | private-dev | 10 | private-dev |
11 | nosound | ||
8 | private-tmp | 12 | private-tmp |
9 | seccomp | 13 | seccomp |
10 | 14 | ||
diff --git a/etc/skype.profile b/etc/skype.profile index a33cc339d..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile | |||
@@ -1,12 +1,12 @@ | |||
1 | # Skype profile | 1 | # Skype profile |
2 | noblacklist ${HOME}/.Skype | 2 | noblacklist ${HOME}/.Skype |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 6 | |
8 | caps.drop all | 7 | caps.drop all |
9 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | noroot | 10 | noroot |
11 | seccomp | ||
12 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
12 | seccomp | ||
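Review bot: The hunk drops `disable-secret.inc` and `disable-terminals.inc` (old lines 4 and 7) without adding `disable-passwdmgr.inc`, which pidgin.profile, steam.profile and parole.profile in this same commit include when making the same substitution; for a closed-source, network-facing client, losing the password-manager blacklist is a real widening. Adding `include /etc/firejail/disable-passwdmgr.inc` after new line 5 restores parity. telegram.profile, quassel.profile, polari.profile and uget-gtk.profile make the same omission in this commit.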
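--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,14 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.keep chown,sys_admin
+
+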
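Review bot: `caps.keep chown,sys_admin` at line 12 retains CAP_SYS_ADMIN, which covers mount and most other privileged operations and so largely neutralises the containment the includes at lines 4-6 are meant to provide; the profile also sets none of `seccomp`, `noroot`, `nonewprivs` or `netfilter` that every other profile in this commit applies. If snap's own confinement genuinely needs those capabilities, that reasoning belongs next to the line, e.g. `# snap's launcher needs CAP_SYS_ADMIN/CAP_CHOWN to set up its own mount namespace; this profile only restricts the filesystem view` — confirm the exact requirement before wording it. Lines 13-14 are trailing blank lines.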
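--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+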
diff --git a/etc/spotify.profile b/etc/spotify.profile index 1986a513c..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -1,11 +1,14 @@ | |||
1 | # Spotify media player profile | 1 | # Spotify media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/spotify |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/spotify |
4 | noblacklist ${HOME}/.local/share/spotify | ||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | ||
6 | 9 | ||
7 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify - This is more restrictive |
8 | # than a blacklist though, but this is all spotify requires for | 11 | # than a blacklist though, but this is all spotify requires for |
9 | # streaming audio | 12 | # streaming audio |
10 | mkdir ${HOME}/.config | 13 | mkdir ${HOME}/.config |
11 | mkdir ${HOME}/.config/spotify | 14 | mkdir ${HOME}/.config/spotify |
@@ -20,8 +23,13 @@ whitelist ${HOME}/.cache/spotify | |||
20 | include /etc/firejail/whitelist-common.inc | 23 | include /etc/firejail/whitelist-common.inc |
21 | 24 | ||
22 | caps.drop all | 25 | caps.drop all |
23 | seccomp | ||
24 | protocol unix,inet,inet6,netlink | ||
25 | netfilter | 26 | netfilter |
27 | nogroups | ||
28 | nonewprivs | ||
26 | noroot | 29 | noroot |
30 | protocol unix,inet,inet6,netlink | ||
31 | seccomp | ||
32 | shell none | ||
27 | 33 | ||
34 | private-bin spotify | ||
35 | private-dev | ||
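Review bot: The new `noblacklist ${HOME}/.local/share/spotify` at line 4 has no matching `mkdir`/`whitelist` pair visible in either hunk: the second hunk's header context is `whitelist ${HOME}/.cache/spotify` and the eight lines between the hunks are unchanged, so unless the old profile already whitelisted that path a noblacklist on its own does nothing in a whitelist-based profile. If Spotify does write there, add `mkdir ${HOME}/.local/share/spotify` and `whitelist ${HOME}/.local/share/spotify` to the whitelist block that ends at new line 23; otherwise line 4 is dead and should go. The unchanged lines between the hunks are not visible here, so check which case applies.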
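--- /dev/null
+++ b/etc/ssh.profile
@@ -0,0 +1,13 @@
+# ssh client
+noblacklist ~/.ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp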
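Review bot: The profile un-blacklists `~/.ssh` at line 2 but, unlike the other new profiles in this commit, neither whitelists the home directory nor applies `private-dev`, `private-tmp` or `nosound`, so the client keeps read access to everything in `$HOME` that the three includes do not cover. A whitelist of `~/.ssh`, `${DOWNLOADS}` and whitelist-common.inc is the least-privilege form, with the caveat that `-i` or `-F` pointing outside those paths would then fail; `private-dev`, `private-tmp` and `nosound` carry no such trade-off for a terminal client. `shell none` is presumably left out because ProxyCommand and similar options spawn a shell — a comment saying so, `# shell none omitted: ProxyCommand/LocalCommand need a shell`, would stop the next reviewer from adding it.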
diff --git a/etc/steam.profile b/etc/steam.profile index dc17c7a0f..b15a54be9 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -1,13 +1,14 @@ | |||
1 | # Steam profile (applies to games/apps launched from Steam as well) | 1 | # Steam profile (applies to games/apps launched from Steam as well) |
2 | noblacklist ${HOME}/.steam | 2 | noblacklist ${HOME}/.steam |
3 | noblacklist ${HOME}/.local/share/steam | 3 | noblacklist ${HOME}/.local/share/steam |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-secret.inc | ||
6 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | |||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
11 | noroot | 12 | noroot |
12 | seccomp | ||
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | seccomp | ||
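--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+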
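Review bot: `protocol unix,inet,inet6,netlink` at line 22 keeps the netlink socket family for a planetarium that otherwise needs only outbound network access for its data downloads; the other new Qt profiles in this commit (psi-plus line 26, qtox line 17) stop at `unix,inet,inet6`. If netlink is required (Qt's network-interface enumeration is the usual reason), a comment above the line stating that would justify the extra family; otherwise drop it. Line 29 is a trailing blank line.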
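--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,8 @@
+# strings profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound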
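Review bot: `private-tmp` at line 7 hides the caller's /tmp from the sandbox, so `strings /tmp/<file>` will not find its input; for a file-inspection tool that is routinely pointed at arbitrary paths the restriction should either be documented or dropped. A comment such as `# private-tmp: files under /tmp are not visible; copy them elsewhere first` makes the behaviour discoverable. `net none` at line 4 is the right call here, since the tool parses untrusted binaries and has no use for the network.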
diff --git a/etc/telegram.profile b/etc/telegram.profile index 94167675c..8e91e426b 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -1,17 +1,13 @@ | |||
1 | # Telegram IRC profile | 1 | # Telegram IRC profile |
2 | noblacklist ${HOME}/.TelegramDesktop | 2 | noblacklist ${HOME}/.TelegramDesktop |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
4 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 5 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 6 | ||
9 | caps.drop all | 7 | caps.drop all |
10 | seccomp | ||
11 | protocol unix,inet,inet6 | ||
12 | noroot | ||
13 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
10 | noroot | ||
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
14 | 13 | ||
15 | whitelist ~/Downloads/Telegram Desktop | ||
16 | mkdir ${HOME}/.TelegramDesktop | ||
17 | whitelist ~/.TelegramDesktop | ||
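Review bot: The hunk deletes the whitelist block at old lines 15-17 (`whitelist ~/Downloads/Telegram Desktop`, `mkdir ${HOME}/.TelegramDesktop`, `whitelist ~/.TelegramDesktop`) and adds nothing in its place — the new side ends at the blank line 13 — so the client goes from seeing only its own data directory and download folder to seeing all of `$HOME` minus what the includes blacklist, and nothing in the hunk says this widening is intended. If the hard-coded `~/Downloads` path was the problem, re-adding the block with `whitelist ${DOWNLOADS}` plus `include /etc/firejail/whitelist-common.inc`, as qtox.profile does in this commit, keeps the confinement. Unrelated to the change, the unchanged header at line 1 calls this an IRC profile.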
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index f608f5467..7882367b9 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
@@ -1,26 +1,19 @@ | |||
1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian) | 1 | # Firejail profile for Mozilla Thunderbird |
2 | noblacklist ${HOME}/.gnupg | ||
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | |||
7 | # Users have thunderbird set to open a browser by clicking a link in an email | 2 | # Users have thunderbird set to open a browser by clicking a link in an email |
8 | # We are not allowed to blacklist browser-specific directories | 3 | # We are not allowed to blacklist browser-specific directories |
9 | #include /etc/firejail/disable-common.inc thunderbird icedove | ||
10 | blacklist ${HOME}/.adobe | ||
11 | blacklist ${HOME}/.macromedia | ||
12 | blacklist ${HOME}/.filezilla | ||
13 | blacklist ${HOME}/.config/filezilla | ||
14 | blacklist ${HOME}/.purple | ||
15 | blacklist ${HOME}/.config/psi+ | ||
16 | blacklist ${HOME}/.remmina | ||
17 | blacklist ${HOME}/.tconn | ||
18 | 4 | ||
5 | noblacklist ~/.gnupg | ||
6 | mkdir ~/.gnupg | ||
7 | whitelist ~/.gnupg | ||
8 | |||
9 | noblacklist ~/.thunderbird | ||
10 | mkdir ~/.thunderbird | ||
11 | whitelist ~/.thunderbird | ||
12 | |||
13 | noblacklist ~/.cache/thunderbird | ||
14 | mkdir ~/.cache | ||
15 | mkdir ~/.cache/thunderbird | ||
16 | whitelist ~/.cache/thunderbird | ||
19 | 17 | ||
20 | caps.drop all | 18 | include /etc/firejail/firefox.profile |
21 | seccomp | ||
22 | protocol unix,inet,inet6 | ||
23 | netfilter | ||
24 | tracelog | ||
25 | noroot | ||
26 | 19 | ||
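Review bot: The kept comment at new lines 2-3 says browser-specific directories must stay unblacklisted so link clicks can open a browser, but the rewritten profile now delegates to `include /etc/firejail/firefox.profile` at line 18 and, from the whitelist lines at 7, 11 and 16, runs in whitelist mode — only the directories firefox.profile itself whitelists remain reachable, so any other browser's configuration is hidden regardless. The comment should say that instead, e.g. `# Link clicks only reach browsers whose directories firefox.profile whitelists`. Two things are not visible here and need confirming: whether firefox.profile sets `private-bin`, in which case the thunderbird binary itself would be absent from the sandbox, and whether the noblacklist lines at 5, 9 and 13 take effect ahead of the disable-*.inc files the include pulls in.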
diff --git a/etc/totem.profile b/etc/totem.profile index f2485a2d0..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
@@ -1,16 +1,15 @@ | |||
1 | # Totem media player profile | 1 | # Totem media player profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ~/.config/totem |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ~/.local/share/totem |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | 11 | nonewprivs |
14 | protocol unix,inet,inet6 | ||
15 | noroot | 12 | noroot |
16 | netfilter | 13 | netfilter |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 18356a91e..fa5c3b22b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -1,22 +1,23 @@ | |||
1 | # transmission-gtk profile | 1 | # transmission-gtk bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/transmission |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/transmission |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
16 | noroot | 13 | noroot |
17 | tracelog | ||
18 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | tracelog | ||
19 | 18 | ||
20 | 19 | shell none | |
21 | 20 | private-bin transmission-gtk | |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | ||
22 | 23 | ||
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index cd07f35c7..754211a63 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -1,20 +1,22 @@ | |||
1 | # transmission-qt profile | 1 | # transmission-qt bittorrent profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/transmission |
3 | include /etc/firejail/disable-secret.inc | 3 | noblacklist ${HOME}/.cache/transmission |
4 | |||
4 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
7 | blacklist ${HOME}/.pki/nssdb | 9 | |
8 | blacklist ${HOME}/.lastpass | ||
9 | blacklist ${HOME}/.keepassx | ||
10 | blacklist ${HOME}/.password-store | ||
11 | blacklist ${HOME}/.wine | ||
12 | caps.drop all | 10 | caps.drop all |
13 | seccomp | ||
14 | protocol unix,inet,inet6 | ||
15 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
16 | noroot | 13 | noroot |
17 | tracelog | ||
18 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | tracelog | ||
19 | 18 | ||
20 | 19 | shell none | |
20 | private-bin transmission-qt | ||
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 3b27c00ba..269f8f0fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -1,16 +1,26 @@ | |||
1 | # uGet profile | 1 | # uGet profile |
2 | include /etc/firejail/disable-mgmt.inc | 2 | noblacklist ${HOME}/.config/uGet |
3 | include /etc/firejail/disable-secret.inc | 3 | |
4 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
6 | include /etc/firejail/disable-terminals.inc | 7 | |
7 | caps.drop all | 8 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 9 | netfilter |
10 | nonewprivs | ||
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | |||
12 | whitelist ${DOWNLOADS} | 15 | whitelist ${DOWNLOADS} |
13 | mkdir ~/.config | 16 | mkdir ~/.config |
14 | mkdir ~/.config/uGet | 17 | mkdir ~/.config/uGet |
15 | whitelist ~/.config/uGet | 18 | whitelist ~/.config/uGet |
16 | include /etc/firejail/whitelist-common.inc | 19 | include /etc/firejail/whitelist-common.inc |
20 | |||
21 | shell none | ||
22 | private-bin uget-gtk | ||
23 | whitelist /tmp/.X11-unix | ||
24 | private-dev | ||
25 | nosound | ||
26 | |||
diff --git a/etc/unbound.profile b/etc/unbound.profile index c4f009159..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
@@ -1,12 +1,13 @@ | |||
1 | # security profile for unbound (https://unbound.net) | 1 | # security profile for unbound (https://unbound.net) |
2 | noblacklist /sbin | 2 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 3 | noblacklist /usr/sbin |
4 | include /etc/firejail/disable-mgmt.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-secret.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | include /etc/firejail/disable-terminals.inc | 8 | |
9 | private | 9 | private |
10 | private-dev | 10 | private-dev |
11 | nosound | ||
11 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 12 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
12 | 13 | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile new file mode 100644 index 000000000..8218ac959 --- /dev/null +++ b/etc/uudeview.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # uudeview profile | ||
2 | # the default profile will disable root user, enable seccomp filter etc. | ||
3 | include /etc/firejail/default.profile | ||
4 | |||
5 | tracelog | ||
6 | net none | ||
7 | shell none | ||
8 | private-bin uudeview | ||
9 | private-dev | ||
10 | private-tmp | ||
11 | private-etc nonexisting_fakefile_for_empty_etc | ||
12 | hostname uudeview | ||
13 | nosound | ||
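Review bot: `private-etc nonexisting_fakefile_for_empty_etc` on line 11 relies on a side effect — an entry that matches nothing yields an empty private /etc — that a reader cannot recover from the profile itself, and nothing explains it. A one-line comment above it, `# private-etc with a non-existent entry mounts an empty /etc (uudeview needs nothing from /etc — confirm)`, would make the intent and the hardening it buys explicit. Wherever this construct is reused in other profiles it deserves the same comment.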
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index daab0b81a..2049d2bd9 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
@@ -1,14 +1,12 @@ | |||
1 | # Vivaldi browser profile | 1 | # Vivaldi browser profile |
2 | noblacklist ~/.config/vivaldi | 2 | noblacklist ~/.config/vivaldi |
3 | noblacklist ~/.cache/vivaldi | 3 | noblacklist ~/.cache/vivaldi |
4 | noblacklist ~/keepassx.kdbx | ||
5 | include /etc/firejail/disable-mgmt.inc | ||
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | ||
10 | 7 | ||
11 | netfilter | 8 | netfilter |
9 | nonewprivs | ||
12 | 10 | ||
13 | whitelist ${DOWNLOADS} | 11 | whitelist ${DOWNLOADS} |
14 | mkdir ~/.config | 12 | mkdir ~/.config |
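Review bot: Unlike vlc, wesnoth and transmission-qt in this commit, this hunk drops `include /etc/firejail/disable-secret.inc` (together with the `noblacklist ~/keepassx.kdbx` that paired with it) without adding `include /etc/firejail/disable-passwdmgr.inc`, so whatever the old include blacklisted is reachable from the browser again and no password-manager blacklist replaces it. If that is deliberate because the browser integrates with a password manager, a comment such as `# disable-passwdmgr.inc omitted on purpose: password-manager integration needs access to its store` should say so; otherwise the include belongs next to disable-devel.inc on new line 6.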
diff --git a/etc/vlc.profile b/etc/vlc.profile index adcfbb119..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -1,17 +1,19 @@ | |||
1 | # VLC media player profile | 1 | # VLC media player profile |
2 | noblacklist ${HOME}/.config/vlc | 2 | noblacklist ${HOME}/.config/vlc |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | blacklist ${HOME}/.pki/nssdb | 8 | |
9 | blacklist ${HOME}/.lastpass | ||
10 | blacklist ${HOME}/.keepassx | ||
11 | blacklist ${HOME}/.password-store | ||
12 | blacklist ${HOME}/.wine | ||
13 | caps.drop all | 9 | caps.drop all |
14 | seccomp | ||
15 | protocol unix,inet,inet6 | ||
16 | noroot | ||
17 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | noroot | ||
13 | protocol unix,inet,inet6 | ||
14 | seccomp | ||
15 | |||
16 | |||
17 | # to test | ||
18 | shell none | ||
19 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | ||
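Review bot: `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` on new line 19 lists the interface wrappers, but on Debian-style packaging `cvlc`, `nvlc`, `rvlc`, `qvlc` and `svlc` are `/bin/sh` scripts that exec `vlc`, and private-bin only copies the named files, so those entry points would fail unless `sh` is listed as well; please verify on the target distribution and add `sh` if so. The marker `# to test` on line 17 does not say what is being tested or what should happen to these two lines; `# private-bin is experimental here: the *vlc wrappers are shell scripts and may need sh in the list` would carry that context for the next editor.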
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile new file mode 100644 index 000000000..ff37e2800 --- /dev/null +++ b/etc/warzone2100.profile | |||
@@ -0,0 +1,25 @@ | |||
1 | # Firejail profile for warzone2100 | ||
2 | # Currently supports warzone2100-3.1 | ||
3 | noblacklist ~/.warzone2100-3.1 | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | |||
9 | # Whitelist | ||
10 | mkdir ~/.warzone2100-3.1 | ||
11 | whitelist ~/.warzone2100-3.1 | ||
12 | |||
13 | # Call these options | ||
14 | caps.drop all | ||
15 | netfilter | ||
16 | nogroups | ||
17 | nonewprivs | ||
18 | noroot | ||
19 | protocol unix,inet,inet6,netlink | ||
20 | seccomp | ||
21 | shell none | ||
22 | tracelog | ||
23 | |||
24 | private-bin warzone2100 | ||
25 | private-dev | ||
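Review bot: `protocol unix,inet,inet6,netlink` on line 19 is the only profile in this commit that allows netlink sockets, and the `# Call these options` heading does not say why; a short comment, `# netlink: required by warzone2100 for <reason — confirm>`, would let a reader judge whether the wider socket surface is actually needed. If it was carried over from another profile and netlink is not required, the `unix,inet,inet6` set used by the other game profile here (wesnoth) is the tighter choice.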
diff --git a/etc/weechat.profile b/etc/weechat.profile index 3fbce62ca..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile | |||
@@ -1,12 +1,15 @@ | |||
1 | # Weechat IRC profile | 1 | # Weechat IRC profile |
2 | noblacklist ${HOME}/.weechat | 2 | noblacklist ${HOME}/.weechat |
3 | include /etc/firejail/disable-mgmt.inc | ||
4 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-terminals.inc | 5 | |
7 | caps.drop all | 6 | caps.drop all |
8 | seccomp | ||
9 | protocol unix,inet,inet6 | ||
10 | netfilter | 7 | netfilter |
8 | nonewprivs | ||
11 | noroot | 9 | noroot |
12 | netfilter | 10 | protocol unix,inet,inet6 |
11 | seccomp | ||
12 | |||
13 | # no private-bin support for various reasons: | ||
14 | # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, | ||
15 | # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file | ||
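Review bot: The comment block ends with `xferloading plugins` on new line 15 — two fragments fused together with no terminating newline — so the explanation of why private-bin is not used stops mid-sentence and the file lacks a trailing newline. Finish the plugin list with `xfer` and state the reason on its own line, e.g. `# these plugins need the perl/python/ruby/lua/tcl/guile interpreters, so private-bin would have to list every one of them`, then end the file with a newline.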
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a5b6127df..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile | |||
@@ -1,15 +1,18 @@ | |||
1 | # Whitelist-based profile for "Battle for Wesnoth" (game). | 1 | # Whitelist-based profile for "Battle for Wesnoth" (game). |
2 | noblacklist ${HOME}/.config/wesnoth | ||
3 | noblacklist ${HOME}/.cache/wesnoth | ||
4 | noblacklist ${HOME}/.local/share/wesnoth | ||
2 | 5 | ||
3 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
4 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
5 | include /etc/firejail/disable-mgmt.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-terminals.inc | ||
8 | 10 | ||
9 | caps.drop all | 11 | caps.drop all |
10 | seccomp | 12 | nonewprivs |
11 | protocol unix,inet,inet6 | ||
12 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | ||
15 | seccomp | ||
13 | 16 | ||
14 | private-dev | 17 | private-dev |
15 | 18 | ||
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..b3a1a1d30 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
@@ -1,5 +1,6 @@ | |||
1 | # common whitelist for all profiles | 1 | # common whitelist for all profiles |
2 | 2 | ||
3 | whitelist ~/.XCompose | ||
3 | whitelist ~/.config/mimeapps.list | 4 | whitelist ~/.config/mimeapps.list |
4 | whitelist ~/.icons | 5 | whitelist ~/.icons |
5 | whitelist ~/.config/user-dirs.dirs | 6 | whitelist ~/.config/user-dirs.dirs |
diff --git a/etc/wine.profile b/etc/wine.profile index ae1f5d1b6..18e5346af 100644 --- a/etc/wine.profile +++ b/etc/wine.profile | |||
@@ -2,12 +2,13 @@ | |||
2 | noblacklist ${HOME}/.steam | 2 | noblacklist ${HOME}/.steam |
3 | noblacklist ${HOME}/.local/share/steam | 3 | noblacklist ${HOME}/.local/share/steam |
4 | noblacklist ${HOME}/.wine | 4 | noblacklist ${HOME}/.wine |
5 | include /etc/firejail/disable-mgmt.inc | 5 | |
6 | include /etc/firejail/disable-secret.inc | ||
7 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | 8 | include /etc/firejail/disable-devel.inc |
9 | include /etc/firejail/disable-terminals.inc | 9 | |
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
12 | noroot | 13 | noroot |
13 | seccomp | 14 | seccomp |
diff --git a/etc/xchat.profile b/etc/xchat.profile index e2dcadc0e..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # XChat IRC profile | 1 | # XChat IRC profile |
2 | noblacklist ${HOME}/.config/xchat | 2 | noblacklist ${HOME}/.config/xchat |
3 | include /etc/firejail/disable-mgmt.inc | 3 | |
4 | include /etc/firejail/disable-secret.inc | ||
5 | include /etc/firejail/disable-common.inc | 4 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | 7 | |
8 | blacklist ${HOME}/.wine | ||
9 | caps.drop all | 8 | caps.drop all |
10 | seccomp | 9 | nonewprivs |
11 | protocol unix,inet,inet6 | ||
12 | noroot | 10 | noroot |
11 | protocol unix,inet,inet6 | ||
12 | seccomp | ||
13 | |||
14 | # private-bin requires perl, python, etc. | ||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile new file mode 100644 index 000000000..a46b2fa06 --- /dev/null +++ b/etc/xplayer.profile | |||
@@ -0,0 +1,21 @@ | |||
1 | # Xplayer profile | ||
2 | noblacklist ~/.config/xplayer | ||
3 | noblacklist ~/.local/share/xplayer | ||
4 | |||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-programs.inc | ||
7 | include /etc/firejail/disable-devel.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | |||
10 | caps.drop all | ||
11 | netfilter | ||
12 | nonewprivs | ||
13 | nogroups | ||
14 | noroot | ||
15 | protocol unix,inet,inet6 | ||
16 | seccomp | ||
17 | shell none | ||
18 | tracelog | ||
19 | |||
20 | private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer | ||
21 | private-dev | ||
diff --git a/etc/xreader.profile b/etc/xreader.profile new file mode 100644 index 000000000..ac7d34022 --- /dev/null +++ b/etc/xreader.profile | |||
@@ -0,0 +1,22 @@ | |||
1 | # Xreader profile | ||
2 | noblacklist ~/.config/xreader | ||
3 | noblacklist ~/.cache/xreader | ||
4 | noblacklist ~/.local/share | ||
5 | |||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-devel.inc | ||
9 | include /etc/firejail/disable-passwdmgr.inc | ||
10 | |||
11 | caps.drop all | ||
12 | nogroups | ||
13 | nonewprivs | ||
14 | noroot | ||
15 | nosound | ||
16 | protocol unix | ||
17 | seccomp | ||
18 | shell none | ||
19 | tracelog | ||
20 | |||
21 | private-bin xreader, xreader-previewer, xreader-thumbnailer | ||
22 | private-dev | ||
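Review bot: `noblacklist ~/.local/share` on line 4 un-blacklists the whole directory rather than xreader's own subdirectory, which — if firejail matches noblacklist entries by prefix — re-exposes everything the disable-*.inc files hide under ~/.local/share for other applications; narrowing it to `noblacklist ~/.local/share/xreader` (the xplayer profile in this commit does exactly that) keeps the intended isolation unless xreader genuinely needs the parent. Separately, `private-bin xreader, xreader-previewer, xreader-thumbnailer` on line 21 has spaces after the commas while every other private-bin line in this commit is written without them; unless firejail trims entries, the second and third names become ` xreader-previewer` and ` xreader-thumbnailer` and will not be found, so write `private-bin xreader,xreader-previewer,xreader-thumbnailer`.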
diff --git a/etc/xviewer.profile b/etc/xviewer.profile new file mode 100644 index 000000000..7a4ae4858 --- /dev/null +++ b/etc/xviewer.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | noblacklist ~/.config/xviewer | ||
2 | |||
3 | include /etc/firejail/disable-common.inc | ||
4 | include /etc/firejail/disable-programs.inc | ||
5 | include /etc/firejail/disable-devel.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | |||
8 | caps.drop all | ||
9 | nonewprivs | ||
10 | nogroups | ||
11 | noroot | ||
12 | nosound | ||
13 | protocol unix | ||
14 | seccomp | ||
15 | shell none | ||
16 | tracelog | ||
17 | |||
18 | private-dev | ||
19 | private-bin xviewer | ||
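Review bot: This new profile has no header comment, while every other profile added or touched here opens with one (`# Xplayer profile`, `# Xreader profile`); add `# Xviewer profile` as line 1 so the file is self-describing in /etc/firejail. The `private-dev` / `private-bin` pair on lines 18–19 is also in the opposite order from xplayer and xreader; keeping one order across the three sibling profiles makes diffs between them easier to read.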
diff --git a/etc/xz.profile b/etc/xz.profile new file mode 100644 index 000000000..709585acd --- /dev/null +++ b/etc/xz.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | # xz profile | ||
2 | include /etc/firejail/cpio.profile | ||
diff --git a/etc/xzdec.profile b/etc/xzdec.profile new file mode 100644 index 000000000..ddf2061bf --- /dev/null +++ b/etc/xzdec.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # xzdec profile | ||
2 | include /etc/firejail/default.profile | ||
3 | tracelog | ||
4 | net none | ||
5 | shell none | ||
6 | private-dev | ||
7 | private-tmp | ||
8 | nosound | ||
diff --git a/mkuid.sh b/mkuid.sh new file mode 100755 index 000000000..f03fdaf94 --- /dev/null +++ b/mkuid.sh | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | echo "extracting UID_MIN and GID_MIN" | ||
4 | echo "#ifndef FIREJAIL_UIDS_H" > uids.h | ||
5 | echo "#define FIREJAIL_UIDS_H" >> uids.h | ||
6 | |||
7 | if [ -f /etc/login.defs ] | ||
8 | then | ||
9 | echo "// using values extracted from /etc/login.defs" >> uids.h | ||
10 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | ||
11 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | ||
12 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
13 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
14 | else | ||
15 | echo "// using default values" >> uids.h | ||
16 | echo "#define UID_MIN 1000" >> uids.h | ||
17 | echo "#define GID_MIN 1000" >> uids.h | ||
18 | fi | ||
19 | |||
20 | echo "#endif" >> uids.h | ||
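Review bot: If the awk on line 10 or 11 prints nothing — `/etc/login.defs` present but `UID_MIN` commented out or absent, or an awk without the GNU `\s` extension (mawk, busybox) that never matches — the script writes `#define UID_MIN ` with an empty value into uids.h and the build fails later with an unrelated compile error; two matching lines would likewise emit two values, and `[0-9]*` accepts a line with no digits at all. Use a POSIX character class, require at least one digit, stop at the first match, and fall back to the default when the value is empty; `set -e` at the top also stops the script at the first failing redirect instead of leaving a partial header behind. Since uids.h is presumably what firejail uses to tell system accounts from regular users, the extracted value is worth validating before it is baked in.
```shell
set -e
# … unchanged: header lines …
if [ -f /etc/login.defs ]; then
  echo "// using values extracted from /etc/login.defs" >> uids.h
  # first match only; [[:space:]] is POSIX (gawk's \s is not); an empty result falls back to the default
  UID_MIN=$(awk '/^[[:space:]]*UID_MIN[[:space:]]+[0-9]+/ { print $2; exit }' /etc/login.defs)
  GID_MIN=$(awk '/^[[:space:]]*GID_MIN[[:space:]]+[0-9]+/ { print $2; exit }' /etc/login.defs)
  echo "#define UID_MIN ${UID_MIN:-1000}" >> uids.h
  echo "#define GID_MIN ${GID_MIN:-1000}" >> uids.h
else
# … unchanged: default branch and #endif …
```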
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5240d87a6..5367edfe5 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -1,74 +1,134 @@ | |||
1 | /etc/firejail/evince.profile | 1 | /etc/firejail/0ad.profile |
2 | /etc/firejail/disable-secret.inc | 2 | /etc/firejail/Cyberfox.profile |
3 | /etc/firejail/chromium.profile | 3 | /etc/firejail/Mathematica.profile |
4 | /etc/firejail/Telegram.profile | ||
5 | /etc/firejail/abrowser.profile | ||
6 | /etc/firejail/atom-beta.profile | ||
7 | /etc/firejail/atom.profile | ||
8 | /etc/firejail/atril.profile | ||
9 | /etc/firejail/audacious.profile | ||
10 | /etc/firejail/audacity.profile | ||
11 | /etc/firejail/aweather.profile | ||
12 | /etc/firejail/bitlbee.profile | ||
13 | /etc/firejail/brave.profile | ||
14 | /etc/firejail/cherrytree.profile | ||
4 | /etc/firejail/chromium-browser.profile | 15 | /etc/firejail/chromium-browser.profile |
5 | /etc/firejail/google-chrome.profile | 16 | /etc/firejail/chromium.profile |
6 | /etc/firejail/google-chrome-stable.profile | 17 | /etc/firejail/clementine.profile |
18 | /etc/firejail/cmus.profile | ||
19 | /etc/firejail/conkeror.profile | ||
20 | /etc/firejail/corebird.profile | ||
21 | /etc/firejail/cpio.profile | ||
22 | /etc/firejail/cyberfox.profile | ||
23 | /etc/firejail/deadbeef.profile | ||
24 | /etc/firejail/default.profile | ||
25 | /etc/firejail/deluge.profile | ||
26 | /etc/firejail/dillo.profile | ||
27 | /etc/firejail/disable-common.inc | ||
28 | /etc/firejail/disable-devel.inc | ||
29 | /etc/firejail/disable-passwdmgr.inc | ||
30 | /etc/firejail/disable-programs.inc | ||
31 | /etc/firejail/dnscrypt-proxy.profile | ||
32 | /etc/firejail/dnsmasq.profile | ||
33 | /etc/firejail/dropbox.profile | ||
34 | /etc/firejail/empathy.profile | ||
35 | /etc/firejail/eom.profile | ||
36 | /etc/firejail/epiphany.profile | ||
37 | /etc/firejail/evince.profile | ||
38 | /etc/firejail/fbreader.profile | ||
39 | /etc/firejail/filezilla.profile | ||
40 | /etc/firejail/firefox-esr.profile | ||
41 | /etc/firejail/firefox.profile | ||
42 | /etc/firejail/firejail.config | ||
43 | /etc/firejail/flashpeak-slimjet.profile | ||
44 | /etc/firejail/franz.profile | ||
45 | /etc/firejail/gitter.profile | ||
46 | /etc/firejail/gnome-mplayer.profile | ||
7 | /etc/firejail/google-chrome-beta.profile | 47 | /etc/firejail/google-chrome-beta.profile |
48 | /etc/firejail/google-chrome-stable.profile | ||
8 | /etc/firejail/google-chrome-unstable.profile | 49 | /etc/firejail/google-chrome-unstable.profile |
9 | /etc/firejail/midori.profile | 50 | /etc/firejail/google-chrome.profile |
51 | /etc/firejail/google-play-music-desktop-player.profile | ||
52 | /etc/firejail/gpredict.profile | ||
53 | /etc/firejail/gthumb.profile | ||
54 | /etc/firejail/gwenview.profile | ||
55 | /etc/firejail/gzip.profile | ||
56 | /etc/firejail/hedgewars.profile | ||
57 | /etc/firejail/hexchat.profile | ||
58 | /etc/firejail/icecat.profile | ||
10 | /etc/firejail/icedove.profile | 59 | /etc/firejail/icedove.profile |
11 | /etc/firejail/iceweasel.profile | 60 | /etc/firejail/iceweasel.profile |
12 | /etc/firejail/dropbox.profile | 61 | /etc/firejail/jitsi.profile |
62 | /etc/firejail/kmail.profile | ||
63 | /etc/firejail/konversation.profile | ||
64 | /etc/firejail/less.profile | ||
65 | /etc/firejail/libreoffice.profile | ||
66 | /etc/firejail/localc.profile | ||
67 | /etc/firejail/lodraw.profile | ||
68 | /etc/firejail/loffice.profile | ||
69 | /etc/firejail/lofromtemplate.profile | ||
13 | /etc/firejail/login.users | 70 | /etc/firejail/login.users |
14 | /etc/firejail/disable-mgmt.inc | 71 | /etc/firejail/loimpress.profile |
15 | /etc/firejail/firefox.profile | 72 | /etc/firejail/lomath.profile |
16 | /etc/firejail/opera.profile | 73 | /etc/firejail/loweb.profile |
74 | /etc/firejail/lowriter.profile | ||
75 | /etc/firejail/lxterminal.profile | ||
76 | /etc/firejail/mathematica.profile | ||
77 | /etc/firejail/mcabber.profile | ||
78 | /etc/firejail/midori.profile | ||
79 | /etc/firejail/mpv.profile | ||
80 | /etc/firejail/mupen64plus.profile | ||
81 | /etc/firejail/netsurf.profile | ||
82 | /etc/firejail/nolocal.net | ||
83 | /etc/firejail/okular.profile | ||
84 | /etc/firejail/openbox.profile | ||
17 | /etc/firejail/opera-beta.profile | 85 | /etc/firejail/opera-beta.profile |
18 | /etc/firejail/thunderbird.profile | 86 | /etc/firejail/opera.profile |
19 | /etc/firejail/transmission-gtk.profile | 87 | /etc/firejail/palemoon.profile |
20 | /etc/firejail/transmission-qt.profile | 88 | /etc/firejail/parole.profile |
21 | /etc/firejail/vlc.profile | 89 | /etc/firejail/pidgin.profile |
22 | /etc/firejail/audacious.profile | 90 | /etc/firejail/pix.profile |
23 | /etc/firejail/clementine.profile | ||
24 | /etc/firejail/epiphany.profile | ||
25 | /etc/firejail/polari.profile | 91 | /etc/firejail/polari.profile |
26 | /etc/firejail/gnome-mplayer.profile | 92 | /etc/firejail/psi-plus.profile |
27 | /etc/firejail/rhythmbox.profile | ||
28 | /etc/firejail/totem.profile | ||
29 | /etc/firejail/deluge.profile | ||
30 | /etc/firejail/qbittorrent.profile | 93 | /etc/firejail/qbittorrent.profile |
31 | /etc/firejail/generic.profile | 94 | /etc/firejail/qtox.profile |
32 | /etc/firejail/xchat.profile | ||
33 | /etc/firejail/server.profile | ||
34 | /etc/firejail/quassel.profile | 95 | /etc/firejail/quassel.profile |
35 | /etc/firejail/pidgin.profile | 96 | /etc/firejail/quiterss.profile |
36 | /etc/firejail/filezilla.profile | 97 | /etc/firejail/qutebrowser.profile |
37 | /etc/firejail/empathy.profile | 98 | /etc/firejail/rhythmbox.profile |
38 | /etc/firejail/disable-common.inc | 99 | /etc/firejail/rtorrent.profile |
39 | /etc/firejail/deadbeef.profile | 100 | /etc/firejail/seamonkey-bin.profile |
40 | /etc/firejail/icecat.profile | 101 | /etc/firejail/seamonkey.profile |
41 | /etc/firejail/fbreader.profile | 102 | /etc/firejail/server.profile |
42 | /etc/firejail/spotify.profile | ||
43 | /etc/firejail/skype.profile | 103 | /etc/firejail/skype.profile |
104 | /etc/firejail/snap.profile | ||
105 | /etc/firejail/soffice.profile | ||
106 | /etc/firejail/spotify.profile | ||
107 | /etc/firejail/ssh.profile | ||
44 | /etc/firejail/steam.profile | 108 | /etc/firejail/steam.profile |
45 | /etc/firejail/wine.profile | 109 | /etc/firejail/stellarium.profile |
46 | /etc/firejail/disable-devel.inc | 110 | /etc/firejail/strings.profile |
47 | /etc/firejail/conkeror.profile | 111 | /etc/firejail/telegram.profile |
112 | /etc/firejail/thunderbird.profile | ||
113 | /etc/firejail/totem.profile | ||
114 | /etc/firejail/transmission-gtk.profile | ||
115 | /etc/firejail/transmission-qt.profile | ||
116 | /etc/firejail/uget-gtk.profile | ||
48 | /etc/firejail/unbound.profile | 117 | /etc/firejail/unbound.profile |
49 | /etc/firejail/dnscrypt-proxy.profile | 118 | /etc/firejail/uudeview.profile |
50 | /etc/firejail/whitelist-common.inc | 119 | /etc/firejail/vivaldi-beta.profile |
51 | /etc/firejail/nolocal.net | 120 | /etc/firejail/vivaldi.profile |
121 | /etc/firejail/vlc.profile | ||
122 | /etc/firejail/warzone2100.profile | ||
52 | /etc/firejail/webserver.net | 123 | /etc/firejail/webserver.net |
53 | /etc/firejail/bitlbee.profile | ||
54 | /etc/firejail/weechat.profile | ||
55 | /etc/firejail/weechat-curses.profile | 124 | /etc/firejail/weechat-curses.profile |
56 | /etc/firejail/hexchat.profile | 125 | /etc/firejail/weechat.profile |
57 | /etc/firejail/rtorrent.profile | ||
58 | /etc/firejail/parole.profile | ||
59 | /etc/firejail/kmail.profile | ||
60 | /etc/firejail/seamonkey.profile | ||
61 | /etc/firejail/seamonkey-bin.profile | ||
62 | /etc/firejail/telegram.profile | ||
63 | /etc/firejail/mathematica.profile | ||
64 | /etc/firejail/Mathematica.profile | ||
65 | /etc/firejail/uget-gtk.profile | ||
66 | /etc/firejail/mupen64plus.profile | ||
67 | /etc/firejail/disable-terminals.inc | ||
68 | /etc/firejail/lxterminal.profile | ||
69 | /etc/firejail/cherrytree.profile | ||
70 | /etc/firejail/wesnoth.profile | 126 | /etc/firejail/wesnoth.profile |
71 | /etc/firejail/hedgewars.profile | 127 | /etc/firejail/whitelist-common.inc |
72 | /etc/firejail/vivaldi.profile | 128 | /etc/firejail/wine.profile |
73 | /etc/firejail/vivaldi-beta.profile | 129 | /etc/firejail/xchat.profile |
74 | /etc/firejail/atril.profile | 130 | /etc/firejail/xplayer.profile |
131 | /etc/firejail/xreader.profile | ||
132 | /etc/firejail/xviewer.profile | ||
133 | /etc/firejail/xz.profile | ||
134 | /etc/firejail/xzdec.profile | ||
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index e365af2d6..67280921a 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec | |||
@@ -33,16 +33,22 @@ rm -rf %{buildroot} | |||
33 | %doc | 33 | %doc |
34 | %defattr(-, root, root, -) | 34 | %defattr(-, root, root, -) |
35 | %attr(4755, -, -) %{_bindir}/__NAME__ | 35 | %attr(4755, -, -) %{_bindir}/__NAME__ |
36 | %{_bindir}/firecfg | ||
36 | %{_bindir}/firemon | 37 | %{_bindir}/firemon |
38 | %{_libdir}/__NAME__/firecfg.config | ||
37 | %{_libdir}/__NAME__/ftee | 39 | %{_libdir}/__NAME__/ftee |
40 | %{_libdir}/__NAME__/faudit | ||
38 | %{_libdir}/__NAME__/fshaper.sh | 41 | %{_libdir}/__NAME__/fshaper.sh |
39 | %{_libdir}/__NAME__/libtrace.so | 42 | %{_libdir}/__NAME__/libtrace.so |
40 | %{_libdir}/__NAME__/libtracelog.so | 43 | %{_libdir}/__NAME__/libtracelog.so |
41 | %{_datarootdir}/bash-completion/completions/__NAME__ | 44 | %{_datarootdir}/bash-completion/completions/__NAME__ |
45 | %{_datarootdir}/bash-completion/completions/firecfg | ||
42 | %{_datarootdir}/bash-completion/completions/firemon | 46 | %{_datarootdir}/bash-completion/completions/firemon |
43 | %{_docdir}/__NAME__ | 47 | %{_docdir}/__NAME__ |
44 | %{_mandir}/man1/__NAME__.1.gz | 48 | %{_mandir}/man1/__NAME__.1.gz |
49 | %{_mandir}/man1/firecfg.1.gz | ||
45 | %{_mandir}/man1/firemon.1.gz | 50 | %{_mandir}/man1/firemon.1.gz |
51 | %{_mandir}/man5/__NAME__-config.5.gz | ||
46 | %{_mandir}/man5/__NAME__-login.5.gz | 52 | %{_mandir}/man5/__NAME__-login.5.gz |
47 | %{_mandir}/man5/__NAME__-profile.5.gz | 53 | %{_mandir}/man5/__NAME__-profile.5.gz |
48 | %config %{_sysconfdir}/__NAME__ | 54 | %config %{_sysconfdir}/__NAME__ |
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh new file mode 100755 index 000000000..d7f924293 --- /dev/null +++ b/platform/snap/snap.sh | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | rm -fr faudit-snap | ||
4 | rm -f faudit_*.snap | ||
5 | mkdir faudit-snap | ||
6 | cd faudit-snap | ||
7 | snapcraft init | ||
8 | cp ../snapcraft.yaml . | ||
9 | #snapcraft stage | ||
10 | mkdir -p stage/usr/lib/firejail | ||
11 | cp ../../../src/faudit/faudit stage/usr/lib/firejail/. | ||
12 | find stage | ||
13 | snapcraft stage | ||
14 | snapcraft snap | ||
15 | cd .. | ||
16 | mv faudit-snap/faudit_*.snap ../../. | ||
17 | rm -fr faudit-snap | ||
18 | |||
19 | |||
20 | |||
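Review bot: `cd faudit-snap` on line 6 and `cd ..` on line 15 are unchecked and the script has no `set -e`, so if `mkdir` or the `cd` fails every following step — `cp ../snapcraft.yaml .`, `mkdir -p stage/...`, `snapcraft snap` — runs in the caller's directory, and the final `rm -fr faudit-snap` still executes. Add `set -euo pipefail` after the shebang and write `cd faudit-snap || exit 1`; the `cp ../../../src/faudit/faudit` path, which only works when the script is invoked from platform/snap, is worth anchoring with `cd "$(dirname "$0")"` at the top. The three blank lines at the end of the file can go.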
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml new file mode 100644 index 000000000..7b04a2ca1 --- /dev/null +++ b/platform/snap/snapcraft.yaml | |||
@@ -0,0 +1,21 @@ | |||
1 | name: faudit # the name of the snap | ||
2 | version: 0 # the version of the snap | ||
3 | summary: Fireajail audit snap edition # 79 char long summary | ||
4 | description: faudit program extracted from Firejail and packaged as a snap # a longer description for the snap | ||
5 | confinement: strict # use "strict" to enforce system access only via declared interfaces | ||
6 | |||
7 | apps: | ||
8 | faudit: | ||
9 | command: /usr/lib/firejail/faudit | ||
10 | |||
11 | parts: | ||
12 | faudit: # Replace with a part name of your liking | ||
13 | # Get more information about plugins by running | ||
14 | # snapcraft help plugins | ||
15 | # and more information about the available plugins | ||
16 | # by running | ||
17 | # snapcraft list-plugins | ||
18 | plugin: nil | ||
19 | snap: | ||
20 | - usr/lib/firejail/faudit | ||
21 | |||
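Review bot: `summary: Fireajail audit snap edition` on line 3 misspells the project name; it should read `summary: Firejail audit snap edition`. The comments in the part (`# Replace with a part name of your liking`, the `snapcraft help plugins` block on lines 13–17) are `snapcraft init` template text that no longer applies once the part is named `faudit`; dropping them leaves the file saying only what this snap does.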
diff --git a/src/bash_completion/firecfg.bash_completion b/src/bash_completion/firecfg.bash_completion new file mode 100644 index 000000000..79b74e49d --- /dev/null +++ b/src/bash_completion/firecfg.bash_completion | |||
@@ -0,0 +1,39 @@ | |||
1 | # bash completion for firecfg -*- shell-script -*- | ||
2 | #******************************************************************** | ||
3 | # Script based on completions/configure script in bash-completion package in | ||
4 | # Debian. The original package is release under GPL v2 license, the webpage is | ||
5 | # http://bash-completion.alioth.debian.org | ||
6 | #******************************************************************* | ||
7 | |||
8 | _firecfg() | ||
9 | { | ||
10 | local cur prev words cword split | ||
11 | _init_completion -s || return | ||
12 | |||
13 | case $prev in | ||
14 | --help|--version) | ||
15 | return | ||
16 | ;; | ||
17 | esac | ||
18 | |||
19 | $split && return 0 | ||
20 | |||
21 | # if $COMP_CONFIGURE_HINTS is not null, then completions of the form | ||
22 | # --option=SETTING will include 'SETTING' as a contextual hint | ||
23 | [[ "$cur" != -* ]] && return 0 | ||
24 | |||
25 | if [[ -n $COMP_CONFIGURE_HINTS ]]; then | ||
26 | COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \ | ||
27 | awk '/^ --[A-Za-z]/ { print $1; \ | ||
28 | if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \ | ||
29 | -- "$cur" ) ) | ||
30 | [[ $COMPREPLY == *=* ]] && compopt -o nospace | ||
31 | else | ||
32 | COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) ) | ||
33 | [[ $COMPREPLY == *= ]] && compopt -o nospace | ||
34 | fi | ||
35 | } && | ||
36 | complete -F _firecfg firecfg | ||
37 | |||
38 | |||
39 | |||
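Review bot: The `COMP_CONFIGURE_HINTS` branch and its comment on lines 21–30 are carried over from the configure-script completion and run `$1 --help 2>&1 | awk ...` to mine `--option=SETTING` hints; firecfg's option set is fixed (only `--help` and `--version` appear in the `case $prev` arm above), so the `_parse_help "$1"` branch alone appears to cover it and the comment describing configure semantics is misleading here. If the branch is kept for parity with the firejail completion, say so in a comment such as `# kept structurally identical to firejail.bash_completion`; otherwise reduce the function to the else-branch. The trailing blank lines after `complete -F _firecfg firecfg` can be dropped.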
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 21e28c98b..d3dcd57d0 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion | |||
@@ -47,6 +47,10 @@ _firejail() | |||
47 | _filedir | 47 | _filedir |
48 | return 0 | 48 | return 0 |
49 | ;; | 49 | ;; |
50 | --read-write) | ||
51 | _filedir | ||
52 | return 0 | ||
53 | ;; | ||
50 | --bind) | 54 | --bind) |
51 | _filedir | 55 | _filedir |
52 | return 0 | 56 | return 0 |
@@ -63,6 +67,10 @@ _firejail() | |||
63 | _filedir | 67 | _filedir |
64 | return 0 | 68 | return 0 |
65 | ;; | 69 | ;; |
70 | --audit) | ||
71 | _filedir | ||
72 | return 0 | ||
73 | ;; | ||
66 | --net) | 74 | --net) |
67 | comps=$(__interfaces) | 75 | comps=$(__interfaces) |
68 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) | 76 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) |
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in new file mode 100644 index 000000000..995a0bf49 --- /dev/null +++ b/src/faudit/Makefile.in | |||
@@ -0,0 +1,25 @@ | |||
1 | all: faudit | ||
2 | |||
3 | PREFIX=@prefix@ | ||
4 | VERSION=@PACKAGE_VERSION@ | ||
5 | NAME=@PACKAGE_NAME@ | ||
6 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
7 | |||
8 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
9 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
10 | OBJS = $(C_FILE_LIST:.c=.o) | ||
11 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
12 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | ||
13 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | ||
14 | |||
15 | %.o : %.c $(H_FILE_LIST) | ||
16 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
17 | |||
18 | faudit: $(OBJS) | ||
19 | $(CC) $(LDFLAGS) -o $@ $(OBJS) | ||
20 | |||
21 | clean:; rm -f *.o faudit | ||
22 | |||
23 | distclean: clean | ||
24 | rm -fr Makefile | ||
25 | |||
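Review bot: In the `faudit:` rule on line 19, `$(CC) $(LDFLAGS) -o $@ $(OBJS)` places `-lpthread` (from LDFLAGS on line 13) before the object files, so a linker running with `--as-needed` (the Debian/Ubuntu default) can discard libpthread before it sees the references in the objects; keep flags in LDFLAGS and put the library after the objects, e.g. `LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now` / `LIBS = -lpthread` / `$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)`. `BINOBJS` on line 11 is defined but never used and can be removed. The hardening set on lines 12–13 (`-fstack-protector-all`, `_FORTIFY_SOURCE=2` with `-O2`, PIE, full RELRO) is the right baseline for this binary and should be kept as is.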
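--- /dev/null
+++ b/src/faudit/caps.c
@@ -0,0 +1,79 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "faudit.h"
+#include <linux/capability.h>
+
+#define MAXBUF 4098
+static int extract_caps(uint64_t *val) {
+FILE *fp = fopen("/proc/self/status", "r");
+if (!fp)
+return 1;
+
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+if (strncmp(buf, "CapBnd:\t", 8) == 0) {
+char *ptr = buf + 8;
+unsigned long long tmp;
+sscanf(ptr, "%llx", &tmp);
+*val = tmp;
+fclose(fp);
+return 0;
+}
+}
+
+fclose(fp);
+return 1;
+}
+
+// return 1 if the capability is in tbe map
+static int check_capability(uint64_t map, int cap) {
+int i;
+uint64_t mask = 1ULL;
+
+for (i = 0; i < 64; i++, mask <<= 1) {
+if ((i == cap) && (mask & map))
+return 1;
+}
+
+return 0;
+}
+
+void caps_test(void) {
+uint64_t caps_val;
+
+if (extract_caps(&caps_val)) {
+printf("SKIP: cannot extract capabilities on this platform.\n");
+return;
+}
+
+if (caps_val) {
+printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
+printf("Use \"firejail --caps.drop=all\" to fix it.\n");
+
+if (check_capability(caps_val, CAP_SYS_ADMIN))
+printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
+if (check_capability(caps_val, CAP_SYS_BOOT))
+printf("UGLY: CAP_SYS_BOOT is enabled.\n");
+}
+else
+printf("GOOD: all capabilities are disabled.\n");
+}
+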
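Review bot: `sscanf(ptr, "%llx", &tmp)` at line 35 of extract_caps ignores its return value, so a CapBnd line that does not parse leaves tmp uninitialized and an indeterminate value is copied into *val and then reported by caps_test as the capability map. Check the conversion count and treat a parse failure like a missing line: `if (sscanf(ptr, "%llx", &tmp) != 1) { fclose(fp); return 1; }`. The same unchecked sscanf appears in extract_seccomp in seccomp.c (line 33 there). A comment on extract_caps noting that it reads only the bounding set (CapBnd), not CapEff or CapPrm, would make clear what "all capabilities are disabled" means here.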
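--- /dev/null
+++ b/src/faudit/dbus.c
@@ -0,0 +1,74 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <sys/un.h>
+
+void check_session_bus(const char *sockfile) {
+assert(sockfile);
+
+// open socket
+int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+if (sock == -1) {
+printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+return;
+}
+
+// connect
+struct sockaddr_un remote;
+memset(&remote, 0, sizeof(struct sockaddr_un));
+remote.sun_family = AF_UNIX;
+strcpy(remote.sun_path, sockfile);
+int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
+remote.sun_path[0] = '\0';
+if (connect(sock, (struct sockaddr *)&remote, len) == -1) {
+printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
+}
+else {
+printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+}
+
+close(sock);
+}
+
+void dbus_test(void) {
+// check the session bus
+char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+if (str) {
+char *bus = strdup(str);
+if (!bus)
+errExit("strdup");
+char *sockfile = strstr(bus, "unix:abstract=");
+if (sockfile) {
+sockfile += 13;
+*sockfile = '@';
+char *ptr = strchr(sockfile, ',');
+if (ptr)
+*ptr = '\0';
+check_session_bus(sockfile);
+
+sockfile -= 13;
+}
+free(bus);
+}
+}
+
+
+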
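Review bot: `strcpy(remote.sun_path, sockfile)` at line 38 of check_session_bus copies a string taken from the DBUS_SESSION_BUS_ADDRESS environment variable into the fixed-size sun_path with no length check, so an over-long address overflows the stack buffer; reject it before copying with `if (strlen(sockfile) >= sizeof(remote.sun_path)) { close(sock); return; }`. The `sockfile -= 13;` on line 67 of dbus_test has no effect because sockfile is not used afterwards and can be dropped. Lines 60-61 overwrite the '=' with '@' so that check_session_bus can turn that first byte into the leading NUL of an abstract-socket name (line 40); that is non-obvious enough to deserve a comment at both places.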
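--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+
+void dev_test(void) {
+DIR *dir;
+if (!(dir = opendir("/dev"))) {
+fprintf(stderr, "Error: cannot open /dev directory\n");
+return;
+}
+
+struct dirent *entry;
+printf("INFO: files visible in /dev directory: ");
+int cnt = 0;
+while ((entry = readdir(dir)) != NULL) {
+if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+continue;
+
+printf("%s, ", entry->d_name);
+cnt++;
+}
+printf("\n");
+
+if (cnt > 20)
+printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+else
+printf("GOOD: Access to /dev directory is restricted.\n");
+closedir(dir);
+}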
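Review bot: The threshold `cnt > 20` at line 42 of dev_test is an unexplained magic number; name it, e.g. `#define DEV_POPULATED_THRESHOLD 20`, with a comment on why twenty entries is taken to separate a restricted /dev from a full one. The opendir failure at line 26 is written to stderr as an error while every other outcome in this file and in the sibling tests is a stdout verdict; printing `SKIP: cannot open /dev directory` on stdout keeps the audit report consistent when stdout is captured.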
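--- /dev/null
+++ b/src/faudit/faudit.h
@@ -0,0 +1,64 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef FAUDIT_H
+#define FAUDIT_H
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <assert.h>
+
+#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+
+// main.c
+extern char *prog;
+
+// pid.c
+void pid_test(void);
+
+// caps.c
+void caps_test(void);
+
+// seccomp.c
+void seccomp_test(void);
+
+// syscall.c
+void syscall_helper(int argc, char **argv);
+void syscall_run(const char *name);
+
+// files.c
+void files_test(void);
+
+// network.c
+void network_test(void);
+
+// dbus.c
+void dbus_test(void);
+
+// dev.c
+void dev_test(void);
+
+#endif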
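Review bot: The errExit macro at line 34 formats into a fixed 500-byte `msgout` with sprintf; the callers in this commit pass short literals, but the macro is the shared error path and a longer msg or function name would overflow the stack buffer. Use `snprintf(msgout, sizeof(msgout), "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__);`. `_GNU_SOURCE` on line 23 only takes effect if this header is the first include in every translation unit that calls asprintf (files.c, pid.c); that ordering requirement is worth a one-line comment next to the define.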
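--- /dev/null
+++ b/src/faudit/files.c
@@ -0,0 +1,75 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <fcntl.h>
+#include <pwd.h>
+
+static char *username = NULL;
+static char *homedir = NULL;
+
+static void check_home_file(const char *name) {
+assert(homedir);
+
+char *fname;
+if (asprintf(&fname, "%s/%s", homedir, name) == -1)
+errExit("asprintf");
+
+if (access(fname, R_OK) == 0) {
+printf("UGLY: I can access files in %s directory. ", fname);
+printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
+}
+else
+printf("GOOD: I cannot access files in %s directory.\n", fname);
+
+free(fname);
+}
+
+void files_test(void) {
+struct passwd *pw = getpwuid(getuid());
+if (!pw) {
+fprintf(stderr, "Error: cannot retrieve user account information\n");
+return;
+}
+
+username = strdup(pw->pw_name);
+if (!username)
+errExit("strdup");
+homedir = strdup(pw->pw_dir);
+if (!homedir)
+errExit("strdup");
+
+// check access to .ssh directory
+check_home_file(".ssh");
+
+// check access to .gnupg directory
+check_home_file(".gnupg");
+
+// check access to Firefox browser directory
+check_home_file(".mozilla");
+
+// check access to Chromium browser directory
+check_home_file(".config/chromium");
+
+// check access to Debian Icedove directory
+check_home_file(".icedove");
+
+// check access to Thunderbird directory
+check_home_file(".thunderbird");
+}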
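Review bot: `username` (lines 24 and 51-53) is strdup'd in files_test and never read, and neither it nor homedir is freed, so both are leaks; drop username or use it in the report, and free homedir at the end of files_test. The access() check in check_home_file cannot tell a blocked path from an absent one: a user with no ~/.icedove gets "GOOD: I cannot access files in ..." although nothing was blocked. Checking errno after access fails, `if (errno == ENOENT) printf("INFO: %s does not exist.\n", fname);` (with errno.h included), reserves the GOOD verdict for the EACCES case.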
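--- /dev/null
+++ b/src/faudit/main.c
@@ -0,0 +1,80 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+char *prog;
+
+int main(int argc, char **argv) {
+if (argc != 1) {
+int i;
+
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "syscall")) {
+syscall_helper(argc, argv);
+return 0;
+}
+}
+return 1;
+}
+
+printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
+
+// extract program name
+prog = realpath(argv[0], NULL);
+if (prog == NULL) {
+prog = strdup("faudit");
+if (!prog)
+errExit("strdup");
+}
+printf("INFO: starting %s.\n", prog);
+
+
+// check pid namespace
+pid_test();
+printf("\n");
+
+// check seccomp
+seccomp_test();
+printf("\n");
+
+// check capabilities
+caps_test();
+printf("\n");
+
+// check some well-known problematic files and directories
+files_test();
+printf("\n");
+
+// network
+network_test();
+printf("\n");
+
+// dbus
+dbus_test();
+printf("\n");
+
+// /dev test
+dev_test();
+printf("\n");
+
+free(prog);
+printf("--------------------------------------------------------------------------------\n");
+
+return 0;
+}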
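Review bot: The helper-mode dispatch at line 28 of main is inverted: `strcmp(argv[i], "syscall")` is non-zero when the argument is not "syscall", so any stray argument such as `faudit foo` calls syscall_helper, which then dereferences argv[2] (NULL when argc is 2). The helper contract in syscall.c is exactly `faudit syscall <name>`, so the loop can be replaced by a direct check on argc and argv[1]. Separately, `realpath(argv[0], NULL)` on line 39 fails when faudit is started through PATH, and the "faudit" fallback is then handed to execl, which does not search PATH, so every syscall probe silently fails to run; resolving `/proc/self/exe` instead gives syscall_run a path it can always exec.
```c
int main(int argc, char **argv) {
	// helper mode, invoked by syscall_run(): faudit syscall <name>
	if (argc != 1) {
		if (argc == 3 && strcmp(argv[1], "syscall") == 0) {
			syscall_helper(argc, argv);
			return 0;
		}
		return 1;
	}
	// … unchanged: banner, prog resolution and the test sequence …
```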
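--- /dev/null
+++ b/src/faudit/network.c
@@ -0,0 +1,101 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+
+static void check_ssh(void) {
+// open socket
+int sock = socket(AF_INET, SOCK_STREAM, 0);
+if (sock == -1) {
+printf("GOOD: SSH server not available on localhost.\n");
+return;
+}
+
+// connect to localhost
+struct sockaddr_in server;
+server.sin_addr.s_addr = inet_addr("127.0.0.1");
+server.sin_family = AF_INET;
+server.sin_port = htons(22);
+
+if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+printf("GOOD: SSH server not available on localhost.\n");
+else {
+printf("MAYBE: an SSH server is accessible on localhost. ");
+printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+}
+
+close(sock);
+}
+
+static void check_http(void) {
+// open socket
+int sock = socket(AF_INET, SOCK_STREAM, 0);
+if (sock == -1) {
+printf("GOOD: HTTP server not available on localhost.\n");
+return;
+}
+
+// connect to localhost
+struct sockaddr_in server;
+server.sin_addr.s_addr = inet_addr("127.0.0.1");
+server.sin_family = AF_INET;
+server.sin_port = htons(80);
+
+if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
+printf("GOOD: HTTP server not available on localhost.\n");
+else {
+printf("MAYBE: an HTTP server is accessible on localhost. ");
+printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+}
+
+close(sock);
+}
+
+void check_netlink(void) {
+int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
+if (sock == -1) {
+printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+return;
+}
+
+struct sockaddr_nl local;
+memset(&local, 0, sizeof(local));
+local.nl_family = AF_NETLINK;
+local.nl_groups = 0; //subscriptions;
+
+if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
+printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
+close(sock);
+return;
+}
+
+close(sock);
+printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
+printf("You can use \"--protocol\" to disable the socket.\n");
+}
+
+void network_test(void) {
+check_ssh();
+check_http();
+check_netlink();
+}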
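Review bot: check_ssh and check_http (lines 26-72) are the same function with only the port and the label swapped; a single `static void check_tcp_port(int port, const char *label)` called twice from network_test removes the duplicated connect logic and keeps the two verdict strings in sync. `struct sockaddr_in server` at lines 35 and 59 is not zeroed while `local` in check_netlink is; a `memset(&server, 0, sizeof(server));` before filling it keeps the two helpers consistent. check_netlink at line 74 is the only non-static helper in this file and is not declared in faudit.h, so it should be `static` like its siblings.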
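--- /dev/null
+++ b/src/faudit/pid.c
@@ -0,0 +1,101 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+
+void pid_test(void) {
+char *kern_proc[] = {
+"kthreadd",
+"ksoftirqd",
+"kworker",
+"rcu_sched",
+"rcu_bh",
+NULL // NULL terminated list
+};
+int i;
+
+// look at the first 10 processes
+int not_visible = 1;
+for (i = 1; i <= 10; i++) {
+struct stat s;
+char *fname;
+if (asprintf(&fname, "/proc/%d/comm", i) == -1)
+errExit("asprintf");
+if (stat(fname, &s) == -1) {
+free(fname);
+continue;
+}
+
+// open file
+/* coverity[toctou] */
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+// fprintf(stderr, "Warning: cannot open %s\n", fname);
+free(fname);
+continue;
+}
+
+// read file
+char buf[100];
+if (fgets(buf, 10, fp) == NULL) {
+// fprintf(stderr, "Warning: cannot read %s\n", fname);
+fclose(fp);
+free(fname);
+continue;
+}
+not_visible = 0;
+
+// clean /n
+char *ptr;
+if ((ptr = strchr(buf, '\n')) != NULL)
+*ptr = '\0';
+
+// check process name against the kernel list
+int j = 0;
+while (kern_proc[j] != NULL) {
+if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
+fclose(fp);
+free(fname);
+printf("BAD: Process %d is not running in a PID namespace. ", getpid());
+printf("Are you sure you're running in a sandbox?\n");
+return;
+}
+j++;
+}
+
+fclose(fp);
+free(fname);
+}
+
+pid_t pid = getpid();
+if (not_visible && pid > 100)
+printf("BAD: Process %d is not running in a PID namespace.\n", pid);
+else
+printf("GOOD: process %d is running in a PID namespace.\n", pid);
+
+// try to guess the type of container/sandbox
+char *str = getenv("container");
+if (str)
+printf("INFO: container/sandbox %s.\n", str);
+else {
+str = getenv("SNAP");
+if (str)
+printf("INFO: this is a snap package\n");
+}
+}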
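Review bot: `fgets(buf, 10, fp)` at line 56 reads at most 9 bytes of /proc/<pid>/comm into a 100-byte buffer, so the magic 10 and the declared size disagree and longer names are cut before the prefix compare on line 72; `fgets(buf, sizeof(buf), fp)` reads the whole name and the strncmp still works. The verdict at lines 87-90 rests on two guesses, that kernel threads occupy PIDs 1-10 and that a sandboxed process has a PID below 100; a comment saying so, and that GOOD here is a heuristic rather than proof of a PID namespace, would stop readers over-trusting the line. The "read file" comment on line 54 would be more useful as "comm holds the process name; compare its prefix against the kernel thread list".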
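--- /dev/null
+++ b/src/faudit/seccomp.c
@@ -0,0 +1,101 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+FILE *fp = fopen("/proc/self/status", "r");
+if (!fp)
+return 1;
+
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+char *ptr = buf + 8;
+int tmp;
+sscanf(ptr, "%d", &tmp);
+*val = tmp;
+fclose(fp);
+return 0;
+}
+}
+
+fclose(fp);
+return 1;
+}
+
+void seccomp_test(void) {
+int seccomp_status;
+int rv = extract_seccomp(&seccomp_status);
+
+if (rv) {
+printf("INFO: cannot extract seccomp configuration on this platform.\n");
+return;
+}
+
+if (seccomp_status == 0) {
+printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
+}
+else if (seccomp_status == 1)
+printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd.\n");
+else if (seccomp_status == 2) {
+printf("GOOD: seccomp BPF enabled.\n");
+
+printf("checking syscalls: "); fflush(0);
+printf("mount... "); fflush(0);
+syscall_run("mount");
+
+printf("umount2... "); fflush(0);
+syscall_run("umount2");
+
+printf("ptrace... "); fflush(0);
+syscall_run("ptrace");
+
+printf("swapon... "); fflush(0);
+syscall_run("swapon");
+
+printf("swapoff... "); fflush(0);
+syscall_run("swapoff");
+
+printf("init_module... "); fflush(0);
+syscall_run("init_module");
+
+printf("delete_module... "); fflush(0);
+syscall_run("delete_module");
+
+printf("chroot... "); fflush(0);
+syscall_run("chroot");
+
+printf("pivot_root... "); fflush(0);
+syscall_run("pivot_root");
+
+#if defined(__i386__) || defined(__x86_64__)
+printf("iopl... "); fflush(0);
+syscall_run("iopl");
+
+printf("ioperm... "); fflush(0);
+syscall_run("ioperm");
+#endif
+printf("\n");
+}
+else
+fprintf(stderr, "Error: unrecognized seccomp mode\n");
+
+}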
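Review bot: `strncmp(buf, "Seccomp:\t", 8)` at line 30 of extract_seccomp compares only 8 characters of a 9-character prefix and `buf + 8` then starts the parse on the tab; sscanf skips the whitespace so it works, but the sibling extract_caps in caps.c uses the full prefix length, and `strncmp(buf, "Seccomp:\t", 9)` with `char *ptr = buf + 9;` matches that convention. The user-facing string on line 57 has a typo, "allowd" for "allowed". `fflush(0)` on lines 61-94 flushes every open stream; `fflush(stdout)` states the intent, and the repeated print-then-probe pairs could be one small helper taking the syscall name.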
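--- /dev/null
+++ b/src/faudit/syscall.c
@@ -0,0 +1,100 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <sys/ptrace.h>
+#include <sys/swap.h>
+#if defined(__i386__) || defined(__x86_64__)
+#include <sys/io.h>
+#endif
+#include <sys/wait.h>
+extern int init_module(void *module_image, unsigned long len,
+const char *param_values);
+extern int finit_module(int fd, const char *param_values,
+int flags);
+extern int delete_module(const char *name, int flags);
+extern int pivot_root(const char *new_root, const char *put_old);
+
+void syscall_helper(int argc, char **argv) {
+(void) argc;
+
+if (strcmp(argv[2], "mount") == 0) {
+mount(NULL, NULL, NULL, 0, NULL);
+printf("\nUGLY: mount syscall permitted.\n");
+}
+else if (strcmp(argv[2], "umount2") == 0) {
+umount2(NULL, 0);
+printf("\nUGLY: umount2 syscall permitted.\n");
+}
+else if (strcmp(argv[2], "ptrace") == 0) {
+ptrace(0, 0, NULL, NULL);
+printf("\nUGLY: ptrace syscall permitted.\n");
+}
+else if (strcmp(argv[2], "swapon") == 0) {
+swapon(NULL, 0);
+printf("\nUGLY: swapon syscall permitted.\n");
+}
+else if (strcmp(argv[2], "swapoff") == 0) {
+swapoff(NULL);
+printf("\nUGLY: swapoff syscall permitted.\n");
+}
+else if (strcmp(argv[2], "init_module") == 0) {
+init_module(NULL, 0, NULL);
+printf("\nUGLY: init_module syscall permitted.\n");
+}
+else if (strcmp(argv[2], "delete_module") == 0) {
+delete_module(NULL, 0);
+printf("\nUGLY: delete_module syscall permitted.\n");
+}
+else if (strcmp(argv[2], "chroot") == 0) {
+int rv = chroot("/blablabla-57281292");
+(void) rv;
+printf("\nUGLY: chroot syscall permitted.\n");
+}
+else if (strcmp(argv[2], "pivot_root") == 0) {
+pivot_root(NULL, NULL);
+printf("\nUGLY: pivot_root syscall permitted.\n");
+}
+#if defined(__i386__) || defined(__x86_64__)
+else if (strcmp(argv[2], "iopl") == 0) {
+iopl(0L);
+printf("\nUGLY: iopl syscall permitted.\n");
+}
+else if (strcmp(argv[2], "ioperm") == 0) {
+ioperm(0, 0, 0);
+printf("\nUGLY: ioperm syscall permitted.\n");
+}
+#endif
+exit(0);
+}
+
+void syscall_run(const char *name) {
+assert(prog);
+
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+execl(prog, prog, "syscall", name, NULL);
+exit(1);
+}
+
+// wait for the child to finish
+waitpid(child, NULL, 0);
+}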
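Review bot: syscall_run at line 99 discards the child's wait status, so a child that could not exec (the `exit(1)` on line 95) and a child killed by the seccomp filter both print nothing and are read as "blocked", which turns a broken helper path into a falsely clean audit. Inspect the status and report the exec failure: `int status; waitpid(child, &status, 0); if (WIFEXITED(status) && WEXITSTATUS(status) == 1) printf("SKIP: cannot run the %s helper.\n", name);`. syscall_helper at line 35 discards argc with `(void) argc` and then reads argv[2] unconditionally; `if (argc < 3) exit(1);` guards the NULL dereference regardless of how main dispatches. The extern declarations at lines 27-32 assume the C library exports init_module, delete_module and pivot_root wrappers; if the target libc does not, going through `syscall(SYS_init_module, ...)` avoids a link failure, so a comment on that assumption is warranted.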
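--- /dev/null
+++ b/src/firecfg/Makefile.in
@@ -0,0 +1,38 @@
+all: firecfg
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+firecfg: $(OBJS) ../lib/common.o
+$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS)
+
+clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz
+
+distclean: clean
+rm -fr Makefile
+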
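--- /dev/null
+++ b/src/firecfg/firecfg.config
@@ -0,0 +1,136 @@
+# /usr/lib/firejail/firecfg.config - firecfg utility configuration file
+# This is the list of programs handled by firecfg utility
+#
+
+# astronomy
+gpredict
+stellarium
+
+# bittorrent/ftp
+deluge
+dropbox
+filezilla
+qbittorrent
+rtorrent
+transmission-gtk
+transmission-qt
+uget-gtk
+
+# browsers/email
+abrowser
+brave
+chromium
+chromium-browser
+conkeror
+cyberfox
+firefox
+firefox-esr
+flashpeak-slimjet
+epiphany
+dillo
+google-chrome
+google-chrome-beta
+google-chrome-stable
+google-chrome-unstable
+iceweasel
+icecat
+icedove
+kmail
+midori
+netsurf
+opera-beta
+opera
+palemoon
+qutebrowser
+seamonkey
+seamonkey-bin
+thunderbird
+vivaldi-beta
+vivaldi
+
+# chat/messaging
+bitlbee
+corebird
+empathy
+gitter
+hexchat
+jitsi
+konversation
+pidgin
+polari
+psi-plus
+qtox
+quassel
+skype
+telegram
+weechat
+weechat-curses
+xchat
+
+# dns
+dnscrypt-proxy
+dnsmaq
+unbound
+
+# emulators/compatibility layers
+mupen64plus
+wine
+
+# games
+0ad
+hedgewars
+steam
+wesnot
+warzone2100
+
+# Media
+audacious
+audacity
+clementine
+cmus
+deadbeef
+gnome-mplayer
+google-play-music-desktop-player
+mpv
+parole
+rhythmbox
+spotify
+totem
+vlc
+xplayer
+xviewer
+eom
+
+# news readers
+quiterss
+
+# office
+atril
+cherrytree
+evince
+fbreader
+gwenview
+gthumb
+libreoffice
+localc
+lodraw
+loffice
+lofromtemplate
+loimpress
+lomath
+loweb
+lowriter
+soffice
+Mathematica
+mathematica
+okular
+pix
+xreader
+
+# other
+ssh
+atom-beta
+atom
+
+# weather/climate
+aweather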
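Review bot: The entries `dnsmaq` (under `# dns`) and `wesnot` (under `# games`) look like typos for `dnsmasq` and `wesnoth`. Because the firecfg loader skips any name it cannot locate on the system without printing anything, a misspelled entry never produces a symlink and the mistake is invisible to the user; those two programs therefore stay unsandboxed from the desktop even though they appear to be covered here. Correcting the two names, or having the loader warn on a name it cannot find, would surface this.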
diff --git a/src/firecfg/main.c b/src/firecfg/main.c new file mode 100644 index 000000000..f0f2aaeb7 --- /dev/null +++ b/src/firecfg/main.c | |||
@@ -0,0 +1,315 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #define _GNU_SOURCE | ||
22 | #include <stdio.h> | ||
23 | #include <sys/types.h> | ||
24 | #include <dirent.h> | ||
25 | #include <sys/types.h> | ||
26 | #include <sys/stat.h> | ||
27 | #include <unistd.h> | ||
28 | #include "../include/common.h" | ||
29 | |||
30 | static void usage(void) { | ||
31 | printf("firecfg - version %s\n\n", VERSION); | ||
32 | printf("Firecfg is the desktop configuration utility for Firejail software. The utility\n"); | ||
33 | printf("creates several symbolic links to firejail executable. This allows the user to\n"); | ||
34 | printf("sandbox applications automatically, just by clicking on a regular desktop\n"); | ||
35 | printf("menus and icons.\n\n"); | ||
36 | printf("The symbolic links are placed in /usr/local/bin. For more information, see\n"); | ||
37 | printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n"); | ||
38 | printf("Usage: firecfg [OPTIONS]\n\n"); | ||
39 | printf(" --clean - remove all firejail symbolic links.\n\n"); | ||
40 | printf(" --help, -? - this help screen.\n\n"); | ||
41 | printf(" --list - list all firejail symbolic links.\n\n"); | ||
42 | printf(" --version - print program version and exit.\n\n"); | ||
43 | printf("Example:\n\n"); | ||
44 | printf(" $ sudo firecfg\n"); | ||
45 | printf(" /usr/local/bin/firefox created\n"); | ||
46 | printf(" /usr/local/bin/vlc created\n"); | ||
47 | printf(" [...]\n"); | ||
48 | printf(" $ firecfg --list\n"); | ||
49 | printf(" /usr/local/bin/firefox\n"); | ||
50 | printf(" /usr/local/bin/vlc\n"); | ||
51 | printf(" [...]\n"); | ||
52 | printf(" $ sudo firecfg --clean\n"); | ||
53 | printf(" /usr/local/bin/firefox removed\n"); | ||
54 | printf(" /usr/local/bin/vlc removed\n"); | ||
55 | printf(" [...]\n"); | ||
56 | printf("\n"); | ||
57 | printf("License GPL version 2 or later\n"); | ||
58 | printf("Homepage: http://firejail.wordpress.com\n\n"); | ||
59 | } | ||
60 | |||
61 | // return 1 if the program is found | ||
62 | static int find(const char *program, const char *directory) { | ||
63 | int retval = 0; | ||
64 | |||
65 | char *fname; | ||
66 | if (asprintf(&fname, "/%s/%s", directory, program) == -1) | ||
67 | errExit("asprintf"); | ||
68 | |||
69 | struct stat s; | ||
70 | if (stat(fname, &s) == 0) | ||
71 | retval = 1; | ||
72 | |||
73 | free(fname); | ||
74 | return retval; | ||
75 | } | ||
76 | |||
77 | |||
78 | // return 1 if program is installed on the system | ||
79 | static int which(const char *program) { | ||
80 | // check some well-known paths | ||
81 | if (find(program, "/bin") || find(program, "/usr/bin") || | ||
82 | find(program, "/sbin") || find(program, "/usr/sbin") || | ||
83 | find(program, "/usr/games")) | ||
84 | return 1; | ||
85 | |||
86 | // check environment | ||
87 | char *path1 = getenv("PATH"); | ||
88 | if (path1) { | ||
89 | char *path2 = strdup(path1); | ||
90 | if (!path2) | ||
91 | errExit("strdup"); | ||
92 | |||
93 | // use path2 to count the entries | ||
94 | char *ptr = strtok(path2, ":"); | ||
95 | while (ptr) { | ||
96 | if (find(program, ptr)) { | ||
97 | free(path2); | ||
98 | return 1; | ||
99 | } | ||
100 | ptr = strtok(NULL, ":"); | ||
101 | } | ||
102 | free(path2); | ||
103 | } | ||
104 | |||
105 | return 0; | ||
106 | } | ||
107 | |||
108 | // return 1 if the file is a link | ||
109 | static int is_link(const char *fname) { | ||
110 | assert(fname); | ||
111 | if (*fname == '\0') | ||
112 | return 0; | ||
113 | |||
114 | struct stat s; | ||
115 | if (lstat(fname, &s) == 0) { | ||
116 | if (S_ISLNK(s.st_mode)) | ||
117 | return 1; | ||
118 | } | ||
119 | |||
120 | return 0; | ||
121 | } | ||
122 | |||
123 | static void list(void) { | ||
124 | DIR *dir = opendir("/usr/local/bin"); | ||
125 | if (!dir) { | ||
126 | fprintf(stderr, "Error: cannot open /usr/local/bin directory\n"); | ||
127 | exit(1); | ||
128 | } | ||
129 | |||
130 | char *firejail_exec; | ||
131 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
132 | errExit("asprintf"); | ||
133 | |||
134 | struct dirent *entry; | ||
135 | while ((entry = readdir(dir)) != NULL) { | ||
136 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
137 | continue; | ||
138 | |||
139 | char *fullname; | ||
140 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | ||
141 | errExit("asprintf"); | ||
142 | |||
143 | if (is_link(fullname)) { | ||
144 | char* fname = realpath(fullname, NULL); | ||
145 | if (fname) { | ||
146 | if (strcmp(fname, firejail_exec) == 0) | ||
147 | printf("%s\n", fullname); | ||
148 | free(fname); | ||
149 | } | ||
150 | } | ||
151 | free(fullname); | ||
152 | } | ||
153 | |||
154 | closedir(dir); | ||
155 | free(firejail_exec); | ||
156 | } | ||
157 | |||
158 | static void clear(void) { | ||
159 | if (getuid() != 0) { | ||
160 | fprintf(stderr, "Error: you need to be root to run this command\n"); | ||
161 | exit(1); | ||
162 | } | ||
163 | |||
164 | DIR *dir = opendir("/usr/local/bin"); | ||
165 | if (!dir) { | ||
166 | fprintf(stderr, "Error: cannot open /usr/local/bin directory\n"); | ||
167 | exit(1); | ||
168 | } | ||
169 | |||
170 | char *firejail_exec; | ||
171 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
172 | errExit("asprintf"); | ||
173 | |||
174 | struct dirent *entry; | ||
175 | while ((entry = readdir(dir)) != NULL) { | ||
176 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
177 | continue; | ||
178 | |||
179 | char *fullname; | ||
180 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | ||
181 | errExit("asprintf"); | ||
182 | |||
183 | if (is_link(fullname)) { | ||
184 | char* fname = realpath(fullname, NULL); | ||
185 | if (fname) { | ||
186 | if (strcmp(fname, firejail_exec) == 0) { | ||
187 | printf("%s removed\n", fullname); | ||
188 | unlink(fullname); | ||
189 | } | ||
190 | free(fname); | ||
191 | } | ||
192 | } | ||
193 | free(fullname); | ||
194 | } | ||
195 | |||
196 | closedir(dir); | ||
197 | free(firejail_exec); | ||
198 | } | ||
199 | |||
200 | static void set_file(const char *name, const char *firejail_exec) { | ||
201 | if (which(name) == 0) | ||
202 | return; | ||
203 | |||
204 | char *fname; | ||
205 | if (asprintf(&fname, "/usr/local/bin/%s", name) == -1) | ||
206 | errExit("asprintf"); | ||
207 | |||
208 | struct stat s; | ||
209 | if (stat(fname, &s) == 0) | ||
210 | ; //printf("%s already present\n", fname); | ||
211 | else { | ||
212 | int rv = symlink(firejail_exec, fname); | ||
213 | if (rv) { | ||
214 | fprintf(stderr, "Error: cannot create %s symbolic link\n", fname); | ||
215 | perror("symlink"); | ||
216 | } | ||
217 | else | ||
218 | printf("%s created\n", fname); | ||
219 | } | ||
220 | |||
221 | free(fname); | ||
222 | } | ||
223 | |||
224 | #define MAX_BUF 1024 | ||
225 | static void set(void) { | ||
226 | if (getuid() != 0) { | ||
227 | fprintf(stderr, "Error: you need to be root to run this command\n"); | ||
228 | exit(1); | ||
229 | } | ||
230 | |||
231 | char *cfgfile; | ||
232 | if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1) | ||
233 | errExit("asprintf"); | ||
234 | |||
235 | char *firejail_exec; | ||
236 | if (asprintf(&firejail_exec, "%s/bin/firejail", PREFIX) == -1) | ||
237 | errExit("asprintf"); | ||
238 | |||
239 | FILE *fp = fopen(cfgfile, "r"); | ||
240 | if (!fp) { | ||
241 | fprintf(stderr, "Error: cannot open %s\n", cfgfile); | ||
242 | exit(1); | ||
243 | } | ||
244 | |||
245 | char buf[MAX_BUF]; | ||
246 | int lineno = 0; | ||
247 | while (fgets(buf, MAX_BUF,fp)) { | ||
248 | lineno++; | ||
249 | if (*buf == '#') // comments | ||
250 | continue; | ||
251 | |||
252 | // do not accept .. and/or / in file name | ||
253 | if (strstr(buf, "..") || strchr(buf, '/')) { | ||
254 | fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile); | ||
255 | exit(1); | ||
256 | } | ||
257 | |||
258 | // remove \n | ||
259 | char *ptr = strchr(buf, '\n'); | ||
260 | if (ptr) | ||
261 | *ptr = '\0'; | ||
262 | |||
263 | // trim spaces | ||
264 | ptr = buf; | ||
265 | while (*ptr == ' ' || *ptr == '\t') | ||
266 | ptr++; | ||
267 | char *start = ptr; | ||
268 | |||
269 | // empty line | ||
270 | if (*start == '\0') | ||
271 | continue; | ||
272 | |||
273 | // set link | ||
274 | set_file(start, firejail_exec); | ||
275 | } | ||
276 | |||
277 | fclose(fp); | ||
278 | free(cfgfile); | ||
279 | free(firejail_exec); | ||
280 | } | ||
281 | |||
282 | int main(int argc, char **argv) { | ||
283 | int i; | ||
284 | |||
285 | for (i = 1; i < argc; i++) { | ||
286 | // default options | ||
287 | if (strcmp(argv[i], "--help") == 0 || | ||
288 | strcmp(argv[i], "-?") == 0) { | ||
289 | usage(); | ||
290 | return 0; | ||
291 | } | ||
292 | else if (strcmp(argv[i], "--version") == 0) { | ||
293 | printf("firecfg version %s\n\n", VERSION); | ||
294 | return 0; | ||
295 | } | ||
296 | else if (strcmp(argv[i], "--clean") == 0) { | ||
297 | clear(); | ||
298 | return 0; | ||
299 | } | ||
300 | else if (strcmp(argv[i], "--list") == 0) { | ||
301 | list(); | ||
302 | return 0; | ||
303 | } | ||
304 | else { | ||
305 | fprintf(stderr, "Error: invalid command line option\n"); | ||
306 | usage(); | ||
307 | return 1; | ||
308 | } | ||
309 | } | ||
310 | |||
311 | set(); | ||
312 | |||
313 | return 0; | ||
314 | } | ||
315 | |||
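Review bot: In `set()`, the `// trim spaces` loop strips only leading blanks, so a trailing space, tab or CR on a config line becomes part of the name handed to `set_file()`; `which()` then fails and the entry is silently skipped with no diagnostic. Replacing the `// remove \n` step with `size_t len = strlen(buf); while (len && strchr("\n\r \t", buf[len - 1])) buf[--len] = '\0';` would strip all of these. The comment test `*buf == '#'` also runs before trimming, so an indented comment line is treated as a program name, and if it happens to contain a `/` the `..`/`/` check aborts the whole run with "invalid line". The comment `// use path2 to count the entries` in `which()` is stale — the loop searches, it does not count.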
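--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h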
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c new file mode 100644 index 000000000..db9382dc3 --- /dev/null +++ b/src/firejail/appimage.c | |||
@@ -0,0 +1,129 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | // http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844 | ||
21 | // sudo mount -o loop krita-3.0-x86_64.appimage mnt | ||
22 | |||
23 | #include "firejail.h" | ||
24 | #include <sys/types.h> | ||
25 | #include <sys/stat.h> | ||
26 | #include <sys/mount.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <linux/loop.h> | ||
29 | #include <errno.h> | ||
30 | |||
31 | static char *devloop = NULL; // device file | ||
32 | static char *mntdir = NULL; // mount point in /tmp directory | ||
33 | |||
34 | const char *appimage_getdir(void) { | ||
35 | return mntdir; | ||
36 | } | ||
37 | |||
38 | void appimage_set(const char *appimage_path) { | ||
39 | assert(appimage_path); | ||
40 | assert(devloop == NULL); // don't call this twice! | ||
41 | EUID_ASSERT(); | ||
42 | |||
43 | // check appimage_path | ||
44 | if (access(appimage_path, R_OK) == -1) { | ||
45 | fprintf(stderr, "Error: cannot access AppImage file\n"); | ||
46 | exit(1); | ||
47 | } | ||
48 | |||
49 | EUID_ROOT(); | ||
50 | |||
51 | // find or allocate a free loop device to use | ||
52 | int cfd = open("/dev/loop-control", O_RDWR); | ||
53 | int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); | ||
54 | if (devnr == -1) { | ||
55 | fprintf(stderr, "Error: cannot allocate a new loopback device\n"); | ||
56 | exit(1); | ||
57 | } | ||
58 | close(cfd); | ||
59 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) | ||
60 | errExit("asprintf"); | ||
61 | |||
62 | int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); | ||
63 | int lfd = open(devloop, O_RDONLY); | ||
64 | if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) { | ||
65 | fprintf(stderr, "Error: cannot configure the loopback device\n"); | ||
66 | exit(1); | ||
67 | } | ||
68 | close(lfd); | ||
69 | close(ffd); | ||
70 | |||
71 | char dirname[] = "/tmp/firejail-mnt-XXXXXX"; | ||
72 | mntdir = strdup(mkdtemp(dirname)); | ||
73 | if (mntdir == NULL) { | ||
74 | fprintf(stderr, "Error: cannot create temporary directory\n"); | ||
75 | exit(1); | ||
76 | } | ||
77 | mkdir(mntdir, 755); | ||
78 | if (chown(mntdir, getuid(), getgid()) == -1) | ||
79 | errExit("chown"); | ||
80 | if (chmod(mntdir, 755) == -1) | ||
81 | errExit("chmod"); | ||
82 | |||
83 | char *mode; | ||
84 | if (asprintf(&mode, "mode=755,uid=%d,gid=%d", getuid(), getgid()) == -1) | ||
85 | errExit("asprintf"); | ||
86 | |||
87 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) | ||
88 | errExit("mounting appimage"); | ||
89 | |||
90 | |||
91 | if (arg_debug) | ||
92 | printf("appimage mounted on %s\n", mntdir); | ||
93 | EUID_USER(); | ||
94 | |||
95 | if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) | ||
96 | errExit("setenv"); | ||
97 | |||
98 | if (mntdir && setenv("APPDIR", mntdir, 1) < 0) | ||
99 | errExit("setenv"); | ||
100 | |||
101 | // build new command line | ||
102 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) | ||
103 | errExit("asprintf"); | ||
104 | |||
105 | free(mode); | ||
106 | } | ||
107 | |||
108 | void appimage_clear(void) { | ||
109 | int rv; | ||
110 | |||
111 | if (mntdir) { | ||
112 | rv = umount2(mntdir, MNT_FORCE); | ||
113 | if (rv == -1 && errno == EBUSY) { | ||
114 | sleep(1); | ||
115 | rv = umount2(mntdir, MNT_FORCE); | ||
116 | (void) rv; | ||
117 | |||
118 | } | ||
119 | rmdir(mntdir); | ||
120 | free(mntdir); | ||
121 | } | ||
122 | |||
123 | if (devloop) { | ||
124 | int lfd = open(devloop, O_RDONLY); | ||
125 | rv = ioctl(lfd, LOOP_CLR_FD, 0); | ||
126 | (void) rv; | ||
127 | close(lfd); | ||
128 | } | ||
129 | } | ||
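Review bot: `mkdir(mntdir, 755)` and `chmod(mntdir, 755)` pass decimal 755 (octal 01363: sticky bit, owner wx, group rw, other wx) where `0755` is intended, and the `mkdir` is redundant because `mkdtemp()` has already created the directory. The three `open()` calls — `/dev/loop-control`, the AppImage file and the loop device — are never checked, so a failed open reaches `ioctl(-1, …)` and is reported as a loopback configuration error rather than the open failure. Since this sequence runs under `EUID_ROOT()` on a user-supplied image, clear failure reporting matters; the rewritten lines are below. Minor: `appimage_clear()` frees `mntdir` without resetting it and never frees `devloop`.
```c
	// find or allocate a free loop device to use
	int cfd = open("/dev/loop-control", O_RDWR);
	if (cfd == -1)
		errExit("open /dev/loop-control");
	/* … unchanged: LOOP_CTL_GET_FREE, close(cfd), devloop name … */
	int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
	if (ffd == -1)
		errExit("open appimage");
	int lfd = open(devloop, O_RDONLY);
	if (lfd == -1)
		errExit("open loop device");
	/* … unchanged: LOOP_SET_FD, close(lfd), close(ffd), mkdtemp … */
	// mkdtemp() already created the directory; only fix ownership and mode
	if (chown(mntdir, getuid(), getgid()) == -1)
		errExit("chown");
	if (chmod(mntdir, 0755) == -1)
		errExit("chmod");
```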
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 0be23b9bc..34c5ca509 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -112,28 +112,11 @@ int fibw_count(void) { | |||
112 | 112 | ||
113 | 113 | ||
114 | //*********************************** | 114 | //*********************************** |
115 | // shm file handling | 115 | // run file handling |
116 | //*********************************** | 116 | //*********************************** |
117 | void shm_create_firejail_dir(void) { | 117 | static void bandwidth_create_run_file(pid_t pid) { |
118 | struct stat s; | ||
119 | if (stat("/dev/shm/firejail", &s) == -1) { | ||
120 | /* coverity[toctou] */ | ||
121 | if (mkdir("/dev/shm/firejail", 0644) == -1) | ||
122 | errExit("mkdir"); | ||
123 | if (chown("/dev/shm/firejail", 0, 0) == -1) | ||
124 | errExit("chown"); | ||
125 | } | ||
126 | else { // check /dev/shm/firejail directory belongs to root end exit if doesn't! | ||
127 | if (s.st_uid != 0 || s.st_gid != 0) { | ||
128 | fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail"); | ||
129 | exit(1); | ||
130 | } | ||
131 | } | ||
132 | } | ||
133 | |||
134 | static void shm_create_bandwidth_file(pid_t pid) { | ||
135 | char *fname; | 118 | char *fname; |
136 | if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1) | 119 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
137 | errExit("asprintf"); | 120 | errExit("asprintf"); |
138 | 121 | ||
139 | // if the file already exists, do nothing | 122 | // if the file already exists, do nothing |
@@ -157,33 +140,33 @@ static void shm_create_bandwidth_file(pid_t pid) { | |||
157 | errExit("chown"); | 140 | errExit("chown"); |
158 | } | 141 | } |
159 | else { | 142 | else { |
160 | fprintf(stderr, "Error: cannot create bandwidth file in /dev/shm/firejail directory\n"); | 143 | fprintf(stderr, "Error: cannot create bandwidth file\n"); |
161 | exit(1); | 144 | exit(1); |
162 | } | 145 | } |
163 | 146 | ||
164 | free(fname); | 147 | free(fname); |
165 | } | 148 | } |
166 | 149 | ||
167 | // delete shm bandwidth file | 150 | // delete bandwidth file |
168 | void bandwidth_shm_del_file(pid_t pid) { | 151 | void bandwidth_del_run_file(pid_t pid) { |
169 | char *fname; | 152 | char *fname; |
170 | if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1) | 153 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
171 | errExit("asprintf"); | 154 | errExit("asprintf"); |
172 | unlink(fname); | 155 | unlink(fname); |
173 | free(fname); | 156 | free(fname); |
174 | } | 157 | } |
175 | 158 | ||
176 | void network_shm_del_file(pid_t pid) { | 159 | void network_del_run_file(pid_t pid) { |
177 | char *fname; | 160 | char *fname; |
178 | if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1) | 161 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) |
179 | errExit("asprintf"); | 162 | errExit("asprintf"); |
180 | unlink(fname); | 163 | unlink(fname); |
181 | free(fname); | 164 | free(fname); |
182 | } | 165 | } |
183 | 166 | ||
184 | void network_shm_set_file(pid_t pid) { | 167 | void network_set_run_file(pid_t pid) { |
185 | char *fname; | 168 | char *fname; |
186 | if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1) | 169 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) |
187 | errExit("asprintf"); | 170 | errExit("asprintf"); |
188 | 171 | ||
189 | // create an empty file and set mod and ownership | 172 | // create an empty file and set mod and ownership |
@@ -205,7 +188,7 @@ void network_shm_set_file(pid_t pid) { | |||
205 | errExit("chown"); | 188 | errExit("chown"); |
206 | } | 189 | } |
207 | else { | 190 | else { |
208 | fprintf(stderr, "Error: cannot create network map file in /dev/shm/firejail directory\n"); | 191 | fprintf(stderr, "Error: cannot create network map file\n"); |
209 | exit(1); | 192 | exit(1); |
210 | } | 193 | } |
211 | 194 | ||
@@ -213,11 +196,11 @@ void network_shm_set_file(pid_t pid) { | |||
213 | } | 196 | } |
214 | 197 | ||
215 | 198 | ||
216 | void shm_read_bandwidth_file(pid_t pid) { | 199 | static void read_bandwidth_file(pid_t pid) { |
217 | assert(ifbw == NULL); | 200 | assert(ifbw == NULL); |
218 | 201 | ||
219 | char *fname; | 202 | char *fname; |
220 | if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1) | 203 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
221 | errExit("asprintf"); | 204 | errExit("asprintf"); |
222 | 205 | ||
223 | FILE *fp = fopen(fname, "r"); | 206 | FILE *fp = fopen(fname, "r"); |
@@ -248,12 +231,12 @@ void shm_read_bandwidth_file(pid_t pid) { | |||
248 | } | 231 | } |
249 | } | 232 | } |
250 | 233 | ||
251 | void shm_write_bandwidth_file(pid_t pid) { | 234 | static void write_bandwidth_file(pid_t pid) { |
252 | if (ifbw == NULL) | 235 | if (ifbw == NULL) |
253 | return; // nothing to do | 236 | return; // nothing to do |
254 | 237 | ||
255 | char *fname; | 238 | char *fname; |
256 | if (asprintf(&fname, "/dev/shm/firejail/%d-bandwidth", (int) pid) == -1) | 239 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
257 | errExit("asprintf"); | 240 | errExit("asprintf"); |
258 | 241 | ||
259 | FILE *fp = fopen(fname, "w"); | 242 | FILE *fp = fopen(fname, "w"); |
@@ -279,33 +262,30 @@ errout: | |||
279 | // add or remove interfaces | 262 | // add or remove interfaces |
280 | //*********************************** | 263 | //*********************************** |
281 | 264 | ||
282 | // remove interface from shm file | 265 | // remove interface from run file |
283 | void bandwidth_shm_remove(pid_t pid, const char *dev) { | 266 | void bandwidth_remove(pid_t pid, const char *dev) { |
284 | // create bandwidth directory & file in case they are not in the filesystem yet | 267 | bandwidth_create_run_file(pid); |
285 | shm_create_firejail_dir(); | ||
286 | shm_create_bandwidth_file(pid); | ||
287 | 268 | ||
288 | // read bandwidth file | 269 | // read bandwidth file |
289 | shm_read_bandwidth_file(pid); | 270 | read_bandwidth_file(pid); |
290 | 271 | ||
291 | // find the element and remove it | 272 | // find the element and remove it |
292 | IFBW *elem = ifbw_find(dev); | 273 | IFBW *elem = ifbw_find(dev); |
293 | if (elem) { | 274 | if (elem) { |
294 | ifbw_remove(elem); | 275 | ifbw_remove(elem); |
295 | shm_write_bandwidth_file(pid) ; | 276 | write_bandwidth_file(pid) ; |
296 | } | 277 | } |
297 | 278 | ||
298 | // remove the file if there are no entries in the list | 279 | // remove the file if there are no entries in the list |
299 | if (ifbw == NULL) { | 280 | if (ifbw == NULL) { |
300 | bandwidth_shm_del_file(pid); | 281 | bandwidth_del_run_file(pid); |
301 | } | 282 | } |
302 | } | 283 | } |
303 | 284 | ||
304 | // add interface to shm file | 285 | // add interface to run file |
305 | void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) { | 286 | void bandwidth_set(pid_t pid, const char *dev, int down, int up) { |
306 | // create bandwidth directory & file in case they are not in the filesystem yet | 287 | // create bandwidth directory & file in case they are not in the filesystem yet |
307 | shm_create_firejail_dir(); | 288 | bandwidth_create_run_file(pid); |
308 | shm_create_bandwidth_file(pid); | ||
309 | 289 | ||
310 | // create the new text entry | 290 | // create the new text entry |
311 | char *txt; | 291 | char *txt; |
@@ -313,7 +293,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) { | |||
313 | errExit("asprintf"); | 293 | errExit("asprintf"); |
314 | 294 | ||
315 | // read bandwidth file | 295 | // read bandwidth file |
316 | shm_read_bandwidth_file(pid); | 296 | read_bandwidth_file(pid); |
317 | 297 | ||
318 | // look for an existing entry and replace the text | 298 | // look for an existing entry and replace the text |
319 | IFBW *ptr = ifbw_find(dev); | 299 | IFBW *ptr = ifbw_find(dev); |
@@ -333,7 +313,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) { | |||
333 | // add it to the linked list | 313 | // add it to the linked list |
334 | ifbw_add(ifbw_new); | 314 | ifbw_add(ifbw_new); |
335 | } | 315 | } |
336 | shm_write_bandwidth_file(pid) ; | 316 | write_bandwidth_file(pid) ; |
337 | } | 317 | } |
338 | 318 | ||
339 | 319 | ||
@@ -341,6 +321,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) { | |||
341 | // command execution | 321 | // command execution |
342 | //*********************************** | 322 | //*********************************** |
343 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) { | 323 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) { |
324 | EUID_ASSERT(); | ||
344 | if (!name || strlen(name) == 0) { | 325 | if (!name || strlen(name) == 0) { |
345 | fprintf(stderr, "Error: invalid sandbox name\n"); | 326 | fprintf(stderr, "Error: invalid sandbox name\n"); |
346 | exit(1); | 327 | exit(1); |
@@ -355,10 +336,13 @@ void bandwidth_name(const char *name, const char *command, const char *dev, int | |||
355 | } | 336 | } |
356 | 337 | ||
357 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { | 338 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { |
339 | EUID_ASSERT(); | ||
358 | //************************ | 340 | //************************ |
359 | // verify sandbox | 341 | // verify sandbox |
360 | //************************ | 342 | //************************ |
343 | EUID_ROOT(); | ||
361 | char *comm = pid_proc_comm(pid); | 344 | char *comm = pid_proc_comm(pid); |
345 | EUID_USER(); | ||
362 | if (!comm) { | 346 | if (!comm) { |
363 | fprintf(stderr, "Error: cannot find sandbox\n"); | 347 | fprintf(stderr, "Error: cannot find sandbox\n"); |
364 | exit(1); | 348 | exit(1); |
@@ -372,13 +356,14 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
372 | free(comm); | 356 | free(comm); |
373 | 357 | ||
374 | // check network namespace | 358 | // check network namespace |
375 | char *cmd = pid_proc_cmdline(pid); | 359 | char *name; |
376 | if (!cmd || strstr(cmd, "--net") == NULL) { | 360 | if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1) |
361 | errExit("asprintf"); | ||
362 | struct stat s; | ||
363 | if (stat(name, &s) == -1) { | ||
377 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); | 364 | fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); |
378 | exit(1); | 365 | exit(1); |
379 | } | 366 | } |
380 | free(cmd); | ||
381 | |||
382 | 367 | ||
383 | //************************ | 368 | //************************ |
384 | // join the network namespace | 369 | // join the network namespace |
@@ -388,25 +373,27 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
388 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 373 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
389 | exit(1); | 374 | exit(1); |
390 | } | 375 | } |
376 | |||
377 | EUID_ROOT(); | ||
391 | if (join_namespace(child, "net")) { | 378 | if (join_namespace(child, "net")) { |
392 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 379 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
393 | exit(1); | 380 | exit(1); |
394 | } | 381 | } |
395 | 382 | ||
396 | // set shm file | 383 | // set run file |
397 | if (strcmp(command, "set") == 0) | 384 | if (strcmp(command, "set") == 0) |
398 | bandwidth_shm_set(pid, dev, down, up); | 385 | bandwidth_set(pid, dev, down, up); |
399 | else if (strcmp(command, "clear") == 0) | 386 | else if (strcmp(command, "clear") == 0) |
400 | bandwidth_shm_remove(pid, dev); | 387 | bandwidth_remove(pid, dev); |
401 | 388 | ||
402 | //************************ | 389 | //************************ |
403 | // build command | 390 | // build command |
404 | //************************ | 391 | //************************ |
405 | char *devname = NULL; | 392 | char *devname = NULL; |
406 | if (dev) { | 393 | if (dev) { |
407 | // read shm network map file | 394 | // read network map file |
408 | char *fname; | 395 | char *fname; |
409 | if (asprintf(&fname, "/dev/shm/firejail/%d-netmap", (int) pid) == -1) | 396 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) |
410 | errExit("asprintf"); | 397 | errExit("asprintf"); |
411 | FILE *fp = fopen(fname, "r"); | 398 | FILE *fp = fopen(fname, "r"); |
412 | if (!fp) { | 399 | if (!fp) { |
@@ -441,7 +428,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
441 | } | 428 | } |
442 | 429 | ||
443 | // build fshaper.sh command | 430 | // build fshaper.sh command |
444 | cmd = NULL; | 431 | char *cmd = NULL; |
445 | if (devname) { | 432 | if (devname) { |
446 | if (strcmp(command, "set") == 0) { | 433 | if (strcmp(command, "set") == 0) { |
447 | if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d", | 434 | if (asprintf(&cmd, "%s/firejail/fshaper.sh --%s %s %d %d", |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index de7c93b48..2d42c7d8a 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -247,11 +247,13 @@ void caps_print(void) { | |||
247 | // check current caps supported by the kernel | 247 | // check current caps supported by the kernel |
248 | int cnt = 0; | 248 | int cnt = 0; |
249 | unsigned long cap; | 249 | unsigned long cap; |
250 | EUID_ROOT(); // grsecurity fix | ||
250 | for (cap=0; cap <= 63; cap++) { | 251 | for (cap=0; cap <= 63; cap++) { |
251 | int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); | 252 | int code = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); |
252 | if (code == 0) | 253 | if (code == 0) |
253 | cnt++; | 254 | cnt++; |
254 | } | 255 | } |
256 | EUID_USER(); | ||
255 | printf("Your kernel supports %d capabilities.\n", cnt); | 257 | printf("Your kernel supports %d capabilities.\n", cnt); |
256 | 258 | ||
257 | for (i = 0; i < elems; i++) { | 259 | for (i = 0; i < elems; i++) { |
@@ -373,7 +375,9 @@ static uint64_t extract_caps(int pid) { | |||
373 | exit(1); | 375 | exit(1); |
374 | } | 376 | } |
375 | 377 | ||
378 | EUID_ROOT(); // grsecurity | ||
376 | FILE *fp = fopen(file, "r"); | 379 | FILE *fp = fopen(file, "r"); |
380 | EUID_USER(); // grsecurity | ||
377 | if (!fp) { | 381 | if (!fp) { |
378 | printf("Error: cannot open %s\n", file); | 382 | printf("Error: cannot open %s\n", file); |
379 | free(file); | 383 | free(file); |
@@ -417,7 +421,9 @@ void caps_print_filter(pid_t pid) { | |||
417 | EUID_ASSERT(); | 421 | EUID_ASSERT(); |
418 | 422 | ||
419 | // if the pid is that of a firejail process, use the pid of the first child process | 423 | // if the pid is that of a firejail process, use the pid of the first child process |
424 | EUID_ROOT(); // grsecurity | ||
420 | char *comm = pid_proc_comm(pid); | 425 | char *comm = pid_proc_comm(pid); |
426 | EUID_USER(); // grsecurity | ||
421 | if (comm) { | 427 | if (comm) { |
422 | if (strcmp(comm, "firejail") == 0) { | 428 | if (strcmp(comm, "firejail") == 0) { |
423 | pid_t child; | 429 | pid_t child; |
@@ -439,8 +445,6 @@ void caps_print_filter(pid_t pid) { | |||
439 | } | 445 | } |
440 | 446 | ||
441 | uint64_t caps = extract_caps(pid); | 447 | uint64_t caps = extract_caps(pid); |
442 | drop_privs(1); | ||
443 | |||
444 | int i; | 448 | int i; |
445 | uint64_t mask; | 449 | uint64_t mask; |
446 | int elems = sizeof(capslist) / sizeof(capslist[0]); | 450 | int elems = sizeof(capslist) / sizeof(capslist[0]); |
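Review bot: The capability probe in caps_print is now bracketed by `EUID_ROOT()`/`EUID_USER()`, and `prctl(PR_CAPBSET_DROP, cap, 0, 0, 0)` is not a read-only probe — with root privileges every successful call really removes that capability from this process's bounding set, so the loop counts the kernel's capabilities by discarding all of them. If the intent is only to count, `int code = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);` with `if (code >= 0) cnt++;` gives the same count (valid capabilities return 0 or 1, unknown ones fail with EINVAL) without privileges or side effects, and the `EUID_ROOT()`/`EUID_USER()` pair around the loop can be dropped. The removal of `drop_privs(1)` after `extract_caps(pid)` in caps_print_filter also deserves a comment: if `EUID_USER()` is a seteuid() switch as its name suggests, the process keeps the ability to regain root for the rest of the function, which an irreversible drop did not allow. The remainder of caps_print_filter is outside this section, so confirm nothing after this point relied on that drop.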
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 9ac08b1a6..7de491f5f 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -24,6 +24,9 @@ | |||
24 | 24 | ||
25 | static int initialized = 0; | 25 | static int initialized = 0; |
26 | static int cfg_val[CFG_MAX]; | 26 | static int cfg_val[CFG_MAX]; |
27 | char *xephyr_screen = "800x600"; | ||
28 | char *xephyr_extra_params = ""; | ||
29 | char *netfilter_default = NULL; | ||
27 | 30 | ||
28 | int checkcfg(int val) { | 31 | int checkcfg(int val) { |
29 | EUID_ASSERT(); | 32 | EUID_ASSERT(); |
@@ -35,6 +38,9 @@ int checkcfg(int val) { | |||
35 | int i; | 38 | int i; |
36 | for (i = 0; i < CFG_MAX; i++) | 39 | for (i = 0; i < CFG_MAX; i++) |
37 | cfg_val[i] = 1; // most of them are enabled by default | 40 | cfg_val[i] = 1; // most of them are enabled by default |
41 | |||
42 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | ||
43 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default | ||
38 | 44 | ||
39 | // open configuration file | 45 | // open configuration file |
40 | char *fname; | 46 | char *fname; |
@@ -43,10 +49,24 @@ int checkcfg(int val) { | |||
43 | 49 | ||
44 | FILE *fp = fopen(fname, "r"); | 50 | FILE *fp = fopen(fname, "r"); |
45 | if (!fp) { | 51 | if (!fp) { |
46 | fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); | 52 | #ifdef HAVE_GLOBALCFG |
53 | fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname); | ||
47 | exit(1); | 54 | exit(1); |
55 | #else | ||
56 | initialized = 1; | ||
57 | return cfg_val[val]; | ||
58 | #endif | ||
48 | } | 59 | } |
49 | 60 | ||
61 | // if the file exists, it should be owned by root | ||
62 | struct stat s; | ||
63 | if (stat(fname, &s) == -1) | ||
64 | errExit("stat"); | ||
65 | if (s.st_uid != 0 || s.st_gid != 0) { | ||
66 | fprintf(stderr, "Error: configuration file should be owned by root\n"); | ||
67 | exit(1); | ||
68 | } | ||
69 | |||
50 | // read configuration file | 70 | // read configuration file |
51 | char buf[MAX_READ]; | 71 | char buf[MAX_READ]; |
52 | while (fgets(buf,MAX_READ, fp)) { | 72 | while (fgets(buf,MAX_READ, fp)) { |
@@ -58,7 +78,8 @@ int checkcfg(int val) { | |||
58 | char *ptr = line_remove_spaces(buf); | 78 | char *ptr = line_remove_spaces(buf); |
59 | if (!ptr) | 79 | if (!ptr) |
60 | continue; | 80 | continue; |
61 | 81 | ||
82 | // file transfer | ||
62 | if (strncmp(ptr, "file-transfer ", 14) == 0) { | 83 | if (strncmp(ptr, "file-transfer ", 14) == 0) { |
63 | if (strcmp(ptr + 14, "yes") == 0) | 84 | if (strcmp(ptr + 14, "yes") == 0) |
64 | cfg_val[CFG_FILE_TRANSFER] = 1; | 85 | cfg_val[CFG_FILE_TRANSFER] = 1; |
@@ -67,8 +88,142 @@ int checkcfg(int val) { | |||
67 | else | 88 | else |
68 | goto errout; | 89 | goto errout; |
69 | } | 90 | } |
91 | // x11 | ||
92 | else if (strncmp(ptr, "x11 ", 4) == 0) { | ||
93 | if (strcmp(ptr + 4, "yes") == 0) | ||
94 | cfg_val[CFG_X11] = 1; | ||
95 | else if (strcmp(ptr + 4, "no") == 0) | ||
96 | cfg_val[CFG_X11] = 0; | ||
97 | else | ||
98 | goto errout; | ||
99 | } | ||
100 | // bind | ||
101 | else if (strncmp(ptr, "bind ", 5) == 0) { | ||
102 | if (strcmp(ptr + 5, "yes") == 0) | ||
103 | cfg_val[CFG_BIND] = 1; | ||
104 | else if (strcmp(ptr + 5, "no") == 0) | ||
105 | cfg_val[CFG_BIND] = 0; | ||
106 | else | ||
107 | goto errout; | ||
108 | } | ||
109 | // user namespace | ||
110 | else if (strncmp(ptr, "userns ", 7) == 0) { | ||
111 | if (strcmp(ptr + 7, "yes") == 0) | ||
112 | cfg_val[CFG_USERNS] = 1; | ||
113 | else if (strcmp(ptr + 7, "no") == 0) | ||
114 | cfg_val[CFG_USERNS] = 0; | ||
115 | else | ||
116 | goto errout; | ||
117 | } | ||
118 | // chroot | ||
119 | else if (strncmp(ptr, "chroot ", 7) == 0) { | ||
120 | if (strcmp(ptr + 7, "yes") == 0) | ||
121 | cfg_val[CFG_CHROOT] = 1; | ||
122 | else if (strcmp(ptr + 7, "no") == 0) | ||
123 | cfg_val[CFG_CHROOT] = 0; | ||
124 | else | ||
125 | goto errout; | ||
126 | } | ||
127 | // nonewprivs | ||
128 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | ||
129 | if (strcmp(ptr + 17, "yes") == 0) | ||
130 | cfg_val[CFG_SECCOMP] = 1; | ||
131 | else if (strcmp(ptr + 17, "no") == 0) | ||
132 | cfg_val[CFG_SECCOMP] = 0; | ||
133 | else | ||
134 | goto errout; | ||
135 | } | ||
136 | // seccomp | ||
137 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | ||
138 | if (strcmp(ptr + 8, "yes") == 0) | ||
139 | cfg_val[CFG_SECCOMP] = 1; | ||
140 | else if (strcmp(ptr + 8, "no") == 0) | ||
141 | cfg_val[CFG_SECCOMP] = 0; | ||
142 | else | ||
143 | goto errout; | ||
144 | } | ||
145 | // whitelist | ||
146 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
147 | if (strcmp(ptr + 10, "yes") == 0) | ||
148 | cfg_val[CFG_WHITELIST] = 1; | ||
149 | else if (strcmp(ptr + 10, "no") == 0) | ||
150 | cfg_val[CFG_WHITELIST] = 0; | ||
151 | else | ||
152 | goto errout; | ||
153 | } | ||
154 | // network | ||
155 | else if (strncmp(ptr, "network ", 8) == 0) { | ||
156 | if (strcmp(ptr + 8, "yes") == 0) | ||
157 | cfg_val[CFG_NETWORK] = 1; | ||
158 | else if (strcmp(ptr + 8, "no") == 0) | ||
159 | cfg_val[CFG_NETWORK] = 0; | ||
160 | else | ||
161 | goto errout; | ||
162 | } | ||
163 | // network | ||
164 | else if (strncmp(ptr, "restricted-network ", 19) == 0) { | ||
165 | if (strcmp(ptr + 19, "yes") == 0) | ||
166 | cfg_val[CFG_RESTRICTED_NETWORK] = 1; | ||
167 | else if (strcmp(ptr + 19, "no") == 0) | ||
168 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; | ||
169 | else | ||
170 | goto errout; | ||
171 | } | ||
172 | // netfilter | ||
173 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { | ||
174 | char *fname = ptr + 18; | ||
175 | while (*fname == ' ' || *fname == '\t') | ||
176 | ptr++; | ||
177 | char *end = strchr(fname, ' '); | ||
178 | if (end) | ||
179 | *end = '\0'; | ||
180 | |||
181 | // is the file present? | ||
182 | struct stat s; | ||
183 | if (stat(fname, &s) == -1) { | ||
184 | fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); | ||
185 | exit(1); | ||
186 | } | ||
187 | |||
188 | netfilter_default = strdup(fname); | ||
189 | if (!netfilter_default) | ||
190 | errExit("strdup"); | ||
191 | if (arg_debug) | ||
192 | printf("netfilter default file %s\n", fname); | ||
193 | } | ||
194 | |||
195 | // Xephyr screen size | ||
196 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | ||
197 | // expecting two numbers and an x between them | ||
198 | int n1; | ||
199 | int n2; | ||
200 | int rv = sscanf(ptr + 14, "%dx%d", &n1, &n2); | ||
201 | if (rv != 2) | ||
202 | goto errout; | ||
203 | if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) | ||
204 | errExit("asprintf"); | ||
205 | } | ||
206 | |||
207 | // xephyr window title | ||
208 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | ||
209 | if (strcmp(ptr + 20, "yes") == 0) | ||
210 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; | ||
211 | else if (strcmp(ptr + 20, "no") == 0) | ||
212 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; | ||
213 | else | ||
214 | goto errout; | ||
215 | } | ||
216 | |||
217 | // Xephyr command extra parameters | ||
218 | else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { | ||
219 | xephyr_extra_params = strdup(ptr + 19); | ||
220 | if (!xephyr_extra_params) | ||
221 | errExit("strdup"); | ||
222 | } | ||
223 | |||
70 | else | 224 | else |
71 | goto errout; | 225 | goto errout; |
226 | |||
72 | free(ptr); | 227 | free(ptr); |
73 | } | 228 | } |
74 | 229 | ||
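Review bot: The `force-nonewprivs` branch writes `cfg_val[CFG_SECCOMP]` instead of `cfg_val[CFG_FORCE_NONEWPRIVS]`, so the new `cfg_val[CFG_FORCE_NONEWPRIVS] = 0` default can never be changed from the config file and `force-nonewprivs no` silently switches seccomp off; the two assignments should read `cfg_val[CFG_FORCE_NONEWPRIVS] = 1;` and `cfg_val[CFG_FORCE_NONEWPRIVS] = 0;`. The new root-ownership check stats the path after the file was already opened and ignores the mode; use `fstat(fileno(fp), &s)` on the open descriptor and additionally reject `s.st_mode & (S_IWGRP | S_IWOTH)`, since a root-owned but group- or world-writable file is no better than a non-root one. In the `netfilter-default` branch the whitespace-skipping loop advances `ptr` instead of `fname`, so it never terminates when the value begins with a space or tab; it should be `fname++`. That referenced file is only checked for existence, yet it is presumably loaded into the firewall with root privileges later, so it deserves the same ownership and mode check as the configuration file itself. Separately, `xephyr-extra-params ` is 20 characters long but the `strncmp` length and the `ptr + 19` offset use 19, so the stored value starts with the separating space.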
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 23906ae48..1802ad5e1 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) { | |||
139 | printf("CPU affinity not set\n"); | 139 | printf("CPU affinity not set\n"); |
140 | } | 140 | } |
141 | } | 141 | } |
142 | |||
143 | static void print_cpu(int pid) { | ||
144 | char *file; | ||
145 | if (asprintf(&file, "/proc/%d/status", pid) == -1) { | ||
146 | errExit("asprintf"); | ||
147 | exit(1); | ||
148 | } | ||
149 | |||
150 | EUID_ROOT(); // grsecurity | ||
151 | FILE *fp = fopen(file, "r"); | ||
152 | EUID_USER(); // grsecurity | ||
153 | if (!fp) { | ||
154 | printf(" Error: cannot open %s\n", file); | ||
155 | free(file); | ||
156 | return; | ||
157 | } | ||
158 | |||
159 | #define MAXBUF 4096 | ||
160 | char buf[MAXBUF]; | ||
161 | while (fgets(buf, MAXBUF, fp)) { | ||
162 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { | ||
163 | printf(" %s", buf); | ||
164 | fflush(0); | ||
165 | free(file); | ||
166 | fclose(fp); | ||
167 | return; | ||
168 | } | ||
169 | } | ||
170 | fclose(fp); | ||
171 | free(file); | ||
172 | } | ||
173 | |||
174 | void cpu_print_filter_name(const char *name) { | ||
175 | EUID_ASSERT(); | ||
176 | if (!name || strlen(name) == 0) { | ||
177 | fprintf(stderr, "Error: invalid sandbox name\n"); | ||
178 | exit(1); | ||
179 | } | ||
180 | pid_t pid; | ||
181 | if (name2pid(name, &pid)) { | ||
182 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | ||
183 | exit(1); | ||
184 | } | ||
185 | |||
186 | cpu_print_filter(pid); | ||
187 | } | ||
188 | |||
189 | void cpu_print_filter(pid_t pid) { | ||
190 | EUID_ASSERT(); | ||
191 | |||
192 | // if the pid is that of a firejail process, use the pid of the first child process | ||
193 | EUID_ROOT(); // grsecurity | ||
194 | char *comm = pid_proc_comm(pid); | ||
195 | EUID_USER(); // grsecurity | ||
196 | if (comm) { | ||
197 | if (strcmp(comm, "firejail") == 0) { | ||
198 | pid_t child; | ||
199 | if (find_child(pid, &child) == 0) { | ||
200 | pid = child; | ||
201 | } | ||
202 | } | ||
203 | free(comm); | ||
204 | } | ||
205 | |||
206 | // check privileges for non-root users | ||
207 | uid_t uid = getuid(); | ||
208 | if (uid != 0) { | ||
209 | uid_t sandbox_uid = pid_get_uid(pid); | ||
210 | if (uid != sandbox_uid) { | ||
211 | fprintf(stderr, "Error: permission denied.\n"); | ||
212 | exit(1); | ||
213 | } | ||
214 | } | ||
215 | |||
216 | print_cpu(pid); | ||
217 | exit(0); | ||
218 | } | ||
219 | |||
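Review bot: print_cpu opens `/proc/<pid>/status` with root privileges, so the `uid != sandbox_uid` comparison in cpu_print_filter is the only thing preventing one user from inspecting another user's sandbox; pid_get_uid is not visible here, so confirm it cannot return a value equal to the caller's uid on failure (for instance when the pid has already exited), otherwise the check fails open, and note that the pid can be recycled between the check and the open. The firejail-child lookup and this permission check are a verbatim copy of the ones in caps_print_filter, and the same `EUID_ROOT()`-wrapped `/proc` read appears in extract_caps; factoring both into one helper would keep the guard in a single place. Finally, the `exit(1)` after `errExit("asprintf")` is unreachable if errExit terminates as every other call site assumes, and `print_cpu` takes `int pid` while the rest of the file uses `pid_t`.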
diff --git a/src/firejail/env.c b/src/firejail/env.c index 54a6b0036..1a6236407 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -27,12 +27,27 @@ typedef struct env_t { | |||
27 | struct env_t *next; | 27 | struct env_t *next; |
28 | char *name; | 28 | char *name; |
29 | char *value; | 29 | char *value; |
30 | ENV_OP op; | ||
30 | } Env; | 31 | } Env; |
31 | static Env *envlist = NULL; | 32 | static Env *envlist = NULL; |
32 | 33 | ||
33 | static void env_add(Env *env) { | 34 | static void env_add(Env *env) { |
34 | env->next = envlist; | 35 | env->next = NULL; |
35 | envlist = env; | 36 | |
37 | // add the new entry at the end of the list | ||
38 | if (envlist == NULL) { | ||
39 | envlist = env; | ||
40 | return; | ||
41 | } | ||
42 | |||
43 | Env *ptr = envlist; | ||
44 | while (1) { | ||
45 | if (ptr->next == NULL) { | ||
46 | ptr->next = env; | ||
47 | break; | ||
48 | } | ||
49 | ptr = ptr->next; | ||
50 | } | ||
36 | } | 51 | } |
37 | 52 | ||
38 | // load IBUS env variables | 53 | // load IBUS env variables |
@@ -87,7 +102,7 @@ void env_ibus_load(void) { | |||
87 | if (arg_debug) | 102 | if (arg_debug) |
88 | printf("%s\n", buf); | 103 | printf("%s\n", buf); |
89 | EUID_USER(); | 104 | EUID_USER(); |
90 | env_store(buf); | 105 | env_store(buf, SETENV); |
91 | EUID_ROOT(); | 106 | EUID_ROOT(); |
92 | } | 107 | } |
93 | 108 | ||
@@ -126,7 +141,7 @@ void env_defaults(void) { | |||
126 | } | 141 | } |
127 | 142 | ||
128 | // parse and store the environment setting | 143 | // parse and store the environment setting |
129 | void env_store(const char *str) { | 144 | void env_store(const char *str, ENV_OP op) { |
130 | EUID_ASSERT(); | 145 | EUID_ASSERT(); |
131 | assert(str); | 146 | assert(str); |
132 | 147 | ||
@@ -134,11 +149,13 @@ void env_store(const char *str) { | |||
134 | if (*str == '\0') | 149 | if (*str == '\0') |
135 | goto errexit; | 150 | goto errexit; |
136 | char *ptr = strchr(str, '='); | 151 | char *ptr = strchr(str, '='); |
137 | if (!ptr) | 152 | if (op == SETENV) { |
138 | goto errexit; | 153 | if (!ptr) |
139 | ptr++; | 154 | goto errexit; |
140 | if (*ptr == '\0') | 155 | ptr++; |
141 | goto errexit; | 156 | if (*ptr == '\0') |
157 | goto errexit; | ||
158 | } | ||
142 | 159 | ||
143 | // build list entry | 160 | // build list entry |
144 | Env *env = malloc(sizeof(Env)); | 161 | Env *env = malloc(sizeof(Env)); |
@@ -148,10 +165,13 @@ void env_store(const char *str) { | |||
148 | env->name = strdup(str); | 165 | env->name = strdup(str); |
149 | if (env->name == NULL) | 166 | if (env->name == NULL) |
150 | errExit("strdup"); | 167 | errExit("strdup"); |
151 | char *ptr2 = strchr(env->name, '='); | 168 | if (op == SETENV) { |
152 | assert(ptr2); | 169 | char *ptr2 = strchr(env->name, '='); |
153 | *ptr2 = '\0'; | 170 | assert(ptr2); |
154 | env->value = ptr2 + 1; | 171 | *ptr2 = '\0'; |
172 | env->value = ptr2 + 1; | ||
173 | } | ||
174 | env->op = op; | ||
155 | 175 | ||
156 | // add entry to the list | 176 | // add entry to the list |
157 | env_add(env); | 177 | env_add(env); |
@@ -167,8 +187,13 @@ void env_apply(void) { | |||
167 | Env *env = envlist; | 187 | Env *env = envlist; |
168 | 188 | ||
169 | while (env) { | 189 | while (env) { |
170 | if (setenv(env->name, env->value, 1) < 0) | 190 | if (env->op == SETENV) { |
171 | errExit("setenv"); | 191 | if (setenv(env->name, env->value, 1) < 0) |
192 | errExit("setenv"); | ||
193 | } | ||
194 | else if (env->op == RMENV) { | ||
195 | unsetenv(env->name); | ||
196 | } | ||
172 | env = env->next; | 197 | env = env->next; |
173 | } | 198 | } |
174 | } | 199 | } |
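Review bot: For `op == RMENV` env_store leaves `env->value` uninitialised, since the malloc'd entry only gets `value` assigned inside the `if (op == SETENV)` block; add `env->value = NULL;` before `env->op = op;` so the field is never a dangling garbage pointer. A removal name containing `=` is also accepted, but `unsetenv()` rejects such names with EINVAL and env_apply discards its return value, so the request is silently ignored; rejecting it up front with `if (op == RMENV && ptr) goto errexit;` right after the `strchr` reuses the pointer already computed and turns the silent no-op into the same error path the SETENV form uses.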
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index bf0937f35..7a538327d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -44,6 +44,7 @@ | |||
44 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" | 44 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" |
45 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" | 45 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" |
46 | #define RUN_DRI_DIR "/run/firejail/mnt/dri" | 46 | #define RUN_DRI_DIR "/run/firejail/mnt/dri" |
47 | #define RUN_SND_DIR "/run/firejail/mnt/snd" | ||
47 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" | 48 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" |
48 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" | 49 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" |
49 | 50 | ||
@@ -68,7 +69,7 @@ | |||
68 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | 69 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" |
69 | 70 | ||
70 | // profiles | 71 | // profiles |
71 | #define DEFAULT_USER_PROFILE "generic" | 72 | #define DEFAULT_USER_PROFILE "default" |
72 | #define DEFAULT_ROOT_PROFILE "server" | 73 | #define DEFAULT_ROOT_PROFILE "server" |
73 | #define MAX_INCLUDE_LEVEL 6 // include levels in profile files | 74 | #define MAX_INCLUDE_LEVEL 6 // include levels in profile files |
74 | 75 | ||
@@ -182,6 +183,19 @@ typedef struct config_t { | |||
182 | } Config; | 183 | } Config; |
183 | extern Config cfg; | 184 | extern Config cfg; |
184 | 185 | ||
186 | static inline Bridge *last_bridge_configured(void) { | ||
187 | if (cfg.bridge3.configured) | ||
188 | return &cfg.bridge3; | ||
189 | else if (cfg.bridge2.configured) | ||
190 | return &cfg.bridge2; | ||
191 | else if (cfg.bridge1.configured) | ||
192 | return &cfg.bridge1; | ||
193 | else if (cfg.bridge0.configured) | ||
194 | return &cfg.bridge0; | ||
195 | else | ||
196 | return NULL; | ||
197 | } | ||
198 | |||
185 | static inline int any_bridge_configured(void) { | 199 | static inline int any_bridge_configured(void) { |
186 | if (cfg.bridge0.configured || cfg.bridge1.configured || cfg.bridge2.configured || cfg.bridge3.configured) | 200 | if (cfg.bridge0.configured || cfg.bridge1.configured || cfg.bridge2.configured || cfg.bridge3.configured) |
187 | return 1; | 201 | return 1; |
@@ -195,6 +209,7 @@ static inline int any_interface_configured(void) { | |||
195 | else | 209 | else |
196 | return 0; | 210 | return 0; |
197 | } | 211 | } |
212 | void clear_run_files(pid_t pid); | ||
198 | 213 | ||
199 | extern int arg_private; // mount private /home | 214 | extern int arg_private; // mount private /home |
200 | extern int arg_debug; // print debug messages | 215 | extern int arg_debug; // print debug messages |
@@ -223,6 +238,7 @@ extern int arg_rlimit_nproc; // rlimit nproc | |||
223 | extern int arg_rlimit_fsize; // rlimit fsize | 238 | extern int arg_rlimit_fsize; // rlimit fsize |
224 | extern int arg_rlimit_sigpending;// rlimit sigpending | 239 | extern int arg_rlimit_sigpending;// rlimit sigpending |
225 | extern int arg_nogroups; // disable supplementary groups | 240 | extern int arg_nogroups; // disable supplementary groups |
241 | extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl | ||
226 | extern int arg_noroot; // create a new user namespace and disable root user | 242 | extern int arg_noroot; // create a new user namespace and disable root user |
227 | extern int arg_netfilter; // enable netfilter | 243 | extern int arg_netfilter; // enable netfilter |
228 | extern int arg_netfilter6; // enable netfilter6 | 244 | extern int arg_netfilter6; // enable netfilter6 |
@@ -242,6 +258,11 @@ extern int arg_join_network; // join only the network namespace | |||
242 | extern int arg_join_filesystem; // join only the mount namespace | 258 | extern int arg_join_filesystem; // join only the mount namespace |
243 | extern int arg_nice; // nice value configured | 259 | extern int arg_nice; // nice value configured |
244 | extern int arg_ipc; // enable ipc namespace | 260 | extern int arg_ipc; // enable ipc namespace |
261 | extern int arg_writable_etc; // writable etc | ||
262 | extern int arg_writable_var; // writable var | ||
263 | extern int arg_appimage; // appimage | ||
264 | extern int arg_audit; // audit | ||
265 | extern char *arg_audit_prog; // audit | ||
245 | 266 | ||
246 | extern int parent_to_child_fds[2]; | 267 | extern int parent_to_child_fds[2]; |
247 | extern int child_to_parent_fds[2]; | 268 | extern int child_to_parent_fds[2]; |
@@ -264,6 +285,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); | |||
264 | void net_check_cfg(void); | 285 | void net_check_cfg(void); |
265 | void net_dns_print_name(const char *name); | 286 | void net_dns_print_name(const char *name); |
266 | void net_dns_print(pid_t pid); | 287 | void net_dns_print(pid_t pid); |
288 | void network_main(pid_t child); | ||
267 | 289 | ||
268 | // network.c | 290 | // network.c |
269 | void net_if_up(const char *ifname); | 291 | void net_if_up(const char *ifname); |
@@ -291,6 +313,8 @@ void fs_delete_cp_command(void) ; | |||
291 | void fs_blacklist(void); | 313 | void fs_blacklist(void); |
292 | // remount a directory read-only | 314 | // remount a directory read-only |
293 | void fs_rdonly(const char *dir); | 315 | void fs_rdonly(const char *dir); |
316 | // remount a directory noexec, nodev and nosuid | ||
317 | void fs_noexec(const char *dir); | ||
294 | // mount /proc and /sys directories | 318 | // mount /proc and /sys directories |
295 | void fs_proc_sys_dev_boot(void); | 319 | void fs_proc_sys_dev_boot(void); |
296 | // build a basic read-only filesystem | 320 | // build a basic read-only filesystem |
@@ -370,6 +394,7 @@ const char *gnu_basename(const char *path); | |||
370 | uid_t pid_get_uid(pid_t pid); | 394 | uid_t pid_get_uid(pid_t pid); |
371 | void invalid_filename(const char *fname); | 395 | void invalid_filename(const char *fname); |
372 | uid_t get_tty_gid(void); | 396 | uid_t get_tty_gid(void); |
397 | uid_t get_audio_gid(void); | ||
373 | 398 | ||
374 | // fs_var.c | 399 | // fs_var.c |
375 | void fs_var_log(void); // mounting /var/log | 400 | void fs_var_log(void); // mounting /var/log |
@@ -384,6 +409,7 @@ void dbg_test_dir(const char *dir); | |||
384 | // fs_dev.c | 409 | // fs_dev.c |
385 | void fs_dev_shm(void); | 410 | void fs_dev_shm(void); |
386 | void fs_private_dev(void); | 411 | void fs_private_dev(void); |
412 | void fs_dev_disable_sound(); | ||
387 | 413 | ||
388 | // fs_home.c | 414 | // fs_home.c |
389 | // private mode (--private) | 415 | // private mode (--private) |
@@ -436,6 +462,8 @@ void read_cpu_list(const char *str); | |||
436 | void set_cpu_affinity(void); | 462 | void set_cpu_affinity(void); |
437 | void load_cpu(const char *fname); | 463 | void load_cpu(const char *fname); |
438 | void save_cpu(void); | 464 | void save_cpu(void); |
465 | void cpu_print_filter_name(const char *name); | ||
466 | void cpu_print_filter(pid_t pid); | ||
439 | 467 | ||
440 | // cgroup.c | 468 | // cgroup.c |
441 | void save_cgroup(void); | 469 | void save_cgroup(void); |
@@ -451,24 +479,28 @@ void netfilter(const char *fname); | |||
451 | void netfilter6(const char *fname); | 479 | void netfilter6(const char *fname); |
452 | 480 | ||
453 | // bandwidth.c | 481 | // bandwidth.c |
454 | void shm_create_firejail_dir(void); | 482 | void bandwidth_del_run_file(pid_t pid); |
455 | void bandwidth_shm_del_file(pid_t pid); | ||
456 | void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up); | ||
457 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up); | 483 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up); |
458 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up); | 484 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up); |
459 | void network_shm_del_file(pid_t pid); | 485 | void network_del_run_file(pid_t pid); |
460 | void network_shm_set_file(pid_t pid); | 486 | void network_set_run_file(pid_t pid); |
461 | 487 | ||
462 | // fs_etc.c | 488 | // fs_etc.c |
463 | void fs_check_etc_list(void); | 489 | void fs_check_etc_list(void); |
464 | void fs_private_etc_list(void); | 490 | void fs_private_etc_list(void); |
465 | 491 | ||
466 | // no_sandbox.c | 492 | // no_sandbox.c |
493 | int check_namespace_virt(void); | ||
467 | int check_kernel_procs(void); | 494 | int check_kernel_procs(void); |
468 | void run_no_sandbox(int argc, char **argv); | 495 | void run_no_sandbox(int argc, char **argv); |
469 | 496 | ||
470 | // env.c | 497 | // env.c |
471 | void env_store(const char *str); | 498 | typedef enum { |
499 | SETENV = 0, | ||
500 | RMENV | ||
501 | } ENV_OP; | ||
502 | |||
503 | void env_store(const char *str, ENV_OP op); | ||
472 | void env_apply(void); | 504 | void env_apply(void); |
473 | void env_defaults(void); | 505 | void env_defaults(void); |
474 | void env_ibus_load(void); | 506 | void env_ibus_load(void); |
@@ -515,21 +547,19 @@ void fs_logger_print_log(pid_t pid); | |||
515 | // run_symlink.c | 547 | // run_symlink.c |
516 | void run_symlink(int argc, char **argv); | 548 | void run_symlink(int argc, char **argv); |
517 | 549 | ||
518 | // user.c | ||
519 | void check_user(int argc, char **argv); | ||
520 | |||
521 | // paths.c | 550 | // paths.c |
522 | char **build_paths(void); | 551 | char **build_paths(void); |
523 | 552 | ||
524 | // fs_mkdir.c | 553 | // fs_mkdir.c |
525 | void fs_mkdir(const char *name); | 554 | void fs_mkdir(const char *name); |
555 | void fs_mkfile(const char *name); | ||
526 | 556 | ||
527 | // x11.c | 557 | // x11.c |
528 | void fs_x11(void); | 558 | void fs_x11(void); |
529 | void x11_start(int argc, char **argv); | ||
530 | int x11_display(void); | 559 | int x11_display(void); |
531 | // return 1 if xpra is installed on the system | 560 | void x11_start(int argc, char **argv); |
532 | int x11_check_xpra(void); | 561 | void x11_start_xpra(int argc, char **argv); |
562 | void x11_start_xephyr(int argc, char **argv); | ||
533 | 563 | ||
534 | // ls.c | 564 | // ls.c |
535 | #define SANDBOX_FS_LS 0 | 565 | #define SANDBOX_FS_LS 0 |
@@ -539,8 +569,26 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
539 | 569 | ||
540 | // checkcfg.c | 570 | // checkcfg.c |
541 | #define CFG_FILE_TRANSFER 0 | 571 | #define CFG_FILE_TRANSFER 0 |
542 | #define CFG_MAX 1 // this should always be the last entry | 572 | #define CFG_X11 1 |
573 | #define CFG_BIND 2 | ||
574 | #define CFG_USERNS 3 | ||
575 | #define CFG_CHROOT 4 | ||
576 | #define CFG_SECCOMP 5 | ||
577 | #define CFG_NETWORK 6 | ||
578 | #define CFG_RESTRICTED_NETWORK 7 | ||
579 | #define CFG_FORCE_NONEWPRIVS 8 | ||
580 | #define CFG_WHITELIST 9 | ||
581 | #define CFG_XEPHYR_WINDOW_TITLE 10 | ||
582 | #define CFG_MAX 11 // this should always be the last entry | ||
583 | extern char *xephyr_screen; | ||
584 | extern char *xephyr_extra_params; | ||
585 | extern char *netfilter_default; | ||
543 | int checkcfg(int val); | 586 | int checkcfg(int val); |
544 | 587 | ||
588 | // appimage.c | ||
589 | void appimage_set(const char *appimage_path); | ||
590 | void appimage_clear(void); | ||
591 | const char *appimage_getdir(void); | ||
592 | |||
545 | #endif | 593 | #endif |
546 | 594 | ||
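Review bot: The new `void fs_dev_disable_sound();` declaration is the only one in this header without a prototype; in C an empty parameter list means "unspecified arguments", so calls are not type-checked, and it should read `void fs_dev_disable_sound(void);` like its neighbours. The new `get_audio_gid` copies `get_tty_gid`'s `uid_t` return type for what its name says is a group id; `gid_t get_audio_gid(void);` documents the intent even though the two typedefs usually share a representation. The `CFG_*` table gained entries whose defaults differ from the "enabled by default" rule (restricted-network and force-nonewprivs are off), which is worth a one-line comment next to the defines so readers of the header do not have to consult checkcfg.c.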
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index acee0ba1d..ff5887c10 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -27,6 +27,8 @@ | |||
27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
28 | #include <errno.h> | 28 | #include <errno.h> |
29 | 29 | ||
30 | static void fs_rdwr(const char *dir); | ||
31 | |||
30 | static void create_empty_dir(void) { | 32 | static void create_empty_dir(void) { |
31 | struct stat s; | 33 | struct stat s; |
32 | 34 | ||
@@ -228,6 +230,8 @@ typedef enum { | |||
228 | BLACKLIST_NOLOG, | 230 | BLACKLIST_NOLOG, |
229 | MOUNT_READONLY, | 231 | MOUNT_READONLY, |
230 | MOUNT_TMPFS, | 232 | MOUNT_TMPFS, |
233 | MOUNT_NOEXEC, | ||
234 | MOUNT_RDWR, | ||
231 | OPERATION_MAX | 235 | OPERATION_MAX |
232 | } OPERATION; | 236 | } OPERATION; |
233 | 237 | ||
@@ -248,8 +252,6 @@ static void disable_file(OPERATION op, const char *filename) { | |||
248 | // Resolve all symlinks | 252 | // Resolve all symlinks |
249 | char* fname = realpath(filename, NULL); | 253 | char* fname = realpath(filename, NULL); |
250 | if (fname == NULL && errno != EACCES) { | 254 | if (fname == NULL && errno != EACCES) { |
251 | if (arg_debug) | ||
252 | printf("Warning (realpath): %s is an invalid file, skipping...\n", filename); | ||
253 | return; | 255 | return; |
254 | } | 256 | } |
255 | if (fname == NULL && errno == EACCES) { | 257 | if (fname == NULL && errno == EACCES) { |
@@ -332,6 +334,18 @@ static void disable_file(OPERATION op, const char *filename) { | |||
332 | fs_rdonly(fname); | 334 | fs_rdonly(fname); |
333 | // todo: last_disable = SUCCESSFUL; | 335 | // todo: last_disable = SUCCESSFUL; |
334 | } | 336 | } |
337 | else if (op == MOUNT_RDWR) { | ||
338 | if (arg_debug) | ||
339 | printf("Mounting read-only %s\n", fname); | ||
340 | fs_rdwr(fname); | ||
341 | // todo: last_disable = SUCCESSFUL; | ||
342 | } | ||
343 | else if (op == MOUNT_NOEXEC) { | ||
344 | if (arg_debug) | ||
345 | printf("Mounting noexec %s\n", fname); | ||
346 | fs_noexec(fname); | ||
347 | // todo: last_disable = SUCCESSFUL; | ||
348 | } | ||
335 | else if (op == MOUNT_TMPFS) { | 349 | else if (op == MOUNT_TMPFS) { |
336 | if (S_ISDIR(s.st_mode)) { | 350 | if (S_ISDIR(s.st_mode)) { |
337 | if (arg_debug) | 351 | if (arg_debug) |
@@ -361,7 +375,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
361 | glob_t globbuf; | 375 | glob_t globbuf; |
362 | // Profiles contain blacklists for files that might not exist on a user's machine. | 376 | // Profiles contain blacklists for files that might not exist on a user's machine. |
363 | // GLOB_NOCHECK makes that okay. | 377 | // GLOB_NOCHECK makes that okay. |
364 | int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf); | 378 | int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); |
365 | if (globerr) { | 379 | if (globerr) { |
366 | fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); | 380 | fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); |
367 | exit(1); | 381 | exit(1); |
@@ -435,12 +449,12 @@ void fs_blacklist(void) { | |||
435 | } | 449 | } |
436 | struct stat s; | 450 | struct stat s; |
437 | if (stat(dname1, &s) == -1) { | 451 | if (stat(dname1, &s) == -1) { |
438 | fprintf(stderr, "Error: cannot find directories for bind command\n"); | 452 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname1); |
439 | entry = entry->next; | 453 | entry = entry->next; |
440 | continue; | 454 | continue; |
441 | } | 455 | } |
442 | if (stat(dname2, &s) == -1) { | 456 | if (stat(dname2, &s) == -1) { |
443 | fprintf(stderr, "Error: cannot find directories for bind command\n"); | 457 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname2); |
444 | entry = entry->next; | 458 | entry = entry->next; |
445 | continue; | 459 | continue; |
446 | } | 460 | } |
@@ -465,13 +479,11 @@ void fs_blacklist(void) { | |||
465 | // Process noblacklist command | 479 | // Process noblacklist command |
466 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { | 480 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { |
467 | if (noblacklist_c >= noblacklist_m) { | 481 | if (noblacklist_c >= noblacklist_m) { |
468 | noblacklist_m *= 2; | 482 | noblacklist_m *= 2; |
469 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); | 483 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); |
470 | if (noblacklist == NULL) | 484 | if (noblacklist == NULL) |
471 | errExit("failed increasing memory for noblacklist entries"); | 485 | errExit("failed increasing memory for noblacklist entries");} |
472 | } | 486 | noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir); |
473 | else | ||
474 | noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir); | ||
475 | entry = entry->next; | 487 | entry = entry->next; |
476 | continue; | 488 | continue; |
477 | } | 489 | } |
@@ -489,6 +501,14 @@ void fs_blacklist(void) { | |||
489 | ptr = entry->data + 10; | 501 | ptr = entry->data + 10; |
490 | op = MOUNT_READONLY; | 502 | op = MOUNT_READONLY; |
491 | } | 503 | } |
504 | else if (strncmp(entry->data, "read-write ", 11) == 0) { | ||
505 | ptr = entry->data + 11; | ||
506 | op = MOUNT_RDWR; | ||
507 | } | ||
508 | else if (strncmp(entry->data, "noexec ", 7) == 0) { | ||
509 | ptr = entry->data + 7; | ||
510 | op = MOUNT_NOEXEC; | ||
511 | } | ||
492 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { | 512 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { |
493 | ptr = entry->data + 6; | 513 | ptr = entry->data + 6; |
494 | op = MOUNT_TMPFS; | 514 | op = MOUNT_TMPFS; |
@@ -503,12 +523,12 @@ void fs_blacklist(void) { | |||
503 | char *new_name = expand_home(ptr, homedir); | 523 | char *new_name = expand_home(ptr, homedir); |
504 | ptr = new_name; | 524 | ptr = new_name; |
505 | 525 | ||
506 | // expand path macro - look for the file in /bin, /usr/bin, /sbin and /usr/sbin directories | 526 | // expand path macro - look for the file in /usr/local/bin, /usr/local/sbin, /bin, /usr/bin, /sbin and /usr/sbin directories |
507 | if (ptr) { | 527 | if (ptr) { |
508 | if (strncmp(ptr, "${PATH}", 7) == 0) { | 528 | if (strncmp(ptr, "${PATH}", 7) == 0) { |
509 | char *fname = ptr + 7; | 529 | char *fname = ptr + 7; |
510 | size_t fname_len = strlen(fname); | 530 | size_t fname_len = strlen(fname); |
511 | char **paths = build_paths(); //{"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL}; | 531 | char **paths = build_paths(); //{"/usr/local/bin", "/usr/local/sbin", "/bin", "/usr/bin/", "/sbin", "/usr/sbin", NULL}; |
512 | int i = 0; | 532 | int i = 0; |
513 | while (paths[i] != NULL) { | 533 | while (paths[i] != NULL) { |
514 | char *path = paths[i]; | 534 | char *path = paths[i]; |
@@ -552,6 +572,48 @@ void fs_rdonly(const char *dir) { | |||
552 | fs_logger2("read-only", dir); | 572 | fs_logger2("read-only", dir); |
553 | } | 573 | } |
554 | } | 574 | } |
575 | |||
576 | static void fs_rdwr(const char *dir) { | ||
577 | assert(dir); | ||
578 | // check directory exists | ||
579 | struct stat s; | ||
580 | int rv = stat(dir, &s); | ||
581 | if (rv == 0) { | ||
582 | // if the file is outside /home directory, allow only root user | ||
583 | uid_t u = getuid(); | ||
584 | if (u != 0 && s.st_uid != u) { | ||
585 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | ||
586 | return; | ||
587 | } | ||
588 | |||
589 | // mount --bind /bin /bin | ||
590 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
591 | errExit("mount read-write"); | ||
592 | // mount --bind -o remount,rw /bin | ||
593 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
594 | errExit("mount read-write"); | ||
595 | fs_logger2("read-write", dir); | ||
596 | } | ||
597 | } | ||
598 | |||
599 | void fs_noexec(const char *dir) { | ||
600 | assert(dir); | ||
601 | // check directory exists | ||
602 | struct stat s; | ||
603 | int rv = stat(dir, &s); | ||
604 | if (rv == 0) { | ||
605 | // mount --bind /bin /bin | ||
606 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
607 | errExit("mount noexec"); | ||
608 | // mount --bind -o remount,ro /bin | ||
609 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) | ||
610 | errExit("mount read-only"); | ||
611 | fs_logger2("noexec", dir); | ||
612 | } | ||
613 | } | ||
614 | |||
615 | |||
616 | |||
555 | void fs_rdonly_noexit(const char *dir) { | 617 | void fs_rdonly_noexit(const char *dir) { |
556 | assert(dir); | 618 | assert(dir); |
557 | // check directory exists | 619 | // check directory exists |
@@ -574,8 +636,6 @@ void fs_rdonly_noexit(const char *dir) { | |||
574 | 636 | ||
575 | // mount /proc and /sys directories | 637 | // mount /proc and /sys directories |
576 | void fs_proc_sys_dev_boot(void) { | 638 | void fs_proc_sys_dev_boot(void) { |
577 | struct stat s; | ||
578 | |||
579 | if (arg_debug) | 639 | if (arg_debug) |
580 | printf("Remounting /proc and /proc/sys filesystems\n"); | 640 | printf("Remounting /proc and /proc/sys filesystems\n"); |
581 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | 641 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
@@ -603,132 +663,107 @@ void fs_proc_sys_dev_boot(void) { | |||
603 | fs_logger("remount /sys"); | 663 | fs_logger("remount /sys"); |
604 | } | 664 | } |
605 | 665 | ||
606 | if (stat("/sys/firmware", &s) == 0) { | 666 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
607 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 667 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
608 | } | 668 | disable_file(BLACKLIST_FILE, "/sys/fs"); |
609 | 669 | disable_file(BLACKLIST_FILE, "/sys/module"); | |
610 | if (stat("/sys/hypervisor", &s) == 0) { | 670 | disable_file(BLACKLIST_FILE, "/sys/power"); |
611 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 671 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
612 | } | 672 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); |
613 | 673 | disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); | |
614 | if (stat("/sys/fs", &s) == 0) { | ||
615 | disable_file(BLACKLIST_FILE, "/sys/fs"); | ||
616 | } | ||
617 | |||
618 | if (stat("/sys/module", &s) == 0) { | ||
619 | disable_file(BLACKLIST_FILE, "/sys/module"); | ||
620 | } | ||
621 | |||
622 | if (stat("/sys/power", &s) == 0) { | ||
623 | disable_file(BLACKLIST_FILE, "/sys/power"); | ||
624 | } | ||
625 | 674 | ||
626 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 675 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
627 | // errExit("mounting /sys"); | 676 | // errExit("mounting /sys"); |
628 | 677 | ||
629 | // Disable SysRq | ||
630 | // a linux box can be shut down easily using the following commands (as root): | ||
631 | // # echo 1 > /proc/sys/kernel/sysrq | ||
632 | // #echo b > /proc/sysrq-trigger | ||
633 | // for more information see https://www.kernel.org/doc/Documentation/sysrq.txt | ||
634 | if (arg_debug) | ||
635 | printf("Disable /proc/sysrq-trigger\n"); | ||
636 | fs_rdonly_noexit("/proc/sysrq-trigger"); | ||
637 | |||
638 | // disable hotplug and uevent_helper | ||
639 | if (arg_debug) | ||
640 | printf("Disable /proc/sys/kernel/hotplug\n"); | ||
641 | fs_rdonly_noexit("/proc/sys/kernel/hotplug"); | ||
642 | if (arg_debug) | ||
643 | printf("Disable /sys/kernel/uevent_helper\n"); | ||
644 | fs_rdonly_noexit("/sys/kernel/uevent_helper"); | ||
645 | |||
646 | // read-only /proc/irq and /proc/bus | ||
647 | if (arg_debug) | ||
648 | printf("Disable /proc/irq\n"); | ||
649 | fs_rdonly_noexit("/proc/irq"); | ||
650 | if (arg_debug) | ||
651 | printf("Disable /proc/bus\n"); | ||
652 | fs_rdonly_noexit("/proc/bus"); | ||
653 | |||
654 | // disable /proc/kcore | ||
655 | disable_file(BLACKLIST_FILE, "/proc/kcore"); | ||
656 | 678 | ||
657 | // disable /proc/kallsyms | 679 | // various /proc/sys files |
680 | disable_file(BLACKLIST_FILE, "/proc/sys/security"); | ||
681 | disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); | ||
682 | disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); | ||
683 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); | ||
684 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); | ||
685 | disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); | ||
686 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); | ||
687 | disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); | ||
688 | |||
689 | |||
690 | // various /proc files | ||
691 | disable_file(BLACKLIST_FILE, "/proc/irq"); | ||
692 | disable_file(BLACKLIST_FILE, "/proc/bus"); | ||
693 | disable_file(BLACKLIST_FILE, "/proc/config.gz"); | ||
694 | disable_file(BLACKLIST_FILE, "/proc/sched_debug"); | ||
695 | disable_file(BLACKLIST_FILE, "/proc/timer_list"); | ||
696 | disable_file(BLACKLIST_FILE, "/proc/timer_stats"); | ||
697 | disable_file(BLACKLIST_FILE, "/proc/kcore"); | ||
658 | disable_file(BLACKLIST_FILE, "/proc/kallsyms"); | 698 | disable_file(BLACKLIST_FILE, "/proc/kallsyms"); |
699 | disable_file(BLACKLIST_FILE, "/proc/mem"); | ||
700 | disable_file(BLACKLIST_FILE, "/proc/kmem"); | ||
659 | 701 | ||
660 | // disable /boot | 702 | // disable /boot |
661 | if (stat("/boot", &s) == 0) { | 703 | disable_file(BLACKLIST_FILE, "/boot"); |
662 | if (arg_debug) | ||
663 | printf("Disable /boot directory\n"); | ||
664 | disable_file(BLACKLIST_FILE, "/boot"); | ||
665 | } | ||
666 | 704 | ||
667 | // disable /selinux | 705 | // disable /selinux |
668 | if (stat("/selinux", &s) == 0) { | 706 | disable_file(BLACKLIST_FILE, "/selinux"); |
669 | if (arg_debug) | ||
670 | printf("Disable /selinux directory\n"); | ||
671 | disable_file(BLACKLIST_FILE, "/selinux"); | ||
672 | } | ||
673 | 707 | ||
674 | // disable /dev/port | 708 | // disable /dev/port |
675 | if (stat("/dev/port", &s) == 0) { | 709 | disable_file(BLACKLIST_FILE, "/dev/port"); |
676 | disable_file(BLACKLIST_FILE, "/dev/port"); | ||
677 | } | ||
678 | 710 | ||
679 | if (getuid() != 0) { | 711 | if (getuid() != 0) { |
680 | // disable /dev/kmsg | 712 | // disable /dev/kmsg and /proc/kmsg |
681 | if (stat("/dev/kmsg", &s) == 0) { | 713 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); |
682 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); | 714 | disable_file(BLACKLIST_FILE, "/proc/kmsg"); |
683 | } | ||
684 | |||
685 | // disable /proc/kmsg | ||
686 | if (stat("/proc/kmsg", &s) == 0) { | ||
687 | disable_file(BLACKLIST_FILE, "/proc/kmsg"); | ||
688 | } | ||
689 | } | 715 | } |
690 | } | 716 | } |
691 | 717 | ||
692 | // disable firejail configuration in /etc/firejail and in ~/.config/firejail | 718 | // disable firejail configuration in /etc/firejail and in ~/.config/firejail |
693 | static void disable_firejail_config(void) { | 719 | static void disable_config(void) { |
694 | struct stat s; | 720 | struct stat s; |
695 | if (stat("/etc/firejail", &s) == 0) | ||
696 | disable_file(BLACKLIST_FILE, "/etc/firejail"); | ||
697 | 721 | ||
698 | char *fname; | 722 | char *fname; |
699 | if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) | 723 | if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) |
700 | errExit("asprintf"); | 724 | errExit("asprintf"); |
701 | if (stat(fname, &s) == 0) | 725 | if (stat(fname, &s) == 0) |
702 | disable_file(BLACKLIST_FILE, fname); | 726 | disable_file(BLACKLIST_FILE, fname); |
703 | |||
704 | if (stat("/usr/local/etc/firejail", &s) == 0) | ||
705 | disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail"); | ||
706 | |||
707 | if (strcmp(PREFIX, "/usr/local")) { | ||
708 | if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1) | ||
709 | errExit("asprintf"); | ||
710 | if (stat(fname, &s) == 0) | ||
711 | disable_file(BLACKLIST_FILE, fname); | ||
712 | } | ||
713 | |||
714 | |||
715 | |||
716 | free(fname); | 727 | free(fname); |
728 | |||
729 | // disable run time information | ||
730 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) | ||
731 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); | ||
732 | if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0) | ||
733 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); | ||
734 | if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0) | ||
735 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); | ||
736 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) | ||
737 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); | ||
717 | } | 738 | } |
718 | 739 | ||
719 | 740 | ||
720 | // build a basic read-only filesystem | 741 | // build a basic read-only filesystem |
721 | void fs_basic_fs(void) { | 742 | void fs_basic_fs(void) { |
743 | uid_t uid = getuid(); | ||
744 | |||
722 | if (arg_debug) | 745 | if (arg_debug) |
723 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n"); | 746 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); |
747 | if (!arg_writable_etc) { | ||
748 | fs_rdonly("/etc"); | ||
749 | if (uid) | ||
750 | fs_noexec("/etc"); | ||
751 | if (arg_debug) printf(", /etc"); | ||
752 | } | ||
753 | if (!arg_writable_var) { | ||
754 | fs_rdonly("/var"); | ||
755 | if (uid) | ||
756 | fs_noexec("/var"); | ||
757 | if (arg_debug) printf(", /var"); | ||
758 | } | ||
759 | if (arg_debug) printf("\n"); | ||
724 | fs_rdonly("/bin"); | 760 | fs_rdonly("/bin"); |
725 | fs_rdonly("/sbin"); | 761 | fs_rdonly("/sbin"); |
726 | fs_rdonly("/lib"); | 762 | fs_rdonly("/lib"); |
727 | fs_rdonly("/lib64"); | 763 | fs_rdonly("/lib64"); |
728 | fs_rdonly("/lib32"); | 764 | fs_rdonly("/lib32"); |
765 | fs_rdonly("/libx32"); | ||
729 | fs_rdonly("/usr"); | 766 | fs_rdonly("/usr"); |
730 | fs_rdonly("/etc"); | ||
731 | fs_rdonly("/var"); | ||
732 | 767 | ||
733 | // update /var directory in order to support multiple sandboxes running on the same root directory | 768 | // update /var directory in order to support multiple sandboxes running on the same root directory |
734 | if (!arg_private_dev) | 769 | if (!arg_private_dev) |
@@ -743,7 +778,11 @@ void fs_basic_fs(void) { | |||
743 | // don't leak user information | 778 | // don't leak user information |
744 | restrict_users(); | 779 | restrict_users(); |
745 | 780 | ||
746 | disable_firejail_config(); | 781 | // when starting as root, firejail config is not disabled; |
782 | // this mode could be used to install and test new software by chaining | ||
783 | // firejail sandboxes (firejail --force) | ||
784 | if (uid) | ||
785 | disable_config(); | ||
747 | } | 786 | } |
748 | 787 | ||
749 | 788 | ||
@@ -943,6 +982,21 @@ void fs_overlayfs(void) { | |||
943 | errExit("mounting /run"); | 982 | errExit("mounting /run"); |
944 | fs_logger("whitelist /run"); | 983 | fs_logger("whitelist /run"); |
945 | 984 | ||
985 | // mount-bind /tmp/.X11-unix directory | ||
986 | struct stat s; | ||
987 | if (stat("/tmp/.X11-unix", &s) == 0) { | ||
988 | if (arg_debug) | ||
989 | printf("Mounting /tmp/.X11-unix\n"); | ||
990 | char *x11; | ||
991 | if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) | ||
992 | errExit("asprintf"); | ||
993 | if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
994 | fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n"); | ||
995 | else | ||
996 | fs_logger("whitelist /tmp/.X11-unix"); | ||
997 | free(x11); | ||
998 | } | ||
999 | |||
946 | // chroot in the new filesystem | 1000 | // chroot in the new filesystem |
947 | if (chroot(oroot) == -1) | 1001 | if (chroot(oroot) == -1) |
948 | errExit("chroot"); | 1002 | errExit("chroot"); |
@@ -960,7 +1014,11 @@ void fs_overlayfs(void) { | |||
960 | // don't leak user information | 1014 | // don't leak user information |
961 | restrict_users(); | 1015 | restrict_users(); |
962 | 1016 | ||
963 | disable_firejail_config(); | 1017 | // when starting as root, firejail config is not disabled; |
1018 | // this mode could be used to install and test new software by chaining | ||
1019 | // firejail sandboxes (firejail --force) | ||
1020 | if (getuid() != 0) | ||
1021 | disable_config(); | ||
964 | 1022 | ||
965 | // cleanup and exit | 1023 | // cleanup and exit |
966 | free(option); | 1024 | free(option); |
@@ -1005,7 +1063,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1005 | } | 1063 | } |
1006 | free(name); | 1064 | free(name); |
1007 | 1065 | ||
1008 | // check /proc | 1066 | // check /tmp |
1009 | if (asprintf(&name, "%s/tmp", rootdir) == -1) | 1067 | if (asprintf(&name, "%s/tmp", rootdir) == -1) |
1010 | errExit("asprintf"); | 1068 | errExit("asprintf"); |
1011 | if (stat(name, &s) == -1) { | 1069 | if (stat(name, &s) == -1) { |
@@ -1013,7 +1071,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1013 | return 1; | 1071 | return 1; |
1014 | } | 1072 | } |
1015 | free(name); | 1073 | free(name); |
1016 | 1074 | ||
1017 | // check /bin/bash | 1075 | // check /bin/bash |
1018 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) | 1076 | if (asprintf(&name, "%s/bin/bash", rootdir) == -1) |
1019 | errExit("asprintf"); | 1077 | errExit("asprintf"); |
@@ -1023,6 +1081,18 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1023 | } | 1081 | } |
1024 | free(name); | 1082 | free(name); |
1025 | 1083 | ||
1084 | // check x11 socket directory | ||
1085 | if (getenv("FIREJAIL_X11")) { | ||
1086 | char *name; | ||
1087 | if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1088 | errExit("asprintf"); | ||
1089 | if (stat(name, &s) == -1) { | ||
1090 | fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); | ||
1091 | return 1; | ||
1092 | } | ||
1093 | free(name); | ||
1094 | } | ||
1095 | |||
1026 | return 0; | 1096 | return 0; |
1027 | } | 1097 | } |
1028 | 1098 | ||
@@ -1030,10 +1100,7 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1030 | void fs_chroot(const char *rootdir) { | 1100 | void fs_chroot(const char *rootdir) { |
1031 | assert(rootdir); | 1101 | assert(rootdir); |
1032 | 1102 | ||
1033 | //*********************************** | ||
1034 | // mount-bind a /dev in rootdir | 1103 | // mount-bind a /dev in rootdir |
1035 | //*********************************** | ||
1036 | // mount /dev | ||
1037 | char *newdev; | 1104 | char *newdev; |
1038 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) | 1105 | if (asprintf(&newdev, "%s/dev", rootdir) == -1) |
1039 | errExit("asprintf"); | 1106 | errExit("asprintf"); |
@@ -1041,6 +1108,19 @@ void fs_chroot(const char *rootdir) { | |||
1041 | printf("Mounting /dev on %s\n", newdev); | 1108 | printf("Mounting /dev on %s\n", newdev); |
1042 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | 1109 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) |
1043 | errExit("mounting /dev"); | 1110 | errExit("mounting /dev"); |
1111 | free(newdev); | ||
1112 | |||
1113 | // x11 | ||
1114 | if (getenv("FIREJAIL_X11")) { | ||
1115 | char *newx11; | ||
1116 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | ||
1117 | errExit("asprintf"); | ||
1118 | if (arg_debug) | ||
1119 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); | ||
1120 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1121 | errExit("mounting /tmp/.X11-unix"); | ||
1122 | free(newx11); | ||
1123 | } | ||
1044 | 1124 | ||
1045 | // some older distros don't have a /run directory | 1125 | // some older distros don't have a /run directory |
1046 | // create one by default | 1126 | // create one by default |
@@ -1091,7 +1171,11 @@ void fs_chroot(const char *rootdir) { | |||
1091 | // don't leak user information | 1171 | // don't leak user information |
1092 | restrict_users(); | 1172 | restrict_users(); |
1093 | 1173 | ||
1094 | disable_firejail_config(); | 1174 | // when starting as root, firejail config is not disabled; |
1175 | // this mode could be used to install and test new software by chaining | ||
1176 | // firejail sandboxes (firejail --force) | ||
1177 | if (getuid() != 0) | ||
1178 | disable_config(); | ||
1095 | } | 1179 | } |
1096 | #endif | 1180 | #endif |
1097 | 1181 | ||
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 2ee7f7504..ac731c246 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -25,10 +25,12 @@ | |||
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | 26 | ||
27 | static char *paths[] = { | 27 | static char *paths[] = { |
28 | "/bin", | 28 | "/usr/local/bin", |
29 | "/sbin", | ||
30 | "/usr/bin", | 29 | "/usr/bin", |
30 | "/bin", | ||
31 | "/usr/local/sbin", | ||
31 | "/usr/sbin", | 32 | "/usr/sbin", |
33 | "/sbin", | ||
32 | NULL | 34 | NULL |
33 | }; | 35 | }; |
34 | 36 | ||
@@ -46,8 +48,27 @@ static char *check_dir_or_file(const char *name) { | |||
46 | errExit("asprintf"); | 48 | errExit("asprintf"); |
47 | if (arg_debug) | 49 | if (arg_debug) |
48 | printf("Checking %s/%s\n", paths[i], name); | 50 | printf("Checking %s/%s\n", paths[i], name); |
49 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories | 51 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories |
52 | // check symlink to firejail executable in /usr/local/bin | ||
53 | if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { | ||
54 | char *actual_path = realpath(fname, NULL); | ||
55 | if (actual_path) { | ||
56 | char *ptr = strstr(actual_path, "/firejail"); | ||
57 | if (ptr && strlen(ptr) == strlen("/firejail")) { | ||
58 | if (arg_debug) | ||
59 | printf("firejail exec symlink detected\n"); | ||
60 | free(actual_path); | ||
61 | free(fname); | ||
62 | fname = NULL; | ||
63 | i++; | ||
64 | continue; | ||
65 | } | ||
66 | free(actual_path); | ||
67 | } | ||
68 | |||
69 | } | ||
50 | break; // file found | 70 | break; // file found |
71 | } | ||
51 | 72 | ||
52 | free(fname); | 73 | free(fname); |
53 | fname = NULL; | 74 | fname = NULL; |
@@ -106,9 +127,9 @@ void fs_check_bin_list(void) { | |||
106 | } | 127 | } |
107 | 128 | ||
108 | if (*newlist == '\0') { | 129 | if (*newlist == '\0') { |
109 | fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); | 130 | // fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); |
110 | cfg.bin_private_keep = NULL; | 131 | // cfg.bin_private_keep = NULL; |
111 | arg_private_bin = 0; | 132 | // arg_private_bin = 0; |
112 | free(newlist); | 133 | free(newlist); |
113 | } | 134 | } |
114 | else { | 135 | else { |
@@ -129,7 +150,7 @@ static void duplicate(char *fname) { | |||
129 | char *path = check_dir_or_file(fname); | 150 | char *path = check_dir_or_file(fname); |
130 | if (!path) | 151 | if (!path) |
131 | return; | 152 | return; |
132 | 153 | ||
133 | // expand path, just in case this is a symbolic link | 154 | // expand path, just in case this is a symbolic link |
134 | char *full_path; | 155 | char *full_path; |
135 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) | 156 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) |
@@ -137,14 +158,28 @@ static void duplicate(char *fname) { | |||
137 | 158 | ||
138 | char *actual_path = realpath(full_path, NULL); | 159 | char *actual_path = realpath(full_path, NULL); |
139 | if (actual_path) { | 160 | if (actual_path) { |
140 | // copy the file | 161 | // if the file is a symbolic link not under path, make a symbolic link |
141 | if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1) | 162 | if (is_link(full_path) && strncmp(actual_path, path, strlen(path))) { |
142 | errExit("asprintf"); | 163 | char *lnkname; |
143 | if (arg_debug) | 164 | if (asprintf(&lnkname, "%s/%s", RUN_BIN_DIR, fname) == -1) |
144 | printf("%s\n", cmd); | 165 | errExit("asprintf"); |
145 | if (system(cmd)) | 166 | int rv = symlink(actual_path, lnkname); |
146 | errExit("system cp -a"); | 167 | if (rv) |
147 | free(cmd); | 168 | fprintf(stderr, "Warning cannot create symbolic link %s\n", lnkname); |
169 | else if (arg_debug) | ||
170 | printf("Created symbolic link %s -> %s\n", lnkname, actual_path); | ||
171 | free(lnkname); | ||
172 | } | ||
173 | else { | ||
174 | // copy the file | ||
175 | if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1) | ||
176 | errExit("asprintf"); | ||
177 | if (arg_debug) | ||
178 | printf("%s\n", cmd); | ||
179 | if (system(cmd)) | ||
180 | errExit("system cp -a"); | ||
181 | free(cmd); | ||
182 | } | ||
148 | free(actual_path); | 183 | free(actual_path); |
149 | } | 184 | } |
150 | 185 | ||
@@ -156,17 +191,6 @@ void fs_private_bin_list(void) { | |||
156 | char *private_list = cfg.bin_private_keep; | 191 | char *private_list = cfg.bin_private_keep; |
157 | assert(private_list); | 192 | assert(private_list); |
158 | 193 | ||
159 | // check bin paths | ||
160 | int i = 0; | ||
161 | while (paths[i]) { | ||
162 | struct stat s; | ||
163 | if (stat(paths[i], &s) == -1) { | ||
164 | fprintf(stderr, "Error: cannot find %s directory\n", paths[i]); | ||
165 | exit(1); | ||
166 | } | ||
167 | i++; | ||
168 | } | ||
169 | |||
170 | // create /tmp/firejail/mnt/bin directory | 194 | // create /tmp/firejail/mnt/bin directory |
171 | fs_build_mnt_dir(); | 195 | fs_build_mnt_dir(); |
172 | int rv = mkdir(RUN_BIN_DIR, 0755); | 196 | int rv = mkdir(RUN_BIN_DIR, 0755); |
@@ -212,15 +236,18 @@ void fs_private_bin_list(void) { | |||
212 | // wait for the child to finish | 236 | // wait for the child to finish |
213 | waitpid(child, NULL, 0); | 237 | waitpid(child, NULL, 0); |
214 | 238 | ||
215 | // moun-bind | 239 | // mount-bind |
216 | i = 0; | 240 | int i = 0; |
217 | while (paths[i]) { | 241 | while (paths[i]) { |
218 | if (arg_debug) | 242 | struct stat s; |
219 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); | 243 | if (stat(paths[i], &s) == 0) { |
220 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 244 | if (arg_debug) |
221 | errExit("mount bind"); | 245 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); |
222 | fs_logger2("tmpfs", paths[i]); | 246 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
223 | fs_logger2("mount", paths[i]); | 247 | errExit("mount bind"); |
248 | fs_logger2("tmpfs", paths[i]); | ||
249 | fs_logger2("mount", paths[i]); | ||
250 | } | ||
224 | i++; | 251 | i++; |
225 | } | 252 | } |
226 | 253 | ||
@@ -234,11 +261,14 @@ void fs_private_bin_list(void) { | |||
234 | while (ptr) { | 261 | while (ptr) { |
235 | i = 0; | 262 | i = 0; |
236 | while (paths[i]) { | 263 | while (paths[i]) { |
237 | char *fname; | 264 | struct stat s; |
238 | if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1) | 265 | if (stat(paths[i], &s) == 0) { |
239 | errExit("asprintf"); | 266 | char *fname; |
240 | fs_logger2("clone", fname); | 267 | if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1) |
241 | free(fname); | 268 | errExit("asprintf"); |
269 | fs_logger2("clone", fname); | ||
270 | free(fname); | ||
271 | } | ||
242 | i++; | 272 | i++; |
243 | } | 273 | } |
244 | ptr = strtok(NULL, ","); | 274 | ptr = strtok(NULL, ","); |
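Review bot: The new symlink branch in `duplicate()` (new lines 162-172) links to the host's `actual_path`, but once `fs_private_bin_list()` bind-mounts RUN_BIN_DIR over every existing entry of `paths[]`, a target that lives under one of the other entries (say a `/usr/bin` link resolving into `/bin`) is no longer reachable inside the sandbox, so the link dangles where the old `cp -a` route produced a working copy. The `strncmp(actual_path, path, strlen(path))` test is also a bare prefix match, so a target under `/binx/` counts as "under /bin". I would check the resolved target against all of `paths[]` with a path-component boundary and take the symlink route only when it lies outside all of them, keeping the copy branch for everything else; `duplicate()` begins before this hunk. The commented-out lines at new 130-132 in `fs_check_bin_list()` should be deleted rather than kept, and the behavioural change they hide (an empty list now keeps --private-bin enabled with an empty RUN_BIN_DIR) deserves a one-line comment in their place.
```c
// true when the resolved target lives under one of the directories in paths[]
static int under_bin_paths(const char *actual_path) {
	int i = 0;
	while (paths[i]) {
		size_t len = strlen(paths[i]);
		if (strncmp(actual_path, paths[i], len) == 0 && actual_path[len] == '/')
			return 1;
		i++;
	}
	return 0;
}

// … unchanged: duplicate() up to the realpath() call …
		if (is_link(full_path) && !under_bin_paths(actual_path)) {
// … unchanged: symlink creation and the cp -a copy branch …
```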
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 2fd450391..c7a27115f 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -68,9 +68,12 @@ void fs_private_dev(void){ | |||
68 | printf("Mounting tmpfs on /dev\n"); | 68 | printf("Mounting tmpfs on /dev\n"); |
69 | 69 | ||
70 | int have_dri = 0; | 70 | int have_dri = 0; |
71 | int have_snd = 0; | ||
71 | struct stat s; | 72 | struct stat s; |
72 | if (stat("/dev/dri", &s) == 0) | 73 | if (stat("/dev/dri", &s) == 0) |
73 | have_dri = 1; | 74 | have_dri = 1; |
75 | if (stat("/dev/snd", &s) == 0) | ||
76 | have_snd = 1; | ||
74 | 77 | ||
75 | // create DRI_DIR | 78 | // create DRI_DIR |
76 | fs_build_mnt_dir(); | 79 | fs_build_mnt_dir(); |
@@ -89,7 +92,23 @@ void fs_private_dev(void){ | |||
89 | errExit("mounting /dev/dri"); | 92 | errExit("mounting /dev/dri"); |
90 | } | 93 | } |
91 | 94 | ||
92 | // restore /dev/log | 95 | // create SND_DIR |
96 | if (have_snd) { | ||
97 | /* coverity[toctou] */ | ||
98 | rv = mkdir(RUN_SND_DIR, 0755); | ||
99 | if (rv == -1) | ||
100 | errExit("mkdir"); | ||
101 | if (chown(RUN_SND_DIR, 0, 0) < 0) | ||
102 | errExit("chown"); | ||
103 | if (chmod(RUN_SND_DIR, 0755) < 0) | ||
104 | errExit("chmod"); | ||
105 | |||
106 | // keep a copy of /dev/dri under DRI_DIR | ||
107 | if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
108 | errExit("mounting /dev/snd"); | ||
109 | } | ||
110 | |||
111 | // create DEVLOG_FILE | ||
93 | int have_devlog = 0; | 112 | int have_devlog = 0; |
94 | if (stat("/dev/log", &s) == 0) { | 113 | if (stat("/dev/log", &s) == 0) { |
95 | have_devlog = 1; | 114 | have_devlog = 1; |
@@ -121,6 +140,21 @@ void fs_private_dev(void){ | |||
121 | } | 140 | } |
122 | } | 141 | } |
123 | 142 | ||
143 | // bring back the /dev/snd directory | ||
144 | if (have_snd) { | ||
145 | /* coverity[toctou] */ | ||
146 | rv = mkdir("/dev/snd", 0755); | ||
147 | if (rv == -1) | ||
148 | errExit("mkdir"); | ||
149 | if (chown("/dev/snd", 0, 0) < 0) | ||
150 | errExit("chown"); | ||
151 | if (chmod("/dev/snd",0755) < 0) | ||
152 | errExit("chmod"); | ||
153 | if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mounting /dev/snd"); | ||
155 | fs_logger("whitelist /dev/snd"); | ||
156 | } | ||
157 | |||
124 | // bring back the /dev/dri directory | 158 | // bring back the /dev/dri directory |
125 | if (have_dri) { | 159 | if (have_dri) { |
126 | /* coverity[toctou] */ | 160 | /* coverity[toctou] */ |
@@ -243,3 +277,9 @@ void fs_dev_shm(void) { | |||
243 | 277 | ||
244 | } | 278 | } |
245 | } | 279 | } |
280 | |||
281 | void fs_dev_disable_sound() { | ||
282 | if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0) | ||
283 | errExit("disable /dev/snd"); | ||
284 | fs_logger("blacklist /dev/snd"); | ||
285 | } | ||
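Review bot: The comment at new line 106 of the SND block in `fs_private_dev()`, `// keep a copy of /dev/dri under DRI_DIR`, is a copy-paste leftover and should read `// keep a copy of /dev/snd under SND_DIR`. In the new `fs_dev_disable_sound()`, the `"mode=400,gid=0"` data argument is ignored by the kernel for an MS_BIND mount, so whatever restriction /dev/snd ends up with comes entirely from the permissions of RUN_RO_DIR, which this file does not show; a one-line comment stating that would stop a future reader from relying on the mount options. The function is also declared with an empty parameter list; `void fs_dev_disable_sound(void)` matches the other definitions in this file such as `fs_dev_shm(void)`.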
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index bb33b4c76..2ff36f5d2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -96,7 +96,8 @@ static void duplicate(char *fname) { | |||
96 | if (arg_debug) | 96 | if (arg_debug) |
97 | printf("%s\n", cmd); | 97 | printf("%s\n", cmd); |
98 | if (system(cmd)) | 98 | if (system(cmd)) |
99 | errExit("system cp -a --parents"); | 99 | fprintf(stderr, "Warning (fs_etc): error copying file /etc/%s, skipping...\n", fname); |
100 | |||
100 | free(cmd); | 101 | free(cmd); |
101 | 102 | ||
102 | char *name; | 103 | char *name; |
@@ -128,40 +129,44 @@ void fs_private_etc_list(void) { | |||
128 | errExit("chmod"); | 129 | errExit("chmod"); |
129 | fs_logger("tmpfs /etc"); | 130 | fs_logger("tmpfs /etc"); |
130 | 131 | ||
131 | // copy the list of files in the new etc directory | ||
132 | // using a new child process without root privileges | ||
133 | fs_logger_print(); // save the current log | 132 | fs_logger_print(); // save the current log |
134 | pid_t child = fork(); | ||
135 | if (child < 0) | ||
136 | errExit("fork"); | ||
137 | if (child == 0) { | ||
138 | if (arg_debug) | ||
139 | printf("Copying files in the new etc directory:\n"); | ||
140 | 133 | ||
141 | // elevate privileges - files in the new /etc directory belong to root | ||
142 | if (setreuid(0, 0) < 0) | ||
143 | errExit("setreuid"); | ||
144 | if (setregid(0, 0) < 0) | ||
145 | errExit("setregid"); | ||
146 | |||
147 | // copy the list of files in the new home directory | ||
148 | char *dlist = strdup(private_list); | ||
149 | if (!dlist) | ||
150 | errExit("strdup"); | ||
151 | |||
152 | 134 | ||
153 | char *ptr = strtok(dlist, ","); | 135 | // copy the list of files in the new etc directory |
154 | duplicate(ptr); | 136 | // using a new child process without root privileges |
137 | if (*private_list != '\0') { | ||
138 | pid_t child = fork(); | ||
139 | if (child < 0) | ||
140 | errExit("fork"); | ||
141 | if (child == 0) { | ||
142 | if (arg_debug) | ||
143 | printf("Copying files in the new etc directory:\n"); | ||
144 | |||
145 | // elevate privileges - files in the new /etc directory belong to root | ||
146 | if (setreuid(0, 0) < 0) | ||
147 | errExit("setreuid"); | ||
148 | if (setregid(0, 0) < 0) | ||
149 | errExit("setregid"); | ||
150 | |||
151 | // copy the list of files in the new home directory | ||
152 | char *dlist = strdup(private_list); | ||
153 | if (!dlist) | ||
154 | errExit("strdup"); | ||
155 | |||
155 | 156 | ||
156 | while ((ptr = strtok(NULL, ",")) != NULL) | 157 | char *ptr = strtok(dlist, ","); |
157 | duplicate(ptr); | 158 | duplicate(ptr); |
158 | free(dlist); | 159 | |
159 | fs_logger_print(); | 160 | while ((ptr = strtok(NULL, ",")) != NULL) |
160 | exit(0); | 161 | duplicate(ptr); |
162 | free(dlist); | ||
163 | fs_logger_print(); | ||
164 | exit(0); | ||
165 | } | ||
166 | // wait for the child to finish | ||
167 | waitpid(child, NULL, 0); | ||
161 | } | 168 | } |
162 | // wait for the child to finish | 169 | |
163 | waitpid(child, NULL, 0); | ||
164 | |||
165 | if (arg_debug) | 170 | if (arg_debug) |
166 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); | 171 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); |
167 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | 172 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) |
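Review bot: The comment re-inserted at new lines 135-136 ("using a new child process without root privileges") contradicts the code that follows it: the child calls setreuid(0, 0) and setregid(0, 0) at 146-149 precisely to gain root, because the copied files must be root-owned. Suggest `// copy the list of files into the new /etc directory using a child process; the child elevates to root because the copies must be root-owned`. The `waitpid(child, NULL, 0)` at 167 also discards the child's exit status, so a failure inside the child is invisible to the parent, which then bind-mounts the partially filled directory; the enclosing function continues outside the hunk. Separately, `duplicate()` at 96-99 now only warns when `system(cmd)` fails, so a missing or unreadable entry in the private-etc list no longer aborts the sandbox — a one-line comment stating that this downgrade is intentional would stop the next reader from re-tightening it.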
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 8a3484b06..41092de2b 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -41,10 +41,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
41 | if (stat(fname, &s) == 0) | 41 | if (stat(fname, &s) == 0) |
42 | return; | 42 | return; |
43 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 43 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
44 | if (is_link("/etc/skel/.zshrc")) { | ||
45 | fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n"); | ||
46 | exit(1); | ||
47 | } | ||
48 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { | 44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { |
49 | if (chown(fname, u, g) == -1) | 45 | if (chown(fname, u, g) == -1) |
50 | errExit("chown"); | 46 | errExit("chown"); |
@@ -75,10 +71,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
75 | if (stat(fname, &s) == 0) | 71 | if (stat(fname, &s) == 0) |
76 | return; | 72 | return; |
77 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 73 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
78 | if (is_link("/etc/skel/.cshrc")) { | ||
79 | fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n"); | ||
80 | exit(1); | ||
81 | } | ||
82 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { | 74 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { |
83 | if (chown(fname, u, g) == -1) | 75 | if (chown(fname, u, g) == -1) |
84 | errExit("chown"); | 76 | errExit("chown"); |
@@ -110,10 +102,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
110 | if (stat(fname, &s) == 0) | 102 | if (stat(fname, &s) == 0) |
111 | return; | 103 | return; |
112 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 104 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
113 | if (is_link("/etc/skel/.bashrc")) { | ||
114 | fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n"); | ||
115 | exit(1); | ||
116 | } | ||
117 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { | 105 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { |
118 | /* coverity[toctou] */ | 106 | /* coverity[toctou] */ |
119 | if (chown(fname, u, g) == -1) | 107 | if (chown(fname, u, g) == -1) |
@@ -162,10 +150,19 @@ static int store_asoundrc(void) { | |||
162 | errExit("asprintf"); | 150 | errExit("asprintf"); |
163 | 151 | ||
164 | struct stat s; | 152 | struct stat s; |
165 | if (stat(src, &s) == 0) { | 153 | if (stat(src, &s) == 0) { |
166 | if (is_link(src)) { | 154 | if (is_link(src)) { |
167 | fprintf(stderr, "Error: invalid .asoundrc file\n"); | 155 | // make sure the real path of the file is inside the home directory |
168 | exit(1); | 156 | char* rp = realpath(src, NULL); |
157 | if (!rp) { | ||
158 | fprintf(stderr, "Error: Cannot access %s\n", src); | ||
159 | exit(1); | ||
160 | } | ||
161 | if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) { | ||
162 | fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n"); | ||
163 | exit(1); | ||
164 | } | ||
165 | free(rp); | ||
169 | } | 166 | } |
170 | 167 | ||
171 | int rv = copy_file(src, dest); | 168 | int rv = copy_file(src, dest); |
@@ -251,7 +248,7 @@ void fs_private_homedir(void) { | |||
251 | // mount bind private_homedir on top of homedir | 248 | // mount bind private_homedir on top of homedir |
252 | if (arg_debug) | 249 | if (arg_debug) |
253 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); | 250 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); |
254 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 251 | if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) |
255 | errExit("mount bind"); | 252 | errExit("mount bind"); |
256 | fs_logger3("mount-bind", private_homedir, cfg.homedir); | 253 | fs_logger3("mount-bind", private_homedir, cfg.homedir); |
257 | fs_logger2("whitelist", cfg.homedir); | 254 | fs_logger2("whitelist", cfg.homedir); |
@@ -265,7 +262,7 @@ void fs_private_homedir(void) { | |||
265 | // mask /root | 262 | // mask /root |
266 | if (arg_debug) | 263 | if (arg_debug) |
267 | printf("Mounting a new /root directory\n"); | 264 | printf("Mounting a new /root directory\n"); |
268 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 265 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
269 | errExit("mounting home directory"); | 266 | errExit("mounting home directory"); |
270 | fs_logger("tmpfs /root"); | 267 | fs_logger("tmpfs /root"); |
271 | } | 268 | } |
@@ -273,7 +270,7 @@ void fs_private_homedir(void) { | |||
273 | // mask /home | 270 | // mask /home |
274 | if (arg_debug) | 271 | if (arg_debug) |
275 | printf("Mounting a new /home directory\n"); | 272 | printf("Mounting a new /home directory\n"); |
276 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 273 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
277 | errExit("mounting home directory"); | 274 | errExit("mounting home directory"); |
278 | fs_logger("tmpfs /home"); | 275 | fs_logger("tmpfs /home"); |
279 | } | 276 | } |
@@ -303,14 +300,14 @@ void fs_private(void) { | |||
303 | // mask /home | 300 | // mask /home |
304 | if (arg_debug) | 301 | if (arg_debug) |
305 | printf("Mounting a new /home directory\n"); | 302 | printf("Mounting a new /home directory\n"); |
306 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 303 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
307 | errExit("mounting home directory"); | 304 | errExit("mounting home directory"); |
308 | fs_logger("tmpfs /home"); | 305 | fs_logger("tmpfs /home"); |
309 | 306 | ||
310 | // mask /root | 307 | // mask /root |
311 | if (arg_debug) | 308 | if (arg_debug) |
312 | printf("Mounting a new /root directory\n"); | 309 | printf("Mounting a new /root directory\n"); |
313 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 310 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
314 | errExit("mounting root directory"); | 311 | errExit("mounting root directory"); |
315 | fs_logger("tmpfs /root"); | 312 | fs_logger("tmpfs /root"); |
316 | 313 | ||
@@ -334,6 +331,7 @@ void fs_private(void) { | |||
334 | copy_xauthority(); | 331 | copy_xauthority(); |
335 | if (aflag) | 332 | if (aflag) |
336 | copy_asoundrc(); | 333 | copy_asoundrc(); |
334 | |||
337 | } | 335 | } |
338 | 336 | ||
339 | 337 | ||
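Review bot: Adding MS_NOSUID | MS_NODEV to the MS_BIND call at new line 251 has no effect on its own: for a bind mount the kernel ignores every mountflags bit except MS_REC and the new mount inherits the per-mount flags of the source, so the private home is still mounted suid/dev-capable; the utmp bind at fs_var.c new line 365 has the same problem. The flags only take hold through a second call immediately after the bind, e.g. `if (mount(NULL, homedir, NULL, MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NODEV, NULL) < 0) errExit("remount bind");`, with a comment saying why two calls are needed. The realpath check at new line 161 compares only the homedir prefix, so for homedir /home/user a link into /home/user2/... passes; use `size_t hlen = strlen(cfg.homedir); if (strncmp(rp, cfg.homedir, hlen) != 0 || (rp[hlen] != '/' && rp[hlen] != '\0'))`, and the same prefix-only test appears at fs_mkdir.c new line 70 and fs_whitelist.c new line 184. Note also that rp is canonical while cfg.homedir may not be, and that the check runs only when src is a link while copy_file runs afterwards, so the target can still change between the check and the copy.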
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 227a66cd7..30b0fe438 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -141,7 +141,9 @@ void fs_logger_print_log(pid_t pid) { | |||
141 | EUID_ASSERT(); | 141 | EUID_ASSERT(); |
142 | 142 | ||
143 | // if the pid is that of a firejail process, use the pid of the first child process | 143 | // if the pid is that of a firejail process, use the pid of the first child process |
144 | EUID_ROOT(); | ||
144 | char *comm = pid_proc_comm(pid); | 145 | char *comm = pid_proc_comm(pid); |
146 | EUID_USER(); | ||
145 | if (comm) { | 147 | if (comm) { |
146 | if (strcmp(comm, "firejail") == 0) { | 148 | if (strcmp(comm, "firejail") == 0) { |
147 | pid_t child; | 149 | pid_t child; |
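Review bot: Wrapping pid_proc_comm(pid) in EUID_ROOT()/EUID_USER() at new lines 144-146 means /proc/&lt;pid&gt;/comm of whatever pid the caller names is now read with root privileges, so the comm check no longer depends on the invoking user being able to see that process; whether that is safe depends on the ownership check applied to pid later, which is outside this hunk. A why-comment would help the next reader, e.g. `// /proc/<pid>/comm of a sandbox may not be readable as the invoking user; read it as root and drop back immediately`. The same elevation is added at join.c new lines 212-214 and should carry the same comment.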
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 398c534bf..50bcc613b 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -42,9 +42,63 @@ void fs_mkdir(const char *name) { | |||
42 | } | 42 | } |
43 | 43 | ||
44 | // create directory | 44 | // create directory |
45 | if (mkdir(expanded, 0700) == -1) | 45 | pid_t child = fork(); |
46 | fprintf(stderr, "Warning: cannot create %s directory\n", expanded); | 46 | if (child < 0) |
47 | errExit("fork"); | ||
48 | if (child == 0) { | ||
49 | // drop privileges | ||
50 | drop_privs(0); | ||
51 | |||
52 | // create directory | ||
53 | if (mkdir(expanded, 0700) == -1) | ||
54 | fprintf(stderr, "Warning: cannot create %s directory\n", expanded); | ||
55 | exit(0); | ||
56 | } | ||
57 | // wait for the child to finish | ||
58 | waitpid(child, NULL, 0); | ||
47 | 59 | ||
48 | doexit: | 60 | doexit: |
49 | free(expanded); | 61 | free(expanded); |
50 | } | 62 | } |
63 | |||
64 | void fs_mkfile(const char *name) { | ||
65 | EUID_ASSERT(); | ||
66 | |||
67 | // check file name | ||
68 | invalid_filename(name); | ||
69 | char *expanded = expand_home(name, cfg.homedir); | ||
70 | if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { | ||
71 | fprintf(stderr, "Error: only files in user home are supported by mkfile\n"); | ||
72 | exit(1); | ||
73 | } | ||
74 | |||
75 | struct stat s; | ||
76 | if (stat(expanded, &s) == 0) { | ||
77 | // file exists, do nothing | ||
78 | goto doexit; | ||
79 | } | ||
80 | |||
81 | // create file | ||
82 | pid_t child = fork(); | ||
83 | if (child < 0) | ||
84 | errExit("fork"); | ||
85 | if (child == 0) { | ||
86 | // drop privileges | ||
87 | drop_privs(0); | ||
88 | |||
89 | FILE *fp = fopen(expanded, "w"); | ||
90 | if (!fp) | ||
91 | fprintf(stderr, "Warning: cannot create %s file\n", expanded); | ||
92 | else { | ||
93 | fclose(fp); | ||
94 | int rv = chmod(expanded, 0600); | ||
95 | (void) rv; | ||
96 | } | ||
97 | exit(0); | ||
98 | } | ||
99 | // wait for the child to finish | ||
100 | waitpid(child, NULL, 0); | ||
101 | |||
102 | doexit: | ||
103 | free(expanded); | ||
104 | } \ No newline at end of file | ||
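Review bot: fs_mkfile at new lines 89-95 checks for the file with stat, then creates it with fopen(expanded, "w") and a separate chmod whose result is discarded, which leaves a window where the file exists with the umask-derived mode (and is truncated if something appeared between the stat and the fopen). A single `int fd = open(expanded, O_WRONLY | O_CREAT | O_EXCL, 0600);` in the child (needs &lt;fcntl.h&gt; if not already included), followed by `if (fd == -1) fprintf(stderr, "Warning: cannot create %s file\n", expanded); else close(fd);`, creates it atomically with the intended mode and removes the chmod. fs_mkdir at 45-58 has the same stat-then-create shape, but mkdir(expanded, 0700) is already atomic and EEXIST just produces the warning. In both functions `waitpid(child, NULL, 0)` discards the child's status, and the expand_home result at new line 69 is dereferenced by strncmp without a NULL check.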
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index f904fa5d9..1516d684f 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -121,7 +121,7 @@ void fs_var_log(void) { | |||
121 | // mount a tmpfs on top of /var/log | 121 | // mount a tmpfs on top of /var/log |
122 | if (arg_debug) | 122 | if (arg_debug) |
123 | printf("Mounting tmpfs on /var/log\n"); | 123 | printf("Mounting tmpfs on /var/log\n"); |
124 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 124 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
125 | errExit("mounting /var/log"); | 125 | errExit("mounting /var/log"); |
126 | fs_logger("tmpfs /var/log"); | 126 | fs_logger("tmpfs /var/log"); |
127 | 127 | ||
@@ -160,7 +160,7 @@ void fs_var_lib(void) { | |||
160 | if (stat("/var/lib/dhcp", &s) == 0) { | 160 | if (stat("/var/lib/dhcp", &s) == 0) { |
161 | if (arg_debug) | 161 | if (arg_debug) |
162 | printf("Mounting tmpfs on /var/lib/dhcp\n"); | 162 | printf("Mounting tmpfs on /var/lib/dhcp\n"); |
163 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 163 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
164 | errExit("mounting /var/lib/dhcp"); | 164 | errExit("mounting /var/lib/dhcp"); |
165 | fs_logger("tmpfs /var/lib/dhcp"); | 165 | fs_logger("tmpfs /var/lib/dhcp"); |
166 | 166 | ||
@@ -182,7 +182,7 @@ void fs_var_lib(void) { | |||
182 | if (stat("/var/lib/nginx", &s) == 0) { | 182 | if (stat("/var/lib/nginx", &s) == 0) { |
183 | if (arg_debug) | 183 | if (arg_debug) |
184 | printf("Mounting tmpfs on /var/lib/nginx\n"); | 184 | printf("Mounting tmpfs on /var/lib/nginx\n"); |
185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
186 | errExit("mounting /var/lib/nginx"); | 186 | errExit("mounting /var/lib/nginx"); |
187 | fs_logger("tmpfs /var/lib/nginx"); | 187 | fs_logger("tmpfs /var/lib/nginx"); |
188 | } | 188 | } |
@@ -191,7 +191,7 @@ void fs_var_lib(void) { | |||
191 | if (stat("/var/lib/snmp", &s) == 0) { | 191 | if (stat("/var/lib/snmp", &s) == 0) { |
192 | if (arg_debug) | 192 | if (arg_debug) |
193 | printf("Mounting tmpfs on /var/lib/snmp\n"); | 193 | printf("Mounting tmpfs on /var/lib/snmp\n"); |
194 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 194 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
195 | errExit("mounting /var/lib/snmp"); | 195 | errExit("mounting /var/lib/snmp"); |
196 | fs_logger("tmpfs /var/lib/snmp"); | 196 | fs_logger("tmpfs /var/lib/snmp"); |
197 | } | 197 | } |
@@ -200,7 +200,7 @@ void fs_var_lib(void) { | |||
200 | if (stat("/var/lib/sudo", &s) == 0) { | 200 | if (stat("/var/lib/sudo", &s) == 0) { |
201 | if (arg_debug) | 201 | if (arg_debug) |
202 | printf("Mounting tmpfs on /var/lib/sudo\n"); | 202 | printf("Mounting tmpfs on /var/lib/sudo\n"); |
203 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 203 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
204 | errExit("mounting /var/lib/sudo"); | 204 | errExit("mounting /var/lib/sudo"); |
205 | fs_logger("tmpfs /var/lib/sudo"); | 205 | fs_logger("tmpfs /var/lib/sudo"); |
206 | } | 206 | } |
@@ -212,7 +212,7 @@ void fs_var_cache(void) { | |||
212 | if (stat("/var/cache/apache2", &s) == 0) { | 212 | if (stat("/var/cache/apache2", &s) == 0) { |
213 | if (arg_debug) | 213 | if (arg_debug) |
214 | printf("Mounting tmpfs on /var/cache/apache2\n"); | 214 | printf("Mounting tmpfs on /var/cache/apache2\n"); |
215 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 215 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
216 | errExit("mounting /var/cache/apache2"); | 216 | errExit("mounting /var/cache/apache2"); |
217 | fs_logger("tmpfs /var/cache/apache2"); | 217 | fs_logger("tmpfs /var/cache/apache2"); |
218 | } | 218 | } |
@@ -220,7 +220,7 @@ void fs_var_cache(void) { | |||
220 | if (stat("/var/cache/lighttpd", &s) == 0) { | 220 | if (stat("/var/cache/lighttpd", &s) == 0) { |
221 | if (arg_debug) | 221 | if (arg_debug) |
222 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); | 222 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); |
223 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 223 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
224 | errExit("mounting /var/cache/lighttpd"); | 224 | errExit("mounting /var/cache/lighttpd"); |
225 | fs_logger("tmpfs /var/cache/lighttpd"); | 225 | fs_logger("tmpfs /var/cache/lighttpd"); |
226 | 226 | ||
@@ -268,7 +268,7 @@ void fs_var_lock(void) { | |||
268 | if (is_dir("/var/lock")) { | 268 | if (is_dir("/var/lock")) { |
269 | if (arg_debug) | 269 | if (arg_debug) |
270 | printf("Mounting tmpfs on /var/lock\n"); | 270 | printf("Mounting tmpfs on /var/lock\n"); |
271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
272 | errExit("mounting /lock"); | 272 | errExit("mounting /lock"); |
273 | fs_logger("tmpfs /var/lock"); | 273 | fs_logger("tmpfs /var/lock"); |
274 | } | 274 | } |
@@ -286,7 +286,7 @@ void fs_var_lock(void) { | |||
286 | } | 286 | } |
287 | if (arg_debug) | 287 | if (arg_debug) |
288 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); | 288 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); |
289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
290 | errExit("mounting /var/lock"); | 290 | errExit("mounting /var/lock"); |
291 | free(lnk); | 291 | free(lnk); |
292 | fs_logger("tmpfs /var/lock"); | 292 | fs_logger("tmpfs /var/lock"); |
@@ -304,7 +304,7 @@ void fs_var_tmp(void) { | |||
304 | if (!is_link("/var/tmp")) { | 304 | if (!is_link("/var/tmp")) { |
305 | if (arg_debug) | 305 | if (arg_debug) |
306 | printf("Mounting tmpfs on /var/tmp\n"); | 306 | printf("Mounting tmpfs on /var/tmp\n"); |
307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
308 | errExit("mounting /var/tmp"); | 308 | errExit("mounting /var/tmp"); |
309 | fs_logger("tmpfs /var/tmp"); | 309 | fs_logger("tmpfs /var/tmp"); |
310 | } | 310 | } |
@@ -362,7 +362,7 @@ void fs_var_utmp(void) { | |||
362 | // mount the new utmp file | 362 | // mount the new utmp file |
363 | if (arg_debug) | 363 | if (arg_debug) |
364 | printf("Mount the new utmp file\n"); | 364 | printf("Mount the new utmp file\n"); |
365 | if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) | 365 | if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
366 | errExit("mount bind utmp"); | 366 | errExit("mount bind utmp"); |
367 | fs_logger("create /var/run/utmp"); | 367 | fs_logger("create /var/run/utmp"); |
368 | } | 368 | } |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7e61bfde5..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) { | |||
181 | char *wfile = NULL; | 181 | char *wfile = NULL; |
182 | 182 | ||
183 | if (entry->home_dir) { | 183 | if (entry->home_dir) { |
184 | fname = path + strlen(cfg.homedir); | 184 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
185 | if (*fname == '\0') { | 185 | fname = path + strlen(cfg.homedir); |
186 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 186 | if (*fname == '\0') { |
187 | exit(1); | 187 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); |
188 | exit(1); | ||
189 | } | ||
188 | } | 190 | } |
191 | else | ||
192 | fname = path; | ||
189 | 193 | ||
190 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 194 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
191 | errExit("asprintf"); | 195 | errExit("asprintf"); |
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) { | |||
248 | printf("Whitelisting %s\n", path); | 252 | printf("Whitelisting %s\n", path); |
249 | } | 253 | } |
250 | else { | 254 | else { |
251 | if (arg_debug || arg_debug_whitelists) { | ||
252 | fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path); | ||
253 | } | ||
254 | return; | 255 | return; |
255 | } | 256 | } |
256 | 257 | ||
@@ -390,12 +391,16 @@ void fs_whitelist(void) { | |||
390 | 391 | ||
391 | entry->home_dir = 1; | 392 | entry->home_dir = 1; |
392 | home_dir = 1; | 393 | home_dir = 1; |
394 | if (arg_debug || arg_debug_whitelists) | ||
395 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | ||
396 | __LINE__, fname, cfg.homedir); | ||
397 | |||
393 | // both path and absolute path are under /home | 398 | // both path and absolute path are under /home |
394 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 399 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
395 | if (arg_debug) | 400 | // check if the file is owned by the user |
396 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | 401 | struct stat s; |
397 | __LINE__, fname, cfg.homedir); | 402 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) |
398 | goto errexit; | 403 | goto errexit; |
399 | } | 404 | } |
400 | } | 405 | } |
401 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 406 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
@@ -422,7 +427,12 @@ void fs_whitelist(void) { | |||
422 | entry->var_dir = 1; | 427 | entry->var_dir = 1; |
423 | var_dir = 1; | 428 | var_dir = 1; |
424 | // both path and absolute path are under /var | 429 | // both path and absolute path are under /var |
425 | if (strncmp(fname, "/var/", 5) != 0) { | 430 | // exceptions: /var/run and /var/lock |
431 | if (strcmp(new_name, "/var/run")== 0) | ||
432 | ; | ||
433 | else if (strcmp(new_name, "/var/lock")== 0) | ||
434 | ; | ||
435 | else if (strncmp(fname, "/var/", 5) != 0) { | ||
426 | if (arg_debug) | 436 | if (arg_debug) |
427 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | 437 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); |
428 | goto errexit; | 438 | goto errexit; |
@@ -499,7 +509,7 @@ void fs_whitelist(void) { | |||
499 | 509 | ||
500 | // /tmp mountpoint | 510 | // /tmp mountpoint |
501 | if (tmp_dir) { | 511 | if (tmp_dir) { |
502 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR | 512 | // keep a copy of real /tmp directory in |
503 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); | 513 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); |
504 | if (rv == -1) | 514 | if (rv == -1) |
505 | errExit("mkdir"); | 515 | errExit("mkdir"); |
@@ -517,6 +527,29 @@ void fs_whitelist(void) { | |||
517 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 527 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
518 | errExit("mounting tmpfs on /tmp"); | 528 | errExit("mounting tmpfs on /tmp"); |
519 | fs_logger("tmpfs /tmp"); | 529 | fs_logger("tmpfs /tmp"); |
530 | |||
531 | // mount appimage directory if necessary | ||
532 | if (arg_appimage) { | ||
533 | const char *dir = appimage_getdir(); | ||
534 | assert(dir); | ||
535 | char *wdir; | ||
536 | if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) | ||
537 | errExit("asprintf"); | ||
538 | |||
539 | // create directory | ||
540 | if (mkdir(dir, 0755) < 0) | ||
541 | errExit("mkdir"); | ||
542 | if (chown(dir, getuid(), getgid()) < 0) | ||
543 | errExit("chown"); | ||
544 | if (chmod(dir, 0755) < 0) | ||
545 | errExit("chmod"); | ||
546 | |||
547 | // mount | ||
548 | if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
549 | errExit("mount bind"); | ||
550 | fs_logger2("whitelist", dir); | ||
551 | free(wdir); | ||
552 | } | ||
520 | } | 553 | } |
521 | 554 | ||
522 | // /media mountpoint | 555 | // /media mountpoint |
@@ -618,21 +651,31 @@ void fs_whitelist(void) { | |||
618 | 651 | ||
619 | //printf("here %d#%s#\n", __LINE__, entry->data); | 652 | //printf("here %d#%s#\n", __LINE__, entry->data); |
620 | // whitelist the real file | 653 | // whitelist the real file |
621 | whitelist_path(entry); | 654 | if (strcmp(entry->data, "whitelist /run") == 0 && |
622 | 655 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { | |
623 | // create the link if any | 656 | int rv = symlink(entry->data + 10, entry->link); |
624 | if (entry->link) { | 657 | if (rv) |
625 | // if the link is already there, do not bother | 658 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
626 | struct stat s; | 659 | else if (arg_debug || arg_debug_whitelists) |
627 | if (stat(entry->link, &s) != 0) { | 660 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
628 | // create the path if necessary | 661 | } |
629 | mkpath(entry->link, s.st_mode); | 662 | else { |
630 | 663 | whitelist_path(entry); | |
631 | int rv = symlink(entry->data + 10, entry->link); | 664 | |
632 | if (rv) | 665 | // create the link if any |
633 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 666 | if (entry->link) { |
634 | else if (arg_debug || arg_debug_whitelists) | 667 | // if the link is already there, do not bother |
635 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 668 | struct stat s; |
669 | if (stat(entry->link, &s) != 0) { | ||
670 | // create the path if necessary | ||
671 | mkpath(entry->link, s.st_mode); | ||
672 | |||
673 | int rv = symlink(entry->data + 10, entry->link); | ||
674 | if (rv) | ||
675 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | ||
676 | else if (arg_debug || arg_debug_whitelists) | ||
677 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | ||
678 | } | ||
636 | } | 679 | } |
637 | } | 680 | } |
638 | 681 | ||
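Review bot: The new ownership check at new lines 400-403 fails open: when stat(fname) fails the condition is false and the entry is whitelisted even though the real path is outside the home directory, whereas the old code rejected every such path. If the intent is to allow only existing, user-owned targets, the test should be `if (stat(fname, &s) != 0 || s.st_uid != getuid()) goto errexit;`, and the comment at 400 should say that a realpath outside home is accepted only when it exists and is owned by the invoking user. At new line 536 `dir + 4` silently assumes appimage_getdir() returns a path under /tmp; an `assert(strncmp(dir, "/tmp/", 5) == 0);` next to the existing assert(dir) would make that explicit, and the mkdir/chown/chmod sequence at 540-545 runs as root on that path. The comment at new line 512 was truncated to "keep a copy of real /tmp directory in" and lost the directory name it referred to.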
diff --git a/src/firejail/join.c b/src/firejail/join.c index 251260091..c14108986 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <fcntl.h> | 23 | #include <fcntl.h> |
24 | #include <unistd.h> | 24 | #include <unistd.h> |
25 | #include <sys/prctl.h> | 25 | #include <sys/prctl.h> |
26 | #include <errno.h> | ||
26 | 27 | ||
27 | static int apply_caps = 0; | 28 | static int apply_caps = 0; |
28 | static uint64_t caps = 0; | 29 | static uint64_t caps = 0; |
@@ -53,7 +54,7 @@ static void extract_command(int argc, char **argv, int index) { | |||
53 | int i; | 54 | int i; |
54 | // calculate command length | 55 | // calculate command length |
55 | for (i = index; i < argc; i++) { | 56 | for (i = index; i < argc; i++) { |
56 | len += strlen(argv[i]) + 1; | 57 | len += strlen(argv[i]) + 3; |
57 | } | 58 | } |
58 | assert(len > 0); | 59 | assert(len > 0); |
59 | 60 | ||
@@ -61,8 +62,15 @@ static void extract_command(int argc, char **argv, int index) { | |||
61 | cfg.command_line = malloc(len + 1); | 62 | cfg.command_line = malloc(len + 1); |
62 | *cfg.command_line = '\0'; | 63 | *cfg.command_line = '\0'; |
63 | for (i = index; i < argc; i++) { | 64 | for (i = index; i < argc; i++) { |
64 | strcat(cfg.command_line, argv[i]); | 65 | if (strchr(argv[i], '&')) { |
65 | strcat(cfg.command_line, " "); | 66 | strcat(cfg.command_line, "\'"); |
67 | strcat(cfg.command_line, argv[i]); | ||
68 | strcat(cfg.command_line, "\' "); | ||
69 | } | ||
70 | else { | ||
71 | strcat(cfg.command_line, argv[i]); | ||
72 | strcat(cfg.command_line, " "); | ||
73 | } | ||
66 | } | 74 | } |
67 | if (arg_debug) | 75 | if (arg_debug) |
68 | printf("Extracted command #%s#\n", cfg.command_line); | 76 | printf("Extracted command #%s#\n", cfg.command_line); |
@@ -201,7 +209,9 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
201 | extract_command(argc, argv, index); | 209 | extract_command(argc, argv, index); |
202 | 210 | ||
203 | // if the pid is that of a firejail process, use the pid of the first child process | 211 | // if the pid is that of a firejail process, use the pid of the first child process |
212 | EUID_ROOT(); | ||
204 | char *comm = pid_proc_comm(pid); | 213 | char *comm = pid_proc_comm(pid); |
214 | EUID_USER(); | ||
205 | if (comm) { | 215 | if (comm) { |
206 | if (strcmp(comm, "firejail") == 0) { | 216 | if (strcmp(comm, "firejail") == 0) { |
207 | pid_t child; | 217 | pid_t child; |
@@ -329,19 +339,38 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
329 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 339 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) |
330 | errExit("setenv"); | 340 | errExit("setenv"); |
331 | 341 | ||
342 | // set nice | ||
343 | if (arg_nice) { | ||
344 | errno = 0; | ||
345 | int rv = nice(cfg.nice); | ||
346 | (void) rv; | ||
347 | if (errno) { | ||
348 | fprintf(stderr, "Warning: cannot set nice value\n"); | ||
349 | errno = 0; | ||
350 | } | ||
351 | } | ||
352 | |||
332 | // run cmdline trough /bin/bash | 353 | // run cmdline trough /bin/bash |
333 | if (cfg.command_line == NULL) { | 354 | if (cfg.command_line == NULL) { |
334 | struct stat s; | ||
335 | 355 | ||
336 | // replace the process with a shell | 356 | // replace the process with a shell |
337 | if (stat("/bin/bash", &s) == 0) | 357 | if (cfg.shell) |
338 | execlp("/bin/bash", "/bin/bash", NULL); | 358 | execlp(cfg.shell, cfg.shell, NULL); |
339 | else if (stat("/usr/bin/zsh", &s) == 0) | 359 | else if (arg_zsh) |
340 | execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); | 360 | execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); |
341 | else if (stat("/bin/csh", &s) == 0) | 361 | else if (arg_csh) |
342 | execlp("/bin/csh", "/bin/csh", NULL); | 362 | execlp("/bin/csh", "/bin/csh", NULL); |
343 | else if (stat("/bin/sh", &s) == 0) | 363 | else { |
344 | execlp("/bin/sh", "/bin/sh", NULL); | 364 | struct stat s; |
365 | if (stat("/bin/bash", &s) == 0) | ||
366 | execlp("/bin/bash", "/bin/bash", NULL); | ||
367 | else if (stat("/usr/bin/zsh", &s) == 0) | ||
368 | execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); | ||
369 | else if (stat("/bin/csh", &s) == 0) | ||
370 | execlp("/bin/csh", "/bin/csh", NULL); | ||
371 | else if (stat("/bin/sh", &s) == 0) | ||
372 | execlp("/bin/sh", "/bin/sh", NULL); | ||
373 | } | ||
345 | 374 | ||
346 | // no shell found, print an error and exit | 375 | // no shell found, print an error and exit |
347 | fprintf(stderr, "Error: no POSIX shell found\n"); | 376 | fprintf(stderr, "Error: no POSIX shell found\n"); |
@@ -368,21 +397,54 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
368 | } | 397 | } |
369 | } | 398 | } |
370 | 399 | ||
371 | char *arg[5]; | 400 | if (arg_shell_none) { |
372 | arg[0] = "/bin/bash"; | 401 | if (arg_debug) { |
373 | arg[1] = "-c"; | 402 | int i; |
374 | if (arg_debug) | 403 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { |
375 | printf("Starting %s\n", cfg.command_line); | 404 | if (cfg.original_argv[i] == NULL) |
376 | if (!arg_doubledash) { | 405 | break; |
377 | arg[2] = cfg.command_line; | 406 | printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]); |
378 | arg[3] = NULL; | 407 | } |
379 | } | 408 | } |
380 | else { | 409 | |
381 | arg[2] = "--"; | 410 | if (cfg.original_program_index == 0) { |
382 | arg[3] = cfg.command_line; | 411 | fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); |
383 | arg[4] = NULL; | 412 | exit(1); |
413 | } | ||
414 | |||
415 | if (!arg_command && !arg_quiet) | ||
416 | printf("Child process initialized\n"); | ||
417 | |||
418 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | ||
419 | exit(1); | ||
420 | } else { | ||
421 | // choose the shell requested by the user, or use bash as default | ||
422 | char *sh; | ||
423 | if (cfg.shell) | ||
424 | sh = cfg.shell; | ||
425 | else if (arg_zsh) | ||
426 | sh = "/usr/bin/zsh"; | ||
427 | else if (arg_csh) | ||
428 | sh = "/bin/csh"; | ||
429 | else | ||
430 | sh = "/bin/bash"; | ||
431 | |||
432 | char *arg[5]; | ||
433 | arg[0] = sh; | ||
434 | arg[1] = "-c"; | ||
435 | if (arg_debug) | ||
436 | printf("Starting %s\n", cfg.command_line); | ||
437 | if (!arg_doubledash) { | ||
438 | arg[2] = cfg.command_line; | ||
439 | arg[3] = NULL; | ||
440 | } | ||
441 | else { | ||
442 | arg[2] = "--"; | ||
443 | arg[3] = cfg.command_line; | ||
444 | arg[4] = NULL; | ||
445 | } | ||
446 | execvp("/bin/bash", arg); | ||
384 | } | 447 | } |
385 | execvp("/bin/bash", arg); | ||
386 | } | 448 | } |
387 | 449 | ||
388 | // it will never get here!!! | 450 | // it will never get here!!! |
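--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -18,47 +18,83 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+static void set_privileges(void) {
+struct stat s;
+if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+EUID_ROOT();
+
+// elevate privileges
+if (setreuid(0, 0))
+errExit("setreuid");
+if (setregid(0, 0))
+errExit("setregid");
+}
+else
+drop_privs(1);
+}
+
+static char *get_firemon_path(const char *cmd) {
+assert(cmd);
+
+// start the argv[0] program in a new sandbox
+char *firemon;
+if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1)
+errExit("asprintf");
+
+return firemon;
+}
 
 void top(void) {
 EUID_ASSERT();
-
+drop_privs(1);
+char *cmd = get_firemon_path("--top");
+
 char *arg[4];
 arg[0] = "bash";
 arg[1] = "-c";
-arg[2] = "firemon --top";
+arg[2] = cmd;
 arg[3] = NULL;
 execvp("/bin/bash", arg);
 }
 
 void netstats(void) {
 EUID_ASSERT();
+set_privileges();
+char *cmd = get_firemon_path("--netstats");
 
 char *arg[4];
 arg[0] = "bash";
 arg[1] = "-c";
-arg[2] = "firemon --netstats";
+arg[2] = cmd;
 arg[3] = NULL;
 execvp("/bin/bash", arg);
 }
 
 void list(void) {
 EUID_ASSERT();
+drop_privs(1);
+char *cmd = get_firemon_path("--list");
 
 char *arg[4];
 arg[0] = "bash";
 arg[1] = "-c";
-arg[2] = "firemon --list";
+arg[2] = cmd;
 arg[3] = NULL;
 execvp("/bin/bash", arg);
 }
 
 void tree(void) {
 EUID_ASSERT();
+drop_privs(1);
+char *cmd = get_firemon_path("--tree");
 
 char *arg[4];
 arg[0] = "bash";
 arg[1] = "-c";
-arg[2] = "firemon --tree";
+arg[2] = cmd;
 arg[3] = NULL;
 execvp("/bin/bash", arg);
 }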
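Review bot: In netstats(), set_privileges() raises the real and effective ids to 0 under grsecurity and the function then still goes through `bash -c` instead of exec'ing firemon itself, so a shell runs as root with the caller's environment inherited; to my knowledge bash applies its privileged-mode safeguards only while real and effective uid differ, so a privileged shell that honours environment-driven startup is a wider surface than the one binary needs. Exec'ing the program directly takes the shell out of the privileged path: let get_firemon_path() return only `PREFIX/bin/firemon` and replace the arg[] block with `execl(cmd, cmd, "--netstats", (char *)NULL);` (the same shape fits top(), list() and tree()). A failed exec is unchecked in all four functions, so the caller continues silently; `errExit("execvp");` after each exec call makes that visible. The difference between drop_privs(1) in top()/list()/tree() and set_privileges() in netstats() also deserves a comment saying why only netstats needs root on grsecurity.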
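--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -205,7 +205,9 @@ void sandboxfs(int op, pid_t pid, const char *path) {
 EUID_ASSERT();
 
 // if the pid is that of a firejail process, use the pid of the first child process
+EUID_ROOT();
 char *comm = pid_proc_comm(pid);
+EUID_USER();
 if (comm) {
 if (strcmp(comm, "firejail") == 0) {
 pid_t child;
@@ -341,7 +343,7 @@ void sandboxfs(int op, pid_t pid, const char *path) {
 }
 
 // wait for the child to finish
-int status = NULL;
+int status = 0;
 waitpid(child, &status, 0);
 if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
 else
@@ -377,6 +379,7 @@ void sandboxfs(int op, pid_t pid, const char *path) {
 errExit("chown");
 if (chmod(dest_fname, 0644) == -1)
 errExit("chmod");
+printf("Transfer complete\n");
 EUID_USER();
 }
 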
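Review bot: Initialising status to 0 removes the NULL-to-int warning, but a failed waitpid() on the next line (EINTR, or a child already reaped) now leaves status at 0 and `WIFEXITED(status) && WEXITSTATUS(status) == 0` reports the transfer as successful; check the call, `if (waitpid(child, &status, 0) == -1) errExit("waitpid");`. The new EUID_ROOT()/EUID_USER() pair around pid_proc_comm() would read better with a one-line comment on why the comm lookup needs elevated privileges here, since the surrounding code runs as the user. sandboxfs() starts and ends outside these hunks.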
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0a02d0918..cbc3d57cf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc | |||
77 | int arg_rlimit_fsize = 0; // rlimit fsize | 77 | int arg_rlimit_fsize = 0; // rlimit fsize |
78 | int arg_rlimit_sigpending = 0; // rlimit fsize | 78 | int arg_rlimit_sigpending = 0; // rlimit fsize |
79 | int arg_nogroups = 0; // disable supplementary groups | 79 | int arg_nogroups = 0; // disable supplementary groups |
80 | int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl | ||
80 | int arg_noroot = 0; // create a new user namespace and disable root user | 81 | int arg_noroot = 0; // create a new user namespace and disable root user |
81 | int arg_netfilter; // enable netfilter | 82 | int arg_netfilter; // enable netfilter |
82 | int arg_netfilter6; // enable netfilter6 | 83 | int arg_netfilter6; // enable netfilter6 |
@@ -96,6 +97,11 @@ int arg_join_network = 0; // join only the network namespace | |||
96 | int arg_join_filesystem = 0; // join only the mount namespace | 97 | int arg_join_filesystem = 0; // join only the mount namespace |
97 | int arg_nice = 0; // nice value configured | 98 | int arg_nice = 0; // nice value configured |
98 | int arg_ipc = 0; // enable ipc namespace | 99 | int arg_ipc = 0; // enable ipc namespace |
100 | int arg_writable_etc = 0; // writable etc | ||
101 | int arg_writable_var = 0; // writable var | ||
102 | int arg_appimage = 0; // appimage | ||
103 | int arg_audit = 0; // audit | ||
104 | char *arg_audit_prog; // audit | ||
99 | 105 | ||
100 | int parent_to_child_fds[2]; | 106 | int parent_to_child_fds[2]; |
101 | int child_to_parent_fds[2]; | 107 | int child_to_parent_fds[2]; |
@@ -105,46 +111,43 @@ int fullargc = 0; | |||
105 | static pid_t child = 0; | 111 | static pid_t child = 0; |
106 | pid_t sandbox_pid; | 112 | pid_t sandbox_pid; |
107 | 113 | ||
108 | static void set_name_file(uid_t pid); | 114 | static void set_name_file(pid_t pid); |
109 | static void delete_name_file(uid_t pid); | 115 | static void delete_name_file(pid_t pid); |
110 | static void set_x11_file(uid_t pid, int display); | 116 | static void set_x11_file(pid_t pid, int display); |
111 | static void delete_x11_file(uid_t pid); | 117 | static void delete_x11_file(pid_t pid); |
118 | |||
119 | void clear_run_files(pid_t pid) { | ||
120 | bandwidth_del_run_file(pid); // bandwidth file | ||
121 | network_del_run_file(pid); // network map file | ||
122 | delete_name_file(pid); | ||
123 | delete_x11_file(pid); | ||
124 | } | ||
112 | 125 | ||
113 | static void myexit(int rv) { | 126 | static void myexit(int rv) { |
114 | logmsg("exiting..."); | 127 | logmsg("exiting..."); |
115 | if (!arg_command && !arg_quiet) | 128 | if (!arg_command && !arg_quiet) |
116 | printf("\nparent is shutting down, bye...\n"); | 129 | printf("\nParent is shutting down, bye...\n"); |
117 | 130 | ||
131 | |||
118 | // delete sandbox files in shared memory | 132 | // delete sandbox files in shared memory |
119 | bandwidth_shm_del_file(sandbox_pid); // bandwidth file | 133 | EUID_ROOT(); |
120 | network_shm_del_file(sandbox_pid); // network map file | 134 | clear_run_files(sandbox_pid); |
121 | delete_name_file(sandbox_pid); | 135 | appimage_clear(); |
122 | delete_x11_file(sandbox_pid); | 136 | |
123 | |||
124 | exit(rv); | 137 | exit(rv); |
125 | } | 138 | } |
126 | 139 | ||
127 | static void my_handler(int s){ | 140 | static void my_handler(int s){ |
128 | if (!arg_quiet) | 141 | EUID_ROOT(); |
129 | printf("\nSignal %d caught, shutting down the child process\n", s); | 142 | if (!arg_quiet) { |
143 | printf("\nParent received signal %d, shutting down the child process...\n", s); | ||
144 | fflush(0); | ||
145 | } | ||
130 | logsignal(s); | 146 | logsignal(s); |
131 | kill(child, SIGKILL); | 147 | kill(child, SIGTERM); |
132 | myexit(1); | 148 | myexit(1); |
133 | } | 149 | } |
134 | 150 | ||
135 | static inline Bridge *last_bridge_configured(void) { | ||
136 | if (cfg.bridge3.configured) | ||
137 | return &cfg.bridge3; | ||
138 | else if (cfg.bridge2.configured) | ||
139 | return &cfg.bridge2; | ||
140 | else if (cfg.bridge1.configured) | ||
141 | return &cfg.bridge1; | ||
142 | else if (cfg.bridge0.configured) | ||
143 | return &cfg.bridge0; | ||
144 | else | ||
145 | return NULL; | ||
146 | } | ||
147 | |||
148 | // return 1 if error, 0 if a valid pid was found | 151 | // return 1 if error, 0 if a valid pid was found |
149 | static inline int read_pid(char *str, pid_t *pid) { | 152 | static inline int read_pid(char *str, pid_t *pid) { |
150 | char *endptr; | 153 | char *endptr; |
@@ -174,9 +177,11 @@ static void init_cfg(int argc, char **argv) { | |||
174 | cfg.bridge3.devsandbox = "eth3"; | 177 | cfg.bridge3.devsandbox = "eth3"; |
175 | 178 | ||
176 | // extract user data | 179 | // extract user data |
180 | EUID_ROOT(); // rise permissions for grsecurity | ||
177 | struct passwd *pw = getpwuid(getuid()); | 181 | struct passwd *pw = getpwuid(getuid()); |
178 | if (!pw) | 182 | if (!pw) |
179 | errExit("getpwuid"); | 183 | errExit("getpwuid"); |
184 | EUID_USER(); | ||
180 | cfg.username = strdup(pw->pw_name); | 185 | cfg.username = strdup(pw->pw_name); |
181 | if (!cfg.username) | 186 | if (!cfg.username) |
182 | errExit("strdup"); | 187 | errExit("strdup"); |
@@ -274,74 +279,108 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
274 | #ifndef HAVE_FILE_TRANSFER | 279 | #ifndef HAVE_FILE_TRANSFER |
275 | printf("File transfer support is disabled.\n"); | 280 | printf("File transfer support is disabled.\n"); |
276 | #endif | 281 | #endif |
282 | #ifndef HAVE_WHITELIST | ||
283 | printf("whitelisting support is disabled.\n"); | ||
284 | #endif | ||
277 | exit(0); | 285 | exit(0); |
278 | } | 286 | } |
279 | #ifdef HAVE_X11 | 287 | #ifdef HAVE_X11 |
280 | else if (strcmp(argv[i], "--x11") == 0) { | 288 | else if (strcmp(argv[i], "--x11") == 0) { |
281 | x11_start(argc, argv); | 289 | if (checkcfg(CFG_X11)) { |
282 | exit(0); | 290 | x11_start(argc, argv); |
291 | exit(0); | ||
292 | } | ||
293 | else { | ||
294 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | ||
295 | exit(1); | ||
296 | } | ||
283 | } | 297 | } |
284 | #endif | 298 | else if (strcmp(argv[i], "--x11=xpra") == 0) { |
285 | #ifdef HAVE_NETWORK | 299 | if (checkcfg(CFG_X11)) { |
286 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { | 300 | x11_start_xpra(argc, argv); |
287 | logargs(argc, argv); | 301 | exit(0); |
288 | 302 | } | |
289 | // extract the command | 303 | else { |
290 | if ((i + 1) == argc) { | 304 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); |
291 | fprintf(stderr, "Error: command expected after --bandwidth option\n"); | ||
292 | exit(1); | 305 | exit(1); |
293 | } | 306 | } |
294 | char *cmd = argv[i + 1]; | 307 | } |
295 | if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) { | 308 | else if (strcmp(argv[i], "--x11=xephyr") == 0) { |
296 | fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n"); | 309 | if (checkcfg(CFG_X11)) { |
310 | x11_start_xephyr(argc, argv); | ||
311 | exit(0); | ||
312 | } | ||
313 | else { | ||
314 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | ||
297 | exit(1); | 315 | exit(1); |
298 | } | 316 | } |
299 | 317 | } | |
300 | // extract network name | 318 | #endif |
301 | char *dev = NULL; | 319 | #ifdef HAVE_NETWORK |
302 | int down = 0; | 320 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { |
303 | int up = 0; | 321 | if (checkcfg(CFG_NETWORK)) { |
304 | if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) { | 322 | logargs(argc, argv); |
305 | // extract device name | 323 | |
306 | if ((i + 2) == argc) { | 324 | // extract the command |
307 | fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd); | 325 | if ((i + 1) == argc) { |
326 | fprintf(stderr, "Error: command expected after --bandwidth option\n"); | ||
308 | exit(1); | 327 | exit(1); |
309 | } | 328 | } |
310 | dev = argv[i + 2]; | 329 | char *cmd = argv[i + 1]; |
311 | 330 | if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) { | |
312 | // check device name | 331 | fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n"); |
313 | if (if_nametoindex(dev) == 0) { | ||
314 | fprintf(stderr, "Error: network device %s not found\n", dev); | ||
315 | exit(1); | 332 | exit(1); |
316 | } | 333 | } |
317 | 334 | ||
318 | // extract bandwidth | 335 | // extract network name |
319 | if (strcmp(cmd, "set") == 0) { | 336 | char *dev = NULL; |
320 | if ((i + 4) >= argc) { | 337 | int down = 0; |
321 | fprintf(stderr, "Error: invalid --bandwidth set command\n"); | 338 | int up = 0; |
339 | if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) { | ||
340 | // extract device name | ||
341 | if ((i + 2) == argc) { | ||
342 | fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd); | ||
322 | exit(1); | 343 | exit(1); |
323 | } | 344 | } |
324 | 345 | dev = argv[i + 2]; | |
325 | down = atoi(argv[i + 3]); | 346 | |
326 | if (down < 0) { | 347 | // check device name |
327 | fprintf(stderr, "Error: invalid download speed\n"); | 348 | if (if_nametoindex(dev) == 0) { |
349 | fprintf(stderr, "Error: network device %s not found\n", dev); | ||
328 | exit(1); | 350 | exit(1); |
329 | } | 351 | } |
330 | up = atoi(argv[i + 4]); | 352 | |
331 | if (up < 0) { | 353 | // extract bandwidth |
332 | fprintf(stderr, "Error: invalid upload speed\n"); | 354 | if (strcmp(cmd, "set") == 0) { |
333 | exit(1); | 355 | if ((i + 4) >= argc) { |
356 | fprintf(stderr, "Error: invalid --bandwidth set command\n"); | ||
357 | exit(1); | ||
358 | } | ||
359 | |||
360 | down = atoi(argv[i + 3]); | ||
361 | if (down < 0) { | ||
362 | fprintf(stderr, "Error: invalid download speed\n"); | ||
363 | exit(1); | ||
364 | } | ||
365 | up = atoi(argv[i + 4]); | ||
366 | if (up < 0) { | ||
367 | fprintf(stderr, "Error: invalid upload speed\n"); | ||
368 | exit(1); | ||
369 | } | ||
334 | } | 370 | } |
335 | } | 371 | } |
336 | } | 372 | |
337 | 373 | // extract pid or sandbox name | |
338 | // extract pid or sandbox name | 374 | pid_t pid; |
339 | pid_t pid; | 375 | if (read_pid(argv[i] + 12, &pid) == 0) |
340 | EUID_ROOT(); | 376 | bandwidth_pid(pid, cmd, dev, down, up); |
341 | if (read_pid(argv[i] + 12, &pid) == 0) | 377 | else |
342 | bandwidth_pid(pid, cmd, dev, down, up); | 378 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
343 | else | 379 | } |
344 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 380 | else { |
381 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
382 | exit(1); | ||
383 | } | ||
345 | exit(0); | 384 | exit(0); |
346 | } | 385 | } |
347 | #endif | 386 | #endif |
@@ -350,20 +389,38 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
350 | //************************************* | 389 | //************************************* |
351 | #ifdef HAVE_SECCOMP | 390 | #ifdef HAVE_SECCOMP |
352 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 391 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
353 | syscall_print(); | 392 | if (checkcfg(CFG_SECCOMP)) { |
354 | exit(0); | 393 | syscall_print(); |
394 | exit(0); | ||
395 | } | ||
396 | else { | ||
397 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
398 | exit(1); | ||
399 | } | ||
355 | } | 400 | } |
356 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 401 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
357 | errno_print(); | 402 | if (checkcfg(CFG_SECCOMP)) { |
403 | errno_print(); | ||
404 | } | ||
405 | else { | ||
406 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
407 | exit(1); | ||
408 | } | ||
358 | exit(0); | 409 | exit(0); |
359 | } | 410 | } |
360 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 411 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
361 | // print seccomp filter for a sandbox specified by pid or by name | 412 | if (checkcfg(CFG_SECCOMP)) { |
362 | pid_t pid; | 413 | // print seccomp filter for a sandbox specified by pid or by name |
363 | if (read_pid(argv[i] + 16, &pid) == 0) | 414 | pid_t pid; |
364 | seccomp_print_filter(pid); | 415 | if (read_pid(argv[i] + 16, &pid) == 0) |
365 | else | 416 | seccomp_print_filter(pid); |
366 | seccomp_print_filter_name(argv[i] + 16); | 417 | else |
418 | seccomp_print_filter_name(argv[i] + 16); | ||
419 | } | ||
420 | else { | ||
421 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
422 | exit(1); | ||
423 | } | ||
367 | exit(0); | 424 | exit(0); |
368 | } | 425 | } |
369 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 426 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
@@ -371,15 +428,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
371 | exit(0); | 428 | exit(0); |
372 | } | 429 | } |
373 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 430 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
374 | // print seccomp filter for a sandbox specified by pid or by name | 431 | if (checkcfg(CFG_SECCOMP)) { |
432 | // print seccomp filter for a sandbox specified by pid or by name | ||
433 | pid_t pid; | ||
434 | if (read_pid(argv[i] + 17, &pid) == 0) | ||
435 | protocol_print_filter(pid); | ||
436 | else | ||
437 | protocol_print_filter_name(argv[i] + 17); | ||
438 | } | ||
439 | else { | ||
440 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
441 | exit(1); | ||
442 | } | ||
443 | exit(0); | ||
444 | } | ||
445 | #endif | ||
446 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | ||
447 | // join sandbox by pid or by name | ||
375 | pid_t pid; | 448 | pid_t pid; |
376 | if (read_pid(argv[i] + 17, &pid) == 0) | 449 | if (read_pid(argv[i] + 12, &pid) == 0) |
377 | protocol_print_filter(pid); | 450 | cpu_print_filter(pid); |
378 | else | 451 | else |
379 | protocol_print_filter_name(argv[i] + 17); | 452 | cpu_print_filter_name(argv[i] + 12); |
380 | exit(0); | 453 | exit(0); |
381 | } | 454 | } |
382 | #endif | ||
383 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { | 455 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { |
384 | // join sandbox by pid or by name | 456 | // join sandbox by pid or by name |
385 | pid_t pid; | 457 | pid_t pid; |
@@ -425,7 +497,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
425 | } | 497 | } |
426 | #ifdef HAVE_NETWORK | 498 | #ifdef HAVE_NETWORK |
427 | else if (strcmp(argv[i], "--netstats") == 0) { | 499 | else if (strcmp(argv[i], "--netstats") == 0) { |
428 | netstats(); | 500 | if (checkcfg(CFG_NETWORK)) { |
501 | netstats(); | ||
502 | } | ||
503 | else { | ||
504 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
505 | exit(1); | ||
506 | } | ||
429 | exit(0); | 507 | exit(0); |
430 | } | 508 | } |
431 | #endif | 509 | #endif |
@@ -455,7 +533,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
455 | exit(0); | 533 | exit(0); |
456 | } | 534 | } |
457 | else { | 535 | else { |
458 | fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n"); | 536 | fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); |
459 | exit(1); | 537 | exit(1); |
460 | } | 538 | } |
461 | } | 539 | } |
@@ -484,7 +562,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
484 | exit(0); | 562 | exit(0); |
485 | } | 563 | } |
486 | else { | 564 | else { |
487 | fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n"); | 565 | fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n"); |
488 | exit(1); | 566 | exit(1); |
489 | } | 567 | } |
490 | } | 568 | } |
@@ -502,19 +580,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
502 | } | 580 | } |
503 | #ifdef HAVE_NETWORK | 581 | #ifdef HAVE_NETWORK |
504 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { | 582 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { |
505 | logargs(argc, argv); | 583 | if (checkcfg(CFG_NETWORK)) { |
506 | arg_join_network = 1; | 584 | logargs(argc, argv); |
507 | if (getuid() != 0) { | 585 | arg_join_network = 1; |
508 | fprintf(stderr, "Error: --join-network is only available to root user\n"); | 586 | if (getuid() != 0) { |
587 | fprintf(stderr, "Error: --join-network is only available to root user\n"); | ||
588 | exit(1); | ||
589 | } | ||
590 | |||
591 | // join sandbox by pid or by name | ||
592 | pid_t pid; | ||
593 | if (read_pid(argv[i] + 15, &pid) == 0) | ||
594 | join(pid, argc, argv, i + 1); | ||
595 | else | ||
596 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
597 | } | ||
598 | else { | ||
599 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
509 | exit(1); | 600 | exit(1); |
510 | } | 601 | } |
511 | 602 | ||
512 | // join sandbox by pid or by name | ||
513 | pid_t pid; | ||
514 | if (read_pid(argv[i] + 15, &pid) == 0) | ||
515 | join(pid, argc, argv, i + 1); | ||
516 | else | ||
517 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
518 | exit(0); | 603 | exit(0); |
519 | } | 604 | } |
520 | #endif | 605 | #endif |
@@ -548,7 +633,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
548 | 633 | ||
549 | } | 634 | } |
550 | 635 | ||
551 | static void set_name_file(uid_t pid) { | 636 | static void set_name_file(pid_t pid) { |
552 | char *fname; | 637 | char *fname; |
553 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) | 638 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) |
554 | errExit("asprintf"); | 639 | errExit("asprintf"); |
@@ -570,15 +655,16 @@ static void set_name_file(uid_t pid) { | |||
570 | 655 | ||
571 | } | 656 | } |
572 | 657 | ||
573 | static void delete_name_file(uid_t pid) { | 658 | static void delete_name_file(pid_t pid) { |
574 | char *fname; | 659 | char *fname; |
575 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) | 660 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1) |
576 | errExit("asprintf"); | 661 | errExit("asprintf"); |
577 | int rv = unlink(fname); | 662 | int rv = unlink(fname); |
578 | (void) rv; | 663 | (void) rv; |
664 | free(fname); | ||
579 | } | 665 | } |
580 | 666 | ||
581 | static void set_x11_file(uid_t pid, int display) { | 667 | static void set_x11_file(pid_t pid, int display) { |
582 | char *fname; | 668 | char *fname; |
583 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | 669 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) |
584 | errExit("asprintf"); | 670 | errExit("asprintf"); |
@@ -600,12 +686,60 @@ static void set_x11_file(uid_t pid, int display) { | |||
600 | 686 | ||
601 | } | 687 | } |
602 | 688 | ||
603 | static void delete_x11_file(uid_t pid) { | 689 | static void delete_x11_file(pid_t pid) { |
604 | char *fname; | 690 | char *fname; |
605 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) | 691 | if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) |
606 | errExit("asprintf"); | 692 | errExit("asprintf"); |
607 | int rv = unlink(fname); | 693 | int rv = unlink(fname); |
608 | (void) rv; | 694 | (void) rv; |
695 | free(fname); | ||
696 | } | ||
697 | |||
698 | static void detect_quiet(int argc, char **argv) { | ||
699 | int i; | ||
700 | char *progs[] = { | ||
701 | "less", | ||
702 | "cpio", | ||
703 | "strings", | ||
704 | "gzip", | ||
705 | "xz", | ||
706 | "xzdec", | ||
707 | NULL | ||
708 | }; | ||
709 | |||
710 | // detect --quiet | ||
711 | for (i = 1; i < argc; i++) { | ||
712 | if (strcmp(argv[i], "--quiet") == 0) { | ||
713 | arg_quiet = 1; | ||
714 | break; | ||
715 | } | ||
716 | |||
717 | // detect end of firejail params | ||
718 | if (strcmp(argv[i], "--") == 0) | ||
719 | break; | ||
720 | if (strncmp(argv[i], "--", 2) != 0) | ||
721 | break; | ||
722 | } | ||
723 | |||
724 | // argv[i] is the program name if --quiet was not already detected | ||
725 | if (arg_quiet || i == argc) | ||
726 | return; | ||
727 | |||
728 | // extract the name of the program without the leading path | ||
729 | char *ptr = strrchr(argv[i], '/'); | ||
730 | char *name = (ptr)? (ptr + 1): argv[i]; | ||
731 | if (*name == '\0') | ||
732 | return; | ||
733 | |||
734 | // look for the program in the list | ||
735 | int j = 0; | ||
736 | while (progs[j] != NULL) { | ||
737 | if (strcmp(name, progs[j]) == 0) { | ||
738 | arg_quiet = 1; | ||
739 | return; | ||
740 | } | ||
741 | j++; | ||
742 | } | ||
609 | } | 743 | } |
610 | 744 | ||
611 | //******************************************* | 745 | //******************************************* |
@@ -615,14 +749,17 @@ int main(int argc, char **argv) { | |||
615 | int i; | 749 | int i; |
616 | int prog_index = -1; // index in argv where the program command starts | 750 | int prog_index = -1; // index in argv where the program command starts |
617 | int lockfd = -1; | 751 | int lockfd = -1; |
618 | int arg_cgroup = 0; | 752 | int option_cgroup = 0; |
753 | int option_force = 0; | ||
619 | int custom_profile = 0; // custom profile loaded | 754 | int custom_profile = 0; // custom profile loaded |
620 | char *custom_profile_dir = NULL; // custom profile directory | 755 | char *custom_profile_dir = NULL; // custom profile directory |
621 | int arg_noprofile = 0; // use generic.profile if none other found/specified | 756 | int arg_noprofile = 0; // use default.profile if none other found/specified |
622 | #ifdef HAVE_SECCOMP | 757 | #ifdef HAVE_SECCOMP |
623 | int highest_errno = errno_highest_nr(); | 758 | int highest_errno = errno_highest_nr(); |
624 | #endif | 759 | #endif |
625 | 760 | ||
761 | detect_quiet(argc, argv); | ||
762 | |||
626 | // drop permissions by default and rise them when required | 763 | // drop permissions by default and rise them when required |
627 | EUID_INIT(); | 764 | EUID_INIT(); |
628 | EUID_USER(); | 765 | EUID_USER(); |
@@ -632,33 +769,87 @@ int main(int argc, char **argv) { | |||
632 | run_symlink(argc, argv); | 769 | run_symlink(argc, argv); |
633 | 770 | ||
634 | // check if we already have a sandbox running | 771 | // check if we already have a sandbox running |
635 | int rv = check_kernel_procs(); | 772 | // If LXC is detected, start firejail sandbox |
636 | if (rv == 0) { | 773 | // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: |
637 | // if --force option is passed to the program, disregard the existing sandbox | 774 | // - if --force flag is set, start firejail sandbox |
638 | int found = 0; | 775 | // -- if --force flag is not set, start the application in a /bin/bash shell |
776 | if (check_namespace_virt() == 0) { | ||
777 | EUID_ROOT(); | ||
778 | int rv = check_kernel_procs(); | ||
779 | EUID_USER(); | ||
780 | if (rv == 0) { | ||
781 | // if --force option is passed to the program, disregard the existing sandbox | ||
782 | int found = 0; | ||
783 | for (i = 1; i < argc; i++) { | ||
784 | if (strcmp(argv[i], "--force") == 0 || | ||
785 | strcmp(argv[i], "--list") == 0 || | ||
786 | strcmp(argv[i], "--netstats") == 0 || | ||
787 | strcmp(argv[i], "--tree") == 0 || | ||
788 | strcmp(argv[i], "--top") == 0 || | ||
789 | strncmp(argv[i], "--ls=", 5) == 0 || | ||
790 | strncmp(argv[i], "--get=", 6) == 0 || | ||
791 | strcmp(argv[i], "--debug-caps") == 0 || | ||
792 | strcmp(argv[i], "--debug-errnos") == 0 || | ||
793 | strcmp(argv[i], "--debug-syscalls") == 0 || | ||
794 | strcmp(argv[i], "--debug-protocols") == 0 || | ||
795 | strcmp(argv[i], "--help") == 0 || | ||
796 | strcmp(argv[i], "--version") == 0 || | ||
797 | strncmp(argv[i], "--dns.print=", 12) == 0 || | ||
798 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | ||
799 | strncmp(argv[i], "--caps.print=", 13) == 0 || | ||
800 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | ||
801 | //******************************************************************************** | ||
802 | // todo: fix the following problems | ||
803 | strncmp(argv[i], "--join=", 7) == 0 || | ||
804 | //[netblue@debian Downloads]$ firejail --join=896 | ||
805 | //Switching to pid 897, the first child process inside the sandbox | ||
806 | //Error: seccomp file not found | ||
807 | //******************************************************************************** | ||
808 | |||
809 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | ||
810 | strncmp(argv[i], "--join-network=", 15) == 0 || | ||
811 | strncmp(argv[i], "--fs.print=", 11) == 0 || | ||
812 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | ||
813 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | ||
814 | strncmp(argv[i], "--shutdown=", 11) == 0) { | ||
815 | found = 1; | ||
816 | break; | ||
817 | } | ||
818 | |||
819 | // detect end of firejail params | ||
820 | if (strcmp(argv[i], "--") == 0) | ||
821 | break; | ||
822 | if (strncmp(argv[i], "--", 2) != 0) | ||
823 | break; | ||
824 | } | ||
825 | |||
826 | if (found == 0) { | ||
827 | // start the program directly without sandboxing | ||
828 | run_no_sandbox(argc, argv); | ||
829 | // it will never get here! | ||
830 | assert(0); | ||
831 | } | ||
832 | else | ||
833 | option_force = 1; | ||
834 | } | ||
835 | } | ||
836 | |||
837 | // check root/suid | ||
838 | EUID_ROOT(); | ||
839 | if (geteuid()) { | ||
840 | // detect --version | ||
639 | for (i = 1; i < argc; i++) { | 841 | for (i = 1; i < argc; i++) { |
640 | if (strcmp(argv[i], "--force") == 0) { | 842 | if (strcmp(argv[i], "--version") == 0) { |
641 | found = 1; | 843 | printf("firejail version %s\n", VERSION); |
642 | break; | 844 | exit(0); |
643 | } | 845 | } |
846 | |||
847 | // detect end of firejail params | ||
644 | if (strcmp(argv[i], "--") == 0) | 848 | if (strcmp(argv[i], "--") == 0) |
645 | break; | 849 | break; |
646 | if (strncmp(argv[i], "--", 2) != 0) | 850 | if (strncmp(argv[i], "--", 2) != 0) |
647 | break; | 851 | break; |
648 | } | 852 | } |
649 | |||
650 | if (found == 0) { | ||
651 | // start the program directly without sandboxing | ||
652 | run_no_sandbox(argc, argv); | ||
653 | // it will never get here! | ||
654 | assert(0); | ||
655 | } | ||
656 | } | ||
657 | |||
658 | // check root/suid | ||
659 | EUID_ROOT(); | ||
660 | if (geteuid()) { | ||
661 | fprintf(stderr, "Error: the sandbox is not setuid root\n"); | ||
662 | exit(1); | 853 | exit(1); |
663 | } | 854 | } |
664 | EUID_USER(); | 855 | EUID_USER(); |
@@ -670,24 +861,30 @@ int main(int argc, char **argv) { | |||
670 | // check firejail directories | 861 | // check firejail directories |
671 | EUID_ROOT(); | 862 | EUID_ROOT(); |
672 | fs_build_firejail_dir(); | 863 | fs_build_firejail_dir(); |
673 | // todo: deprecate shm functions | 864 | bandwidth_del_run_file(sandbox_pid); |
674 | shm_create_firejail_dir(); | 865 | network_del_run_file(sandbox_pid); |
675 | bandwidth_shm_del_file(sandbox_pid); | 866 | delete_name_file(sandbox_pid); |
867 | delete_x11_file(sandbox_pid); | ||
868 | |||
676 | EUID_USER(); | 869 | EUID_USER(); |
677 | 870 | ||
678 | //check if the parent is sshd daemon | 871 | //check if the parent is sshd daemon |
679 | int parent_sshd = 0; | 872 | int parent_sshd = 0; |
680 | { | 873 | { |
681 | pid_t ppid = getppid(); | 874 | pid_t ppid = getppid(); |
875 | EUID_ROOT(); | ||
682 | char *comm = pid_proc_comm(ppid); | 876 | char *comm = pid_proc_comm(ppid); |
877 | EUID_USER(); | ||
683 | if (comm) { | 878 | if (comm) { |
684 | if (strcmp(comm, "sshd") == 0) | 879 | if (strcmp(comm, "sshd") == 0) { |
880 | arg_quiet = 1; | ||
685 | parent_sshd = 1; | 881 | parent_sshd = 1; |
882 | } | ||
686 | free(comm); | 883 | free(comm); |
687 | } | 884 | } |
688 | } | 885 | } |
689 | 886 | ||
690 | // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users | 887 | // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users |
691 | if (*argv[0] == '-' || parent_sshd) { | 888 | if (*argv[0] == '-' || parent_sshd) { |
692 | fullargc = restricted_shell(cfg.username); | 889 | fullargc = restricted_shell(cfg.username); |
693 | if (fullargc) { | 890 | if (fullargc) { |
@@ -703,96 +900,144 @@ int main(int argc, char **argv) { | |||
703 | else { | 900 | else { |
704 | // check --output option and execute it; | 901 | // check --output option and execute it; |
705 | check_output(argc, argv); // the function will not return if --output option was found | 902 | check_output(argc, argv); // the function will not return if --output option was found |
706 | check_user(argc, argv); // the function will not return if --user option was found | ||
707 | } | 903 | } |
708 | 904 | ||
905 | |||
906 | // check for force-nonewprivs in /etc/firejail/firejail.config file | ||
907 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | ||
908 | arg_nonewprivs = 1; | ||
909 | |||
709 | // parse arguments | 910 | // parse arguments |
710 | for (i = 1; i < argc; i++) { | 911 | for (i = 1; i < argc; i++) { |
711 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized | 912 | run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized |
712 | 913 | ||
713 | if (strcmp(argv[i], "--debug") == 0) | 914 | if (strcmp(argv[i], "--debug") == 0) { |
714 | arg_debug = 1; | 915 | if (!arg_quiet) { |
916 | arg_debug = 1; | ||
917 | if (option_force) | ||
918 | printf("Entering sandbox-in-sandbox mode\n"); | ||
919 | } | ||
920 | } | ||
715 | else if (strcmp(argv[i], "--debug-check-filename") == 0) | 921 | else if (strcmp(argv[i], "--debug-check-filename") == 0) |
716 | arg_debug_check_filename = 1; | 922 | arg_debug_check_filename = 1; |
717 | else if (strcmp(argv[i], "--debug-blacklists") == 0) | 923 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
718 | arg_debug_blacklists = 1; | 924 | arg_debug_blacklists = 1; |
719 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 925 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
720 | arg_debug_whitelists = 1; | 926 | arg_debug_whitelists = 1; |
721 | else if (strcmp(argv[i], "--quiet") == 0) | 927 | else if (strcmp(argv[i], "--quiet") == 0) { |
722 | arg_quiet = 1; | 928 | arg_quiet = 1; |
929 | arg_debug = 0; | ||
930 | } | ||
723 | else if (strcmp(argv[i], "--force") == 0) | 931 | else if (strcmp(argv[i], "--force") == 0) |
724 | ; | 932 | ; |
725 | 933 | ||
726 | //************************************* | 934 | //************************************* |
727 | // filtering | 935 | // filtering |
728 | //************************************* | 936 | //************************************* |
729 | #ifdef HAVE_SECCOMP | 937 | #ifdef HAVE_SECCOMP |
730 | else if (strncmp(argv[i], "--protocol=", 11) == 0) | 938 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
731 | protocol_store(argv[i] + 11); | 939 | if (checkcfg(CFG_SECCOMP)) { |
940 | protocol_store(argv[i] + 11); | ||
941 | } | ||
942 | else { | ||
943 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
944 | exit(1); | ||
945 | } | ||
946 | } | ||
732 | else if (strcmp(argv[i], "--seccomp") == 0) { | 947 | else if (strcmp(argv[i], "--seccomp") == 0) { |
733 | if (arg_seccomp) { | 948 | if (checkcfg(CFG_SECCOMP)) { |
734 | fprintf(stderr, "Error: seccomp already enabled\n"); | 949 | if (arg_seccomp) { |
950 | fprintf(stderr, "Error: seccomp already enabled\n"); | ||
951 | exit(1); | ||
952 | } | ||
953 | arg_seccomp = 1; | ||
954 | } | ||
955 | else { | ||
956 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
735 | exit(1); | 957 | exit(1); |
736 | } | 958 | } |
737 | arg_seccomp = 1; | ||
738 | } | 959 | } |
739 | else if (strncmp(argv[i], "--seccomp=", 10) == 0) { | 960 | else if (strncmp(argv[i], "--seccomp=", 10) == 0) { |
740 | if (arg_seccomp) { | 961 | if (checkcfg(CFG_SECCOMP)) { |
741 | fprintf(stderr, "Error: seccomp already enabled\n"); | 962 | if (arg_seccomp) { |
963 | fprintf(stderr, "Error: seccomp already enabled\n"); | ||
964 | exit(1); | ||
965 | } | ||
966 | arg_seccomp = 1; | ||
967 | cfg.seccomp_list = strdup(argv[i] + 10); | ||
968 | if (!cfg.seccomp_list) | ||
969 | errExit("strdup"); | ||
970 | } | ||
971 | else { | ||
972 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
742 | exit(1); | 973 | exit(1); |
743 | } | 974 | } |
744 | arg_seccomp = 1; | ||
745 | cfg.seccomp_list = strdup(argv[i] + 10); | ||
746 | if (!cfg.seccomp_list) | ||
747 | errExit("strdup"); | ||
748 | } | 975 | } |
749 | else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { | 976 | else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { |
750 | if (arg_seccomp) { | 977 | if (checkcfg(CFG_SECCOMP)) { |
751 | fprintf(stderr, "Error: seccomp already enabled\n"); | 978 | if (arg_seccomp) { |
979 | fprintf(stderr, "Error: seccomp already enabled\n"); | ||
980 | exit(1); | ||
981 | } | ||
982 | arg_seccomp = 1; | ||
983 | cfg.seccomp_list_drop = strdup(argv[i] + 15); | ||
984 | if (!cfg.seccomp_list_drop) | ||
985 | errExit("strdup"); | ||
986 | } | ||
987 | else { | ||
988 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
752 | exit(1); | 989 | exit(1); |
753 | } | 990 | } |
754 | arg_seccomp = 1; | ||
755 | cfg.seccomp_list_drop = strdup(argv[i] + 15); | ||
756 | if (!cfg.seccomp_list_drop) | ||
757 | errExit("strdup"); | ||
758 | } | 991 | } |
759 | else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { | 992 | else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { |
760 | if (arg_seccomp) { | 993 | if (checkcfg(CFG_SECCOMP)) { |
761 | fprintf(stderr, "Error: seccomp already enabled\n"); | 994 | if (arg_seccomp) { |
995 | fprintf(stderr, "Error: seccomp already enabled\n"); | ||
996 | exit(1); | ||
997 | } | ||
998 | arg_seccomp = 1; | ||
999 | cfg.seccomp_list_keep = strdup(argv[i] + 15); | ||
1000 | if (!cfg.seccomp_list_keep) | ||
1001 | errExit("strdup"); | ||
1002 | } | ||
1003 | else { | ||
1004 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | ||
762 | exit(1); | 1005 | exit(1); |
763 | } | 1006 | } |
764 | arg_seccomp = 1; | ||
765 | cfg.seccomp_list_keep = strdup(argv[i] + 15); | ||
766 | if (!cfg.seccomp_list_keep) | ||
767 | errExit("strdup"); | ||
768 | } | 1007 | } |
769 | else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) { | 1008 | else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) { |
770 | if (arg_seccomp && !cfg.seccomp_list_errno) { | 1009 | if (checkcfg(CFG_SECCOMP)) { |
771 | fprintf(stderr, "Error: seccomp already enabled\n"); | 1010 | if (arg_seccomp && !cfg.seccomp_list_errno) { |
772 | exit(1); | 1011 | fprintf(stderr, "Error: seccomp already enabled\n"); |
773 | } | 1012 | exit(1); |
774 | char *eq = strchr(argv[i], '='); | 1013 | } |
775 | char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10)); | 1014 | char *eq = strchr(argv[i], '='); |
776 | int nr = errno_find_name(errnoname); | 1015 | char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10)); |
777 | if (nr == -1) { | 1016 | int nr = errno_find_name(errnoname); |
778 | fprintf(stderr, "Error: unknown errno %s\n", errnoname); | 1017 | if (nr == -1) { |
1018 | fprintf(stderr, "Error: unknown errno %s\n", errnoname); | ||
1019 | free(errnoname); | ||
1020 | exit(1); | ||
1021 | } | ||
1022 | |||
1023 | if (!cfg.seccomp_list_errno) | ||
1024 | cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0])); | ||
1025 | |||
1026 | if (cfg.seccomp_list_errno[nr]) { | ||
1027 | fprintf(stderr, "Error: errno %s already configured\n", errnoname); | ||
1028 | free(errnoname); | ||
1029 | exit(1); | ||
1030 | } | ||
1031 | arg_seccomp = 1; | ||
1032 | cfg.seccomp_list_errno[nr] = strdup(eq+1); | ||
1033 | if (!cfg.seccomp_list_errno[nr]) | ||
1034 | errExit("strdup"); | ||
779 | free(errnoname); | 1035 | free(errnoname); |
780 | exit(1); | ||
781 | } | 1036 | } |
782 | 1037 | else { | |
783 | if (!cfg.seccomp_list_errno) | 1038 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
784 | cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0])); | ||
785 | |||
786 | if (cfg.seccomp_list_errno[nr]) { | ||
787 | fprintf(stderr, "Error: errno %s already configured\n", errnoname); | ||
788 | free(errnoname); | ||
789 | exit(1); | 1039 | exit(1); |
790 | } | 1040 | } |
791 | arg_seccomp = 1; | ||
792 | cfg.seccomp_list_errno[nr] = strdup(eq+1); | ||
793 | if (!cfg.seccomp_list_errno[nr]) | ||
794 | errExit("strdup"); | ||
795 | free(errnoname); | ||
796 | } | 1041 | } |
797 | #endif | 1042 | #endif |
798 | else if (strcmp(argv[i], "--caps") == 0) | 1043 | else if (strcmp(argv[i], "--caps") == 0) |
@@ -861,15 +1106,17 @@ int main(int argc, char **argv) { | |||
861 | read_cpu_list(argv[i] + 6); | 1106 | read_cpu_list(argv[i] + 6); |
862 | else if (strncmp(argv[i], "--nice=", 7) == 0) { | 1107 | else if (strncmp(argv[i], "--nice=", 7) == 0) { |
863 | cfg.nice = atoi(argv[i] + 7); | 1108 | cfg.nice = atoi(argv[i] + 7); |
1109 | if (getuid() != 0 &&cfg.nice < 0) | ||
1110 | cfg.nice = 0; | ||
864 | arg_nice = 1; | 1111 | arg_nice = 1; |
865 | } | 1112 | } |
866 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 1113 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
867 | if (arg_cgroup) { | 1114 | if (option_cgroup) { |
868 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 1115 | fprintf(stderr, "Error: only a cgroup can be defined\n"); |
869 | exit(1); | 1116 | exit(1); |
870 | } | 1117 | } |
871 | 1118 | ||
872 | arg_cgroup = 1; | 1119 | option_cgroup = 1; |
873 | cfg.cgroup = strdup(argv[i] + 9); | 1120 | cfg.cgroup = strdup(argv[i] + 9); |
874 | if (!cfg.cgroup) | 1121 | if (!cfg.cgroup) |
875 | errExit("strdup"); | 1122 | errExit("strdup"); |
@@ -881,12 +1128,18 @@ int main(int argc, char **argv) { | |||
881 | //************************************* | 1128 | //************************************* |
882 | #ifdef HAVE_BIND | 1129 | #ifdef HAVE_BIND |
883 | else if (strncmp(argv[i], "--bind=", 7) == 0) { | 1130 | else if (strncmp(argv[i], "--bind=", 7) == 0) { |
884 | char *line; | 1131 | if (checkcfg(CFG_BIND)) { |
885 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) | 1132 | char *line; |
886 | errExit("asprintf"); | 1133 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) |
887 | 1134 | errExit("asprintf"); | |
888 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1135 | |
889 | profile_add(line); | 1136 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1137 | profile_add(line); | ||
1138 | } | ||
1139 | else { | ||
1140 | fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n"); | ||
1141 | exit(1); | ||
1142 | } | ||
890 | } | 1143 | } |
891 | #endif | 1144 | #endif |
892 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { | 1145 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { |
@@ -913,17 +1166,43 @@ int main(int argc, char **argv) { | |||
913 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1166 | profile_check_line(line, 0, NULL); // will exit if something wrong |
914 | profile_add(line); | 1167 | profile_add(line); |
915 | } | 1168 | } |
1169 | |||
1170 | #ifdef HAVE_WHITELIST | ||
916 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 1171 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
1172 | if (checkcfg(CFG_WHITELIST)) { | ||
1173 | char *line; | ||
1174 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | ||
1175 | errExit("asprintf"); | ||
1176 | |||
1177 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1178 | profile_add(line); | ||
1179 | } | ||
1180 | else { | ||
1181 | fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); | ||
1182 | exit(1); | ||
1183 | } | ||
1184 | } | ||
1185 | #endif | ||
1186 | |||
1187 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | ||
917 | char *line; | 1188 | char *line; |
918 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 1189 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) |
919 | errExit("asprintf"); | 1190 | errExit("asprintf"); |
920 | 1191 | ||
921 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1192 | profile_check_line(line, 0, NULL); // will exit if something wrong |
922 | profile_add(line); | 1193 | profile_add(line); |
923 | } | 1194 | } |
924 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | 1195 | else if (strncmp(argv[i], "--noexec=", 9) == 0) { |
925 | char *line; | 1196 | char *line; |
926 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) | 1197 | if (asprintf(&line, "noexec %s", argv[i] + 9) == -1) |
1198 | errExit("asprintf"); | ||
1199 | |||
1200 | profile_check_line(line, 0, NULL); // will exit if something wrong | ||
1201 | profile_add(line); | ||
1202 | } | ||
1203 | else if (strncmp(argv[i], "--read-write=", 13) == 0) { | ||
1204 | char *line; | ||
1205 | if (asprintf(&line, "read-write %s", argv[i] + 13) == -1) | ||
927 | errExit("asprintf"); | 1206 | errExit("asprintf"); |
928 | 1207 | ||
929 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1208 | profile_check_line(line, 0, NULL); // will exit if something wrong |
@@ -934,6 +1213,11 @@ int main(int argc, char **argv) { | |||
934 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1213 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
935 | exit(1); | 1214 | exit(1); |
936 | } | 1215 | } |
1216 | struct stat s; | ||
1217 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1218 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1219 | exit(1); | ||
1220 | } | ||
937 | arg_overlay = 1; | 1221 | arg_overlay = 1; |
938 | arg_overlay_keep = 1; | 1222 | arg_overlay_keep = 1; |
939 | 1223 | ||
@@ -941,7 +1225,6 @@ int main(int argc, char **argv) { | |||
941 | char *dirname; | 1225 | char *dirname; |
942 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 1226 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
943 | errExit("asprintf"); | 1227 | errExit("asprintf"); |
944 | struct stat s; | ||
945 | if (stat(dirname, &s) == -1) { | 1228 | if (stat(dirname, &s) == -1) { |
946 | /* coverity[toctou] */ | 1229 | /* coverity[toctou] */ |
947 | if (mkdir(dirname, 0700)) | 1230 | if (mkdir(dirname, 0700)) |
@@ -972,6 +1255,11 @@ int main(int argc, char **argv) { | |||
972 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1255 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
973 | exit(1); | 1256 | exit(1); |
974 | } | 1257 | } |
1258 | struct stat s; | ||
1259 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
1260 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
1261 | exit(1); | ||
1262 | } | ||
975 | arg_overlay = 1; | 1263 | arg_overlay = 1; |
976 | } | 1264 | } |
977 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1265 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
@@ -979,23 +1267,27 @@ int main(int argc, char **argv) { | |||
979 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | 1267 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); |
980 | exit(1); | 1268 | exit(1); |
981 | } | 1269 | } |
982 | invalid_filename(argv[i] + 10); | 1270 | |
1271 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); | ||
1272 | if (!ppath) | ||
1273 | errExit("strdup"); | ||
1274 | invalid_filename(ppath); | ||
983 | 1275 | ||
984 | // multiple profile files are allowed! | 1276 | // multiple profile files are allowed! |
985 | char *ptr = argv[i] + 10; | 1277 | if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { |
986 | if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { | ||
987 | fprintf(stderr, "Error: invalid profile file\n"); | 1278 | fprintf(stderr, "Error: invalid profile file\n"); |
988 | exit(1); | 1279 | exit(1); |
989 | } | 1280 | } |
990 | 1281 | ||
991 | // access call checks as real UID/GID, not as effective UID/GID | 1282 | // access call checks as real UID/GID, not as effective UID/GID |
992 | if (access(argv[i] + 10, R_OK)) { | 1283 | if (access(ppath, R_OK)) { |
993 | fprintf(stderr, "Error: cannot access profile file\n"); | 1284 | fprintf(stderr, "Error: cannot access profile file\n"); |
994 | return 1; | 1285 | return 1; |
995 | } | 1286 | } |
996 | 1287 | ||
997 | profile_read(argv[i] + 10); | 1288 | profile_read(ppath); |
998 | custom_profile = 1; | 1289 | custom_profile = 1; |
1290 | free(ppath); | ||
999 | } | 1291 | } |
1000 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { | 1292 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { |
1001 | if (arg_noprofile) { | 1293 | if (arg_noprofile) { |
@@ -1049,35 +1341,60 @@ int main(int argc, char **argv) { | |||
1049 | } | 1341 | } |
1050 | #ifdef HAVE_CHROOT | 1342 | #ifdef HAVE_CHROOT |
1051 | else if (strncmp(argv[i], "--chroot=", 9) == 0) { | 1343 | else if (strncmp(argv[i], "--chroot=", 9) == 0) { |
1052 | if (arg_overlay) { | 1344 | if (checkcfg(CFG_CHROOT)) { |
1053 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1345 | if (arg_overlay) { |
1054 | exit(1); | 1346 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
1055 | } | 1347 | exit(1); |
1056 | invalid_filename(argv[i] + 9); | 1348 | } |
1057 | 1349 | ||
1058 | // extract chroot dirname | 1350 | struct stat s; |
1059 | cfg.chrootdir = argv[i] + 9; | 1351 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
1060 | // if the directory starts with ~, expand the home directory | 1352 | fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); |
1061 | if (*cfg.chrootdir == '~') { | 1353 | exit(1); |
1062 | char *tmp; | 1354 | } |
1063 | if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1) | 1355 | |
1064 | errExit("asprintf"); | 1356 | |
1065 | cfg.chrootdir = tmp; | 1357 | invalid_filename(argv[i] + 9); |
1066 | } | 1358 | |
1067 | 1359 | // extract chroot dirname | |
1068 | // check chroot dirname exists | 1360 | cfg.chrootdir = argv[i] + 9; |
1069 | if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) { | 1361 | // if the directory starts with ~, expand the home directory |
1070 | fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir); | 1362 | if (*cfg.chrootdir == '~') { |
1071 | return 1; | 1363 | char *tmp; |
1364 | if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1) | ||
1365 | errExit("asprintf"); | ||
1366 | cfg.chrootdir = tmp; | ||
1367 | } | ||
1368 | |||
1369 | // check chroot dirname exists | ||
1370 | if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) { | ||
1371 | fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir); | ||
1372 | return 1; | ||
1373 | } | ||
1374 | |||
1375 | // check chroot directory structure | ||
1376 | if (fs_check_chroot_dir(cfg.chrootdir)) { | ||
1377 | fprintf(stderr, "Error: invalid chroot\n"); | ||
1378 | exit(1); | ||
1379 | } | ||
1072 | } | 1380 | } |
1073 | 1381 | else { | |
1074 | // check chroot directory structure | 1382 | fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); |
1075 | if (fs_check_chroot_dir(cfg.chrootdir)) { | ||
1076 | fprintf(stderr, "Error: invalid chroot\n"); | ||
1077 | exit(1); | 1383 | exit(1); |
1078 | } | 1384 | } |
1385 | |||
1079 | } | 1386 | } |
1080 | #endif | 1387 | #endif |
1388 | else if (strcmp(argv[i], "--writable-etc") == 0) { | ||
1389 | if (cfg.etc_private_keep) { | ||
1390 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
1391 | exit(1); | ||
1392 | } | ||
1393 | arg_writable_etc = 1; | ||
1394 | } | ||
1395 | else if (strcmp(argv[i], "--writable-var") == 0) { | ||
1396 | arg_writable_var = 1; | ||
1397 | } | ||
1081 | else if (strcmp(argv[i], "--private") == 0) | 1398 | else if (strcmp(argv[i], "--private") == 0) |
1082 | arg_private = 1; | 1399 | arg_private = 1; |
1083 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1400 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
@@ -1094,6 +1411,11 @@ int main(int argc, char **argv) { | |||
1094 | arg_private_dev = 1; | 1411 | arg_private_dev = 1; |
1095 | } | 1412 | } |
1096 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 1413 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
1414 | if (arg_writable_etc) { | ||
1415 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
1416 | exit(1); | ||
1417 | } | ||
1418 | |||
1097 | // extract private etc list | 1419 | // extract private etc list |
1098 | cfg.etc_private_keep = argv[i] + 14; | 1420 | cfg.etc_private_keep = argv[i] + 14; |
1099 | if (*cfg.etc_private_keep == '\0') { | 1421 | if (*cfg.etc_private_keep == '\0') { |
@@ -1101,12 +1423,7 @@ int main(int argc, char **argv) { | |||
1101 | exit(1); | 1423 | exit(1); |
1102 | } | 1424 | } |
1103 | fs_check_etc_list(); | 1425 | fs_check_etc_list(); |
1104 | if (*cfg.etc_private_keep != '\0') | 1426 | arg_private_etc = 1; |
1105 | arg_private_etc = 1; | ||
1106 | else { | ||
1107 | arg_private_etc = 0; | ||
1108 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
1109 | } | ||
1110 | } | 1427 | } |
1111 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 1428 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
1112 | // extract private bin list | 1429 | // extract private bin list |
@@ -1115,8 +1432,8 @@ int main(int argc, char **argv) { | |||
1115 | fprintf(stderr, "Error: invalid private-bin option\n"); | 1432 | fprintf(stderr, "Error: invalid private-bin option\n"); |
1116 | exit(1); | 1433 | exit(1); |
1117 | } | 1434 | } |
1118 | fs_check_bin_list(); | ||
1119 | arg_private_bin = 1; | 1435 | arg_private_bin = 1; |
1436 | fs_check_bin_list(); | ||
1120 | } | 1437 | } |
1121 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1438 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
1122 | arg_private_tmp = 1; | 1439 | arg_private_tmp = 1; |
@@ -1143,14 +1460,23 @@ int main(int argc, char **argv) { | |||
1143 | arg_nogroups = 1; | 1460 | arg_nogroups = 1; |
1144 | #ifdef HAVE_USERNS | 1461 | #ifdef HAVE_USERNS |
1145 | else if (strcmp(argv[i], "--noroot") == 0) { | 1462 | else if (strcmp(argv[i], "--noroot") == 0) { |
1146 | check_user_namespace(); | 1463 | if (checkcfg(CFG_USERNS)) |
1464 | check_user_namespace(); | ||
1465 | else { | ||
1466 | fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n"); | ||
1467 | exit(1); | ||
1468 | } | ||
1147 | } | 1469 | } |
1148 | #endif | 1470 | #endif |
1471 | else if (strcmp(argv[i], "--nonewprivs") == 0) { | ||
1472 | arg_nonewprivs = 1; | ||
1473 | } | ||
1149 | else if (strncmp(argv[i], "--env=", 6) == 0) | 1474 | else if (strncmp(argv[i], "--env=", 6) == 0) |
1150 | env_store(argv[i] + 6); | 1475 | env_store(argv[i] + 6, SETENV); |
1151 | else if (strncmp(argv[i], "--nosound", 9) == 0) { | 1476 | else if (strncmp(argv[i], "--rmenv=", 8) == 0) |
1477 | env_store(argv[i] + 8, RMENV); | ||
1478 | else if (strcmp(argv[i], "--nosound") == 0) { | ||
1152 | arg_nosound = 1; | 1479 | arg_nosound = 1; |
1153 | arg_private_dev = 1; | ||
1154 | } | 1480 | } |
1155 | 1481 | ||
1156 | //************************************* | 1482 | //************************************* |
@@ -1158,204 +1484,278 @@ int main(int argc, char **argv) { | |||
1158 | //************************************* | 1484 | //************************************* |
1159 | #ifdef HAVE_NETWORK | 1485 | #ifdef HAVE_NETWORK |
1160 | else if (strncmp(argv[i], "--interface=", 12) == 0) { | 1486 | else if (strncmp(argv[i], "--interface=", 12) == 0) { |
1487 | if (checkcfg(CFG_NETWORK)) { | ||
1161 | #ifdef HAVE_NETWORK_RESTRICTED | 1488 | #ifdef HAVE_NETWORK_RESTRICTED |
1162 | if (getuid() != 0) { | 1489 | // compile time restricted networking |
1163 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); | 1490 | if (getuid() != 0) { |
1164 | exit(1); | 1491 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); |
1165 | } | 1492 | exit(1); |
1493 | } | ||
1166 | #endif | 1494 | #endif |
1167 | // checks | 1495 | // run time restricted networking |
1168 | if (arg_nonetwork) { | 1496 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { |
1169 | fprintf(stderr, "Error: --network=none and --interface are incompatible\n"); | 1497 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); |
1170 | exit(1); | 1498 | exit(1); |
1171 | } | 1499 | } |
1172 | if (strcmp(argv[i] + 12, "lo") == 0) { | 1500 | |
1173 | fprintf(stderr, "Error: cannot use lo device in --interface command\n"); | 1501 | // checks |
1174 | exit(1); | 1502 | if (arg_nonetwork) { |
1175 | } | 1503 | fprintf(stderr, "Error: --network=none and --interface are incompatible\n"); |
1176 | int ifindex = if_nametoindex(argv[i] + 12); | 1504 | exit(1); |
1177 | if (ifindex <= 0) { | 1505 | } |
1178 | fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12); | 1506 | if (strcmp(argv[i] + 12, "lo") == 0) { |
1179 | exit(1); | 1507 | fprintf(stderr, "Error: cannot use lo device in --interface command\n"); |
1508 | exit(1); | ||
1509 | } | ||
1510 | int ifindex = if_nametoindex(argv[i] + 12); | ||
1511 | if (ifindex <= 0) { | ||
1512 | fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12); | ||
1513 | exit(1); | ||
1514 | } | ||
1515 | |||
1516 | Interface *intf; | ||
1517 | if (cfg.interface0.configured == 0) | ||
1518 | intf = &cfg.interface0; | ||
1519 | else if (cfg.interface1.configured == 0) | ||
1520 | intf = &cfg.interface1; | ||
1521 | else if (cfg.interface2.configured == 0) | ||
1522 | intf = &cfg.interface2; | ||
1523 | else if (cfg.interface3.configured == 0) | ||
1524 | intf = &cfg.interface3; | ||
1525 | else { | ||
1526 | fprintf(stderr, "Error: maximum 4 interfaces are allowed\n"); | ||
1527 | return 1; | ||
1528 | } | ||
1529 | |||
1530 | intf->dev = strdup(argv[i] + 12); | ||
1531 | if (!intf->dev) | ||
1532 | errExit("strdup"); | ||
1533 | |||
1534 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { | ||
1535 | fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); | ||
1536 | } | ||
1537 | intf->configured = 1; | ||
1180 | } | 1538 | } |
1181 | |||
1182 | Interface *intf; | ||
1183 | if (cfg.interface0.configured == 0) | ||
1184 | intf = &cfg.interface0; | ||
1185 | else if (cfg.interface1.configured == 0) | ||
1186 | intf = &cfg.interface1; | ||
1187 | else if (cfg.interface2.configured == 0) | ||
1188 | intf = &cfg.interface2; | ||
1189 | else if (cfg.interface3.configured == 0) | ||
1190 | intf = &cfg.interface3; | ||
1191 | else { | 1539 | else { |
1192 | fprintf(stderr, "Error: maximum 4 interfaces are allowed\n"); | 1540 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1193 | return 1; | 1541 | exit(1); |
1194 | } | ||
1195 | |||
1196 | intf->dev = strdup(argv[i] + 12); | ||
1197 | if (!intf->dev) | ||
1198 | errExit("strdup"); | ||
1199 | |||
1200 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { | ||
1201 | fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); | ||
1202 | } | 1542 | } |
1203 | intf->configured = 1; | ||
1204 | } | 1543 | } |
1544 | |||
1205 | else if (strncmp(argv[i], "--net=", 6) == 0) { | 1545 | else if (strncmp(argv[i], "--net=", 6) == 0) { |
1206 | if (strcmp(argv[i] + 6, "none") == 0) { | 1546 | if (checkcfg(CFG_NETWORK)) { |
1207 | arg_nonetwork = 1; | 1547 | if (strcmp(argv[i] + 6, "none") == 0) { |
1208 | cfg.bridge0.configured = 0; | 1548 | arg_nonetwork = 1; |
1209 | cfg.bridge1.configured = 0; | 1549 | cfg.bridge0.configured = 0; |
1210 | cfg.bridge2.configured = 0; | 1550 | cfg.bridge1.configured = 0; |
1211 | cfg.bridge3.configured = 0; | 1551 | cfg.bridge2.configured = 0; |
1212 | cfg.interface0.configured = 0; | 1552 | cfg.bridge3.configured = 0; |
1213 | cfg.interface1.configured = 0; | 1553 | cfg.interface0.configured = 0; |
1214 | cfg.interface2.configured = 0; | 1554 | cfg.interface1.configured = 0; |
1215 | cfg.interface3.configured = 0; | 1555 | cfg.interface2.configured = 0; |
1216 | continue; | 1556 | cfg.interface3.configured = 0; |
1217 | } | 1557 | continue; |
1558 | } | ||
1559 | |||
1218 | #ifdef HAVE_NETWORK_RESTRICTED | 1560 | #ifdef HAVE_NETWORK_RESTRICTED |
1219 | if (getuid() != 0) { | 1561 | // compile time restricted networking |
1220 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); | 1562 | if (getuid() != 0) { |
1221 | exit(1); | 1563 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); |
1222 | } | 1564 | exit(1); |
1565 | } | ||
1223 | #endif | 1566 | #endif |
1224 | if (strcmp(argv[i] + 6, "lo") == 0) { | 1567 | // run time restricted networking |
1225 | fprintf(stderr, "Error: cannot attach to lo device\n"); | 1568 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { |
1226 | exit(1); | 1569 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); |
1570 | exit(1); | ||
1571 | } | ||
1572 | if (strcmp(argv[i] + 6, "lo") == 0) { | ||
1573 | fprintf(stderr, "Error: cannot attach to lo device\n"); | ||
1574 | exit(1); | ||
1575 | } | ||
1576 | |||
1577 | Bridge *br; | ||
1578 | if (cfg.bridge0.configured == 0) | ||
1579 | br = &cfg.bridge0; | ||
1580 | else if (cfg.bridge1.configured == 0) | ||
1581 | br = &cfg.bridge1; | ||
1582 | else if (cfg.bridge2.configured == 0) | ||
1583 | br = &cfg.bridge2; | ||
1584 | else if (cfg.bridge3.configured == 0) | ||
1585 | br = &cfg.bridge3; | ||
1586 | else { | ||
1587 | fprintf(stderr, "Error: maximum 4 network devices are allowed\n"); | ||
1588 | return 1; | ||
1589 | } | ||
1590 | net_configure_bridge(br, argv[i] + 6); | ||
1227 | } | 1591 | } |
1228 | |||
1229 | Bridge *br; | ||
1230 | if (cfg.bridge0.configured == 0) | ||
1231 | br = &cfg.bridge0; | ||
1232 | else if (cfg.bridge1.configured == 0) | ||
1233 | br = &cfg.bridge1; | ||
1234 | else if (cfg.bridge2.configured == 0) | ||
1235 | br = &cfg.bridge2; | ||
1236 | else if (cfg.bridge3.configured == 0) | ||
1237 | br = &cfg.bridge3; | ||
1238 | else { | 1592 | else { |
1239 | fprintf(stderr, "Error: maximum 4 network devices are allowed\n"); | 1593 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1240 | return 1; | 1594 | exit(1); |
1241 | } | 1595 | } |
1242 | net_configure_bridge(br, argv[i] + 6); | ||
1243 | } | 1596 | } |
1597 | |||
1244 | else if (strcmp(argv[i], "--scan") == 0) { | 1598 | else if (strcmp(argv[i], "--scan") == 0) { |
1245 | arg_scan = 1; | 1599 | if (checkcfg(CFG_NETWORK)) { |
1246 | } | 1600 | arg_scan = 1; |
1247 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { | ||
1248 | Bridge *br = last_bridge_configured(); | ||
1249 | if (br == NULL) { | ||
1250 | fprintf(stderr, "Error: no network device configured\n"); | ||
1251 | return 1; | ||
1252 | } | 1601 | } |
1253 | if (br->iprange_start || br->iprange_end) { | 1602 | else { |
1254 | fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n"); | 1603 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1255 | return 1; | 1604 | exit(1); |
1256 | } | 1605 | } |
1257 | 1606 | } | |
1258 | // parse option arguments | 1607 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { |
1259 | char *firstip = argv[i] + 10; | 1608 | if (checkcfg(CFG_NETWORK)) { |
1260 | char *secondip = firstip; | 1609 | Bridge *br = last_bridge_configured(); |
1261 | while (*secondip != '\0') { | 1610 | if (br == NULL) { |
1262 | if (*secondip == ',') | 1611 | fprintf(stderr, "Error: no network device configured\n"); |
1263 | break; | 1612 | return 1; |
1613 | } | ||
1614 | if (br->iprange_start || br->iprange_end) { | ||
1615 | fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n"); | ||
1616 | return 1; | ||
1617 | } | ||
1618 | |||
1619 | // parse option arguments | ||
1620 | char *firstip = argv[i] + 10; | ||
1621 | char *secondip = firstip; | ||
1622 | while (*secondip != '\0') { | ||
1623 | if (*secondip == ',') | ||
1624 | break; | ||
1625 | secondip++; | ||
1626 | } | ||
1627 | if (*secondip == '\0') { | ||
1628 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1629 | return 1; | ||
1630 | } | ||
1631 | *secondip = '\0'; | ||
1264 | secondip++; | 1632 | secondip++; |
1633 | |||
1634 | // check addresses | ||
1635 | if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) || | ||
1636 | br->iprange_start >= br->iprange_end) { | ||
1637 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1638 | return 1; | ||
1639 | } | ||
1640 | if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) { | ||
1641 | fprintf(stderr, "Error: IP range addresses not in network range\n"); | ||
1642 | return 1; | ||
1643 | } | ||
1265 | } | 1644 | } |
1266 | if (*secondip == '\0') { | 1645 | else { |
1267 | fprintf(stderr, "Error: invalid IP range\n"); | 1646 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1268 | return 1; | 1647 | exit(1); |
1269 | } | ||
1270 | *secondip = '\0'; | ||
1271 | secondip++; | ||
1272 | |||
1273 | // check addresses | ||
1274 | if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) || | ||
1275 | br->iprange_start >= br->iprange_end) { | ||
1276 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1277 | return 1; | ||
1278 | } | ||
1279 | if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) { | ||
1280 | fprintf(stderr, "Error: IP range addresses not in network range\n"); | ||
1281 | return 1; | ||
1282 | } | 1648 | } |
1283 | } | 1649 | } |
1650 | |||
1284 | else if (strncmp(argv[i], "--mac=", 6) == 0) { | 1651 | else if (strncmp(argv[i], "--mac=", 6) == 0) { |
1285 | Bridge *br = last_bridge_configured(); | 1652 | if (checkcfg(CFG_NETWORK)) { |
1286 | if (br == NULL) { | 1653 | Bridge *br = last_bridge_configured(); |
1287 | fprintf(stderr, "Error: no network device configured\n"); | 1654 | if (br == NULL) { |
1288 | return 1; | 1655 | fprintf(stderr, "Error: no network device configured\n"); |
1289 | } | 1656 | exit(1); |
1290 | if (mac_not_zero(br->macsandbox)) { | 1657 | } |
1291 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | 1658 | if (mac_not_zero(br->macsandbox)) { |
1292 | return 1; | 1659 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); |
1660 | exit(1); | ||
1661 | } | ||
1662 | |||
1663 | // read the address | ||
1664 | if (atomac(argv[i] + 6, br->macsandbox)) { | ||
1665 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
1666 | exit(1); | ||
1667 | } | ||
1293 | } | 1668 | } |
1294 | 1669 | else { | |
1295 | // read the address | 1670 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1296 | if (atomac(argv[i] + 6, br->macsandbox)) { | 1671 | exit(1); |
1297 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
1298 | return 1; | ||
1299 | } | 1672 | } |
1300 | } | 1673 | } |
1674 | |||
1301 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { | 1675 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { |
1302 | Bridge *br = last_bridge_configured(); | 1676 | if (checkcfg(CFG_NETWORK)) { |
1303 | if (br == NULL) { | 1677 | Bridge *br = last_bridge_configured(); |
1304 | fprintf(stderr, "Error: no network device configured\n"); | 1678 | if (br == NULL) { |
1305 | return 1; | 1679 | fprintf(stderr, "Error: no network device configured\n"); |
1680 | exit(1); | ||
1681 | } | ||
1682 | |||
1683 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
1684 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
1685 | exit(1); | ||
1686 | } | ||
1306 | } | 1687 | } |
1307 | 1688 | else { | |
1308 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | 1689 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1309 | fprintf(stderr, "Error: invalid mtu value\n"); | 1690 | exit(1); |
1310 | return 1; | ||
1311 | } | 1691 | } |
1312 | } | 1692 | } |
1693 | |||
1313 | else if (strncmp(argv[i], "--ip=", 5) == 0) { | 1694 | else if (strncmp(argv[i], "--ip=", 5) == 0) { |
1314 | Bridge *br = last_bridge_configured(); | 1695 | if (checkcfg(CFG_NETWORK)) { |
1315 | if (br == NULL) { | 1696 | Bridge *br = last_bridge_configured(); |
1316 | fprintf(stderr, "Error: no network device configured\n"); | 1697 | if (br == NULL) { |
1317 | return 1; | 1698 | fprintf(stderr, "Error: no network device configured\n"); |
1318 | } | 1699 | exit(1); |
1319 | if (br->arg_ip_none || br->ipsandbox) { | 1700 | } |
1320 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | 1701 | if (br->arg_ip_none || br->ipsandbox) { |
1321 | return 1; | 1702 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); |
1703 | exit(1); | ||
1704 | } | ||
1705 | |||
1706 | // configure this IP address for the last bridge defined | ||
1707 | if (strcmp(argv[i] + 5, "none") == 0) | ||
1708 | br->arg_ip_none = 1; | ||
1709 | else { | ||
1710 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
1711 | fprintf(stderr, "Error: invalid IP address\n"); | ||
1712 | exit(1); | ||
1713 | } | ||
1714 | } | ||
1322 | } | 1715 | } |
1323 | |||
1324 | // configure this IP address for the last bridge defined | ||
1325 | if (strcmp(argv[i] + 5, "none") == 0) | ||
1326 | br->arg_ip_none = 1; | ||
1327 | else { | 1716 | else { |
1328 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1717 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1329 | fprintf(stderr, "Error: invalid IP address\n"); | 1718 | exit(1); |
1330 | return 1; | ||
1331 | } | ||
1332 | } | 1719 | } |
1333 | } | 1720 | } |
1334 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { | ||
1335 | Bridge *br = last_bridge_configured(); | ||
1336 | if (br == NULL) { | ||
1337 | fprintf(stderr, "Error: no network device configured\n"); | ||
1338 | return 1; | ||
1339 | } | ||
1340 | if (br->arg_ip_none || br->ip6sandbox) { | ||
1341 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1342 | return 1; | ||
1343 | } | ||
1344 | 1721 | ||
1345 | // configure this IP address for the last bridge defined | 1722 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { |
1346 | // todo: verify ipv6 syntax | 1723 | if (checkcfg(CFG_NETWORK)) { |
1347 | br->ip6sandbox = argv[i] + 6; | 1724 | Bridge *br = last_bridge_configured(); |
1725 | if (br == NULL) { | ||
1726 | fprintf(stderr, "Error: no network device configured\n"); | ||
1727 | exit(1); | ||
1728 | } | ||
1729 | if (br->arg_ip_none || br->ip6sandbox) { | ||
1730 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1731 | exit(1); | ||
1732 | } | ||
1733 | |||
1734 | // configure this IP address for the last bridge defined | ||
1735 | // todo: verify ipv6 syntax | ||
1736 | br->ip6sandbox = argv[i] + 6; | ||
1348 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1737 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1349 | // fprintf(stderr, "Error: invalid IP address\n"); | 1738 | // fprintf(stderr, "Error: invalid IP address\n"); |
1350 | // return 1; | 1739 | // exit(1); |
1351 | // } | 1740 | // } |
1741 | } | ||
1742 | else { | ||
1743 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1744 | exit(1); | ||
1745 | } | ||
1352 | } | 1746 | } |
1353 | 1747 | ||
1354 | 1748 | ||
1355 | else if (strncmp(argv[i], "--defaultgw=", 12) == 0) { | 1749 | else if (strncmp(argv[i], "--defaultgw=", 12) == 0) { |
1356 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { | 1750 | if (checkcfg(CFG_NETWORK)) { |
1357 | fprintf(stderr, "Error: invalid IP address\n"); | 1751 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { |
1358 | return 1; | 1752 | fprintf(stderr, "Error: invalid IP address\n"); |
1753 | exit(1); | ||
1754 | } | ||
1755 | } | ||
1756 | else { | ||
1757 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1758 | exit(1); | ||
1359 | } | 1759 | } |
1360 | } | 1760 | } |
1361 | #endif | 1761 | #endif |
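Review bot: The `else { fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); exit(1); }` block is repeated verbatim in nine branches of this hunk (`--interface=`, `--net=`, `--scan`, `--iprange=`, `--mac=`, `--mtu=`, `--ip=`, `--ip6=`, `--defaultgw=`) and three more in the next hunk, which makes it easy for a future option to miss the gate entirely; a small helper that exits when networking is disabled lets each branch start with one call and drops a nesting level. While converting, note that `--interface=` and `--iprange=` still terminate with `return 1` (new lines 1527, 1612, 1616, 1629, 1638, 1642) whereas the sibling branches were switched to `exit(1)` in this commit; both end the process from main, but one form is easier to audit. main continues outside the hunk.
```c
// Abort when the run-time configuration disables the networking options.
static void require_network_cfg(void) {
	if (checkcfg(CFG_NETWORK))
		return;
	fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
	exit(1);
}

/* … inside main's option loop; the --scan branch becomes: … */
		else if (strcmp(argv[i], "--scan") == 0) {
			require_network_cfg();
			arg_scan = 1;
		}
```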
@@ -1377,25 +1777,89 @@ int main(int argc, char **argv) { | |||
1377 | return 1; | 1777 | return 1; |
1378 | } | 1778 | } |
1379 | } | 1779 | } |
1780 | |||
1380 | #ifdef HAVE_NETWORK | 1781 | #ifdef HAVE_NETWORK |
1381 | else if (strcmp(argv[i], "--netfilter") == 0) | 1782 | else if (strcmp(argv[i], "--netfilter") == 0) { |
1382 | arg_netfilter = 1; | 1783 | #ifdef HAVE_NETWORK_RESTRICTED |
1784 | // compile time restricted networking | ||
1785 | if (getuid() != 0) { | ||
1786 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
1787 | exit(1); | ||
1788 | } | ||
1789 | #endif | ||
1790 | // run time restricted networking | ||
1791 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { | ||
1792 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
1793 | exit(1); | ||
1794 | } | ||
1795 | if (checkcfg(CFG_NETWORK)) { | ||
1796 | arg_netfilter = 1; | ||
1797 | } | ||
1798 | else { | ||
1799 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1800 | exit(1); | ||
1801 | } | ||
1802 | } | ||
1803 | |||
1383 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1804 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
1384 | arg_netfilter = 1; | 1805 | #ifdef HAVE_NETWORK_RESTRICTED |
1385 | arg_netfilter_file = argv[i] + 12; | 1806 | // compile time restricted networking |
1386 | check_netfilter_file(arg_netfilter_file); | 1807 | if (getuid() != 0) { |
1808 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
1809 | exit(1); | ||
1810 | } | ||
1811 | #endif | ||
1812 | // run time restricted networking | ||
1813 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { | ||
1814 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
1815 | exit(1); | ||
1816 | } | ||
1817 | if (checkcfg(CFG_NETWORK)) { | ||
1818 | arg_netfilter = 1; | ||
1819 | arg_netfilter_file = argv[i] + 12; | ||
1820 | check_netfilter_file(arg_netfilter_file); | ||
1821 | } | ||
1822 | else { | ||
1823 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1824 | exit(1); | ||
1825 | } | ||
1387 | } | 1826 | } |
1827 | |||
1388 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { | 1828 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { |
1389 | arg_netfilter6 = 1; | 1829 | if (checkcfg(CFG_NETWORK)) { |
1390 | arg_netfilter6_file = argv[i] + 13; | 1830 | arg_netfilter6 = 1; |
1391 | check_netfilter_file(arg_netfilter6_file); | 1831 | arg_netfilter6_file = argv[i] + 13; |
1832 | check_netfilter_file(arg_netfilter6_file); | ||
1833 | } | ||
1834 | else { | ||
1835 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1836 | exit(1); | ||
1837 | } | ||
1392 | } | 1838 | } |
1393 | #endif | 1839 | #endif |
1394 | //************************************* | 1840 | //************************************* |
1395 | // command | 1841 | // command |
1396 | //************************************* | 1842 | //************************************* |
1843 | else if (strcmp(argv[i], "--audit") == 0) { | ||
1844 | if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | ||
1845 | errExit("asprintf"); | ||
1846 | arg_audit = 1; | ||
1847 | } | ||
1848 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | ||
1849 | if (strlen(argv[i] + 8) == 0) { | ||
1850 | fprintf(stderr, "Error: invalid audit program\n"); | ||
1851 | exit(1); | ||
1852 | } | ||
1853 | arg_audit_prog = strdup(argv[i] + 8); | ||
1854 | if (!arg_audit_prog) | ||
1855 | errExit("strdup"); | ||
1856 | arg_audit = 1; | ||
1857 | } | ||
1858 | else if (strcmp(argv[i], "--appimage") == 0) | ||
1859 | arg_appimage = 1; | ||
1397 | else if (strcmp(argv[i], "--csh") == 0) { | 1860 | else if (strcmp(argv[i], "--csh") == 0) { |
1398 | if (arg_shell_none) { | 1861 | if (arg_shell_none) { |
1862 | |||
1399 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | 1863 | fprintf(stderr, "Error: --shell=none was already specified.\n"); |
1400 | return 1; | 1864 | return 1; |
1401 | } | 1865 | } |
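Review bot: `--netfilter6=` (new lines 1828-1838) is gated only on `CFG_NETWORK`, while `--netfilter` and `--netfilter=` additionally reject non-root users under both `HAVE_NETWORK_RESTRICTED` and `CFG_RESTRICTED_NETWORK`; unless the IPv6 filter is rejected for non-root somewhere outside this hunk, restricted networking is not enforced for IPv6 rules. Adding the same run-time check, `if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { fprintf(stderr, "Error: --netfilter6 is only allowed for root\n"); exit(1); }`, together with the matching `#ifdef HAVE_NETWORK_RESTRICTED` block, keeps the three handlers consistent. Since that root check is already copied verbatim twice in this hunk, a helper such as `netfilter_root_check(const char *opt)` would avoid a third copy. main continues outside the hunk.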
@@ -1474,15 +1938,18 @@ int main(int argc, char **argv) { | |||
1474 | } | 1938 | } |
1475 | 1939 | ||
1476 | // we have a program name coming | 1940 | // we have a program name coming |
1477 | extract_command_name(i, argv); | 1941 | if (arg_appimage) { |
1942 | cfg.command_name = strdup(argv[i]); | ||
1943 | if (!cfg.command_name) | ||
1944 | errExit("strdup"); | ||
1945 | } | ||
1946 | else | ||
1947 | extract_command_name(i, argv); | ||
1478 | prog_index = i; | 1948 | prog_index = i; |
1479 | break; | 1949 | break; |
1480 | } | 1950 | } |
1481 | } | 1951 | } |
1482 | 1952 | ||
1483 | // check network configuration options - it will exit if anything went wrong | ||
1484 | net_check_cfg(); | ||
1485 | |||
1486 | // check trace configuration | 1953 | // check trace configuration |
1487 | if (arg_trace && arg_tracelog) | 1954 | if (arg_trace && arg_tracelog) |
1488 | fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); | 1955 | fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); |
@@ -1530,13 +1997,46 @@ int main(int argc, char **argv) { | |||
1530 | cfg.window_title = "/bin/bash"; | 1997 | cfg.window_title = "/bin/bash"; |
1531 | cfg.command_name = "bash"; | 1998 | cfg.command_name = "bash"; |
1532 | } | 1999 | } |
2000 | else if (arg_appimage) { | ||
2001 | if (arg_debug) | ||
2002 | printf("Configuring appimage environment\n"); | ||
2003 | appimage_set(cfg.command_name); | ||
2004 | cfg.window_title = "appimage"; | ||
2005 | } | ||
1533 | else { | 2006 | else { |
1534 | // calculate the length of the command | 2007 | // calculate the length of the command |
1535 | int i; | 2008 | int i; |
1536 | int len = 0; | 2009 | int len = 0; |
1537 | int argcnt = argc - prog_index; | 2010 | int argcnt = argc - prog_index; |
1538 | for (i = 0; i < argcnt; i++) | 2011 | int j; |
1539 | len += strlen(argv[i + prog_index]) + 3; // + ' ' + 2 '"' | 2012 | bool in_quotes = false; |
2013 | |||
2014 | for (i = 0; i < argcnt; i++) { | ||
2015 | in_quotes = false; | ||
2016 | for (j = 0; j < strlen(argv[i + prog_index]); j++) { | ||
2017 | if (argv[i + prog_index][j] == '\'') { | ||
2018 | if (in_quotes) | ||
2019 | len++; | ||
2020 | if (j > 0 && argv[i + prog_index][j-1] == '\'') | ||
2021 | len++; | ||
2022 | else | ||
2023 | len += 3; | ||
2024 | in_quotes = false; | ||
2025 | } else { | ||
2026 | if (!in_quotes) | ||
2027 | len++; | ||
2028 | len++; | ||
2029 | in_quotes = true; | ||
2030 | } | ||
2031 | } | ||
2032 | if (in_quotes) { | ||
2033 | len++; | ||
2034 | } | ||
2035 | if (strlen(argv[i + prog_index]) == 0) { | ||
2036 | len += 2; | ||
2037 | } | ||
2038 | len++; | ||
2039 | } | ||
1540 | 2040 | ||
1541 | // build the string | 2041 | // build the string |
1542 | cfg.command_line = malloc(len + 1); // + '\0' | 2042 | cfg.command_line = malloc(len + 1); // + '\0' |
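Review bot: The sizing loop here and the writing loop in the next hunk (new lines 2056-2099) implement the same quoting rule twice, and the only thing that catches a divergence is `assert(len == strlen(cfg.command_line))` at line 2109, which is compiled out under NDEBUG — at that point an undercount means `sprintf` writing past the `malloc(len + 1)` buffer. Computing the length and the bytes with one routine removes that possibility; the sketch below returns the byte count and writes only when given a buffer, so the two passes become `len += quote_arg(argv[i + prog_index], NULL) + 1;` and `ptr1 += quote_arg(argv[i + prog_index], ptr1); *ptr1++ = ' ';` with a final `*ptr1 = '\0';`. Independently, `strlen(argv[i + prog_index])` is re-evaluated on every inner iteration and compared with `int j`; hoisting it into a `size_t` local fixes both the signed/unsigned comparison and the quadratic walk. main continues outside the hunk.
```c
// Single-quote arg for /bin/sh: a literal ' becomes "'" and a run of
// quotes shares one double-quoted span; an empty arg becomes ''.
// Writes into out when it is non-NULL and returns the byte count either
// way, so the sizing pass and the writing pass cannot disagree.
static size_t quote_arg(const char *arg, char *out) {
	size_t n = 0;
	size_t arglen = strlen(arg);
	size_t j;
	bool in_quotes = false;
#define PUT(c) do { if (out) out[n] = (c); n++; } while (0)
	for (j = 0; j < arglen; j++) {
		if (arg[j] == '\'') {
			if (in_quotes)
				PUT('\'');
			if (j > 0 && arg[j - 1] == '\'') {
				// previous char was a quote: drop its closing " and extend the run
				n--;
				PUT('\'');
				PUT('"');
			}
			else {
				PUT('"');
				PUT('\'');
				PUT('"');
			}
			in_quotes = false;
		}
		else {
			if (!in_quotes)
				PUT('\'');
			PUT(arg[j]);
			in_quotes = true;
		}
	}
	if (in_quotes)
		PUT('\'');
	if (arglen == 0) {
		PUT('\'');
		PUT('\'');
	}
#undef PUT
	return n;
}
```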
@@ -1549,26 +2049,70 @@ int main(int argc, char **argv) { | |||
1549 | char *ptr1 = cfg.command_line; | 2049 | char *ptr1 = cfg.command_line; |
1550 | char *ptr2 = cfg.window_title; | 2050 | char *ptr2 = cfg.window_title; |
1551 | for (i = 0; i < argcnt; i++) { | 2051 | for (i = 0; i < argcnt; i++) { |
1552 | // detect bash commands | 2052 | |
1553 | if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) { | 2053 | // enclose args by single quotes, |
1554 | sprintf(ptr1, "%s ", argv[i + prog_index]); | 2054 | // and since single quote can't be represented in single quoted text |
2055 | // each occurence of it should be enclosed by double quotes | ||
2056 | in_quotes = false; | ||
2057 | for (j = 0; j < strlen(argv[i + prog_index]); j++) { | ||
2058 | // single quote | ||
2059 | if (argv[i + prog_index][j] == '\'') { | ||
2060 | if (in_quotes) { | ||
2061 | // close quotes | ||
2062 | ptr1[0] = '\''; | ||
2063 | ptr1++; | ||
2064 | } | ||
2065 | // previous char was single quote too | ||
2066 | if (j > 0 && argv[i + prog_index][j-1] == '\'') { | ||
2067 | ptr1--; | ||
2068 | sprintf(ptr1, "\'\""); | ||
2069 | } | ||
2070 | // this first in series | ||
2071 | else | ||
2072 | { | ||
2073 | sprintf(ptr1, "\"\'\""); | ||
2074 | } | ||
2075 | ptr1 += strlen(ptr1); | ||
2076 | in_quotes = false; | ||
2077 | } | ||
2078 | // anything other | ||
2079 | else | ||
2080 | { | ||
2081 | if (!in_quotes) { | ||
2082 | // open quotes | ||
2083 | ptr1[0] = '\''; | ||
2084 | ptr1++; | ||
2085 | } | ||
2086 | ptr1[0] = argv[i + prog_index][j]; | ||
2087 | ptr1++; | ||
2088 | in_quotes = true; | ||
2089 | } | ||
1555 | } | 2090 | } |
1556 | else if (arg_command){ | 2091 | // close quotes |
1557 | sprintf(ptr1, "%s ", argv[i + prog_index]); | 2092 | if (in_quotes) { |
2093 | ptr1[0] = '\''; | ||
2094 | ptr1++; | ||
1558 | } | 2095 | } |
1559 | else { | 2096 | // handle empty argument case |
1560 | sprintf(ptr1, "\"%s\" ", argv[i + prog_index]); | 2097 | if (strlen(argv[i + prog_index]) == 0) { |
2098 | sprintf(ptr1, "\'\'"); | ||
2099 | ptr1 += strlen(ptr1); | ||
1561 | } | 2100 | } |
1562 | sprintf(ptr2, "%s ", argv[i + prog_index]); | 2101 | // add space |
1563 | 2102 | sprintf(ptr1, " "); | |
1564 | ptr1 += strlen(ptr1); | 2103 | ptr1 += strlen(ptr1); |
2104 | |||
2105 | sprintf(ptr2, "%s ", argv[i + prog_index]); | ||
1565 | ptr2 += strlen(ptr2); | 2106 | ptr2 += strlen(ptr2); |
1566 | } | 2107 | } |
2108 | |||
2109 | assert(len == strlen(cfg.command_line)); | ||
1567 | } | 2110 | } |
1568 | 2111 | ||
1569 | assert(cfg.command_name); | 2112 | assert(cfg.command_name); |
1570 | if (arg_debug) | 2113 | if (arg_debug) |
1571 | printf("Command name #%s#\n", cfg.command_name); | 2114 | printf("Command name #%s#\n", cfg.command_name); |
2115 | |||
1572 | 2116 | ||
1573 | // load the profile | 2117 | // load the profile |
1574 | if (!arg_noprofile) { | 2118 | if (!arg_noprofile) { |
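Review bot: The `ptr1--; sprintf(ptr1, "\'\"");` pair at new lines 2067-2068 is the one non-obvious step of the writer: it rewinds over the closing `"` of the previous `"'"` so consecutive single quotes share a single double-quoted run (`''` becomes `"''"` rather than `"'""'"`), which is also why the sizing pass in the previous hunk counts a repeated quote as one byte. The comment above it, `// previous char was single quote too`, says when but not why; `// previous char was a quote: drop its closing " and extend the "..." run instead of opening a new one` would save the next reader a trace. The block comment at lines 2053-2055 could also state the invariant that this loop must emit exactly the byte count computed by the sizing loop, since the assert at line 2109 is the only check and is absent under NDEBUG. main continues outside the hunk.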
@@ -1592,14 +2136,12 @@ int main(int argc, char **argv) { | |||
1592 | } | 2136 | } |
1593 | } | 2137 | } |
1594 | 2138 | ||
1595 | // use generic.profile as the default | 2139 | // use default.profile as the default |
1596 | if (!custom_profile && !arg_noprofile) { | 2140 | if (!custom_profile && !arg_noprofile) { |
1597 | if (cfg.chrootdir) | 2141 | if (cfg.chrootdir) |
1598 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); | 2142 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); |
1599 | else if (arg_overlay) | 2143 | else if (arg_overlay) |
1600 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); | 2144 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); |
1601 | // else if (cfg.home_private_keep) | ||
1602 | // fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); | ||
1603 | else { | 2145 | else { |
1604 | // try to load a default profile | 2146 | // try to load a default profile |
1605 | char *profile_name = DEFAULT_USER_PROFILE; | 2147 | char *profile_name = DEFAULT_USER_PROFILE; |
@@ -1622,12 +2164,19 @@ int main(int argc, char **argv) { | |||
1622 | else | 2164 | else |
1623 | custom_profile = profile_find(profile_name, SYSCONFDIR); | 2165 | custom_profile = profile_find(profile_name, SYSCONFDIR); |
1624 | } | 2166 | } |
2167 | if (!custom_profile) { | ||
2168 | fprintf(stderr, "Error: no default.profile installed\n"); | ||
2169 | exit(1); | ||
2170 | } | ||
1625 | 2171 | ||
1626 | if (custom_profile && !arg_quiet) | 2172 | if (custom_profile && !arg_quiet) |
1627 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); | 2173 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); |
1628 | } | 2174 | } |
1629 | } | 2175 | } |
1630 | 2176 | ||
2177 | // check network configuration options - it will exit if anything went wrong | ||
2178 | net_check_cfg(); | ||
2179 | |||
1631 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 2180 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
1632 | if (any_bridge_configured()) { | 2181 | if (any_bridge_configured()) { |
1633 | EUID_ROOT(); | 2182 | EUID_ROOT(); |
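Review bot: The new error at line 2168 hard-codes `default.profile`, but the profile that was looked up is `profile_name` (line 2147 initializes it to `DEFAULT_USER_PROFILE`, and the elided lines 2148-2163 may reassign it, as the `else` at line 2164 suggests); `fprintf(stderr, "Error: no %s.profile installed\n", profile_name);` reports the file that is actually missing, consistent with the note printed at line 2173. With `exit(1)` on the missing case, the `custom_profile &&` half of the condition at line 2172 is now always true and can go. Moving `net_check_cfg()` after profile loading (line 2178) looks deliberate, presumably because a profile can contribute network settings; a one-line comment at line 2177 saying so would stop someone moving it back. main continues outside the hunk.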
@@ -1644,7 +2193,7 @@ int main(int argc, char **argv) { | |||
1644 | check_network(&cfg.bridge3); | 2193 | check_network(&cfg.bridge3); |
1645 | 2194 | ||
1646 | // save network mapping in shared memory | 2195 | // save network mapping in shared memory |
1647 | network_shm_set_file(sandbox_pid); | 2196 | network_set_run_file(sandbox_pid); |
1648 | EUID_USER(); | 2197 | EUID_USER(); |
1649 | } | 2198 | } |
1650 | 2199 | ||
@@ -1706,54 +2255,27 @@ int main(int argc, char **argv) { | |||
1706 | printf("The new log directory is /proc/%d/root/var/log\n", child); | 2255 | printf("The new log directory is /proc/%d/root/var/log\n", child); |
1707 | } | 2256 | } |
1708 | 2257 | ||
1709 | |||
1710 | EUID_ROOT(); | ||
1711 | if (!arg_nonetwork) { | 2258 | if (!arg_nonetwork) { |
1712 | // create veth pair or macvlan device | 2259 | EUID_ROOT(); |
1713 | if (cfg.bridge0.configured) { | 2260 | pid_t net_child = fork(); |
1714 | if (cfg.bridge0.macvlan == 0) { | 2261 | if (net_child < 0) |
1715 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | 2262 | errExit("fork"); |
1716 | } | 2263 | if (net_child == 0) { |
1717 | else | 2264 | // elevate privileges in order to get grsecurity working |
1718 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | 2265 | if (setreuid(0, 0)) |
1719 | } | 2266 | errExit("setreuid"); |
1720 | 2267 | if (setregid(0, 0)) | |
1721 | if (cfg.bridge1.configured) { | 2268 | errExit("setregid"); |
1722 | if (cfg.bridge1.macvlan == 0) | 2269 | network_main(child); |
1723 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | 2270 | if (arg_debug) |
1724 | else | 2271 | printf("Host network configured\n"); |
1725 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | 2272 | exit(0); |
1726 | } | ||
1727 | |||
1728 | if (cfg.bridge2.configured) { | ||
1729 | if (cfg.bridge2.macvlan == 0) | ||
1730 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
1731 | else | ||
1732 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
1733 | } | ||
1734 | |||
1735 | if (cfg.bridge3.configured) { | ||
1736 | if (cfg.bridge3.macvlan == 0) | ||
1737 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
1738 | else | ||
1739 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
1740 | } | ||
1741 | |||
1742 | // move interfaces in sandbox | ||
1743 | if (cfg.interface0.configured) { | ||
1744 | net_move_interface(cfg.interface0.dev, child); | ||
1745 | } | ||
1746 | if (cfg.interface1.configured) { | ||
1747 | net_move_interface(cfg.interface1.dev, child); | ||
1748 | } | ||
1749 | if (cfg.interface2.configured) { | ||
1750 | net_move_interface(cfg.interface2.dev, child); | ||
1751 | } | ||
1752 | if (cfg.interface3.configured) { | ||
1753 | net_move_interface(cfg.interface3.dev, child); | ||
1754 | } | 2273 | } |
2274 | |||
2275 | // wait for the child to finish | ||
2276 | waitpid(net_child, NULL, 0); | ||
2277 | EUID_USER(); | ||
1755 | } | 2278 | } |
1756 | EUID_USER(); | ||
1757 | 2279 | ||
1758 | // close each end of the unused pipes | 2280 | // close each end of the unused pipes |
1759 | close(parent_to_child_fds[0]); | 2281 | close(parent_to_child_fds[0]); |
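Review bot: `waitpid(net_child, NULL, 0)` at new line 2276 discards the child's status, so if `network_main` or the `setreuid`/`setregid` calls fail (each path calls `errExit`, which presumably exits non-zero), the parent goes on to start the sandbox with host networking in whatever state the child reached — a fail-open for exactly the setup that the removed lines used to run inline with their errors visible. Checking the status and aborting on anything but a clean exit keeps the old behavior; the replacement for lines 2275-2277 is below. The `// elevate privileges in order to get grsecurity working` comment explains the `setreuid(0, 0)`, but not why a separate process is needed at all now that the parent already holds `EUID_ROOT()`; a sentence on that at line 2260 would help. main continues outside the hunk.
```c
			// wait for the child to finish; abort on any failure so the
			// sandbox is never started with a half-configured network
			int status;
			if (waitpid(net_child, &status, 0) == -1)
				errExit("waitpid");
			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
				fprintf(stderr, "Error: host network configuration failed\n");
				exit(1);
			}
			EUID_USER();
```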
@@ -1772,6 +2294,7 @@ int main(int argc, char **argv) { | |||
1772 | char *map_path; | 2294 | char *map_path; |
1773 | if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) | 2295 | if (asprintf(&map_path, "/proc/%d/uid_map", child) == -1) |
1774 | errExit("asprintf"); | 2296 | errExit("asprintf"); |
2297 | |||
1775 | char *map; | 2298 | char *map; |
1776 | uid_t uid = getuid(); | 2299 | uid_t uid = getuid(); |
1777 | if (asprintf(&map, "%d %d 1", uid, uid) == -1) | 2300 | if (asprintf(&map, "%d %d 1", uid, uid) == -1) |
@@ -1782,23 +2305,34 @@ int main(int argc, char **argv) { | |||
1782 | free(map); | 2305 | free(map); |
1783 | free(map_path); | 2306 | free(map_path); |
1784 | 2307 | ||
1785 | //gid | 2308 | // gid file |
1786 | if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) | 2309 | if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1) |
1787 | errExit("asprintf"); | 2310 | errExit("asprintf"); |
2311 | char gidmap[1024]; | ||
2312 | char *ptr = gidmap; | ||
2313 | *ptr = '\0'; | ||
2314 | |||
2315 | // add user group | ||
1788 | gid_t gid = getgid(); | 2316 | gid_t gid = getgid(); |
2317 | sprintf(ptr, "%d %d 1\n", gid, gid); | ||
2318 | ptr += strlen(ptr); | ||
2319 | |||
2320 | // add tty group | ||
1789 | gid_t ttygid = get_tty_gid(); | 2321 | gid_t ttygid = get_tty_gid(); |
1790 | if (ttygid == 0) { | 2322 | if (ttygid) { |
1791 | if (asprintf(&map, "%d %d 1", gid, gid) == -1) | 2323 | sprintf(ptr, "%d %d 1\n", ttygid, ttygid); |
1792 | errExit("asprintf"); | 2324 | ptr += strlen(ptr); |
1793 | } | 2325 | } |
1794 | else { | 2326 | |
1795 | if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1) | 2327 | // add audio group |
1796 | errExit("asprintf"); | 2328 | gid_t audiogid = get_audio_gid(); |
1797 | } | 2329 | if (ttygid) { |
2330 | sprintf(ptr, "%d %d 1\n", audiogid, audiogid); | ||
2331 | } | ||
2332 | |||
1798 | EUID_ROOT(); | 2333 | EUID_ROOT(); |
1799 | update_map(map, map_path); | 2334 | update_map(gidmap, map_path); |
1800 | EUID_USER(); | 2335 | EUID_USER(); |
1801 | free(map); | ||
1802 | free(map_path); | 2336 | free(map_path); |
1803 | } | 2337 | } |
1804 | 2338 | ||
@@ -1807,8 +2341,10 @@ int main(int argc, char **argv) { | |||
1807 | close(parent_to_child_fds[1]); | 2341 | close(parent_to_child_fds[1]); |
1808 | 2342 | ||
1809 | EUID_ROOT(); | 2343 | EUID_ROOT(); |
1810 | if (lockfd != -1) | 2344 | if (lockfd != -1) { |
1811 | flock(lockfd, LOCK_UN); | 2345 | flock(lockfd, LOCK_UN); |
2346 | close(lockfd); | ||
2347 | } | ||
1812 | 2348 | ||
1813 | // create name file under /run/firejail | 2349 | // create name file under /run/firejail |
1814 | 2350 | ||
@@ -1816,9 +2352,11 @@ int main(int argc, char **argv) { | |||
1816 | // handle CTRL-C in parent | 2352 | // handle CTRL-C in parent |
1817 | signal (SIGINT, my_handler); | 2353 | signal (SIGINT, my_handler); |
1818 | signal (SIGTERM, my_handler); | 2354 | signal (SIGTERM, my_handler); |
2355 | |||
1819 | 2356 | ||
1820 | // wait for the child to finish | 2357 | // wait for the child to finish |
1821 | int status = NULL; | 2358 | EUID_USER(); |
2359 | int status = 0; | ||
1822 | waitpid(child, &status, 0); | 2360 | waitpid(child, &status, 0); |
1823 | 2361 | ||
1824 | // free globals | 2362 | // free globals |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 4a5499699..b50d61039 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -66,6 +66,8 @@ void netfilter(const char *fname) { | |||
66 | 66 | ||
67 | // custom filter | 67 | // custom filter |
68 | int allocated = 0; | 68 | int allocated = 0; |
69 | if (netfilter_default) | ||
70 | fname = netfilter_default; | ||
69 | if (fname) { | 71 | if (fname) { |
70 | // buffer the filter | 72 | // buffer the filter |
71 | struct stat s; | 73 | struct stat s; |
@@ -139,7 +141,6 @@ void netfilter(const char *fname) { | |||
139 | exit(1); | 141 | exit(1); |
140 | } | 142 | } |
141 | dup2(fd,STDIN_FILENO); | 143 | dup2(fd,STDIN_FILENO); |
142 | close(fd); | ||
143 | 144 | ||
144 | // wipe out environment variables | 145 | // wipe out environment variables |
145 | environ = NULL; | 146 | environ = NULL; |
@@ -155,6 +156,11 @@ void netfilter(const char *fname) { | |||
155 | if (child < 0) | 156 | if (child < 0) |
156 | errExit("fork"); | 157 | errExit("fork"); |
157 | if (child == 0) { | 158 | if (child == 0) { |
159 | // elevate privileges in order to get grsecurity working | ||
160 | if (setreuid(0, 0)) | ||
161 | errExit("setreuid"); | ||
162 | if (setregid(0, 0)) | ||
163 | errExit("setregid"); | ||
158 | environ = NULL; | 164 | environ = NULL; |
159 | execl(iptables, iptables, "-vL", NULL); | 165 | execl(iptables, iptables, "-vL", NULL); |
160 | // it will never get here!!! | 166 | // it will never get here!!! |
@@ -246,7 +252,6 @@ void netfilter6(const char *fname) { | |||
246 | exit(1); | 252 | exit(1); |
247 | } | 253 | } |
248 | dup2(fd,STDIN_FILENO); | 254 | dup2(fd,STDIN_FILENO); |
249 | close(fd); | ||
250 | 255 | ||
251 | // wipe out environment variables | 256 | // wipe out environment variables |
252 | environ = NULL; | 257 | environ = NULL; |
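Review bot: The new `if (netfilter_default) fname = netfilter_default;` at the top of netfilter() overrides a caller-supplied filter file unconditionally, so an explicitly requested netfilter file is silently discarded whenever the configuration default is set; if the intent is only to replace the built-in default, guard it with `if (!fname && netfilter_default) fname = netfilter_default;`, and if it is meant as an administrator-enforced policy, say so in a comment and warn when a non-NULL fname is being replaced. The removed `close(fd)` after `dup2(fd, STDIN_FILENO)` in both netfilter() and netfilter6() leaves the original descriptor open in the child across the exec that follows (outside the hunk), an inherited descriptor the exec'd program does not need; restore the close unless fd is read again later in the child. In the `iptables -vL` child the added `setreuid(0, 0)`/`setregid(0, 0)` make the listing run as real root, which the comment attributes to grsecurity but which also means any failure path there exits a real-root child, so a one-line comment that this is a debug-only listing would help. netfilter()'s body starts and ends outside these hunks.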
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 3fb79b9f4..396c612b1 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -56,9 +56,12 @@ void net_configure_bridge(Bridge *br, char *dev_name) { | |||
56 | } | 56 | } |
57 | } | 57 | } |
58 | 58 | ||
59 | // allow unconfigured interfaces | ||
59 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { | 60 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { |
60 | fprintf(stderr, "Error: interface %s is not configured\n", br->dev); | 61 | fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev); |
61 | exit(1); | 62 | br->configured = 1; |
63 | br->arg_ip_none = 1; | ||
64 | return; | ||
62 | } | 65 | } |
63 | if (arg_debug) { | 66 | if (arg_debug) { |
64 | if (br->macvlan == 0) | 67 | if (br->macvlan == 0) |
@@ -212,7 +215,10 @@ void net_check_cfg(void) { | |||
212 | // first network is a mac device | 215 | // first network is a mac device |
213 | else { | 216 | else { |
214 | // get the host default gw | 217 | // get the host default gw |
218 | EUID_ROOT(); // rise permissions for grsecurity | ||
219 | // Error fopen:network_get_defaultgw(479): Permission denied | ||
215 | uint32_t gw = network_get_defaultgw(); | 220 | uint32_t gw = network_get_defaultgw(); |
221 | EUID_USER(); | ||
216 | // check the gateway is network range | 222 | // check the gateway is network range |
217 | if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask)) | 223 | if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask)) |
218 | gw = 0; | 224 | gw = 0; |
@@ -244,7 +250,9 @@ void net_dns_print(pid_t pid) { | |||
244 | // drop privileges - will not be able to read /etc/resolv.conf for --noroot option | 250 | // drop privileges - will not be able to read /etc/resolv.conf for --noroot option |
245 | 251 | ||
246 | // if the pid is that of a firejail process, use the pid of the first child process | 252 | // if the pid is that of a firejail process, use the pid of the first child process |
253 | EUID_ROOT(); | ||
247 | char *comm = pid_proc_comm(pid); | 254 | char *comm = pid_proc_comm(pid); |
255 | EUID_USER(); | ||
248 | if (comm) { | 256 | if (comm) { |
249 | if (strcmp(comm, "firejail") == 0) { | 257 | if (strcmp(comm, "firejail") == 0) { |
250 | pid_t child; | 258 | pid_t child; |
@@ -275,3 +283,49 @@ void net_dns_print(pid_t pid) { | |||
275 | free(fname); | 283 | free(fname); |
276 | exit(0); | 284 | exit(0); |
277 | } | 285 | } |
286 | |||
287 | void network_main(pid_t child) { | ||
288 | // create veth pair or macvlan device | ||
289 | if (cfg.bridge0.configured) { | ||
290 | if (cfg.bridge0.macvlan == 0) { | ||
291 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | ||
292 | } | ||
293 | else | ||
294 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | ||
295 | } | ||
296 | |||
297 | if (cfg.bridge1.configured) { | ||
298 | if (cfg.bridge1.macvlan == 0) | ||
299 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | ||
300 | else | ||
301 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | ||
302 | } | ||
303 | |||
304 | if (cfg.bridge2.configured) { | ||
305 | if (cfg.bridge2.macvlan == 0) | ||
306 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
307 | else | ||
308 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
309 | } | ||
310 | |||
311 | if (cfg.bridge3.configured) { | ||
312 | if (cfg.bridge3.macvlan == 0) | ||
313 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
314 | else | ||
315 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
316 | } | ||
317 | |||
318 | // move interfaces in sandbox | ||
319 | if (cfg.interface0.configured) { | ||
320 | net_move_interface(cfg.interface0.dev, child); | ||
321 | } | ||
322 | if (cfg.interface1.configured) { | ||
323 | net_move_interface(cfg.interface1.dev, child); | ||
324 | } | ||
325 | if (cfg.interface2.configured) { | ||
326 | net_move_interface(cfg.interface2.dev, child); | ||
327 | } | ||
328 | if (cfg.interface3.configured) { | ||
329 | net_move_interface(cfg.interface3.dev, child); | ||
330 | } | ||
331 | } | ||
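Review bot: net_configure_bridge() now accepts an unconfigured host interface by setting `br->configured = 1; br->arg_ip_none = 1;` and returning early, but `br->ip`, `br->mask`, `br->mac` and `br->mtu` keep whatever they held before (zero for a fresh Bridge) while later code still reads them: net_check_cfg() in this same section passes `cfg.bridge0.ip`/`cfg.bridge0.mask` to in_netrange() for the default-gateway check, and a later profile `ip`/`ip6` line for that bridge is rejected with the misleading "cannot configure the IP address twice" text because arg_ip_none is already set. Either have those consumers skip bridges whose address came from this fallback, or at least document the state with `// host interface has no address: sandbox side gets no IP either (ip/mask/mtu stay zero)` and use a distinct error for the profile case. The `// Error fopen:network_get_defaultgw(479): Permission denied` comment is a pasted error message rather than an explanation; replace it with something like `// the file network_get_defaultgw() opens is not readable by the unprivileged euid under grsecurity`. net_configure_bridge() and net_check_cfg() both start outside their hunks, and network_main() is a verbatim move of the code formerly in main(), now executed in the forked child that raised its real uid to 0.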
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9f9ace527..f1fd04aec 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -23,11 +23,72 @@ | |||
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | #include <grp.h> | 24 | #include <grp.h> |
25 | 25 | ||
26 | #define MAX_BUF 4096 | ||
27 | |||
28 | int is_container(const char *str) { | ||
29 | assert(str); | ||
30 | if (strcmp(str, "lxc") == 0 || | ||
31 | strcmp(str, "docker") == 0 || | ||
32 | strcmp(str, "lxc-libvirt") == 0 || | ||
33 | strcmp(str, "systemd-nspawn") == 0 || | ||
34 | strcmp(str, "rkt") == 0) | ||
35 | return 1; | ||
36 | return 0; | ||
37 | } | ||
38 | |||
39 | // returns 1 if we are running under LXC | ||
40 | int check_namespace_virt(void) { | ||
41 | EUID_ASSERT(); | ||
42 | |||
43 | // check container environment variable | ||
44 | char *str = getenv("container"); | ||
45 | if (str && is_container(str)) | ||
46 | return 1; | ||
47 | |||
48 | // check PID 1 container environment variable | ||
49 | EUID_ROOT(); | ||
50 | FILE *fp = fopen("/proc/1/environ", "r"); | ||
51 | if (fp) { | ||
52 | int c = 0; | ||
53 | while (c != EOF) { | ||
54 | // read one line | ||
55 | char buf[MAX_BUF]; | ||
56 | int i = 0; | ||
57 | while ((c = fgetc(fp)) != EOF) { | ||
58 | if (c == 0) | ||
59 | break; | ||
60 | buf[i] = (char) c; | ||
61 | if (++i == (MAX_BUF - 1)) | ||
62 | break; | ||
63 | } | ||
64 | buf[i] = '\0'; | ||
65 | |||
66 | // check env var name | ||
67 | if (strncmp(buf, "container=", 10) == 0) { | ||
68 | // found it | ||
69 | if (is_container(buf + 10)) { | ||
70 | fclose(fp); | ||
71 | EUID_USER(); | ||
72 | return 1; | ||
73 | } | ||
74 | } | ||
75 | // printf("i %d c %d, buf #%s#\n", i, c, buf); | ||
76 | } | ||
77 | |||
78 | fclose(fp); | ||
79 | } | ||
80 | |||
81 | EUID_USER(); | ||
82 | return 0; | ||
83 | } | ||
84 | |||
26 | // check process space for kernel processes | 85 | // check process space for kernel processes |
27 | // return 1 if found, 0 if not found | 86 | // return 1 if found, 0 if not found |
28 | int check_kernel_procs(void) { | 87 | int check_kernel_procs(void) { |
29 | EUID_ASSERT(); | 88 | // we run this function with EUID set in order to detect grsecurity |
30 | 89 | // only user processes are available in /proc when running grsecurity | |
90 | // EUID_ASSERT(); | ||
91 | |||
31 | char *kern_proc[] = { | 92 | char *kern_proc[] = { |
32 | "kthreadd", | 93 | "kthreadd", |
33 | "ksoftirqd", | 94 | "ksoftirqd", |
@@ -117,7 +178,7 @@ void run_no_sandbox(int argc, char **argv) { | |||
117 | } | 178 | } |
118 | int start_index = i; | 179 | int start_index = i; |
119 | for (i = start_index; i < argc; i++) | 180 | for (i = start_index; i < argc; i++) |
120 | len += strlen(argv[i]) + 1; | 181 | len += strlen(argv[i]) + 3; |
121 | 182 | ||
122 | // allocate | 183 | // allocate |
123 | command = malloc(len + 1); | 184 | command = malloc(len + 1); |
@@ -128,8 +189,15 @@ void run_no_sandbox(int argc, char **argv) { | |||
128 | 189 | ||
129 | // copy | 190 | // copy |
130 | for (i = start_index; i < argc; i++) { | 191 | for (i = start_index; i < argc; i++) { |
131 | strcat(command, argv[i]); | 192 | if (strchr(argv[i], '&')) { |
132 | strcat(command, " "); | 193 | strcat(command, "\""); |
194 | strcat(command, argv[i]); | ||
195 | strcat(command, "\" "); | ||
196 | } | ||
197 | else { | ||
198 | strcat(command, argv[i]); | ||
199 | strcat(command, " "); | ||
200 | } | ||
133 | } | 201 | } |
134 | } | 202 | } |
135 | 203 | ||
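Review bot: The quoting added in run_no_sandbox() only wraps an argument in double quotes when it contains `&`, so an argument with a space, `;`, `|`, `$`, a backtick or an embedded `"` is still re-split or expanded by the shell that presumably receives `command` (the quoting only makes sense if it does; the exec is outside the hunk), and double quotes do not stop `$` or backtick expansion even in the `&` case. Single-quote every argument and escape embedded `'` as `'\''`, sizing the buffer for the worst case with `len += strlen(argv[i]) * 4 + 3;` in the length loop, or better, exec argv directly without a shell. check_namespace_virt() reads `/proc/1/environ` under EUID_ROOT(), which is fine, but the `container` variable it consults first comes from getenv() and is therefore caller-controlled; add `// getenv() value is user-controlled; a forged value must never select a less restrictive path` and confirm what the caller does with a forced 1. run_no_sandbox() starts outside the hunk.
```c
	// copy, single-quoting every argument so the shell sees each argv[i] as one word
	for (i = start_index; i < argc; i++) {
		strcat(command, "'");
		char *p;
		for (p = argv[i]; *p; p++) {
			if (*p == '\'')
				strcat(command, "'\\''");
			else
				strncat(command, p, 1);
		}
		strcat(command, "' ");
	}
```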
diff --git a/src/firejail/output.c b/src/firejail/output.c index a554b76aa..91fe7f164 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -27,7 +27,6 @@ void check_output(int argc, char **argv) { | |||
27 | 27 | ||
28 | int i; | 28 | int i; |
29 | char *outfile = NULL; | 29 | char *outfile = NULL; |
30 | // drop_privs(0); | ||
31 | 30 | ||
32 | int found = 0; | 31 | int found = 0; |
33 | for (i = 1; i < argc; i++) { | 32 | for (i = 1; i < argc; i++) { |
@@ -76,7 +75,7 @@ void check_output(int argc, char **argv) { | |||
76 | for (i = 0; i < argc; i++) { | 75 | for (i = 0; i < argc; i++) { |
77 | len += strlen(argv[i]) + 1; // + ' ' | 76 | len += strlen(argv[i]) + 1; // + ' ' |
78 | } | 77 | } |
79 | len += 50 + strlen(outfile); // tee command | 78 | len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command |
80 | 79 | ||
81 | char *cmd = malloc(len + 1); // + '\0' | 80 | char *cmd = malloc(len + 1); // + '\0' |
82 | if (!cmd) | 81 | if (!cmd) |
@@ -88,9 +87,10 @@ void check_output(int argc, char **argv) { | |||
88 | continue; | 87 | continue; |
89 | ptr += sprintf(ptr, "%s ", argv[i]); | 88 | ptr += sprintf(ptr, "%s ", argv[i]); |
90 | } | 89 | } |
91 | sprintf(ptr, "| %s/firejail/ftee %s", LIBDIR, outfile); | 90 | sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); |
92 | 91 | ||
93 | // run command | 92 | // run command |
93 | drop_privs(0); | ||
94 | char *a[4]; | 94 | char *a[4]; |
95 | a[0] = "/bin/bash"; | 95 | a[0] = "/bin/bash"; |
96 | a[1] = "-c"; | 96 | a[1] = "-c"; |
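Review bot: check_output() still joins argv with `sprintf(ptr, "%s ", argv[i])` and appends `outfile` unquoted, and the result is handed to `/bin/bash -c`, so any argument containing a space, `;`, `$` or a quote, and any --output path with such characters, is re-split or expanded by bash instead of being passed through; the added `2>&1` and `drop_privs(0)` do not change that. Because privileges are dropped before the exec the exposure is confined to the user's own context, but legitimate command lines still break: single-quote each argv element and outfile, escaping embedded `'` as `'\''` and sizing `len` for the worst case, or build the pipe with pipe()/fork() and exec ftee and the sandbox directly without a shell. The `len += 100 + strlen(LIBDIR) + strlen(outfile)` margin deserves a comment naming the literal text it covers (`2>&1 | `, `/firejail/ftee `, the trailing NUL) rather than a round number. check_output() starts outside the hunk.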
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 3d4b8cd8e..97a1d5a98 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -75,10 +75,12 @@ char **build_paths(void) { | |||
75 | memset(paths, 0, sizeof(char *) * cnt); | 75 | memset(paths, 0, sizeof(char *) * cnt); |
76 | 76 | ||
77 | // add default paths | 77 | // add default paths |
78 | add_path("/bin"); | 78 | add_path("/usr/local/bin"); |
79 | add_path("/sbin"); | ||
80 | add_path("/usr/bin"); | 79 | add_path("/usr/bin"); |
80 | add_path("/bin"); | ||
81 | add_path("/usr/local/sbin"); | ||
81 | add_path("/usr/sbin"); | 82 | add_path("/usr/sbin"); |
83 | add_path("/sbin"); | ||
82 | 84 | ||
83 | path2 = strdup(path1); | 85 | path2 = strdup(path1); |
84 | if (!path2) | 86 | if (!path2) |
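Review bot: The default search order in build_paths() is changed with no comment saying why; /usr/local/bin and /usr/local/sbin now shadow the distribution directories for whatever lookup consumes this list (its callers are outside the hunk), and on distributions where /usr/local is group-writable a binary dropped there now wins over the same name in /usr/bin. If the intent is to mirror a typical user PATH, record it with `// mirror the usual PATH order: /usr/local/* first, then distro bin, then sbin`; if the list is used to locate a program while firejail still holds privileges, consider keeping /usr/local last or documenting that those directories are assumed root-owned.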
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 461bcb941..46ef0921d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -107,6 +107,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
107 | fs_mkdir(ptr + 6); | 107 | fs_mkdir(ptr + 6); |
108 | return 0; | 108 | return 0; |
109 | } | 109 | } |
110 | // mkfile | ||
111 | if (strncmp(ptr, "mkfile ", 7) == 0) { | ||
112 | fs_mkfile(ptr + 7); | ||
113 | return 0; | ||
114 | } | ||
110 | // sandbox name | 115 | // sandbox name |
111 | else if (strncmp(ptr, "name ", 5) == 0) { | 116 | else if (strncmp(ptr, "name ", 5) == 0) { |
112 | cfg.name = ptr + 5; | 117 | cfg.name = ptr + 5; |
@@ -123,12 +128,25 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
123 | // seccomp, caps, private, user namespace | 128 | // seccomp, caps, private, user namespace |
124 | else if (strcmp(ptr, "noroot") == 0) { | 129 | else if (strcmp(ptr, "noroot") == 0) { |
125 | #if HAVE_USERNS | 130 | #if HAVE_USERNS |
126 | check_user_namespace(); | 131 | if (checkcfg(CFG_USERNS)) |
132 | check_user_namespace(); | ||
133 | else | ||
134 | fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); | ||
127 | #endif | 135 | #endif |
136 | |||
137 | return 0; | ||
138 | } | ||
139 | else if (strcmp(ptr, "nonewprivs") == 0) { | ||
140 | arg_nonewprivs = 1; | ||
128 | return 0; | 141 | return 0; |
129 | } | 142 | } |
130 | else if (strcmp(ptr, "seccomp") == 0) { | 143 | else if (strcmp(ptr, "seccomp") == 0) { |
131 | arg_seccomp = 1; | 144 | #ifdef HAVE_SECCOMP |
145 | if (checkcfg(CFG_SECCOMP)) | ||
146 | arg_seccomp = 1; | ||
147 | else | ||
148 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | ||
149 | #endif | ||
132 | return 0; | 150 | return 0; |
133 | } | 151 | } |
134 | else if (strcmp(ptr, "caps") == 0) { | 152 | else if (strcmp(ptr, "caps") == 0) { |
@@ -165,88 +183,331 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
165 | } | 183 | } |
166 | else if (strcmp(ptr, "nosound") == 0) { | 184 | else if (strcmp(ptr, "nosound") == 0) { |
167 | arg_nosound = 1; | 185 | arg_nosound = 1; |
168 | arg_private_dev = 1; | ||
169 | return 0; | 186 | return 0; |
170 | } | 187 | } |
171 | else if (strcmp(ptr, "netfilter") == 0) { | 188 | else if (strcmp(ptr, "netfilter") == 0) { |
172 | #ifdef HAVE_NETWORK | 189 | #ifdef HAVE_NETWORK |
173 | arg_netfilter = 1; | 190 | if (checkcfg(CFG_NETWORK)) |
191 | arg_netfilter = 1; | ||
192 | else | ||
193 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
174 | #endif | 194 | #endif |
175 | return 0; | 195 | return 0; |
176 | } | 196 | } |
177 | else if (strncmp(ptr, "netfilter ", 10) == 0) { | 197 | else if (strncmp(ptr, "netfilter ", 10) == 0) { |
178 | #ifdef HAVE_NETWORK | 198 | #ifdef HAVE_NETWORK |
179 | arg_netfilter = 1; | 199 | if (checkcfg(CFG_NETWORK)) { |
180 | arg_netfilter_file = strdup(ptr + 10); | 200 | arg_netfilter = 1; |
181 | if (!arg_netfilter_file) | 201 | arg_netfilter_file = strdup(ptr + 10); |
182 | errExit("strdup"); | 202 | if (!arg_netfilter_file) |
183 | check_netfilter_file(arg_netfilter_file); | 203 | errExit("strdup"); |
204 | check_netfilter_file(arg_netfilter_file); | ||
205 | } | ||
206 | else | ||
207 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
184 | #endif | 208 | #endif |
185 | return 0; | 209 | return 0; |
186 | } | 210 | } |
187 | else if (strncmp(ptr, "netfilter6 ", 11) == 0) { | 211 | else if (strncmp(ptr, "netfilter6 ", 11) == 0) { |
188 | #ifdef HAVE_NETWORK | 212 | #ifdef HAVE_NETWORK |
189 | arg_netfilter6 = 1; | 213 | if (checkcfg(CFG_NETWORK)) { |
190 | arg_netfilter6_file = strdup(ptr + 11); | 214 | arg_netfilter6 = 1; |
191 | if (!arg_netfilter6_file) | 215 | arg_netfilter6_file = strdup(ptr + 11); |
192 | errExit("strdup"); | 216 | if (!arg_netfilter6_file) |
193 | check_netfilter_file(arg_netfilter6_file); | 217 | errExit("strdup"); |
218 | check_netfilter_file(arg_netfilter6_file); | ||
219 | } | ||
220 | else | ||
221 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
194 | #endif | 222 | #endif |
195 | return 0; | 223 | return 0; |
196 | } | 224 | } |
197 | else if (strcmp(ptr, "net none") == 0) { | 225 | else if (strcmp(ptr, "net none") == 0) { |
198 | #ifdef HAVE_NETWORK | 226 | #ifdef HAVE_NETWORK |
199 | arg_nonetwork = 1; | 227 | if (checkcfg(CFG_NETWORK)) { |
200 | cfg.bridge0.configured = 0; | 228 | arg_nonetwork = 1; |
201 | cfg.bridge1.configured = 0; | 229 | cfg.bridge0.configured = 0; |
202 | cfg.bridge2.configured = 0; | 230 | cfg.bridge1.configured = 0; |
203 | cfg.bridge3.configured = 0; | 231 | cfg.bridge2.configured = 0; |
232 | cfg.bridge3.configured = 0; | ||
233 | cfg.interface0.configured = 0; | ||
234 | cfg.interface1.configured = 0; | ||
235 | cfg.interface2.configured = 0; | ||
236 | cfg.interface3.configured = 0; | ||
237 | } | ||
238 | else | ||
239 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
240 | #endif | ||
241 | return 0; | ||
242 | } | ||
243 | else if (strncmp(ptr, "net ", 4) == 0) { | ||
244 | #ifdef HAVE_NETWORK | ||
245 | if (checkcfg(CFG_NETWORK)) { | ||
246 | #ifdef HAVE_NETWORK_RESTRICTED | ||
247 | // compile time restricted networking | ||
248 | if (getuid() != 0) { | ||
249 | fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n"); | ||
250 | exit(1); | ||
251 | } | ||
252 | #endif | ||
253 | // run time restricted networking | ||
254 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { | ||
255 | fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n"); | ||
256 | exit(1); | ||
257 | } | ||
258 | |||
259 | if (strcmp(ptr + 4, "lo") == 0) { | ||
260 | fprintf(stderr, "Error: cannot attach to lo device\n"); | ||
261 | exit(1); | ||
262 | } | ||
263 | |||
264 | Bridge *br; | ||
265 | if (cfg.bridge0.configured == 0) | ||
266 | br = &cfg.bridge0; | ||
267 | else if (cfg.bridge1.configured == 0) | ||
268 | br = &cfg.bridge1; | ||
269 | else if (cfg.bridge2.configured == 0) | ||
270 | br = &cfg.bridge2; | ||
271 | else if (cfg.bridge3.configured == 0) | ||
272 | br = &cfg.bridge3; | ||
273 | else { | ||
274 | fprintf(stderr, "Error: maximum 4 network devices are allowed\n"); | ||
275 | exit(1); | ||
276 | } | ||
277 | net_configure_bridge(br, ptr + 4); | ||
278 | } | ||
279 | else | ||
280 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
204 | #endif | 281 | #endif |
205 | return 0; | 282 | return 0; |
206 | } | 283 | } |
207 | 284 | ||
208 | #ifdef HAVE_SECCOMP | 285 | else if (strncmp(ptr, "iprange ", 8) == 0) { |
209 | if (strncmp(ptr, "protocol ", 9) == 0) { | 286 | #ifdef HAVE_NETWORK |
210 | protocol_store(ptr + 9); | 287 | if (checkcfg(CFG_NETWORK)) { |
288 | Bridge *br = last_bridge_configured(); | ||
289 | if (br == NULL) { | ||
290 | fprintf(stderr, "Error: no network device configured\n"); | ||
291 | exit(1); | ||
292 | } | ||
293 | if (br->iprange_start || br->iprange_end) { | ||
294 | fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n"); | ||
295 | exit(1); | ||
296 | } | ||
297 | |||
298 | // parse option arguments | ||
299 | char *firstip = ptr + 8; | ||
300 | char *secondip = firstip; | ||
301 | while (*secondip != '\0') { | ||
302 | if (*secondip == ',') | ||
303 | break; | ||
304 | secondip++; | ||
305 | } | ||
306 | if (*secondip == '\0') { | ||
307 | fprintf(stderr, "Error: invalid IP range\n"); | ||
308 | exit(1); | ||
309 | } | ||
310 | *secondip = '\0'; | ||
311 | secondip++; | ||
312 | |||
313 | // check addresses | ||
314 | if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) || | ||
315 | br->iprange_start >= br->iprange_end) { | ||
316 | fprintf(stderr, "Error: invalid IP range\n"); | ||
317 | exit(1); | ||
318 | } | ||
319 | if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) { | ||
320 | fprintf(stderr, "Error: IP range addresses not in network range\n"); | ||
321 | exit(1); | ||
322 | } | ||
323 | } | ||
324 | else | ||
325 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
326 | #endif | ||
211 | return 0; | 327 | return 0; |
212 | } | 328 | } |
329 | |||
330 | |||
331 | // from here | ||
332 | else if (strncmp(ptr, "mac ", 4) == 0) { | ||
333 | #ifdef HAVE_NETWORK | ||
334 | if (checkcfg(CFG_NETWORK)) { | ||
335 | Bridge *br = last_bridge_configured(); | ||
336 | if (br == NULL) { | ||
337 | fprintf(stderr, "Error: no network device configured\n"); | ||
338 | exit(1); | ||
339 | } | ||
340 | |||
341 | if (mac_not_zero(br->macsandbox)) { | ||
342 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | ||
343 | exit(1); | ||
344 | } | ||
345 | |||
346 | // read the address | ||
347 | if (atomac(ptr + 4, br->macsandbox)) { | ||
348 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
349 | exit(1); | ||
350 | } | ||
351 | } | ||
352 | else | ||
353 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
213 | #endif | 354 | #endif |
355 | return 0; | ||
356 | } | ||
357 | |||
358 | else if (strncmp(ptr, "mtu ", 4) == 0) { | ||
359 | #ifdef HAVE_NETWORK | ||
360 | if (checkcfg(CFG_NETWORK)) { | ||
361 | Bridge *br = last_bridge_configured(); | ||
362 | if (br == NULL) { | ||
363 | fprintf(stderr, "Error: no network device configured\n"); | ||
364 | exit(1); | ||
365 | } | ||
366 | |||
367 | if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
368 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
369 | exit(1); | ||
370 | } | ||
371 | } | ||
372 | else | ||
373 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
374 | #endif | ||
375 | return 0; | ||
376 | } | ||
377 | |||
378 | else if (strncmp(ptr, "ip ", 3) == 0) { | ||
379 | #ifdef HAVE_NETWORK | ||
380 | if (checkcfg(CFG_NETWORK)) { | ||
381 | Bridge *br = last_bridge_configured(); | ||
382 | if (br == NULL) { | ||
383 | fprintf(stderr, "Error: no network device configured\n"); | ||
384 | exit(1); | ||
385 | } | ||
386 | if (br->arg_ip_none || br->ipsandbox) { | ||
387 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
388 | exit(1); | ||
389 | } | ||
390 | |||
391 | // configure this IP address for the last bridge defined | ||
392 | if (strcmp(ptr + 3, "none") == 0) | ||
393 | br->arg_ip_none = 1; | ||
394 | else { | ||
395 | if (atoip(ptr + 3, &br->ipsandbox)) { | ||
396 | fprintf(stderr, "Error: invalid IP address\n"); | ||
397 | exit(1); | ||
398 | } | ||
399 | } | ||
400 | } | ||
401 | else | ||
402 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
403 | #endif | ||
404 | return 0; | ||
405 | } | ||
406 | |||
407 | else if (strncmp(ptr, "ip6 ", 4) == 0) { | ||
408 | #ifdef HAVE_NETWORK | ||
409 | if (checkcfg(CFG_NETWORK)) { | ||
410 | Bridge *br = last_bridge_configured(); | ||
411 | if (br == NULL) { | ||
412 | fprintf(stderr, "Error: no network device configured\n"); | ||
413 | exit(1); | ||
414 | } | ||
415 | if (br->arg_ip_none || br->ip6sandbox) { | ||
416 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
417 | exit(1); | ||
418 | } | ||
419 | |||
420 | // configure this IP address for the last bridge defined | ||
421 | // todo: verify ipv6 syntax | ||
422 | br->ip6sandbox = ptr + 4; | ||
423 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
424 | // fprintf(stderr, "Error: invalid IP address\n"); | ||
425 | // exit(1); | ||
426 | // } | ||
427 | |||
428 | } | ||
429 | else | ||
430 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
431 | #endif | ||
432 | return 0; | ||
433 | } | ||
434 | |||
435 | else if (strncmp(ptr, "defaultgw ", 10) == 0) { | ||
436 | #ifdef HAVE_NETWORK | ||
437 | if (checkcfg(CFG_NETWORK)) { | ||
438 | if (atoip(ptr + 10, &cfg.defaultgw)) { | ||
439 | fprintf(stderr, "Error: invalid IP address\n"); | ||
440 | exit(1); | ||
441 | } | ||
442 | } | ||
443 | else | ||
444 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
445 | #endif | ||
446 | return 0; | ||
447 | } | ||
448 | |||
449 | if (strncmp(ptr, "protocol ", 9) == 0) { | ||
450 | #ifdef HAVE_SECCOMP | ||
451 | if (checkcfg(CFG_SECCOMP)) | ||
452 | protocol_store(ptr + 9); | ||
453 | else | ||
454 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | ||
455 | #endif | ||
456 | return 0; | ||
457 | } | ||
214 | 458 | ||
215 | if (strncmp(ptr, "env ", 4) == 0) { | 459 | if (strncmp(ptr, "env ", 4) == 0) { |
216 | env_store(ptr + 4); | 460 | env_store(ptr + 4, SETENV); |
461 | return 0; | ||
462 | } | ||
463 | if (strncmp(ptr, "rmenv ", 6) == 0) { | ||
464 | env_store(ptr + 6, RMENV); | ||
217 | return 0; | 465 | return 0; |
218 | } | 466 | } |
219 | 467 | ||
220 | // seccomp drop list on top of default list | 468 | // seccomp drop list on top of default list |
221 | if (strncmp(ptr, "seccomp ", 8) == 0) { | 469 | if (strncmp(ptr, "seccomp ", 8) == 0) { |
222 | arg_seccomp = 1; | ||
223 | #ifdef HAVE_SECCOMP | 470 | #ifdef HAVE_SECCOMP |
224 | cfg.seccomp_list = strdup(ptr + 8); | 471 | if (checkcfg(CFG_SECCOMP)) { |
225 | if (!cfg.seccomp_list) | 472 | arg_seccomp = 1; |
226 | errExit("strdup"); | 473 | cfg.seccomp_list = strdup(ptr + 8); |
474 | if (!cfg.seccomp_list) | ||
475 | errExit("strdup"); | ||
476 | } | ||
477 | else | ||
478 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | ||
227 | #endif | 479 | #endif |
480 | |||
228 | return 0; | 481 | return 0; |
229 | } | 482 | } |
230 | 483 | ||
231 | // seccomp drop list without default list | 484 | // seccomp drop list without default list |
232 | if (strncmp(ptr, "seccomp.drop ", 13) == 0) { | 485 | if (strncmp(ptr, "seccomp.drop ", 13) == 0) { |
233 | arg_seccomp = 1; | ||
234 | #ifdef HAVE_SECCOMP | 486 | #ifdef HAVE_SECCOMP |
235 | cfg.seccomp_list_drop = strdup(ptr + 13); | 487 | if (checkcfg(CFG_SECCOMP)) { |
236 | if (!cfg.seccomp_list_drop) | 488 | arg_seccomp = 1; |
237 | errExit("strdup"); | 489 | cfg.seccomp_list_drop = strdup(ptr + 13); |
238 | #endif | 490 | if (!cfg.seccomp_list_drop) |
491 | errExit("strdup"); | ||
492 | } | ||
493 | else | ||
494 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | ||
495 | #endif | ||
239 | return 0; | 496 | return 0; |
240 | } | 497 | } |
241 | 498 | ||
242 | // seccomp keep list | 499 | // seccomp keep list |
243 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { | 500 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { |
244 | arg_seccomp = 1; | ||
245 | #ifdef HAVE_SECCOMP | 501 | #ifdef HAVE_SECCOMP |
246 | cfg.seccomp_list_keep= strdup(ptr + 13); | 502 | if (checkcfg(CFG_SECCOMP)) { |
247 | if (!cfg.seccomp_list_keep) | 503 | arg_seccomp = 1; |
248 | errExit("strdup"); | 504 | cfg.seccomp_list_keep= strdup(ptr + 13); |
249 | #endif | 505 | if (!cfg.seccomp_list_keep) |
506 | errExit("strdup"); | ||
507 | } | ||
508 | else | ||
509 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | ||
510 | #endif | ||
250 | return 0; | 511 | return 0; |
251 | } | 512 | } |
252 | 513 | ||
@@ -310,6 +571,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
310 | // nice value | 571 | // nice value |
311 | if (strncmp(ptr, "nice ", 4) == 0) { | 572 | if (strncmp(ptr, "nice ", 4) == 0) { |
312 | cfg.nice = atoi(ptr + 5); | 573 | cfg.nice = atoi(ptr + 5); |
574 | if (getuid() != 0 &&cfg.nice < 0) | ||
575 | cfg.nice = 0; | ||
313 | arg_nice = 1; | 576 | arg_nice = 1; |
314 | return 0; | 577 | return 0; |
315 | } | 578 | } |
@@ -320,6 +583,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
320 | return 0; | 583 | return 0; |
321 | } | 584 | } |
322 | 585 | ||
586 | // writable-etc | ||
587 | if (strcmp(ptr, "writable-etc") == 0) { | ||
588 | if (cfg.etc_private_keep) { | ||
589 | fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); | ||
590 | exit(1); | ||
591 | } | ||
592 | arg_writable_etc = 1; | ||
593 | return 0; | ||
594 | } | ||
595 | |||
596 | // writable-var | ||
597 | if (strcmp(ptr, "writable-var") == 0) { | ||
598 | arg_writable_var = 1; | ||
599 | return 0; | ||
600 | } | ||
601 | |||
323 | // private directory | 602 | // private directory |
324 | if (strncmp(ptr, "private ", 8) == 0) { | 603 | if (strncmp(ptr, "private ", 8) == 0) { |
325 | cfg.home_private = ptr + 8; | 604 | cfg.home_private = ptr + 8; |
@@ -330,14 +609,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
330 | 609 | ||
331 | // private /etc list of files and directories | 610 | // private /etc list of files and directories |
332 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 611 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
612 | if (arg_writable_etc) { | ||
613 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | ||
614 | exit(1); | ||
615 | } | ||
333 | cfg.etc_private_keep = ptr + 12; | 616 | cfg.etc_private_keep = ptr + 12; |
334 | fs_check_etc_list(); | 617 | fs_check_etc_list(); |
335 | if (*cfg.etc_private_keep != '\0') | 618 | arg_private_etc = 1; |
336 | arg_private_etc = 1; | ||
337 | else { | ||
338 | arg_private_etc = 0; | ||
339 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
340 | } | ||
341 | 619 | ||
342 | return 0; | 620 | return 0; |
343 | } | 621 | } |
@@ -345,41 +623,51 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
345 | // private /bin list of files | 623 | // private /bin list of files |
346 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 624 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
347 | cfg.bin_private_keep = ptr + 12; | 625 | cfg.bin_private_keep = ptr + 12; |
348 | fs_check_bin_list(); | ||
349 | arg_private_bin = 1; | 626 | arg_private_bin = 1; |
627 | fs_check_bin_list(); | ||
350 | return 0; | 628 | return 0; |
351 | } | 629 | } |
352 | 630 | ||
353 | // filesystem bind | 631 | // filesystem bind |
354 | if (strncmp(ptr, "bind ", 5) == 0) { | 632 | if (strncmp(ptr, "bind ", 5) == 0) { |
355 | if (getuid() != 0) { | 633 | #ifdef HAVE_BIND |
356 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | 634 | if (checkcfg(CFG_BIND)) { |
357 | exit(1); | 635 | if (getuid() != 0) { |
358 | } | 636 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); |
359 | 637 | exit(1); | |
360 | // extract two directories | 638 | } |
361 | char *dname1 = ptr + 5; | 639 | |
362 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 640 | // extract two directories |
363 | if (dname2 == NULL) { | 641 | char *dname1 = ptr + 5; |
364 | fprintf(stderr, "Error: missing second directory for bind\n"); | 642 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
365 | exit(1); | 643 | if (dname2 == NULL) { |
366 | } | 644 | fprintf(stderr, "Error: missing second directory for bind\n"); |
367 | 645 | exit(1); | |
368 | // check directories | 646 | } |
369 | invalid_filename(dname1); | 647 | |
370 | invalid_filename(dname2); | 648 | // check directories |
371 | if (strstr(dname1, "..") || strstr(dname2, "..")) { | 649 | invalid_filename(dname1); |
372 | fprintf(stderr, "Error: invalid file name.\n"); | 650 | invalid_filename(dname2); |
373 | exit(1); | 651 | if (strstr(dname1, "..") || strstr(dname2, "..")) { |
652 | fprintf(stderr, "Error: invalid file name.\n"); | ||
653 | exit(1); | ||
654 | } | ||
655 | if (is_link(dname1) || is_link(dname2)) { | ||
656 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | ||
657 | exit(1); | ||
658 | } | ||
659 | |||
660 | // insert comma back | ||
661 | *(dname2 - 1) = ','; | ||
662 | return 1; | ||
374 | } | 663 | } |
375 | if (is_link(dname1) || is_link(dname2)) { | 664 | else { |
376 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | 665 | fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); |
377 | exit(1); | 666 | return 0; |
378 | } | 667 | } |
379 | 668 | #else | |
380 | // insert comma back | 669 | return 0; |
381 | *(dname2 - 1) = ','; | 670 | #endif |
382 | return 1; | ||
383 | } | 671 | } |
384 | 672 | ||
385 | // rlimit | 673 | // rlimit |
@@ -436,11 +724,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
436 | else if (strncmp(ptr, "noblacklist ", 12) == 0) | 724 | else if (strncmp(ptr, "noblacklist ", 12) == 0) |
437 | ptr += 12; | 725 | ptr += 12; |
438 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | 726 | else if (strncmp(ptr, "whitelist ", 10) == 0) { |
439 | arg_whitelist = 1; | 727 | #ifdef HAVE_WHITELIST |
440 | ptr += 10; | 728 | if (checkcfg(CFG_WHITELIST)) { |
729 | arg_whitelist = 1; | ||
730 | ptr += 10; | ||
731 | } | ||
732 | else | ||
733 | return 0; | ||
734 | #else | ||
735 | return 0; | ||
736 | #endif | ||
441 | } | 737 | } |
442 | else if (strncmp(ptr, "read-only ", 10) == 0) | 738 | else if (strncmp(ptr, "read-only ", 10) == 0) |
443 | ptr += 10; | 739 | ptr += 10; |
740 | else if (strncmp(ptr, "read-write ", 11) == 0) | ||
741 | ptr += 11; | ||
742 | else if (strncmp(ptr, "noexec ", 7) == 0) | ||
743 | ptr += 7; | ||
444 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 744 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
445 | if (getuid() != 0) { | 745 | if (getuid() != 0) { |
446 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); | 746 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); |
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 3e81f13dc..7e5ab7dfb 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -122,7 +122,7 @@ void protocol_store(const char *prlist) { | |||
122 | EUID_ASSERT(); | 122 | EUID_ASSERT(); |
123 | assert(prlist); | 123 | assert(prlist); |
124 | 124 | ||
125 | if (cfg.protocol) { | 125 | if (cfg.protocol && !arg_quiet) { |
126 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist); | 126 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist); |
127 | return; | 127 | return; |
128 | } | 128 | } |
@@ -339,7 +339,9 @@ void protocol_print_filter(pid_t pid) { | |||
339 | (void) pid; | 339 | (void) pid; |
340 | #ifdef SYS_socket | 340 | #ifdef SYS_socket |
341 | // if the pid is that of a firejail process, use the pid of the first child process | 341 | // if the pid is that of a firejail process, use the pid of the first child process |
342 | EUID_ROOT(); | ||
342 | char *comm = pid_proc_comm(pid); | 343 | char *comm = pid_proc_comm(pid); |
344 | EUID_USER(); | ||
343 | if (comm) { | 345 | if (comm) { |
344 | if (strcmp(comm, "firejail") == 0) { | 346 | if (strcmp(comm, "firejail") == 0) { |
345 | pid_t child; | 347 | pid_t child; |
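Review bot: Adding `!arg_quiet` to the condition on new line 125 ties the early `return` to the quiet flag, so under `--quiet` an existing `cfg.protocol` no longer short-circuits protocol_store and the new list is processed by the code below instead of being ignored as before. The flag should only silence the message, not change what is stored: `if (cfg.protocol) { if (!arg_quiet) fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist); return; }`. The rest of protocol_store's body lies outside the hunk.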
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 8bf8d8303..908ef1d25 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -56,13 +56,27 @@ void pulseaudio_disable(void) { | |||
56 | // blacklist user config directory | 56 | // blacklist user config directory |
57 | disable_file(cfg.homedir, ".config/pulse"); | 57 | disable_file(cfg.homedir, ".config/pulse"); |
58 | 58 | ||
59 | |||
60 | // blacklist pulseaudio socket in XDG_RUNTIME_DIR | ||
61 | char *name = getenv("XDG_RUNTIME_DIR"); | ||
62 | if (name) | ||
63 | disable_file(name, "pulse/native"); | ||
64 | |||
65 | // try the default location anyway | ||
66 | char *path; | ||
67 | if (asprintf(&path, "/run/user/%d", getuid()) == -1) | ||
68 | errExit("asprintf"); | ||
69 | disable_file(path, "pulse/native"); | ||
70 | free(path); | ||
71 | |||
72 | |||
73 | |||
59 | // blacklist any pulse* file in /tmp directory | 74 | // blacklist any pulse* file in /tmp directory |
60 | DIR *dir; | 75 | DIR *dir; |
61 | if (!(dir = opendir("/tmp"))) { | 76 | if (!(dir = opendir("/tmp"))) { |
62 | // sleep 2 seconds and try again | 77 | // sleep 2 seconds and try again |
63 | sleep(2); | 78 | sleep(2); |
64 | if (!(dir = opendir("/tmp"))) { | 79 | if (!(dir = opendir("/tmp"))) { |
65 | fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets are not disabled\n"); | ||
66 | return; | 80 | return; |
67 | } | 81 | } |
68 | } | 82 | } |
@@ -76,10 +90,6 @@ void pulseaudio_disable(void) { | |||
76 | 90 | ||
77 | closedir(dir); | 91 | closedir(dir); |
78 | 92 | ||
79 | // blacklist XDG_RUNTIME_DIR | ||
80 | char *name = getenv("XDG_RUNTIME_DIR"); | ||
81 | if (name) | ||
82 | disable_file(name, "pulse/native"); | ||
83 | } | 93 | } |
84 | 94 | ||
85 | 95 | ||
@@ -104,10 +114,6 @@ void pulseaudio_init(void) { | |||
104 | char *pulsecfg = NULL; | 114 | char *pulsecfg = NULL; |
105 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) | 115 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) |
106 | errExit("asprintf"); | 116 | errExit("asprintf"); |
107 | if (is_link("/etc/pulse/client.conf")) { | ||
108 | fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n"); | ||
109 | exit(1); | ||
110 | } | ||
111 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) | 117 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) |
112 | errExit("copy_file"); | 118 | errExit("copy_file"); |
113 | FILE *fp = fopen(pulsecfg, "a+"); | 119 | FILE *fp = fopen(pulsecfg, "a+"); |
@@ -120,9 +126,49 @@ void pulseaudio_init(void) { | |||
120 | if (chown(pulsecfg, getuid(), getgid()) == -1) | 126 | if (chown(pulsecfg, getuid(), getgid()) == -1) |
121 | errExit("chown"); | 127 | errExit("chown"); |
122 | 128 | ||
123 | // set environment | 129 | // create ~/.config/pulse directory if not present |
124 | if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) | 130 | char *dir1; |
125 | errExit("setenv"); | 131 | if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1) |
132 | errExit("asprintf"); | ||
133 | if (stat(dir1, &s) == -1) { | ||
134 | int rv = mkdir(dir1, 0755); | ||
135 | if (rv == 0) { | ||
136 | rv = chown(dir1, getuid(), getgid()); | ||
137 | (void) rv; | ||
138 | rv = chmod(dir1, 0755); | ||
139 | (void) rv; | ||
140 | } | ||
141 | } | ||
142 | free(dir1); | ||
143 | if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) | ||
144 | errExit("asprintf"); | ||
145 | if (stat(dir1, &s) == -1) { | ||
146 | int rv = mkdir(dir1, 0700); | ||
147 | if (rv == 0) { | ||
148 | rv = chown(dir1, getuid(), getgid()); | ||
149 | (void) rv; | ||
150 | rv = chmod(dir1, 0700); | ||
151 | (void) rv; | ||
152 | } | ||
153 | } | ||
154 | free(dir1); | ||
126 | 155 | ||
156 | |||
157 | // if we have ~/.config/pulse mount the new directory, else set environment variable | ||
158 | char *homeusercfg; | ||
159 | if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) | ||
160 | errExit("asprintf"); | ||
161 | if (stat(homeusercfg, &s) == 0) { | ||
162 | if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0) | ||
163 | errExit("mount pulseaudio"); | ||
164 | fs_logger2("tmpfs", homeusercfg); | ||
165 | } | ||
166 | else { | ||
167 | // set environment | ||
168 | if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) | ||
169 | errExit("setenv"); | ||
170 | } | ||
171 | |||
127 | free(pulsecfg); | 172 | free(pulsecfg); |
173 | free(homeusercfg); | ||
128 | } | 174 | } |
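Review bot: In pulseaudio_init the bind mount on new line 162 targets `~/.config/pulse`, a path under the user's control, after only a `stat()` on it, and `stat()` follows symlinks, so if `~/.config` or `~/.config/pulse` is a symbolic link the mount lands wherever it points rather than in the home directory (the `mkdir` calls on new lines 134 and 146 are likewise made through whatever `~/.config` resolves to). The file already has the `is_link()` helper for exactly this purpose, so the same guard belongs before the mount: `if (is_link(homeusercfg)) { fprintf(stderr, "Error: invalid %s directory\n", homeusercfg); exit(1); }`, and a matching check on the `~/.config` path before its `mkdir`. The `struct stat s` these calls reuse is declared outside the hunk; presumably it is the one from the earlier part of the function.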
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 5a41c441b..de798037f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #include <dirent.h> | 26 | #include <dirent.h> |
27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
28 | #include <errno.h> | 28 | #include <errno.h> |
29 | #include "../../uids.h" | ||
29 | 30 | ||
30 | #define MAXBUF 1024 | 31 | #define MAXBUF 1024 |
31 | 32 | ||
@@ -118,7 +119,7 @@ static void sanitize_passwd(void) { | |||
118 | if (stat("/etc/passwd", &s) == -1) | 119 | if (stat("/etc/passwd", &s) == -1) |
119 | return; | 120 | return; |
120 | if (arg_debug) | 121 | if (arg_debug) |
121 | printf("Sanitizing /etc/passwd\n"); | 122 | printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN); |
122 | if (is_link("/etc/passwd")) { | 123 | if (is_link("/etc/passwd")) { |
123 | fprintf(stderr, "Error: invalid /etc/passwd\n"); | 124 | fprintf(stderr, "Error: invalid /etc/passwd\n"); |
124 | exit(1); | 125 | exit(1); |
@@ -170,7 +171,7 @@ static void sanitize_passwd(void) { | |||
170 | int rv = sscanf(ptr, "%d:", &uid); | 171 | int rv = sscanf(ptr, "%d:", &uid); |
171 | if (rv == 0 || uid < 0) | 172 | if (rv == 0 || uid < 0) |
172 | goto errout; | 173 | goto errout; |
173 | if (uid < 1000) { // todo extract UID_MIN from /etc/login.def | 174 | if (uid < UID_MIN) { |
174 | fprintf(fpout, "%s", buf); | 175 | fprintf(fpout, "%s", buf); |
175 | continue; | 176 | continue; |
176 | } | 177 | } |
@@ -255,7 +256,7 @@ static void sanitize_group(void) { | |||
255 | if (stat("/etc/group", &s) == -1) | 256 | if (stat("/etc/group", &s) == -1) |
256 | return; | 257 | return; |
257 | if (arg_debug) | 258 | if (arg_debug) |
258 | printf("Sanitizing /etc/group\n"); | 259 | printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN); |
259 | if (is_link("/etc/group")) { | 260 | if (is_link("/etc/group")) { |
260 | fprintf(stderr, "Error: invalid /etc/group\n"); | 261 | fprintf(stderr, "Error: invalid /etc/group\n"); |
261 | exit(1); | 262 | exit(1); |
@@ -306,7 +307,7 @@ static void sanitize_group(void) { | |||
306 | int rv = sscanf(ptr, "%d:", &gid); | 307 | int rv = sscanf(ptr, "%d:", &gid); |
307 | if (rv == 0 || gid < 0) | 308 | if (rv == 0 || gid < 0) |
308 | goto errout; | 309 | goto errout; |
309 | if (gid < 1000) { // todo extract GID_MIN from /etc/login.def | 310 | if (gid < GID_MIN) { |
310 | if (copy_line(fpout, buf, ptr)) | 311 | if (copy_line(fpout, buf, ptr)) |
311 | goto errout; | 312 | goto errout; |
312 | continue; | 313 | continue; |
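Review bot: The new `#include "../../uids.h"` on new line 29 brings UID_MIN and GID_MIN in from a header two directories above src/firejail, and nothing in the hunk says where those values come from; the comment the commit removed ("todo extract UID_MIN from /etc/login.def") suggests they are derived from login.defs, presumably at build time. A one-line comment on the include such as `// UID_MIN/GID_MIN for this system — derived from /etc/login.defs at build time (confirm)` would spare the next reader the search. The new comparisons `uid < UID_MIN` and `gid < GID_MIN` (new lines 174 and 310) still depend on the preceding `rv == 0` guard, which does not catch sscanf's EOF return of -1; `rv != 1` would be the tighter check, though that line is context rather than part of this change.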
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index da4e9d332..ee6e94957 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -61,7 +61,20 @@ int restricted_shell(const char *user) { | |||
61 | ptr = strchr(args, '\n'); | 61 | ptr = strchr(args, '\n'); |
62 | if (ptr) | 62 | if (ptr) |
63 | *ptr = '\0'; | 63 | *ptr = '\0'; |
64 | 64 | ||
65 | // if nothing follows, continue | ||
66 | char *ptr2 = args; | ||
67 | int found = 0; | ||
68 | while (*ptr2 != '\0') { | ||
69 | if (*ptr2 != ' ' && *ptr2 != '\t') { | ||
70 | found = 1; | ||
71 | break; | ||
72 | } | ||
73 | } | ||
74 | if (!found) | ||
75 | continue; | ||
76 | |||
77 | // process user | ||
65 | if (strcmp(user, usr) == 0) { | 78 | if (strcmp(user, usr) == 0) { |
66 | restricted_user = strdup(user); | 79 | restricted_user = strdup(user); |
67 | // extract program arguments | 80 | // extract program arguments |
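Review bot: `ptr2` is never advanced in the new `while (*ptr2 != '\0')` loop (new lines 68–73): if the first character after the user name is a space or tab the body neither sets `found` nor moves the pointer, and the loop never terminates, so a restricted-shell config line with leading whitespace after the name hangs the parser. Add `ptr2++;` after the `if` block, or write the scan as `for (ptr2 = args; *ptr2 != '\0'; ptr2++)`. The enclosing loop and restricted_shell's remaining body lie outside the hunk.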
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index d57816e12..020e70b80 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -91,13 +91,20 @@ void run_symlink(int argc, char **argv) { | |||
91 | 91 | ||
92 | printf("Redirecting symlink to %s\n", program); | 92 | printf("Redirecting symlink to %s\n", program); |
93 | 93 | ||
94 | // drop privileges | ||
95 | if (setgid(getgid()) < 0) | ||
96 | errExit("setgid/getgid"); | ||
97 | if (setuid(getuid()) < 0) | ||
98 | errExit("setuid/getuid"); | ||
99 | |||
94 | // run command | 100 | // run command |
95 | char *a[3 + argc]; | 101 | char *a[3 + argc]; |
96 | a[0] = firejail; | 102 | a[0] = firejail; |
97 | a[1] = program; | 103 | a[1] = program; |
98 | int i; | 104 | int i; |
99 | for (i = 0; i < (argc - 1); i++) | 105 | for (i = 0; i < (argc - 1); i++) { |
100 | a[i + 2] = argv[i + 1]; | 106 | a[i + 2] = argv[i + 1]; |
107 | } | ||
101 | a[i + 2] = NULL; | 108 | a[i + 2] = NULL; |
102 | execvp(a[0], a); | 109 | execvp(a[0], a); |
103 | 110 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5bd86019a..0fd81979f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -34,6 +34,55 @@ | |||
34 | #define CLONE_NEWUSER 0x10000000 | 34 | #define CLONE_NEWUSER 0x10000000 |
35 | #endif | 35 | #endif |
36 | 36 | ||
37 | #include <sys/prctl.h> | ||
38 | #ifndef PR_SET_NO_NEW_PRIVS | ||
39 | # define PR_SET_NO_NEW_PRIVS 38 | ||
40 | #endif | ||
41 | |||
42 | |||
43 | |||
44 | static int monitored_pid = 0; | ||
45 | static void sandbox_handler(int sig){ | ||
46 | if (!arg_quiet) { | ||
47 | printf("\nChild received signal %d, shutting down the sandbox...\n", sig); | ||
48 | fflush(0); | ||
49 | } | ||
50 | |||
51 | // broadcast sigterm to all processes in the group | ||
52 | kill(-1, SIGTERM); | ||
53 | sleep(1); | ||
54 | |||
55 | if (monitored_pid) { | ||
56 | int monsec = 9; | ||
57 | char *monfile; | ||
58 | if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) | ||
59 | errExit("asprintf"); | ||
60 | while (monsec) { | ||
61 | FILE *fp = fopen(monfile, "r"); | ||
62 | if (!fp) | ||
63 | break; | ||
64 | |||
65 | char c; | ||
66 | size_t count = fread(&c, 1, 1, fp); | ||
67 | fclose(fp); | ||
68 | if (count == 0) | ||
69 | break; | ||
70 | |||
71 | if (arg_debug) | ||
72 | printf("Waiting on PID %d to finish\n", monitored_pid); | ||
73 | sleep(1); | ||
74 | monsec--; | ||
75 | } | ||
76 | free(monfile); | ||
77 | |||
78 | } | ||
79 | |||
80 | // broadcast a SIGKILL | ||
81 | kill(-1, SIGKILL); | ||
82 | exit(sig); | ||
83 | } | ||
84 | |||
85 | |||
37 | static void set_caps(void) { | 86 | static void set_caps(void) { |
38 | if (arg_caps_drop_all) | 87 | if (arg_caps_drop_all) |
39 | caps_drop_all(); | 88 | caps_drop_all(); |
@@ -131,9 +180,20 @@ static void chk_chroot(void) { | |||
131 | } | 180 | } |
132 | 181 | ||
133 | static int monitor_application(pid_t app_pid) { | 182 | static int monitor_application(pid_t app_pid) { |
134 | int status; | 183 | monitored_pid = app_pid; |
135 | while (app_pid) { | 184 | signal (SIGTERM, sandbox_handler); |
185 | EUID_USER(); | ||
186 | |||
187 | int status = 0; | ||
188 | while (monitored_pid) { | ||
136 | usleep(20000); | 189 | usleep(20000); |
190 | char *msg; | ||
191 | if (asprintf(&msg, "monitoring pid %d\n", monitored_pid) == -1) | ||
192 | errExit("asprintf"); | ||
193 | logmsg(msg); | ||
194 | if (arg_debug) | ||
195 | printf("%s\n", msg); | ||
196 | free(msg); | ||
137 | 197 | ||
138 | pid_t rv; | 198 | pid_t rv; |
139 | do { | 199 | do { |
@@ -141,9 +201,9 @@ static int monitor_application(pid_t app_pid) { | |||
141 | if (rv == -1) | 201 | if (rv == -1) |
142 | break; | 202 | break; |
143 | } | 203 | } |
144 | while(rv != app_pid); | 204 | while(rv != monitored_pid); |
145 | if (arg_debug) | 205 | if (arg_debug) |
146 | printf("Sandbox monitor: waitpid %u retval %d status %d\n", app_pid, rv, status); | 206 | printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status); |
147 | 207 | ||
148 | DIR *dir; | 208 | DIR *dir; |
149 | if (!(dir = opendir("/proc"))) { | 209 | if (!(dir = opendir("/proc"))) { |
@@ -156,20 +216,30 @@ static int monitor_application(pid_t app_pid) { | |||
156 | } | 216 | } |
157 | 217 | ||
158 | struct dirent *entry; | 218 | struct dirent *entry; |
159 | app_pid = 0; | 219 | monitored_pid = 0; |
160 | while ((entry = readdir(dir)) != NULL) { | 220 | while ((entry = readdir(dir)) != NULL) { |
161 | unsigned pid; | 221 | unsigned pid; |
162 | if (sscanf(entry->d_name, "%u", &pid) != 1) | 222 | if (sscanf(entry->d_name, "%u", &pid) != 1) |
163 | continue; | 223 | continue; |
164 | if (pid == 1) | 224 | if (pid == 1) |
165 | continue; | 225 | continue; |
166 | app_pid = pid; | 226 | |
227 | // todo: make this generic | ||
228 | // Dillo browser leaves a dpid process running, we need to shut it down | ||
229 | if (strcmp(cfg.command_name, "dillo") == 0) { | ||
230 | char *pidname = pid_proc_comm(pid); | ||
231 | if (pidname && strcmp(pidname, "dpid") == 0) | ||
232 | break; | ||
233 | free(pidname); | ||
234 | } | ||
235 | |||
236 | monitored_pid = pid; | ||
167 | break; | 237 | break; |
168 | } | 238 | } |
169 | closedir(dir); | 239 | closedir(dir); |
170 | 240 | ||
171 | if (app_pid != 0 && arg_debug) | 241 | if (monitored_pid != 0 && arg_debug) |
172 | printf("Sandbox monitor: monitoring %u\n", app_pid); | 242 | printf("Sandbox monitor: monitoring %u\n", monitored_pid); |
173 | } | 243 | } |
174 | 244 | ||
175 | // return the latest exit status. | 245 | // return the latest exit status. |
@@ -202,12 +272,32 @@ static int monitor_application(pid_t app_pid) { | |||
202 | #endif | 272 | #endif |
203 | } | 273 | } |
204 | 274 | ||
275 | void start_audit(void) { | ||
276 | char *audit_prog; | ||
277 | if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | ||
278 | errExit("asprintf"); | ||
279 | execl(audit_prog, audit_prog, NULL); | ||
280 | perror("execl"); | ||
281 | exit(1); | ||
282 | } | ||
205 | 283 | ||
206 | static void start_application(void) { | 284 | static void start_application(void) { |
207 | //**************************************** | 285 | //**************************************** |
286 | // audit | ||
287 | //**************************************** | ||
288 | if (arg_audit) { | ||
289 | assert(arg_audit_prog); | ||
290 | struct stat s; | ||
291 | if (stat(arg_audit_prog, &s) != 0) { | ||
292 | fprintf(stderr, "Error: cannot find the audit program\n"); | ||
293 | exit(1); | ||
294 | } | ||
295 | execl(arg_audit_prog, arg_audit_prog, NULL); | ||
296 | } | ||
297 | //**************************************** | ||
208 | // start the program without using a shell | 298 | // start the program without using a shell |
209 | //**************************************** | 299 | //**************************************** |
210 | if (arg_shell_none) { | 300 | else if (arg_shell_none) { |
211 | if (arg_debug) { | 301 | if (arg_debug) { |
212 | int i; | 302 | int i; |
213 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { | 303 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { |
@@ -217,9 +307,16 @@ static void start_application(void) { | |||
217 | } | 307 | } |
218 | } | 308 | } |
219 | 309 | ||
310 | if (cfg.original_program_index == 0) { | ||
311 | fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); | ||
312 | exit(1); | ||
313 | } | ||
314 | |||
220 | if (!arg_command && !arg_quiet) | 315 | if (!arg_command && !arg_quiet) |
221 | printf("Child process initialized\n"); | 316 | printf("Child process initialized\n"); |
317 | |||
222 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | 318 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); |
319 | exit(1); | ||
223 | } | 320 | } |
224 | //**************************************** | 321 | //**************************************** |
225 | // start the program using a shell | 322 | // start the program using a shell |
@@ -462,14 +559,20 @@ int sandbox(void* sandbox_arg) { | |||
462 | //**************************** | 559 | //**************************** |
463 | // --nosound and fix for pulseaudio 7.0 | 560 | // --nosound and fix for pulseaudio 7.0 |
464 | //**************************** | 561 | //**************************** |
465 | if (arg_nosound) | 562 | if (arg_nosound) { |
563 | // disable pulseaudio | ||
466 | pulseaudio_disable(); | 564 | pulseaudio_disable(); |
565 | |||
566 | // disable /dev/snd | ||
567 | fs_dev_disable_sound(); | ||
568 | } | ||
467 | else | 569 | else |
468 | pulseaudio_init(); | 570 | pulseaudio_init(); |
469 | 571 | ||
470 | //**************************** | 572 | //**************************** |
471 | // networking | 573 | // networking |
472 | //**************************** | 574 | //**************************** |
575 | int gw_cfg_failed = 0; // default gw configuration flag | ||
473 | if (arg_nonetwork) { | 576 | if (arg_nonetwork) { |
474 | net_if_up("lo"); | 577 | net_if_up("lo"); |
475 | if (arg_debug) | 578 | if (arg_debug) |
@@ -495,13 +598,6 @@ int sandbox(void* sandbox_arg) { | |||
495 | net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); | 598 | net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); |
496 | sandbox_if_up(&cfg.bridge3); | 599 | sandbox_if_up(&cfg.bridge3); |
497 | 600 | ||
498 | // add a default route | ||
499 | if (cfg.defaultgw) { | ||
500 | // set the default route | ||
501 | if (net_add_route(0, 0, cfg.defaultgw)) | ||
502 | fprintf(stderr, "Warning: cannot configure default route\n"); | ||
503 | } | ||
504 | |||
505 | // enable interfaces | 601 | // enable interfaces |
506 | if (cfg.interface0.configured && cfg.interface0.ip) { | 602 | if (cfg.interface0.configured && cfg.interface0.ip) { |
507 | if (arg_debug) | 603 | if (arg_debug) |
@@ -528,6 +624,15 @@ int sandbox(void* sandbox_arg) { | |||
528 | net_if_up(cfg.interface3.dev); | 624 | net_if_up(cfg.interface3.dev); |
529 | } | 625 | } |
530 | 626 | ||
627 | // add a default route | ||
628 | if (cfg.defaultgw) { | ||
629 | // set the default route | ||
630 | if (net_add_route(0, 0, cfg.defaultgw)) { | ||
631 | fprintf(stderr, "Warning: cannot configure default route\n"); | ||
632 | gw_cfg_failed = 1; | ||
633 | } | ||
634 | } | ||
635 | |||
531 | if (arg_debug) | 636 | if (arg_debug) |
532 | printf("Network namespace enabled\n"); | 637 | printf("Network namespace enabled\n"); |
533 | } | 638 | } |
@@ -543,8 +648,12 @@ int sandbox(void* sandbox_arg) { | |||
543 | printf("\n"); | 648 | printf("\n"); |
544 | if (any_bridge_configured() || any_interface_configured()) | 649 | if (any_bridge_configured() || any_interface_configured()) |
545 | net_ifprint(); | 650 | net_ifprint(); |
546 | if (cfg.defaultgw != 0) | 651 | if (cfg.defaultgw != 0) { |
547 | printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); | 652 | if (gw_cfg_failed) |
653 | printf("Default gateway configuration failed\n"); | ||
654 | else | ||
655 | printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); | ||
656 | } | ||
548 | if (cfg.dns1 != 0) | 657 | if (cfg.dns1 != 0) |
549 | printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); | 658 | printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); |
550 | if (cfg.dns2 != 0) | 659 | if (cfg.dns2 != 0) |
@@ -604,7 +713,7 @@ int sandbox(void* sandbox_arg) { | |||
604 | // set security filters | 713 | // set security filters |
605 | //**************************** | 714 | //**************************** |
606 | // set capabilities | 715 | // set capabilities |
607 | if (!arg_noroot) | 716 | // if (!arg_noroot) |
608 | set_caps(); | 717 | set_caps(); |
609 | 718 | ||
610 | // set rlimits | 719 | // set rlimits |
@@ -646,8 +755,7 @@ int sandbox(void* sandbox_arg) { | |||
646 | if (arg_noroot) { | 755 | if (arg_noroot) { |
647 | int rv = unshare(CLONE_NEWUSER); | 756 | int rv = unshare(CLONE_NEWUSER); |
648 | if (rv == -1) { | 757 | if (rv == -1) { |
649 | fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it\n"); | 758 | fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); |
650 | perror("unshare"); | ||
651 | drop_privs(arg_nogroups); | 759 | drop_privs(arg_nogroups); |
652 | arg_noroot = 0; | 760 | arg_noroot = 0; |
653 | } | 761 | } |
@@ -667,11 +775,22 @@ int sandbox(void* sandbox_arg) { | |||
667 | // somehow, the new user namespace resets capabilities; | 775 | // somehow, the new user namespace resets capabilities; |
668 | // we need to do them again | 776 | // we need to do them again |
669 | if (arg_noroot) { | 777 | if (arg_noroot) { |
670 | set_caps(); | ||
671 | if (arg_debug) | 778 | if (arg_debug) |
672 | printf("noroot user namespace installed\n"); | 779 | printf("noroot user namespace installed\n"); |
780 | set_caps(); | ||
673 | } | 781 | } |
782 | |||
783 | //**************************************** | ||
784 | // Set NO_NEW_PRIVS if desired | ||
785 | //**************************************** | ||
786 | if (arg_nonewprivs) { | ||
787 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | ||
674 | 788 | ||
789 | if(no_new_privs != 0) | ||
790 | fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); | ||
791 | else if (arg_debug) | ||
792 | printf("NO_NEW_PRIVS set\n"); | ||
793 | } | ||
675 | 794 | ||
676 | //**************************************** | 795 | //**************************************** |
677 | // fork the application and monitor it | 796 | // fork the application and monitor it |
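Review bot: `sandbox_handler` (new lines 45–83) calls printf, fflush, asprintf, fopen/fread/fclose, free and exit from a SIGTERM handler that monitor_application installs with `signal()` on new line 184; none of these are async-signal-safe, and the signal can arrive while the monitor loop is itself inside asprintf/logmsg/printf (new lines 190–196), which can leave malloc or stdio locked. The safer shape is for the handler to record the signal in a `volatile sig_atomic_t` and for the shutdown sequence to run from the monitor loop, as sketched below; installing the handler with `sigaction()` instead of `signal()` makes the restart behaviour of the interrupted `waitpid`/`usleep` explicit, and the existing `rv == -1` break already tolerates EINTR. A smaller point in the same file: in the dillo branch (new lines 230–233) `break` leaves `pidname` unfreed, so `free(pidname)` should come before the break or the comparison result be saved first.
```c
static volatile sig_atomic_t sandbox_term_sig = 0;

// SIGTERM handler: only async-signal-safe work here; the shutdown itself
// runs from monitor_application once the loop observes sandbox_term_sig
static void sandbox_handler(int sig) {
	sandbox_term_sig = sig;
}

// former body of sandbox_handler, now called from normal (non-signal) context
static void sandbox_shutdown(int sig) {
	// … unchanged: message, kill(-1, SIGTERM), /proc/<pid>/cmdline wait, kill(-1, SIGKILL), exit(sig) …
}

// … unchanged: set_caps, chk_chroot …

static int monitor_application(pid_t app_pid) {
	// … unchanged: monitored_pid assignment, handler installation, EUID_USER() …
	while (monitored_pid) {
		usleep(20000);
		if (sandbox_term_sig)
			sandbox_shutdown(sandbox_term_sig);
		// … unchanged: logging, waitpid loop, /proc scan …
```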
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index a5a77abab..efe24a211 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -261,7 +261,7 @@ static void filter_end_whitelist(void) { | |||
261 | } | 261 | } |
262 | 262 | ||
263 | 263 | ||
264 | // save seccomp filter in /tmp/firejail/mnt/seccomp | 264 | // save seccomp filter in /run/firejail/mnt/seccomp |
265 | static void write_seccomp_file(void) { | 265 | static void write_seccomp_file(void) { |
266 | fs_build_mnt_dir(); | 266 | fs_build_mnt_dir(); |
267 | assert(sfilter); | 267 | assert(sfilter); |
@@ -283,15 +283,15 @@ static void write_seccomp_file(void) { | |||
283 | errExit("chown"); | 283 | errExit("chown"); |
284 | } | 284 | } |
285 | 285 | ||
286 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 286 | // read seccomp filter from /run/firejail/mnt/seccomp |
287 | static void read_seccomp_file(const char *fname) { | 287 | static void read_seccomp_file(const char *fname) { |
288 | assert(sfilter == NULL && sfilter_index == 0); | 288 | assert(sfilter == NULL && sfilter_index == 0); |
289 | 289 | ||
290 | // check file | 290 | // check file |
291 | struct stat s; | 291 | struct stat s; |
292 | if (stat(fname, &s) == -1) { | 292 | if (stat(fname, &s) == -1) { |
293 | fprintf(stderr, "Error: seccomp file not found\n"); | 293 | fprintf(stderr, "Warning: seccomp file not found\n"); |
294 | exit(1); | 294 | return; |
295 | } | 295 | } |
296 | ssize_t sz = s.st_size; | 296 | ssize_t sz = s.st_size; |
297 | if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) { | 297 | if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) { |
@@ -334,12 +334,15 @@ void seccomp_filter_32(void) { | |||
334 | BLACKLIST(52), // umount2 | 334 | BLACKLIST(52), // umount2 |
335 | BLACKLIST(26), // ptrace | 335 | BLACKLIST(26), // ptrace |
336 | BLACKLIST(283), // kexec_load | 336 | BLACKLIST(283), // kexec_load |
337 | BLACKLIST(341), // name_to_handle_at | ||
337 | BLACKLIST(342), // open_by_handle_at | 338 | BLACKLIST(342), // open_by_handle_at |
339 | BLACKLIST(127), // create_module | ||
338 | BLACKLIST(128), // init_module | 340 | BLACKLIST(128), // init_module |
339 | BLACKLIST(350), // finit_module | 341 | BLACKLIST(350), // finit_module |
340 | BLACKLIST(129), // delete_module | 342 | BLACKLIST(129), // delete_module |
341 | BLACKLIST(110), // iopl | 343 | BLACKLIST(110), // iopl |
342 | BLACKLIST(101), // ioperm | 344 | BLACKLIST(101), // ioperm |
345 | BLACKLIST(289), // ioprio_set | ||
343 | BLACKLIST(87), // swapon | 346 | BLACKLIST(87), // swapon |
344 | BLACKLIST(115), // swapoff | 347 | BLACKLIST(115), // swapoff |
345 | BLACKLIST(103), // syslog | 348 | BLACKLIST(103), // syslog |
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) { | |||
376 | BLACKLIST(88), // reboot | 379 | BLACKLIST(88), // reboot |
377 | BLACKLIST(169), // nfsservctl | 380 | BLACKLIST(169), // nfsservctl |
378 | BLACKLIST(130), // get_kernel_syms | 381 | BLACKLIST(130), // get_kernel_syms |
382 | |||
379 | RETURN_ALLOW | 383 | RETURN_ALLOW |
380 | }; | 384 | }; |
381 | 385 | ||
@@ -403,11 +407,14 @@ void seccomp_filter_64(void) { | |||
403 | BLACKLIST(101), // ptrace | 407 | BLACKLIST(101), // ptrace |
404 | BLACKLIST(246), // kexec_load | 408 | BLACKLIST(246), // kexec_load |
405 | BLACKLIST(304), // open_by_handle_at | 409 | BLACKLIST(304), // open_by_handle_at |
410 | BLACKLIST(303), // name_to_handle_at | ||
411 | BLACKLIST(174), // create_module | ||
406 | BLACKLIST(175), // init_module | 412 | BLACKLIST(175), // init_module |
407 | BLACKLIST(313), // finit_module | 413 | BLACKLIST(313), // finit_module |
408 | BLACKLIST(176), // delete_module | 414 | BLACKLIST(176), // delete_module |
409 | BLACKLIST(172), // iopl | 415 | BLACKLIST(172), // iopl |
410 | BLACKLIST(173), // ioperm | 416 | BLACKLIST(173), // ioperm |
417 | BLACKLIST(251), // ioprio_set | ||
411 | BLACKLIST(167), // swapon | 418 | BLACKLIST(167), // swapon |
412 | BLACKLIST(168), // swapoff | 419 | BLACKLIST(168), // swapoff |
413 | BLACKLIST(103), // syslog | 420 | BLACKLIST(103), // syslog |
@@ -445,6 +452,7 @@ void seccomp_filter_64(void) { | |||
445 | BLACKLIST(169), // reboot | 452 | BLACKLIST(169), // reboot |
446 | BLACKLIST(180), // nfsservctl | 453 | BLACKLIST(180), // nfsservctl |
447 | BLACKLIST(177), // get_kernel_syms | 454 | BLACKLIST(177), // get_kernel_syms |
455 | |||
448 | RETURN_ALLOW | 456 | RETURN_ALLOW |
449 | }; | 457 | }; |
450 | 458 | ||
@@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
493 | #ifdef SYS_open_by_handle_at | 501 | #ifdef SYS_open_by_handle_at |
494 | filter_add_blacklist(SYS_open_by_handle_at, 0); | 502 | filter_add_blacklist(SYS_open_by_handle_at, 0); |
495 | #endif | 503 | #endif |
504 | #ifdef SYS_name_to_handle_at | ||
505 | filter_add_blacklist(SYS_name_to_handle_at, 0); | ||
506 | #endif | ||
496 | #ifdef SYS_init_module | 507 | #ifdef SYS_init_module |
497 | filter_add_blacklist(SYS_init_module, 0); | 508 | filter_add_blacklist(SYS_init_module, 0); |
498 | #endif | 509 | #endif |
499 | #ifdef SYS_finit_module // introduced in 2013 | 510 | #ifdef SYS_finit_module // introduced in 2013 |
500 | filter_add_blacklist(SYS_finit_module, 0); | 511 | filter_add_blacklist(SYS_finit_module, 0); |
501 | #endif | 512 | #endif |
513 | #ifdef SYS_create_module | ||
514 | filter_add_blacklist(SYS_create_module, 0); | ||
515 | #endif | ||
502 | #ifdef SYS_delete_module | 516 | #ifdef SYS_delete_module |
503 | filter_add_blacklist(SYS_delete_module, 0); | 517 | filter_add_blacklist(SYS_delete_module, 0); |
504 | #endif | 518 | #endif |
@@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
508 | #ifdef SYS_ioperm | 522 | #ifdef SYS_ioperm |
509 | filter_add_blacklist(SYS_ioperm, 0); | 523 | filter_add_blacklist(SYS_ioperm, 0); |
510 | #endif | 524 | #endif |
525 | #ifdef SYS_ioprio_set | ||
526 | filter_add_blacklist(SYS_ioprio_set, 0); | ||
527 | #endif | ||
511 | #ifdef SYS_ni_syscall // new io permissions call on arm devices | 528 | #ifdef SYS_ni_syscall // new io permissions call on arm devices |
512 | filter_add_blacklist(SYS_ni_syscall, 0); | 529 | filter_add_blacklist(SYS_ni_syscall, 0); |
513 | #endif | 530 | #endif |
@@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
648 | #ifdef SYS_get_kernel_syms | 665 | #ifdef SYS_get_kernel_syms |
649 | filter_add_blacklist(SYS_get_kernel_syms, 0); | 666 | filter_add_blacklist(SYS_get_kernel_syms, 0); |
650 | #endif | 667 | #endif |
668 | |||
651 | } | 669 | } |
652 | 670 | ||
653 | // default seccomp filter with additional drop list | 671 | // default seccomp filter with additional drop list |
@@ -816,9 +834,11 @@ void seccomp_print_filter_name(const char *name) { | |||
816 | 834 | ||
817 | void seccomp_print_filter(pid_t pid) { | 835 | void seccomp_print_filter(pid_t pid) { |
818 | EUID_ASSERT(); | 836 | EUID_ASSERT(); |
819 | 837 | ||
820 | // if the pid is that of a firejail process, use the pid of the first child process | 838 | // if the pid is that of a firejail process, use the pid of the first child process |
839 | EUID_ROOT(); | ||
821 | char *comm = pid_proc_comm(pid); | 840 | char *comm = pid_proc_comm(pid); |
841 | EUID_USER(); | ||
822 | if (comm) { | 842 | if (comm) { |
823 | if (strcmp(comm, "firejail") == 0) { | 843 | if (strcmp(comm, "firejail") == 0) { |
824 | pid_t child; | 844 | pid_t child; |
@@ -839,7 +859,6 @@ void seccomp_print_filter(pid_t pid) { | |||
839 | } | 859 | } |
840 | } | 860 | } |
841 | 861 | ||
842 | |||
843 | // find the seccomp filter | 862 | // find the seccomp filter |
844 | EUID_ROOT(); | 863 | EUID_ROOT(); |
845 | char *fname; | 864 | char *fname; |
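diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 3671901d0..8d8035bfb 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -44,7 +44,9 @@ void shut(pid_t pid) {
 
 pid_t parent = pid;
 // if the pid is that of a firejail process, use the pid of a child process inside the sandbox
+EUID_ROOT();
 char *comm = pid_proc_comm(pid);
+EUID_USER();
 if (comm) {
 if (strcmp(comm, "firejail") == 0) {
 pid_t child;
@@ -75,25 +77,47 @@ void shut(pid_t pid) {
 EUID_ROOT();
 printf("Sending SIGTERM to %u\n", pid);
 kill(pid, SIGTERM);
-sleep(2);
 
-// if the process is still running, terminate it using SIGKILL
-// try to open stat file
-char *file;
-if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-perror("asprintf");
-exit(1);
+// wait for not more than 10 seconds
+sleep(2);
+int monsec = 8;
+char *monfile;
+if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
+errExit("asprintf");
+int killdone = 0;
+
+while (monsec) {
+FILE *fp = fopen(monfile, "r");
+if (!fp) {
+killdone = 1;
+break;
+}
+
+char c;
+size_t count = fread(&c, 1, 1, fp);
+fclose(fp);
+if (count == 0) {
+// all done
+killdone = 1;
+break;
+}
+
+sleep(1);
+monsec--;
 }
-FILE *fp = fopen(file, "r");
-if (!fp)
-return;
-fclose(fp);
-
+free(monfile);
+
+
+// force SIGKILL
+if (!killdone) {
 // kill the process and also the parent
 printf("Sending SIGKILL to %u\n", pid);
 kill(pid, SIGKILL);
 if (parent != pid) {
 printf("Sending SIGKILL to %u\n", parent);
 kill(parent, SIGKILL);
+}
 }
+
+clear_run_files(parent);
 }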
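Review bot: The poll loop in the second hunk keys only on the numeric pid, so if the SIGTERMed process exits and is reaped early in the up-to-10-second window and the kernel hands the same pid to an unrelated process, `/proc/<pid>/cmdline` reads non-empty, `killdone` stays 0, and the SIGKILL at new line 115 (plus the one to `parent`) is delivered to that unrelated process while the code runs under EUID_ROOT(). The old code had the same exposure with a 2-second window; widening it to 10 seconds makes it worth re-checking identity before the kill, e.g. comparing `pid_proc_comm(pid)` against the `comm` read at the top of the function (first hunk) and skipping the SIGKILL on mismatch, although comm is a weak identity and the process start time from /proc/<pid>/stat would be stronger; whether `comm` is still allocated at that point is outside the hunk. The `count == 0` branch would also benefit from a line such as `// an empty cmdline means the process is gone or a zombie; nothing left to kill`, since that is the only reason a one-byte read is treated as completion. New line 85 formats the same pid_t with `%d` while line 78 uses `%u`. shut()'s body begins before the first hunk.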
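diff --git a/src/firejail/syscall.h b/src/firejail/syscall.h
index 5b2cb4915..68d4b5736 100644
--- a/src/firejail/syscall.h
+++ b/src/firejail/syscall.h
@@ -37,6 +37,11 @@
 {"_sysctl", __NR__sysctl},
 #endif
 #endif
+#ifdef SYS_accept4
+#ifdef __NR_accept4
+{"accept4", __NR_accept4},
+#endif
+#endif
 #ifdef SYS_access
 #ifdef __NR_access
 {"access", __NR_access},
@@ -72,6 +77,11 @@
 {"bdflush", __NR_bdflush},
 #endif
 #endif
+#ifdef SYS_bind
+#ifdef __NR_bind
+{"bind", __NR_bind},
+#endif
+#endif
 #ifdef SYS_bpf
 #ifdef __NR_bpf
 {"bpf", __NR_bpf},
@@ -157,6 +167,16 @@
 {"close", __NR_close},
 #endif
 #endif
+#ifdef SYS_connect
+#ifdef __NR_connect
+{"connect", __NR_connect},
+#endif
+#endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+{"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
 {"creat", __NR_creat},
@@ -492,6 +512,11 @@
 {"getitimer", __NR_getitimer},
 #endif
 #endif
+#ifdef SYS_getpeername
+#ifdef __NR_getpeername
+{"getpeername", __NR_getpeername},
+#endif
+#endif
 #ifdef SYS_getpgid
 #ifdef __NR_getpgid
 {"getpgid", __NR_getpgid},
@@ -562,6 +587,16 @@
 {"getsid", __NR_getsid},
 #endif
 #endif
+#ifdef SYS_getsockname
+#ifdef __NR_getsockname
+{"getsockname", __NR_getsockname},
+#endif
+#endif
+#ifdef SYS_getsockopt
+#ifdef __NR_getsockopt
+{"getsockopt", __NR_getsockopt},
+#endif
+#endif
 #ifdef SYS_gettid
 #ifdef __NR_gettid
 {"gettid", __NR_gettid},
@@ -722,6 +757,11 @@
 {"linkat", __NR_linkat},
 #endif
 #endif
+#ifdef SYS_listen
+#ifdef __NR_listen
+{"listen", __NR_listen},
+#endif
+#endif
 #ifdef SYS_listxattr
 #ifdef __NR_listxattr
 {"listxattr", __NR_listxattr},
@@ -777,6 +817,11 @@
 {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+{"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
 {"memfd_create", __NR_memfd_create},
@@ -817,6 +862,11 @@
 {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+{"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
 {"mlockall", __NR_mlockall},
@@ -1122,11 +1172,21 @@
 {"reboot", __NR_reboot},
 #endif
 #endif
+#ifdef SYS_recvfrom
+#ifdef __NR_recvfrom
+{"recvfrom", __NR_recvfrom},
+#endif
+#endif
 #ifdef SYS_recvmmsg
 #ifdef __NR_recvmmsg
 {"recvmmsg", __NR_recvmmsg},
 #endif
 #endif
+#ifdef SYS_recvmsg
+#ifdef __NR_recvmsg
+{"recvmsg", __NR_recvmsg},
+#endif
+#endif
 #ifdef SYS_remap_file_pages
 #ifdef __NR_remap_file_pages
 {"remap_file_pages", __NR_remap_file_pages},
@@ -1292,6 +1352,16 @@
 {"sendmmsg", __NR_sendmmsg},
 #endif
 #endif
+#ifdef SYS_sendmsg
+#ifdef __NR_sendmsg
+{"sendmsg", __NR_sendmsg},
+#endif
+#endif
+#ifdef SYS_sendto
+#ifdef __NR_sendto
+{"sendto", __NR_sendto},
+#endif
+#endif
 #ifdef SYS_set_mempolicy
 #ifdef __NR_set_mempolicy
 {"set_mempolicy", __NR_set_mempolicy},
@@ -1432,6 +1502,11 @@
 {"setsid", __NR_setsid},
 #endif
 #endif
+#ifdef SYS_setsockopt
+#ifdef __NR_setsockopt
+{"setsockopt", __NR_setsockopt},
+#endif
+#endif
 #ifdef SYS_settimeofday
 #ifdef __NR_settimeofday
 {"settimeofday", __NR_settimeofday},
@@ -1457,6 +1532,11 @@
 {"sgetmask", __NR_sgetmask},
 #endif
 #endif
+#ifdef SYS_shutdown
+#ifdef __NR_shutdown
+{"shutdown", __NR_shutdown},
+#endif
+#endif
 #ifdef SYS_sigaction
 #ifdef __NR_sigaction
 {"sigaction", __NR_sigaction},
@@ -1502,11 +1582,21 @@
 {"sigsuspend", __NR_sigsuspend},
 #endif
 #endif
+#ifdef SYS_socket
+#ifdef __NR_socket
+{"socket", __NR_socket},
+#endif
+#endif
 #ifdef SYS_socketcall
 #ifdef __NR_socketcall
 {"socketcall", __NR_socketcall},
 #endif
 #endif
+#ifdef SYS_socketpair
+#ifdef __NR_socketpair
+{"socketpair", __NR_socketpair},
+#endif
+#endif
 #ifdef SYS_splice
 #ifdef __NR_splice
 {"splice", __NR_splice},
@@ -1722,6 +1812,11 @@
 {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+{"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
 {"ustat", __NR_ustat},
@@ -1934,6 +2029,11 @@
 {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+{"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
 {"creat", __NR_creat},
@@ -2484,6 +2584,11 @@
 {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+{"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
 {"memfd_create", __NR_memfd_create},
@@ -2524,6 +2629,11 @@
 {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+{"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
 {"mlockall", __NR_mlockall},
@@ -3354,6 +3464,11 @@
 {"uselib", __NR_uselib},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+{"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
 {"ustat", __NR_ustat},
@@ -3546,6 +3661,11 @@
 {"connect", __NR_connect},
 #endif
 #endif
+#ifdef SYS_copy_file_range
+#ifdef __NR_copy_file_range
+{"copy_file_range", __NR_copy_file_range},
+#endif
+#endif
 #ifdef SYS_creat
 #ifdef __NR_creat
 {"creat", __NR_creat},
@@ -4071,6 +4191,11 @@
 {"mbind", __NR_mbind},
 #endif
 #endif
+#ifdef SYS_membarrier
+#ifdef __NR_membarrier
+{"membarrier", __NR_membarrier},
+#endif
+#endif
 #ifdef SYS_memfd_create
 #ifdef __NR_memfd_create
 {"memfd_create", __NR_memfd_create},
@@ -4111,6 +4236,11 @@
 {"mlock", __NR_mlock},
 #endif
 #endif
+#ifdef SYS_mlock2
+#ifdef __NR_mlock2
+{"mlock2", __NR_mlock2},
+#endif
+#endif
 #ifdef SYS_mlockall
 #ifdef __NR_mlockall
 {"mlockall", __NR_mlockall},
@@ -4921,6 +5051,11 @@
 {"unshare", __NR_unshare},
 #endif
 #endif
+#ifdef SYS_userfaultfd
+#ifdef __NR_userfaultfd
+{"userfaultfd", __NR_userfaultfd},
+#endif
+#endif
 #ifdef SYS_ustat
 #ifdef __NR_ustat
 {"ustat", __NR_ustat},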
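diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7bc6ea47a..f7a93174f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,9 @@ void usage(void) {
 printf("\n");
 printf("Options:\n\n");
 printf(" -- - signal the end of options and disables further option processing.\n\n");
+printf(" --appimage - sandbox an AppImage application\n\n");
+printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
+printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
 #ifdef HAVE_NETWORK
 printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n");
 printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n");
@@ -56,6 +59,8 @@ void usage(void) {
 printf(" --chroot=dirname - chroot into directory.\n\n");
 #endif
 printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
+printf(" --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
+printf("\tby name or PID.\n\n");
 printf(" --csh - use /bin/csh as default shell.\n\n");
 
 printf(" --debug - print sandbox debug messages.\n\n");
@@ -69,8 +74,9 @@ void usage(void) {
 printf("\tsoftware build.\n\n");
 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
 printf("\tsoftware build.\n\n");
+#ifdef HAVE_WHITELIST
 printf(" --debug-whitelists - debug whitelisting.\n\n");
-
+#endif
 
 
 #ifdef HAVE_NETWORK
@@ -141,9 +147,11 @@ void usage(void) {
 printf(" --nice=value - set nice value\n\n");
 printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
 printf("\tfile.\n\n");
+printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n");
+printf("\tnosuid and nodev\n\n");
 printf(" --nogroups - disable supplementary groups. Without this option,\n");
 printf("\tsupplementary groups are enabled for the user starting the sandbox.\n");
-printf("\t For root, groups are always disabled.\n\n");
+printf("\tFor root, groups are always disabled.\n\n");
 
 printf(" --noprofile - do not use a profile. Profile priority is use the one\n");
 printf("\tspecified on the command line, next try to find one that\n");
@@ -155,10 +163,13 @@ void usage(void) {
 printf("\tuser. root user does not exist in the new namespace. This option\n");
 printf("\tis not supported for --chroot and --overlay configurations.\n\n");
 #endif
+printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n");
+printf("\tcannot gain privileges using execve(2); in particular, this prevents\n");
+printf("\tgaining privileges by calling a suid binary\n\n");
 printf(" --nosound - disable sound system.\n\n");
 
-printf(" --output=logfile - stdout logging and log rotation. Copy stdout to\n");
-printf("\tlogfile, and keep the size of the file under 500KB using log\n");
+printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n");
+printf("\tto logfile, and keep the size of the file under 500KB using log\n");
 printf("\trotation. Five files with prefixes .1 to .5 are used in\n");
 printf("\trotation.\n\n");
 
@@ -178,11 +189,10 @@ void usage(void) {
 printf(" --private=directory - use directory as user home.\n\n");
 
 printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-printf("\tand copy the programs in the list. The same directory is\n");
-printf("\talso bind-mounted over /sbin, /usr/bin and /usr/sbin.\n\n");
+printf("\tand copy the programs in the list.\n\n");
 
 printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n");
+printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n\n");
 
 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
 printf("\tfilesystem, and copy the files and directories in the list.\n");
@@ -200,6 +210,7 @@ void usage(void) {
 
 printf(" --quiet - turn off Firejail's output.\n\n");
 printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
+printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
 printf("\tby a process.\n\n");
 printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -208,6 +219,7 @@ void usage(void) {
 printf("\tcreated for the real user ID of the calling process.\n\n");
 printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
 printf("\tfor a process.\n\n");
+printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n");
 #ifdef HAVE_NETWORK
 printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
 printf("\tThis makes it possible to detect macvlan kernel device drivers\n");
@@ -242,10 +254,17 @@ void usage(void) {
 printf(" --tracelog - add a syslog message for every access to files or\n");
 printf("\tdirectoires blacklisted by the security profile.\n\n");
 printf(" --tree - print a tree of all sandboxed processes.\n\n");
-printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
 printf(" --version - print program version and exit.\n\n");
+#ifdef HAVE_WHITELIST
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-printf(" --x11 - enable x11 server.\n\n");
+#endif
+printf(" --writable-etc - /etc directory is mounted read-write.\n\n");
+printf(" --writable-var - /var directory is mounted read-write.\n\n");
+
+printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n");
+printf("\tthen it checks if Xephyr is installed.\n\n");
+printf(" --x11=xpra - enable Xpra X11 server.\n\n");
+printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n");
 printf(" --zsh - use /usr/bin/zsh as default shell.\n\n");
 printf("\n");
 printf("\n");
@@ -283,7 +302,19 @@ void usage(void) {
 printf("\n");
 #endif
 
-
+printf("Audit\n\n");
+printf("Audit feature allows the user to point out gaps in security profiles. The\n");
+printf("implementation replaces the program to be sandboxed with a test program. By\n");
+printf("default, we use faudit program distributed with Firejail. A custom test program\n");
+printf("can also be supplied by the user. Examples:\n\n");
+printf("Running the default audit program:\n");
+printf(" $ firejail --audit transmission-gtk\n\n");
+printf("Running a custom audit program:\n");
+printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n");
+printf("In the examples above, the sandbox configures transmission-gtk profile and\n");
+printf("starts the test program. The real program, transmission-gtk, will not be\n");
+printf("started.\n\n\n");
+
 printf("Monitoring\n\n");
 
 printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
@@ -321,7 +352,7 @@ void usage(void) {
 printf("\n");
 printf("Restricted shell\n\n");
 printf("To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n");
-printf("/etc/password file for each user that needs to be restricted.\n");
+printf("/etc/passwd file for each user that needs to be restricted.\n");
 printf("Alternatively, you can specify /usr/bin/firejail in adduser command:\n\n");
 printf(" adduser --shell /usr/bin/firejail username\n\n");
 printf("Arguments to be passed to firejail executable upon login are declared in\n");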
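Review bot: Two of the new help strings carry typos that ship straight to users: new line 62 says `print the cup in use` (cpu), and new line 150 names the argument `dirname_of_filenam` while every sibling option on this page uses `dirname_or_filename`. New line 213 also copies the stray double period from the `--read-only` line above it (`read-write..`). Suggested replacements: `printf(" --cpu.print=name|pid - print the cpu in use by the sandbox identified\n");`, `printf(" --noexec=dirname_or_filename - remount the file or directory noexec\n");`, `printf(" --read-write=dirname_or_filename - set directory or file read-write.\n\n");`. The `--nonewprivs` text at new lines 166–168 is the one option here with a security meaning, and it reads correctly. usage() starts and ends outside every hunk.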
diff --git a/src/firejail/user.c b/src/firejail/user.c deleted file mode 100644 index a2f34392c..000000000 --- a/src/firejail/user.c +++ /dev/null | |||
@@ -1,115 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/types.h> | ||
22 | #include <sys/stat.h> | ||
23 | #include <unistd.h> | ||
24 | #include <grp.h> | ||
25 | #include <pwd.h> | ||
26 | |||
27 | |||
28 | void check_user(int argc, char **argv) { | ||
29 | EUID_ASSERT(); | ||
30 | int i; | ||
31 | char *user = NULL; | ||
32 | |||
33 | int found = 0; | ||
34 | for (i = 1; i < argc; i++) { | ||
35 | // check options | ||
36 | if (strcmp(argv[i], "--") == 0) | ||
37 | break; | ||
38 | if (strncmp(argv[i], "--", 2) != 0) | ||
39 | break; | ||
40 | |||
41 | // check user option | ||
42 | if (strncmp(argv[i], "--user=", 7) == 0) { | ||
43 | found = 1; | ||
44 | user = argv[i] + 7; | ||
45 | break; | ||
46 | } | ||
47 | } | ||
48 | if (!found) | ||
49 | return; | ||
50 | |||
51 | // check root | ||
52 | if (getuid() != 0) { | ||
53 | fprintf(stderr, "Error: you need to be root to use --user command line option\n"); | ||
54 | exit(1); | ||
55 | } | ||
56 | |||
57 | // switch user | ||
58 | struct passwd *pw = getpwnam(user); | ||
59 | if (!pw) { | ||
60 | fprintf(stderr, "Error: cannot find user %s\n", user); | ||
61 | exit(1); | ||
62 | } | ||
63 | |||
64 | printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid); | ||
65 | int rv = initgroups(user, pw->pw_gid); | ||
66 | if (rv == -1) { | ||
67 | perror("initgroups"); | ||
68 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
69 | } | ||
70 | |||
71 | rv = setgid(pw->pw_gid); | ||
72 | if (rv == -1) { | ||
73 | perror("setgid"); | ||
74 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
75 | } | ||
76 | |||
77 | rv = setuid(pw->pw_uid); | ||
78 | if (rv == -1) { | ||
79 | perror("setuid"); | ||
80 | fprintf(stderr, "Error: cannot switch to user %s\n", user); | ||
81 | } | ||
82 | |||
83 | // build the new command line | ||
84 | int len = 0; | ||
85 | for (i = 0; i < argc; i++) { | ||
86 | len += strlen(argv[i]) + 1; // + ' ' | ||
87 | } | ||
88 | |||
89 | char *cmd = malloc(len + 1); // + '\0' | ||
90 | if (!cmd) | ||
91 | errExit("malloc"); | ||
92 | |||
93 | char *ptr = cmd; | ||
94 | int first = 1; | ||
95 | for (i = 0; i < argc; i++) { | ||
96 | if (strncmp(argv[i], "--user=", 7) == 0 && first) { | ||
97 | first = 0; | ||
98 | continue; | ||
99 | } | ||
100 | |||
101 | ptr += sprintf(ptr, "%s ", argv[i]); | ||
102 | } | ||
103 | |||
104 | // run command | ||
105 | char *a[4]; | ||
106 | a[0] = "/bin/bash"; | ||
107 | a[1] = "-c"; | ||
108 | a[2] = cmd; | ||
109 | a[3] = NULL; | ||
110 | |||
111 | execvp(a[0], a); | ||
112 | |||
113 | perror("execvp"); | ||
114 | exit(1); | ||
115 | } | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index 04b564370..dc906532f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -29,6 +29,7 @@ | |||
29 | // drop privileges | 29 | // drop privileges |
30 | // - for root group or if nogroups is set, supplementary groups are not configured | 30 | // - for root group or if nogroups is set, supplementary groups are not configured |
31 | void drop_privs(int nogroups) { | 31 | void drop_privs(int nogroups) { |
32 | EUID_ROOT(); | ||
32 | gid_t gid = getgid(); | 33 | gid_t gid = getgid(); |
33 | 34 | ||
34 | // configure supplementary groups | 35 | // configure supplementary groups |
@@ -346,6 +347,7 @@ int find_child(pid_t parent, pid_t *child) { | |||
346 | *child = 0; // use it to flag a found child | 347 | *child = 0; // use it to flag a found child |
347 | 348 | ||
348 | DIR *dir; | 349 | DIR *dir; |
350 | EUID_ROOT(); // grsecurity fix | ||
349 | if (!(dir = opendir("/proc"))) { | 351 | if (!(dir = opendir("/proc"))) { |
350 | // sleep 2 seconds and try again | 352 | // sleep 2 seconds and try again |
351 | sleep(2); | 353 | sleep(2); |
@@ -397,7 +399,7 @@ int find_child(pid_t parent, pid_t *child) { | |||
397 | free(file); | 399 | free(file); |
398 | } | 400 | } |
399 | closedir(dir); | 401 | closedir(dir); |
400 | 402 | EUID_USER(); | |
401 | return (*child)? 0:1; // 0 = found, 1 = not found | 403 | return (*child)? 0:1; // 0 = found, 1 = not found |
402 | } | 404 | } |
403 | 405 | ||
@@ -547,7 +549,7 @@ char *expand_home(const char *path, const char* homedir) { | |||
547 | errExit("asprintf"); | 549 | errExit("asprintf"); |
548 | return new_name; | 550 | return new_name; |
549 | } | 551 | } |
550 | else if (strncmp(path, "~/", 2) == 0) { | 552 | else if (*path == '~') { |
551 | if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) | 553 | if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) |
552 | errExit("asprintf"); | 554 | errExit("asprintf"); |
553 | return new_name; | 555 | return new_name; |
@@ -576,6 +578,7 @@ uid_t pid_get_uid(pid_t pid) { | |||
576 | perror("asprintf"); | 578 | perror("asprintf"); |
577 | exit(1); | 579 | exit(1); |
578 | } | 580 | } |
581 | EUID_ROOT(); // grsecurity fix | ||
579 | FILE *fp = fopen(file, "r"); | 582 | FILE *fp = fopen(file, "r"); |
580 | if (!fp) { | 583 | if (!fp) { |
581 | free(file); | 584 | free(file); |
@@ -602,6 +605,7 @@ uid_t pid_get_uid(pid_t pid) { | |||
602 | 605 | ||
603 | fclose(fp); | 606 | fclose(fp); |
604 | free(file); | 607 | free(file); |
608 | EUID_USER(); // grsecurity fix | ||
605 | 609 | ||
606 | if (rv == 0) { | 610 | if (rv == 0) { |
607 | fprintf(stderr, "Error: cannot read /proc file\n"); | 611 | fprintf(stderr, "Error: cannot read /proc file\n"); |
@@ -642,3 +646,13 @@ uid_t get_tty_gid(void) { | |||
642 | 646 | ||
643 | return ttygid; | 647 | return ttygid; |
644 | } | 648 | } |
649 | |||
650 | uid_t get_audio_gid(void) { | ||
651 | // find tty group id | ||
652 | gid_t audiogid = 0; | ||
653 | struct group *g = getgrnam("audio"); | ||
654 | if (g) | ||
655 | audiogid = g->gr_gid; | ||
656 | |||
657 | return audiogid; | ||
658 | } | ||
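Review bot: `get_audio_gid` is declared to return `uid_t` while it computes and returns a `gid_t` (`audiogid`), and its comment `// find tty group id` looks copied from the neighbouring `get_tty_gid`; declaring it `gid_t get_audio_gid(void)` and changing the comment to `// find audio group id` would make the new helper self-describing (the prototype in the header is outside this diff and must be kept in sync). In the `expand_home` hunk, relaxing `strncmp(path, "~/", 2) == 0` to `*path == '~'` also matches the `~user/...` spelling, which then becomes `homedir` concatenated with `user/...` rather than that user's home directory; if only a bare `~` and `~/...` are meant, `*path == '~' && (path[1] == '\0' || path[1] == '/')` keeps the old behaviour for the other forms. In `find_child`, `EUID_ROOT()` is now raised before `opendir("/proc")`, but the retry branch's early return lies outside the hunk, so it is worth confirming that path also calls `EUID_USER()` before returning.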
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 8c781c67a..2accaeb71 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -26,8 +26,9 @@ | |||
26 | #include <dirent.h> | 26 | #include <dirent.h> |
27 | #include <sys/mount.h> | 27 | #include <sys/mount.h> |
28 | 28 | ||
29 | #ifdef HAVE_X11 | ||
29 | // return 1 if xpra is installed on the system | 30 | // return 1 if xpra is installed on the system |
30 | int x11_check_xpra(void) { | 31 | static int x11_check_xpra(void) { |
31 | struct stat s; | 32 | struct stat s; |
32 | 33 | ||
33 | // check xpra | 34 | // check xpra |
@@ -37,6 +38,43 @@ int x11_check_xpra(void) { | |||
37 | return 1; | 38 | return 1; |
38 | } | 39 | } |
39 | 40 | ||
41 | // return 1 if xephyr is installed on the system | ||
42 | static int x11_check_xephyr(void) { | ||
43 | struct stat s; | ||
44 | |||
45 | // check xephyr | ||
46 | if (stat("/usr/bin/Xephyr", &s) == -1) | ||
47 | return 0; | ||
48 | |||
49 | return 1; | ||
50 | } | ||
51 | |||
52 | static int random_display_number(void) { | ||
53 | int i; | ||
54 | int found = 1; | ||
55 | int display; | ||
56 | for (i = 0; i < 100; i++) { | ||
57 | display = rand() % 1024; | ||
58 | if (display < 10) | ||
59 | continue; | ||
60 | char *fname; | ||
61 | if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) | ||
62 | errExit("asprintf"); | ||
63 | struct stat s; | ||
64 | if (stat(fname, &s) == -1) { | ||
65 | found = 1; | ||
66 | break; | ||
67 | } | ||
68 | } | ||
69 | if (!found) { | ||
70 | fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n"); | ||
71 | exit(1); | ||
72 | } | ||
73 | |||
74 | return display; | ||
75 | } | ||
76 | #endif | ||
77 | |||
40 | // return display number, -1 if not configured | 78 | // return display number, -1 if not configured |
41 | int x11_display(void) { | 79 | int x11_display(void) { |
42 | // extract display | 80 | // extract display |
@@ -120,38 +158,163 @@ void fs_x11(void) { | |||
120 | 158 | ||
121 | 159 | ||
122 | #ifdef HAVE_X11 | 160 | #ifdef HAVE_X11 |
123 | void x11_start(int argc, char **argv) { | 161 | //$ Xephyr -ac -br -noreset -screen 800x600 :22 & |
162 | //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox | ||
163 | void x11_start_xephyr(int argc, char **argv) { | ||
124 | EUID_ASSERT(); | 164 | EUID_ASSERT(); |
125 | int i; | 165 | int i; |
126 | struct stat s; | 166 | struct stat s; |
127 | pid_t client = 0; | 167 | pid_t client = 0; |
128 | pid_t server = 0; | 168 | pid_t server = 0; |
129 | 169 | ||
130 | // check xpra | 170 | |
131 | if (x11_check_xpra() == 0) { | 171 | setenv("FIREJAIL_X11", "yes", 1); |
132 | fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); | 172 | |
133 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); | 173 | // unfortunately, xephyr does a number of weird things when started by root user!!! |
174 | if (getuid() == 0) { | ||
175 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | ||
176 | exit(1); | ||
177 | } | ||
178 | drop_privs(0); | ||
179 | |||
180 | // check xephyr | ||
181 | if (x11_check_xephyr() == 0) { | ||
182 | fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); | ||
183 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); | ||
184 | fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); | ||
134 | exit(0); | 185 | exit(0); |
135 | } | 186 | } |
136 | 187 | ||
137 | int display; | 188 | int display = random_display_number(); |
138 | int found = 1; | 189 | |
139 | for (i = 0; i < 100; i++) { | 190 | // start xephyr |
140 | display = rand() % 1024; | 191 | char *cmd1; |
141 | if (display < 10) | 192 | if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { |
142 | continue; | 193 | if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) |
143 | char *fname; | ||
144 | if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) | ||
145 | errExit("asprintf"); | 194 | errExit("asprintf"); |
146 | if (stat(fname, &s) == -1) { | 195 | } |
147 | found = 1; | 196 | else { |
197 | if (asprintf(&cmd1, "Xephyr -ac -br %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) | ||
198 | errExit("asprintf"); | ||
199 | } | ||
200 | |||
201 | int len = 50; // DISPLAY... | ||
202 | for (i = 0; i < argc; i++) { | ||
203 | len += strlen(argv[i]) + 1; // + ' ' | ||
204 | } | ||
205 | |||
206 | char *cmd2 = malloc(len + 1); // + '\0' | ||
207 | if (!cmd2) | ||
208 | errExit("malloc"); | ||
209 | |||
210 | sprintf(cmd2, "DISPLAY=:%d ", display); | ||
211 | char *ptr = cmd2 + strlen(cmd2); | ||
212 | for (i = 0; i < argc; i++) { | ||
213 | if (strcmp(argv[i], "--x11") == 0) | ||
214 | continue; | ||
215 | if (strcmp(argv[i], "--x11=xpra") == 0) | ||
216 | continue; | ||
217 | if (strcmp(argv[i], "--x11=xephyr") == 0) | ||
218 | continue; | ||
219 | ptr += sprintf(ptr, "%s ", argv[i]); | ||
220 | } | ||
221 | if (arg_debug) | ||
222 | printf("xephyr server: %s\n", cmd1); | ||
223 | if (arg_debug) | ||
224 | printf("xephyr client: %s\n", cmd2); | ||
225 | |||
226 | signal(SIGHUP,SIG_IGN); // fix sleep(1) below | ||
227 | server = fork(); | ||
228 | if (server < 0) | ||
229 | errExit("fork"); | ||
230 | if (server == 0) { | ||
231 | if (arg_debug) | ||
232 | printf("Starting xephyr...\n"); | ||
233 | |||
234 | char *a[4]; | ||
235 | a[0] = "/bin/bash"; | ||
236 | a[1] = "-c"; | ||
237 | a[2] = cmd1; | ||
238 | a[3] = NULL; | ||
239 | |||
240 | execvp(a[0], a); | ||
241 | perror("execvp"); | ||
242 | exit(1); | ||
243 | } | ||
244 | |||
245 | // check X11 socket | ||
246 | char *fname; | ||
247 | if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) | ||
248 | errExit("asprintf"); | ||
249 | int n = 0; | ||
250 | // wait for x11 server to start | ||
251 | while (++n < 10) { | ||
252 | sleep(1); | ||
253 | if (stat(fname, &s) == 0) | ||
148 | break; | 254 | break; |
149 | } | 255 | }; |
256 | |||
257 | if (n == 10) { | ||
258 | fprintf(stderr, "Error: failed to start xephyr\n"); | ||
259 | exit(1); | ||
150 | } | 260 | } |
151 | if (!found) { | 261 | free(fname); |
152 | fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n"); | 262 | sleep(1); |
263 | |||
264 | if (arg_debug) { | ||
265 | printf("X11 sockets: "); fflush(0); | ||
266 | int rv = system("ls /tmp/.X11-unix"); | ||
267 | (void) rv; | ||
268 | } | ||
269 | |||
270 | // run attach command | ||
271 | client = fork(); | ||
272 | if (client < 0) | ||
273 | errExit("fork"); | ||
274 | if (client == 0) { | ||
275 | printf("\n*** Attaching to Xephyr display %d ***\n\n", display); | ||
276 | char *a[4]; | ||
277 | a[0] = "/bin/bash"; | ||
278 | a[1] = "-c"; | ||
279 | a[2] = cmd2; | ||
280 | a[3] = NULL; | ||
281 | |||
282 | execvp(a[0], a); | ||
283 | perror("execvp"); | ||
153 | exit(1); | 284 | exit(1); |
154 | } | 285 | } |
286 | sleep(1); | ||
287 | |||
288 | if (!arg_quiet) | ||
289 | printf("Xephyr server pid %d, client pid %d\n", server, client); | ||
290 | |||
291 | exit(0); | ||
292 | } | ||
293 | |||
294 | void x11_start_xpra(int argc, char **argv) { | ||
295 | EUID_ASSERT(); | ||
296 | int i; | ||
297 | struct stat s; | ||
298 | pid_t client = 0; | ||
299 | pid_t server = 0; | ||
300 | |||
301 | setenv("FIREJAIL_X11", "yes", 1); | ||
302 | |||
303 | // unfortunately, xpra does a number of weird things when started by root user!!! | ||
304 | if (getuid() == 0) { | ||
305 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | ||
306 | exit(1); | ||
307 | } | ||
308 | drop_privs(0); | ||
309 | |||
310 | // check xpra | ||
311 | if (x11_check_xpra() == 0) { | ||
312 | fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); | ||
313 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); | ||
314 | exit(0); | ||
315 | } | ||
316 | |||
317 | int display = random_display_number(); | ||
155 | 318 | ||
156 | // build the start command | 319 | // build the start command |
157 | int len = 50; // xpra start... | 320 | int len = 50; // xpra start... |
@@ -168,6 +331,10 @@ void x11_start(int argc, char **argv) { | |||
168 | for (i = 0; i < argc; i++) { | 331 | for (i = 0; i < argc; i++) { |
169 | if (strcmp(argv[i], "--x11") == 0) | 332 | if (strcmp(argv[i], "--x11") == 0) |
170 | continue; | 333 | continue; |
334 | if (strcmp(argv[i], "--x11=xpra") == 0) | ||
335 | continue; | ||
336 | if (strcmp(argv[i], "--x11=xephyr") == 0) | ||
337 | continue; | ||
171 | ptr += sprintf(ptr, "%s ", argv[i]); | 338 | ptr += sprintf(ptr, "%s ", argv[i]); |
172 | } | 339 | } |
173 | sprintf(ptr, "\""); | 340 | sprintf(ptr, "\""); |
@@ -176,12 +343,12 @@ void x11_start(int argc, char **argv) { | |||
176 | 343 | ||
177 | // build the attach command | 344 | // build the attach command |
178 | char *cmd2; | 345 | char *cmd2; |
179 | if (asprintf(&cmd2, "xpra attach :%d", display) == -1) | 346 | if (asprintf(&cmd2, "xpra --title=\"firejail x11 sandbox\" attach :%d", display) == -1) |
180 | errExit("asprintf"); | 347 | errExit("asprintf"); |
181 | if (arg_debug) | 348 | if (arg_debug) |
182 | printf("xpra client: %s\n", cmd2); | 349 | printf("xpra client: %s\n", cmd2); |
183 | 350 | ||
184 | signal(SIGHUP,SIG_IGN); // fix sleep(1`) below | 351 | signal(SIGHUP,SIG_IGN); // fix sleep(1) below |
185 | server = fork(); | 352 | server = fork(); |
186 | if (server < 0) | 353 | if (server < 0) |
187 | errExit("fork"); | 354 | errExit("fork"); |
@@ -248,4 +415,27 @@ void x11_start(int argc, char **argv) { | |||
248 | 415 | ||
249 | exit(0); | 416 | exit(0); |
250 | } | 417 | } |
418 | |||
419 | void x11_start(int argc, char **argv) { | ||
420 | EUID_ASSERT(); | ||
421 | |||
422 | // unfortunately, xpra does a number of weird things when started by root user!!! | ||
423 | if (getuid() == 0) { | ||
424 | fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); | ||
425 | exit(1); | ||
426 | } | ||
427 | |||
428 | // check xpra | ||
429 | if (x11_check_xpra() == 1) | ||
430 | x11_start_xpra(argc, argv); | ||
431 | else if (x11_check_xephyr() == 1) | ||
432 | x11_start_xephyr(argc, argv); | ||
433 | else { | ||
434 | fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); | ||
435 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); | ||
436 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); | ||
437 | exit(0); | ||
438 | } | ||
439 | } | ||
440 | |||
251 | #endif | 441 | #endif |
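Review bot: In `random_display_number`, `found` is initialised to 1 and only ever set to 1 again, so the `if (!found)` error path is unreachable and after 100 collisions the function returns the last display number tried even though its socket already exists; `int found = 0;` restores the intended check. The `fname` from `asprintf` is also never freed inside that loop, so freeing it right after the `stat` call keeps the loop leak-free. `x11_start_xephyr` copies the existing xpra pattern of joining `argv` into one string handed to `/bin/bash -c` via `sprintf` without any quoting, so an argument containing spaces or shell metacharacters is re-split and re-interpreted by the shell; passing the argument vector to `execvp` directly, with `DISPLAY` set through `setenv`, avoids that re-parsing. `x11_start` tries `x11_check_xpra()` before `x11_check_xephyr()`, so on a system with both installed a `--x11=xephyr` request reaching this function would still go to xpra — worth confirming the option parser (outside this diff) routes `--x11=xephyr` to `x11_start_xephyr` directly.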
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 0e38696ac..3140c5f70 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -23,7 +23,8 @@ | |||
23 | #include <sys/ioctl.h> | 23 | #include <sys/ioctl.h> |
24 | #include <sys/prctl.h> | 24 | #include <sys/prctl.h> |
25 | #include <grp.h> | 25 | #include <grp.h> |
26 | 26 | #include <sys/stat.h> | |
27 | |||
27 | 28 | ||
28 | static int arg_route = 0; | 29 | static int arg_route = 0; |
29 | static int arg_arp = 0; | 30 | static int arg_arp = 0; |
@@ -136,6 +137,12 @@ int main(int argc, char **argv) { | |||
136 | return 0; | 137 | return 0; |
137 | } | 138 | } |
138 | else if (strcmp(argv[i], "--netstats") == 0) { | 139 | else if (strcmp(argv[i], "--netstats") == 0) { |
140 | struct stat s; | ||
141 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
142 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); | ||
143 | exit(1); | ||
144 | } | ||
145 | |||
139 | netstats(); | 146 | netstats(); |
140 | return 0; | 147 | return 0; |
141 | } | 148 | } |
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 3b6c128ae..0ff0dd33d 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -26,6 +26,10 @@ | |||
26 | 26 | ||
27 | #define MAXBUF 4096 | 27 | #define MAXBUF 4096 |
28 | 28 | ||
29 | // ip -s link: device stats | ||
30 | // ss -s: socket stats | ||
31 | |||
32 | |||
29 | static char *get_header(void) { | 33 | static char *get_header(void) { |
30 | char *rv; | 34 | char *rv; |
31 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | 35 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", |
@@ -117,8 +121,14 @@ static void print_proc(int index, int itv, int col) { | |||
117 | } | 121 | } |
118 | else | 122 | else |
119 | ptrcmd = cmd; | 123 | ptrcmd = cmd; |
120 | // if the command doesn't have a --net= option, don't print | 124 | |
121 | if (strstr(ptrcmd, "--net=") == NULL) { | 125 | // check network namespace |
126 | char *name; | ||
127 | if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1) | ||
128 | errExit("asprintf"); | ||
129 | struct stat s; | ||
130 | if (stat(name, &s) == -1) { | ||
131 | // the sandbox doesn't have a --net= option, don't print | ||
122 | if (cmd) | 132 | if (cmd) |
123 | free(cmd); | 133 | free(cmd); |
124 | return; | 134 | return; |
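Review bot: The `name` buffer allocated by `asprintf` in `print_proc` is never freed on the early-return path that follows the failed `stat`, so every sandbox without a network namespace leaks one allocation per refresh; add `free(name);` next to the `free(cmd)` before `return;`. Since `name` is only needed for the `stat` call, saving the `stat` result and freeing `name` immediately afterwards also covers the success path, which continues outside this hunk. The enclosing `print_proc` starts and ends outside the hunk.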
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index e2dd5aaa2..7c961adde 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -89,7 +89,8 @@ static int pid_is_firejail(pid_t pid) { | |||
89 | 89 | ||
90 | // list of firejail arguments that don't trigger sandbox creation | 90 | // list of firejail arguments that don't trigger sandbox creation |
91 | // the initial -- is not included | 91 | // the initial -- is not included |
92 | char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols"; | 92 | char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols " |
93 | "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get "; | ||
93 | 94 | ||
94 | int i; | 95 | int i; |
95 | char *start; | 96 | char *start; |
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 926e1c89f..74a2a61f0 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -24,7 +24,8 @@ void usage(void) { | |||
24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); | 24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); |
25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); | 25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); |
26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); | 26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); |
27 | printf("are also being monitored.\n\n"); | 27 | printf("are also being monitored. On Grsecurity systems only root user\n"); |
28 | printf("can run this program.\n\n"); | ||
28 | printf("Options:\n"); | 29 | printf("Options:\n"); |
29 | printf("\t--arp - print ARP table for each sandbox.\n\n"); | 30 | printf("\t--arp - print ARP table for each sandbox.\n\n"); |
30 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); | 31 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); |
diff --git a/src/include/euid_common.h b/src/include/euid_common.h index f07cf2868..b6d341bf4 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h | |||
@@ -36,12 +36,12 @@ extern uid_t firejail_uid; | |||
36 | 36 | ||
37 | static inline void EUID_ROOT(void) { | 37 | static inline void EUID_ROOT(void) { |
38 | if (seteuid(0) == -1) | 38 | if (seteuid(0) == -1) |
39 | fprintf(stderr, "Error: cannot switch euid to root\n"); | 39 | fprintf(stderr, "Warning: cannot switch euid to root\n"); |
40 | } | 40 | } |
41 | 41 | ||
42 | static inline void EUID_USER(void) { | 42 | static inline void EUID_USER(void) { |
43 | if (seteuid(firejail_uid) == -1) | 43 | if (seteuid(firejail_uid) == -1) |
44 | fprintf(stderr, "Error: cannot switch euid to user\n"); | 44 | fprintf(stderr, "Warning: cannot switch euid to user\n"); |
45 | } | 45 | } |
46 | 46 | ||
47 | static inline void EUID_PRINT(void) { | 47 | static inline void EUID_PRINT(void) { |
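Review bot: Downgrading the `seteuid` failure messages from Error to Warning changes wording only; both helpers still return `void`, so a caller cannot tell that `EUID_ROOT()` left it unprivileged or, more importantly, that `EUID_USER()` left it running with euid 0 for the code that follows. If callers are expected to continue regardless, a comment stating that contract would help, e.g. `// best effort: on seteuid() failure the caller keeps running with its current euid`; otherwise returning the `seteuid` result (`static inline int EUID_USER(void)`) lets the security-sensitive callers check it.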
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 07457eefe..836cf417d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c | |||
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data) | |||
723 | int len = RTA_LENGTH(4); | 723 | int len = RTA_LENGTH(4); |
724 | struct rtattr *subrta; | 724 | struct rtattr *subrta; |
725 | 725 | ||
726 | if (RTA_ALIGN(rta->rta_len) + len > maxlen) { | 726 | if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) { |
727 | fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen); | 727 | fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen); |
728 | return -1; | 728 | return -1; |
729 | } | 729 | } |
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type, | |||
741 | struct rtattr *subrta; | 741 | struct rtattr *subrta; |
742 | int len = RTA_LENGTH(alen); | 742 | int len = RTA_LENGTH(alen); |
743 | 743 | ||
744 | if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) { | 744 | if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) { |
745 | fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen); | 745 | fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen); |
746 | return -1; | 746 | return -1; |
747 | } | 747 | } |
diff --git a/src/lib/pid.c b/src/lib/pid.c index a89ac434b..d1ade389e 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -310,7 +310,11 @@ void pid_read(pid_t mon_pid) { | |||
310 | continue; | 310 | continue; |
311 | if (pid == mypid) | 311 | if (pid == mypid) |
312 | continue; | 312 | continue; |
313 | 313 | ||
314 | // skip PID 1 just in case we run a sandbox-in-sandbox | ||
315 | if (pid == 1) | ||
316 | continue; | ||
317 | |||
314 | // open stat file | 318 | // open stat file |
315 | char *file; | 319 | char *file; |
316 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { | 320 | if (asprintf(&file, "/proc/%u/status", pid) == -1) { |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index c3fd40a67..3e65587c4 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -91,9 +91,9 @@ static void storage_add(const char *str) { | |||
91 | storage[h] = ptr; | 91 | storage[h] = ptr; |
92 | } | 92 | } |
93 | 93 | ||
94 | char* cwd = NULL; // global variable for keeping current working directory | 94 | // global variable to keep current working directory |
95 | typedef int (*orig_chdir_t)(const char *pathname); | 95 | static char* cwd = NULL; |
96 | static orig_chdir_t orig_chdir = NULL; | 96 | |
97 | static char *storage_find(const char *str) { | 97 | static char *storage_find(const char *str) { |
98 | #ifdef DEBUG | 98 | #ifdef DEBUG |
99 | printf("storage find %s\n", str); | 99 | printf("storage find %s\n", str); |
@@ -107,17 +107,23 @@ static char *storage_find(const char *str) { | |||
107 | const char *tofind = str; | 107 | const char *tofind = str; |
108 | int allocated = 0; | 108 | int allocated = 0; |
109 | 109 | ||
110 | if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') { | 110 | if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') { |
111 | if (!orig_chdir) | 111 | if (cwd != NULL && str[0] != '/') { |
112 | orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir"); | 112 | char *fullpath=malloc(PATH_MAX); |
113 | if (!orig_chdir(cwd)) { | 113 | if (!fullpath) { |
114 | #ifdef DEBUG | 114 | fprintf(stderr, "Error: cannot allocate memory\n"); |
115 | printf("chdir failed\n"); | 115 | return NULL; |
116 | #endif | 116 | } |
117 | return NULL; | 117 | if (snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str)<3) { |
118 | fprintf(stderr, "Error: snprintf failed\n"); | ||
119 | free(fullpath); | ||
120 | return NULL; | ||
121 | } | ||
122 | tofind = realpath(fullpath, NULL); | ||
123 | free(fullpath); | ||
124 | } else { | ||
125 | tofind = realpath(str, NULL); | ||
118 | } | 126 | } |
119 | |||
120 | tofind = realpath(str, NULL); | ||
121 | if (!tofind) { | 127 | if (!tofind) { |
122 | #ifdef DEBUG | 128 | #ifdef DEBUG |
123 | printf("realpath failed\n"); | 129 | printf("realpath failed\n"); |
@@ -641,9 +647,8 @@ DIR *opendir(const char *pathname) { | |||
641 | } | 647 | } |
642 | 648 | ||
643 | // chdir | 649 | // chdir |
644 | // definition of orig_chdir placed before storage_find function | 650 | typedef int (*orig_chdir_t)(const char *pathname); |
645 | //typedef int (*orig_chdir_t)(const char *pathname); | 651 | static orig_chdir_t orig_chdir = NULL; |
646 | //static orig_chdir_t orig_chdir = NULL; | ||
647 | int chdir(const char *pathname) { | 652 | int chdir(const char *pathname) { |
648 | #ifdef DEBUG | 653 | #ifdef DEBUG |
649 | printf("%s %s\n", __FUNCTION__, pathname); | 654 | printf("%s %s\n", __FUNCTION__, pathname); |
@@ -662,3 +667,32 @@ int chdir(const char *pathname) { | |||
662 | int rv = orig_chdir(pathname); | 667 | int rv = orig_chdir(pathname); |
663 | return rv; | 668 | return rv; |
664 | } | 669 | } |
670 | |||
671 | // fchdir | ||
672 | typedef int (*orig_fchdir_t)(int fd); | ||
673 | static orig_fchdir_t orig_fchdir = NULL; | ||
674 | int fchdir(int fd) { | ||
675 | #ifdef DEBUG | ||
676 | printf("%s %d\n", __FUNCTION__, fd); | ||
677 | #endif | ||
678 | if (!orig_fchdir) | ||
679 | orig_fchdir = (orig_fchdir_t)dlsym(RTLD_NEXT, "fchdir"); | ||
680 | |||
681 | free(cwd); | ||
682 | char *pathname=malloc(PATH_MAX); | ||
683 | if (pathname) { | ||
684 | if (snprintf(pathname,PATH_MAX,"/proc/self/fd/%d", fd)>0) { | ||
685 | cwd = realpath(pathname, NULL); | ||
686 | } else { | ||
687 | cwd = NULL; | ||
688 | fprintf(stderr, "Error: snprintf failed\n"); | ||
689 | } | ||
690 | free(pathname); | ||
691 | } else { | ||
692 | fprintf(stderr, "Error: cannot allocate memory\n"); | ||
693 | cwd = NULL; | ||
694 | } | ||
695 | |||
696 | int rv = orig_fchdir(fd); | ||
697 | return rv; | ||
698 | } | ||
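Review bot: In `storage_find`, the check `snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str) < 3` only catches an output error or a tiny result; when `cwd` plus `str` does not fit in `PATH_MAX` the buffer is silently truncated and the truncated path is handed to `realpath`, so the lookup may run on a different path than the one the program actually opened. Comparing the return value against the buffer size, `int n = snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str); if (n < 0 || n >= PATH_MAX) { free(fullpath); return NULL; }`, rejects the truncated case. The same pattern applies to the `/proc/self/fd/%d` buffer in the new `fchdir`, although that path cannot realistically reach `PATH_MAX`. `storage_find` continues outside the hunk, where `allocated` is presumably set for the `realpath` result.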
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt new file mode 100644 index 000000000..c12bf7731 --- /dev/null +++ b/src/man/firecfg.txt | |||
@@ -0,0 +1,70 @@ | |||
1 | .TH FIRECFG 1 "MONTH YEAR" "VERSION" "firecfg man page" | ||
2 | .SH NAME | ||
3 | Firecfg \- Desktop configuration program for Firejail software. | ||
4 | .SH SYNOPSIS | ||
5 | firecfg [OPTIONS] | ||
6 | .SH DESCRIPTION | ||
7 | Firecfg is the desktop configuration utility for Firejail software. The utility | ||
8 | creates several symbolic links to firejail executable. This allows the user to | ||
9 | sandbox applications automatically, just by clicking on a regular desktop | ||
10 | menus and icons. | ||
11 | |||
12 | The symbolic links are placed in /usr/local/bin. For more information, see | ||
13 | \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. | ||
14 | |||
15 | .SH OPTIONS | ||
16 | .TP | ||
17 | \fB\-\-clean | ||
18 | Remove all firejail symbolic links. | ||
19 | .TP | ||
20 | \fB\-?\fR, \fB\-\-help\fR | ||
21 | Print options end exit. | ||
22 | .TP | ||
23 | \fB\-\-list | ||
24 | List all firejail symbolic links | ||
25 | .TP | ||
26 | \fB\-\-version | ||
27 | Print program version and exit. | ||
28 | |||
29 | |||
30 | .PP | ||
31 | Example: | ||
32 | .br | ||
33 | |||
34 | .br | ||
35 | $ sudo firecfg | ||
36 | .br | ||
37 | /usr/local/bin/firefox created | ||
38 | .br | ||
39 | /usr/local/bin/vlc created | ||
40 | .br | ||
41 | [...] | ||
42 | .br | ||
43 | $ firecfg --list | ||
44 | .br | ||
45 | /usr/local/bin/firefox | ||
46 | .br | ||
47 | /usr/local/bin/vlc | ||
48 | .br | ||
49 | [...] | ||
50 | .br | ||
51 | $ sudo firecfg --clean | ||
52 | .br | ||
53 | /usr/local/bin/firefox removed | ||
54 | .br | ||
55 | /usr/local/bin/vlc removed | ||
56 | .br | ||
57 | [...] | ||
58 | |||
59 | .SH LICENSE | ||
60 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | ||
61 | .PP | ||
62 | Homepage: http://firejail.wordpress.com | ||
63 | .SH SEE ALSO | ||
64 | \&\flfirejail\fR\|(1), | ||
65 | \&\flfiremon\fR\|(1), | ||
66 | \&\flfirejail-profile\fR\|(5), | ||
67 | \&\flfirejail-login\fR\|(5) | ||
68 | \&\flfirejail-config\fR\|(5) | ||
69 | |||
70 | |||
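--- /dev/null
+++ b/src/man/firejail-config.txt
@@ -0,0 +1,109 @@
+.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
+.SH NAME
+firejail.config \- Firejail run time configuration file
+
+.SH DESCRIPTION
+/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
+It allows the system administrator to enable or disable a number of
+features and Linux kernel security technologies used by Firejail sandbox.
+The file contains keyword-argument pairs, one per line.
+Use 'yes' or 'no' as configuration values.
+
+Note that some of these features can also be enabled or disabled at compile
+time. Most features are enabled by default both at compile time and
+at run time.
+
+.TP
+\fBbind
+Enable or disable bind support, default enabled.
+
+.TP
+\fBchroot
+Enable or disable chroot support, default enabled.
+
+.TP
+\fBfile-transfer
+Enable or disable file transfer support, default enabled.
+
+.TP
+\fBforce-nonewprivs
+Force use of nonewprivs. This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control. Default disabled.
+
+.TP
+\fBnetwork
+Enable or disable networking features, default enabled.
+
+.TP
+\fBrestricted-network
+Enable or disable restricted network support, default disabled. If enabled,
+networking features should also be enabled (network yes).
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
+
+.TP
+\fBsecomp
+Enable or disable seccomp support, default enabled.
+
+.TP
+\fBuserns
+Enable or disable user namespace support, default enabled.
+
+.TP
+\fBwhitelist
+Enable or disable whitelisting support, default enabled.
+
+.TP
+\fBx11
+Enable or disable X11 sandboxing support, default enabled.
+
+.TP
+\fBxephyr-screen
+Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+a full list of resolutions available on your specific setup. Examples:
+.br
+
+.br
+xephyr-screen 640x480
+.br
+xephyr-screen 800x600
+.br
+xephyr-screen 1024x768
+.br
+xephyr-screen 1280x1024
+
+.TP
+\fBxephyr-window-title
+Firejail window title in Xephyr, default enabled.
+
+.TP
+\fBxephyr-extra-params
+Xephyr command extra parameters. None by default, and the declaration is commented out. Examples:
+.br
+
+.br
+xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+.br
+xephyr-extra-params -grayscale
+
+.SH COMPILE TIME CONFIGURATION
+Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.
+
+.SH FILES
+/etc/firejail/firejail.config
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: http://firejail.wordpress.com
+.SH SEE ALSO
+\&\flfirejail\fR\|(1),
+\&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
+\&\flfirejail-profile\fR\|(5)
+\&\flfirejail-login\fR\|(5)
+
+
+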
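--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,11 +11,11 @@ a user name followed by the arguments passed to firejail. The format is as follo
 
 Example:
 
-netblue:--debug --net=none
+netblue:--net=none --protocol=unix
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail using adduser or usermod commands:
 
 adduser \-\-shell /usr/bin/firejail username
@@ -32,7 +32,8 @@ Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-
+\&\flfirejail-config\fR\|(5)
 
 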
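--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -122,12 +122,6 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 
 .TP
-\fBread-only file_or_directory
-Make directory or file read-only.
-.TP
-\fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
-.TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
@@ -135,8 +129,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+Create a directory in user home before the sandbox is started.
+The directory is created if it doesn't already exist.
+.br
+
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
 firefox profile:
 .br
 
@@ -153,6 +153,13 @@ mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -176,13 +183,28 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory.
 .TP
+\fBread-only file_or_directory
+Make directory or file read-only.
+.TP
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.TP
+\fBtracelog
+Blacklist violations logged to syslog.
+.TP
 \fBwhitelist file_or_directory
 Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
-\fBtracelog
-Blacklist violations logged to syslog.
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 
@@ -205,10 +227,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter. The default list is as follows:
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,6 +238,12 @@ Enable seccomp filter and blacklist the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl. This ensures that child processes
+cannot acquire new privileges using execve(2); in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
@@ -284,10 +309,88 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+
 .SH Networking
 Networking features available in profile files.
 
 .TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+
+.TP
+\fBdns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+
+.TP
+\fBhostname name
+Set a hostname for the sandbox.
+
+.TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+
+.TP
+\fBiprange address,address
+Assign an IP address in the provided range to the last network
+interface defined by a net command. A default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+
+.br
+net eth0
+.br
+iprange 192.168.1.150,192.168.1.160
+.br
+
+.TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+
+
+
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
 
@@ -296,19 +399,31 @@ If a new network namespace is created, enabled default network filter.
 If a new network namespace is created, enabled the network filter in filename.
 
 .TP
-\fBnet none
-Enable a new, unconnected network namespace. The only interface
-available in the new namespace is a new loopback interface (lo).
-Use this option to deny network access to programs that don't
-really need network access.
+\fBnet bridge_interface
+Enable a new network namespace and connect it to this bridge interface.
+Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
+automatically to the sandbox. The IP address is verified using ARP before assignment. The address
+configured as default gateway is the bridge device IP address. Up to four \-\-net
+bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 
 .TP
-\fBdns address
-Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+\fBnet ethernet_interface
+Enable a new network namespace and connect it
+to this ethernet interface using the standard Linux macvlan
+driver. Unless specified with option \-\-ip and \-\-defaultgw, an
+IP address and a default gateway will be assigned automatically
+to the sandbox. The IP address is verified using ARP before
+assignment. The address configured as default gateway is the
+default gateway of the host. Up to four \-\-net devices can
+be defined. Mixing bridge and macvlan devices is allowed.
+Note: wlan devices are not supported for this option.
 
 .TP
-\fBhostname name
-Set a hostname for the sandbox.
+\fBnet none
+Enable a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use this option to deny network access to programs that don't
+really need network access.
 
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
@@ -351,7 +466,9 @@ Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
 
 
 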
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fead4eaf5..d34cfdb20 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co | |||
50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 50 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
51 | 51 | ||
52 | .SH USAGE | 52 | .SH USAGE |
53 | Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, | 53 | Without any options, the sandbox consists of a filesystem build in a new mount namespace, |
54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. | 54 | and new PID and UTS namespaces. IPC, network and user namespaces can be added using the |
55 | The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. | 55 | command line options. The default Firejail filesystem is based on the host filesystem with the main |
56 | Only /home and /tmp are writable. | 56 | system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, |
57 | /libx32 and /lib64. Only /home and /tmp are writable. | ||
57 | .PP | 58 | .PP |
58 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 59 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
59 | If an appropriate profile is not found, Firejail will use a default profile. | 60 | If an appropriate profile is not found, Firejail will use a default profile. |
60 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 61 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
61 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. | 62 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. |
62 | .PP | 63 | .PP |
63 | If a program argument is not specified, Firejail starts /bin/bash shell. | 64 | If a program argument is not specified, Firejail starts /bin/bash shell. |
64 | Examples: | 65 | Examples: |
@@ -74,6 +75,25 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
74 | \fB\-\- | 75 | \fB\-\- |
75 | Signal the end of options and disables further option processing. | 76 | Signal the end of options and disables further option processing. |
76 | .TP | 77 | .TP |
78 | \fB\-\-appimage | ||
79 | Sandbox an AppImage (http://appimage.org/) application. | ||
80 | .br | ||
81 | |||
82 | .br | ||
83 | Example: | ||
84 | .br | ||
85 | $ firejail --appimage krita-3.0-x86_64.appimage | ||
86 | .br | ||
87 | $ firejail --appimage --private krita-3.0-x86_64.appimage | ||
88 | .br | ||
89 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | ||
90 | .TP | ||
91 | \fB\-\-audit | ||
92 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
93 | .TP | ||
94 | \fB\-\-audit=test-program | ||
95 | Audit the sandbox, see \fBAUDIT\fR section for more details. | ||
96 | .TP | ||
77 | \fB\-\-bandwidth=name|pid | 97 | \fB\-\-bandwidth=name|pid |
78 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 98 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
79 | .TP | 99 | .TP |
@@ -118,7 +138,7 @@ The filter is applied to all processes started in the sandbox. | |||
118 | .br | 138 | .br |
119 | Example: | 139 | Example: |
120 | .br | 140 | .br |
121 | $ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf" | 141 | $ sudo firejail \-\-caps /etc/init.d/nginx start |
122 | 142 | ||
123 | .TP | 143 | .TP |
124 | \fB\-\-caps.drop=all | 144 | \fB\-\-caps.drop=all |
@@ -152,17 +172,10 @@ Example: | |||
152 | .br | 172 | .br |
153 | $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\ | 173 | $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\ |
154 | setuid /etc/init.d/nginx start | 174 | setuid /etc/init.d/nginx start |
155 | .br | ||
156 | 175 | ||
157 | .br | ||
158 | A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories | ||
159 | should be made read-only independently. Making a parent directory read-only, will not | ||
160 | make the whitelist read-only. Example: | ||
161 | .br | ||
162 | $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work | ||
163 | .TP | 176 | .TP |
164 | \fB\-\-caps.print=name | 177 | \fB\-\-caps.print=name|pid |
165 | Print the caps filter for the sandbox identified by name. | 178 | Print the caps filter for the sandbox identified by name or by PID. |
166 | .br | 179 | .br |
167 | 180 | ||
168 | .br | 181 | .br |
@@ -170,13 +183,7 @@ Example: | |||
170 | .br | 183 | .br |
171 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | 184 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & |
172 | .br | 185 | .br |
173 | [...] | ||
174 | .br | ||
175 | $ firejail \-\-caps.print=mygame | 186 | $ firejail \-\-caps.print=mygame |
176 | |||
177 | .TP | ||
178 | \fB\-\-caps.print=pid | ||
179 | Print the caps filter for a sandbox identified by PID. | ||
180 | .br | 187 | .br |
181 | 188 | ||
182 | .br | 189 | .br |
@@ -200,8 +207,10 @@ Example: | |||
200 | 207 | ||
201 | .TP | 208 | .TP |
202 | \fB\-\-chroot=dirname | 209 | \fB\-\-chroot=dirname |
203 | Chroot the sandbox into a root filesystem. If the sandbox is started as a | 210 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
204 | regular user, default seccomp and capabilities filters are enabled. | 211 | the system directories are mounted read-write. If the sandbox is started as a |
212 | regular user, default seccomp and capabilities filters are enabled. This | ||
213 | option is not available on Grsecurity systems. | ||
205 | .br | 214 | .br |
206 | 215 | ||
207 | .br | 216 | .br |
@@ -220,6 +229,28 @@ Example: | |||
220 | $ firejail \-\-cpu=0,1 handbrake | 229 | $ firejail \-\-cpu=0,1 handbrake |
221 | 230 | ||
222 | .TP | 231 | .TP |
232 | \fB\-\-cpu.print=name|pid | ||
233 | Print the CPU cores in use by the sandbox identified by name or by PID. | ||
234 | .br | ||
235 | |||
236 | .br | ||
237 | Example: | ||
238 | .br | ||
239 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | ||
240 | .br | ||
241 | $ firejail \-\-cpu.print=mygame | ||
242 | .br | ||
243 | |||
244 | .br | ||
245 | Example: | ||
246 | .br | ||
247 | $ firejail \-\-list | ||
248 | .br | ||
249 | 3272:netblue:firejail \-\-private firefox | ||
250 | .br | ||
251 | $ firejail \-\-cpu.print=3272 | ||
252 | |||
253 | .TP | ||
223 | \fB\-\-csh | 254 | \fB\-\-csh |
224 | Use /bin/csh as default user shell. | 255 | Use /bin/csh as default user shell. |
225 | .br | 256 | .br |
@@ -326,8 +357,8 @@ Example: | |||
326 | $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox | 357 | $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox |
327 | 358 | ||
328 | .TP | 359 | .TP |
329 | \fB\-\-dns.print=name | 360 | \fB\-\-dns.print=name|pid |
330 | Print DNS configuration for a sandbox identified by name. | 361 | Print DNS configuration for a sandbox identified by name or by PID. |
331 | .br | 362 | .br |
332 | 363 | ||
333 | .br | 364 | .br |
@@ -335,13 +366,7 @@ Example: | |||
335 | .br | 366 | .br |
336 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | 367 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & |
337 | .br | 368 | .br |
338 | [...] | ||
339 | .br | ||
340 | $ firejail \-\-dns.print=mygame | 369 | $ firejail \-\-dns.print=mygame |
341 | |||
342 | .TP | ||
343 | \fB\-\-dns.print=pid | ||
344 | Print DNS configuration for a sandbox identified by PID. | ||
345 | .br | 370 | .br |
346 | 371 | ||
347 | .br | 372 | .br |
@@ -371,8 +396,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb | |||
371 | admin capabilities, SUID binaries, or if it runs seccomp. | 396 | admin capabilities, SUID binaries, or if it runs seccomp. |
372 | 397 | ||
373 | .TP | 398 | .TP |
374 | \fB\-\-fs.print=name | 399 | \fB\-\-fs.print=name|print |
375 | Print the filesystem log for the sandbox identified by name. | 400 | Print the filesystem log for the sandbox identified by name or by PID. |
376 | .br | 401 | .br |
377 | 402 | ||
378 | .br | 403 | .br |
@@ -380,13 +405,7 @@ Example: | |||
380 | .br | 405 | .br |
381 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | 406 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & |
382 | .br | 407 | .br |
383 | [...] | ||
384 | .br | ||
385 | $ firejail \-\-fs.print=mygame | 408 | $ firejail \-\-fs.print=mygame |
386 | |||
387 | .TP | ||
388 | \fB\-\-fs.print=pid | ||
389 | Print the filesystem log for a sandbox identified by PID. | ||
390 | .br | 409 | .br |
391 | 410 | ||
392 | .br | 411 | .br |
@@ -460,6 +479,11 @@ in case you intend to start an external DHCP client in the sandbox. | |||
460 | Example: | 479 | Example: |
461 | .br | 480 | .br |
462 | $ firejail \-\-net=eth0 \-\-\ip=none | 481 | $ firejail \-\-net=eth0 \-\-\ip=none |
482 | .br | ||
483 | |||
484 | .br | ||
485 | If the corresponding interface doesn't have an IP address configured, this | ||
486 | option is enabled by default. | ||
463 | 487 | ||
464 | .TP | 488 | .TP |
465 | \fB\-\-ip6=address | 489 | \fB\-\-ip6=address |
@@ -495,13 +519,12 @@ Example: | |||
495 | .br | 519 | .br |
496 | $ firejail \-\-ipc-namespace firefox | 520 | $ firejail \-\-ipc-namespace firefox |
497 | .TP | 521 | .TP |
498 | \fB\-\-join=name | 522 | \fB\-\-join=name|pid |
499 | Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. | 523 | Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. |
500 | If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user, | 524 | If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user, |
501 | all security filters are configured for the new process the same they are configured in the sandbox. | 525 | all security filters are configured for the new process the same they are configured in the sandbox. |
502 | If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied | 526 | If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied |
503 | to the process joining the sandbox. | 527 | to the process joining the sandbox. |
504 | |||
505 | .br | 528 | .br |
506 | 529 | ||
507 | .br | 530 | .br |
@@ -509,18 +532,7 @@ Example: | |||
509 | .br | 532 | .br |
510 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | 533 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & |
511 | .br | 534 | .br |
512 | [...] | ||
513 | .br | ||
514 | $ firejail \-\-join=mygame | 535 | $ firejail \-\-join=mygame |
515 | |||
516 | |||
517 | .TP | ||
518 | \fB\-\-join=pid | ||
519 | Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox. | ||
520 | If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user, | ||
521 | all security filters are configured for the new process the same they are configured in the sandbox. | ||
522 | If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied | ||
523 | to the process joining the sandbox. | ||
524 | .br | 536 | .br |
525 | 537 | ||
526 | .br | 538 | .br |
@@ -533,37 +545,71 @@ $ firejail \-\-list | |||
533 | $ firejail \-\-join=3272 | 545 | $ firejail \-\-join=3272 |
534 | 546 | ||
535 | .TP | 547 | .TP |
536 | \fB\-\-join-filesystem=name | 548 | \fB\-\-join-filesystem=name|pid |
537 | Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. | 549 | Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. |
538 | If a program is specified, the program is run in the sandbox. This command is available only to root user. | 550 | If a program is specified, the program is run in the sandbox. This command is available only to root user. |
539 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. | 551 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. |
540 | 552 | ||
541 | .TP | 553 | .TP |
542 | \fB\-\-join-filesystem=pid | 554 | \fB\-\-join-network=name|PID |
543 | Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox. | ||
544 | If a program is specified, the program is run in the sandbox. This command is available only to root user. | ||
545 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. | ||
546 | |||
547 | .TP | ||
548 | \fB\-\-join-network=name | ||
549 | Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. | 555 | Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. |
550 | If a program is specified, the program is run in the sandbox. This command is available only to root user. | 556 | If a program is specified, the program is run in the sandbox. This command is available only to root user. |
551 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. | 557 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example: |
558 | .br | ||
552 | 559 | ||
553 | .TP | 560 | .br |
554 | \fB\-\-join-network=pid | 561 | # start firefox |
555 | Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox. | 562 | .br |
556 | If a program is specified, the program is run in the sandbox. This command is available only to root user. | 563 | $ firejail --net=eth0 --name=browser firefox & |
557 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. | 564 | .br |
558 | 565 | ||
566 | .br | ||
567 | # change netfilter configuration | ||
568 | .br | ||
569 | $ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" | ||
570 | .br | ||
559 | 571 | ||
572 | .br | ||
573 | # verify netfilter configuration | ||
574 | .br | ||
575 | $ sudo firejail --join-network=browser "/sbin/iptables -vL" | ||
576 | .br | ||
577 | |||
578 | .br | ||
579 | # verify IP addresses | ||
580 | .br | ||
581 | $ sudo firejail --join-network=browser "ip addr" | ||
582 | .br | ||
583 | Switching to pid 1932, the first child process inside the sandbox | ||
584 | .br | ||
585 | 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default | ||
586 | .br | ||
587 | link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | ||
588 | .br | ||
589 | inet 127.0.0.1/8 scope host lo | ||
590 | .br | ||
591 | valid_lft forever preferred_lft forever | ||
592 | .br | ||
593 | inet6 ::1/128 scope host | ||
594 | .br | ||
595 | valid_lft forever preferred_lft forever | ||
596 | .br | ||
597 | 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default | ||
598 | .br | ||
599 | link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff | ||
600 | .br | ||
601 | inet 192.168.1.158/24 brd 192.168.1.255 scope global eth0-1931 | ||
602 | .br | ||
603 | valid_lft forever preferred_lft forever | ||
604 | .br | ||
605 | inet6 fe80::7458:14ff:fe42:78e4/64 scope link | ||
606 | .br | ||
607 | valid_lft forever preferred_lft forever | ||
560 | 608 | ||
561 | .TP | 609 | .TP |
562 | \fB\-\-ls=name|pid dir_or_filename | 610 | \fB\-\-ls=name|pid dir_or_filename |
563 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. | 611 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. |
564 | 612 | ||
565 | \fB | ||
566 | |||
567 | .TP | 613 | .TP |
568 | \fB\-\-list | 614 | \fB\-\-list |
569 | List all sandboxes, see \fBMONITORING\fR section for more details. | 615 | List all sandboxes, see \fBMONITORING\fR section for more details. |
@@ -771,12 +817,13 @@ PID User RX(KB/s) TX(KB/s) Command | |||
771 | .TP | 817 | .TP |
772 | \fB\-\-nice=value | 818 | \fB\-\-nice=value |
773 | Set nice value for all processes running inside the sandbox. | 819 | Set nice value for all processes running inside the sandbox. |
820 | Only root may specify a negative value. | ||
774 | .br | 821 | .br |
775 | 822 | ||
776 | .br | 823 | .br |
777 | Example: | 824 | Example: |
778 | .br | 825 | .br |
779 | $ firejail --nice=-5 firefox | 826 | $ firejail --nice=2 firefox |
780 | 827 | ||
781 | 828 | ||
782 | .TP | 829 | .TP |
@@ -804,6 +851,21 @@ $ nc dict.org 2628 | |||
804 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 | 851 | 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 |
805 | .br | 852 | .br |
806 | .TP | 853 | .TP |
854 | \fB\-\-noexec=dirname_or_filename | ||
855 | Remount directory or file noexec, nodev and nosuid. | ||
856 | .br | ||
857 | |||
858 | .br | ||
859 | Example: | ||
860 | .br | ||
861 | $ firejail \-\-noexec=/tmp | ||
862 | .br | ||
863 | |||
864 | .br | ||
865 | /etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation | ||
866 | on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox. | ||
867 | |||
868 | .TP | ||
807 | \fB\-\-nogroups | 869 | \fB\-\-nogroups |
808 | Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the | 870 | Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the |
809 | sandbox. For root user supplementary groups are always disabled. | 871 | sandbox. For root user supplementary groups are always disabled. |
@@ -838,7 +900,7 @@ Example: | |||
838 | .br | 900 | .br |
839 | $ firejail | 901 | $ firejail |
840 | .br | 902 | .br |
841 | Reading profile /etc/firejail/generic.profile | 903 | Reading profile /etc/firejail/default.profile |
842 | .br | 904 | .br |
843 | Parent pid 8553, child pid 8554 | 905 | Parent pid 8553, child pid 8554 |
844 | .br | 906 | .br |
@@ -881,6 +943,14 @@ ping: icmp open socket: Operation not permitted | |||
881 | $ | 943 | $ |
882 | 944 | ||
883 | .TP | 945 | .TP |
946 | \fB\-\-nonewprivs | ||
947 | Sets the NO_NEW_PRIVS prctl. This ensures that child processes | ||
948 | cannot acquire new privileges using execve(2); in particular, | ||
949 | this means that calling a suid binary (or one with file capabilities) | ||
950 | does not result in an increase of privilege. This option | ||
951 | is enabled by default if seccomp filter is activated. | ||
952 | |||
953 | .TP | ||
884 | \fB\-\-nosound | 954 | \fB\-\-nosound |
885 | Disable sound system. | 955 | Disable sound system. |
886 | .br | 956 | .br |
@@ -892,7 +962,7 @@ $ firejail \-\-nosound firefox | |||
892 | 962 | ||
893 | .TP | 963 | .TP |
894 | \fB\-\-output=logfile | 964 | \fB\-\-output=logfile |
895 | stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log | 965 | stdout logging and log rotation. Copy stdout and stderr to logfile, and keep the size of the file under 500KB using log |
896 | rotation. Five files with prefixes .1 to .5 are used in rotation. | 966 | rotation. Five files with prefixes .1 to .5 are used in rotation. |
897 | .br | 967 | .br |
898 | 968 | ||
@@ -919,8 +989,9 @@ $ ls -l sandboxlog* | |||
919 | 989 | ||
920 | .TP | 990 | .TP |
921 | \fB\-\-overlay | 991 | \fB\-\-overlay |
922 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. | 992 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
923 | The overlay is stored in $HOME/.firejail directory. | 993 | the system directories are mounted read-write. All filesystem modifications go into the overlay. |
994 | The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. | ||
924 | .br | 995 | .br |
925 | 996 | ||
926 | .br | 997 | .br |
@@ -936,7 +1007,7 @@ $ firejail \-\-overlay firefox | |||
936 | .TP | 1007 | .TP |
937 | \fB\-\-overlay-tmpfs | 1008 | \fB\-\-overlay-tmpfs |
938 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, | 1009 | Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, |
939 | and are discarded when the sandbox is closed. | 1010 | and are discarded when the sandbox is closed. This option is not available on Grsecurity systems. |
940 | .br | 1011 | .br |
941 | 1012 | ||
942 | .br | 1013 | .br |
@@ -973,7 +1044,9 @@ $ firejail \-\-private=/home/netblue/firefox-home firefox | |||
973 | .TP | 1044 | .TP |
974 | \fB\-\-private-bin=file,file | 1045 | \fB\-\-private-bin=file,file |
975 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1046 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
976 | The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. | 1047 | If no listed file is found, /bin directory will be empty. |
1048 | The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. | ||
1049 | All modifications are discarded when the sandbox is closed. | ||
977 | .br | 1050 | .br |
978 | 1051 | ||
979 | .br | 1052 | .br |
@@ -991,7 +1064,7 @@ bash cat ls sed | |||
991 | 1064 | ||
992 | .TP | 1065 | .TP |
993 | \fB\-\-private-dev | 1066 | \fB\-\-private-dev |
994 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. | 1067 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available. |
995 | .br | 1068 | .br |
996 | 1069 | ||
997 | .br | 1070 | .br |
@@ -1005,14 +1078,15 @@ Child process initialized | |||
1005 | .br | 1078 | .br |
1006 | $ ls /dev | 1079 | $ ls /dev |
1007 | .br | 1080 | .br |
1008 | dri full log null ptmx pts random shm tty urandom zero | 1081 | dri full log null ptmx pts random shm snd tty urandom zero |
1009 | .br | 1082 | .br |
1010 | $ | 1083 | $ |
1011 | .TP | 1084 | .TP |
1012 | \fB\-\-private-etc=file,directory | 1085 | \fB\-\-private-etc=file,directory |
1013 | Build a new /etc in a temporary | 1086 | Build a new /etc in a temporary |
1014 | filesystem, and copy the files and directories in the list. | 1087 | filesystem, and copy the files and directories in the list. |
1015 | All modifications are discarded when the sandbox is closed. | 1088 | If no listed file is found, /etc directory will be empty. |
1089 | All modifications are discarded when the sandbox is closed. | ||
1016 | .br | 1090 | .br |
1017 | 1091 | ||
1018 | .br | 1092 | .br |
@@ -1068,8 +1142,8 @@ Example: | |||
1068 | .br | 1142 | .br |
1069 | $ firejail \-\-protocol=unix,inet,inet6 firefox | 1143 | $ firejail \-\-protocol=unix,inet,inet6 firefox |
1070 | .TP | 1144 | .TP |
1071 | \fB\-\-protocol.print=name | 1145 | \fB\-\-protocol.print=name|pid |
1072 | Print the protocol filter for the sandbox identified by name. | 1146 | Print the protocol filter for the sandbox identified by name or PID. |
1073 | .br | 1147 | .br |
1074 | 1148 | ||
1075 | .br | 1149 | .br |
@@ -1077,15 +1151,9 @@ Example: | |||
1077 | .br | 1151 | .br |
1078 | $ firejail \-\-name=mybrowser firefox & | 1152 | $ firejail \-\-name=mybrowser firefox & |
1079 | .br | 1153 | .br |
1080 | [...] | ||
1081 | .br | ||
1082 | $ firejail \-\-protocol.print=mybrowser | 1154 | $ firejail \-\-protocol.print=mybrowser |
1083 | .br | 1155 | .br |
1084 | unix,inet,inet6,netlink | 1156 | unix,inet,inet6,netlink |
1085 | |||
1086 | .TP | ||
1087 | \fB\-\-protocol.print=pid | ||
1088 | Print the protocol filter for a sandbox identified by PID. | ||
1089 | .br | 1157 | .br |
1090 | 1158 | ||
1091 | .br | 1159 | .br |
@@ -1110,6 +1178,31 @@ Set directory or file read-only. | |||
1110 | Example: | 1178 | Example: |
1111 | .br | 1179 | .br |
1112 | $ firejail \-\-read-only=~/.mozilla firefox | 1180 | $ firejail \-\-read-only=~/.mozilla firefox |
1181 | .br | ||
1182 | |||
1183 | .br | ||
1184 | A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories | ||
1185 | should be made read-only independently. Making a parent directory read-only, will not | ||
1186 | make the whitelist read-only. Example: | ||
1187 | .br | ||
1188 | |||
1189 | .br | ||
1190 | $ firejail --whitelist=~/work --read-only=~ --read-only=~/work | ||
1191 | |||
1192 | .TP | ||
1193 | \fB\-\-read-write=dirname_or_filename | ||
1194 | Set directory or file read-write. Only files or directories belonging to the current user are allowed for | ||
1195 | this operation. Example: | ||
1196 | .br | ||
1197 | |||
1198 | .br | ||
1199 | $ mkdir ~/test | ||
1200 | .br | ||
1201 | $ touch ~/test/a | ||
1202 | .br | ||
1203 | $ firejail --read-only=~/test --read-write=~/test/a | ||
1204 | |||
1205 | |||
1113 | .TP | 1206 | .TP |
1114 | \fB\-\-rlimit-fsize=number | 1207 | \fB\-\-rlimit-fsize=number |
1115 | Set the maximum file size that can be created by a process. | 1208 | Set the maximum file size that can be created by a process. |
@@ -1122,6 +1215,17 @@ Set the maximum number of processes that can be created for the real user ID of | |||
1122 | .TP | 1215 | .TP |
1123 | \fB\-\-rlimit-sigpending=number | 1216 | \fB\-\-rlimit-sigpending=number |
1124 | Set the maximum number of pending signals for a process. | 1217 | Set the maximum number of pending signals for a process. |
1218 | |||
1219 | .TP | ||
1220 | \fB\-\-rmenv=name | ||
1221 | Remove environment variable in the new sandbox. | ||
1222 | .br | ||
1223 | |||
1224 | .br | ||
1225 | Example: | ||
1226 | .br | ||
1227 | $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS | ||
1228 | |||
1125 | .TP | 1229 | .TP |
1126 | \fB\-\-scan | 1230 | \fB\-\-scan |
1127 | ARP-scan all the networks from inside a network namespace. | 1231 | ARP-scan all the networks from inside a network namespace. |
@@ -1135,13 +1239,13 @@ $ firejail \-\-net=eth0 \-\-scan | |||
1135 | .TP | 1239 | .TP |
1136 | \fB\-\-seccomp | 1240 | \fB\-\-seccomp |
1137 | Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: | 1241 | Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: |
1138 | mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, | 1242 | mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, |
1139 | iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, | 1243 | iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, |
1140 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, | 1244 | sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, |
1141 | add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, | 1245 | add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, |
1142 | io_destroy, io_getevents, io_submit, io_cancel, | 1246 | io_destroy, io_getevents, io_submit, io_cancel, |
1143 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, | 1247 | remap_file_pages, mbind, get_mempolicy, set_mempolicy, |
1144 | migrate_pages, move_pages, vmsplice, perf_event_open, chroot, | 1248 | migrate_pages, move_pages, vmsplice, chroot, |
1145 | tuxcall, reboot, mfsservctl and get_kernel_syms. | 1249 | tuxcall, reboot, mfsservctl and get_kernel_syms. |
1146 | .br | 1250 | .br |
1147 | 1251 | ||
@@ -1205,8 +1309,8 @@ $ rm testfile | |||
1205 | rm: cannot remove `testfile': Operation not permitted | 1309 | rm: cannot remove `testfile': Operation not permitted |
1206 | 1310 | ||
1207 | .TP | 1311 | .TP |
1208 | \fB\-\-seccomp.print=name | 1312 | \fB\-\-seccomp.print=name|PID |
1209 | Print the seccomp filter for the sandbox started using \-\-name option. | 1313 | Print the seccomp filter for the sandbox identified by name or PID. |
1210 | .br | 1314 | .br |
1211 | 1315 | ||
1212 | .br | 1316 | .br |
@@ -1270,72 +1374,6 @@ SECCOMP Filter: | |||
1270 | .br | 1374 | .br |
1271 | $ | 1375 | $ |
1272 | .TP | 1376 | .TP |
1273 | \fB\-\-seccomp.print=pid | ||
1274 | Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes. | ||
1275 | .br | ||
1276 | |||
1277 | .br | ||
1278 | Example: | ||
1279 | .br | ||
1280 | $ firejail \-\-list | ||
1281 | .br | ||
1282 | 10786:netblue:firejail \-\-name=browser firefox | ||
1283 | $ firejail \-\-seccomp.print=10786 | ||
1284 | .br | ||
1285 | SECCOMP Filter: | ||
1286 | .br | ||
1287 | VALIDATE_ARCHITECTURE | ||
1288 | .br | ||
1289 | EXAMINE_SYSCAL | ||
1290 | .br | ||
1291 | BLACKLIST 165 mount | ||
1292 | .br | ||
1293 | BLACKLIST 166 umount2 | ||
1294 | .br | ||
1295 | BLACKLIST 101 ptrace | ||
1296 | .br | ||
1297 | BLACKLIST 246 kexec_load | ||
1298 | .br | ||
1299 | BLACKLIST 304 open_by_handle_at | ||
1300 | .br | ||
1301 | BLACKLIST 175 init_module | ||
1302 | .br | ||
1303 | BLACKLIST 176 delete_module | ||
1304 | .br | ||
1305 | BLACKLIST 172 iopl | ||
1306 | .br | ||
1307 | BLACKLIST 173 ioperm | ||
1308 | .br | ||
1309 | BLACKLIST 167 swapon | ||
1310 | .br | ||
1311 | BLACKLIST 168 swapoff | ||
1312 | .br | ||
1313 | BLACKLIST 103 syslog | ||
1314 | .br | ||
1315 | BLACKLIST 310 process_vm_readv | ||
1316 | .br | ||
1317 | BLACKLIST 311 process_vm_writev | ||
1318 | .br | ||
1319 | BLACKLIST 133 mknod | ||
1320 | .br | ||
1321 | BLACKLIST 139 sysfs | ||
1322 | .br | ||
1323 | BLACKLIST 156 _sysctl | ||
1324 | .br | ||
1325 | BLACKLIST 159 adjtimex | ||
1326 | .br | ||
1327 | BLACKLIST 305 clock_adjtime | ||
1328 | .br | ||
1329 | BLACKLIST 212 lookup_dcookie | ||
1330 | .br | ||
1331 | BLACKLIST 298 perf_event_open | ||
1332 | .br | ||
1333 | BLACKLIST 300 fanotify_init | ||
1334 | .br | ||
1335 | RETURN_ALLOW | ||
1336 | .br | ||
1337 | $ | ||
1338 | .TP | ||
1339 | \fB\-\-shell=none | 1377 | \fB\-\-shell=none |
1340 | Run the program directly, without a user shell. | 1378 | Run the program directly, without a user shell. |
1341 | .br | 1379 | .br |
@@ -1356,8 +1394,8 @@ shell. | |||
1356 | Example: | 1394 | Example: |
1357 | $firejail \-\-shell=/bin/dash script.sh | 1395 | $firejail \-\-shell=/bin/dash script.sh |
1358 | .TP | 1396 | .TP |
1359 | \fB\-\-shutdown=name | 1397 | \fB\-\-shutdown=name|PID |
1360 | Shutdown the sandbox started using \-\-name option. | 1398 | Shutdown the sandbox identified by name or PID. |
1361 | .br | 1399 | .br |
1362 | 1400 | ||
1363 | .br | 1401 | .br |
@@ -1365,12 +1403,7 @@ Example: | |||
1365 | .br | 1403 | .br |
1366 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & | 1404 | $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 & |
1367 | .br | 1405 | .br |
1368 | [...] | ||
1369 | .br | ||
1370 | $ firejail \-\-shutdown=mygame | 1406 | $ firejail \-\-shutdown=mygame |
1371 | .TP | ||
1372 | \fB\-\-shutdown=pid | ||
1373 | Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes. | ||
1374 | .br | 1407 | .br |
1375 | 1408 | ||
1376 | .br | 1409 | .br |
@@ -1475,15 +1508,7 @@ $ firejail \-\-tree | |||
1475 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk | 1508 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk |
1476 | .br | 1509 | .br |
1477 | 11970:netblue:transmission-gtk | 1510 | 11970:netblue:transmission-gtk |
1478 | .TP | ||
1479 | \fB\-\-user=new-user | ||
1480 | Switch the user before starting the sandbox. This command should be run as root. | ||
1481 | .br | ||
1482 | 1511 | ||
1483 | .br | ||
1484 | Example: | ||
1485 | .br | ||
1486 | # firejail \-\-user=www-data | ||
1487 | .TP | 1512 | .TP |
1488 | \fB\-\-version | 1513 | \fB\-\-version |
1489 | Print program version and exit. | 1514 | Print program version and exit. |
@@ -1498,25 +1523,51 @@ firejail version 0.9.27 | |||
1498 | .TP | 1523 | .TP |
1499 | \fB\-\-whitelist=dirname_or_filename | 1524 | \fB\-\-whitelist=dirname_or_filename |
1500 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1525 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1501 | When whitlisting symbolic links, both the link and the real file should be in the same top directory | 1526 | With the exception of user home, both the link and the real file should be in |
1502 | (home user, /media, /var etc.) | 1527 | the same top directory. For /home, both the link and the real file should be owned by the user. |
1503 | .br | 1528 | .br |
1504 | 1529 | ||
1505 | .br | 1530 | .br |
1506 | Example: | 1531 | Example: |
1507 | .br | 1532 | .br |
1508 | $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads | 1533 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
1509 | .br | 1534 | .br |
1510 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 1535 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null |
1511 | .br | 1536 | .br |
1512 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | 1537 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" |
1513 | 1538 | ||
1514 | .TP | 1539 | .TP |
1540 | \fB\-\-writable-etc | ||
1541 | Mount /etc directory read-write. | ||
1542 | .br | ||
1543 | |||
1544 | .br | ||
1545 | Example: | ||
1546 | .br | ||
1547 | $ sudo firejail --writable-etc | ||
1548 | |||
1549 | .TP | ||
1550 | \fB\-\-writable-var | ||
1551 | Mount /var directory read-write. | ||
1552 | .br | ||
1553 | |||
1554 | .br | ||
1555 | Example: | ||
1556 | .br | ||
1557 | $ sudo firejail --writable-var | ||
1558 | |||
1559 | |||
1560 | .TP | ||
1515 | \fB\-\-x11 | 1561 | \fB\-\-x11 |
1516 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | 1562 | Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. |
1517 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
1518 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger | 1563 | The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger |
1519 | applications started in the sandbox from accessing display 0. | 1564 | applications started in the sandbox from accessing other X11 displays. |
1565 | A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. | ||
1566 | .br | ||
1567 | |||
1568 | .br | ||
1569 | Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. | ||
1570 | This feature is not available when running as root. | ||
1520 | .br | 1571 | .br |
1521 | 1572 | ||
1522 | .br | 1573 | .br |
@@ -1525,6 +1576,40 @@ Example: | |||
1525 | $ firejail \-\-x11 --net=eth0 firefox | 1576 | $ firejail \-\-x11 --net=eth0 firefox |
1526 | 1577 | ||
1527 | .TP | 1578 | .TP |
1579 | \fB\-\-x11=xpra | ||
1580 | Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. | ||
1581 | Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. | ||
1582 | On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. | ||
1583 | This feature is not available when running as root. | ||
1584 | .br | ||
1585 | |||
1586 | .br | ||
1587 | Example: | ||
1588 | .br | ||
1589 | $ firejail \-\-x11=xpra --net=eth0 firefox | ||
1590 | |||
1591 | .TP | ||
1592 | \fB\-\-x11=xephyr | ||
1593 | Start a new X11 server using Xephyr and attach the sandbox to this server. | ||
1594 | Xephyr is a display server implementing the X11 display server protocol. | ||
1595 | It runs in a window just like other X applications, but it is an X server itself in which you can run other software. | ||
1596 | The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, | ||
1597 | see \fBman 5 firejail-config\fR for more details. | ||
1598 | .br | ||
1599 | |||
1600 | .br | ||
1601 | The recommended way to use this feature is to run a window manager inside the sandbox. | ||
1602 | A security profile for OpenBox is provided. | ||
1603 | On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. | ||
1604 | This feature is not available when running as root. | ||
1605 | .br | ||
1606 | |||
1607 | .br | ||
1608 | Example: | ||
1609 | .br | ||
1610 | $ firejail \-\-x11=xephyr --net=eth0 openbox | ||
1611 | |||
1612 | .TP | ||
1528 | \fB\-\-zsh | 1613 | \fB\-\-zsh |
1529 | Use /usr/bin/zsh as default user shell. | 1614 | Use /usr/bin/zsh as default user shell. |
1530 | .br | 1615 | .br |
@@ -1534,30 +1619,71 @@ Example: | |||
1534 | .br | 1619 | .br |
1535 | $ firejail \-\-zsh | 1620 | $ firejail \-\-zsh |
1536 | 1621 | ||
1537 | .SH FILE TRANSFER | 1622 | .SH DESKTOP INTEGRATION |
1538 | These features allow the user to inspect the file system container of an existing sandbox | 1623 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
1539 | and transfer files from the container to the host file system. | 1624 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
1625 | is /usr/local/bin directory. Example: | ||
1626 | .PP | ||
1627 | .RS | ||
1628 | .br | ||
1540 | 1629 | ||
1541 | .TP | 1630 | .br |
1542 | \fB\-\-get=name filename | 1631 | Make a firefox symlink to /usr/bin/firejail: |
1543 | Retrieve the container file and store it on the host in the current working directory. | 1632 | .br |
1544 | The container is spececified by name (\-\-name option). Full path is needed for filename. | ||
1545 | 1633 | ||
1546 | .TP | 1634 | .br |
1547 | \fB\-\-get=pid filename | 1635 | $ ln -s /usr/bin/firejail /usr/local/bin/firefox |
1548 | Retrieve the container file and store it on the host in the current working directory. | 1636 | .br |
1549 | The container is spececified by process ID. Full path is needed for filename. | 1637 | |
1638 | .br | ||
1639 | Verify $PATH | ||
1640 | .br | ||
1641 | |||
1642 | .br | ||
1643 | $ which -a firefox | ||
1644 | .br | ||
1645 | /usr/local/bin/firefox | ||
1646 | .br | ||
1647 | /usr/bin/firefox | ||
1648 | .br | ||
1649 | |||
1650 | .br | ||
1651 | Starting firefox in this moment, automatically invokes “firejail firefox”. | ||
1652 | .RE | ||
1653 | .br | ||
1654 | |||
1655 | .br | ||
1656 | This works for clicking on desktop environment icons, menus etc. Use "firejail --tree" | ||
1657 | to verify the program is sandboxed. | ||
1658 | .PP | ||
1659 | .RS | ||
1660 | .br | ||
1661 | |||
1662 | .br | ||
1663 | .br | ||
1664 | $ firejail --tree | ||
1665 | .br | ||
1666 | 1189:netblue:firejail firefox | ||
1667 | .br | ||
1668 | 1190:netblue:firejail firefox | ||
1669 | .br | ||
1670 | 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox" | ||
1671 | .br | ||
1672 | 1221:netblue:/usr/lib/firefox/firefox | ||
1673 | .RE | ||
1674 | |||
1675 | .SH FILE TRANSFER | ||
1676 | These features allow the user to inspect the filesystem container of an existing sandbox | ||
1677 | and transfer files from the container to the host filesystem. | ||
1550 | 1678 | ||
1551 | .TP | 1679 | .TP |
1552 | \fB\-\-ls=name dir_or_filename | 1680 | \fB\-\-get=name|pid filename |
1553 | List container files. | 1681 | Retrieve the container file and store it on the host in the current working directory. |
1554 | The container is spececified by name (\-\-name option). | 1682 | The container is specified by name or PID. Full path is needed for filename. |
1555 | Full path is needed for dir_or_filename. | ||
1556 | 1683 | ||
1557 | .TP | 1684 | .TP |
1558 | \fB\-\-ls=pid dir_or_filename | 1685 | \fB\-\-ls=name|pid dir_or_filename |
1559 | List container files. | 1686 | List container files. The container is specified by name or PID. |
1560 | The container is spececified by process ID. | ||
1561 | Full path is needed for dir_or_filename. | 1687 | Full path is needed for dir_or_filename. |
1562 | 1688 | ||
1563 | .TP | 1689 | .TP |
@@ -1596,15 +1722,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured | |||
1596 | 1722 | ||
1597 | Set rate-limits: | 1723 | Set rate-limits: |
1598 | 1724 | ||
1599 | firejail --bandwidth={name|pid} set network download upload | 1725 | $ firejail --bandwidth=name|pid set network download upload |
1600 | 1726 | ||
1601 | Clear rate-limits: | 1727 | Clear rate-limits: |
1602 | 1728 | ||
1603 | firejail --bandwidth={name|pid} clear network | 1729 | $ firejail --bandwidth=name|pid clear network |
1604 | 1730 | ||
1605 | Status: | 1731 | Status: |
1606 | 1732 | ||
1607 | firejail --bandwidth={name|pid} status | 1733 | $ firejail --bandwidth=name|pid status |
1608 | 1734 | ||
1609 | where: | 1735 | where: |
1610 | .br | 1736 | .br |
@@ -1628,6 +1754,26 @@ Example: | |||
1628 | .br | 1754 | .br |
1629 | $ firejail \-\-bandwidth=mybrowser clear eth0 | 1755 | $ firejail \-\-bandwidth=mybrowser clear eth0 |
1630 | 1756 | ||
1757 | .SH AUDIT | ||
1758 | Audit feature allows the user to point out gaps in security profiles. The | ||
1759 | implementation replaces the program to be sandboxed with a test program. By | ||
1760 | default, we use faudit program distributed with Firejail. A custom test program | ||
1761 | can also be supplied by the user. Examples: | ||
1762 | |||
1763 | Running the default audit program: | ||
1764 | .br | ||
1765 | $ firejail --audit transmission-gtk | ||
1766 | |||
1767 | Running a custom audit program: | ||
1768 | .br | ||
1769 | $ firejail --audit=~/sandbox-test transmission-gtk | ||
1770 | |||
1771 | In the examples above, the sandbox configures transmission-gtk profile and | ||
1772 | starts the test program. The real program, transmission-gtk, will not be | ||
1773 | started. | ||
1774 | |||
1775 | Limitations: audit feature is not implemented for --x11 commands. | ||
1776 | |||
1631 | .SH MONITORING | 1777 | .SH MONITORING |
1632 | Option \-\-list prints a list of all sandboxes. The format | 1778 | Option \-\-list prints a list of all sandboxes. The format |
1633 | for each process entry is as follows: | 1779 | for each process entry is as follows: |
@@ -1721,7 +1867,7 @@ To disable default profile loading, use --noprofile command option. Example: | |||
1721 | .RS | 1867 | .RS |
1722 | $ firejail | 1868 | $ firejail |
1723 | .br | 1869 | .br |
1724 | Reading profile /etc/firejail/generic.profile | 1870 | Reading profile /etc/firejail/default.profile |
1725 | .br | 1871 | .br |
1726 | Parent pid 8553, child pid 8554 | 1872 | Parent pid 8553, child pid 8554 |
1727 | .br | 1873 | .br |
@@ -1744,7 +1890,7 @@ See man 5 firejail-profile for profile file syntax information. | |||
1744 | 1890 | ||
1745 | .SH RESTRICTED SHELL | 1891 | .SH RESTRICTED SHELL |
1746 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 1892 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
1747 | /etc/password file for each user that needs to be restricted. Alternatively, | 1893 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
1748 | you can specify /usr/bin/firejail in adduser command: | 1894 | you can specify /usr/bin/firejail in adduser command: |
1749 | 1895 | ||
1750 | adduser \-\-shell /usr/bin/firejail username | 1896 | adduser \-\-shell /usr/bin/firejail username |
@@ -1785,8 +1931,10 @@ This program is free software; you can redistribute it and/or modify it under th | |||
1785 | Homepage: http://firejail.wordpress.com | 1931 | Homepage: http://firejail.wordpress.com |
1786 | .SH SEE ALSO | 1932 | .SH SEE ALSO |
1787 | \&\flfiremon\fR\|(1), | 1933 | \&\flfiremon\fR\|(1), |
1934 | \&\flfirecfg\fR\|(1), | ||
1788 | \&\flfirejail-profile\fR\|(5), | 1935 | \&\flfirejail-profile\fR\|(5), |
1789 | \&\flfirejail-login\fR\|(5) | 1936 | \&\flfirejail-login\fR\|(5) |
1937 | \&\flfirejail-config\fR\|(5) | ||
1790 | 1938 | ||
1791 | 1939 | ||
1792 | 1940 | ||
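diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 88b2ce59f..ef99b0927 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -6,7 +6,8 @@ firemon [OPTIONS] [PID]
 .SH DESCRIPTION
 Firemon monitors programs started in a Firejail sandbox.
 Without a PID specified, all processes started by Firejail are monitored. Descendants of
-these processes are also being monitored.
+these processes are also being monitored. On Grsecurity systems only root user
+can run this program.
 .SH OPTIONS
 .TP
 \fB\-\-arp
@@ -105,7 +106,9 @@ This program is free software; you can redistribute it and/or modify it under th
 Homepage: http://firejail.wordpress.com
 .SH SEE ALSO
 \&\flfirejail\fR\|(1),
+\&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
+\&\flfirejail-config\fR\|(5)
 
 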
diff --git a/src/tools/config-4.4.0-1-grsec-amd64 b/src/tools/config-4.4.0-1-grsec-amd64 new file mode 100644 index 000000000..82215c460 --- /dev/null +++ b/src/tools/config-4.4.0-1-grsec-amd64 | |||
@@ -0,0 +1,7430 @@ | |||
1 | # | ||
2 | # Automatically generated file; DO NOT EDIT. | ||
3 | # Linux/x86 4.4.6 Kernel Configuration | ||
4 | # | ||
5 | CONFIG_64BIT=y | ||
6 | CONFIG_X86_64=y | ||
7 | CONFIG_X86=y | ||
8 | CONFIG_INSTRUCTION_DECODER=y | ||
9 | CONFIG_PERF_EVENTS_INTEL_UNCORE=y | ||
10 | CONFIG_OUTPUT_FORMAT="elf64-x86-64" | ||
11 | CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" | ||
12 | CONFIG_LOCKDEP_SUPPORT=y | ||
13 | CONFIG_STACKTRACE_SUPPORT=y | ||
14 | CONFIG_HAVE_LATENCYTOP_SUPPORT=y | ||
15 | CONFIG_MMU=y | ||
16 | CONFIG_NEED_DMA_MAP_STATE=y | ||
17 | CONFIG_NEED_SG_DMA_LENGTH=y | ||
18 | CONFIG_GENERIC_ISA_DMA=y | ||
19 | CONFIG_GENERIC_BUG=y | ||
20 | CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y | ||
21 | CONFIG_GENERIC_HWEIGHT=y | ||
22 | CONFIG_ARCH_MAY_HAVE_PC_FDC=y | ||
23 | CONFIG_RWSEM_XCHGADD_ALGORITHM=y | ||
24 | CONFIG_GENERIC_CALIBRATE_DELAY=y | ||
25 | CONFIG_ARCH_HAS_CPU_RELAX=y | ||
26 | CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y | ||
27 | CONFIG_HAVE_SETUP_PER_CPU_AREA=y | ||
28 | CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y | ||
29 | CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y | ||
30 | CONFIG_ARCH_HIBERNATION_POSSIBLE=y | ||
31 | CONFIG_ARCH_SUSPEND_POSSIBLE=y | ||
32 | CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y | ||
33 | CONFIG_ARCH_WANT_GENERAL_HUGETLB=y | ||
34 | CONFIG_ZONE_DMA32=y | ||
35 | CONFIG_AUDIT_ARCH=y | ||
36 | CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y | ||
37 | CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y | ||
38 | CONFIG_HAVE_INTEL_TXT=y | ||
39 | CONFIG_X86_64_SMP=y | ||
40 | CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" | ||
41 | CONFIG_ARCH_SUPPORTS_UPROBES=y | ||
42 | CONFIG_FIX_EARLYCON_MEM=y | ||
43 | CONFIG_PGTABLE_LEVELS=4 | ||
44 | CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" | ||
45 | CONFIG_IRQ_WORK=y | ||
46 | CONFIG_BUILDTIME_EXTABLE_SORT=y | ||
47 | |||
48 | # | ||
49 | # General setup | ||
50 | # | ||
51 | CONFIG_INIT_ENV_ARG_LIMIT=32 | ||
52 | CONFIG_CROSS_COMPILE="" | ||
53 | # CONFIG_COMPILE_TEST is not set | ||
54 | CONFIG_LOCALVERSION="" | ||
55 | # CONFIG_LOCALVERSION_AUTO is not set | ||
56 | CONFIG_HAVE_KERNEL_GZIP=y | ||
57 | CONFIG_HAVE_KERNEL_BZIP2=y | ||
58 | CONFIG_HAVE_KERNEL_LZMA=y | ||
59 | CONFIG_HAVE_KERNEL_XZ=y | ||
60 | CONFIG_HAVE_KERNEL_LZO=y | ||
61 | CONFIG_HAVE_KERNEL_LZ4=y | ||
62 | # CONFIG_KERNEL_GZIP is not set | ||
63 | # CONFIG_KERNEL_BZIP2 is not set | ||
64 | # CONFIG_KERNEL_LZMA is not set | ||
65 | CONFIG_KERNEL_XZ=y | ||
66 | # CONFIG_KERNEL_LZO is not set | ||
67 | # CONFIG_KERNEL_LZ4 is not set | ||
68 | CONFIG_DEFAULT_HOSTNAME="(none)" | ||
69 | CONFIG_SWAP=y | ||
70 | CONFIG_SYSVIPC=y | ||
71 | CONFIG_SYSVIPC_SYSCTL=y | ||
72 | CONFIG_POSIX_MQUEUE=y | ||
73 | CONFIG_POSIX_MQUEUE_SYSCTL=y | ||
74 | CONFIG_CROSS_MEMORY_ATTACH=y | ||
75 | CONFIG_FHANDLE=y | ||
76 | CONFIG_AUDIT=y | ||
77 | CONFIG_HAVE_ARCH_AUDITSYSCALL=y | ||
78 | CONFIG_AUDITSYSCALL=y | ||
79 | CONFIG_AUDIT_WATCH=y | ||
80 | CONFIG_AUDIT_TREE=y | ||
81 | |||
82 | # | ||
83 | # IRQ subsystem | ||
84 | # | ||
85 | CONFIG_GENERIC_IRQ_PROBE=y | ||
86 | CONFIG_GENERIC_IRQ_SHOW=y | ||
87 | CONFIG_GENERIC_PENDING_IRQ=y | ||
88 | CONFIG_GENERIC_IRQ_CHIP=y | ||
89 | CONFIG_IRQ_DOMAIN=y | ||
90 | CONFIG_IRQ_DOMAIN_HIERARCHY=y | ||
91 | CONFIG_GENERIC_MSI_IRQ=y | ||
92 | CONFIG_GENERIC_MSI_IRQ_DOMAIN=y | ||
93 | CONFIG_IRQ_FORCED_THREADING=y | ||
94 | CONFIG_SPARSE_IRQ=y | ||
95 | CONFIG_CLOCKSOURCE_WATCHDOG=y | ||
96 | CONFIG_ARCH_CLOCKSOURCE_DATA=y | ||
97 | CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y | ||
98 | CONFIG_GENERIC_TIME_VSYSCALL=y | ||
99 | CONFIG_GENERIC_CLOCKEVENTS=y | ||
100 | CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y | ||
101 | CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y | ||
102 | CONFIG_GENERIC_CMOS_UPDATE=y | ||
103 | |||
104 | # | ||
105 | # Timers subsystem | ||
106 | # | ||
107 | CONFIG_TICK_ONESHOT=y | ||
108 | CONFIG_NO_HZ_COMMON=y | ||
109 | # CONFIG_HZ_PERIODIC is not set | ||
110 | CONFIG_NO_HZ_IDLE=y | ||
111 | # CONFIG_NO_HZ_FULL is not set | ||
112 | # CONFIG_NO_HZ is not set | ||
113 | CONFIG_HIGH_RES_TIMERS=y | ||
114 | |||
115 | # | ||
116 | # CPU/Task time and stats accounting | ||
117 | # | ||
118 | CONFIG_TICK_CPU_ACCOUNTING=y | ||
119 | # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set | ||
120 | # CONFIG_IRQ_TIME_ACCOUNTING is not set | ||
121 | CONFIG_BSD_PROCESS_ACCT=y | ||
122 | CONFIG_BSD_PROCESS_ACCT_V3=y | ||
123 | CONFIG_TASKSTATS=y | ||
124 | CONFIG_TASK_DELAY_ACCT=y | ||
125 | CONFIG_TASK_XACCT=y | ||
126 | CONFIG_TASK_IO_ACCOUNTING=y | ||
127 | |||
128 | # | ||
129 | # RCU Subsystem | ||
130 | # | ||
131 | CONFIG_TREE_RCU=y | ||
132 | # CONFIG_RCU_EXPERT is not set | ||
133 | CONFIG_SRCU=y | ||
134 | # CONFIG_TASKS_RCU is not set | ||
135 | CONFIG_RCU_STALL_COMMON=y | ||
136 | # CONFIG_RCU_EXPEDITE_BOOT is not set | ||
137 | CONFIG_BUILD_BIN2C=y | ||
138 | # CONFIG_IKCONFIG is not set | ||
139 | CONFIG_LOG_BUF_SHIFT=17 | ||
140 | CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 | ||
141 | CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y | ||
142 | CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y | ||
143 | CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y | ||
144 | CONFIG_NUMA_BALANCING=y | ||
145 | # CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set | ||
146 | CONFIG_CGROUPS=y | ||
147 | # CONFIG_CGROUP_DEBUG is not set | ||
148 | CONFIG_CGROUP_FREEZER=y | ||
149 | CONFIG_CGROUP_PIDS=y | ||
150 | CONFIG_CGROUP_DEVICE=y | ||
151 | CONFIG_CPUSETS=y | ||
152 | CONFIG_PROC_PID_CPUSET=y | ||
153 | CONFIG_CGROUP_CPUACCT=y | ||
154 | CONFIG_PAGE_COUNTER=y | ||
155 | CONFIG_MEMCG=y | ||
156 | CONFIG_MEMCG_DISABLED=y | ||
157 | CONFIG_MEMCG_SWAP=y | ||
158 | # CONFIG_MEMCG_SWAP_ENABLED is not set | ||
159 | # CONFIG_MEMCG_KMEM is not set | ||
160 | # CONFIG_CGROUP_HUGETLB is not set | ||
161 | CONFIG_CGROUP_PERF=y | ||
162 | CONFIG_CGROUP_SCHED=y | ||
163 | CONFIG_FAIR_GROUP_SCHED=y | ||
164 | CONFIG_CFS_BANDWIDTH=y | ||
165 | # CONFIG_RT_GROUP_SCHED is not set | ||
166 | CONFIG_BLK_CGROUP=y | ||
167 | # CONFIG_DEBUG_BLK_CGROUP is not set | ||
168 | CONFIG_CGROUP_WRITEBACK=y | ||
169 | CONFIG_NAMESPACES=y | ||
170 | CONFIG_UTS_NS=y | ||
171 | CONFIG_IPC_NS=y | ||
172 | CONFIG_USER_NS=y | ||
173 | CONFIG_PID_NS=y | ||
174 | CONFIG_NET_NS=y | ||
175 | CONFIG_SCHED_AUTOGROUP=y | ||
176 | # CONFIG_SYSFS_DEPRECATED is not set | ||
177 | CONFIG_RELAY=y | ||
178 | CONFIG_BLK_DEV_INITRD=y | ||
179 | CONFIG_INITRAMFS_SOURCE="" | ||
180 | CONFIG_RD_GZIP=y | ||
181 | CONFIG_RD_BZIP2=y | ||
182 | CONFIG_RD_LZMA=y | ||
183 | CONFIG_RD_XZ=y | ||
184 | CONFIG_RD_LZO=y | ||
185 | CONFIG_RD_LZ4=y | ||
186 | # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set | ||
187 | CONFIG_SYSCTL=y | ||
188 | CONFIG_ANON_INODES=y | ||
189 | CONFIG_HAVE_UID16=y | ||
190 | CONFIG_SYSCTL_EXCEPTION_TRACE=y | ||
191 | CONFIG_HAVE_PCSPKR_PLATFORM=y | ||
192 | CONFIG_BPF=y | ||
193 | CONFIG_EXPERT=y | ||
194 | CONFIG_UID16=y | ||
195 | CONFIG_MULTIUSER=y | ||
196 | CONFIG_SGETMASK_SYSCALL=y | ||
197 | CONFIG_SYSFS_SYSCALL=y | ||
198 | # CONFIG_SYSCTL_SYSCALL is not set | ||
199 | CONFIG_KALLSYMS=y | ||
200 | CONFIG_KALLSYMS_ALL=y | ||
201 | CONFIG_PRINTK=y | ||
202 | CONFIG_BUG=y | ||
203 | CONFIG_ELF_CORE=y | ||
204 | CONFIG_PCSPKR_PLATFORM=y | ||
205 | CONFIG_BASE_FULL=y | ||
206 | CONFIG_FUTEX=y | ||
207 | CONFIG_EPOLL=y | ||
208 | CONFIG_SIGNALFD=y | ||
209 | CONFIG_TIMERFD=y | ||
210 | CONFIG_EVENTFD=y | ||
211 | CONFIG_BPF_SYSCALL=y | ||
212 | CONFIG_SHMEM=y | ||
213 | CONFIG_AIO=y | ||
214 | CONFIG_ADVISE_SYSCALLS=y | ||
215 | # CONFIG_USERFAULTFD is not set | ||
216 | CONFIG_PCI_QUIRKS=y | ||
217 | CONFIG_MEMBARRIER=y | ||
218 | # CONFIG_EMBEDDED is not set | ||
219 | CONFIG_HAVE_PERF_EVENTS=y | ||
220 | |||
221 | # | ||
222 | # Kernel Performance Events And Counters | ||
223 | # | ||
224 | CONFIG_PERF_EVENTS=y | ||
225 | # CONFIG_DEBUG_PERF_USE_VMALLOC is not set | ||
226 | CONFIG_VM_EVENT_COUNTERS=y | ||
227 | # CONFIG_COMPAT_BRK is not set | ||
228 | CONFIG_SLAB=y | ||
229 | # CONFIG_SLUB is not set | ||
230 | # CONFIG_SLOB is not set | ||
231 | # CONFIG_SYSTEM_DATA_VERIFICATION is not set | ||
232 | CONFIG_PROFILING=y | ||
233 | CONFIG_OPROFILE=m | ||
234 | # CONFIG_OPROFILE_EVENT_MULTIPLEX is not set | ||
235 | CONFIG_HAVE_OPROFILE=y | ||
236 | CONFIG_OPROFILE_NMI_TIMER=y | ||
237 | CONFIG_KPROBES=y | ||
238 | CONFIG_JUMP_LABEL=y | ||
239 | # CONFIG_STATIC_KEYS_SELFTEST is not set | ||
240 | CONFIG_OPTPROBES=y | ||
241 | # CONFIG_UPROBES is not set | ||
242 | # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set | ||
243 | CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y | ||
244 | CONFIG_ARCH_USE_BUILTIN_BSWAP=y | ||
245 | CONFIG_KRETPROBES=y | ||
246 | CONFIG_USER_RETURN_NOTIFIER=y | ||
247 | CONFIG_HAVE_IOREMAP_PROT=y | ||
248 | CONFIG_HAVE_KPROBES=y | ||
249 | CONFIG_HAVE_KRETPROBES=y | ||
250 | CONFIG_HAVE_OPTPROBES=y | ||
251 | CONFIG_HAVE_KPROBES_ON_FTRACE=y | ||
252 | CONFIG_HAVE_ARCH_TRACEHOOK=y | ||
253 | CONFIG_HAVE_DMA_ATTRS=y | ||
254 | CONFIG_HAVE_DMA_CONTIGUOUS=y | ||
255 | CONFIG_GENERIC_SMP_IDLE_THREAD=y | ||
256 | CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y | ||
257 | CONFIG_HAVE_CLK=y | ||
258 | CONFIG_HAVE_DMA_API_DEBUG=y | ||
259 | CONFIG_HAVE_HW_BREAKPOINT=y | ||
260 | CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y | ||
261 | CONFIG_HAVE_USER_RETURN_NOTIFIER=y | ||
262 | CONFIG_HAVE_PERF_EVENTS_NMI=y | ||
263 | CONFIG_HAVE_PERF_REGS=y | ||
264 | CONFIG_HAVE_PERF_USER_STACK_DUMP=y | ||
265 | CONFIG_HAVE_ARCH_JUMP_LABEL=y | ||
266 | CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y | ||
267 | CONFIG_HAVE_CMPXCHG_LOCAL=y | ||
268 | CONFIG_HAVE_CMPXCHG_DOUBLE=y | ||
269 | CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y | ||
270 | CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y | ||
271 | CONFIG_HAVE_ARCH_SECCOMP_FILTER=y | ||
272 | CONFIG_SECCOMP_FILTER=y | ||
273 | CONFIG_HAVE_CC_STACKPROTECTOR=y | ||
274 | CONFIG_CC_STACKPROTECTOR=y | ||
275 | # CONFIG_CC_STACKPROTECTOR_NONE is not set | ||
276 | # CONFIG_CC_STACKPROTECTOR_REGULAR is not set | ||
277 | CONFIG_CC_STACKPROTECTOR_STRONG=y | ||
278 | CONFIG_HAVE_CONTEXT_TRACKING=y | ||
279 | CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y | ||
280 | CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y | ||
281 | CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y | ||
282 | CONFIG_HAVE_ARCH_HUGE_VMAP=y | ||
283 | CONFIG_HAVE_ARCH_SOFT_DIRTY=y | ||
284 | CONFIG_MODULES_USE_ELF_RELA=y | ||
285 | CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y | ||
286 | CONFIG_ARCH_HAS_ELF_RANDOMIZE=y | ||
287 | CONFIG_HAVE_COPY_THREAD_TLS=y | ||
288 | CONFIG_OLD_SIGSUSPEND3=y | ||
289 | CONFIG_COMPAT_OLD_SIGACTION=y | ||
290 | |||
291 | # | ||
292 | # GCOV-based kernel profiling | ||
293 | # | ||
294 | CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y | ||
295 | # CONFIG_HAVE_GENERIC_DMA_COHERENT is not set | ||
296 | CONFIG_SLABINFO=y | ||
297 | CONFIG_RT_MUTEXES=y | ||
298 | CONFIG_BASE_SMALL=0 | ||
299 | CONFIG_MODULES=y | ||
300 | CONFIG_MODULE_FORCE_LOAD=y | ||
301 | CONFIG_MODULE_UNLOAD=y | ||
302 | CONFIG_MODULE_FORCE_UNLOAD=y | ||
303 | CONFIG_MODVERSIONS=y | ||
304 | # CONFIG_MODULE_SRCVERSION_ALL is not set | ||
305 | # CONFIG_MODULE_SIG is not set | ||
306 | # CONFIG_MODULE_COMPRESS is not set | ||
307 | CONFIG_MODULES_TREE_LOOKUP=y | ||
308 | CONFIG_BLOCK=y | ||
309 | CONFIG_BLK_DEV_BSG=y | ||
310 | CONFIG_BLK_DEV_BSGLIB=y | ||
311 | CONFIG_BLK_DEV_INTEGRITY=y | ||
312 | CONFIG_BLK_DEV_THROTTLING=y | ||
313 | # CONFIG_BLK_CMDLINE_PARSER is not set | ||
314 | |||
315 | # | ||
316 | # Partition Types | ||
317 | # | ||
318 | CONFIG_PARTITION_ADVANCED=y | ||
319 | CONFIG_ACORN_PARTITION=y | ||
320 | # CONFIG_ACORN_PARTITION_CUMANA is not set | ||
321 | # CONFIG_ACORN_PARTITION_EESOX is not set | ||
322 | CONFIG_ACORN_PARTITION_ICS=y | ||
323 | # CONFIG_ACORN_PARTITION_ADFS is not set | ||
324 | # CONFIG_ACORN_PARTITION_POWERTEC is not set | ||
325 | CONFIG_ACORN_PARTITION_RISCIX=y | ||
326 | # CONFIG_AIX_PARTITION is not set | ||
327 | CONFIG_OSF_PARTITION=y | ||
328 | CONFIG_AMIGA_PARTITION=y | ||
329 | CONFIG_ATARI_PARTITION=y | ||
330 | CONFIG_MAC_PARTITION=y | ||
331 | CONFIG_MSDOS_PARTITION=y | ||
332 | CONFIG_BSD_DISKLABEL=y | ||
333 | CONFIG_MINIX_SUBPARTITION=y | ||
334 | CONFIG_SOLARIS_X86_PARTITION=y | ||
335 | CONFIG_UNIXWARE_DISKLABEL=y | ||
336 | CONFIG_LDM_PARTITION=y | ||
337 | # CONFIG_LDM_DEBUG is not set | ||
338 | CONFIG_SGI_PARTITION=y | ||
339 | CONFIG_ULTRIX_PARTITION=y | ||
340 | CONFIG_SUN_PARTITION=y | ||
341 | CONFIG_KARMA_PARTITION=y | ||
342 | CONFIG_EFI_PARTITION=y | ||
343 | # CONFIG_SYSV68_PARTITION is not set | ||
344 | # CONFIG_CMDLINE_PARTITION is not set | ||
345 | CONFIG_BLOCK_COMPAT=y | ||
346 | |||
347 | # | ||
348 | # IO Schedulers | ||
349 | # | ||
350 | CONFIG_IOSCHED_NOOP=y | ||
351 | CONFIG_IOSCHED_DEADLINE=y | ||
352 | CONFIG_IOSCHED_CFQ=y | ||
353 | CONFIG_CFQ_GROUP_IOSCHED=y | ||
354 | # CONFIG_DEFAULT_DEADLINE is not set | ||
355 | CONFIG_DEFAULT_CFQ=y | ||
356 | # CONFIG_DEFAULT_NOOP is not set | ||
357 | CONFIG_DEFAULT_IOSCHED="cfq" | ||
358 | CONFIG_PREEMPT_NOTIFIERS=y | ||
359 | CONFIG_PADATA=y | ||
360 | CONFIG_ASN1=m | ||
361 | CONFIG_INLINE_SPIN_UNLOCK_IRQ=y | ||
362 | CONFIG_INLINE_READ_UNLOCK=y | ||
363 | CONFIG_INLINE_READ_UNLOCK_IRQ=y | ||
364 | CONFIG_INLINE_WRITE_UNLOCK=y | ||
365 | CONFIG_INLINE_WRITE_UNLOCK_IRQ=y | ||
366 | CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y | ||
367 | CONFIG_MUTEX_SPIN_ON_OWNER=y | ||
368 | CONFIG_RWSEM_SPIN_ON_OWNER=y | ||
369 | CONFIG_LOCK_SPIN_ON_OWNER=y | ||
370 | CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y | ||
371 | CONFIG_QUEUED_SPINLOCKS=y | ||
372 | CONFIG_ARCH_USE_QUEUED_RWLOCKS=y | ||
373 | CONFIG_QUEUED_RWLOCKS=y | ||
374 | CONFIG_FREEZER=y | ||
375 | |||
376 | # | ||
377 | # Processor type and features | ||
378 | # | ||
379 | # CONFIG_ZONE_DMA is not set | ||
380 | CONFIG_SMP=y | ||
381 | CONFIG_X86_FEATURE_NAMES=y | ||
382 | CONFIG_X86_X2APIC=y | ||
383 | CONFIG_X86_MPPARSE=y | ||
384 | # CONFIG_X86_EXTENDED_PLATFORM is not set | ||
385 | CONFIG_X86_INTEL_LPSS=y | ||
386 | CONFIG_X86_AMD_PLATFORM_DEVICE=y | ||
387 | CONFIG_IOSF_MBI=m | ||
388 | CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y | ||
389 | CONFIG_SCHED_OMIT_FRAME_POINTER=y | ||
390 | CONFIG_HYPERVISOR_GUEST=y | ||
391 | CONFIG_PARAVIRT=y | ||
392 | # CONFIG_PARAVIRT_DEBUG is not set | ||
393 | CONFIG_PARAVIRT_SPINLOCKS=y | ||
394 | # CONFIG_XEN is not set | ||
395 | CONFIG_KVM_GUEST=y | ||
396 | # CONFIG_PARAVIRT_TIME_ACCOUNTING is not set | ||
397 | CONFIG_PARAVIRT_CLOCK=y | ||
398 | CONFIG_NO_BOOTMEM=y | ||
399 | # CONFIG_MK8 is not set | ||
400 | # CONFIG_MPSC is not set | ||
401 | # CONFIG_MCORE2 is not set | ||
402 | # CONFIG_MATOM is not set | ||
403 | CONFIG_GENERIC_CPU=y | ||
404 | CONFIG_X86_INTERNODE_CACHE_SHIFT=6 | ||
405 | CONFIG_X86_L1_CACHE_SHIFT=6 | ||
406 | CONFIG_X86_TSC=y | ||
407 | CONFIG_X86_CMPXCHG64=y | ||
408 | CONFIG_X86_CMOV=y | ||
409 | CONFIG_X86_MINIMUM_CPU_FAMILY=64 | ||
410 | CONFIG_X86_DEBUGCTLMSR=y | ||
411 | # CONFIG_PROCESSOR_SELECT is not set | ||
412 | CONFIG_CPU_SUP_INTEL=y | ||
413 | CONFIG_CPU_SUP_AMD=y | ||
414 | CONFIG_CPU_SUP_CENTAUR=y | ||
415 | CONFIG_HPET_TIMER=y | ||
416 | CONFIG_HPET_EMULATE_RTC=y | ||
417 | CONFIG_DMI=y | ||
418 | CONFIG_GART_IOMMU=y | ||
419 | CONFIG_CALGARY_IOMMU=y | ||
420 | CONFIG_CALGARY_IOMMU_ENABLED_BY_DEFAULT=y | ||
421 | CONFIG_SWIOTLB=y | ||
422 | CONFIG_IOMMU_HELPER=y | ||
423 | # CONFIG_MAXSMP is not set | ||
424 | CONFIG_NR_CPUS=512 | ||
425 | CONFIG_SCHED_SMT=y | ||
426 | CONFIG_SCHED_MC=y | ||
427 | # CONFIG_PREEMPT_NONE is not set | ||
428 | CONFIG_PREEMPT_VOLUNTARY=y | ||
429 | # CONFIG_PREEMPT is not set | ||
430 | CONFIG_X86_LOCAL_APIC=y | ||
431 | CONFIG_X86_IO_APIC=y | ||
432 | CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y | ||
433 | CONFIG_X86_MCE=y | ||
434 | CONFIG_X86_MCE_INTEL=y | ||
435 | CONFIG_X86_MCE_AMD=y | ||
436 | CONFIG_X86_MCE_THRESHOLD=y | ||
437 | CONFIG_X86_MCE_INJECT=m | ||
438 | CONFIG_X86_THERMAL_VECTOR=y | ||
439 | # CONFIG_VM86 is not set | ||
440 | CONFIG_X86_VSYSCALL_EMULATION=y | ||
441 | CONFIG_I8K=m | ||
442 | CONFIG_MICROCODE=y | ||
443 | CONFIG_MICROCODE_INTEL=y | ||
444 | CONFIG_MICROCODE_AMD=y | ||
445 | CONFIG_MICROCODE_OLD_INTERFACE=y | ||
446 | CONFIG_X86_MSR=m | ||
447 | CONFIG_X86_CPUID=m | ||
448 | CONFIG_ARCH_PHYS_ADDR_T_64BIT=y | ||
449 | CONFIG_ARCH_DMA_ADDR_T_64BIT=y | ||
450 | CONFIG_X86_DIRECT_GBPAGES=y | ||
451 | CONFIG_NUMA=y | ||
452 | CONFIG_AMD_NUMA=y | ||
453 | CONFIG_X86_64_ACPI_NUMA=y | ||
454 | CONFIG_NODES_SPAN_OTHER_NODES=y | ||
455 | CONFIG_NUMA_EMU=y | ||
456 | CONFIG_NODES_SHIFT=6 | ||
457 | CONFIG_ARCH_SPARSEMEM_ENABLE=y | ||
458 | CONFIG_ARCH_SPARSEMEM_DEFAULT=y | ||
459 | CONFIG_ARCH_SELECT_MEMORY_MODEL=y | ||
460 | # CONFIG_ARCH_MEMORY_PROBE is not set | ||
461 | CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 | ||
462 | CONFIG_SELECT_MEMORY_MODEL=y | ||
463 | CONFIG_SPARSEMEM_MANUAL=y | ||
464 | CONFIG_SPARSEMEM=y | ||
465 | CONFIG_NEED_MULTIPLE_NODES=y | ||
466 | CONFIG_HAVE_MEMORY_PRESENT=y | ||
467 | CONFIG_SPARSEMEM_EXTREME=y | ||
468 | CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y | ||
469 | CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y | ||
470 | CONFIG_SPARSEMEM_VMEMMAP=y | ||
471 | CONFIG_HAVE_MEMBLOCK=y | ||
472 | CONFIG_HAVE_MEMBLOCK_NODE_MAP=y | ||
473 | CONFIG_ARCH_DISCARD_MEMBLOCK=y | ||
474 | CONFIG_MEMORY_ISOLATION=y | ||
475 | # CONFIG_MOVABLE_NODE is not set | ||
476 | CONFIG_HAVE_BOOTMEM_INFO_NODE=y | ||
477 | CONFIG_MEMORY_HOTPLUG=y | ||
478 | CONFIG_MEMORY_HOTPLUG_SPARSE=y | ||
479 | CONFIG_MEMORY_HOTREMOVE=y | ||
480 | CONFIG_SPLIT_PTLOCK_CPUS=4 | ||
481 | CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y | ||
482 | CONFIG_MEMORY_BALLOON=y | ||
483 | CONFIG_BALLOON_COMPACTION=y | ||
484 | CONFIG_COMPACTION=y | ||
485 | CONFIG_MIGRATION=y | ||
486 | CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y | ||
487 | CONFIG_PHYS_ADDR_T_64BIT=y | ||
488 | CONFIG_ZONE_DMA_FLAG=0 | ||
489 | CONFIG_VIRT_TO_BUS=y | ||
490 | CONFIG_MMU_NOTIFIER=y | ||
491 | CONFIG_KSM=y | ||
492 | CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 | ||
493 | CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y | ||
494 | CONFIG_MEMORY_FAILURE=y | ||
495 | CONFIG_TRANSPARENT_HUGEPAGE=y | ||
496 | # CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS is not set | ||
497 | CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y | ||
498 | # CONFIG_CLEANCACHE is not set | ||
499 | CONFIG_FRONTSWAP=y | ||
500 | # CONFIG_CMA is not set | ||
501 | CONFIG_ZSWAP=y | ||
502 | CONFIG_ZPOOL=y | ||
503 | CONFIG_ZBUD=y | ||
504 | CONFIG_ZSMALLOC=m | ||
505 | # CONFIG_PGTABLE_MAPPING is not set | ||
506 | CONFIG_GENERIC_EARLY_IOREMAP=y | ||
507 | CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y | ||
508 | # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set | ||
509 | # CONFIG_IDLE_PAGE_TRACKING is not set | ||
510 | CONFIG_ZONE_DEVICE=y | ||
511 | CONFIG_FRAME_VECTOR=y | ||
512 | CONFIG_X86_PMEM_LEGACY_DEVICE=y | ||
513 | CONFIG_X86_PMEM_LEGACY=m | ||
514 | # CONFIG_X86_CHECK_BIOS_CORRUPTION is not set | ||
515 | CONFIG_X86_RESERVE_LOW=64 | ||
516 | CONFIG_MTRR=y | ||
517 | CONFIG_MTRR_SANITIZER=y | ||
518 | CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 | ||
519 | CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 | ||
520 | CONFIG_X86_PAT=y | ||
521 | CONFIG_ARCH_USES_PG_UNCACHED=y | ||
522 | CONFIG_ARCH_RANDOM=y | ||
523 | CONFIG_X86_SMAP=y | ||
524 | CONFIG_X86_INTEL_MPX=y | ||
525 | CONFIG_EFI=y | ||
526 | CONFIG_EFI_STUB=y | ||
527 | CONFIG_EFI_MIXED=y | ||
528 | CONFIG_SECCOMP=y | ||
529 | # CONFIG_HZ_100 is not set | ||
530 | CONFIG_HZ_250=y | ||
531 | # CONFIG_HZ_300 is not set | ||
532 | # CONFIG_HZ_1000 is not set | ||
533 | CONFIG_HZ=250 | ||
534 | CONFIG_SCHED_HRTICK=y | ||
535 | # CONFIG_KEXEC_FILE is not set | ||
536 | CONFIG_CRASH_DUMP=y | ||
537 | CONFIG_PHYSICAL_START=0x1000000 | ||
538 | CONFIG_RELOCATABLE=y | ||
539 | CONFIG_RANDOMIZE_BASE=y | ||
540 | CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000 | ||
541 | CONFIG_X86_NEED_RELOCS=y | ||
542 | CONFIG_PHYSICAL_ALIGN=0x1000000 | ||
543 | CONFIG_HOTPLUG_CPU=y | ||
544 | # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set | ||
545 | # CONFIG_DEBUG_HOTPLUG_CPU0 is not set | ||
546 | CONFIG_LEGACY_VSYSCALL_EMULATE=y | ||
547 | # CONFIG_LEGACY_VSYSCALL_NONE is not set | ||
548 | # CONFIG_CMDLINE_BOOL is not set | ||
549 | CONFIG_MODIFY_LDT_SYSCALL=y | ||
550 | CONFIG_DEFAULT_MODIFY_LDT_SYSCALL=y | ||
551 | CONFIG_HAVE_LIVEPATCH=y | ||
552 | CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y | ||
553 | CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y | ||
554 | CONFIG_USE_PERCPU_NUMA_NODE_ID=y | ||
555 | |||
556 | # | ||
557 | # Power management and ACPI options | ||
558 | # | ||
559 | CONFIG_SUSPEND=y | ||
560 | CONFIG_SUSPEND_FREEZER=y | ||
561 | # CONFIG_SUSPEND_SKIP_SYNC is not set | ||
562 | CONFIG_PM_SLEEP=y | ||
563 | CONFIG_PM_SLEEP_SMP=y | ||
564 | # CONFIG_PM_AUTOSLEEP is not set | ||
565 | # CONFIG_PM_WAKELOCKS is not set | ||
566 | CONFIG_PM=y | ||
567 | CONFIG_PM_DEBUG=y | ||
568 | CONFIG_PM_ADVANCED_DEBUG=y | ||
569 | # CONFIG_PM_TEST_SUSPEND is not set | ||
570 | CONFIG_PM_SLEEP_DEBUG=y | ||
571 | # CONFIG_DPM_WATCHDOG is not set | ||
572 | # CONFIG_PM_TRACE_RTC is not set | ||
573 | CONFIG_PM_CLK=y | ||
574 | # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set | ||
575 | CONFIG_ACPI=y | ||
576 | CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y | ||
577 | CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y | ||
578 | CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y | ||
579 | # CONFIG_ACPI_DEBUGGER is not set | ||
580 | CONFIG_ACPI_SLEEP=y | ||
581 | # CONFIG_ACPI_PROCFS_POWER is not set | ||
582 | CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y | ||
583 | # CONFIG_ACPI_EC_DEBUGFS is not set | ||
584 | CONFIG_ACPI_AC=m | ||
585 | CONFIG_ACPI_BATTERY=m | ||
586 | CONFIG_ACPI_BUTTON=m | ||
587 | CONFIG_ACPI_VIDEO=m | ||
588 | CONFIG_ACPI_FAN=m | ||
589 | CONFIG_ACPI_DOCK=y | ||
590 | CONFIG_ACPI_CPU_FREQ_PSS=y | ||
591 | CONFIG_ACPI_PROCESSOR_IDLE=y | ||
592 | CONFIG_ACPI_PROCESSOR=m | ||
593 | CONFIG_ACPI_IPMI=m | ||
594 | CONFIG_ACPI_HOTPLUG_CPU=y | ||
595 | CONFIG_ACPI_PROCESSOR_AGGREGATOR=m | ||
596 | CONFIG_ACPI_THERMAL=m | ||
597 | CONFIG_ACPI_NUMA=y | ||
598 | # CONFIG_ACPI_CUSTOM_DSDT is not set | ||
599 | CONFIG_ACPI_INITRD_TABLE_OVERRIDE=y | ||
600 | # CONFIG_ACPI_DEBUG is not set | ||
601 | CONFIG_ACPI_PCI_SLOT=y | ||
602 | CONFIG_X86_PM_TIMER=y | ||
603 | CONFIG_ACPI_CONTAINER=y | ||
604 | CONFIG_ACPI_HOTPLUG_MEMORY=y | ||
605 | CONFIG_ACPI_HOTPLUG_IOAPIC=y | ||
606 | CONFIG_ACPI_SBS=m | ||
607 | CONFIG_ACPI_HED=y | ||
608 | CONFIG_ACPI_BGRT=y | ||
609 | # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set | ||
610 | CONFIG_ACPI_NFIT=m | ||
611 | CONFIG_HAVE_ACPI_APEI=y | ||
612 | CONFIG_HAVE_ACPI_APEI_NMI=y | ||
613 | CONFIG_ACPI_APEI=y | ||
614 | CONFIG_ACPI_APEI_GHES=y | ||
615 | CONFIG_ACPI_APEI_PCIEAER=y | ||
616 | CONFIG_ACPI_APEI_MEMORY_FAILURE=y | ||
617 | # CONFIG_ACPI_APEI_ERST_DEBUG is not set | ||
618 | CONFIG_ACPI_EXTLOG=y | ||
619 | # CONFIG_PMIC_OPREGION is not set | ||
620 | CONFIG_SFI=y | ||
621 | |||
622 | # | ||
623 | # CPU Frequency scaling | ||
624 | # | ||
625 | CONFIG_CPU_FREQ=y | ||
626 | CONFIG_CPU_FREQ_GOV_COMMON=y | ||
627 | CONFIG_CPU_FREQ_STAT=m | ||
628 | # CONFIG_CPU_FREQ_STAT_DETAILS is not set | ||
629 | # CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set | ||
630 | # CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set | ||
631 | # CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set | ||
632 | CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y | ||
633 | # CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set | ||
634 | CONFIG_CPU_FREQ_GOV_PERFORMANCE=y | ||
635 | CONFIG_CPU_FREQ_GOV_POWERSAVE=m | ||
636 | CONFIG_CPU_FREQ_GOV_USERSPACE=m | ||
637 | CONFIG_CPU_FREQ_GOV_ONDEMAND=y | ||
638 | CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m | ||
639 | |||
640 | # | ||
641 | # CPU frequency scaling drivers | ||
642 | # | ||
643 | CONFIG_X86_INTEL_PSTATE=y | ||
644 | CONFIG_X86_PCC_CPUFREQ=m | ||
645 | CONFIG_X86_ACPI_CPUFREQ=m | ||
646 | CONFIG_X86_ACPI_CPUFREQ_CPB=y | ||
647 | CONFIG_X86_POWERNOW_K8=m | ||
648 | CONFIG_X86_AMD_FREQ_SENSITIVITY=m | ||
649 | CONFIG_X86_SPEEDSTEP_CENTRINO=m | ||
650 | CONFIG_X86_P4_CLOCKMOD=m | ||
651 | |||
652 | # | ||
653 | # shared options | ||
654 | # | ||
655 | CONFIG_X86_SPEEDSTEP_LIB=m | ||
656 | |||
657 | # | ||
658 | # CPU Idle | ||
659 | # | ||
660 | CONFIG_CPU_IDLE=y | ||
661 | CONFIG_CPU_IDLE_GOV_LADDER=y | ||
662 | CONFIG_CPU_IDLE_GOV_MENU=y | ||
663 | # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set | ||
664 | CONFIG_INTEL_IDLE=y | ||
665 | |||
666 | # | ||
667 | # Memory power savings | ||
668 | # | ||
669 | CONFIG_I7300_IDLE_IOAT_CHANNEL=y | ||
670 | CONFIG_I7300_IDLE=m | ||
671 | |||
672 | # | ||
673 | # Bus options (PCI etc.) | ||
674 | # | ||
675 | CONFIG_PCI=y | ||
676 | CONFIG_PCI_DIRECT=y | ||
677 | CONFIG_PCI_MMCONFIG=y | ||
678 | CONFIG_PCI_DOMAINS=y | ||
679 | # CONFIG_PCI_CNB20LE_QUIRK is not set | ||
680 | CONFIG_PCIEPORTBUS=y | ||
681 | CONFIG_HOTPLUG_PCI_PCIE=y | ||
682 | CONFIG_PCIEAER=y | ||
683 | # CONFIG_PCIE_ECRC is not set | ||
684 | CONFIG_PCIEAER_INJECT=m | ||
685 | CONFIG_PCIEASPM=y | ||
686 | # CONFIG_PCIEASPM_DEBUG is not set | ||
687 | CONFIG_PCIEASPM_DEFAULT=y | ||
688 | # CONFIG_PCIEASPM_POWERSAVE is not set | ||
689 | # CONFIG_PCIEASPM_PERFORMANCE is not set | ||
690 | CONFIG_PCIE_PME=y | ||
691 | CONFIG_PCI_BUS_ADDR_T_64BIT=y | ||
692 | CONFIG_PCI_MSI=y | ||
693 | CONFIG_PCI_MSI_IRQ_DOMAIN=y | ||
694 | # CONFIG_PCI_DEBUG is not set | ||
695 | CONFIG_PCI_REALLOC_ENABLE_AUTO=y | ||
696 | CONFIG_PCI_STUB=m | ||
697 | CONFIG_HT_IRQ=y | ||
698 | CONFIG_PCI_ATS=y | ||
699 | CONFIG_PCI_IOV=y | ||
700 | CONFIG_PCI_PRI=y | ||
701 | CONFIG_PCI_PASID=y | ||
702 | CONFIG_PCI_LABEL=y | ||
703 | |||
704 | # | ||
705 | # PCI host controller drivers | ||
706 | # | ||
707 | CONFIG_ISA_DMA_API=y | ||
708 | CONFIG_AMD_NB=y | ||
709 | CONFIG_PCCARD=m | ||
710 | CONFIG_PCMCIA=m | ||
711 | CONFIG_PCMCIA_LOAD_CIS=y | ||
712 | CONFIG_CARDBUS=y | ||
713 | |||
714 | # | ||
715 | # PC-card bridges | ||
716 | # | ||
717 | CONFIG_YENTA=m | ||
718 | CONFIG_YENTA_O2=y | ||
719 | CONFIG_YENTA_RICOH=y | ||
720 | CONFIG_YENTA_TI=y | ||
721 | CONFIG_YENTA_ENE_TUNE=y | ||
722 | CONFIG_YENTA_TOSHIBA=y | ||
723 | CONFIG_PD6729=m | ||
724 | CONFIG_I82092=m | ||
725 | CONFIG_PCCARD_NONSTATIC=y | ||
726 | CONFIG_HOTPLUG_PCI=y | ||
727 | CONFIG_HOTPLUG_PCI_ACPI=y | ||
728 | CONFIG_HOTPLUG_PCI_ACPI_IBM=m | ||
729 | CONFIG_HOTPLUG_PCI_CPCI=y | ||
730 | CONFIG_HOTPLUG_PCI_CPCI_ZT5550=m | ||
731 | CONFIG_HOTPLUG_PCI_CPCI_GENERIC=m | ||
732 | CONFIG_HOTPLUG_PCI_SHPC=m | ||
733 | # CONFIG_RAPIDIO is not set | ||
734 | CONFIG_X86_SYSFB=y | ||
735 | |||
736 | # | ||
737 | # Executable file formats / Emulations | ||
738 | # | ||
739 | CONFIG_BINFMT_ELF=y | ||
740 | CONFIG_COMPAT_BINFMT_ELF=y | ||
741 | CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y | ||
742 | CONFIG_BINFMT_SCRIPT=y | ||
743 | # CONFIG_HAVE_AOUT is not set | ||
744 | CONFIG_BINFMT_MISC=m | ||
745 | CONFIG_COREDUMP=y | ||
746 | CONFIG_IA32_EMULATION=y | ||
747 | CONFIG_IA32_AOUT=y | ||
748 | # CONFIG_X86_X32 is not set | ||
749 | CONFIG_COMPAT=y | ||
750 | CONFIG_COMPAT_FOR_U64_ALIGNMENT=y | ||
751 | CONFIG_SYSVIPC_COMPAT=y | ||
752 | CONFIG_KEYS_COMPAT=y | ||
753 | CONFIG_X86_DEV_DMA_OPS=y | ||
754 | CONFIG_PMC_ATOM=y | ||
755 | CONFIG_NET=y | ||
756 | CONFIG_COMPAT_NETLINK_MESSAGES=y | ||
757 | CONFIG_NET_INGRESS=y | ||
758 | |||
759 | # | ||
760 | # Networking options | ||
761 | # | ||
762 | CONFIG_PACKET=y | ||
763 | CONFIG_PACKET_DIAG=m | ||
764 | CONFIG_UNIX=y | ||
765 | CONFIG_UNIX_DIAG=m | ||
766 | CONFIG_XFRM=y | ||
767 | CONFIG_XFRM_ALGO=m | ||
768 | CONFIG_XFRM_USER=m | ||
769 | CONFIG_XFRM_SUB_POLICY=y | ||
770 | CONFIG_XFRM_MIGRATE=y | ||
771 | # CONFIG_XFRM_STATISTICS is not set | ||
772 | CONFIG_XFRM_IPCOMP=m | ||
773 | CONFIG_NET_KEY=m | ||
774 | CONFIG_NET_KEY_MIGRATE=y | ||
775 | CONFIG_INET=y | ||
776 | CONFIG_IP_MULTICAST=y | ||
777 | CONFIG_IP_ADVANCED_ROUTER=y | ||
778 | CONFIG_IP_FIB_TRIE_STATS=y | ||
779 | CONFIG_IP_MULTIPLE_TABLES=y | ||
780 | CONFIG_IP_ROUTE_MULTIPATH=y | ||
781 | CONFIG_IP_ROUTE_VERBOSE=y | ||
782 | CONFIG_IP_ROUTE_CLASSID=y | ||
783 | # CONFIG_IP_PNP is not set | ||
784 | CONFIG_NET_IPIP=m | ||
785 | CONFIG_NET_IPGRE_DEMUX=m | ||
786 | CONFIG_NET_IP_TUNNEL=m | ||
787 | CONFIG_NET_IPGRE=m | ||
788 | CONFIG_NET_IPGRE_BROADCAST=y | ||
789 | CONFIG_IP_MROUTE=y | ||
790 | CONFIG_IP_MROUTE_MULTIPLE_TABLES=y | ||
791 | CONFIG_IP_PIMSM_V1=y | ||
792 | CONFIG_IP_PIMSM_V2=y | ||
793 | CONFIG_SYN_COOKIES=y | ||
794 | CONFIG_NET_IPVTI=m | ||
795 | CONFIG_NET_UDP_TUNNEL=m | ||
796 | CONFIG_NET_FOU=m | ||
797 | CONFIG_NET_FOU_IP_TUNNELS=y | ||
798 | CONFIG_INET_AH=m | ||
799 | CONFIG_INET_ESP=m | ||
800 | CONFIG_INET_IPCOMP=m | ||
801 | CONFIG_INET_XFRM_TUNNEL=m | ||
802 | CONFIG_INET_TUNNEL=m | ||
803 | CONFIG_INET_XFRM_MODE_TRANSPORT=m | ||
804 | CONFIG_INET_XFRM_MODE_TUNNEL=m | ||
805 | CONFIG_INET_XFRM_MODE_BEET=m | ||
806 | CONFIG_INET_LRO=m | ||
807 | CONFIG_INET_DIAG=m | ||
808 | CONFIG_INET_TCP_DIAG=m | ||
809 | CONFIG_INET_UDP_DIAG=m | ||
810 | CONFIG_TCP_CONG_ADVANCED=y | ||
811 | CONFIG_TCP_CONG_BIC=m | ||
812 | CONFIG_TCP_CONG_CUBIC=y | ||
813 | CONFIG_TCP_CONG_WESTWOOD=m | ||
814 | CONFIG_TCP_CONG_HTCP=m | ||
815 | CONFIG_TCP_CONG_HSTCP=m | ||
816 | CONFIG_TCP_CONG_HYBLA=m | ||
817 | CONFIG_TCP_CONG_VEGAS=m | ||
818 | CONFIG_TCP_CONG_SCALABLE=m | ||
819 | CONFIG_TCP_CONG_LP=m | ||
820 | CONFIG_TCP_CONG_VENO=m | ||
821 | CONFIG_TCP_CONG_YEAH=m | ||
822 | CONFIG_TCP_CONG_ILLINOIS=m | ||
823 | CONFIG_TCP_CONG_DCTCP=m | ||
824 | CONFIG_TCP_CONG_CDG=m | ||
825 | CONFIG_DEFAULT_CUBIC=y | ||
826 | # CONFIG_DEFAULT_RENO is not set | ||
827 | CONFIG_DEFAULT_TCP_CONG="cubic" | ||
828 | CONFIG_TCP_MD5SIG=y | ||
829 | CONFIG_IPV6=y | ||
830 | CONFIG_IPV6_ROUTER_PREF=y | ||
831 | CONFIG_IPV6_ROUTE_INFO=y | ||
832 | CONFIG_IPV6_OPTIMISTIC_DAD=y | ||
833 | CONFIG_INET6_AH=m | ||
834 | CONFIG_INET6_ESP=m | ||
835 | CONFIG_INET6_IPCOMP=m | ||
836 | CONFIG_IPV6_MIP6=y | ||
837 | # CONFIG_IPV6_ILA is not set | ||
838 | CONFIG_INET6_XFRM_TUNNEL=m | ||
839 | CONFIG_INET6_TUNNEL=m | ||
840 | CONFIG_INET6_XFRM_MODE_TRANSPORT=m | ||
841 | CONFIG_INET6_XFRM_MODE_TUNNEL=m | ||
842 | CONFIG_INET6_XFRM_MODE_BEET=m | ||
843 | CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m | ||
844 | CONFIG_IPV6_VTI=m | ||
845 | CONFIG_IPV6_SIT=m | ||
846 | CONFIG_IPV6_SIT_6RD=y | ||
847 | CONFIG_IPV6_NDISC_NODETYPE=y | ||
848 | CONFIG_IPV6_TUNNEL=m | ||
849 | CONFIG_IPV6_GRE=m | ||
850 | CONFIG_IPV6_MULTIPLE_TABLES=y | ||
851 | CONFIG_IPV6_SUBTREES=y | ||
852 | CONFIG_IPV6_MROUTE=y | ||
853 | CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y | ||
854 | CONFIG_IPV6_PIMSM_V2=y | ||
855 | # CONFIG_NETLABEL is not set | ||
856 | CONFIG_NETWORK_SECMARK=y | ||
857 | CONFIG_NET_PTP_CLASSIFY=y | ||
858 | # CONFIG_NETWORK_PHY_TIMESTAMPING is not set | ||
859 | CONFIG_NETFILTER=y | ||
860 | # CONFIG_NETFILTER_DEBUG is not set | ||
861 | CONFIG_NETFILTER_ADVANCED=y | ||
862 | CONFIG_BRIDGE_NETFILTER=m | ||
863 | |||
864 | # | ||
865 | # Core Netfilter Configuration | ||
866 | # | ||
867 | CONFIG_NETFILTER_INGRESS=y | ||
868 | CONFIG_NETFILTER_NETLINK=m | ||
869 | CONFIG_NETFILTER_NETLINK_ACCT=m | ||
870 | CONFIG_NETFILTER_NETLINK_QUEUE=m | ||
871 | CONFIG_NETFILTER_NETLINK_LOG=m | ||
872 | CONFIG_NF_CONNTRACK=m | ||
873 | CONFIG_NF_LOG_COMMON=m | ||
874 | CONFIG_NF_CONNTRACK_MARK=y | ||
875 | CONFIG_NF_CONNTRACK_SECMARK=y | ||
876 | CONFIG_NF_CONNTRACK_ZONES=y | ||
877 | CONFIG_NF_CONNTRACK_PROCFS=y | ||
878 | CONFIG_NF_CONNTRACK_EVENTS=y | ||
879 | CONFIG_NF_CONNTRACK_TIMEOUT=y | ||
880 | CONFIG_NF_CONNTRACK_TIMESTAMP=y | ||
881 | CONFIG_NF_CONNTRACK_LABELS=y | ||
882 | CONFIG_NF_CT_PROTO_DCCP=m | ||
883 | CONFIG_NF_CT_PROTO_GRE=m | ||
884 | CONFIG_NF_CT_PROTO_SCTP=m | ||
885 | CONFIG_NF_CT_PROTO_UDPLITE=m | ||
886 | CONFIG_NF_CONNTRACK_AMANDA=m | ||
887 | CONFIG_NF_CONNTRACK_FTP=m | ||
888 | CONFIG_NF_CONNTRACK_H323=m | ||
889 | CONFIG_NF_CONNTRACK_IRC=m | ||
890 | CONFIG_NF_CONNTRACK_BROADCAST=m | ||
891 | CONFIG_NF_CONNTRACK_NETBIOS_NS=m | ||
892 | CONFIG_NF_CONNTRACK_SNMP=m | ||
893 | CONFIG_NF_CONNTRACK_PPTP=m | ||
894 | CONFIG_NF_CONNTRACK_SANE=m | ||
895 | CONFIG_NF_CONNTRACK_SIP=m | ||
896 | CONFIG_NF_CONNTRACK_TFTP=m | ||
897 | CONFIG_NF_CT_NETLINK=m | ||
898 | CONFIG_NF_CT_NETLINK_TIMEOUT=m | ||
899 | CONFIG_NF_CT_NETLINK_HELPER=m | ||
900 | CONFIG_NETFILTER_NETLINK_GLUE_CT=y | ||
901 | CONFIG_NF_NAT=m | ||
902 | CONFIG_NF_NAT_NEEDED=y | ||
903 | CONFIG_NF_NAT_PROTO_DCCP=m | ||
904 | CONFIG_NF_NAT_PROTO_UDPLITE=m | ||
905 | CONFIG_NF_NAT_PROTO_SCTP=m | ||
906 | CONFIG_NF_NAT_AMANDA=m | ||
907 | CONFIG_NF_NAT_FTP=m | ||
908 | CONFIG_NF_NAT_IRC=m | ||
909 | CONFIG_NF_NAT_SIP=m | ||
910 | CONFIG_NF_NAT_TFTP=m | ||
911 | CONFIG_NF_NAT_REDIRECT=m | ||
912 | CONFIG_NETFILTER_SYNPROXY=m | ||
913 | CONFIG_NF_TABLES=m | ||
914 | CONFIG_NF_TABLES_INET=m | ||
915 | CONFIG_NF_TABLES_NETDEV=m | ||
916 | CONFIG_NFT_EXTHDR=m | ||
917 | CONFIG_NFT_META=m | ||
918 | CONFIG_NFT_CT=m | ||
919 | CONFIG_NFT_RBTREE=m | ||
920 | CONFIG_NFT_HASH=m | ||
921 | CONFIG_NFT_COUNTER=m | ||
922 | CONFIG_NFT_LOG=m | ||
923 | CONFIG_NFT_LIMIT=m | ||
924 | CONFIG_NFT_MASQ=m | ||
925 | CONFIG_NFT_REDIR=m | ||
926 | CONFIG_NFT_NAT=m | ||
927 | CONFIG_NFT_QUEUE=m | ||
928 | CONFIG_NFT_REJECT=m | ||
929 | CONFIG_NFT_REJECT_INET=m | ||
930 | CONFIG_NFT_COMPAT=m | ||
931 | CONFIG_NETFILTER_XTABLES=m | ||
932 | |||
933 | # | ||
934 | # Xtables combined modules | ||
935 | # | ||
936 | CONFIG_NETFILTER_XT_MARK=m | ||
937 | CONFIG_NETFILTER_XT_CONNMARK=m | ||
938 | CONFIG_NETFILTER_XT_SET=m | ||
939 | |||
940 | # | ||
941 | # Xtables targets | ||
942 | # | ||
943 | CONFIG_NETFILTER_XT_TARGET_AUDIT=m | ||
944 | CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m | ||
945 | CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m | ||
946 | CONFIG_NETFILTER_XT_TARGET_CONNMARK=m | ||
947 | CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m | ||
948 | CONFIG_NETFILTER_XT_TARGET_CT=m | ||
949 | CONFIG_NETFILTER_XT_TARGET_DSCP=m | ||
950 | CONFIG_NETFILTER_XT_TARGET_HL=m | ||
951 | CONFIG_NETFILTER_XT_TARGET_HMARK=m | ||
952 | CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m | ||
953 | CONFIG_NETFILTER_XT_TARGET_LED=m | ||
954 | CONFIG_NETFILTER_XT_TARGET_LOG=m | ||
955 | CONFIG_NETFILTER_XT_TARGET_MARK=m | ||
956 | CONFIG_NETFILTER_XT_NAT=m | ||
957 | CONFIG_NETFILTER_XT_TARGET_NETMAP=m | ||
958 | CONFIG_NETFILTER_XT_TARGET_NFLOG=m | ||
959 | CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m | ||
960 | # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set | ||
961 | CONFIG_NETFILTER_XT_TARGET_RATEEST=m | ||
962 | CONFIG_NETFILTER_XT_TARGET_REDIRECT=m | ||
963 | CONFIG_NETFILTER_XT_TARGET_TEE=m | ||
964 | CONFIG_NETFILTER_XT_TARGET_TPROXY=m | ||
965 | CONFIG_NETFILTER_XT_TARGET_TRACE=m | ||
966 | CONFIG_NETFILTER_XT_TARGET_SECMARK=m | ||
967 | CONFIG_NETFILTER_XT_TARGET_TCPMSS=m | ||
968 | CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m | ||
969 | |||
970 | # | ||
971 | # Xtables matches | ||
972 | # | ||
973 | CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m | ||
974 | CONFIG_NETFILTER_XT_MATCH_BPF=m | ||
975 | CONFIG_NETFILTER_XT_MATCH_CGROUP=m | ||
976 | CONFIG_NETFILTER_XT_MATCH_CLUSTER=m | ||
977 | CONFIG_NETFILTER_XT_MATCH_COMMENT=m | ||
978 | CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m | ||
979 | CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m | ||
980 | CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m | ||
981 | CONFIG_NETFILTER_XT_MATCH_CONNMARK=m | ||
982 | CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m | ||
983 | CONFIG_NETFILTER_XT_MATCH_CPU=m | ||
984 | CONFIG_NETFILTER_XT_MATCH_DCCP=m | ||
985 | CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m | ||
986 | CONFIG_NETFILTER_XT_MATCH_DSCP=m | ||
987 | CONFIG_NETFILTER_XT_MATCH_ECN=m | ||
988 | CONFIG_NETFILTER_XT_MATCH_ESP=m | ||
989 | # CONFIG_NETFILTER_XT_MATCH_GRADM is not set | ||
990 | CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m | ||
991 | CONFIG_NETFILTER_XT_MATCH_HELPER=m | ||
992 | CONFIG_NETFILTER_XT_MATCH_HL=m | ||
993 | CONFIG_NETFILTER_XT_MATCH_IPCOMP=m | ||
994 | CONFIG_NETFILTER_XT_MATCH_IPRANGE=m | ||
995 | CONFIG_NETFILTER_XT_MATCH_IPVS=m | ||
996 | CONFIG_NETFILTER_XT_MATCH_L2TP=m | ||
997 | CONFIG_NETFILTER_XT_MATCH_LENGTH=m | ||
998 | CONFIG_NETFILTER_XT_MATCH_LIMIT=m | ||
999 | CONFIG_NETFILTER_XT_MATCH_MAC=m | ||
1000 | CONFIG_NETFILTER_XT_MATCH_MARK=m | ||
1001 | CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m | ||
1002 | CONFIG_NETFILTER_XT_MATCH_NFACCT=m | ||
1003 | CONFIG_NETFILTER_XT_MATCH_OSF=m | ||
1004 | CONFIG_NETFILTER_XT_MATCH_OWNER=m | ||
1005 | CONFIG_NETFILTER_XT_MATCH_POLICY=m | ||
1006 | CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m | ||
1007 | CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m | ||
1008 | CONFIG_NETFILTER_XT_MATCH_QUOTA=m | ||
1009 | CONFIG_NETFILTER_XT_MATCH_RATEEST=m | ||
1010 | CONFIG_NETFILTER_XT_MATCH_REALM=m | ||
1011 | CONFIG_NETFILTER_XT_MATCH_RECENT=m | ||
1012 | CONFIG_NETFILTER_XT_MATCH_SCTP=m | ||
1013 | CONFIG_NETFILTER_XT_MATCH_SOCKET=m | ||
1014 | CONFIG_NETFILTER_XT_MATCH_STATE=m | ||
1015 | CONFIG_NETFILTER_XT_MATCH_STATISTIC=m | ||
1016 | CONFIG_NETFILTER_XT_MATCH_STRING=m | ||
1017 | CONFIG_NETFILTER_XT_MATCH_TCPMSS=m | ||
1018 | CONFIG_NETFILTER_XT_MATCH_TIME=m | ||
1019 | CONFIG_NETFILTER_XT_MATCH_U32=m | ||
1020 | CONFIG_IP_SET=m | ||
1021 | CONFIG_IP_SET_MAX=256 | ||
1022 | CONFIG_IP_SET_BITMAP_IP=m | ||
1023 | CONFIG_IP_SET_BITMAP_IPMAC=m | ||
1024 | CONFIG_IP_SET_BITMAP_PORT=m | ||
1025 | CONFIG_IP_SET_HASH_IP=m | ||
1026 | CONFIG_IP_SET_HASH_IPMARK=m | ||
1027 | CONFIG_IP_SET_HASH_IPPORT=m | ||
1028 | CONFIG_IP_SET_HASH_IPPORTIP=m | ||
1029 | CONFIG_IP_SET_HASH_IPPORTNET=m | ||
1030 | CONFIG_IP_SET_HASH_MAC=m | ||
1031 | CONFIG_IP_SET_HASH_NETPORTNET=m | ||
1032 | CONFIG_IP_SET_HASH_NET=m | ||
1033 | CONFIG_IP_SET_HASH_NETNET=m | ||
1034 | CONFIG_IP_SET_HASH_NETPORT=m | ||
1035 | CONFIG_IP_SET_HASH_NETIFACE=m | ||
1036 | CONFIG_IP_SET_LIST_SET=m | ||
1037 | CONFIG_IP_VS=m | ||
1038 | CONFIG_IP_VS_IPV6=y | ||
1039 | # CONFIG_IP_VS_DEBUG is not set | ||
1040 | CONFIG_IP_VS_TAB_BITS=12 | ||
1041 | |||
1042 | # | ||
1043 | # IPVS transport protocol load balancing support | ||
1044 | # | ||
1045 | CONFIG_IP_VS_PROTO_TCP=y | ||
1046 | CONFIG_IP_VS_PROTO_UDP=y | ||
1047 | CONFIG_IP_VS_PROTO_AH_ESP=y | ||
1048 | CONFIG_IP_VS_PROTO_ESP=y | ||
1049 | CONFIG_IP_VS_PROTO_AH=y | ||
1050 | CONFIG_IP_VS_PROTO_SCTP=y | ||
1051 | |||
1052 | # | ||
1053 | # IPVS scheduler | ||
1054 | # | ||
1055 | CONFIG_IP_VS_RR=m | ||
1056 | CONFIG_IP_VS_WRR=m | ||
1057 | CONFIG_IP_VS_LC=m | ||
1058 | CONFIG_IP_VS_WLC=m | ||
1059 | CONFIG_IP_VS_FO=m | ||
1060 | CONFIG_IP_VS_OVF=m | ||
1061 | CONFIG_IP_VS_LBLC=m | ||
1062 | CONFIG_IP_VS_LBLCR=m | ||
1063 | CONFIG_IP_VS_DH=m | ||
1064 | CONFIG_IP_VS_SH=m | ||
1065 | CONFIG_IP_VS_SED=m | ||
1066 | CONFIG_IP_VS_NQ=m | ||
1067 | |||
1068 | # | ||
1069 | # IPVS SH scheduler | ||
1070 | # | ||
1071 | CONFIG_IP_VS_SH_TAB_BITS=8 | ||
1072 | |||
1073 | # | ||
1074 | # IPVS application helper | ||
1075 | # | ||
1076 | CONFIG_IP_VS_FTP=m | ||
1077 | CONFIG_IP_VS_NFCT=y | ||
1078 | CONFIG_IP_VS_PE_SIP=m | ||
1079 | |||
1080 | # | ||
1081 | # IP: Netfilter Configuration | ||
1082 | # | ||
1083 | CONFIG_NF_DEFRAG_IPV4=m | ||
1084 | CONFIG_NF_CONNTRACK_IPV4=m | ||
1085 | CONFIG_NF_CONNTRACK_PROC_COMPAT=y | ||
1086 | CONFIG_NF_TABLES_IPV4=m | ||
1087 | CONFIG_NFT_CHAIN_ROUTE_IPV4=m | ||
1088 | CONFIG_NFT_REJECT_IPV4=m | ||
1089 | CONFIG_NFT_DUP_IPV4=m | ||
1090 | CONFIG_NF_TABLES_ARP=m | ||
1091 | CONFIG_NF_DUP_IPV4=m | ||
1092 | CONFIG_NF_LOG_ARP=m | ||
1093 | CONFIG_NF_LOG_IPV4=m | ||
1094 | CONFIG_NF_REJECT_IPV4=m | ||
1095 | CONFIG_NF_NAT_IPV4=m | ||
1096 | CONFIG_NFT_CHAIN_NAT_IPV4=m | ||
1097 | CONFIG_NF_NAT_MASQUERADE_IPV4=m | ||
1098 | CONFIG_NFT_MASQ_IPV4=m | ||
1099 | CONFIG_NFT_REDIR_IPV4=m | ||
1100 | CONFIG_NF_NAT_SNMP_BASIC=m | ||
1101 | CONFIG_NF_NAT_PROTO_GRE=m | ||
1102 | CONFIG_NF_NAT_PPTP=m | ||
1103 | CONFIG_NF_NAT_H323=m | ||
1104 | CONFIG_IP_NF_IPTABLES=m | ||
1105 | CONFIG_IP_NF_MATCH_AH=m | ||
1106 | CONFIG_IP_NF_MATCH_ECN=m | ||
1107 | CONFIG_IP_NF_MATCH_RPFILTER=m | ||
1108 | CONFIG_IP_NF_MATCH_TTL=m | ||
1109 | CONFIG_IP_NF_FILTER=m | ||
1110 | CONFIG_IP_NF_TARGET_REJECT=m | ||
1111 | CONFIG_IP_NF_TARGET_SYNPROXY=m | ||
1112 | CONFIG_IP_NF_NAT=m | ||
1113 | CONFIG_IP_NF_TARGET_MASQUERADE=m | ||
1114 | CONFIG_IP_NF_TARGET_NETMAP=m | ||
1115 | CONFIG_IP_NF_TARGET_REDIRECT=m | ||
1116 | CONFIG_IP_NF_MANGLE=m | ||
1117 | CONFIG_IP_NF_TARGET_CLUSTERIP=m | ||
1118 | CONFIG_IP_NF_TARGET_ECN=m | ||
1119 | CONFIG_IP_NF_TARGET_TTL=m | ||
1120 | CONFIG_IP_NF_RAW=m | ||
1121 | CONFIG_IP_NF_SECURITY=m | ||
1122 | CONFIG_IP_NF_ARPTABLES=m | ||
1123 | CONFIG_IP_NF_ARPFILTER=m | ||
1124 | CONFIG_IP_NF_ARP_MANGLE=m | ||
1125 | |||
1126 | # | ||
1127 | # IPv6: Netfilter Configuration | ||
1128 | # | ||
1129 | CONFIG_NF_DEFRAG_IPV6=m | ||
1130 | CONFIG_NF_CONNTRACK_IPV6=m | ||
1131 | CONFIG_NF_TABLES_IPV6=m | ||
1132 | CONFIG_NFT_CHAIN_ROUTE_IPV6=m | ||
1133 | CONFIG_NFT_REJECT_IPV6=m | ||
1134 | CONFIG_NFT_DUP_IPV6=m | ||
1135 | CONFIG_NF_DUP_IPV6=m | ||
1136 | CONFIG_NF_REJECT_IPV6=m | ||
1137 | CONFIG_NF_LOG_IPV6=m | ||
1138 | CONFIG_NF_NAT_IPV6=m | ||
1139 | CONFIG_NFT_CHAIN_NAT_IPV6=m | ||
1140 | CONFIG_NF_NAT_MASQUERADE_IPV6=m | ||
1141 | CONFIG_NFT_MASQ_IPV6=m | ||
1142 | CONFIG_NFT_REDIR_IPV6=m | ||
1143 | CONFIG_IP6_NF_IPTABLES=m | ||
1144 | CONFIG_IP6_NF_MATCH_AH=m | ||
1145 | CONFIG_IP6_NF_MATCH_EUI64=m | ||
1146 | CONFIG_IP6_NF_MATCH_FRAG=m | ||
1147 | CONFIG_IP6_NF_MATCH_OPTS=m | ||
1148 | CONFIG_IP6_NF_MATCH_HL=m | ||
1149 | CONFIG_IP6_NF_MATCH_IPV6HEADER=m | ||
1150 | CONFIG_IP6_NF_MATCH_MH=m | ||
1151 | CONFIG_IP6_NF_MATCH_RPFILTER=m | ||
1152 | CONFIG_IP6_NF_MATCH_RT=m | ||
1153 | CONFIG_IP6_NF_TARGET_HL=m | ||
1154 | CONFIG_IP6_NF_FILTER=m | ||
1155 | CONFIG_IP6_NF_TARGET_REJECT=m | ||
1156 | CONFIG_IP6_NF_TARGET_SYNPROXY=m | ||
1157 | CONFIG_IP6_NF_MANGLE=m | ||
1158 | CONFIG_IP6_NF_RAW=m | ||
1159 | CONFIG_IP6_NF_SECURITY=m | ||
1160 | CONFIG_IP6_NF_NAT=m | ||
1161 | CONFIG_IP6_NF_TARGET_MASQUERADE=m | ||
1162 | CONFIG_IP6_NF_TARGET_NPT=m | ||
1163 | |||
1164 | # | ||
1165 | # DECnet: Netfilter Configuration | ||
1166 | # | ||
1167 | CONFIG_DECNET_NF_GRABULATOR=m | ||
1168 | CONFIG_NF_TABLES_BRIDGE=m | ||
1169 | CONFIG_NFT_BRIDGE_META=m | ||
1170 | CONFIG_NFT_BRIDGE_REJECT=m | ||
1171 | CONFIG_NF_LOG_BRIDGE=m | ||
1172 | CONFIG_BRIDGE_NF_EBTABLES=m | ||
1173 | CONFIG_BRIDGE_EBT_BROUTE=m | ||
1174 | CONFIG_BRIDGE_EBT_T_FILTER=m | ||
1175 | CONFIG_BRIDGE_EBT_T_NAT=m | ||
1176 | CONFIG_BRIDGE_EBT_802_3=m | ||
1177 | CONFIG_BRIDGE_EBT_AMONG=m | ||
1178 | CONFIG_BRIDGE_EBT_ARP=m | ||
1179 | CONFIG_BRIDGE_EBT_IP=m | ||
1180 | CONFIG_BRIDGE_EBT_IP6=m | ||
1181 | CONFIG_BRIDGE_EBT_LIMIT=m | ||
1182 | CONFIG_BRIDGE_EBT_MARK=m | ||
1183 | CONFIG_BRIDGE_EBT_PKTTYPE=m | ||
1184 | CONFIG_BRIDGE_EBT_STP=m | ||
1185 | CONFIG_BRIDGE_EBT_VLAN=m | ||
1186 | CONFIG_BRIDGE_EBT_ARPREPLY=m | ||
1187 | CONFIG_BRIDGE_EBT_DNAT=m | ||
1188 | CONFIG_BRIDGE_EBT_MARK_T=m | ||
1189 | CONFIG_BRIDGE_EBT_REDIRECT=m | ||
1190 | CONFIG_BRIDGE_EBT_SNAT=m | ||
1191 | CONFIG_BRIDGE_EBT_LOG=m | ||
1192 | CONFIG_BRIDGE_EBT_NFLOG=m | ||
1193 | CONFIG_IP_DCCP=m | ||
1194 | CONFIG_INET_DCCP_DIAG=m | ||
1195 | |||
1196 | # | ||
1197 | # DCCP CCIDs Configuration | ||
1198 | # | ||
1199 | # CONFIG_IP_DCCP_CCID2_DEBUG is not set | ||
1200 | CONFIG_IP_DCCP_CCID3=y | ||
1201 | # CONFIG_IP_DCCP_CCID3_DEBUG is not set | ||
1202 | CONFIG_IP_DCCP_TFRC_LIB=y | ||
1203 | |||
1204 | # | ||
1205 | # DCCP Kernel Hacking | ||
1206 | # | ||
1207 | # CONFIG_IP_DCCP_DEBUG is not set | ||
1208 | CONFIG_NET_DCCPPROBE=m | ||
1209 | CONFIG_IP_SCTP=m | ||
1210 | CONFIG_NET_SCTPPROBE=m | ||
1211 | # CONFIG_SCTP_DBG_OBJCNT is not set | ||
1212 | CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y | ||
1213 | # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set | ||
1214 | # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set | ||
1215 | CONFIG_SCTP_COOKIE_HMAC_MD5=y | ||
1216 | CONFIG_SCTP_COOKIE_HMAC_SHA1=y | ||
1217 | CONFIG_RDS=m | ||
1218 | CONFIG_RDS_RDMA=m | ||
1219 | CONFIG_RDS_TCP=m | ||
1220 | # CONFIG_RDS_DEBUG is not set | ||
1221 | CONFIG_TIPC=m | ||
1222 | CONFIG_TIPC_MEDIA_IB=y | ||
1223 | CONFIG_TIPC_MEDIA_UDP=y | ||
1224 | CONFIG_ATM=m | ||
1225 | CONFIG_ATM_CLIP=m | ||
1226 | # CONFIG_ATM_CLIP_NO_ICMP is not set | ||
1227 | CONFIG_ATM_LANE=m | ||
1228 | CONFIG_ATM_MPOA=m | ||
1229 | CONFIG_ATM_BR2684=m | ||
1230 | # CONFIG_ATM_BR2684_IPFILTER is not set | ||
1231 | CONFIG_L2TP=m | ||
1232 | CONFIG_L2TP_V3=y | ||
1233 | CONFIG_L2TP_IP=m | ||
1234 | CONFIG_L2TP_ETH=m | ||
1235 | CONFIG_STP=m | ||
1236 | CONFIG_GARP=m | ||
1237 | CONFIG_MRP=m | ||
1238 | CONFIG_BRIDGE=m | ||
1239 | CONFIG_BRIDGE_IGMP_SNOOPING=y | ||
1240 | CONFIG_BRIDGE_VLAN_FILTERING=y | ||
1241 | CONFIG_HAVE_NET_DSA=y | ||
1242 | CONFIG_VLAN_8021Q=m | ||
1243 | CONFIG_VLAN_8021Q_GVRP=y | ||
1244 | CONFIG_VLAN_8021Q_MVRP=y | ||
1245 | CONFIG_DECNET=m | ||
1246 | # CONFIG_DECNET_ROUTER is not set | ||
1247 | CONFIG_LLC=m | ||
1248 | CONFIG_LLC2=m | ||
1249 | CONFIG_IPX=m | ||
1250 | # CONFIG_IPX_INTERN is not set | ||
1251 | CONFIG_ATALK=m | ||
1252 | CONFIG_DEV_APPLETALK=m | ||
1253 | CONFIG_IPDDP=m | ||
1254 | CONFIG_IPDDP_ENCAP=y | ||
1255 | # CONFIG_X25 is not set | ||
1256 | CONFIG_LAPB=m | ||
1257 | CONFIG_PHONET=m | ||
1258 | CONFIG_6LOWPAN=m | ||
1259 | CONFIG_6LOWPAN_NHC=m | ||
1260 | CONFIG_6LOWPAN_NHC_DEST=m | ||
1261 | CONFIG_6LOWPAN_NHC_FRAGMENT=m | ||
1262 | CONFIG_6LOWPAN_NHC_HOP=m | ||
1263 | CONFIG_6LOWPAN_NHC_IPV6=m | ||
1264 | CONFIG_6LOWPAN_NHC_MOBILITY=m | ||
1265 | CONFIG_6LOWPAN_NHC_ROUTING=m | ||
1266 | CONFIG_6LOWPAN_NHC_UDP=m | ||
1267 | CONFIG_IEEE802154=m | ||
1268 | # CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set | ||
1269 | CONFIG_IEEE802154_SOCKET=m | ||
1270 | CONFIG_IEEE802154_6LOWPAN=m | ||
1271 | # CONFIG_MAC802154 is not set | ||
1272 | CONFIG_NET_SCHED=y | ||
1273 | |||
1274 | # | ||
1275 | # Queueing/Scheduling | ||
1276 | # | ||
1277 | CONFIG_NET_SCH_CBQ=m | ||
1278 | CONFIG_NET_SCH_HTB=m | ||
1279 | CONFIG_NET_SCH_HFSC=m | ||
1280 | CONFIG_NET_SCH_ATM=m | ||
1281 | CONFIG_NET_SCH_PRIO=m | ||
1282 | CONFIG_NET_SCH_MULTIQ=m | ||
1283 | CONFIG_NET_SCH_RED=m | ||
1284 | CONFIG_NET_SCH_SFB=m | ||
1285 | CONFIG_NET_SCH_SFQ=m | ||
1286 | CONFIG_NET_SCH_TEQL=m | ||
1287 | CONFIG_NET_SCH_TBF=m | ||
1288 | CONFIG_NET_SCH_GRED=m | ||
1289 | CONFIG_NET_SCH_DSMARK=m | ||
1290 | CONFIG_NET_SCH_NETEM=m | ||
1291 | CONFIG_NET_SCH_DRR=m | ||
1292 | CONFIG_NET_SCH_MQPRIO=m | ||
1293 | CONFIG_NET_SCH_CHOKE=m | ||
1294 | CONFIG_NET_SCH_QFQ=m | ||
1295 | CONFIG_NET_SCH_CODEL=m | ||
1296 | CONFIG_NET_SCH_FQ_CODEL=m | ||
1297 | CONFIG_NET_SCH_FQ=m | ||
1298 | CONFIG_NET_SCH_HHF=m | ||
1299 | CONFIG_NET_SCH_PIE=m | ||
1300 | CONFIG_NET_SCH_INGRESS=m | ||
1301 | CONFIG_NET_SCH_PLUG=m | ||
1302 | |||
1303 | # | ||
1304 | # Classification | ||
1305 | # | ||
1306 | CONFIG_NET_CLS=y | ||
1307 | CONFIG_NET_CLS_BASIC=m | ||
1308 | CONFIG_NET_CLS_TCINDEX=m | ||
1309 | CONFIG_NET_CLS_ROUTE4=m | ||
1310 | CONFIG_NET_CLS_FW=m | ||
1311 | CONFIG_NET_CLS_U32=m | ||
1312 | CONFIG_CLS_U32_PERF=y | ||
1313 | CONFIG_CLS_U32_MARK=y | ||
1314 | CONFIG_NET_CLS_RSVP=m | ||
1315 | CONFIG_NET_CLS_RSVP6=m | ||
1316 | CONFIG_NET_CLS_FLOW=m | ||
1317 | CONFIG_NET_CLS_CGROUP=m | ||
1318 | CONFIG_NET_CLS_BPF=m | ||
1319 | CONFIG_NET_CLS_FLOWER=m | ||
1320 | CONFIG_NET_EMATCH=y | ||
1321 | CONFIG_NET_EMATCH_STACK=32 | ||
1322 | CONFIG_NET_EMATCH_CMP=m | ||
1323 | CONFIG_NET_EMATCH_NBYTE=m | ||
1324 | CONFIG_NET_EMATCH_U32=m | ||
1325 | CONFIG_NET_EMATCH_META=m | ||
1326 | CONFIG_NET_EMATCH_TEXT=m | ||
1327 | CONFIG_NET_EMATCH_CANID=m | ||
1328 | CONFIG_NET_EMATCH_IPSET=m | ||
1329 | CONFIG_NET_CLS_ACT=y | ||
1330 | CONFIG_NET_ACT_POLICE=m | ||
1331 | CONFIG_NET_ACT_GACT=m | ||
1332 | CONFIG_GACT_PROB=y | ||
1333 | CONFIG_NET_ACT_MIRRED=m | ||
1334 | CONFIG_NET_ACT_IPT=m | ||
1335 | CONFIG_NET_ACT_NAT=m | ||
1336 | CONFIG_NET_ACT_PEDIT=m | ||
1337 | CONFIG_NET_ACT_SIMP=m | ||
1338 | CONFIG_NET_ACT_SKBEDIT=m | ||
1339 | CONFIG_NET_ACT_CSUM=m | ||
1340 | CONFIG_NET_ACT_VLAN=m | ||
1341 | CONFIG_NET_ACT_BPF=m | ||
1342 | CONFIG_NET_ACT_CONNMARK=m | ||
1343 | CONFIG_NET_CLS_IND=y | ||
1344 | CONFIG_NET_SCH_FIFO=y | ||
1345 | CONFIG_DCB=y | ||
1346 | CONFIG_DNS_RESOLVER=m | ||
1347 | CONFIG_BATMAN_ADV=m | ||
1348 | CONFIG_BATMAN_ADV_BLA=y | ||
1349 | CONFIG_BATMAN_ADV_DAT=y | ||
1350 | CONFIG_BATMAN_ADV_NC=y | ||
1351 | CONFIG_BATMAN_ADV_MCAST=y | ||
1352 | CONFIG_OPENVSWITCH=m | ||
1353 | CONFIG_OPENVSWITCH_GRE=m | ||
1354 | CONFIG_OPENVSWITCH_VXLAN=m | ||
1355 | CONFIG_OPENVSWITCH_GENEVE=m | ||
1356 | CONFIG_VSOCKETS=m | ||
1357 | CONFIG_VMWARE_VMCI_VSOCKETS=m | ||
1358 | CONFIG_NETLINK_MMAP=y | ||
1359 | CONFIG_NETLINK_DIAG=m | ||
1360 | CONFIG_MPLS=y | ||
1361 | CONFIG_NET_MPLS_GSO=y | ||
1362 | CONFIG_MPLS_ROUTING=m | ||
1363 | CONFIG_MPLS_IPTUNNEL=m | ||
1364 | # CONFIG_HSR is not set | ||
1365 | # CONFIG_NET_SWITCHDEV is not set | ||
1366 | CONFIG_NET_L3_MASTER_DEV=y | ||
1367 | CONFIG_RPS=y | ||
1368 | CONFIG_RFS_ACCEL=y | ||
1369 | CONFIG_XPS=y | ||
1370 | CONFIG_CGROUP_NET_PRIO=y | ||
1371 | CONFIG_CGROUP_NET_CLASSID=y | ||
1372 | CONFIG_NET_RX_BUSY_POLL=y | ||
1373 | CONFIG_BQL=y | ||
1374 | CONFIG_BPF_JIT=y | ||
1375 | CONFIG_NET_FLOW_LIMIT=y | ||
1376 | |||
1377 | # | ||
1378 | # Network testing | ||
1379 | # | ||
1380 | CONFIG_NET_PKTGEN=m | ||
1381 | # CONFIG_NET_TCPPROBE is not set | ||
1382 | CONFIG_HAMRADIO=y | ||
1383 | |||
1384 | # | ||
1385 | # Packet Radio protocols | ||
1386 | # | ||
1387 | CONFIG_AX25=m | ||
1388 | # CONFIG_AX25_DAMA_SLAVE is not set | ||
1389 | CONFIG_NETROM=m | ||
1390 | CONFIG_ROSE=m | ||
1391 | |||
1392 | # | ||
1393 | # AX.25 network device drivers | ||
1394 | # | ||
1395 | CONFIG_MKISS=m | ||
1396 | CONFIG_6PACK=m | ||
1397 | CONFIG_BPQETHER=m | ||
1398 | CONFIG_BAYCOM_SER_FDX=m | ||
1399 | CONFIG_BAYCOM_SER_HDX=m | ||
1400 | CONFIG_BAYCOM_PAR=m | ||
1401 | CONFIG_YAM=m | ||
1402 | CONFIG_CAN=m | ||
1403 | CONFIG_CAN_RAW=m | ||
1404 | CONFIG_CAN_BCM=m | ||
1405 | CONFIG_CAN_GW=m | ||
1406 | |||
1407 | # | ||
1408 | # CAN Device Drivers | ||
1409 | # | ||
1410 | CONFIG_CAN_VCAN=m | ||
1411 | CONFIG_CAN_SLCAN=m | ||
1412 | CONFIG_CAN_DEV=m | ||
1413 | CONFIG_CAN_CALC_BITTIMING=y | ||
1414 | # CONFIG_CAN_LEDS is not set | ||
1415 | CONFIG_CAN_SJA1000=m | ||
1416 | CONFIG_CAN_SJA1000_ISA=m | ||
1417 | # CONFIG_CAN_SJA1000_PLATFORM is not set | ||
1418 | CONFIG_CAN_EMS_PCMCIA=m | ||
1419 | CONFIG_CAN_EMS_PCI=m | ||
1420 | CONFIG_CAN_PEAK_PCMCIA=m | ||
1421 | CONFIG_CAN_PEAK_PCI=m | ||
1422 | CONFIG_CAN_PEAK_PCIEC=y | ||
1423 | CONFIG_CAN_KVASER_PCI=m | ||
1424 | CONFIG_CAN_PLX_PCI=m | ||
1425 | # CONFIG_CAN_C_CAN is not set | ||
1426 | # CONFIG_CAN_M_CAN is not set | ||
1427 | # CONFIG_CAN_CC770 is not set | ||
1428 | |||
1429 | # | ||
1430 | # CAN SPI interfaces | ||
1431 | # | ||
1432 | # CONFIG_CAN_MCP251X is not set | ||
1433 | |||
1434 | # | ||
1435 | # CAN USB interfaces | ||
1436 | # | ||
1437 | CONFIG_CAN_EMS_USB=m | ||
1438 | CONFIG_CAN_ESD_USB2=m | ||
1439 | CONFIG_CAN_GS_USB=m | ||
1440 | CONFIG_CAN_KVASER_USB=m | ||
1441 | CONFIG_CAN_PEAK_USB=m | ||
1442 | CONFIG_CAN_8DEV_USB=m | ||
1443 | CONFIG_CAN_SOFTING=m | ||
1444 | CONFIG_CAN_SOFTING_CS=m | ||
1445 | # CONFIG_CAN_DEBUG_DEVICES is not set | ||
1446 | CONFIG_IRDA=m | ||
1447 | |||
1448 | # | ||
1449 | # IrDA protocols | ||
1450 | # | ||
1451 | CONFIG_IRLAN=m | ||
1452 | CONFIG_IRNET=m | ||
1453 | CONFIG_IRCOMM=m | ||
1454 | # CONFIG_IRDA_ULTRA is not set | ||
1455 | |||
1456 | # | ||
1457 | # IrDA options | ||
1458 | # | ||
1459 | CONFIG_IRDA_CACHE_LAST_LSAP=y | ||
1460 | CONFIG_IRDA_FAST_RR=y | ||
1461 | # CONFIG_IRDA_DEBUG is not set | ||
1462 | |||
1463 | # | ||
1464 | # Infrared-port device drivers | ||
1465 | # | ||
1466 | |||
1467 | # | ||
1468 | # SIR device drivers | ||
1469 | # | ||
1470 | CONFIG_IRTTY_SIR=m | ||
1471 | |||
1472 | # | ||
1473 | # Dongle support | ||
1474 | # | ||
1475 | CONFIG_DONGLE=y | ||
1476 | CONFIG_ESI_DONGLE=m | ||
1477 | CONFIG_ACTISYS_DONGLE=m | ||
1478 | CONFIG_TEKRAM_DONGLE=m | ||
1479 | CONFIG_TOIM3232_DONGLE=m | ||
1480 | CONFIG_LITELINK_DONGLE=m | ||
1481 | CONFIG_MA600_DONGLE=m | ||
1482 | CONFIG_GIRBIL_DONGLE=m | ||
1483 | CONFIG_MCP2120_DONGLE=m | ||
1484 | CONFIG_OLD_BELKIN_DONGLE=m | ||
1485 | CONFIG_ACT200L_DONGLE=m | ||
1486 | CONFIG_KINGSUN_DONGLE=m | ||
1487 | CONFIG_KSDAZZLE_DONGLE=m | ||
1488 | CONFIG_KS959_DONGLE=m | ||
1489 | |||
1490 | # | ||
1491 | # FIR device drivers | ||
1492 | # | ||
1493 | CONFIG_USB_IRDA=m | ||
1494 | CONFIG_SIGMATEL_FIR=m | ||
1495 | CONFIG_NSC_FIR=m | ||
1496 | CONFIG_WINBOND_FIR=m | ||
1497 | CONFIG_SMC_IRCC_FIR=m | ||
1498 | CONFIG_ALI_FIR=m | ||
1499 | CONFIG_VLSI_FIR=m | ||
1500 | CONFIG_VIA_FIR=m | ||
1501 | CONFIG_MCS_FIR=m | ||
1502 | CONFIG_BT=m | ||
1503 | CONFIG_BT_BREDR=y | ||
1504 | CONFIG_BT_RFCOMM=m | ||
1505 | CONFIG_BT_RFCOMM_TTY=y | ||
1506 | CONFIG_BT_BNEP=m | ||
1507 | CONFIG_BT_BNEP_MC_FILTER=y | ||
1508 | CONFIG_BT_BNEP_PROTO_FILTER=y | ||
1509 | CONFIG_BT_CMTP=m | ||
1510 | CONFIG_BT_HIDP=m | ||
1511 | CONFIG_BT_HS=y | ||
1512 | CONFIG_BT_LE=y | ||
1513 | CONFIG_BT_6LOWPAN=m | ||
1514 | # CONFIG_BT_SELFTEST is not set | ||
1515 | |||
1516 | # | ||
1517 | # Bluetooth device drivers | ||
1518 | # | ||
1519 | CONFIG_BT_INTEL=m | ||
1520 | CONFIG_BT_BCM=m | ||
1521 | CONFIG_BT_RTL=m | ||
1522 | CONFIG_BT_QCA=m | ||
1523 | CONFIG_BT_HCIBTUSB=m | ||
1524 | CONFIG_BT_HCIBTUSB_BCM=y | ||
1525 | CONFIG_BT_HCIBTUSB_RTL=y | ||
1526 | CONFIG_BT_HCIBTSDIO=m | ||
1527 | CONFIG_BT_HCIUART=m | ||
1528 | CONFIG_BT_HCIUART_H4=y | ||
1529 | CONFIG_BT_HCIUART_BCSP=y | ||
1530 | CONFIG_BT_HCIUART_ATH3K=y | ||
1531 | CONFIG_BT_HCIUART_LL=y | ||
1532 | CONFIG_BT_HCIUART_3WIRE=y | ||
1533 | CONFIG_BT_HCIUART_INTEL=y | ||
1534 | CONFIG_BT_HCIUART_BCM=y | ||
1535 | CONFIG_BT_HCIUART_QCA=y | ||
1536 | CONFIG_BT_HCIBCM203X=m | ||
1537 | CONFIG_BT_HCIBPA10X=m | ||
1538 | CONFIG_BT_HCIBFUSB=m | ||
1539 | CONFIG_BT_HCIDTL1=m | ||
1540 | CONFIG_BT_HCIBT3C=m | ||
1541 | CONFIG_BT_HCIBLUECARD=m | ||
1542 | # CONFIG_BT_HCIBTUART is not set | ||
1543 | CONFIG_BT_HCIVHCI=m | ||
1544 | CONFIG_BT_MRVL=m | ||
1545 | CONFIG_BT_MRVL_SDIO=m | ||
1546 | CONFIG_BT_ATH3K=m | ||
1547 | CONFIG_AF_RXRPC=m | ||
1548 | # CONFIG_AF_RXRPC_DEBUG is not set | ||
1549 | CONFIG_RXKAD=m | ||
1550 | CONFIG_FIB_RULES=y | ||
1551 | CONFIG_WIRELESS=y | ||
1552 | CONFIG_WIRELESS_EXT=y | ||
1553 | CONFIG_WEXT_CORE=y | ||
1554 | CONFIG_WEXT_PROC=y | ||
1555 | CONFIG_WEXT_SPY=y | ||
1556 | CONFIG_WEXT_PRIV=y | ||
1557 | CONFIG_CFG80211=m | ||
1558 | # CONFIG_NL80211_TESTMODE is not set | ||
1559 | # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set | ||
1560 | # CONFIG_CFG80211_REG_DEBUG is not set | ||
1561 | # CONFIG_CFG80211_CERTIFICATION_ONUS is not set | ||
1562 | CONFIG_CFG80211_DEFAULT_PS=y | ||
1563 | # CONFIG_CFG80211_INTERNAL_REGDB is not set | ||
1564 | CONFIG_CFG80211_CRDA_SUPPORT=y | ||
1565 | CONFIG_CFG80211_WEXT=y | ||
1566 | CONFIG_CFG80211_WEXT_EXPORT=y | ||
1567 | CONFIG_LIB80211=m | ||
1568 | CONFIG_LIB80211_CRYPT_WEP=m | ||
1569 | CONFIG_LIB80211_CRYPT_CCMP=m | ||
1570 | CONFIG_LIB80211_CRYPT_TKIP=m | ||
1571 | # CONFIG_LIB80211_DEBUG is not set | ||
1572 | CONFIG_MAC80211=m | ||
1573 | CONFIG_MAC80211_HAS_RC=y | ||
1574 | CONFIG_MAC80211_RC_MINSTREL=y | ||
1575 | CONFIG_MAC80211_RC_MINSTREL_HT=y | ||
1576 | # CONFIG_MAC80211_RC_MINSTREL_VHT is not set | ||
1577 | CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y | ||
1578 | CONFIG_MAC80211_RC_DEFAULT="minstrel_ht" | ||
1579 | CONFIG_MAC80211_MESH=y | ||
1580 | CONFIG_MAC80211_LEDS=y | ||
1581 | # CONFIG_MAC80211_MESSAGE_TRACING is not set | ||
1582 | # CONFIG_MAC80211_DEBUG_MENU is not set | ||
1583 | CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 | ||
1584 | CONFIG_WIMAX=m | ||
1585 | CONFIG_WIMAX_DEBUG_LEVEL=8 | ||
1586 | CONFIG_RFKILL=m | ||
1587 | CONFIG_RFKILL_LEDS=y | ||
1588 | CONFIG_RFKILL_INPUT=y | ||
1589 | # CONFIG_RFKILL_GPIO is not set | ||
1590 | CONFIG_NET_9P=m | ||
1591 | CONFIG_NET_9P_VIRTIO=m | ||
1592 | CONFIG_NET_9P_RDMA=m | ||
1593 | # CONFIG_NET_9P_DEBUG is not set | ||
1594 | # CONFIG_CAIF is not set | ||
1595 | CONFIG_CEPH_LIB=m | ||
1596 | # CONFIG_CEPH_LIB_PRETTYDEBUG is not set | ||
1597 | # CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set | ||
1598 | CONFIG_NFC=m | ||
1599 | CONFIG_NFC_DIGITAL=m | ||
1600 | # CONFIG_NFC_NCI is not set | ||
1601 | CONFIG_NFC_HCI=m | ||
1602 | # CONFIG_NFC_SHDLC is not set | ||
1603 | |||
1604 | # | ||
1605 | # Near Field Communication (NFC) devices | ||
1606 | # | ||
1607 | CONFIG_NFC_PN533=m | ||
1608 | # CONFIG_NFC_TRF7970A is not set | ||
1609 | CONFIG_NFC_MEI_PHY=m | ||
1610 | CONFIG_NFC_SIM=m | ||
1611 | CONFIG_NFC_PORT100=m | ||
1612 | CONFIG_NFC_PN544=m | ||
1613 | CONFIG_NFC_PN544_MEI=m | ||
1614 | # CONFIG_NFC_MICROREAD_MEI is not set | ||
1615 | # CONFIG_NFC_ST21NFCA is not set | ||
1616 | CONFIG_LWTUNNEL=y | ||
1617 | CONFIG_HAVE_BPF_JIT=y | ||
1618 | |||
1619 | # | ||
1620 | # Device Drivers | ||
1621 | # | ||
1622 | |||
1623 | # | ||
1624 | # Generic Driver Options | ||
1625 | # | ||
1626 | # CONFIG_UEVENT_HELPER is not set | ||
1627 | CONFIG_DEVTMPFS=y | ||
1628 | # CONFIG_DEVTMPFS_MOUNT is not set | ||
1629 | CONFIG_STANDALONE=y | ||
1630 | CONFIG_PREVENT_FIRMWARE_BUILD=y | ||
1631 | CONFIG_FW_LOADER=y | ||
1632 | # CONFIG_FIRMWARE_IN_KERNEL is not set | ||
1633 | CONFIG_EXTRA_FIRMWARE="" | ||
1634 | CONFIG_FW_LOADER_USER_HELPER=y | ||
1635 | # CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set | ||
1636 | CONFIG_WANT_DEV_COREDUMP=y | ||
1637 | CONFIG_ALLOW_DEV_COREDUMP=y | ||
1638 | CONFIG_DEV_COREDUMP=y | ||
1639 | # CONFIG_DEBUG_DRIVER is not set | ||
1640 | # CONFIG_DEBUG_DEVRES is not set | ||
1641 | # CONFIG_SYS_HYPERVISOR is not set | ||
1642 | # CONFIG_GENERIC_CPU_DEVICES is not set | ||
1643 | CONFIG_GENERIC_CPU_AUTOPROBE=y | ||
1644 | CONFIG_REGMAP=y | ||
1645 | CONFIG_REGMAP_I2C=m | ||
1646 | CONFIG_REGMAP_SPI=m | ||
1647 | CONFIG_DMA_SHARED_BUFFER=y | ||
1648 | # CONFIG_FENCE_TRACE is not set | ||
1649 | |||
1650 | # | ||
1651 | # Bus devices | ||
1652 | # | ||
1653 | CONFIG_CONNECTOR=y | ||
1654 | CONFIG_PROC_EVENTS=y | ||
1655 | CONFIG_MTD=m | ||
1656 | # CONFIG_MTD_TESTS is not set | ||
1657 | CONFIG_MTD_REDBOOT_PARTS=m | ||
1658 | CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1 | ||
1659 | # CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set | ||
1660 | # CONFIG_MTD_REDBOOT_PARTS_READONLY is not set | ||
1661 | # CONFIG_MTD_CMDLINE_PARTS is not set | ||
1662 | CONFIG_MTD_AR7_PARTS=m | ||
1663 | |||
1664 | # | ||
1665 | # User Modules And Translation Layers | ||
1666 | # | ||
1667 | CONFIG_MTD_BLKDEVS=m | ||
1668 | CONFIG_MTD_BLOCK=m | ||
1669 | CONFIG_MTD_BLOCK_RO=m | ||
1670 | CONFIG_FTL=m | ||
1671 | CONFIG_NFTL=m | ||
1672 | CONFIG_NFTL_RW=y | ||
1673 | CONFIG_INFTL=m | ||
1674 | CONFIG_RFD_FTL=m | ||
1675 | CONFIG_SSFDC=m | ||
1676 | # CONFIG_SM_FTL is not set | ||
1677 | CONFIG_MTD_OOPS=m | ||
1678 | CONFIG_MTD_SWAP=m | ||
1679 | # CONFIG_MTD_PARTITIONED_MASTER is not set | ||
1680 | |||
1681 | # | ||
1682 | # RAM/ROM/Flash chip drivers | ||
1683 | # | ||
1684 | CONFIG_MTD_CFI=m | ||
1685 | CONFIG_MTD_JEDECPROBE=m | ||
1686 | CONFIG_MTD_GEN_PROBE=m | ||
1687 | # CONFIG_MTD_CFI_ADV_OPTIONS is not set | ||
1688 | CONFIG_MTD_MAP_BANK_WIDTH_1=y | ||
1689 | CONFIG_MTD_MAP_BANK_WIDTH_2=y | ||
1690 | CONFIG_MTD_MAP_BANK_WIDTH_4=y | ||
1691 | # CONFIG_MTD_MAP_BANK_WIDTH_8 is not set | ||
1692 | # CONFIG_MTD_MAP_BANK_WIDTH_16 is not set | ||
1693 | # CONFIG_MTD_MAP_BANK_WIDTH_32 is not set | ||
1694 | CONFIG_MTD_CFI_I1=y | ||
1695 | CONFIG_MTD_CFI_I2=y | ||
1696 | # CONFIG_MTD_CFI_I4 is not set | ||
1697 | # CONFIG_MTD_CFI_I8 is not set | ||
1698 | CONFIG_MTD_CFI_INTELEXT=m | ||
1699 | CONFIG_MTD_CFI_AMDSTD=m | ||
1700 | CONFIG_MTD_CFI_STAA=m | ||
1701 | CONFIG_MTD_CFI_UTIL=m | ||
1702 | CONFIG_MTD_RAM=m | ||
1703 | CONFIG_MTD_ROM=m | ||
1704 | CONFIG_MTD_ABSENT=m | ||
1705 | |||
1706 | # | ||
1707 | # Mapping drivers for chip access | ||
1708 | # | ||
1709 | CONFIG_MTD_COMPLEX_MAPPINGS=y | ||
1710 | CONFIG_MTD_PHYSMAP=m | ||
1711 | # CONFIG_MTD_PHYSMAP_COMPAT is not set | ||
1712 | CONFIG_MTD_SBC_GXX=m | ||
1713 | # CONFIG_MTD_AMD76XROM is not set | ||
1714 | # CONFIG_MTD_ICHXROM is not set | ||
1715 | # CONFIG_MTD_ESB2ROM is not set | ||
1716 | # CONFIG_MTD_CK804XROM is not set | ||
1717 | # CONFIG_MTD_SCB2_FLASH is not set | ||
1718 | CONFIG_MTD_NETtel=m | ||
1719 | # CONFIG_MTD_L440GX is not set | ||
1720 | CONFIG_MTD_PCI=m | ||
1721 | CONFIG_MTD_PCMCIA=m | ||
1722 | # CONFIG_MTD_PCMCIA_ANONYMOUS is not set | ||
1723 | # CONFIG_MTD_GPIO_ADDR is not set | ||
1724 | CONFIG_MTD_INTEL_VR_NOR=m | ||
1725 | CONFIG_MTD_PLATRAM=m | ||
1726 | # CONFIG_MTD_LATCH_ADDR is not set | ||
1727 | |||
1728 | # | ||
1729 | # Self-contained MTD device drivers | ||
1730 | # | ||
1731 | # CONFIG_MTD_PMC551 is not set | ||
1732 | CONFIG_MTD_DATAFLASH=m | ||
1733 | # CONFIG_MTD_DATAFLASH_WRITE_VERIFY is not set | ||
1734 | # CONFIG_MTD_DATAFLASH_OTP is not set | ||
1735 | CONFIG_MTD_M25P80=m | ||
1736 | CONFIG_MTD_SST25L=m | ||
1737 | CONFIG_MTD_SLRAM=m | ||
1738 | CONFIG_MTD_PHRAM=m | ||
1739 | CONFIG_MTD_MTDRAM=m | ||
1740 | CONFIG_MTDRAM_TOTAL_SIZE=4096 | ||
1741 | CONFIG_MTDRAM_ERASE_SIZE=128 | ||
1742 | CONFIG_MTD_BLOCK2MTD=m | ||
1743 | |||
1744 | # | ||
1745 | # Disk-On-Chip Device Drivers | ||
1746 | # | ||
1747 | # CONFIG_MTD_DOCG3 is not set | ||
1748 | CONFIG_MTD_NAND_ECC=m | ||
1749 | # CONFIG_MTD_NAND_ECC_SMC is not set | ||
1750 | CONFIG_MTD_NAND=m | ||
1751 | CONFIG_MTD_NAND_BCH=m | ||
1752 | CONFIG_MTD_NAND_ECC_BCH=y | ||
1753 | CONFIG_MTD_SM_COMMON=m | ||
1754 | # CONFIG_MTD_NAND_DENALI_PCI is not set | ||
1755 | # CONFIG_MTD_NAND_DENALI_DT is not set | ||
1756 | # CONFIG_MTD_NAND_GPIO is not set | ||
1757 | # CONFIG_MTD_NAND_OMAP_BCH_BUILD is not set | ||
1758 | CONFIG_MTD_NAND_IDS=m | ||
1759 | CONFIG_MTD_NAND_RICOH=m | ||
1760 | CONFIG_MTD_NAND_DISKONCHIP=m | ||
1761 | # CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set | ||
1762 | CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0 | ||
1763 | # CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE is not set | ||
1764 | # CONFIG_MTD_NAND_DOCG4 is not set | ||
1765 | CONFIG_MTD_NAND_CAFE=m | ||
1766 | CONFIG_MTD_NAND_NANDSIM=m | ||
1767 | # CONFIG_MTD_NAND_PLATFORM is not set | ||
1768 | # CONFIG_MTD_NAND_HISI504 is not set | ||
1769 | CONFIG_MTD_ONENAND=m | ||
1770 | CONFIG_MTD_ONENAND_VERIFY_WRITE=y | ||
1771 | # CONFIG_MTD_ONENAND_GENERIC is not set | ||
1772 | # CONFIG_MTD_ONENAND_OTP is not set | ||
1773 | CONFIG_MTD_ONENAND_2X_PROGRAM=y | ||
1774 | |||
1775 | # | ||
1776 | # LPDDR & LPDDR2 PCM memory drivers | ||
1777 | # | ||
1778 | CONFIG_MTD_LPDDR=m | ||
1779 | CONFIG_MTD_QINFO_PROBE=m | ||
1780 | CONFIG_MTD_SPI_NOR=m | ||
1781 | CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y | ||
1782 | CONFIG_MTD_UBI=m | ||
1783 | CONFIG_MTD_UBI_WL_THRESHOLD=4096 | ||
1784 | CONFIG_MTD_UBI_BEB_LIMIT=20 | ||
1785 | # CONFIG_MTD_UBI_FASTMAP is not set | ||
1786 | # CONFIG_MTD_UBI_GLUEBI is not set | ||
1787 | CONFIG_MTD_UBI_BLOCK=y | ||
1788 | # CONFIG_OF is not set | ||
1789 | CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y | ||
1790 | CONFIG_PARPORT=m | ||
1791 | CONFIG_PARPORT_PC=m | ||
1792 | CONFIG_PARPORT_SERIAL=m | ||
1793 | # CONFIG_PARPORT_PC_FIFO is not set | ||
1794 | # CONFIG_PARPORT_PC_SUPERIO is not set | ||
1795 | CONFIG_PARPORT_PC_PCMCIA=m | ||
1796 | # CONFIG_PARPORT_GSC is not set | ||
1797 | # CONFIG_PARPORT_AX88796 is not set | ||
1798 | CONFIG_PARPORT_1284=y | ||
1799 | CONFIG_PARPORT_NOT_PC=y | ||
1800 | CONFIG_PNP=y | ||
1801 | # CONFIG_PNP_DEBUG_MESSAGES is not set | ||
1802 | |||
1803 | # | ||
1804 | # Protocols | ||
1805 | # | ||
1806 | CONFIG_PNPACPI=y | ||
1807 | CONFIG_BLK_DEV=y | ||
1808 | CONFIG_BLK_DEV_NULL_BLK=m | ||
1809 | CONFIG_BLK_DEV_FD=m | ||
1810 | # CONFIG_PARIDE is not set | ||
1811 | CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m | ||
1812 | CONFIG_ZRAM=m | ||
1813 | CONFIG_ZRAM_LZ4_COMPRESS=y | ||
1814 | CONFIG_BLK_CPQ_CISS_DA=m | ||
1815 | CONFIG_CISS_SCSI_TAPE=y | ||
1816 | CONFIG_BLK_DEV_DAC960=m | ||
1817 | CONFIG_BLK_DEV_UMEM=m | ||
1818 | # CONFIG_BLK_DEV_COW_COMMON is not set | ||
1819 | CONFIG_BLK_DEV_LOOP=m | ||
1820 | CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 | ||
1821 | # CONFIG_BLK_DEV_CRYPTOLOOP is not set | ||
1822 | CONFIG_BLK_DEV_DRBD=m | ||
1823 | # CONFIG_DRBD_FAULT_INJECTION is not set | ||
1824 | CONFIG_BLK_DEV_NBD=m | ||
1825 | CONFIG_BLK_DEV_SKD=m | ||
1826 | CONFIG_BLK_DEV_OSD=m | ||
1827 | CONFIG_BLK_DEV_SX8=m | ||
1828 | CONFIG_BLK_DEV_RAM=m | ||
1829 | CONFIG_BLK_DEV_RAM_COUNT=16 | ||
1830 | CONFIG_BLK_DEV_RAM_SIZE=16384 | ||
1831 | # CONFIG_BLK_DEV_RAM_DAX is not set | ||
1832 | CONFIG_CDROM_PKTCDVD=m | ||
1833 | CONFIG_CDROM_PKTCDVD_BUFFERS=8 | ||
1834 | # CONFIG_CDROM_PKTCDVD_WCACHE is not set | ||
1835 | CONFIG_ATA_OVER_ETH=m | ||
1836 | CONFIG_VIRTIO_BLK=m | ||
1837 | # CONFIG_BLK_DEV_HD is not set | ||
1838 | CONFIG_BLK_DEV_RBD=m | ||
1839 | CONFIG_BLK_DEV_RSXX=m | ||
1840 | CONFIG_BLK_DEV_NVME=m | ||
1841 | |||
1842 | # | ||
1843 | # Misc devices | ||
1844 | # | ||
1845 | CONFIG_SENSORS_LIS3LV02D=m | ||
1846 | CONFIG_AD525X_DPOT=m | ||
1847 | CONFIG_AD525X_DPOT_I2C=m | ||
1848 | CONFIG_AD525X_DPOT_SPI=m | ||
1849 | # CONFIG_DUMMY_IRQ is not set | ||
1850 | CONFIG_IBM_ASM=m | ||
1851 | CONFIG_PHANTOM=m | ||
1852 | CONFIG_SGI_IOC4=m | ||
1853 | CONFIG_TIFM_CORE=m | ||
1854 | CONFIG_TIFM_7XX1=m | ||
1855 | CONFIG_ICS932S401=m | ||
1856 | CONFIG_ENCLOSURE_SERVICES=m | ||
1857 | CONFIG_HP_ILO=m | ||
1858 | CONFIG_APDS9802ALS=m | ||
1859 | CONFIG_ISL29003=m | ||
1860 | CONFIG_ISL29020=m | ||
1861 | CONFIG_SENSORS_TSL2550=m | ||
1862 | CONFIG_SENSORS_BH1780=m | ||
1863 | CONFIG_SENSORS_BH1770=m | ||
1864 | CONFIG_SENSORS_APDS990X=m | ||
1865 | CONFIG_HMC6352=m | ||
1866 | CONFIG_DS1682=m | ||
1867 | CONFIG_TI_DAC7512=m | ||
1868 | CONFIG_VMWARE_BALLOON=m | ||
1869 | # CONFIG_BMP085_I2C is not set | ||
1870 | # CONFIG_BMP085_SPI is not set | ||
1871 | # CONFIG_USB_SWITCH_FSA9480 is not set | ||
1872 | # CONFIG_LATTICE_ECP3_CONFIG is not set | ||
1873 | # CONFIG_SRAM is not set | ||
1874 | CONFIG_C2PORT=m | ||
1875 | CONFIG_C2PORT_DURAMAR_2150=m | ||
1876 | |||
1877 | # | ||
1878 | # EEPROM support | ||
1879 | # | ||
1880 | CONFIG_EEPROM_AT24=m | ||
1881 | CONFIG_EEPROM_AT25=m | ||
1882 | CONFIG_EEPROM_LEGACY=m | ||
1883 | CONFIG_EEPROM_MAX6875=m | ||
1884 | CONFIG_EEPROM_93CX6=m | ||
1885 | # CONFIG_EEPROM_93XX46 is not set | ||
1886 | CONFIG_CB710_CORE=m | ||
1887 | # CONFIG_CB710_DEBUG is not set | ||
1888 | CONFIG_CB710_DEBUG_ASSUMPTIONS=y | ||
1889 | |||
1890 | # | ||
1891 | # Texas Instruments shared transport line discipline | ||
1892 | # | ||
1893 | # CONFIG_TI_ST is not set | ||
1894 | CONFIG_SENSORS_LIS3_I2C=m | ||
1895 | |||
1896 | # | ||
1897 | # Altera FPGA firmware download module | ||
1898 | # | ||
1899 | CONFIG_ALTERA_STAPL=m | ||
1900 | CONFIG_INTEL_MEI=m | ||
1901 | CONFIG_INTEL_MEI_ME=m | ||
1902 | # CONFIG_INTEL_MEI_TXE is not set | ||
1903 | CONFIG_VMWARE_VMCI=m | ||
1904 | |||
1905 | # | ||
1906 | # Intel MIC Bus Driver | ||
1907 | # | ||
1908 | CONFIG_INTEL_MIC_BUS=m | ||
1909 | |||
1910 | # | ||
1911 | # SCIF Bus Driver | ||
1912 | # | ||
1913 | CONFIG_SCIF_BUS=m | ||
1914 | |||
1915 | # | ||
1916 | # Intel MIC Host Driver | ||
1917 | # | ||
1918 | CONFIG_INTEL_MIC_HOST=m | ||
1919 | |||
1920 | # | ||
1921 | # Intel MIC Card Driver | ||
1922 | # | ||
1923 | # CONFIG_INTEL_MIC_CARD is not set | ||
1924 | |||
1925 | # | ||
1926 | # SCIF Driver | ||
1927 | # | ||
1928 | CONFIG_SCIF=m | ||
1929 | |||
1930 | # | ||
1931 | # Intel MIC Coprocessor State Management (COSM) Drivers | ||
1932 | # | ||
1933 | CONFIG_MIC_COSM=m | ||
1934 | # CONFIG_GENWQE is not set | ||
1935 | # CONFIG_ECHO is not set | ||
1936 | # CONFIG_CXL_BASE is not set | ||
1937 | # CONFIG_CXL_KERNEL_API is not set | ||
1938 | # CONFIG_CXL_EEH is not set | ||
1939 | CONFIG_HAVE_IDE=y | ||
1940 | # CONFIG_IDE is not set | ||
1941 | |||
1942 | # | ||
1943 | # SCSI device support | ||
1944 | # | ||
1945 | CONFIG_SCSI_MOD=m | ||
1946 | CONFIG_RAID_ATTRS=m | ||
1947 | CONFIG_SCSI=m | ||
1948 | CONFIG_SCSI_DMA=y | ||
1949 | CONFIG_SCSI_NETLINK=y | ||
1950 | # CONFIG_SCSI_MQ_DEFAULT is not set | ||
1951 | # CONFIG_SCSI_PROC_FS is not set | ||
1952 | |||
1953 | # | ||
1954 | # SCSI support type (disk, tape, CD-ROM) | ||
1955 | # | ||
1956 | CONFIG_BLK_DEV_SD=m | ||
1957 | CONFIG_CHR_DEV_ST=m | ||
1958 | CONFIG_CHR_DEV_OSST=m | ||
1959 | CONFIG_BLK_DEV_SR=m | ||
1960 | CONFIG_BLK_DEV_SR_VENDOR=y | ||
1961 | CONFIG_CHR_DEV_SG=m | ||
1962 | CONFIG_CHR_DEV_SCH=m | ||
1963 | CONFIG_SCSI_ENCLOSURE=m | ||
1964 | CONFIG_SCSI_CONSTANTS=y | ||
1965 | CONFIG_SCSI_LOGGING=y | ||
1966 | CONFIG_SCSI_SCAN_ASYNC=y | ||
1967 | |||
1968 | # | ||
1969 | # SCSI Transports | ||
1970 | # | ||
1971 | CONFIG_SCSI_SPI_ATTRS=m | ||
1972 | CONFIG_SCSI_FC_ATTRS=m | ||
1973 | CONFIG_SCSI_ISCSI_ATTRS=m | ||
1974 | CONFIG_SCSI_SAS_ATTRS=m | ||
1975 | CONFIG_SCSI_SAS_LIBSAS=m | ||
1976 | CONFIG_SCSI_SAS_ATA=y | ||
1977 | CONFIG_SCSI_SAS_HOST_SMP=y | ||
1978 | CONFIG_SCSI_SRP_ATTRS=m | ||
1979 | CONFIG_SCSI_LOWLEVEL=y | ||
1980 | CONFIG_ISCSI_TCP=m | ||
1981 | CONFIG_ISCSI_BOOT_SYSFS=m | ||
1982 | CONFIG_SCSI_CXGB3_ISCSI=m | ||
1983 | CONFIG_SCSI_CXGB4_ISCSI=m | ||
1984 | CONFIG_SCSI_BNX2_ISCSI=m | ||
1985 | CONFIG_SCSI_BNX2X_FCOE=m | ||
1986 | CONFIG_BE2ISCSI=m | ||
1987 | CONFIG_BLK_DEV_3W_XXXX_RAID=m | ||
1988 | CONFIG_SCSI_HPSA=m | ||
1989 | CONFIG_SCSI_3W_9XXX=m | ||
1990 | CONFIG_SCSI_3W_SAS=m | ||
1991 | CONFIG_SCSI_ACARD=m | ||
1992 | CONFIG_SCSI_AACRAID=m | ||
1993 | CONFIG_SCSI_AIC7XXX=m | ||
1994 | CONFIG_AIC7XXX_CMDS_PER_DEVICE=8 | ||
1995 | CONFIG_AIC7XXX_RESET_DELAY_MS=15000 | ||
1996 | CONFIG_AIC7XXX_DEBUG_ENABLE=y | ||
1997 | CONFIG_AIC7XXX_DEBUG_MASK=0 | ||
1998 | CONFIG_AIC7XXX_REG_PRETTY_PRINT=y | ||
1999 | CONFIG_SCSI_AIC79XX=m | ||
2000 | CONFIG_AIC79XX_CMDS_PER_DEVICE=32 | ||
2001 | CONFIG_AIC79XX_RESET_DELAY_MS=15000 | ||
2002 | CONFIG_AIC79XX_DEBUG_ENABLE=y | ||
2003 | CONFIG_AIC79XX_DEBUG_MASK=0 | ||
2004 | CONFIG_AIC79XX_REG_PRETTY_PRINT=y | ||
2005 | CONFIG_SCSI_AIC94XX=m | ||
2006 | # CONFIG_AIC94XX_DEBUG is not set | ||
2007 | CONFIG_SCSI_MVSAS=m | ||
2008 | # CONFIG_SCSI_MVSAS_DEBUG is not set | ||
2009 | # CONFIG_SCSI_MVSAS_TASKLET is not set | ||
2010 | CONFIG_SCSI_MVUMI=m | ||
2011 | CONFIG_SCSI_DPT_I2O=m | ||
2012 | CONFIG_SCSI_ADVANSYS=m | ||
2013 | CONFIG_SCSI_ARCMSR=m | ||
2014 | CONFIG_SCSI_ESAS2R=m | ||
2015 | CONFIG_MEGARAID_NEWGEN=y | ||
2016 | CONFIG_MEGARAID_MM=m | ||
2017 | CONFIG_MEGARAID_MAILBOX=m | ||
2018 | CONFIG_MEGARAID_LEGACY=m | ||
2019 | CONFIG_MEGARAID_SAS=m | ||
2020 | CONFIG_SCSI_MPT3SAS=m | ||
2021 | CONFIG_SCSI_MPT2SAS_MAX_SGE=128 | ||
2022 | CONFIG_SCSI_MPT3SAS_MAX_SGE=128 | ||
2023 | CONFIG_SCSI_MPT2SAS=m | ||
2024 | CONFIG_SCSI_UFSHCD=m | ||
2025 | CONFIG_SCSI_UFSHCD_PCI=m | ||
2026 | # CONFIG_SCSI_UFSHCD_PLATFORM is not set | ||
2027 | CONFIG_SCSI_HPTIOP=m | ||
2028 | CONFIG_SCSI_BUSLOGIC=m | ||
2029 | # CONFIG_SCSI_FLASHPOINT is not set | ||
2030 | CONFIG_VMWARE_PVSCSI=m | ||
2031 | CONFIG_HYPERV_STORAGE=m | ||
2032 | CONFIG_LIBFC=m | ||
2033 | CONFIG_LIBFCOE=m | ||
2034 | CONFIG_FCOE=m | ||
2035 | CONFIG_FCOE_FNIC=m | ||
2036 | CONFIG_SCSI_SNIC=m | ||
2037 | CONFIG_SCSI_DMX3191D=m | ||
2038 | CONFIG_SCSI_EATA=m | ||
2039 | CONFIG_SCSI_EATA_TAGGED_QUEUE=y | ||
2040 | CONFIG_SCSI_EATA_LINKED_COMMANDS=y | ||
2041 | CONFIG_SCSI_EATA_MAX_TAGS=16 | ||
2042 | CONFIG_SCSI_FUTURE_DOMAIN=m | ||
2043 | CONFIG_SCSI_GDTH=m | ||
2044 | CONFIG_SCSI_ISCI=m | ||
2045 | CONFIG_SCSI_IPS=m | ||
2046 | CONFIG_SCSI_INITIO=m | ||
2047 | CONFIG_SCSI_INIA100=m | ||
2048 | # CONFIG_SCSI_PPA is not set | ||
2049 | # CONFIG_SCSI_IMM is not set | ||
2050 | CONFIG_SCSI_STEX=m | ||
2051 | CONFIG_SCSI_SYM53C8XX_2=m | ||
2052 | CONFIG_SCSI_SYM53C8XX_DMA_ADDRESSING_MODE=1 | ||
2053 | CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16 | ||
2054 | CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64 | ||
2055 | CONFIG_SCSI_SYM53C8XX_MMIO=y | ||
2056 | CONFIG_SCSI_IPR=m | ||
2057 | # CONFIG_SCSI_IPR_TRACE is not set | ||
2058 | # CONFIG_SCSI_IPR_DUMP is not set | ||
2059 | CONFIG_SCSI_QLOGIC_1280=m | ||
2060 | CONFIG_SCSI_QLA_FC=m | ||
2061 | CONFIG_TCM_QLA2XXX=m | ||
2062 | CONFIG_SCSI_QLA_ISCSI=m | ||
2063 | CONFIG_SCSI_LPFC=m | ||
2064 | CONFIG_SCSI_DC395x=m | ||
2065 | CONFIG_SCSI_AM53C974=m | ||
2066 | CONFIG_SCSI_WD719X=m | ||
2067 | CONFIG_SCSI_DEBUG=m | ||
2068 | CONFIG_SCSI_PMCRAID=m | ||
2069 | CONFIG_SCSI_PM8001=m | ||
2070 | CONFIG_SCSI_BFA_FC=m | ||
2071 | CONFIG_SCSI_VIRTIO=m | ||
2072 | CONFIG_SCSI_CHELSIO_FCOE=m | ||
2073 | CONFIG_SCSI_LOWLEVEL_PCMCIA=y | ||
2074 | CONFIG_PCMCIA_AHA152X=m | ||
2075 | CONFIG_PCMCIA_FDOMAIN=m | ||
2076 | CONFIG_PCMCIA_QLOGIC=m | ||
2077 | CONFIG_PCMCIA_SYM53C500=m | ||
2078 | CONFIG_SCSI_DH=y | ||
2079 | CONFIG_SCSI_DH_RDAC=m | ||
2080 | CONFIG_SCSI_DH_HP_SW=m | ||
2081 | CONFIG_SCSI_DH_EMC=m | ||
2082 | CONFIG_SCSI_DH_ALUA=m | ||
2083 | CONFIG_SCSI_OSD_INITIATOR=m | ||
2084 | CONFIG_SCSI_OSD_ULD=m | ||
2085 | CONFIG_SCSI_OSD_DPRINT_SENSE=1 | ||
2086 | # CONFIG_SCSI_OSD_DEBUG is not set | ||
2087 | CONFIG_ATA=m | ||
2088 | # CONFIG_ATA_NONSTANDARD is not set | ||
2089 | CONFIG_ATA_VERBOSE_ERROR=y | ||
2090 | CONFIG_ATA_ACPI=y | ||
2091 | CONFIG_SATA_ZPODD=y | ||
2092 | CONFIG_SATA_PMP=y | ||
2093 | |||
2094 | # | ||
2095 | # Controllers with non-SFF native interface | ||
2096 | # | ||
2097 | CONFIG_SATA_AHCI=m | ||
2098 | # CONFIG_SATA_AHCI_PLATFORM is not set | ||
2099 | # CONFIG_SATA_INIC162X is not set | ||
2100 | CONFIG_SATA_ACARD_AHCI=m | ||
2101 | CONFIG_SATA_SIL24=m | ||
2102 | CONFIG_ATA_SFF=y | ||
2103 | |||
2104 | # | ||
2105 | # SFF controllers with custom DMA interface | ||
2106 | # | ||
2107 | CONFIG_PDC_ADMA=m | ||
2108 | CONFIG_SATA_QSTOR=m | ||
2109 | CONFIG_SATA_SX4=m | ||
2110 | CONFIG_ATA_BMDMA=y | ||
2111 | |||
2112 | # | ||
2113 | # SATA SFF controllers with BMDMA | ||
2114 | # | ||
2115 | CONFIG_ATA_PIIX=m | ||
2116 | CONFIG_SATA_MV=m | ||
2117 | CONFIG_SATA_NV=m | ||
2118 | CONFIG_SATA_PROMISE=m | ||
2119 | CONFIG_SATA_SIL=m | ||
2120 | CONFIG_SATA_SIS=m | ||
2121 | CONFIG_SATA_SVW=m | ||
2122 | CONFIG_SATA_ULI=m | ||
2123 | CONFIG_SATA_VIA=m | ||
2124 | CONFIG_SATA_VITESSE=m | ||
2125 | |||
2126 | # | ||
2127 | # PATA SFF controllers with BMDMA | ||
2128 | # | ||
2129 | CONFIG_PATA_ALI=m | ||
2130 | CONFIG_PATA_AMD=m | ||
2131 | CONFIG_PATA_ARTOP=m | ||
2132 | CONFIG_PATA_ATIIXP=m | ||
2133 | CONFIG_PATA_ATP867X=m | ||
2134 | CONFIG_PATA_CMD64X=m | ||
2135 | # CONFIG_PATA_CYPRESS is not set | ||
2136 | CONFIG_PATA_EFAR=m | ||
2137 | CONFIG_PATA_HPT366=m | ||
2138 | CONFIG_PATA_HPT37X=m | ||
2139 | # CONFIG_PATA_HPT3X2N is not set | ||
2140 | # CONFIG_PATA_HPT3X3 is not set | ||
2141 | CONFIG_PATA_IT8213=m | ||
2142 | CONFIG_PATA_IT821X=m | ||
2143 | CONFIG_PATA_JMICRON=m | ||
2144 | CONFIG_PATA_MARVELL=m | ||
2145 | CONFIG_PATA_NETCELL=m | ||
2146 | CONFIG_PATA_NINJA32=m | ||
2147 | CONFIG_PATA_NS87415=m | ||
2148 | CONFIG_PATA_OLDPIIX=m | ||
2149 | # CONFIG_PATA_OPTIDMA is not set | ||
2150 | CONFIG_PATA_PDC2027X=m | ||
2151 | CONFIG_PATA_PDC_OLD=m | ||
2152 | # CONFIG_PATA_RADISYS is not set | ||
2153 | CONFIG_PATA_RDC=m | ||
2154 | CONFIG_PATA_SCH=m | ||
2155 | CONFIG_PATA_SERVERWORKS=m | ||
2156 | CONFIG_PATA_SIL680=m | ||
2157 | CONFIG_PATA_SIS=m | ||
2158 | CONFIG_PATA_TOSHIBA=m | ||
2159 | CONFIG_PATA_TRIFLEX=m | ||
2160 | CONFIG_PATA_VIA=m | ||
2161 | # CONFIG_PATA_WINBOND is not set | ||
2162 | |||
2163 | # | ||
2164 | # PIO-only SFF controllers | ||
2165 | # | ||
2166 | # CONFIG_PATA_CMD640_PCI is not set | ||
2167 | CONFIG_PATA_MPIIX=m | ||
2168 | CONFIG_PATA_NS87410=m | ||
2169 | # CONFIG_PATA_OPTI is not set | ||
2170 | CONFIG_PATA_PCMCIA=m | ||
2171 | # CONFIG_PATA_PLATFORM is not set | ||
2172 | CONFIG_PATA_RZ1000=m | ||
2173 | |||
2174 | # | ||
2175 | # Generic fallback / legacy drivers | ||
2176 | # | ||
2177 | # CONFIG_PATA_ACPI is not set | ||
2178 | CONFIG_ATA_GENERIC=m | ||
2179 | # CONFIG_PATA_LEGACY is not set | ||
2180 | CONFIG_MD=y | ||
2181 | CONFIG_BLK_DEV_MD=m | ||
2182 | CONFIG_MD_LINEAR=m | ||
2183 | CONFIG_MD_RAID0=m | ||
2184 | CONFIG_MD_RAID1=m | ||
2185 | CONFIG_MD_RAID10=m | ||
2186 | CONFIG_MD_RAID456=m | ||
2187 | CONFIG_MD_MULTIPATH=m | ||
2188 | CONFIG_MD_FAULTY=m | ||
2189 | # CONFIG_MD_CLUSTER is not set | ||
2190 | CONFIG_BCACHE=m | ||
2191 | # CONFIG_BCACHE_DEBUG is not set | ||
2192 | CONFIG_BLK_DEV_DM_BUILTIN=y | ||
2193 | CONFIG_BLK_DEV_DM=m | ||
2194 | # CONFIG_DM_MQ_DEFAULT is not set | ||
2195 | # CONFIG_DM_DEBUG is not set | ||
2196 | CONFIG_DM_BUFIO=m | ||
2197 | CONFIG_DM_BIO_PRISON=m | ||
2198 | CONFIG_DM_PERSISTENT_DATA=m | ||
2199 | # CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set | ||
2200 | CONFIG_DM_CRYPT=m | ||
2201 | CONFIG_DM_SNAPSHOT=m | ||
2202 | CONFIG_DM_THIN_PROVISIONING=m | ||
2203 | CONFIG_DM_CACHE=m | ||
2204 | CONFIG_DM_CACHE_MQ=m | ||
2205 | CONFIG_DM_CACHE_SMQ=m | ||
2206 | CONFIG_DM_CACHE_CLEANER=m | ||
2207 | CONFIG_DM_ERA=m | ||
2208 | CONFIG_DM_MIRROR=m | ||
2209 | CONFIG_DM_LOG_USERSPACE=m | ||
2210 | CONFIG_DM_RAID=m | ||
2211 | CONFIG_DM_ZERO=m | ||
2212 | CONFIG_DM_MULTIPATH=m | ||
2213 | CONFIG_DM_MULTIPATH_QL=m | ||
2214 | CONFIG_DM_MULTIPATH_ST=m | ||
2215 | CONFIG_DM_DELAY=m | ||
2216 | CONFIG_DM_UEVENT=y | ||
2217 | CONFIG_DM_FLAKEY=m | ||
2218 | CONFIG_DM_VERITY=m | ||
2219 | CONFIG_DM_SWITCH=m | ||
2220 | CONFIG_DM_LOG_WRITES=m | ||
2221 | CONFIG_TARGET_CORE=m | ||
2222 | CONFIG_TCM_IBLOCK=m | ||
2223 | CONFIG_TCM_FILEIO=m | ||
2224 | CONFIG_TCM_PSCSI=m | ||
2225 | CONFIG_TCM_USER2=m | ||
2226 | CONFIG_LOOPBACK_TARGET=m | ||
2227 | CONFIG_TCM_FC=m | ||
2228 | CONFIG_ISCSI_TARGET=m | ||
2229 | CONFIG_SBP_TARGET=m | ||
2230 | CONFIG_FUSION=y | ||
2231 | CONFIG_FUSION_SPI=m | ||
2232 | CONFIG_FUSION_FC=m | ||
2233 | CONFIG_FUSION_SAS=m | ||
2234 | CONFIG_FUSION_MAX_SGE=128 | ||
2235 | CONFIG_FUSION_CTL=m | ||
2236 | CONFIG_FUSION_LAN=m | ||
2237 | # CONFIG_FUSION_LOGGING is not set | ||
2238 | |||
2239 | # | ||
2240 | # IEEE 1394 (FireWire) support | ||
2241 | # | ||
2242 | CONFIG_FIREWIRE=m | ||
2243 | CONFIG_FIREWIRE_OHCI=m | ||
2244 | CONFIG_FIREWIRE_SBP2=m | ||
2245 | CONFIG_FIREWIRE_NET=m | ||
2246 | CONFIG_FIREWIRE_NOSY=m | ||
2247 | CONFIG_MACINTOSH_DRIVERS=y | ||
2248 | CONFIG_MAC_EMUMOUSEBTN=y | ||
2249 | CONFIG_NETDEVICES=y | ||
2250 | CONFIG_MII=m | ||
2251 | CONFIG_NET_CORE=y | ||
2252 | CONFIG_BONDING=m | ||
2253 | CONFIG_DUMMY=m | ||
2254 | CONFIG_EQUALIZER=m | ||
2255 | CONFIG_NET_FC=y | ||
2256 | CONFIG_IFB=m | ||
2257 | CONFIG_NET_TEAM=m | ||
2258 | CONFIG_NET_TEAM_MODE_BROADCAST=m | ||
2259 | CONFIG_NET_TEAM_MODE_ROUNDROBIN=m | ||
2260 | CONFIG_NET_TEAM_MODE_RANDOM=m | ||
2261 | CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m | ||
2262 | CONFIG_NET_TEAM_MODE_LOADBALANCE=m | ||
2263 | CONFIG_MACVLAN=m | ||
2264 | CONFIG_MACVTAP=m | ||
2265 | CONFIG_IPVLAN=m | ||
2266 | CONFIG_VXLAN=m | ||
2267 | CONFIG_GENEVE=m | ||
2268 | CONFIG_NETCONSOLE=m | ||
2269 | CONFIG_NETCONSOLE_DYNAMIC=y | ||
2270 | CONFIG_NETPOLL=y | ||
2271 | CONFIG_NET_POLL_CONTROLLER=y | ||
2272 | CONFIG_TUN=m | ||
2273 | # CONFIG_TUN_VNET_CROSS_LE is not set | ||
2274 | CONFIG_VETH=m | ||
2275 | CONFIG_VIRTIO_NET=m | ||
2276 | CONFIG_NLMON=m | ||
2277 | CONFIG_NET_VRF=m | ||
2278 | CONFIG_SUNGEM_PHY=m | ||
2279 | CONFIG_ARCNET=m | ||
2280 | CONFIG_ARCNET_1201=m | ||
2281 | CONFIG_ARCNET_1051=m | ||
2282 | CONFIG_ARCNET_RAW=m | ||
2283 | CONFIG_ARCNET_CAP=m | ||
2284 | CONFIG_ARCNET_COM90xx=m | ||
2285 | CONFIG_ARCNET_COM90xxIO=m | ||
2286 | CONFIG_ARCNET_RIM_I=m | ||
2287 | CONFIG_ARCNET_COM20020=m | ||
2288 | CONFIG_ARCNET_COM20020_PCI=m | ||
2289 | CONFIG_ARCNET_COM20020_CS=m | ||
2290 | CONFIG_ATM_DRIVERS=y | ||
2291 | CONFIG_ATM_DUMMY=m | ||
2292 | CONFIG_ATM_TCP=m | ||
2293 | CONFIG_ATM_LANAI=m | ||
2294 | CONFIG_ATM_ENI=m | ||
2295 | # CONFIG_ATM_ENI_DEBUG is not set | ||
2296 | # CONFIG_ATM_ENI_TUNE_BURST is not set | ||
2297 | CONFIG_ATM_FIRESTREAM=m | ||
2298 | CONFIG_ATM_ZATM=m | ||
2299 | # CONFIG_ATM_ZATM_DEBUG is not set | ||
2300 | CONFIG_ATM_NICSTAR=m | ||
2301 | CONFIG_ATM_NICSTAR_USE_SUNI=y | ||
2302 | CONFIG_ATM_NICSTAR_USE_IDT77105=y | ||
2303 | CONFIG_ATM_IDT77252=m | ||
2304 | # CONFIG_ATM_IDT77252_DEBUG is not set | ||
2305 | # CONFIG_ATM_IDT77252_RCV_ALL is not set | ||
2306 | CONFIG_ATM_IDT77252_USE_SUNI=y | ||
2307 | CONFIG_ATM_AMBASSADOR=m | ||
2308 | # CONFIG_ATM_AMBASSADOR_DEBUG is not set | ||
2309 | CONFIG_ATM_HORIZON=m | ||
2310 | # CONFIG_ATM_HORIZON_DEBUG is not set | ||
2311 | CONFIG_ATM_IA=m | ||
2312 | # CONFIG_ATM_IA_DEBUG is not set | ||
2313 | CONFIG_ATM_FORE200E=m | ||
2314 | # CONFIG_ATM_FORE200E_USE_TASKLET is not set | ||
2315 | CONFIG_ATM_FORE200E_TX_RETRY=16 | ||
2316 | CONFIG_ATM_FORE200E_DEBUG=0 | ||
2317 | CONFIG_ATM_HE=m | ||
2318 | CONFIG_ATM_HE_USE_SUNI=y | ||
2319 | CONFIG_ATM_SOLOS=m | ||
2320 | |||
2321 | # | ||
2322 | # CAIF transport drivers | ||
2323 | # | ||
2324 | CONFIG_VHOST_NET=m | ||
2325 | CONFIG_VHOST_SCSI=m | ||
2326 | CONFIG_VHOST_RING=m | ||
2327 | CONFIG_VHOST=m | ||
2328 | # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set | ||
2329 | |||
2330 | # | ||
2331 | # Distributed Switch Architecture drivers | ||
2332 | # | ||
2333 | # CONFIG_NET_DSA_MV88E6XXX is not set | ||
2334 | # CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set | ||
2335 | CONFIG_ETHERNET=y | ||
2336 | CONFIG_MDIO=m | ||
2337 | CONFIG_NET_VENDOR_3COM=y | ||
2338 | CONFIG_PCMCIA_3C574=m | ||
2339 | CONFIG_PCMCIA_3C589=m | ||
2340 | CONFIG_VORTEX=m | ||
2341 | CONFIG_TYPHOON=m | ||
2342 | CONFIG_NET_VENDOR_ADAPTEC=y | ||
2343 | CONFIG_ADAPTEC_STARFIRE=m | ||
2344 | CONFIG_NET_VENDOR_AGERE=y | ||
2345 | CONFIG_ET131X=m | ||
2346 | CONFIG_NET_VENDOR_ALTEON=y | ||
2347 | CONFIG_ACENIC=m | ||
2348 | # CONFIG_ACENIC_OMIT_TIGON_I is not set | ||
2349 | # CONFIG_ALTERA_TSE is not set | ||
2350 | CONFIG_NET_VENDOR_AMD=y | ||
2351 | CONFIG_AMD8111_ETH=m | ||
2352 | CONFIG_PCNET32=m | ||
2353 | CONFIG_PCMCIA_NMCLAN=m | ||
2354 | # CONFIG_NET_VENDOR_ARC is not set | ||
2355 | CONFIG_NET_VENDOR_ATHEROS=y | ||
2356 | CONFIG_ATL2=m | ||
2357 | CONFIG_ATL1=m | ||
2358 | CONFIG_ATL1E=m | ||
2359 | CONFIG_ATL1C=m | ||
2360 | CONFIG_ALX=m | ||
2361 | # CONFIG_NET_VENDOR_AURORA is not set | ||
2362 | CONFIG_NET_CADENCE=y | ||
2363 | # CONFIG_MACB is not set | ||
2364 | CONFIG_NET_VENDOR_BROADCOM=y | ||
2365 | CONFIG_B44=m | ||
2366 | CONFIG_B44_PCI_AUTOSELECT=y | ||
2367 | CONFIG_B44_PCICORE_AUTOSELECT=y | ||
2368 | CONFIG_B44_PCI=y | ||
2369 | # CONFIG_BCMGENET is not set | ||
2370 | CONFIG_BNX2=m | ||
2371 | CONFIG_CNIC=m | ||
2372 | CONFIG_TIGON3=m | ||
2373 | CONFIG_BNX2X=m | ||
2374 | CONFIG_BNX2X_SRIOV=y | ||
2375 | CONFIG_BNX2X_VXLAN=y | ||
2376 | CONFIG_BNXT=m | ||
2377 | CONFIG_BNXT_SRIOV=y | ||
2378 | CONFIG_NET_VENDOR_BROCADE=y | ||
2379 | CONFIG_BNA=m | ||
2380 | CONFIG_NET_VENDOR_CAVIUM=y | ||
2381 | # CONFIG_THUNDER_NIC_PF is not set | ||
2382 | # CONFIG_THUNDER_NIC_VF is not set | ||
2383 | # CONFIG_THUNDER_NIC_BGX is not set | ||
2384 | CONFIG_LIQUIDIO=m | ||
2385 | CONFIG_NET_VENDOR_CHELSIO=y | ||
2386 | CONFIG_CHELSIO_T1=m | ||
2387 | CONFIG_CHELSIO_T1_1G=y | ||
2388 | CONFIG_CHELSIO_T3=m | ||
2389 | CONFIG_CHELSIO_T4=m | ||
2390 | CONFIG_CHELSIO_T4_DCB=y | ||
2391 | # CONFIG_CHELSIO_T4_FCOE is not set | ||
2392 | CONFIG_CHELSIO_T4VF=m | ||
2393 | CONFIG_NET_VENDOR_CISCO=y | ||
2394 | CONFIG_ENIC=m | ||
2395 | # CONFIG_CX_ECAT is not set | ||
2396 | # CONFIG_DNET is not set | ||
2397 | CONFIG_NET_VENDOR_DEC=y | ||
2398 | CONFIG_NET_TULIP=y | ||
2399 | CONFIG_DE2104X=m | ||
2400 | CONFIG_DE2104X_DSL=0 | ||
2401 | CONFIG_TULIP=m | ||
2402 | # CONFIG_TULIP_MWI is not set | ||
2403 | # CONFIG_TULIP_MMIO is not set | ||
2404 | CONFIG_TULIP_NAPI=y | ||
2405 | CONFIG_TULIP_NAPI_HW_MITIGATION=y | ||
2406 | # CONFIG_DE4X5 is not set | ||
2407 | CONFIG_WINBOND_840=m | ||
2408 | CONFIG_DM9102=m | ||
2409 | CONFIG_ULI526X=m | ||
2410 | CONFIG_PCMCIA_XIRCOM=m | ||
2411 | CONFIG_NET_VENDOR_DLINK=y | ||
2412 | CONFIG_DL2K=m | ||
2413 | CONFIG_SUNDANCE=m | ||
2414 | # CONFIG_SUNDANCE_MMIO is not set | ||
2415 | CONFIG_NET_VENDOR_EMULEX=y | ||
2416 | CONFIG_BE2NET=m | ||
2417 | CONFIG_BE2NET_HWMON=y | ||
2418 | CONFIG_BE2NET_VXLAN=y | ||
2419 | CONFIG_NET_VENDOR_EZCHIP=y | ||
2420 | CONFIG_NET_VENDOR_EXAR=y | ||
2421 | CONFIG_S2IO=m | ||
2422 | CONFIG_VXGE=m | ||
2423 | # CONFIG_VXGE_DEBUG_TRACE_ALL is not set | ||
2424 | CONFIG_NET_VENDOR_FUJITSU=y | ||
2425 | CONFIG_PCMCIA_FMVJ18X=m | ||
2426 | CONFIG_NET_VENDOR_HP=y | ||
2427 | CONFIG_HP100=m | ||
2428 | CONFIG_NET_VENDOR_INTEL=y | ||
2429 | CONFIG_E100=m | ||
2430 | CONFIG_E1000=m | ||
2431 | CONFIG_E1000E=m | ||
2432 | CONFIG_IGB=m | ||
2433 | CONFIG_IGB_HWMON=y | ||
2434 | CONFIG_IGB_DCA=y | ||
2435 | CONFIG_IGBVF=m | ||
2436 | CONFIG_IXGB=m | ||
2437 | CONFIG_IXGBE=m | ||
2438 | CONFIG_IXGBE_VXLAN=y | ||
2439 | CONFIG_IXGBE_HWMON=y | ||
2440 | CONFIG_IXGBE_DCA=y | ||
2441 | CONFIG_IXGBE_DCB=y | ||
2442 | CONFIG_IXGBEVF=m | ||
2443 | CONFIG_I40E=m | ||
2444 | CONFIG_I40E_VXLAN=y | ||
2445 | CONFIG_I40E_DCB=y | ||
2446 | CONFIG_I40E_FCOE=y | ||
2447 | CONFIG_I40EVF=m | ||
2448 | # CONFIG_FM10K is not set | ||
2449 | CONFIG_NET_VENDOR_I825XX=y | ||
2450 | CONFIG_JME=m | ||
2451 | CONFIG_NET_VENDOR_MARVELL=y | ||
2452 | # CONFIG_MVMDIO is not set | ||
2453 | CONFIG_SKGE=m | ||
2454 | CONFIG_SKGE_GENESIS=y | ||
2455 | CONFIG_SKY2=m | ||
2456 | CONFIG_NET_VENDOR_MELLANOX=y | ||
2457 | CONFIG_MLX4_EN=m | ||
2458 | CONFIG_MLX4_EN_DCB=y | ||
2459 | CONFIG_MLX4_EN_VXLAN=y | ||
2460 | CONFIG_MLX4_CORE=m | ||
2461 | CONFIG_MLX4_DEBUG=y | ||
2462 | CONFIG_MLX5_CORE=m | ||
2463 | CONFIG_MLX5_CORE_EN=y | ||
2464 | # CONFIG_MLXSW_CORE is not set | ||
2465 | CONFIG_NET_VENDOR_MICREL=y | ||
2466 | # CONFIG_KS8842 is not set | ||
2467 | # CONFIG_KS8851 is not set | ||
2468 | # CONFIG_KS8851_MLL is not set | ||
2469 | CONFIG_KSZ884X_PCI=m | ||
2470 | CONFIG_NET_VENDOR_MICROCHIP=y | ||
2471 | # CONFIG_ENC28J60 is not set | ||
2472 | # CONFIG_ENCX24J600 is not set | ||
2473 | CONFIG_NET_VENDOR_MYRI=y | ||
2474 | CONFIG_MYRI10GE=m | ||
2475 | CONFIG_MYRI10GE_DCA=y | ||
2476 | CONFIG_FEALNX=m | ||
2477 | CONFIG_NET_VENDOR_NATSEMI=y | ||
2478 | CONFIG_NATSEMI=m | ||
2479 | CONFIG_NS83820=m | ||
2480 | CONFIG_NET_VENDOR_8390=y | ||
2481 | CONFIG_PCMCIA_AXNET=m | ||
2482 | CONFIG_NE2K_PCI=m | ||
2483 | CONFIG_PCMCIA_PCNET=m | ||
2484 | CONFIG_NET_VENDOR_NVIDIA=y | ||
2485 | CONFIG_FORCEDETH=m | ||
2486 | CONFIG_NET_VENDOR_OKI=y | ||
2487 | # CONFIG_ETHOC is not set | ||
2488 | CONFIG_NET_PACKET_ENGINE=y | ||
2489 | CONFIG_HAMACHI=m | ||
2490 | CONFIG_YELLOWFIN=m | ||
2491 | CONFIG_NET_VENDOR_QLOGIC=y | ||
2492 | CONFIG_QLA3XXX=m | ||
2493 | CONFIG_QLCNIC=m | ||
2494 | CONFIG_QLCNIC_SRIOV=y | ||
2495 | CONFIG_QLCNIC_DCB=y | ||
2496 | CONFIG_QLCNIC_VXLAN=y | ||
2497 | CONFIG_QLCNIC_HWMON=y | ||
2498 | CONFIG_QLGE=m | ||
2499 | CONFIG_NETXEN_NIC=m | ||
2500 | CONFIG_QED=m | ||
2501 | CONFIG_QEDE=m | ||
2502 | CONFIG_NET_VENDOR_QUALCOMM=y | ||
2503 | CONFIG_NET_VENDOR_REALTEK=y | ||
2504 | # CONFIG_ATP is not set | ||
2505 | CONFIG_8139CP=m | ||
2506 | CONFIG_8139TOO=m | ||
2507 | # CONFIG_8139TOO_PIO is not set | ||
2508 | CONFIG_8139TOO_TUNE_TWISTER=y | ||
2509 | CONFIG_8139TOO_8129=y | ||
2510 | # CONFIG_8139_OLD_RX_RESET is not set | ||
2511 | CONFIG_R8169=m | ||
2512 | CONFIG_NET_VENDOR_RENESAS=y | ||
2513 | CONFIG_NET_VENDOR_RDC=y | ||
2514 | CONFIG_R6040=m | ||
2515 | CONFIG_NET_VENDOR_ROCKER=y | ||
2516 | CONFIG_NET_VENDOR_SAMSUNG=y | ||
2517 | # CONFIG_SXGBE_ETH is not set | ||
2518 | # CONFIG_NET_VENDOR_SEEQ is not set | ||
2519 | CONFIG_NET_VENDOR_SILAN=y | ||
2520 | CONFIG_SC92031=m | ||
2521 | CONFIG_NET_VENDOR_SIS=y | ||
2522 | CONFIG_SIS900=m | ||
2523 | CONFIG_SIS190=m | ||
2524 | CONFIG_SFC=m | ||
2525 | CONFIG_SFC_MTD=y | ||
2526 | CONFIG_SFC_MCDI_MON=y | ||
2527 | CONFIG_SFC_SRIOV=y | ||
2528 | CONFIG_SFC_MCDI_LOGGING=y | ||
2529 | CONFIG_NET_VENDOR_SMSC=y | ||
2530 | CONFIG_PCMCIA_SMC91C92=m | ||
2531 | CONFIG_EPIC100=m | ||
2532 | # CONFIG_SMSC911X is not set | ||
2533 | CONFIG_SMSC9420=m | ||
2534 | CONFIG_NET_VENDOR_STMICRO=y | ||
2535 | # CONFIG_STMMAC_ETH is not set | ||
2536 | CONFIG_NET_VENDOR_SUN=y | ||
2537 | CONFIG_HAPPYMEAL=m | ||
2538 | CONFIG_SUNGEM=m | ||
2539 | CONFIG_CASSINI=m | ||
2540 | CONFIG_NIU=m | ||
2541 | CONFIG_NET_VENDOR_SYNOPSYS=y | ||
2542 | CONFIG_NET_VENDOR_TEHUTI=y | ||
2543 | CONFIG_TEHUTI=m | ||
2544 | CONFIG_NET_VENDOR_TI=y | ||
2545 | # CONFIG_TI_CPSW_ALE is not set | ||
2546 | CONFIG_TLAN=m | ||
2547 | CONFIG_NET_VENDOR_VIA=y | ||
2548 | CONFIG_VIA_RHINE=m | ||
2549 | # CONFIG_VIA_RHINE_MMIO is not set | ||
2550 | CONFIG_VIA_VELOCITY=m | ||
2551 | CONFIG_NET_VENDOR_WIZNET=y | ||
2552 | # CONFIG_WIZNET_W5100 is not set | ||
2553 | # CONFIG_WIZNET_W5300 is not set | ||
2554 | CONFIG_NET_VENDOR_XIRCOM=y | ||
2555 | CONFIG_PCMCIA_XIRC2PS=m | ||
2556 | CONFIG_FDDI=y | ||
2557 | CONFIG_DEFXX=m | ||
2558 | # CONFIG_DEFXX_MMIO is not set | ||
2559 | CONFIG_SKFP=m | ||
2560 | CONFIG_HIPPI=y | ||
2561 | CONFIG_ROADRUNNER=m | ||
2562 | # CONFIG_ROADRUNNER_LARGE_RINGS is not set | ||
2563 | CONFIG_NET_SB1000=m | ||
2564 | CONFIG_PHYLIB=m | ||
2565 | |||
2566 | # | ||
2567 | # MII PHY device drivers | ||
2568 | # | ||
2569 | CONFIG_AQUANTIA_PHY=m | ||
2570 | CONFIG_AT803X_PHY=m | ||
2571 | CONFIG_AMD_PHY=m | ||
2572 | CONFIG_MARVELL_PHY=m | ||
2573 | CONFIG_DAVICOM_PHY=m | ||
2574 | CONFIG_QSEMI_PHY=m | ||
2575 | CONFIG_LXT_PHY=m | ||
2576 | CONFIG_CICADA_PHY=m | ||
2577 | CONFIG_VITESSE_PHY=m | ||
2578 | CONFIG_TERANETICS_PHY=m | ||
2579 | CONFIG_SMSC_PHY=m | ||
2580 | CONFIG_BCM_NET_PHYLIB=m | ||
2581 | CONFIG_BROADCOM_PHY=m | ||
2582 | # CONFIG_BCM7XXX_PHY is not set | ||
2583 | CONFIG_BCM87XX_PHY=m | ||
2584 | CONFIG_ICPLUS_PHY=m | ||
2585 | CONFIG_REALTEK_PHY=m | ||
2586 | CONFIG_NATIONAL_PHY=m | ||
2587 | CONFIG_STE10XP=m | ||
2588 | CONFIG_LSI_ET1011C_PHY=m | ||
2589 | CONFIG_MICREL_PHY=m | ||
2590 | CONFIG_DP83848_PHY=m | ||
2591 | CONFIG_DP83867_PHY=m | ||
2592 | CONFIG_MICROCHIP_PHY=m | ||
2593 | # CONFIG_FIXED_PHY is not set | ||
2594 | # CONFIG_MDIO_BITBANG is not set | ||
2595 | # CONFIG_MDIO_OCTEON is not set | ||
2596 | # CONFIG_MDIO_BCM_UNIMAC is not set | ||
2597 | # CONFIG_MICREL_KS8995MA is not set | ||
2598 | CONFIG_PLIP=m | ||
2599 | CONFIG_PPP=m | ||
2600 | CONFIG_PPP_BSDCOMP=m | ||
2601 | CONFIG_PPP_DEFLATE=m | ||
2602 | CONFIG_PPP_FILTER=y | ||
2603 | CONFIG_PPP_MPPE=m | ||
2604 | CONFIG_PPP_MULTILINK=y | ||
2605 | CONFIG_PPPOATM=m | ||
2606 | CONFIG_PPPOE=m | ||
2607 | CONFIG_PPTP=m | ||
2608 | CONFIG_PPPOL2TP=m | ||
2609 | CONFIG_PPP_ASYNC=m | ||
2610 | CONFIG_PPP_SYNC_TTY=m | ||
2611 | CONFIG_SLIP=m | ||
2612 | CONFIG_SLHC=m | ||
2613 | CONFIG_SLIP_COMPRESSED=y | ||
2614 | CONFIG_SLIP_SMART=y | ||
2615 | CONFIG_SLIP_MODE_SLIP6=y | ||
2616 | |||
2617 | # | ||
2618 | # Host-side USB support is needed for USB Network Adapter support | ||
2619 | # | ||
2620 | CONFIG_USB_NET_DRIVERS=m | ||
2621 | CONFIG_USB_CATC=m | ||
2622 | CONFIG_USB_KAWETH=m | ||
2623 | CONFIG_USB_PEGASUS=m | ||
2624 | CONFIG_USB_RTL8150=m | ||
2625 | CONFIG_USB_RTL8152=m | ||
2626 | CONFIG_USB_LAN78XX=m | ||
2627 | CONFIG_USB_USBNET=m | ||
2628 | CONFIG_USB_NET_AX8817X=m | ||
2629 | CONFIG_USB_NET_AX88179_178A=m | ||
2630 | CONFIG_USB_NET_CDCETHER=m | ||
2631 | CONFIG_USB_NET_CDC_EEM=m | ||
2632 | CONFIG_USB_NET_CDC_NCM=m | ||
2633 | CONFIG_USB_NET_HUAWEI_CDC_NCM=m | ||
2634 | CONFIG_USB_NET_CDC_MBIM=m | ||
2635 | CONFIG_USB_NET_DM9601=m | ||
2636 | CONFIG_USB_NET_SR9700=m | ||
2637 | CONFIG_USB_NET_SR9800=m | ||
2638 | CONFIG_USB_NET_SMSC75XX=m | ||
2639 | CONFIG_USB_NET_SMSC95XX=m | ||
2640 | CONFIG_USB_NET_GL620A=m | ||
2641 | CONFIG_USB_NET_NET1080=m | ||
2642 | CONFIG_USB_NET_PLUSB=m | ||
2643 | CONFIG_USB_NET_MCS7830=m | ||
2644 | CONFIG_USB_NET_RNDIS_HOST=m | ||
2645 | CONFIG_USB_NET_CDC_SUBSET=m | ||
2646 | CONFIG_USB_ALI_M5632=y | ||
2647 | CONFIG_USB_AN2720=y | ||
2648 | CONFIG_USB_BELKIN=y | ||
2649 | CONFIG_USB_ARMLINUX=y | ||
2650 | CONFIG_USB_EPSON2888=y | ||
2651 | CONFIG_USB_KC2190=y | ||
2652 | CONFIG_USB_NET_ZAURUS=m | ||
2653 | CONFIG_USB_NET_CX82310_ETH=m | ||
2654 | CONFIG_USB_NET_KALMIA=m | ||
2655 | CONFIG_USB_NET_QMI_WWAN=m | ||
2656 | CONFIG_USB_HSO=m | ||
2657 | CONFIG_USB_NET_INT51X1=m | ||
2658 | CONFIG_USB_CDC_PHONET=m | ||
2659 | CONFIG_USB_IPHETH=m | ||
2660 | CONFIG_USB_SIERRA_NET=m | ||
2661 | CONFIG_USB_VL600=m | ||
2662 | CONFIG_USB_NET_CH9200=m | ||
2663 | CONFIG_WLAN=y | ||
2664 | CONFIG_PCMCIA_RAYCS=m | ||
2665 | CONFIG_LIBERTAS_THINFIRM=m | ||
2666 | # CONFIG_LIBERTAS_THINFIRM_DEBUG is not set | ||
2667 | CONFIG_LIBERTAS_THINFIRM_USB=m | ||
2668 | CONFIG_AIRO=m | ||
2669 | CONFIG_ATMEL=m | ||
2670 | CONFIG_PCI_ATMEL=m | ||
2671 | CONFIG_PCMCIA_ATMEL=m | ||
2672 | CONFIG_AT76C50X_USB=m | ||
2673 | CONFIG_AIRO_CS=m | ||
2674 | CONFIG_PCMCIA_WL3501=m | ||
2675 | # CONFIG_PRISM54 is not set | ||
2676 | CONFIG_USB_ZD1201=m | ||
2677 | CONFIG_USB_NET_RNDIS_WLAN=m | ||
2678 | CONFIG_ADM8211=m | ||
2679 | CONFIG_RTL8180=m | ||
2680 | CONFIG_RTL8187=m | ||
2681 | CONFIG_RTL8187_LEDS=y | ||
2682 | CONFIG_MAC80211_HWSIM=m | ||
2683 | CONFIG_MWL8K=m | ||
2684 | CONFIG_ATH_COMMON=m | ||
2685 | CONFIG_ATH_CARDS=m | ||
2686 | # CONFIG_ATH_DEBUG is not set | ||
2687 | CONFIG_ATH5K=m | ||
2688 | # CONFIG_ATH5K_DEBUG is not set | ||
2689 | CONFIG_ATH5K_PCI=y | ||
2690 | CONFIG_ATH9K_HW=m | ||
2691 | CONFIG_ATH9K_COMMON=m | ||
2692 | CONFIG_ATH9K_BTCOEX_SUPPORT=y | ||
2693 | CONFIG_ATH9K=m | ||
2694 | CONFIG_ATH9K_PCI=y | ||
2695 | # CONFIG_ATH9K_AHB is not set | ||
2696 | # CONFIG_ATH9K_DYNACK is not set | ||
2697 | # CONFIG_ATH9K_WOW is not set | ||
2698 | CONFIG_ATH9K_RFKILL=y | ||
2699 | # CONFIG_ATH9K_CHANNEL_CONTEXT is not set | ||
2700 | CONFIG_ATH9K_PCOEM=y | ||
2701 | CONFIG_ATH9K_HTC=m | ||
2702 | CONFIG_CARL9170=m | ||
2703 | CONFIG_CARL9170_LEDS=y | ||
2704 | CONFIG_CARL9170_WPC=y | ||
2705 | # CONFIG_CARL9170_HWRNG is not set | ||
2706 | CONFIG_ATH6KL=m | ||
2707 | CONFIG_ATH6KL_SDIO=m | ||
2708 | CONFIG_ATH6KL_USB=m | ||
2709 | # CONFIG_ATH6KL_DEBUG is not set | ||
2710 | CONFIG_AR5523=m | ||
2711 | CONFIG_WIL6210=m | ||
2712 | CONFIG_WIL6210_ISR_COR=y | ||
2713 | CONFIG_ATH10K=m | ||
2714 | CONFIG_ATH10K_PCI=m | ||
2715 | # CONFIG_ATH10K_DEBUG is not set | ||
2716 | # CONFIG_WCN36XX is not set | ||
2717 | CONFIG_B43=m | ||
2718 | CONFIG_B43_BCMA=y | ||
2719 | CONFIG_B43_SSB=y | ||
2720 | CONFIG_B43_BUSES_BCMA_AND_SSB=y | ||
2721 | # CONFIG_B43_BUSES_BCMA is not set | ||
2722 | # CONFIG_B43_BUSES_SSB is not set | ||
2723 | CONFIG_B43_PCI_AUTOSELECT=y | ||
2724 | CONFIG_B43_PCICORE_AUTOSELECT=y | ||
2725 | CONFIG_B43_SDIO=y | ||
2726 | CONFIG_B43_BCMA_PIO=y | ||
2727 | CONFIG_B43_PIO=y | ||
2728 | CONFIG_B43_PHY_G=y | ||
2729 | CONFIG_B43_PHY_N=y | ||
2730 | CONFIG_B43_PHY_LP=y | ||
2731 | CONFIG_B43_PHY_HT=y | ||
2732 | CONFIG_B43_LEDS=y | ||
2733 | CONFIG_B43_HWRNG=y | ||
2734 | # CONFIG_B43_DEBUG is not set | ||
2735 | CONFIG_B43LEGACY=m | ||
2736 | CONFIG_B43LEGACY_PCI_AUTOSELECT=y | ||
2737 | CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y | ||
2738 | CONFIG_B43LEGACY_LEDS=y | ||
2739 | CONFIG_B43LEGACY_HWRNG=y | ||
2740 | CONFIG_B43LEGACY_DEBUG=y | ||
2741 | CONFIG_B43LEGACY_DMA=y | ||
2742 | CONFIG_B43LEGACY_PIO=y | ||
2743 | CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y | ||
2744 | # CONFIG_B43LEGACY_DMA_MODE is not set | ||
2745 | # CONFIG_B43LEGACY_PIO_MODE is not set | ||
2746 | CONFIG_BRCMUTIL=m | ||
2747 | CONFIG_BRCMSMAC=m | ||
2748 | CONFIG_BRCMFMAC=m | ||
2749 | CONFIG_BRCMFMAC_PROTO_BCDC=y | ||
2750 | CONFIG_BRCMFMAC_PROTO_MSGBUF=y | ||
2751 | CONFIG_BRCMFMAC_SDIO=y | ||
2752 | CONFIG_BRCMFMAC_USB=y | ||
2753 | CONFIG_BRCMFMAC_PCIE=y | ||
2754 | # CONFIG_BRCM_TRACING is not set | ||
2755 | # CONFIG_BRCMDBG is not set | ||
2756 | CONFIG_HOSTAP=m | ||
2757 | CONFIG_HOSTAP_FIRMWARE=y | ||
2758 | # CONFIG_HOSTAP_FIRMWARE_NVRAM is not set | ||
2759 | CONFIG_HOSTAP_PLX=m | ||
2760 | CONFIG_HOSTAP_PCI=m | ||
2761 | CONFIG_HOSTAP_CS=m | ||
2762 | # CONFIG_IPW2100 is not set | ||
2763 | CONFIG_IPW2200=m | ||
2764 | CONFIG_IPW2200_MONITOR=y | ||
2765 | CONFIG_IPW2200_RADIOTAP=y | ||
2766 | CONFIG_IPW2200_PROMISCUOUS=y | ||
2767 | CONFIG_IPW2200_QOS=y | ||
2768 | # CONFIG_IPW2200_DEBUG is not set | ||
2769 | CONFIG_LIBIPW=m | ||
2770 | # CONFIG_LIBIPW_DEBUG is not set | ||
2771 | CONFIG_IWLWIFI=m | ||
2772 | CONFIG_IWLWIFI_LEDS=y | ||
2773 | CONFIG_IWLDVM=m | ||
2774 | CONFIG_IWLMVM=m | ||
2775 | CONFIG_IWLWIFI_OPMODE_MODULAR=y | ||
2776 | # CONFIG_IWLWIFI_BCAST_FILTERING is not set | ||
2777 | # CONFIG_IWLWIFI_UAPSD is not set | ||
2778 | |||
2779 | # | ||
2780 | # Debugging Options | ||
2781 | # | ||
2782 | # CONFIG_IWLWIFI_DEBUG is not set | ||
2783 | CONFIG_IWLEGACY=m | ||
2784 | CONFIG_IWL4965=m | ||
2785 | CONFIG_IWL3945=m | ||
2786 | |||
2787 | # | ||
2788 | # iwl3945 / iwl4965 Debugging Options | ||
2789 | # | ||
2790 | # CONFIG_IWLEGACY_DEBUG is not set | ||
2791 | CONFIG_LIBERTAS=m | ||
2792 | CONFIG_LIBERTAS_USB=m | ||
2793 | CONFIG_LIBERTAS_CS=m | ||
2794 | CONFIG_LIBERTAS_SDIO=m | ||
2795 | # CONFIG_LIBERTAS_SPI is not set | ||
2796 | # CONFIG_LIBERTAS_DEBUG is not set | ||
2797 | CONFIG_LIBERTAS_MESH=y | ||
2798 | CONFIG_HERMES=m | ||
2799 | # CONFIG_HERMES_PRISM is not set | ||
2800 | CONFIG_HERMES_CACHE_FW_ON_INIT=y | ||
2801 | CONFIG_PLX_HERMES=m | ||
2802 | CONFIG_TMD_HERMES=m | ||
2803 | CONFIG_NORTEL_HERMES=m | ||
2804 | CONFIG_PCMCIA_HERMES=m | ||
2805 | CONFIG_PCMCIA_SPECTRUM=m | ||
2806 | CONFIG_ORINOCO_USB=m | ||
2807 | CONFIG_P54_COMMON=m | ||
2808 | CONFIG_P54_USB=m | ||
2809 | CONFIG_P54_PCI=m | ||
2810 | # CONFIG_P54_SPI is not set | ||
2811 | CONFIG_P54_LEDS=y | ||
2812 | CONFIG_RT2X00=m | ||
2813 | CONFIG_RT2400PCI=m | ||
2814 | CONFIG_RT2500PCI=m | ||
2815 | CONFIG_RT61PCI=m | ||
2816 | CONFIG_RT2800PCI=m | ||
2817 | CONFIG_RT2800PCI_RT33XX=y | ||
2818 | CONFIG_RT2800PCI_RT35XX=y | ||
2819 | CONFIG_RT2800PCI_RT53XX=y | ||
2820 | CONFIG_RT2800PCI_RT3290=y | ||
2821 | CONFIG_RT2500USB=m | ||
2822 | CONFIG_RT73USB=m | ||
2823 | CONFIG_RT2800USB=m | ||
2824 | CONFIG_RT2800USB_RT33XX=y | ||
2825 | CONFIG_RT2800USB_RT35XX=y | ||
2826 | CONFIG_RT2800USB_RT3573=y | ||
2827 | CONFIG_RT2800USB_RT53XX=y | ||
2828 | CONFIG_RT2800USB_RT55XX=y | ||
2829 | # CONFIG_RT2800USB_UNKNOWN is not set | ||
2830 | CONFIG_RT2800_LIB=m | ||
2831 | CONFIG_RT2800_LIB_MMIO=m | ||
2832 | CONFIG_RT2X00_LIB_MMIO=m | ||
2833 | CONFIG_RT2X00_LIB_PCI=m | ||
2834 | CONFIG_RT2X00_LIB_USB=m | ||
2835 | CONFIG_RT2X00_LIB=m | ||
2836 | CONFIG_RT2X00_LIB_FIRMWARE=y | ||
2837 | CONFIG_RT2X00_LIB_CRYPTO=y | ||
2838 | CONFIG_RT2X00_LIB_LEDS=y | ||
2839 | # CONFIG_RT2X00_DEBUG is not set | ||
2840 | CONFIG_WL_MEDIATEK=y | ||
2841 | CONFIG_MT7601U=m | ||
2842 | CONFIG_RTL_CARDS=m | ||
2843 | CONFIG_RTL8192CE=m | ||
2844 | CONFIG_RTL8192SE=m | ||
2845 | CONFIG_RTL8192DE=m | ||
2846 | CONFIG_RTL8723AE=m | ||
2847 | CONFIG_RTL8723BE=m | ||
2848 | CONFIG_RTL8188EE=m | ||
2849 | CONFIG_RTL8192EE=m | ||
2850 | CONFIG_RTL8821AE=m | ||
2851 | CONFIG_RTL8192CU=m | ||
2852 | CONFIG_RTLWIFI=m | ||
2853 | CONFIG_RTLWIFI_PCI=m | ||
2854 | CONFIG_RTLWIFI_USB=m | ||
2855 | # CONFIG_RTLWIFI_DEBUG is not set | ||
2856 | CONFIG_RTL8192C_COMMON=m | ||
2857 | CONFIG_RTL8723_COMMON=m | ||
2858 | CONFIG_RTLBTCOEXIST=m | ||
2859 | # CONFIG_RTL8XXXU is not set | ||
2860 | # CONFIG_WL_TI is not set | ||
2861 | CONFIG_ZD1211RW=m | ||
2862 | # CONFIG_ZD1211RW_DEBUG is not set | ||
2863 | CONFIG_MWIFIEX=m | ||
2864 | CONFIG_MWIFIEX_SDIO=m | ||
2865 | CONFIG_MWIFIEX_PCIE=m | ||
2866 | CONFIG_MWIFIEX_USB=m | ||
2867 | # CONFIG_CW1200 is not set | ||
2868 | CONFIG_RSI_91X=m | ||
2869 | CONFIG_RSI_DEBUGFS=y | ||
2870 | # CONFIG_RSI_SDIO is not set | ||
2871 | CONFIG_RSI_USB=m | ||
2872 | |||
2873 | # | ||
2874 | # WiMAX Wireless Broadband devices | ||
2875 | # | ||
2876 | CONFIG_WIMAX_I2400M=m | ||
2877 | CONFIG_WIMAX_I2400M_USB=m | ||
2878 | CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8 | ||
2879 | CONFIG_WAN=y | ||
2880 | CONFIG_LANMEDIA=m | ||
2881 | CONFIG_HDLC=m | ||
2882 | CONFIG_HDLC_RAW=m | ||
2883 | CONFIG_HDLC_RAW_ETH=m | ||
2884 | CONFIG_HDLC_CISCO=m | ||
2885 | CONFIG_HDLC_FR=m | ||
2886 | CONFIG_HDLC_PPP=m | ||
2887 | # CONFIG_HDLC_X25 is not set | ||
2888 | CONFIG_PCI200SYN=m | ||
2889 | CONFIG_WANXL=m | ||
2890 | # CONFIG_PC300TOO is not set | ||
2891 | CONFIG_FARSYNC=m | ||
2892 | CONFIG_DSCC4=m | ||
2893 | CONFIG_DSCC4_PCISYNC=y | ||
2894 | CONFIG_DSCC4_PCI_RST=y | ||
2895 | CONFIG_DLCI=m | ||
2896 | CONFIG_DLCI_MAX=8 | ||
2897 | # CONFIG_SBNI is not set | ||
2898 | CONFIG_IEEE802154_DRIVERS=m | ||
2899 | CONFIG_VMXNET3=m | ||
2900 | CONFIG_FUJITSU_ES=m | ||
2901 | CONFIG_HYPERV_NET=m | ||
2902 | CONFIG_ISDN=y | ||
2903 | # CONFIG_ISDN_I4L is not set | ||
2904 | CONFIG_ISDN_CAPI=m | ||
2905 | CONFIG_CAPI_TRACE=y | ||
2906 | CONFIG_ISDN_CAPI_CAPI20=m | ||
2907 | CONFIG_ISDN_CAPI_MIDDLEWARE=y | ||
2908 | |||
2909 | # | ||
2910 | # CAPI hardware drivers | ||
2911 | # | ||
2912 | CONFIG_CAPI_AVM=y | ||
2913 | CONFIG_ISDN_DRV_AVMB1_B1PCI=m | ||
2914 | CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y | ||
2915 | CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m | ||
2916 | CONFIG_ISDN_DRV_AVMB1_AVM_CS=m | ||
2917 | CONFIG_ISDN_DRV_AVMB1_T1PCI=m | ||
2918 | CONFIG_ISDN_DRV_AVMB1_C4=m | ||
2919 | CONFIG_CAPI_EICON=y | ||
2920 | CONFIG_ISDN_DIVAS=m | ||
2921 | CONFIG_ISDN_DIVAS_BRIPCI=y | ||
2922 | CONFIG_ISDN_DIVAS_PRIPCI=y | ||
2923 | CONFIG_ISDN_DIVAS_DIVACAPI=m | ||
2924 | CONFIG_ISDN_DIVAS_USERIDI=m | ||
2925 | CONFIG_ISDN_DIVAS_MAINT=m | ||
2926 | CONFIG_ISDN_DRV_GIGASET=m | ||
2927 | CONFIG_GIGASET_CAPI=y | ||
2928 | # CONFIG_GIGASET_DUMMYLL is not set | ||
2929 | CONFIG_GIGASET_BASE=m | ||
2930 | CONFIG_GIGASET_M105=m | ||
2931 | CONFIG_GIGASET_M101=m | ||
2932 | # CONFIG_GIGASET_DEBUG is not set | ||
2933 | CONFIG_HYSDN=m | ||
2934 | CONFIG_HYSDN_CAPI=y | ||
2935 | CONFIG_MISDN=m | ||
2936 | CONFIG_MISDN_DSP=m | ||
2937 | CONFIG_MISDN_L1OIP=m | ||
2938 | |||
2939 | # | ||
2940 | # mISDN hardware drivers | ||
2941 | # | ||
2942 | CONFIG_MISDN_HFCPCI=m | ||
2943 | CONFIG_MISDN_HFCMULTI=m | ||
2944 | CONFIG_MISDN_HFCUSB=m | ||
2945 | CONFIG_MISDN_AVMFRITZ=m | ||
2946 | CONFIG_MISDN_SPEEDFAX=m | ||
2947 | CONFIG_MISDN_INFINEON=m | ||
2948 | CONFIG_MISDN_W6692=m | ||
2949 | # CONFIG_MISDN_NETJET is not set | ||
2950 | CONFIG_MISDN_IPAC=m | ||
2951 | CONFIG_MISDN_ISAR=m | ||
2952 | # CONFIG_NVM is not set | ||
2953 | |||
2954 | # | ||
2955 | # Input device support | ||
2956 | # | ||
2957 | CONFIG_INPUT=y | ||
2958 | CONFIG_INPUT_LEDS=y | ||
2959 | CONFIG_INPUT_FF_MEMLESS=m | ||
2960 | CONFIG_INPUT_POLLDEV=m | ||
2961 | CONFIG_INPUT_SPARSEKMAP=m | ||
2962 | CONFIG_INPUT_MATRIXKMAP=m | ||
2963 | |||
2964 | # | ||
2965 | # Userland interfaces | ||
2966 | # | ||
2967 | CONFIG_INPUT_MOUSEDEV=y | ||
2968 | CONFIG_INPUT_MOUSEDEV_PSAUX=y | ||
2969 | CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 | ||
2970 | CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 | ||
2971 | CONFIG_INPUT_JOYDEV=m | ||
2972 | CONFIG_INPUT_EVDEV=m | ||
2973 | # CONFIG_INPUT_EVBUG is not set | ||
2974 | |||
2975 | # | ||
2976 | # Input Device Drivers | ||
2977 | # | ||
2978 | CONFIG_INPUT_KEYBOARD=y | ||
2979 | CONFIG_KEYBOARD_ADP5588=m | ||
2980 | # CONFIG_KEYBOARD_ADP5589 is not set | ||
2981 | CONFIG_KEYBOARD_ATKBD=y | ||
2982 | # CONFIG_KEYBOARD_QT1070 is not set | ||
2983 | CONFIG_KEYBOARD_QT2160=m | ||
2984 | CONFIG_KEYBOARD_LKKBD=m | ||
2985 | CONFIG_KEYBOARD_GPIO=m | ||
2986 | # CONFIG_KEYBOARD_GPIO_POLLED is not set | ||
2987 | # CONFIG_KEYBOARD_TCA6416 is not set | ||
2988 | # CONFIG_KEYBOARD_TCA8418 is not set | ||
2989 | # CONFIG_KEYBOARD_MATRIX is not set | ||
2990 | CONFIG_KEYBOARD_LM8323=m | ||
2991 | # CONFIG_KEYBOARD_LM8333 is not set | ||
2992 | CONFIG_KEYBOARD_MAX7359=m | ||
2993 | # CONFIG_KEYBOARD_MCS is not set | ||
2994 | # CONFIG_KEYBOARD_MPR121 is not set | ||
2995 | CONFIG_KEYBOARD_NEWTON=m | ||
2996 | CONFIG_KEYBOARD_OPENCORES=m | ||
2997 | # CONFIG_KEYBOARD_SAMSUNG is not set | ||
2998 | CONFIG_KEYBOARD_STOWAWAY=m | ||
2999 | CONFIG_KEYBOARD_SUNKBD=m | ||
3000 | CONFIG_KEYBOARD_XTKBD=m | ||
3001 | CONFIG_INPUT_MOUSE=y | ||
3002 | CONFIG_MOUSE_PS2=m | ||
3003 | CONFIG_MOUSE_PS2_ALPS=y | ||
3004 | CONFIG_MOUSE_PS2_LOGIPS2PP=y | ||
3005 | CONFIG_MOUSE_PS2_SYNAPTICS=y | ||
3006 | CONFIG_MOUSE_PS2_CYPRESS=y | ||
3007 | CONFIG_MOUSE_PS2_LIFEBOOK=y | ||
3008 | CONFIG_MOUSE_PS2_TRACKPOINT=y | ||
3009 | CONFIG_MOUSE_PS2_ELANTECH=y | ||
3010 | CONFIG_MOUSE_PS2_SENTELIC=y | ||
3011 | # CONFIG_MOUSE_PS2_TOUCHKIT is not set | ||
3012 | CONFIG_MOUSE_PS2_FOCALTECH=y | ||
3013 | CONFIG_MOUSE_PS2_VMMOUSE=y | ||
3014 | CONFIG_MOUSE_SERIAL=m | ||
3015 | CONFIG_MOUSE_APPLETOUCH=m | ||
3016 | CONFIG_MOUSE_BCM5974=m | ||
3017 | CONFIG_MOUSE_CYAPA=m | ||
3018 | CONFIG_MOUSE_ELAN_I2C=m | ||
3019 | CONFIG_MOUSE_ELAN_I2C_I2C=y | ||
3020 | CONFIG_MOUSE_ELAN_I2C_SMBUS=y | ||
3021 | CONFIG_MOUSE_VSXXXAA=m | ||
3022 | # CONFIG_MOUSE_GPIO is not set | ||
3023 | CONFIG_MOUSE_SYNAPTICS_I2C=m | ||
3024 | CONFIG_MOUSE_SYNAPTICS_USB=m | ||
3025 | CONFIG_INPUT_JOYSTICK=y | ||
3026 | CONFIG_JOYSTICK_ANALOG=m | ||
3027 | CONFIG_JOYSTICK_A3D=m | ||
3028 | CONFIG_JOYSTICK_ADI=m | ||
3029 | CONFIG_JOYSTICK_COBRA=m | ||
3030 | CONFIG_JOYSTICK_GF2K=m | ||
3031 | CONFIG_JOYSTICK_GRIP=m | ||
3032 | CONFIG_JOYSTICK_GRIP_MP=m | ||
3033 | CONFIG_JOYSTICK_GUILLEMOT=m | ||
3034 | CONFIG_JOYSTICK_INTERACT=m | ||
3035 | CONFIG_JOYSTICK_SIDEWINDER=m | ||
3036 | CONFIG_JOYSTICK_TMDC=m | ||
3037 | CONFIG_JOYSTICK_IFORCE=m | ||
3038 | CONFIG_JOYSTICK_IFORCE_USB=y | ||
3039 | CONFIG_JOYSTICK_IFORCE_232=y | ||
3040 | CONFIG_JOYSTICK_WARRIOR=m | ||
3041 | CONFIG_JOYSTICK_MAGELLAN=m | ||
3042 | CONFIG_JOYSTICK_SPACEORB=m | ||
3043 | CONFIG_JOYSTICK_SPACEBALL=m | ||
3044 | CONFIG_JOYSTICK_STINGER=m | ||
3045 | CONFIG_JOYSTICK_TWIDJOY=m | ||
3046 | CONFIG_JOYSTICK_ZHENHUA=m | ||
3047 | CONFIG_JOYSTICK_DB9=m | ||
3048 | CONFIG_JOYSTICK_GAMECON=m | ||
3049 | CONFIG_JOYSTICK_TURBOGRAFX=m | ||
3050 | # CONFIG_JOYSTICK_AS5011 is not set | ||
3051 | CONFIG_JOYSTICK_JOYDUMP=m | ||
3052 | CONFIG_JOYSTICK_XPAD=m | ||
3053 | CONFIG_JOYSTICK_XPAD_FF=y | ||
3054 | CONFIG_JOYSTICK_XPAD_LEDS=y | ||
3055 | CONFIG_JOYSTICK_WALKERA0701=m | ||
3056 | CONFIG_INPUT_TABLET=y | ||
3057 | CONFIG_TABLET_USB_ACECAD=m | ||
3058 | CONFIG_TABLET_USB_AIPTEK=m | ||
3059 | CONFIG_TABLET_USB_GTCO=m | ||
3060 | CONFIG_TABLET_USB_HANWANG=m | ||
3061 | CONFIG_TABLET_USB_KBTAB=m | ||
3062 | CONFIG_TABLET_SERIAL_WACOM4=m | ||
3063 | CONFIG_INPUT_TOUCHSCREEN=y | ||
3064 | CONFIG_TOUCHSCREEN_PROPERTIES=y | ||
3065 | CONFIG_TOUCHSCREEN_ADS7846=m | ||
3066 | CONFIG_TOUCHSCREEN_AD7877=m | ||
3067 | CONFIG_TOUCHSCREEN_AD7879=m | ||
3068 | CONFIG_TOUCHSCREEN_AD7879_I2C=m | ||
3069 | # CONFIG_TOUCHSCREEN_AD7879_SPI is not set | ||
3070 | CONFIG_TOUCHSCREEN_ATMEL_MXT=m | ||
3071 | # CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set | ||
3072 | # CONFIG_TOUCHSCREEN_BU21013 is not set | ||
3073 | # CONFIG_TOUCHSCREEN_CY8CTMG110 is not set | ||
3074 | # CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set | ||
3075 | # CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set | ||
3076 | CONFIG_TOUCHSCREEN_DYNAPRO=m | ||
3077 | CONFIG_TOUCHSCREEN_HAMPSHIRE=m | ||
3078 | CONFIG_TOUCHSCREEN_EETI=m | ||
3079 | # CONFIG_TOUCHSCREEN_FT6236 is not set | ||
3080 | CONFIG_TOUCHSCREEN_FUJITSU=m | ||
3081 | # CONFIG_TOUCHSCREEN_GOODIX is not set | ||
3082 | # CONFIG_TOUCHSCREEN_ILI210X is not set | ||
3083 | CONFIG_TOUCHSCREEN_GUNZE=m | ||
3084 | # CONFIG_TOUCHSCREEN_ELAN is not set | ||
3085 | CONFIG_TOUCHSCREEN_ELO=m | ||
3086 | CONFIG_TOUCHSCREEN_WACOM_W8001=m | ||
3087 | # CONFIG_TOUCHSCREEN_WACOM_I2C is not set | ||
3088 | # CONFIG_TOUCHSCREEN_MAX11801 is not set | ||
3089 | CONFIG_TOUCHSCREEN_MCS5000=m | ||
3090 | # CONFIG_TOUCHSCREEN_MMS114 is not set | ||
3091 | CONFIG_TOUCHSCREEN_MTOUCH=m | ||
3092 | CONFIG_TOUCHSCREEN_INEXIO=m | ||
3093 | CONFIG_TOUCHSCREEN_MK712=m | ||
3094 | CONFIG_TOUCHSCREEN_PENMOUNT=m | ||
3095 | # CONFIG_TOUCHSCREEN_EDT_FT5X06 is not set | ||
3096 | CONFIG_TOUCHSCREEN_TOUCHRIGHT=m | ||
3097 | CONFIG_TOUCHSCREEN_TOUCHWIN=m | ||
3098 | # CONFIG_TOUCHSCREEN_PIXCIR is not set | ||
3099 | # CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set | ||
3100 | CONFIG_TOUCHSCREEN_WM97XX=m | ||
3101 | CONFIG_TOUCHSCREEN_WM9705=y | ||
3102 | CONFIG_TOUCHSCREEN_WM9712=y | ||
3103 | CONFIG_TOUCHSCREEN_WM9713=y | ||
3104 | CONFIG_TOUCHSCREEN_USB_COMPOSITE=m | ||
3105 | CONFIG_TOUCHSCREEN_USB_EGALAX=y | ||
3106 | CONFIG_TOUCHSCREEN_USB_PANJIT=y | ||
3107 | CONFIG_TOUCHSCREEN_USB_3M=y | ||
3108 | CONFIG_TOUCHSCREEN_USB_ITM=y | ||
3109 | CONFIG_TOUCHSCREEN_USB_ETURBO=y | ||
3110 | CONFIG_TOUCHSCREEN_USB_GUNZE=y | ||
3111 | CONFIG_TOUCHSCREEN_USB_DMC_TSC10=y | ||
3112 | CONFIG_TOUCHSCREEN_USB_IRTOUCH=y | ||
3113 | CONFIG_TOUCHSCREEN_USB_IDEALTEK=y | ||
3114 | CONFIG_TOUCHSCREEN_USB_GENERAL_TOUCH=y | ||
3115 | CONFIG_TOUCHSCREEN_USB_GOTOP=y | ||
3116 | CONFIG_TOUCHSCREEN_USB_JASTEC=y | ||
3117 | CONFIG_TOUCHSCREEN_USB_ELO=y | ||
3118 | CONFIG_TOUCHSCREEN_USB_E2I=y | ||
3119 | CONFIG_TOUCHSCREEN_USB_ZYTRONIC=y | ||
3120 | CONFIG_TOUCHSCREEN_USB_ETT_TC45USB=y | ||
3121 | CONFIG_TOUCHSCREEN_USB_NEXIO=y | ||
3122 | CONFIG_TOUCHSCREEN_USB_EASYTOUCH=y | ||
3123 | CONFIG_TOUCHSCREEN_TOUCHIT213=m | ||
3124 | CONFIG_TOUCHSCREEN_TSC_SERIO=m | ||
3125 | # CONFIG_TOUCHSCREEN_TSC2004 is not set | ||
3126 | # CONFIG_TOUCHSCREEN_TSC2005 is not set | ||
3127 | CONFIG_TOUCHSCREEN_TSC2007=m | ||
3128 | # CONFIG_TOUCHSCREEN_ST1232 is not set | ||
3129 | CONFIG_TOUCHSCREEN_SUR40=m | ||
3130 | # CONFIG_TOUCHSCREEN_SX8654 is not set | ||
3131 | CONFIG_TOUCHSCREEN_TPS6507X=m | ||
3132 | # CONFIG_TOUCHSCREEN_ZFORCE is not set | ||
3133 | # CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set | ||
3134 | CONFIG_INPUT_MISC=y | ||
3135 | # CONFIG_INPUT_AD714X is not set | ||
3136 | # CONFIG_INPUT_BMA150 is not set | ||
3137 | # CONFIG_INPUT_E3X0_BUTTON is not set | ||
3138 | CONFIG_INPUT_PCSPKR=m | ||
3139 | # CONFIG_INPUT_MMA8450 is not set | ||
3140 | # CONFIG_INPUT_MPU3050 is not set | ||
3141 | CONFIG_INPUT_APANEL=m | ||
3142 | # CONFIG_INPUT_GP2A is not set | ||
3143 | # CONFIG_INPUT_GPIO_BEEPER is not set | ||
3144 | # CONFIG_INPUT_GPIO_TILT_POLLED is not set | ||
3145 | CONFIG_INPUT_ATLAS_BTNS=m | ||
3146 | CONFIG_INPUT_ATI_REMOTE2=m | ||
3147 | CONFIG_INPUT_KEYSPAN_REMOTE=m | ||
3148 | # CONFIG_INPUT_KXTJ9 is not set | ||
3149 | CONFIG_INPUT_POWERMATE=m | ||
3150 | CONFIG_INPUT_YEALINK=m | ||
3151 | CONFIG_INPUT_CM109=m | ||
3152 | CONFIG_INPUT_UINPUT=m | ||
3153 | # CONFIG_INPUT_PCF8574 is not set | ||
3154 | # CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set | ||
3155 | # CONFIG_INPUT_ADXL34X is not set | ||
3156 | # CONFIG_INPUT_IMS_PCU is not set | ||
3157 | # CONFIG_INPUT_CMA3000 is not set | ||
3158 | CONFIG_INPUT_IDEAPAD_SLIDEBAR=m | ||
3159 | CONFIG_INPUT_SOC_BUTTON_ARRAY=m | ||
3160 | # CONFIG_INPUT_DRV260X_HAPTICS is not set | ||
3161 | # CONFIG_INPUT_DRV2665_HAPTICS is not set | ||
3162 | # CONFIG_INPUT_DRV2667_HAPTICS is not set | ||
3163 | |||
3164 | # | ||
3165 | # Hardware I/O ports | ||
3166 | # | ||
3167 | CONFIG_SERIO=y | ||
3168 | CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y | ||
3169 | CONFIG_SERIO_I8042=y | ||
3170 | CONFIG_SERIO_SERPORT=m | ||
3171 | CONFIG_SERIO_CT82C710=m | ||
3172 | CONFIG_SERIO_PARKBD=m | ||
3173 | CONFIG_SERIO_PCIPS2=m | ||
3174 | CONFIG_SERIO_LIBPS2=y | ||
3175 | CONFIG_SERIO_RAW=m | ||
3176 | CONFIG_SERIO_ALTERA_PS2=m | ||
3177 | # CONFIG_SERIO_PS2MULT is not set | ||
3178 | # CONFIG_SERIO_ARC_PS2 is not set | ||
3179 | CONFIG_HYPERV_KEYBOARD=m | ||
3180 | # CONFIG_USERIO is not set | ||
3181 | CONFIG_GAMEPORT=m | ||
3182 | CONFIG_GAMEPORT_NS558=m | ||
3183 | CONFIG_GAMEPORT_L4=m | ||
3184 | CONFIG_GAMEPORT_EMU10K1=m | ||
3185 | CONFIG_GAMEPORT_FM801=m | ||
3186 | |||
3187 | # | ||
3188 | # Character devices | ||
3189 | # | ||
3190 | CONFIG_TTY=y | ||
3191 | CONFIG_VT=y | ||
3192 | CONFIG_CONSOLE_TRANSLATIONS=y | ||
3193 | CONFIG_VT_CONSOLE=y | ||
3194 | CONFIG_VT_CONSOLE_SLEEP=y | ||
3195 | CONFIG_HW_CONSOLE=y | ||
3196 | CONFIG_VT_HW_CONSOLE_BINDING=y | ||
3197 | CONFIG_UNIX98_PTYS=y | ||
3198 | CONFIG_DEVPTS_MULTIPLE_INSTANCES=y | ||
3199 | # CONFIG_LEGACY_PTYS is not set | ||
3200 | CONFIG_SERIAL_NONSTANDARD=y | ||
3201 | CONFIG_ROCKETPORT=m | ||
3202 | CONFIG_CYCLADES=m | ||
3203 | # CONFIG_CYZ_INTR is not set | ||
3204 | CONFIG_MOXA_INTELLIO=m | ||
3205 | CONFIG_MOXA_SMARTIO=m | ||
3206 | CONFIG_SYNCLINK=m | ||
3207 | CONFIG_SYNCLINKMP=m | ||
3208 | CONFIG_SYNCLINK_GT=m | ||
3209 | CONFIG_NOZOMI=m | ||
3210 | CONFIG_ISI=m | ||
3211 | CONFIG_N_HDLC=m | ||
3212 | CONFIG_N_GSM=m | ||
3213 | # CONFIG_TRACE_SINK is not set | ||
3214 | CONFIG_DEVMEM=y | ||
3215 | |||
3216 | # | ||
3217 | # Serial drivers | ||
3218 | # | ||
3219 | CONFIG_SERIAL_EARLYCON=y | ||
3220 | CONFIG_SERIAL_8250=y | ||
3221 | # CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set | ||
3222 | CONFIG_SERIAL_8250_PNP=y | ||
3223 | CONFIG_SERIAL_8250_CONSOLE=y | ||
3224 | CONFIG_SERIAL_8250_DMA=y | ||
3225 | CONFIG_SERIAL_8250_PCI=y | ||
3226 | CONFIG_SERIAL_8250_CS=m | ||
3227 | CONFIG_SERIAL_8250_NR_UARTS=32 | ||
3228 | CONFIG_SERIAL_8250_RUNTIME_UARTS=4 | ||
3229 | CONFIG_SERIAL_8250_EXTENDED=y | ||
3230 | CONFIG_SERIAL_8250_MANY_PORTS=y | ||
3231 | CONFIG_SERIAL_8250_SHARE_IRQ=y | ||
3232 | # CONFIG_SERIAL_8250_DETECT_IRQ is not set | ||
3233 | CONFIG_SERIAL_8250_RSA=y | ||
3234 | # CONFIG_SERIAL_8250_FSL is not set | ||
3235 | CONFIG_SERIAL_8250_DW=y | ||
3236 | # CONFIG_SERIAL_8250_RT288X is not set | ||
3237 | CONFIG_SERIAL_8250_FINTEK=m | ||
3238 | # CONFIG_SERIAL_8250_MID is not set | ||
3239 | |||
3240 | # | ||
3241 | # Non-8250 serial port support | ||
3242 | # | ||
3243 | # CONFIG_SERIAL_MAX3100 is not set | ||
3244 | # CONFIG_SERIAL_MAX310X is not set | ||
3245 | # CONFIG_SERIAL_UARTLITE is not set | ||
3246 | CONFIG_SERIAL_CORE=y | ||
3247 | CONFIG_SERIAL_CORE_CONSOLE=y | ||
3248 | CONFIG_SERIAL_JSM=m | ||
3249 | # CONFIG_SERIAL_SCCNXP is not set | ||
3250 | # CONFIG_SERIAL_SC16IS7XX is not set | ||
3251 | # CONFIG_SERIAL_ALTERA_JTAGUART is not set | ||
3252 | # CONFIG_SERIAL_ALTERA_UART is not set | ||
3253 | # CONFIG_SERIAL_IFX6X60 is not set | ||
3254 | # CONFIG_SERIAL_ARC is not set | ||
3255 | CONFIG_SERIAL_RP2=m | ||
3256 | CONFIG_SERIAL_RP2_NR_UARTS=32 | ||
3257 | # CONFIG_SERIAL_FSL_LPUART is not set | ||
3258 | CONFIG_TTY_PRINTK=m | ||
3259 | CONFIG_PRINTER=m | ||
3260 | # CONFIG_LP_CONSOLE is not set | ||
3261 | CONFIG_PPDEV=m | ||
3262 | CONFIG_HVC_DRIVER=y | ||
3263 | CONFIG_VIRTIO_CONSOLE=m | ||
3264 | CONFIG_IPMI_HANDLER=m | ||
3265 | # CONFIG_IPMI_PANIC_EVENT is not set | ||
3266 | CONFIG_IPMI_DEVICE_INTERFACE=m | ||
3267 | CONFIG_IPMI_SI=m | ||
3268 | # CONFIG_IPMI_SI_PROBE_DEFAULTS is not set | ||
3269 | # CONFIG_IPMI_SSIF is not set | ||
3270 | CONFIG_IPMI_WATCHDOG=m | ||
3271 | CONFIG_IPMI_POWEROFF=m | ||
3272 | CONFIG_HW_RANDOM=m | ||
3273 | # CONFIG_HW_RANDOM_TIMERIOMEM is not set | ||
3274 | CONFIG_HW_RANDOM_INTEL=m | ||
3275 | CONFIG_HW_RANDOM_AMD=m | ||
3276 | CONFIG_HW_RANDOM_VIA=m | ||
3277 | CONFIG_HW_RANDOM_VIRTIO=m | ||
3278 | CONFIG_HW_RANDOM_TPM=m | ||
3279 | CONFIG_NVRAM=m | ||
3280 | CONFIG_R3964=m | ||
3281 | CONFIG_APPLICOM=m | ||
3282 | |||
3283 | # | ||
3284 | # PCMCIA character devices | ||
3285 | # | ||
3286 | CONFIG_SYNCLINK_CS=m | ||
3287 | CONFIG_CARDMAN_4000=m | ||
3288 | CONFIG_CARDMAN_4040=m | ||
3289 | CONFIG_IPWIRELESS=m | ||
3290 | CONFIG_MWAVE=m | ||
3291 | CONFIG_RAW_DRIVER=m | ||
3292 | CONFIG_MAX_RAW_DEVS=256 | ||
3293 | CONFIG_HPET=y | ||
3294 | CONFIG_HPET_MMAP=y | ||
3295 | CONFIG_HPET_MMAP_DEFAULT=y | ||
3296 | CONFIG_HANGCHECK_TIMER=m | ||
3297 | CONFIG_TCG_TPM=m | ||
3298 | CONFIG_TCG_TIS=m | ||
3299 | CONFIG_TCG_TIS_I2C_ATMEL=m | ||
3300 | CONFIG_TCG_TIS_I2C_INFINEON=m | ||
3301 | CONFIG_TCG_TIS_I2C_NUVOTON=m | ||
3302 | CONFIG_TCG_NSC=m | ||
3303 | CONFIG_TCG_ATMEL=m | ||
3304 | CONFIG_TCG_INFINEON=m | ||
3305 | CONFIG_TCG_CRB=m | ||
3306 | CONFIG_TCG_TIS_ST33ZP24=m | ||
3307 | CONFIG_TCG_TIS_ST33ZP24_I2C=m | ||
3308 | # CONFIG_TCG_TIS_ST33ZP24_SPI is not set | ||
3309 | CONFIG_TELCLOCK=m | ||
3310 | # CONFIG_XILLYBUS is not set | ||
3311 | |||
3312 | # | ||
3313 | # I2C support | ||
3314 | # | ||
3315 | CONFIG_I2C=y | ||
3316 | CONFIG_ACPI_I2C_OPREGION=y | ||
3317 | CONFIG_I2C_BOARDINFO=y | ||
3318 | CONFIG_I2C_COMPAT=y | ||
3319 | CONFIG_I2C_CHARDEV=m | ||
3320 | CONFIG_I2C_MUX=m | ||
3321 | |||
3322 | # | ||
3323 | # Multiplexer I2C Chip support | ||
3324 | # | ||
3325 | # CONFIG_I2C_MUX_GPIO is not set | ||
3326 | # CONFIG_I2C_MUX_PCA9541 is not set | ||
3327 | # CONFIG_I2C_MUX_PCA954x is not set | ||
3328 | # CONFIG_I2C_MUX_PINCTRL is not set | ||
3329 | # CONFIG_I2C_MUX_REG is not set | ||
3330 | CONFIG_I2C_HELPER_AUTO=y | ||
3331 | CONFIG_I2C_SMBUS=m | ||
3332 | CONFIG_I2C_ALGOBIT=m | ||
3333 | CONFIG_I2C_ALGOPCA=m | ||
3334 | |||
3335 | # | ||
3336 | # I2C Hardware Bus support | ||
3337 | # | ||
3338 | |||
3339 | # | ||
3340 | # PC SMBus host controller drivers | ||
3341 | # | ||
3342 | CONFIG_I2C_ALI1535=m | ||
3343 | CONFIG_I2C_ALI1563=m | ||
3344 | CONFIG_I2C_ALI15X3=m | ||
3345 | CONFIG_I2C_AMD756=m | ||
3346 | CONFIG_I2C_AMD756_S4882=m | ||
3347 | CONFIG_I2C_AMD8111=m | ||
3348 | CONFIG_I2C_I801=m | ||
3349 | CONFIG_I2C_ISCH=m | ||
3350 | CONFIG_I2C_ISMT=m | ||
3351 | CONFIG_I2C_PIIX4=m | ||
3352 | CONFIG_I2C_NFORCE2=m | ||
3353 | CONFIG_I2C_NFORCE2_S4985=m | ||
3354 | CONFIG_I2C_SIS5595=m | ||
3355 | CONFIG_I2C_SIS630=m | ||
3356 | CONFIG_I2C_SIS96X=m | ||
3357 | CONFIG_I2C_VIA=m | ||
3358 | CONFIG_I2C_VIAPRO=m | ||
3359 | |||
3360 | # | ||
3361 | # ACPI drivers | ||
3362 | # | ||
3363 | CONFIG_I2C_SCMI=m | ||
3364 | |||
3365 | # | ||
3366 | # I2C system bus drivers (mostly embedded / system-on-chip) | ||
3367 | # | ||
3368 | # CONFIG_I2C_CBUS_GPIO is not set | ||
3369 | CONFIG_I2C_DESIGNWARE_CORE=m | ||
3370 | CONFIG_I2C_DESIGNWARE_PLATFORM=m | ||
3371 | CONFIG_I2C_DESIGNWARE_PCI=m | ||
3372 | # CONFIG_I2C_EMEV2 is not set | ||
3373 | # CONFIG_I2C_GPIO is not set | ||
3374 | CONFIG_I2C_KEMPLD=m | ||
3375 | CONFIG_I2C_OCORES=m | ||
3376 | CONFIG_I2C_PCA_PLATFORM=m | ||
3377 | # CONFIG_I2C_PXA_PCI is not set | ||
3378 | CONFIG_I2C_SIMTEC=m | ||
3379 | # CONFIG_I2C_XILINX is not set | ||
3380 | |||
3381 | # | ||
3382 | # External I2C/SMBus adapter drivers | ||
3383 | # | ||
3384 | CONFIG_I2C_DIOLAN_U2C=m | ||
3385 | CONFIG_I2C_PARPORT=m | ||
3386 | CONFIG_I2C_PARPORT_LIGHT=m | ||
3387 | CONFIG_I2C_ROBOTFUZZ_OSIF=m | ||
3388 | CONFIG_I2C_TAOS_EVM=m | ||
3389 | CONFIG_I2C_TINY_USB=m | ||
3390 | CONFIG_I2C_VIPERBOARD=m | ||
3391 | |||
3392 | # | ||
3393 | # Other I2C/SMBus bus drivers | ||
3394 | # | ||
3395 | CONFIG_I2C_STUB=m | ||
3396 | # CONFIG_I2C_SLAVE is not set | ||
3397 | # CONFIG_I2C_DEBUG_CORE is not set | ||
3398 | # CONFIG_I2C_DEBUG_ALGO is not set | ||
3399 | # CONFIG_I2C_DEBUG_BUS is not set | ||
3400 | CONFIG_SPI=y | ||
3401 | # CONFIG_SPI_DEBUG is not set | ||
3402 | CONFIG_SPI_MASTER=y | ||
3403 | |||
3404 | # | ||
3405 | # SPI Master Controller Drivers | ||
3406 | # | ||
3407 | # CONFIG_SPI_ALTERA is not set | ||
3408 | CONFIG_SPI_BITBANG=m | ||
3409 | CONFIG_SPI_BUTTERFLY=m | ||
3410 | # CONFIG_SPI_CADENCE is not set | ||
3411 | # CONFIG_SPI_GPIO is not set | ||
3412 | CONFIG_SPI_LM70_LLP=m | ||
3413 | # CONFIG_SPI_OC_TINY is not set | ||
3414 | # CONFIG_SPI_PXA2XX is not set | ||
3415 | # CONFIG_SPI_PXA2XX_PCI is not set | ||
3416 | # CONFIG_SPI_SC18IS602 is not set | ||
3417 | # CONFIG_SPI_XCOMM is not set | ||
3418 | # CONFIG_SPI_XILINX is not set | ||
3419 | # CONFIG_SPI_ZYNQMP_GQSPI is not set | ||
3420 | # CONFIG_SPI_DESIGNWARE is not set | ||
3421 | |||
3422 | # | ||
3423 | # SPI Protocol Masters | ||
3424 | # | ||
3425 | # CONFIG_SPI_SPIDEV is not set | ||
3426 | # CONFIG_SPI_TLE62X0 is not set | ||
3427 | # CONFIG_SPMI is not set | ||
3428 | # CONFIG_HSI is not set | ||
3429 | |||
3430 | # | ||
3431 | # PPS support | ||
3432 | # | ||
3433 | CONFIG_PPS=m | ||
3434 | # CONFIG_PPS_DEBUG is not set | ||
3435 | # CONFIG_NTP_PPS is not set | ||
3436 | |||
3437 | # | ||
3438 | # PPS clients support | ||
3439 | # | ||
3440 | # CONFIG_PPS_CLIENT_KTIMER is not set | ||
3441 | CONFIG_PPS_CLIENT_LDISC=m | ||
3442 | CONFIG_PPS_CLIENT_PARPORT=m | ||
3443 | # CONFIG_PPS_CLIENT_GPIO is not set | ||
3444 | |||
3445 | # | ||
3446 | # PPS generators support | ||
3447 | # | ||
3448 | |||
3449 | # | ||
3450 | # PTP clock support | ||
3451 | # | ||
3452 | CONFIG_PTP_1588_CLOCK=m | ||
3453 | |||
3454 | # | ||
3455 | # Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. | ||
3456 | # | ||
3457 | CONFIG_PINCTRL=y | ||
3458 | |||
3459 | # | ||
3460 | # Pin controllers | ||
3461 | # | ||
3462 | CONFIG_PINMUX=y | ||
3463 | CONFIG_PINCONF=y | ||
3464 | CONFIG_GENERIC_PINCONF=y | ||
3465 | # CONFIG_DEBUG_PINCTRL is not set | ||
3466 | # CONFIG_PINCTRL_AMD is not set | ||
3467 | CONFIG_PINCTRL_BAYTRAIL=y | ||
3468 | CONFIG_PINCTRL_CHERRYVIEW=y | ||
3469 | CONFIG_PINCTRL_INTEL=y | ||
3470 | CONFIG_PINCTRL_BROXTON=y | ||
3471 | CONFIG_PINCTRL_SUNRISEPOINT=y | ||
3472 | CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y | ||
3473 | CONFIG_GPIOLIB=y | ||
3474 | CONFIG_GPIO_DEVRES=y | ||
3475 | CONFIG_GPIO_ACPI=y | ||
3476 | CONFIG_GPIOLIB_IRQCHIP=y | ||
3477 | # CONFIG_DEBUG_GPIO is not set | ||
3478 | CONFIG_GPIO_SYSFS=y | ||
3479 | |||
3480 | # | ||
3481 | # Memory mapped GPIO drivers | ||
3482 | # | ||
3483 | # CONFIG_GPIO_AMDPT is not set | ||
3484 | # CONFIG_GPIO_DWAPB is not set | ||
3485 | # CONFIG_GPIO_GENERIC_PLATFORM is not set | ||
3486 | # CONFIG_GPIO_ICH is not set | ||
3487 | # CONFIG_GPIO_LYNXPOINT is not set | ||
3488 | # CONFIG_GPIO_VX855 is not set | ||
3489 | # CONFIG_GPIO_ZX is not set | ||
3490 | |||
3491 | # | ||
3492 | # Port-mapped I/O GPIO drivers | ||
3493 | # | ||
3494 | # CONFIG_GPIO_104_IDIO_16 is not set | ||
3495 | # CONFIG_GPIO_F7188X is not set | ||
3496 | # CONFIG_GPIO_IT87 is not set | ||
3497 | # CONFIG_GPIO_SCH is not set | ||
3498 | # CONFIG_GPIO_SCH311X is not set | ||
3499 | |||
3500 | # | ||
3501 | # I2C GPIO expanders | ||
3502 | # | ||
3503 | # CONFIG_GPIO_ADP5588 is not set | ||
3504 | # CONFIG_GPIO_MAX7300 is not set | ||
3505 | # CONFIG_GPIO_MAX732X is not set | ||
3506 | # CONFIG_GPIO_PCA953X is not set | ||
3507 | # CONFIG_GPIO_PCF857X is not set | ||
3508 | # CONFIG_GPIO_SX150X is not set | ||
3509 | |||
3510 | # | ||
3511 | # MFD GPIO expanders | ||
3512 | # | ||
3513 | CONFIG_GPIO_KEMPLD=m | ||
3514 | |||
3515 | # | ||
3516 | # PCI GPIO expanders | ||
3517 | # | ||
3518 | # CONFIG_GPIO_AMD8111 is not set | ||
3519 | # CONFIG_GPIO_INTEL_MID is not set | ||
3520 | CONFIG_GPIO_ML_IOH=m | ||
3521 | # CONFIG_GPIO_RDC321X is not set | ||
3522 | |||
3523 | # | ||
3524 | # SPI GPIO expanders | ||
3525 | # | ||
3526 | # CONFIG_GPIO_MAX7301 is not set | ||
3527 | # CONFIG_GPIO_MC33880 is not set | ||
3528 | |||
3529 | # | ||
3530 | # SPI or I2C GPIO expanders | ||
3531 | # | ||
3532 | # CONFIG_GPIO_MCP23S08 is not set | ||
3533 | |||
3534 | # | ||
3535 | # USB GPIO expanders | ||
3536 | # | ||
3537 | CONFIG_GPIO_VIPERBOARD=m | ||
3538 | CONFIG_W1=m | ||
3539 | CONFIG_W1_CON=y | ||
3540 | |||
3541 | # | ||
3542 | # 1-wire Bus Masters | ||
3543 | # | ||
3544 | CONFIG_W1_MASTER_MATROX=m | ||
3545 | CONFIG_W1_MASTER_DS2490=m | ||
3546 | CONFIG_W1_MASTER_DS2482=m | ||
3547 | # CONFIG_W1_MASTER_DS1WM is not set | ||
3548 | # CONFIG_W1_MASTER_GPIO is not set | ||
3549 | |||
3550 | # | ||
3551 | # 1-wire Slaves | ||
3552 | # | ||
3553 | CONFIG_W1_SLAVE_THERM=m | ||
3554 | CONFIG_W1_SLAVE_SMEM=m | ||
3555 | # CONFIG_W1_SLAVE_DS2408 is not set | ||
3556 | # CONFIG_W1_SLAVE_DS2413 is not set | ||
3557 | # CONFIG_W1_SLAVE_DS2406 is not set | ||
3558 | # CONFIG_W1_SLAVE_DS2423 is not set | ||
3559 | CONFIG_W1_SLAVE_DS2431=m | ||
3560 | CONFIG_W1_SLAVE_DS2433=m | ||
3561 | # CONFIG_W1_SLAVE_DS2433_CRC is not set | ||
3562 | # CONFIG_W1_SLAVE_DS2760 is not set | ||
3563 | # CONFIG_W1_SLAVE_DS2780 is not set | ||
3564 | # CONFIG_W1_SLAVE_DS2781 is not set | ||
3565 | # CONFIG_W1_SLAVE_DS28E04 is not set | ||
3566 | CONFIG_W1_SLAVE_BQ27000=m | ||
3567 | CONFIG_POWER_SUPPLY=y | ||
3568 | # CONFIG_POWER_SUPPLY_DEBUG is not set | ||
3569 | # CONFIG_PDA_POWER is not set | ||
3570 | # CONFIG_GENERIC_ADC_BATTERY is not set | ||
3571 | # CONFIG_TEST_POWER is not set | ||
3572 | # CONFIG_BATTERY_DS2780 is not set | ||
3573 | # CONFIG_BATTERY_DS2781 is not set | ||
3574 | # CONFIG_BATTERY_DS2782 is not set | ||
3575 | CONFIG_BATTERY_SBS=m | ||
3576 | # CONFIG_BATTERY_BQ27XXX is not set | ||
3577 | # CONFIG_BATTERY_MAX17040 is not set | ||
3578 | # CONFIG_BATTERY_MAX17042 is not set | ||
3579 | # CONFIG_CHARGER_MAX8903 is not set | ||
3580 | # CONFIG_CHARGER_LP8727 is not set | ||
3581 | # CONFIG_CHARGER_GPIO is not set | ||
3582 | # CONFIG_CHARGER_BQ2415X is not set | ||
3583 | # CONFIG_CHARGER_BQ24190 is not set | ||
3584 | # CONFIG_CHARGER_BQ24257 is not set | ||
3585 | # CONFIG_CHARGER_BQ24735 is not set | ||
3586 | # CONFIG_CHARGER_BQ25890 is not set | ||
3587 | # CONFIG_CHARGER_SMB347 is not set | ||
3588 | # CONFIG_BATTERY_GAUGE_LTC2941 is not set | ||
3589 | # CONFIG_CHARGER_RT9455 is not set | ||
3590 | # CONFIG_POWER_RESET is not set | ||
3591 | # CONFIG_POWER_AVS is not set | ||
3592 | CONFIG_HWMON=y | ||
3593 | CONFIG_HWMON_VID=m | ||
3594 | # CONFIG_HWMON_DEBUG_CHIP is not set | ||
3595 | |||
3596 | # | ||
3597 | # Native drivers | ||
3598 | # | ||
3599 | CONFIG_SENSORS_ABITUGURU=m | ||
3600 | CONFIG_SENSORS_ABITUGURU3=m | ||
3601 | # CONFIG_SENSORS_AD7314 is not set | ||
3602 | CONFIG_SENSORS_AD7414=m | ||
3603 | CONFIG_SENSORS_AD7418=m | ||
3604 | CONFIG_SENSORS_ADM1021=m | ||
3605 | CONFIG_SENSORS_ADM1025=m | ||
3606 | CONFIG_SENSORS_ADM1026=m | ||
3607 | CONFIG_SENSORS_ADM1029=m | ||
3608 | CONFIG_SENSORS_ADM1031=m | ||
3609 | CONFIG_SENSORS_ADM9240=m | ||
3610 | # CONFIG_SENSORS_ADT7310 is not set | ||
3611 | # CONFIG_SENSORS_ADT7410 is not set | ||
3612 | CONFIG_SENSORS_ADT7411=m | ||
3613 | CONFIG_SENSORS_ADT7462=m | ||
3614 | CONFIG_SENSORS_ADT7470=m | ||
3615 | CONFIG_SENSORS_ADT7475=m | ||
3616 | CONFIG_SENSORS_ASC7621=m | ||
3617 | CONFIG_SENSORS_K8TEMP=m | ||
3618 | CONFIG_SENSORS_K10TEMP=m | ||
3619 | CONFIG_SENSORS_FAM15H_POWER=m | ||
3620 | CONFIG_SENSORS_APPLESMC=m | ||
3621 | CONFIG_SENSORS_ASB100=m | ||
3622 | CONFIG_SENSORS_ATXP1=m | ||
3623 | CONFIG_SENSORS_DS620=m | ||
3624 | CONFIG_SENSORS_DS1621=m | ||
3625 | CONFIG_SENSORS_DELL_SMM=m | ||
3626 | CONFIG_SENSORS_I5K_AMB=m | ||
3627 | CONFIG_SENSORS_F71805F=m | ||
3628 | CONFIG_SENSORS_F71882FG=m | ||
3629 | CONFIG_SENSORS_F75375S=m | ||
3630 | CONFIG_SENSORS_FSCHMD=m | ||
3631 | CONFIG_SENSORS_GL518SM=m | ||
3632 | CONFIG_SENSORS_GL520SM=m | ||
3633 | CONFIG_SENSORS_G760A=m | ||
3634 | # CONFIG_SENSORS_G762 is not set | ||
3635 | # CONFIG_SENSORS_GPIO_FAN is not set | ||
3636 | # CONFIG_SENSORS_HIH6130 is not set | ||
3637 | CONFIG_SENSORS_IBMAEM=m | ||
3638 | CONFIG_SENSORS_IBMPEX=m | ||
3639 | # CONFIG_SENSORS_IIO_HWMON is not set | ||
3640 | CONFIG_SENSORS_I5500=m | ||
3641 | CONFIG_SENSORS_CORETEMP=m | ||
3642 | CONFIG_SENSORS_IT87=m | ||
3643 | CONFIG_SENSORS_JC42=m | ||
3644 | # CONFIG_SENSORS_POWR1220 is not set | ||
3645 | CONFIG_SENSORS_LINEAGE=m | ||
3646 | # CONFIG_SENSORS_LTC2945 is not set | ||
3647 | CONFIG_SENSORS_LTC4151=m | ||
3648 | CONFIG_SENSORS_LTC4215=m | ||
3649 | # CONFIG_SENSORS_LTC4222 is not set | ||
3650 | CONFIG_SENSORS_LTC4245=m | ||
3651 | # CONFIG_SENSORS_LTC4260 is not set | ||
3652 | CONFIG_SENSORS_LTC4261=m | ||
3653 | CONFIG_SENSORS_MAX1111=m | ||
3654 | CONFIG_SENSORS_MAX16065=m | ||
3655 | CONFIG_SENSORS_MAX1619=m | ||
3656 | CONFIG_SENSORS_MAX1668=m | ||
3657 | # CONFIG_SENSORS_MAX197 is not set | ||
3658 | CONFIG_SENSORS_MAX6639=m | ||
3659 | CONFIG_SENSORS_MAX6642=m | ||
3660 | CONFIG_SENSORS_MAX6650=m | ||
3661 | # CONFIG_SENSORS_MAX6697 is not set | ||
3662 | # CONFIG_SENSORS_MAX31790 is not set | ||
3663 | # CONFIG_SENSORS_HTU21 is not set | ||
3664 | # CONFIG_SENSORS_MCP3021 is not set | ||
3665 | CONFIG_SENSORS_MENF21BMC_HWMON=m | ||
3666 | CONFIG_SENSORS_ADCXX=m | ||
3667 | CONFIG_SENSORS_LM63=m | ||
3668 | CONFIG_SENSORS_LM70=m | ||
3669 | CONFIG_SENSORS_LM73=m | ||
3670 | CONFIG_SENSORS_LM75=m | ||
3671 | CONFIG_SENSORS_LM77=m | ||
3672 | CONFIG_SENSORS_LM78=m | ||
3673 | CONFIG_SENSORS_LM80=m | ||
3674 | CONFIG_SENSORS_LM83=m | ||
3675 | CONFIG_SENSORS_LM85=m | ||
3676 | CONFIG_SENSORS_LM87=m | ||
3677 | CONFIG_SENSORS_LM90=m | ||
3678 | CONFIG_SENSORS_LM92=m | ||
3679 | CONFIG_SENSORS_LM93=m | ||
3680 | # CONFIG_SENSORS_LM95234 is not set | ||
3681 | CONFIG_SENSORS_LM95241=m | ||
3682 | CONFIG_SENSORS_LM95245=m | ||
3683 | CONFIG_SENSORS_PC87360=m | ||
3684 | CONFIG_SENSORS_PC87427=m | ||
3685 | CONFIG_SENSORS_NTC_THERMISTOR=m | ||
3686 | CONFIG_SENSORS_NCT6683=m | ||
3687 | CONFIG_SENSORS_NCT6775=m | ||
3688 | # CONFIG_SENSORS_NCT7802 is not set | ||
3689 | # CONFIG_SENSORS_NCT7904 is not set | ||
3690 | CONFIG_SENSORS_PCF8591=m | ||
3691 | # CONFIG_PMBUS is not set | ||
3692 | # CONFIG_SENSORS_SHT15 is not set | ||
3693 | CONFIG_SENSORS_SHT21=m | ||
3694 | # CONFIG_SENSORS_SHTC1 is not set | ||
3695 | CONFIG_SENSORS_SIS5595=m | ||
3696 | CONFIG_SENSORS_DME1737=m | ||
3697 | CONFIG_SENSORS_EMC1403=m | ||
3698 | CONFIG_SENSORS_EMC2103=m | ||
3699 | CONFIG_SENSORS_EMC6W201=m | ||
3700 | CONFIG_SENSORS_SMSC47M1=m | ||
3701 | CONFIG_SENSORS_SMSC47M192=m | ||
3702 | CONFIG_SENSORS_SMSC47B397=m | ||
3703 | CONFIG_SENSORS_SCH56XX_COMMON=m | ||
3704 | CONFIG_SENSORS_SCH5627=m | ||
3705 | CONFIG_SENSORS_SCH5636=m | ||
3706 | CONFIG_SENSORS_SMM665=m | ||
3707 | # CONFIG_SENSORS_ADC128D818 is not set | ||
3708 | CONFIG_SENSORS_ADS1015=m | ||
3709 | CONFIG_SENSORS_ADS7828=m | ||
3710 | CONFIG_SENSORS_ADS7871=m | ||
3711 | CONFIG_SENSORS_AMC6821=m | ||
3712 | # CONFIG_SENSORS_INA209 is not set | ||
3713 | # CONFIG_SENSORS_INA2XX is not set | ||
3714 | # CONFIG_SENSORS_TC74 is not set | ||
3715 | CONFIG_SENSORS_THMC50=m | ||
3716 | CONFIG_SENSORS_TMP102=m | ||
3717 | # CONFIG_SENSORS_TMP103 is not set | ||
3718 | CONFIG_SENSORS_TMP401=m | ||
3719 | CONFIG_SENSORS_TMP421=m | ||
3720 | CONFIG_SENSORS_VIA_CPUTEMP=m | ||
3721 | CONFIG_SENSORS_VIA686A=m | ||
3722 | CONFIG_SENSORS_VT1211=m | ||
3723 | CONFIG_SENSORS_VT8231=m | ||
3724 | CONFIG_SENSORS_W83781D=m | ||
3725 | CONFIG_SENSORS_W83791D=m | ||
3726 | CONFIG_SENSORS_W83792D=m | ||
3727 | CONFIG_SENSORS_W83793=m | ||
3728 | CONFIG_SENSORS_W83795=m | ||
3729 | # CONFIG_SENSORS_W83795_FANCTRL is not set | ||
3730 | CONFIG_SENSORS_W83L785TS=m | ||
3731 | CONFIG_SENSORS_W83L786NG=m | ||
3732 | CONFIG_SENSORS_W83627HF=m | ||
3733 | CONFIG_SENSORS_W83627EHF=m | ||
3734 | |||
3735 | # | ||
3736 | # ACPI drivers | ||
3737 | # | ||
3738 | CONFIG_SENSORS_ACPI_POWER=m | ||
3739 | CONFIG_SENSORS_ATK0110=m | ||
3740 | CONFIG_THERMAL=y | ||
3741 | CONFIG_THERMAL_HWMON=y | ||
3742 | CONFIG_THERMAL_WRITABLE_TRIPS=y | ||
3743 | CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y | ||
3744 | # CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set | ||
3745 | # CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set | ||
3746 | # CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set | ||
3747 | CONFIG_THERMAL_GOV_FAIR_SHARE=y | ||
3748 | CONFIG_THERMAL_GOV_STEP_WISE=y | ||
3749 | CONFIG_THERMAL_GOV_BANG_BANG=y | ||
3750 | CONFIG_THERMAL_GOV_USER_SPACE=y | ||
3751 | # CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set | ||
3752 | # CONFIG_THERMAL_EMULATION is not set | ||
3753 | CONFIG_INTEL_POWERCLAMP=m | ||
3754 | CONFIG_X86_PKG_TEMP_THERMAL=m | ||
3755 | CONFIG_INTEL_SOC_DTS_IOSF_CORE=m | ||
3756 | CONFIG_INTEL_SOC_DTS_THERMAL=m | ||
3757 | CONFIG_INT340X_THERMAL=m | ||
3758 | CONFIG_ACPI_THERMAL_REL=m | ||
3759 | CONFIG_INTEL_PCH_THERMAL=m | ||
3760 | CONFIG_WATCHDOG=y | ||
3761 | CONFIG_WATCHDOG_CORE=y | ||
3762 | # CONFIG_WATCHDOG_NOWAYOUT is not set | ||
3763 | |||
3764 | # | ||
3765 | # Watchdog Device Drivers | ||
3766 | # | ||
3767 | CONFIG_SOFT_WATCHDOG=m | ||
3768 | CONFIG_MENF21BMC_WATCHDOG=m | ||
3769 | # CONFIG_XILINX_WATCHDOG is not set | ||
3770 | # CONFIG_CADENCE_WATCHDOG is not set | ||
3771 | # CONFIG_DW_WATCHDOG is not set | ||
3772 | # CONFIG_MAX63XX_WATCHDOG is not set | ||
3773 | CONFIG_ACQUIRE_WDT=m | ||
3774 | CONFIG_ADVANTECH_WDT=m | ||
3775 | CONFIG_ALIM1535_WDT=m | ||
3776 | CONFIG_ALIM7101_WDT=m | ||
3777 | CONFIG_F71808E_WDT=m | ||
3778 | CONFIG_SP5100_TCO=m | ||
3779 | CONFIG_SBC_FITPC2_WATCHDOG=m | ||
3780 | CONFIG_EUROTECH_WDT=m | ||
3781 | CONFIG_IB700_WDT=m | ||
3782 | CONFIG_IBMASR=m | ||
3783 | CONFIG_WAFER_WDT=m | ||
3784 | CONFIG_I6300ESB_WDT=m | ||
3785 | CONFIG_IE6XX_WDT=m | ||
3786 | CONFIG_ITCO_WDT=m | ||
3787 | CONFIG_ITCO_VENDOR_SUPPORT=y | ||
3788 | CONFIG_IT8712F_WDT=m | ||
3789 | CONFIG_IT87_WDT=m | ||
3790 | CONFIG_HP_WATCHDOG=m | ||
3791 | CONFIG_KEMPLD_WDT=m | ||
3792 | CONFIG_HPWDT_NMI_DECODING=y | ||
3793 | CONFIG_SC1200_WDT=m | ||
3794 | CONFIG_PC87413_WDT=m | ||
3795 | CONFIG_NV_TCO=m | ||
3796 | CONFIG_60XX_WDT=m | ||
3797 | CONFIG_CPU5_WDT=m | ||
3798 | CONFIG_SMSC_SCH311X_WDT=m | ||
3799 | CONFIG_SMSC37B787_WDT=m | ||
3800 | CONFIG_VIA_WDT=m | ||
3801 | CONFIG_W83627HF_WDT=m | ||
3802 | CONFIG_W83877F_WDT=m | ||
3803 | CONFIG_W83977F_WDT=m | ||
3804 | CONFIG_MACHZ_WDT=m | ||
3805 | CONFIG_SBC_EPX_C3_WATCHDOG=m | ||
3806 | # CONFIG_BCM7038_WDT is not set | ||
3807 | # CONFIG_MEN_A21_WDT is not set | ||
3808 | |||
3809 | # | ||
3810 | # PCI-based Watchdog Cards | ||
3811 | # | ||
3812 | CONFIG_PCIPCWATCHDOG=m | ||
3813 | CONFIG_WDTPCI=m | ||
3814 | |||
3815 | # | ||
3816 | # USB-based Watchdog Cards | ||
3817 | # | ||
3818 | CONFIG_USBPCWATCHDOG=m | ||
3819 | CONFIG_SSB_POSSIBLE=y | ||
3820 | |||
3821 | # | ||
3822 | # Sonics Silicon Backplane | ||
3823 | # | ||
3824 | CONFIG_SSB=m | ||
3825 | CONFIG_SSB_SPROM=y | ||
3826 | CONFIG_SSB_BLOCKIO=y | ||
3827 | CONFIG_SSB_PCIHOST_POSSIBLE=y | ||
3828 | CONFIG_SSB_PCIHOST=y | ||
3829 | CONFIG_SSB_B43_PCI_BRIDGE=y | ||
3830 | CONFIG_SSB_PCMCIAHOST_POSSIBLE=y | ||
3831 | CONFIG_SSB_PCMCIAHOST=y | ||
3832 | CONFIG_SSB_SDIOHOST_POSSIBLE=y | ||
3833 | CONFIG_SSB_SDIOHOST=y | ||
3834 | # CONFIG_SSB_HOST_SOC is not set | ||
3835 | # CONFIG_SSB_SILENT is not set | ||
3836 | # CONFIG_SSB_DEBUG is not set | ||
3837 | CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y | ||
3838 | CONFIG_SSB_DRIVER_PCICORE=y | ||
3839 | # CONFIG_SSB_DRIVER_GPIO is not set | ||
3840 | CONFIG_BCMA_POSSIBLE=y | ||
3841 | |||
3842 | # | ||
3843 | # Broadcom specific AMBA | ||
3844 | # | ||
3845 | CONFIG_BCMA=m | ||
3846 | CONFIG_BCMA_BLOCKIO=y | ||
3847 | CONFIG_BCMA_HOST_PCI_POSSIBLE=y | ||
3848 | CONFIG_BCMA_HOST_PCI=y | ||
3849 | # CONFIG_BCMA_HOST_SOC is not set | ||
3850 | CONFIG_BCMA_DRIVER_PCI=y | ||
3851 | # CONFIG_BCMA_DRIVER_GMAC_CMN is not set | ||
3852 | # CONFIG_BCMA_DRIVER_GPIO is not set | ||
3853 | # CONFIG_BCMA_DEBUG is not set | ||
3854 | |||
3855 | # | ||
3856 | # Multifunction device drivers | ||
3857 | # | ||
3858 | CONFIG_MFD_CORE=m | ||
3859 | # CONFIG_MFD_AS3711 is not set | ||
3860 | # CONFIG_PMIC_ADP5520 is not set | ||
3861 | # CONFIG_MFD_AAT2870_CORE is not set | ||
3862 | # CONFIG_MFD_BCM590XX is not set | ||
3863 | # CONFIG_MFD_AXP20X is not set | ||
3864 | # CONFIG_MFD_CROS_EC is not set | ||
3865 | # CONFIG_PMIC_DA903X is not set | ||
3866 | # CONFIG_MFD_DA9052_SPI is not set | ||
3867 | # CONFIG_MFD_DA9052_I2C is not set | ||
3868 | # CONFIG_MFD_DA9055 is not set | ||
3869 | # CONFIG_MFD_DA9062 is not set | ||
3870 | # CONFIG_MFD_DA9063 is not set | ||
3871 | # CONFIG_MFD_DA9150 is not set | ||
3872 | # CONFIG_MFD_DLN2 is not set | ||
3873 | # CONFIG_MFD_MC13XXX_SPI is not set | ||
3874 | # CONFIG_MFD_MC13XXX_I2C is not set | ||
3875 | # CONFIG_HTC_PASIC3 is not set | ||
3876 | # CONFIG_HTC_I2CPLD is not set | ||
3877 | # CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set | ||
3878 | CONFIG_LPC_ICH=m | ||
3879 | CONFIG_LPC_SCH=m | ||
3880 | # CONFIG_INTEL_SOC_PMIC is not set | ||
3881 | CONFIG_MFD_INTEL_LPSS=m | ||
3882 | CONFIG_MFD_INTEL_LPSS_ACPI=m | ||
3883 | CONFIG_MFD_INTEL_LPSS_PCI=m | ||
3884 | # CONFIG_MFD_JANZ_CMODIO is not set | ||
3885 | CONFIG_MFD_KEMPLD=m | ||
3886 | # CONFIG_MFD_88PM800 is not set | ||
3887 | # CONFIG_MFD_88PM805 is not set | ||
3888 | # CONFIG_MFD_88PM860X is not set | ||
3889 | # CONFIG_MFD_MAX14577 is not set | ||
3890 | # CONFIG_MFD_MAX77693 is not set | ||
3891 | # CONFIG_MFD_MAX77843 is not set | ||
3892 | # CONFIG_MFD_MAX8907 is not set | ||
3893 | # CONFIG_MFD_MAX8925 is not set | ||
3894 | # CONFIG_MFD_MAX8997 is not set | ||
3895 | # CONFIG_MFD_MAX8998 is not set | ||
3896 | # CONFIG_MFD_MT6397 is not set | ||
3897 | CONFIG_MFD_MENF21BMC=m | ||
3898 | # CONFIG_EZX_PCAP is not set | ||
3899 | CONFIG_MFD_VIPERBOARD=m | ||
3900 | # CONFIG_MFD_RETU is not set | ||
3901 | # CONFIG_MFD_PCF50633 is not set | ||
3902 | # CONFIG_UCB1400_CORE is not set | ||
3903 | # CONFIG_MFD_RDC321X is not set | ||
3904 | CONFIG_MFD_RTSX_PCI=m | ||
3905 | # CONFIG_MFD_RT5033 is not set | ||
3906 | CONFIG_MFD_RTSX_USB=m | ||
3907 | # CONFIG_MFD_RC5T583 is not set | ||
3908 | # CONFIG_MFD_RN5T618 is not set | ||
3909 | # CONFIG_MFD_SEC_CORE is not set | ||
3910 | # CONFIG_MFD_SI476X_CORE is not set | ||
3911 | # CONFIG_MFD_SM501 is not set | ||
3912 | # CONFIG_MFD_SKY81452 is not set | ||
3913 | # CONFIG_MFD_SMSC is not set | ||
3914 | # CONFIG_ABX500_CORE is not set | ||
3915 | # CONFIG_MFD_SYSCON is not set | ||
3916 | # CONFIG_MFD_TI_AM335X_TSCADC is not set | ||
3917 | # CONFIG_MFD_LP3943 is not set | ||
3918 | # CONFIG_MFD_LP8788 is not set | ||
3919 | # CONFIG_MFD_PALMAS is not set | ||
3920 | # CONFIG_TPS6105X is not set | ||
3921 | # CONFIG_TPS65010 is not set | ||
3922 | # CONFIG_TPS6507X is not set | ||
3923 | # CONFIG_MFD_TPS65090 is not set | ||
3924 | # CONFIG_MFD_TPS65217 is not set | ||
3925 | # CONFIG_MFD_TPS65218 is not set | ||
3926 | # CONFIG_MFD_TPS6586X is not set | ||
3927 | # CONFIG_MFD_TPS65910 is not set | ||
3928 | # CONFIG_MFD_TPS65912 is not set | ||
3929 | # CONFIG_MFD_TPS65912_I2C is not set | ||
3930 | # CONFIG_MFD_TPS65912_SPI is not set | ||
3931 | # CONFIG_MFD_TPS80031 is not set | ||
3932 | # CONFIG_TWL4030_CORE is not set | ||
3933 | # CONFIG_TWL6040_CORE is not set | ||
3934 | # CONFIG_MFD_WL1273_CORE is not set | ||
3935 | # CONFIG_MFD_LM3533 is not set | ||
3936 | # CONFIG_MFD_TMIO is not set | ||
3937 | # CONFIG_MFD_VX855 is not set | ||
3938 | # CONFIG_MFD_ARIZONA_I2C is not set | ||
3939 | # CONFIG_MFD_ARIZONA_SPI is not set | ||
3940 | # CONFIG_MFD_WM8400 is not set | ||
3941 | # CONFIG_MFD_WM831X_I2C is not set | ||
3942 | # CONFIG_MFD_WM831X_SPI is not set | ||
3943 | # CONFIG_MFD_WM8350_I2C is not set | ||
3944 | # CONFIG_MFD_WM8994 is not set | ||
3945 | # CONFIG_REGULATOR is not set | ||
3946 | CONFIG_MEDIA_SUPPORT=m | ||
3947 | |||
3948 | # | ||
3949 | # Multimedia core support | ||
3950 | # | ||
3951 | CONFIG_MEDIA_CAMERA_SUPPORT=y | ||
3952 | CONFIG_MEDIA_ANALOG_TV_SUPPORT=y | ||
3953 | CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y | ||
3954 | CONFIG_MEDIA_RADIO_SUPPORT=y | ||
3955 | CONFIG_MEDIA_SDR_SUPPORT=y | ||
3956 | CONFIG_MEDIA_RC_SUPPORT=y | ||
3957 | CONFIG_MEDIA_CONTROLLER=y | ||
3958 | CONFIG_VIDEO_DEV=m | ||
3959 | # CONFIG_VIDEO_V4L2_SUBDEV_API is not set | ||
3960 | CONFIG_VIDEO_V4L2=m | ||
3961 | # CONFIG_VIDEO_ADV_DEBUG is not set | ||
3962 | # CONFIG_VIDEO_FIXED_MINOR_RANGES is not set | ||
3963 | CONFIG_VIDEO_TUNER=m | ||
3964 | CONFIG_VIDEOBUF_GEN=m | ||
3965 | CONFIG_VIDEOBUF_DMA_SG=m | ||
3966 | CONFIG_VIDEOBUF_VMALLOC=m | ||
3967 | CONFIG_VIDEOBUF_DVB=m | ||
3968 | CONFIG_VIDEOBUF2_CORE=m | ||
3969 | CONFIG_VIDEOBUF2_MEMOPS=m | ||
3970 | CONFIG_VIDEOBUF2_DMA_CONTIG=m | ||
3971 | CONFIG_VIDEOBUF2_VMALLOC=m | ||
3972 | CONFIG_VIDEOBUF2_DMA_SG=m | ||
3973 | CONFIG_VIDEOBUF2_DVB=m | ||
3974 | CONFIG_DVB_CORE=m | ||
3975 | CONFIG_DVB_NET=y | ||
3976 | CONFIG_TTPCI_EEPROM=m | ||
3977 | CONFIG_DVB_MAX_ADAPTERS=8 | ||
3978 | CONFIG_DVB_DYNAMIC_MINORS=y | ||
3979 | |||
3980 | # | ||
3981 | # Media drivers | ||
3982 | # | ||
3983 | CONFIG_RC_CORE=m | ||
3984 | CONFIG_RC_MAP=m | ||
3985 | CONFIG_RC_DECODERS=y | ||
3986 | CONFIG_LIRC=m | ||
3987 | CONFIG_IR_LIRC_CODEC=m | ||
3988 | CONFIG_IR_NEC_DECODER=m | ||
3989 | CONFIG_IR_RC5_DECODER=m | ||
3990 | CONFIG_IR_RC6_DECODER=m | ||
3991 | CONFIG_IR_JVC_DECODER=m | ||
3992 | CONFIG_IR_SONY_DECODER=m | ||
3993 | CONFIG_IR_SANYO_DECODER=m | ||
3994 | CONFIG_IR_SHARP_DECODER=m | ||
3995 | CONFIG_IR_MCE_KBD_DECODER=m | ||
3996 | CONFIG_IR_XMP_DECODER=m | ||
3997 | CONFIG_RC_DEVICES=y | ||
3998 | CONFIG_RC_ATI_REMOTE=m | ||
3999 | CONFIG_IR_ENE=m | ||
4000 | # CONFIG_IR_HIX5HD2 is not set | ||
4001 | CONFIG_IR_IMON=m | ||
4002 | CONFIG_IR_MCEUSB=m | ||
4003 | CONFIG_IR_ITE_CIR=m | ||
4004 | CONFIG_IR_FINTEK=m | ||
4005 | CONFIG_IR_NUVOTON=m | ||
4006 | CONFIG_IR_REDRAT3=m | ||
4007 | CONFIG_IR_STREAMZAP=m | ||
4008 | CONFIG_IR_WINBOND_CIR=m | ||
4009 | CONFIG_IR_IGORPLUGUSB=m | ||
4010 | CONFIG_IR_IGUANA=m | ||
4011 | CONFIG_IR_TTUSBIR=m | ||
4012 | CONFIG_RC_LOOPBACK=m | ||
4013 | # CONFIG_IR_GPIO_CIR is not set | ||
4014 | CONFIG_MEDIA_USB_SUPPORT=y | ||
4015 | |||
4016 | # | ||
4017 | # Webcam devices | ||
4018 | # | ||
4019 | CONFIG_USB_VIDEO_CLASS=m | ||
4020 | CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y | ||
4021 | CONFIG_USB_GSPCA=m | ||
4022 | CONFIG_USB_M5602=m | ||
4023 | CONFIG_USB_STV06XX=m | ||
4024 | CONFIG_USB_GL860=m | ||
4025 | CONFIG_USB_GSPCA_BENQ=m | ||
4026 | CONFIG_USB_GSPCA_CONEX=m | ||
4027 | CONFIG_USB_GSPCA_CPIA1=m | ||
4028 | CONFIG_USB_GSPCA_DTCS033=m | ||
4029 | CONFIG_USB_GSPCA_ETOMS=m | ||
4030 | CONFIG_USB_GSPCA_FINEPIX=m | ||
4031 | CONFIG_USB_GSPCA_JEILINJ=m | ||
4032 | CONFIG_USB_GSPCA_JL2005BCD=m | ||
4033 | CONFIG_USB_GSPCA_KINECT=m | ||
4034 | CONFIG_USB_GSPCA_KONICA=m | ||
4035 | CONFIG_USB_GSPCA_MARS=m | ||
4036 | CONFIG_USB_GSPCA_MR97310A=m | ||
4037 | CONFIG_USB_GSPCA_NW80X=m | ||
4038 | CONFIG_USB_GSPCA_OV519=m | ||
4039 | CONFIG_USB_GSPCA_OV534=m | ||
4040 | CONFIG_USB_GSPCA_OV534_9=m | ||
4041 | CONFIG_USB_GSPCA_PAC207=m | ||
4042 | CONFIG_USB_GSPCA_PAC7302=m | ||
4043 | CONFIG_USB_GSPCA_PAC7311=m | ||
4044 | CONFIG_USB_GSPCA_SE401=m | ||
4045 | CONFIG_USB_GSPCA_SN9C2028=m | ||
4046 | CONFIG_USB_GSPCA_SN9C20X=m | ||
4047 | CONFIG_USB_GSPCA_SONIXB=m | ||
4048 | CONFIG_USB_GSPCA_SONIXJ=m | ||
4049 | CONFIG_USB_GSPCA_SPCA500=m | ||
4050 | CONFIG_USB_GSPCA_SPCA501=m | ||
4051 | CONFIG_USB_GSPCA_SPCA505=m | ||
4052 | CONFIG_USB_GSPCA_SPCA506=m | ||
4053 | CONFIG_USB_GSPCA_SPCA508=m | ||
4054 | CONFIG_USB_GSPCA_SPCA561=m | ||
4055 | CONFIG_USB_GSPCA_SPCA1528=m | ||
4056 | CONFIG_USB_GSPCA_SQ905=m | ||
4057 | CONFIG_USB_GSPCA_SQ905C=m | ||
4058 | CONFIG_USB_GSPCA_SQ930X=m | ||
4059 | CONFIG_USB_GSPCA_STK014=m | ||
4060 | CONFIG_USB_GSPCA_STK1135=m | ||
4061 | CONFIG_USB_GSPCA_STV0680=m | ||
4062 | CONFIG_USB_GSPCA_SUNPLUS=m | ||
4063 | CONFIG_USB_GSPCA_T613=m | ||
4064 | CONFIG_USB_GSPCA_TOPRO=m | ||
4065 | CONFIG_USB_GSPCA_TOUPTEK=m | ||
4066 | CONFIG_USB_GSPCA_TV8532=m | ||
4067 | CONFIG_USB_GSPCA_VC032X=m | ||
4068 | CONFIG_USB_GSPCA_VICAM=m | ||
4069 | CONFIG_USB_GSPCA_XIRLINK_CIT=m | ||
4070 | CONFIG_USB_GSPCA_ZC3XX=m | ||
4071 | CONFIG_USB_PWC=m | ||
4072 | # CONFIG_USB_PWC_DEBUG is not set | ||
4073 | CONFIG_USB_PWC_INPUT_EVDEV=y | ||
4074 | CONFIG_VIDEO_CPIA2=m | ||
4075 | CONFIG_USB_ZR364XX=m | ||
4076 | CONFIG_USB_STKWEBCAM=m | ||
4077 | CONFIG_USB_S2255=m | ||
4078 | CONFIG_VIDEO_USBTV=m | ||
4079 | |||
4080 | # | ||
4081 | # Analog TV USB devices | ||
4082 | # | ||
4083 | CONFIG_VIDEO_PVRUSB2=m | ||
4084 | CONFIG_VIDEO_PVRUSB2_SYSFS=y | ||
4085 | CONFIG_VIDEO_PVRUSB2_DVB=y | ||
4086 | # CONFIG_VIDEO_PVRUSB2_DEBUGIFC is not set | ||
4087 | CONFIG_VIDEO_HDPVR=m | ||
4088 | CONFIG_VIDEO_USBVISION=m | ||
4089 | CONFIG_VIDEO_STK1160_COMMON=m | ||
4090 | CONFIG_VIDEO_STK1160_AC97=y | ||
4091 | CONFIG_VIDEO_STK1160=m | ||
4092 | # CONFIG_VIDEO_GO7007 is not set | ||
4093 | |||
4094 | # | ||
4095 | # Analog/digital TV USB devices | ||
4096 | # | ||
4097 | CONFIG_VIDEO_AU0828=m | ||
4098 | CONFIG_VIDEO_AU0828_V4L2=y | ||
4099 | CONFIG_VIDEO_AU0828_RC=y | ||
4100 | CONFIG_VIDEO_CX231XX=m | ||
4101 | CONFIG_VIDEO_CX231XX_RC=y | ||
4102 | CONFIG_VIDEO_CX231XX_ALSA=m | ||
4103 | CONFIG_VIDEO_CX231XX_DVB=m | ||
4104 | CONFIG_VIDEO_TM6000=m | ||
4105 | CONFIG_VIDEO_TM6000_ALSA=m | ||
4106 | CONFIG_VIDEO_TM6000_DVB=m | ||
4107 | |||
4108 | # | ||
4109 | # Digital TV USB devices | ||
4110 | # | ||
4111 | CONFIG_DVB_USB=m | ||
4112 | # CONFIG_DVB_USB_DEBUG is not set | ||
4113 | CONFIG_DVB_USB_A800=m | ||
4114 | CONFIG_DVB_USB_DIBUSB_MB=m | ||
4115 | CONFIG_DVB_USB_DIBUSB_MB_FAULTY=y | ||
4116 | CONFIG_DVB_USB_DIBUSB_MC=m | ||
4117 | CONFIG_DVB_USB_DIB0700=m | ||
4118 | CONFIG_DVB_USB_UMT_010=m | ||
4119 | CONFIG_DVB_USB_CXUSB=m | ||
4120 | CONFIG_DVB_USB_M920X=m | ||
4121 | CONFIG_DVB_USB_DIGITV=m | ||
4122 | CONFIG_DVB_USB_VP7045=m | ||
4123 | CONFIG_DVB_USB_VP702X=m | ||
4124 | CONFIG_DVB_USB_GP8PSK=m | ||
4125 | CONFIG_DVB_USB_NOVA_T_USB2=m | ||
4126 | CONFIG_DVB_USB_TTUSB2=m | ||
4127 | CONFIG_DVB_USB_DTT200U=m | ||
4128 | CONFIG_DVB_USB_OPERA1=m | ||
4129 | CONFIG_DVB_USB_AF9005=m | ||
4130 | CONFIG_DVB_USB_AF9005_REMOTE=m | ||
4131 | CONFIG_DVB_USB_PCTV452E=m | ||
4132 | CONFIG_DVB_USB_DW2102=m | ||
4133 | CONFIG_DVB_USB_CINERGY_T2=m | ||
4134 | CONFIG_DVB_USB_DTV5100=m | ||
4135 | CONFIG_DVB_USB_FRIIO=m | ||
4136 | CONFIG_DVB_USB_AZ6027=m | ||
4137 | CONFIG_DVB_USB_TECHNISAT_USB2=m | ||
4138 | CONFIG_DVB_USB_V2=m | ||
4139 | CONFIG_DVB_USB_AF9015=m | ||
4140 | CONFIG_DVB_USB_AF9035=m | ||
4141 | CONFIG_DVB_USB_ANYSEE=m | ||
4142 | CONFIG_DVB_USB_AU6610=m | ||
4143 | CONFIG_DVB_USB_AZ6007=m | ||
4144 | CONFIG_DVB_USB_CE6230=m | ||
4145 | CONFIG_DVB_USB_EC168=m | ||
4146 | CONFIG_DVB_USB_GL861=m | ||
4147 | CONFIG_DVB_USB_LME2510=m | ||
4148 | CONFIG_DVB_USB_MXL111SF=m | ||
4149 | CONFIG_DVB_USB_RTL28XXU=m | ||
4150 | CONFIG_DVB_USB_DVBSKY=m | ||
4151 | CONFIG_DVB_TTUSB_BUDGET=m | ||
4152 | CONFIG_DVB_TTUSB_DEC=m | ||
4153 | CONFIG_SMS_USB_DRV=m | ||
4154 | CONFIG_DVB_B2C2_FLEXCOP_USB=m | ||
4155 | # CONFIG_DVB_B2C2_FLEXCOP_USB_DEBUG is not set | ||
4156 | CONFIG_DVB_AS102=m | ||
4157 | |||
4158 | # | ||
4159 | # Webcam, TV (analog/digital) USB devices | ||
4160 | # | ||
4161 | CONFIG_VIDEO_EM28XX=m | ||
4162 | CONFIG_VIDEO_EM28XX_V4L2=m | ||
4163 | CONFIG_VIDEO_EM28XX_ALSA=m | ||
4164 | CONFIG_VIDEO_EM28XX_DVB=m | ||
4165 | CONFIG_VIDEO_EM28XX_RC=m | ||
4166 | |||
4167 | # | ||
4168 | # Software defined radio USB devices | ||
4169 | # | ||
4170 | CONFIG_USB_AIRSPY=m | ||
4171 | CONFIG_USB_HACKRF=m | ||
4172 | CONFIG_USB_MSI2500=m | ||
4173 | CONFIG_MEDIA_PCI_SUPPORT=y | ||
4174 | |||
4175 | # | ||
4176 | # Media capture support | ||
4177 | # | ||
4178 | CONFIG_VIDEO_MEYE=m | ||
4179 | CONFIG_VIDEO_SOLO6X10=m | ||
4180 | CONFIG_VIDEO_TW68=m | ||
4181 | CONFIG_VIDEO_ZORAN=m | ||
4182 | CONFIG_VIDEO_ZORAN_DC30=m | ||
4183 | CONFIG_VIDEO_ZORAN_ZR36060=m | ||
4184 | CONFIG_VIDEO_ZORAN_BUZ=m | ||
4185 | CONFIG_VIDEO_ZORAN_DC10=m | ||
4186 | CONFIG_VIDEO_ZORAN_LML33=m | ||
4187 | CONFIG_VIDEO_ZORAN_LML33R10=m | ||
4188 | CONFIG_VIDEO_ZORAN_AVS6EYES=m | ||
4189 | |||
4190 | # | ||
4191 | # Media capture/analog TV support | ||
4192 | # | ||
4193 | CONFIG_VIDEO_IVTV=m | ||
4194 | CONFIG_VIDEO_IVTV_ALSA=m | ||
4195 | CONFIG_VIDEO_FB_IVTV=m | ||
4196 | CONFIG_VIDEO_HEXIUM_GEMINI=m | ||
4197 | CONFIG_VIDEO_HEXIUM_ORION=m | ||
4198 | CONFIG_VIDEO_MXB=m | ||
4199 | CONFIG_VIDEO_DT3155=m | ||
4200 | |||
4201 | # | ||
4202 | # Media capture/analog/hybrid TV support | ||
4203 | # | ||
4204 | CONFIG_VIDEO_CX18=m | ||
4205 | CONFIG_VIDEO_CX18_ALSA=m | ||
4206 | CONFIG_VIDEO_CX23885=m | ||
4207 | CONFIG_MEDIA_ALTERA_CI=m | ||
4208 | # CONFIG_VIDEO_CX25821 is not set | ||
4209 | CONFIG_VIDEO_CX88=m | ||
4210 | CONFIG_VIDEO_CX88_ALSA=m | ||
4211 | CONFIG_VIDEO_CX88_BLACKBIRD=m | ||
4212 | CONFIG_VIDEO_CX88_DVB=m | ||
4213 | CONFIG_VIDEO_CX88_ENABLE_VP3054=y | ||
4214 | CONFIG_VIDEO_CX88_VP3054=m | ||
4215 | CONFIG_VIDEO_CX88_MPEG=m | ||
4216 | CONFIG_VIDEO_BT848=m | ||
4217 | CONFIG_DVB_BT8XX=m | ||
4218 | CONFIG_VIDEO_SAA7134=m | ||
4219 | CONFIG_VIDEO_SAA7134_ALSA=m | ||
4220 | CONFIG_VIDEO_SAA7134_RC=y | ||
4221 | CONFIG_VIDEO_SAA7134_DVB=m | ||
4222 | CONFIG_VIDEO_SAA7164=m | ||
4223 | |||
4224 | # | ||
4225 | # Media digital TV PCI Adapters | ||
4226 | # | ||
4227 | CONFIG_DVB_AV7110_IR=y | ||
4228 | CONFIG_DVB_AV7110=m | ||
4229 | CONFIG_DVB_AV7110_OSD=y | ||
4230 | CONFIG_DVB_BUDGET_CORE=m | ||
4231 | CONFIG_DVB_BUDGET=m | ||
4232 | CONFIG_DVB_BUDGET_CI=m | ||
4233 | CONFIG_DVB_BUDGET_AV=m | ||
4234 | CONFIG_DVB_BUDGET_PATCH=m | ||
4235 | CONFIG_DVB_B2C2_FLEXCOP_PCI=m | ||
4236 | # CONFIG_DVB_B2C2_FLEXCOP_PCI_DEBUG is not set | ||
4237 | CONFIG_DVB_PLUTO2=m | ||
4238 | CONFIG_DVB_DM1105=m | ||
4239 | CONFIG_DVB_PT1=m | ||
4240 | CONFIG_DVB_PT3=m | ||
4241 | CONFIG_MANTIS_CORE=m | ||
4242 | CONFIG_DVB_MANTIS=m | ||
4243 | CONFIG_DVB_HOPPER=m | ||
4244 | CONFIG_DVB_NGENE=m | ||
4245 | CONFIG_DVB_DDBRIDGE=m | ||
4246 | CONFIG_DVB_SMIPCIE=m | ||
4247 | CONFIG_DVB_NETUP_UNIDVB=m | ||
4248 | CONFIG_V4L_PLATFORM_DRIVERS=y | ||
4249 | CONFIG_VIDEO_CAFE_CCIC=m | ||
4250 | CONFIG_VIDEO_VIA_CAMERA=m | ||
4251 | # CONFIG_SOC_CAMERA is not set | ||
4252 | CONFIG_V4L_MEM2MEM_DRIVERS=y | ||
4253 | # CONFIG_VIDEO_MEM2MEM_DEINTERLACE is not set | ||
4254 | # CONFIG_VIDEO_SH_VEU is not set | ||
4255 | CONFIG_V4L_TEST_DRIVERS=y | ||
4256 | CONFIG_VIDEO_VIVID=m | ||
4257 | CONFIG_VIDEO_VIVID_MAX_DEVS=64 | ||
4258 | # CONFIG_VIDEO_VIM2M is not set | ||
4259 | # CONFIG_DVB_PLATFORM_DRIVERS is not set | ||
4260 | |||
4261 | # | ||
4262 | # Supported MMC/SDIO adapters | ||
4263 | # | ||
4264 | CONFIG_SMS_SDIO_DRV=m | ||
4265 | CONFIG_RADIO_ADAPTERS=y | ||
4266 | CONFIG_RADIO_TEA575X=m | ||
4267 | CONFIG_RADIO_SI470X=y | ||
4268 | CONFIG_USB_SI470X=m | ||
4269 | # CONFIG_I2C_SI470X is not set | ||
4270 | # CONFIG_RADIO_SI4713 is not set | ||
4271 | CONFIG_USB_MR800=m | ||
4272 | CONFIG_USB_DSBR=m | ||
4273 | CONFIG_RADIO_MAXIRADIO=m | ||
4274 | CONFIG_RADIO_SHARK=m | ||
4275 | CONFIG_RADIO_SHARK2=m | ||
4276 | CONFIG_USB_KEENE=m | ||
4277 | CONFIG_USB_RAREMONO=m | ||
4278 | CONFIG_USB_MA901=m | ||
4279 | # CONFIG_RADIO_TEA5764 is not set | ||
4280 | # CONFIG_RADIO_SAA7706H is not set | ||
4281 | # CONFIG_RADIO_TEF6862 is not set | ||
4282 | # CONFIG_RADIO_WL1273 is not set | ||
4283 | |||
4284 | # | ||
4285 | # Texas Instruments WL128x FM driver (ST based) | ||
4286 | # | ||
4287 | |||
4288 | # | ||
4289 | # Supported FireWire (IEEE 1394) Adapters | ||
4290 | # | ||
4291 | CONFIG_DVB_FIREDTV=m | ||
4292 | CONFIG_DVB_FIREDTV_INPUT=y | ||
4293 | CONFIG_MEDIA_COMMON_OPTIONS=y | ||
4294 | |||
4295 | # | ||
4296 | # common driver options | ||
4297 | # | ||
4298 | CONFIG_VIDEO_CX2341X=m | ||
4299 | CONFIG_VIDEO_TVEEPROM=m | ||
4300 | CONFIG_CYPRESS_FIRMWARE=m | ||
4301 | CONFIG_DVB_B2C2_FLEXCOP=m | ||
4302 | CONFIG_VIDEO_SAA7146=m | ||
4303 | CONFIG_VIDEO_SAA7146_VV=m | ||
4304 | CONFIG_SMS_SIANO_MDTV=m | ||
4305 | CONFIG_SMS_SIANO_RC=y | ||
4306 | |||
4307 | # | ||
4308 | # Media ancillary drivers (tuners, sensors, i2c, frontends) | ||
4309 | # | ||
4310 | CONFIG_MEDIA_SUBDRV_AUTOSELECT=y | ||
4311 | CONFIG_MEDIA_ATTACH=y | ||
4312 | CONFIG_VIDEO_IR_I2C=m | ||
4313 | |||
4314 | # | ||
4315 | # Audio decoders, processors and mixers | ||
4316 | # | ||
4317 | CONFIG_VIDEO_TVAUDIO=m | ||
4318 | CONFIG_VIDEO_TDA7432=m | ||
4319 | CONFIG_VIDEO_TDA9840=m | ||
4320 | CONFIG_VIDEO_TEA6415C=m | ||
4321 | CONFIG_VIDEO_TEA6420=m | ||
4322 | CONFIG_VIDEO_MSP3400=m | ||
4323 | CONFIG_VIDEO_CS5345=m | ||
4324 | CONFIG_VIDEO_CS53L32A=m | ||
4325 | CONFIG_VIDEO_WM8775=m | ||
4326 | CONFIG_VIDEO_WM8739=m | ||
4327 | CONFIG_VIDEO_VP27SMPX=m | ||
4328 | |||
4329 | # | ||
4330 | # RDS decoders | ||
4331 | # | ||
4332 | CONFIG_VIDEO_SAA6588=m | ||
4333 | |||
4334 | # | ||
4335 | # Video decoders | ||
4336 | # | ||
4337 | CONFIG_VIDEO_BT819=m | ||
4338 | CONFIG_VIDEO_BT856=m | ||
4339 | CONFIG_VIDEO_BT866=m | ||
4340 | CONFIG_VIDEO_KS0127=m | ||
4341 | CONFIG_VIDEO_SAA7110=m | ||
4342 | CONFIG_VIDEO_SAA711X=m | ||
4343 | CONFIG_VIDEO_TVP5150=m | ||
4344 | CONFIG_VIDEO_VPX3220=m | ||
4345 | |||
4346 | # | ||
4347 | # Video and audio decoders | ||
4348 | # | ||
4349 | CONFIG_VIDEO_SAA717X=m | ||
4350 | CONFIG_VIDEO_CX25840=m | ||
4351 | |||
4352 | # | ||
4353 | # Video encoders | ||
4354 | # | ||
4355 | CONFIG_VIDEO_SAA7127=m | ||
4356 | CONFIG_VIDEO_SAA7185=m | ||
4357 | CONFIG_VIDEO_ADV7170=m | ||
4358 | CONFIG_VIDEO_ADV7175=m | ||
4359 | |||
4360 | # | ||
4361 | # Camera sensor devices | ||
4362 | # | ||
4363 | CONFIG_VIDEO_OV7670=m | ||
4364 | CONFIG_VIDEO_MT9V011=m | ||
4365 | |||
4366 | # | ||
4367 | # Flash devices | ||
4368 | # | ||
4369 | |||
4370 | # | ||
4371 | # Video improvement chips | ||
4372 | # | ||
4373 | CONFIG_VIDEO_UPD64031A=m | ||
4374 | CONFIG_VIDEO_UPD64083=m | ||
4375 | |||
4376 | # | ||
4377 | # Audio/Video compression chips | ||
4378 | # | ||
4379 | CONFIG_VIDEO_SAA6752HS=m | ||
4380 | |||
4381 | # | ||
4382 | # Miscellaneous helper chips | ||
4383 | # | ||
4384 | CONFIG_VIDEO_M52790=m | ||
4385 | |||
4386 | # | ||
4387 | # Sensors used on soc_camera driver | ||
4388 | # | ||
4389 | CONFIG_MEDIA_TUNER=m | ||
4390 | CONFIG_MEDIA_TUNER_SIMPLE=m | ||
4391 | CONFIG_MEDIA_TUNER_TDA8290=m | ||
4392 | CONFIG_MEDIA_TUNER_TDA827X=m | ||
4393 | CONFIG_MEDIA_TUNER_TDA18271=m | ||
4394 | CONFIG_MEDIA_TUNER_TDA9887=m | ||
4395 | CONFIG_MEDIA_TUNER_TEA5761=m | ||
4396 | CONFIG_MEDIA_TUNER_TEA5767=m | ||
4397 | CONFIG_MEDIA_TUNER_MSI001=m | ||
4398 | CONFIG_MEDIA_TUNER_MT20XX=m | ||
4399 | CONFIG_MEDIA_TUNER_MT2060=m | ||
4400 | CONFIG_MEDIA_TUNER_MT2063=m | ||
4401 | CONFIG_MEDIA_TUNER_MT2266=m | ||
4402 | CONFIG_MEDIA_TUNER_MT2131=m | ||
4403 | CONFIG_MEDIA_TUNER_QT1010=m | ||
4404 | CONFIG_MEDIA_TUNER_XC2028=m | ||
4405 | CONFIG_MEDIA_TUNER_XC5000=m | ||
4406 | CONFIG_MEDIA_TUNER_XC4000=m | ||
4407 | CONFIG_MEDIA_TUNER_MXL5005S=m | ||
4408 | CONFIG_MEDIA_TUNER_MXL5007T=m | ||
4409 | CONFIG_MEDIA_TUNER_MC44S803=m | ||
4410 | CONFIG_MEDIA_TUNER_MAX2165=m | ||
4411 | CONFIG_MEDIA_TUNER_TDA18218=m | ||
4412 | CONFIG_MEDIA_TUNER_FC0011=m | ||
4413 | CONFIG_MEDIA_TUNER_FC0012=m | ||
4414 | CONFIG_MEDIA_TUNER_FC0013=m | ||
4415 | CONFIG_MEDIA_TUNER_TDA18212=m | ||
4416 | CONFIG_MEDIA_TUNER_E4000=m | ||
4417 | CONFIG_MEDIA_TUNER_FC2580=m | ||
4418 | CONFIG_MEDIA_TUNER_M88RS6000T=m | ||
4419 | CONFIG_MEDIA_TUNER_TUA9001=m | ||
4420 | CONFIG_MEDIA_TUNER_SI2157=m | ||
4421 | CONFIG_MEDIA_TUNER_IT913X=m | ||
4422 | CONFIG_MEDIA_TUNER_R820T=m | ||
4423 | CONFIG_MEDIA_TUNER_MXL301RF=m | ||
4424 | CONFIG_MEDIA_TUNER_QM1D1C0042=m | ||
4425 | |||
4426 | # | ||
4427 | # Multistandard (satellite) frontends | ||
4428 | # | ||
4429 | CONFIG_DVB_STB0899=m | ||
4430 | CONFIG_DVB_STB6100=m | ||
4431 | CONFIG_DVB_STV090x=m | ||
4432 | CONFIG_DVB_STV6110x=m | ||
4433 | CONFIG_DVB_M88DS3103=m | ||
4434 | |||
4435 | # | ||
4436 | # Multistandard (cable + terrestrial) frontends | ||
4437 | # | ||
4438 | CONFIG_DVB_DRXK=m | ||
4439 | CONFIG_DVB_TDA18271C2DD=m | ||
4440 | CONFIG_DVB_SI2165=m | ||
4441 | |||
4442 | # | ||
4443 | # DVB-S (satellite) frontends | ||
4444 | # | ||
4445 | CONFIG_DVB_CX24110=m | ||
4446 | CONFIG_DVB_CX24123=m | ||
4447 | CONFIG_DVB_MT312=m | ||
4448 | CONFIG_DVB_ZL10036=m | ||
4449 | CONFIG_DVB_ZL10039=m | ||
4450 | CONFIG_DVB_S5H1420=m | ||
4451 | CONFIG_DVB_STV0288=m | ||
4452 | CONFIG_DVB_STB6000=m | ||
4453 | CONFIG_DVB_STV0299=m | ||
4454 | CONFIG_DVB_STV6110=m | ||
4455 | CONFIG_DVB_STV0900=m | ||
4456 | CONFIG_DVB_TDA8083=m | ||
4457 | CONFIG_DVB_TDA10086=m | ||
4458 | CONFIG_DVB_TDA8261=m | ||
4459 | CONFIG_DVB_VES1X93=m | ||
4460 | CONFIG_DVB_TUNER_ITD1000=m | ||
4461 | CONFIG_DVB_TUNER_CX24113=m | ||
4462 | CONFIG_DVB_TDA826X=m | ||
4463 | CONFIG_DVB_TUA6100=m | ||
4464 | CONFIG_DVB_CX24116=m | ||
4465 | CONFIG_DVB_CX24117=m | ||
4466 | CONFIG_DVB_CX24120=m | ||
4467 | CONFIG_DVB_SI21XX=m | ||
4468 | CONFIG_DVB_TS2020=m | ||
4469 | CONFIG_DVB_DS3000=m | ||
4470 | CONFIG_DVB_MB86A16=m | ||
4471 | CONFIG_DVB_TDA10071=m | ||
4472 | |||
4473 | # | ||
4474 | # DVB-T (terrestrial) frontends | ||
4475 | # | ||
4476 | CONFIG_DVB_SP8870=m | ||
4477 | CONFIG_DVB_SP887X=m | ||
4478 | CONFIG_DVB_CX22700=m | ||
4479 | CONFIG_DVB_CX22702=m | ||
4480 | CONFIG_DVB_DRXD=m | ||
4481 | CONFIG_DVB_L64781=m | ||
4482 | CONFIG_DVB_TDA1004X=m | ||
4483 | CONFIG_DVB_NXT6000=m | ||
4484 | CONFIG_DVB_MT352=m | ||
4485 | CONFIG_DVB_ZL10353=m | ||
4486 | CONFIG_DVB_DIB3000MB=m | ||
4487 | CONFIG_DVB_DIB3000MC=m | ||
4488 | CONFIG_DVB_DIB7000M=m | ||
4489 | CONFIG_DVB_DIB7000P=m | ||
4490 | CONFIG_DVB_TDA10048=m | ||
4491 | CONFIG_DVB_AF9013=m | ||
4492 | CONFIG_DVB_EC100=m | ||
4493 | CONFIG_DVB_STV0367=m | ||
4494 | CONFIG_DVB_CXD2820R=m | ||
4495 | CONFIG_DVB_CXD2841ER=m | ||
4496 | CONFIG_DVB_RTL2830=m | ||
4497 | CONFIG_DVB_RTL2832=m | ||
4498 | CONFIG_DVB_RTL2832_SDR=m | ||
4499 | CONFIG_DVB_SI2168=m | ||
4500 | CONFIG_DVB_AS102_FE=m | ||
4501 | |||
4502 | # | ||
4503 | # DVB-C (cable) frontends | ||
4504 | # | ||
4505 | CONFIG_DVB_VES1820=m | ||
4506 | CONFIG_DVB_TDA10021=m | ||
4507 | CONFIG_DVB_TDA10023=m | ||
4508 | CONFIG_DVB_STV0297=m | ||
4509 | |||
4510 | # | ||
4511 | # ATSC (North American/Korean Terrestrial/Cable DTV) frontends | ||
4512 | # | ||
4513 | CONFIG_DVB_NXT200X=m | ||
4514 | CONFIG_DVB_OR51211=m | ||
4515 | CONFIG_DVB_OR51132=m | ||
4516 | CONFIG_DVB_BCM3510=m | ||
4517 | CONFIG_DVB_LGDT330X=m | ||
4518 | CONFIG_DVB_LGDT3305=m | ||
4519 | CONFIG_DVB_LGDT3306A=m | ||
4520 | CONFIG_DVB_LG2160=m | ||
4521 | CONFIG_DVB_S5H1409=m | ||
4522 | CONFIG_DVB_AU8522=m | ||
4523 | CONFIG_DVB_AU8522_DTV=m | ||
4524 | CONFIG_DVB_AU8522_V4L=m | ||
4525 | CONFIG_DVB_S5H1411=m | ||
4526 | |||
4527 | # | ||
4528 | # ISDB-T (terrestrial) frontends | ||
4529 | # | ||
4530 | CONFIG_DVB_S921=m | ||
4531 | CONFIG_DVB_DIB8000=m | ||
4532 | CONFIG_DVB_MB86A20S=m | ||
4533 | |||
4534 | # | ||
4535 | # ISDB-S (satellite) & ISDB-T (terrestrial) frontends | ||
4536 | # | ||
4537 | CONFIG_DVB_TC90522=m | ||
4538 | |||
4539 | # | ||
4540 | # Digital terrestrial only tuners/PLL | ||
4541 | # | ||
4542 | CONFIG_DVB_PLL=m | ||
4543 | CONFIG_DVB_TUNER_DIB0070=m | ||
4544 | CONFIG_DVB_TUNER_DIB0090=m | ||
4545 | |||
4546 | # | ||
4547 | # SEC control devices for DVB-S | ||
4548 | # | ||
4549 | CONFIG_DVB_DRX39XYJ=m | ||
4550 | CONFIG_DVB_LNBH25=m | ||
4551 | CONFIG_DVB_LNBP21=m | ||
4552 | CONFIG_DVB_LNBP22=m | ||
4553 | CONFIG_DVB_ISL6405=m | ||
4554 | CONFIG_DVB_ISL6421=m | ||
4555 | CONFIG_DVB_ISL6423=m | ||
4556 | CONFIG_DVB_A8293=m | ||
4557 | CONFIG_DVB_SP2=m | ||
4558 | CONFIG_DVB_LGS8GXX=m | ||
4559 | CONFIG_DVB_ATBM8830=m | ||
4560 | CONFIG_DVB_TDA665x=m | ||
4561 | CONFIG_DVB_IX2505V=m | ||
4562 | CONFIG_DVB_M88RS2000=m | ||
4563 | CONFIG_DVB_AF9033=m | ||
4564 | CONFIG_DVB_HORUS3A=m | ||
4565 | CONFIG_DVB_ASCOT2E=m | ||
4566 | |||
4567 | # | ||
4568 | # Tools to develop new frontends | ||
4569 | # | ||
4570 | # CONFIG_DVB_DUMMY_FE is not set | ||
4571 | |||
4572 | # | ||
4573 | # Graphics support | ||
4574 | # | ||
4575 | CONFIG_AGP=y | ||
4576 | CONFIG_AGP_AMD64=y | ||
4577 | CONFIG_AGP_INTEL=y | ||
4578 | CONFIG_AGP_SIS=y | ||
4579 | CONFIG_AGP_VIA=y | ||
4580 | CONFIG_INTEL_GTT=y | ||
4581 | CONFIG_VGA_ARB=y | ||
4582 | CONFIG_VGA_ARB_MAX_GPUS=16 | ||
4583 | CONFIG_VGA_SWITCHEROO=y | ||
4584 | CONFIG_DRM=m | ||
4585 | CONFIG_DRM_MIPI_DSI=y | ||
4586 | CONFIG_DRM_KMS_HELPER=m | ||
4587 | CONFIG_DRM_KMS_FB_HELPER=y | ||
4588 | CONFIG_DRM_FBDEV_EMULATION=y | ||
4589 | CONFIG_DRM_LOAD_EDID_FIRMWARE=y | ||
4590 | CONFIG_DRM_TTM=m | ||
4591 | |||
4592 | # | ||
4593 | # I2C encoder or helper chips | ||
4594 | # | ||
4595 | # CONFIG_DRM_I2C_ADV7511 is not set | ||
4596 | CONFIG_DRM_I2C_CH7006=m | ||
4597 | CONFIG_DRM_I2C_SIL164=m | ||
4598 | # CONFIG_DRM_I2C_NXP_TDA998X is not set | ||
4599 | CONFIG_DRM_TDFX=m | ||
4600 | CONFIG_DRM_R128=m | ||
4601 | CONFIG_DRM_RADEON=m | ||
4602 | # CONFIG_DRM_RADEON_USERPTR is not set | ||
4603 | # CONFIG_DRM_RADEON_UMS is not set | ||
4604 | CONFIG_DRM_AMDGPU=m | ||
4605 | # CONFIG_DRM_AMDGPU_CIK is not set | ||
4606 | CONFIG_DRM_AMDGPU_USERPTR=y | ||
4607 | CONFIG_DRM_NOUVEAU=m | ||
4608 | CONFIG_NOUVEAU_DEBUG=5 | ||
4609 | CONFIG_NOUVEAU_DEBUG_DEFAULT=3 | ||
4610 | CONFIG_DRM_NOUVEAU_BACKLIGHT=y | ||
4611 | # CONFIG_DRM_I810 is not set | ||
4612 | CONFIG_DRM_I915=m | ||
4613 | # CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set | ||
4614 | CONFIG_DRM_MGA=m | ||
4615 | CONFIG_DRM_SIS=m | ||
4616 | CONFIG_DRM_VIA=m | ||
4617 | CONFIG_DRM_SAVAGE=m | ||
4618 | CONFIG_DRM_VGEM=m | ||
4619 | CONFIG_DRM_VMWGFX=m | ||
4620 | CONFIG_DRM_VMWGFX_FBCON=y | ||
4621 | CONFIG_DRM_GMA500=m | ||
4622 | CONFIG_DRM_GMA600=y | ||
4623 | CONFIG_DRM_GMA3600=y | ||
4624 | CONFIG_DRM_UDL=m | ||
4625 | CONFIG_DRM_AST=m | ||
4626 | CONFIG_DRM_MGAG200=m | ||
4627 | CONFIG_DRM_CIRRUS_QEMU=m | ||
4628 | CONFIG_DRM_QXL=m | ||
4629 | CONFIG_DRM_BOCHS=m | ||
4630 | CONFIG_DRM_VIRTIO_GPU=m | ||
4631 | CONFIG_DRM_PANEL=y | ||
4632 | |||
4633 | # | ||
4634 | # Display Panels | ||
4635 | # | ||
4636 | CONFIG_DRM_BRIDGE=y | ||
4637 | |||
4638 | # | ||
4639 | # Display Interface Bridges | ||
4640 | # | ||
4641 | CONFIG_HSA_AMD=m | ||
4642 | |||
4643 | # | ||
4644 | # Frame buffer Devices | ||
4645 | # | ||
4646 | CONFIG_FB=y | ||
4647 | CONFIG_FIRMWARE_EDID=y | ||
4648 | CONFIG_FB_CMDLINE=y | ||
4649 | CONFIG_FB_DDC=m | ||
4650 | CONFIG_FB_BOOT_VESA_SUPPORT=y | ||
4651 | CONFIG_FB_CFB_FILLRECT=y | ||
4652 | CONFIG_FB_CFB_COPYAREA=y | ||
4653 | CONFIG_FB_CFB_IMAGEBLIT=y | ||
4654 | # CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set | ||
4655 | CONFIG_FB_SYS_FILLRECT=m | ||
4656 | CONFIG_FB_SYS_COPYAREA=m | ||
4657 | CONFIG_FB_SYS_IMAGEBLIT=m | ||
4658 | # CONFIG_FB_FOREIGN_ENDIAN is not set | ||
4659 | CONFIG_FB_SYS_FOPS=m | ||
4660 | CONFIG_FB_DEFERRED_IO=y | ||
4661 | CONFIG_FB_HECUBA=m | ||
4662 | CONFIG_FB_SVGALIB=m | ||
4663 | # CONFIG_FB_MACMODES is not set | ||
4664 | CONFIG_FB_BACKLIGHT=y | ||
4665 | CONFIG_FB_MODE_HELPERS=y | ||
4666 | CONFIG_FB_TILEBLITTING=y | ||
4667 | |||
4668 | # | ||
4669 | # Frame buffer hardware drivers | ||
4670 | # | ||
4671 | CONFIG_FB_CIRRUS=m | ||
4672 | CONFIG_FB_PM2=m | ||
4673 | CONFIG_FB_PM2_FIFO_DISCONNECT=y | ||
4674 | CONFIG_FB_CYBER2000=m | ||
4675 | CONFIG_FB_CYBER2000_DDC=y | ||
4676 | CONFIG_FB_ARC=m | ||
4677 | # CONFIG_FB_ASILIANT is not set | ||
4678 | # CONFIG_FB_IMSTT is not set | ||
4679 | CONFIG_FB_VGA16=m | ||
4680 | CONFIG_FB_UVESA=m | ||
4681 | CONFIG_FB_VESA=y | ||
4682 | CONFIG_FB_EFI=y | ||
4683 | CONFIG_FB_N411=m | ||
4684 | CONFIG_FB_HGA=m | ||
4685 | # CONFIG_FB_OPENCORES is not set | ||
4686 | # CONFIG_FB_S1D13XXX is not set | ||
4687 | # CONFIG_FB_I740 is not set | ||
4688 | CONFIG_FB_LE80578=m | ||
4689 | CONFIG_FB_CARILLO_RANCH=m | ||
4690 | # CONFIG_FB_INTEL is not set | ||
4691 | CONFIG_FB_MATROX=m | ||
4692 | CONFIG_FB_MATROX_MILLENIUM=y | ||
4693 | CONFIG_FB_MATROX_MYSTIQUE=y | ||
4694 | CONFIG_FB_MATROX_G=y | ||
4695 | CONFIG_FB_MATROX_I2C=m | ||
4696 | CONFIG_FB_MATROX_MAVEN=m | ||
4697 | CONFIG_FB_RADEON=m | ||
4698 | CONFIG_FB_RADEON_I2C=y | ||
4699 | CONFIG_FB_RADEON_BACKLIGHT=y | ||
4700 | # CONFIG_FB_RADEON_DEBUG is not set | ||
4701 | CONFIG_FB_ATY128=m | ||
4702 | CONFIG_FB_ATY128_BACKLIGHT=y | ||
4703 | CONFIG_FB_ATY=m | ||
4704 | CONFIG_FB_ATY_CT=y | ||
4705 | # CONFIG_FB_ATY_GENERIC_LCD is not set | ||
4706 | CONFIG_FB_ATY_GX=y | ||
4707 | CONFIG_FB_ATY_BACKLIGHT=y | ||
4708 | CONFIG_FB_S3=m | ||
4709 | CONFIG_FB_S3_DDC=y | ||
4710 | CONFIG_FB_SAVAGE=m | ||
4711 | # CONFIG_FB_SAVAGE_I2C is not set | ||
4712 | # CONFIG_FB_SAVAGE_ACCEL is not set | ||
4713 | CONFIG_FB_SIS=m | ||
4714 | CONFIG_FB_SIS_300=y | ||
4715 | CONFIG_FB_SIS_315=y | ||
4716 | CONFIG_FB_VIA=m | ||
4717 | # CONFIG_FB_VIA_DIRECT_PROCFS is not set | ||
4718 | CONFIG_FB_VIA_X_COMPATIBILITY=y | ||
4719 | CONFIG_FB_NEOMAGIC=m | ||
4720 | CONFIG_FB_KYRO=m | ||
4721 | CONFIG_FB_3DFX=m | ||
4722 | # CONFIG_FB_3DFX_ACCEL is not set | ||
4723 | CONFIG_FB_3DFX_I2C=y | ||
4724 | CONFIG_FB_VOODOO1=m | ||
4725 | CONFIG_FB_VT8623=m | ||
4726 | CONFIG_FB_TRIDENT=m | ||
4727 | CONFIG_FB_ARK=m | ||
4728 | CONFIG_FB_PM3=m | ||
4729 | # CONFIG_FB_CARMINE is not set | ||
4730 | CONFIG_FB_SMSCUFX=m | ||
4731 | CONFIG_FB_UDL=m | ||
4732 | # CONFIG_FB_IBM_GXT4500 is not set | ||
4733 | CONFIG_FB_VIRTUAL=m | ||
4734 | # CONFIG_FB_METRONOME is not set | ||
4735 | CONFIG_FB_MB862XX=m | ||
4736 | CONFIG_FB_MB862XX_PCI_GDC=y | ||
4737 | CONFIG_FB_MB862XX_I2C=y | ||
4738 | # CONFIG_FB_BROADSHEET is not set | ||
4739 | # CONFIG_FB_AUO_K190X is not set | ||
4740 | CONFIG_FB_HYPERV=m | ||
4741 | CONFIG_FB_SIMPLE=y | ||
4742 | # CONFIG_FB_SM712 is not set | ||
4743 | CONFIG_BACKLIGHT_LCD_SUPPORT=y | ||
4744 | # CONFIG_LCD_CLASS_DEVICE is not set | ||
4745 | CONFIG_BACKLIGHT_CLASS_DEVICE=y | ||
4746 | # CONFIG_BACKLIGHT_GENERIC is not set | ||
4747 | CONFIG_BACKLIGHT_APPLE=m | ||
4748 | # CONFIG_BACKLIGHT_PM8941_WLED is not set | ||
4749 | # CONFIG_BACKLIGHT_SAHARA is not set | ||
4750 | # CONFIG_BACKLIGHT_ADP8860 is not set | ||
4751 | # CONFIG_BACKLIGHT_ADP8870 is not set | ||
4752 | # CONFIG_BACKLIGHT_LM3639 is not set | ||
4753 | # CONFIG_BACKLIGHT_GPIO is not set | ||
4754 | # CONFIG_BACKLIGHT_LV5207LP is not set | ||
4755 | # CONFIG_BACKLIGHT_BD6107 is not set | ||
4756 | CONFIG_VGASTATE=m | ||
4757 | CONFIG_HDMI=y | ||
4758 | |||
4759 | # | ||
4760 | # Console display driver support | ||
4761 | # | ||
4762 | CONFIG_VGA_CONSOLE=y | ||
4763 | # CONFIG_VGACON_SOFT_SCROLLBACK is not set | ||
4764 | CONFIG_DUMMY_CONSOLE=y | ||
4765 | CONFIG_DUMMY_CONSOLE_COLUMNS=80 | ||
4766 | CONFIG_DUMMY_CONSOLE_ROWS=25 | ||
4767 | CONFIG_FRAMEBUFFER_CONSOLE=y | ||
4768 | CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y | ||
4769 | CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y | ||
4770 | # CONFIG_LOGO is not set | ||
4771 | CONFIG_SOUND=m | ||
4772 | CONFIG_SOUND_OSS_CORE=y | ||
4773 | # CONFIG_SOUND_OSS_CORE_PRECLAIM is not set | ||
4774 | CONFIG_SND=m | ||
4775 | CONFIG_SND_TIMER=m | ||
4776 | CONFIG_SND_PCM=m | ||
4777 | CONFIG_SND_HWDEP=m | ||
4778 | CONFIG_SND_RAWMIDI=m | ||
4779 | CONFIG_SND_JACK=y | ||
4780 | CONFIG_SND_SEQUENCER=m | ||
4781 | CONFIG_SND_SEQ_DUMMY=m | ||
4782 | CONFIG_SND_OSSEMUL=y | ||
4783 | CONFIG_SND_MIXER_OSS=m | ||
4784 | CONFIG_SND_PCM_OSS=m | ||
4785 | CONFIG_SND_PCM_OSS_PLUGINS=y | ||
4786 | CONFIG_SND_PCM_TIMER=y | ||
4787 | # CONFIG_SND_SEQUENCER_OSS is not set | ||
4788 | CONFIG_SND_HRTIMER=m | ||
4789 | CONFIG_SND_SEQ_HRTIMER_DEFAULT=y | ||
4790 | CONFIG_SND_DYNAMIC_MINORS=y | ||
4791 | CONFIG_SND_MAX_CARDS=32 | ||
4792 | CONFIG_SND_SUPPORT_OLD_API=y | ||
4793 | CONFIG_SND_PROC_FS=y | ||
4794 | CONFIG_SND_VERBOSE_PROCFS=y | ||
4795 | # CONFIG_SND_VERBOSE_PRINTK is not set | ||
4796 | # CONFIG_SND_DEBUG is not set | ||
4797 | CONFIG_SND_VMASTER=y | ||
4798 | CONFIG_SND_DMA_SGBUF=y | ||
4799 | CONFIG_SND_RAWMIDI_SEQ=m | ||
4800 | CONFIG_SND_OPL3_LIB_SEQ=m | ||
4801 | # CONFIG_SND_OPL4_LIB_SEQ is not set | ||
4802 | # CONFIG_SND_SBAWE_SEQ is not set | ||
4803 | # CONFIG_SND_EMU10K1_SEQ is not set | ||
4804 | CONFIG_SND_MPU401_UART=m | ||
4805 | CONFIG_SND_OPL3_LIB=m | ||
4806 | CONFIG_SND_VX_LIB=m | ||
4807 | CONFIG_SND_AC97_CODEC=m | ||
4808 | CONFIG_SND_DRIVERS=y | ||
4809 | CONFIG_SND_PCSP=m | ||
4810 | CONFIG_SND_DUMMY=m | ||
4811 | CONFIG_SND_ALOOP=m | ||
4812 | CONFIG_SND_VIRMIDI=m | ||
4813 | CONFIG_SND_MTPAV=m | ||
4814 | CONFIG_SND_MTS64=m | ||
4815 | CONFIG_SND_SERIAL_U16550=m | ||
4816 | CONFIG_SND_MPU401=m | ||
4817 | CONFIG_SND_PORTMAN2X4=m | ||
4818 | CONFIG_SND_AC97_POWER_SAVE=y | ||
4819 | CONFIG_SND_AC97_POWER_SAVE_DEFAULT=0 | ||
4820 | CONFIG_SND_SB_COMMON=m | ||
4821 | CONFIG_SND_PCI=y | ||
4822 | CONFIG_SND_AD1889=m | ||
4823 | CONFIG_SND_ALS4000=m | ||
4824 | CONFIG_SND_ASIHPI=m | ||
4825 | CONFIG_SND_ATIIXP=m | ||
4826 | CONFIG_SND_ATIIXP_MODEM=m | ||
4827 | CONFIG_SND_AU8810=m | ||
4828 | CONFIG_SND_AU8820=m | ||
4829 | CONFIG_SND_AU8830=m | ||
4830 | # CONFIG_SND_AW2 is not set | ||
4831 | CONFIG_SND_BT87X=m | ||
4832 | # CONFIG_SND_BT87X_OVERCLOCK is not set | ||
4833 | CONFIG_SND_CA0106=m | ||
4834 | CONFIG_SND_CMIPCI=m | ||
4835 | CONFIG_SND_OXYGEN_LIB=m | ||
4836 | CONFIG_SND_OXYGEN=m | ||
4837 | CONFIG_SND_CS4281=m | ||
4838 | CONFIG_SND_CS46XX=m | ||
4839 | CONFIG_SND_CS46XX_NEW_DSP=y | ||
4840 | CONFIG_SND_CTXFI=m | ||
4841 | CONFIG_SND_DARLA20=m | ||
4842 | CONFIG_SND_GINA20=m | ||
4843 | CONFIG_SND_LAYLA20=m | ||
4844 | CONFIG_SND_DARLA24=m | ||
4845 | CONFIG_SND_GINA24=m | ||
4846 | CONFIG_SND_LAYLA24=m | ||
4847 | CONFIG_SND_MONA=m | ||
4848 | CONFIG_SND_MIA=m | ||
4849 | CONFIG_SND_ECHO3G=m | ||
4850 | CONFIG_SND_INDIGO=m | ||
4851 | CONFIG_SND_INDIGOIO=m | ||
4852 | CONFIG_SND_INDIGODJ=m | ||
4853 | CONFIG_SND_INDIGOIOX=m | ||
4854 | CONFIG_SND_INDIGODJX=m | ||
4855 | CONFIG_SND_ENS1370=m | ||
4856 | CONFIG_SND_ENS1371=m | ||
4857 | CONFIG_SND_FM801=m | ||
4858 | CONFIG_SND_FM801_TEA575X_BOOL=y | ||
4859 | CONFIG_SND_HDSP=m | ||
4860 | CONFIG_SND_HDSPM=m | ||
4861 | CONFIG_SND_ICE1724=m | ||
4862 | CONFIG_SND_INTEL8X0=m | ||
4863 | CONFIG_SND_INTEL8X0M=m | ||
4864 | CONFIG_SND_KORG1212=m | ||
4865 | CONFIG_SND_LOLA=m | ||
4866 | CONFIG_SND_LX6464ES=m | ||
4867 | CONFIG_SND_MIXART=m | ||
4868 | CONFIG_SND_NM256=m | ||
4869 | CONFIG_SND_PCXHR=m | ||
4870 | CONFIG_SND_RIPTIDE=m | ||
4871 | CONFIG_SND_RME32=m | ||
4872 | CONFIG_SND_RME96=m | ||
4873 | CONFIG_SND_RME9652=m | ||
4874 | CONFIG_SND_VIA82XX=m | ||
4875 | CONFIG_SND_VIA82XX_MODEM=m | ||
4876 | CONFIG_SND_VIRTUOSO=m | ||
4877 | CONFIG_SND_VX222=m | ||
4878 | CONFIG_SND_YMFPCI=m | ||
4879 | |||
4880 | # | ||
4881 | # HD-Audio | ||
4882 | # | ||
4883 | CONFIG_SND_HDA=m | ||
4884 | CONFIG_SND_HDA_INTEL=m | ||
4885 | CONFIG_SND_HDA_HWDEP=y | ||
4886 | CONFIG_SND_HDA_RECONFIG=y | ||
4887 | CONFIG_SND_HDA_INPUT_BEEP=y | ||
4888 | CONFIG_SND_HDA_INPUT_BEEP_MODE=1 | ||
4889 | CONFIG_SND_HDA_PATCH_LOADER=y | ||
4890 | CONFIG_SND_HDA_CODEC_REALTEK=m | ||
4891 | CONFIG_SND_HDA_CODEC_ANALOG=m | ||
4892 | CONFIG_SND_HDA_CODEC_SIGMATEL=m | ||
4893 | CONFIG_SND_HDA_CODEC_VIA=m | ||
4894 | CONFIG_SND_HDA_CODEC_HDMI=m | ||
4895 | CONFIG_SND_HDA_CODEC_CIRRUS=m | ||
4896 | CONFIG_SND_HDA_CODEC_CONEXANT=m | ||
4897 | CONFIG_SND_HDA_CODEC_CA0110=m | ||
4898 | CONFIG_SND_HDA_CODEC_CA0132=m | ||
4899 | CONFIG_SND_HDA_CODEC_CA0132_DSP=y | ||
4900 | CONFIG_SND_HDA_CODEC_CMEDIA=m | ||
4901 | CONFIG_SND_HDA_CODEC_SI3054=m | ||
4902 | CONFIG_SND_HDA_GENERIC=m | ||
4903 | CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 | ||
4904 | CONFIG_SND_HDA_CORE=m | ||
4905 | CONFIG_SND_HDA_DSP_LOADER=y | ||
4906 | CONFIG_SND_HDA_I915=y | ||
4907 | CONFIG_SND_HDA_PREALLOC_SIZE=64 | ||
4908 | CONFIG_SND_SPI=y | ||
4909 | CONFIG_SND_USB=y | ||
4910 | CONFIG_SND_USB_AUDIO=m | ||
4911 | CONFIG_SND_USB_UA101=m | ||
4912 | CONFIG_SND_USB_USX2Y=m | ||
4913 | CONFIG_SND_USB_CAIAQ=m | ||
4914 | CONFIG_SND_USB_CAIAQ_INPUT=y | ||
4915 | CONFIG_SND_USB_US122L=m | ||
4916 | CONFIG_SND_USB_6FIRE=m | ||
4917 | CONFIG_SND_USB_HIFACE=m | ||
4918 | CONFIG_SND_BCD2000=m | ||
4919 | CONFIG_SND_USB_LINE6=m | ||
4920 | CONFIG_SND_USB_POD=m | ||
4921 | CONFIG_SND_USB_PODHD=m | ||
4922 | CONFIG_SND_USB_TONEPORT=m | ||
4923 | CONFIG_SND_USB_VARIAX=m | ||
4924 | CONFIG_SND_FIREWIRE=y | ||
4925 | CONFIG_SND_FIREWIRE_LIB=m | ||
4926 | CONFIG_SND_DICE=m | ||
4927 | CONFIG_SND_OXFW=m | ||
4928 | CONFIG_SND_ISIGHT=m | ||
4929 | CONFIG_SND_SCS1X=m | ||
4930 | CONFIG_SND_FIREWORKS=m | ||
4931 | CONFIG_SND_BEBOB=m | ||
4932 | CONFIG_SND_FIREWIRE_DIGI00X=m | ||
4933 | CONFIG_SND_FIREWIRE_TASCAM=m | ||
4934 | CONFIG_SND_PCMCIA=y | ||
4935 | CONFIG_SND_VXPOCKET=m | ||
4936 | CONFIG_SND_PDAUDIOCF=m | ||
4937 | CONFIG_SND_SOC=m | ||
4938 | # CONFIG_SND_ATMEL_SOC is not set | ||
4939 | # CONFIG_SND_DESIGNWARE_I2S is not set | ||
4940 | |||
4941 | # | ||
4942 | # SoC Audio for Freescale CPUs | ||
4943 | # | ||
4944 | |||
4945 | # | ||
4946 | # Common SoC Audio options for Freescale CPUs: | ||
4947 | # | ||
4948 | # CONFIG_SND_SOC_FSL_ASRC is not set | ||
4949 | # CONFIG_SND_SOC_FSL_SAI is not set | ||
4950 | # CONFIG_SND_SOC_FSL_SSI is not set | ||
4951 | # CONFIG_SND_SOC_FSL_SPDIF is not set | ||
4952 | # CONFIG_SND_SOC_FSL_ESAI is not set | ||
4953 | # CONFIG_SND_SOC_IMX_AUDMUX is not set | ||
4954 | CONFIG_SND_SOC_INTEL_SST=m | ||
4955 | CONFIG_SND_SOC_INTEL_SST_ACPI=m | ||
4956 | CONFIG_SND_SOC_INTEL_HASWELL=m | ||
4957 | CONFIG_SND_SOC_INTEL_BAYTRAIL=m | ||
4958 | CONFIG_SND_SOC_INTEL_HASWELL_MACH=m | ||
4959 | CONFIG_SND_SOC_INTEL_BYT_RT5640_MACH=m | ||
4960 | CONFIG_SND_SOC_INTEL_BYT_MAX98090_MACH=m | ||
4961 | CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m | ||
4962 | # CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH is not set | ||
4963 | # CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH is not set | ||
4964 | # CONFIG_SND_SOC_INTEL_CHT_BSW_RT5645_MACH is not set | ||
4965 | # CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH is not set | ||
4966 | # CONFIG_SND_SOC_INTEL_SKL_RT286_MACH is not set | ||
4967 | |||
4968 | # | ||
4969 | # Allwinner SoC Audio support | ||
4970 | # | ||
4971 | # CONFIG_SND_SUN4I_CODEC is not set | ||
4972 | # CONFIG_SND_SOC_XTFPGA_I2S is not set | ||
4973 | CONFIG_SND_SOC_I2C_AND_SPI=m | ||
4974 | |||
4975 | # | ||
4976 | # CODEC drivers | ||
4977 | # | ||
4978 | # CONFIG_SND_SOC_AC97_CODEC is not set | ||
4979 | # CONFIG_SND_SOC_ADAU1701 is not set | ||
4980 | # CONFIG_SND_SOC_AK4104 is not set | ||
4981 | # CONFIG_SND_SOC_AK4554 is not set | ||
4982 | # CONFIG_SND_SOC_AK4613 is not set | ||
4983 | # CONFIG_SND_SOC_AK4642 is not set | ||
4984 | # CONFIG_SND_SOC_AK5386 is not set | ||
4985 | # CONFIG_SND_SOC_ALC5623 is not set | ||
4986 | # CONFIG_SND_SOC_CS35L32 is not set | ||
4987 | # CONFIG_SND_SOC_CS42L51_I2C is not set | ||
4988 | # CONFIG_SND_SOC_CS42L52 is not set | ||
4989 | # CONFIG_SND_SOC_CS42L56 is not set | ||
4990 | # CONFIG_SND_SOC_CS42L73 is not set | ||
4991 | # CONFIG_SND_SOC_CS4265 is not set | ||
4992 | # CONFIG_SND_SOC_CS4270 is not set | ||
4993 | # CONFIG_SND_SOC_CS4271_I2C is not set | ||
4994 | # CONFIG_SND_SOC_CS4271_SPI is not set | ||
4995 | # CONFIG_SND_SOC_CS42XX8_I2C is not set | ||
4996 | # CONFIG_SND_SOC_CS4349 is not set | ||
4997 | # CONFIG_SND_SOC_ES8328 is not set | ||
4998 | # CONFIG_SND_SOC_GTM601 is not set | ||
4999 | CONFIG_SND_SOC_MAX98090=m | ||
5000 | # CONFIG_SND_SOC_PCM1681 is not set | ||
5001 | # CONFIG_SND_SOC_PCM1792A is not set | ||
5002 | # CONFIG_SND_SOC_PCM512x_I2C is not set | ||
5003 | # CONFIG_SND_SOC_PCM512x_SPI is not set | ||
5004 | CONFIG_SND_SOC_RL6231=m | ||
5005 | CONFIG_SND_SOC_RL6347A=m | ||
5006 | CONFIG_SND_SOC_RT286=m | ||
5007 | # CONFIG_SND_SOC_RT5631 is not set | ||
5008 | CONFIG_SND_SOC_RT5640=m | ||
5009 | # CONFIG_SND_SOC_RT5677_SPI is not set | ||
5010 | # CONFIG_SND_SOC_SGTL5000 is not set | ||
5011 | # CONFIG_SND_SOC_SIRF_AUDIO_CODEC is not set | ||
5012 | # CONFIG_SND_SOC_SPDIF is not set | ||
5013 | # CONFIG_SND_SOC_SSM2602_SPI is not set | ||
5014 | # CONFIG_SND_SOC_SSM2602_I2C is not set | ||
5015 | # CONFIG_SND_SOC_SSM4567 is not set | ||
5016 | # CONFIG_SND_SOC_STA32X is not set | ||
5017 | # CONFIG_SND_SOC_STA350 is not set | ||
5018 | # CONFIG_SND_SOC_STI_SAS is not set | ||
5019 | # CONFIG_SND_SOC_TAS2552 is not set | ||
5020 | # CONFIG_SND_SOC_TAS5086 is not set | ||
5021 | # CONFIG_SND_SOC_TAS571X is not set | ||
5022 | # CONFIG_SND_SOC_TFA9879 is not set | ||
5023 | # CONFIG_SND_SOC_TLV320AIC23_I2C is not set | ||
5024 | # CONFIG_SND_SOC_TLV320AIC23_SPI is not set | ||
5025 | # CONFIG_SND_SOC_TLV320AIC31XX is not set | ||
5026 | # CONFIG_SND_SOC_TLV320AIC3X is not set | ||
5027 | # CONFIG_SND_SOC_TS3A227E is not set | ||
5028 | # CONFIG_SND_SOC_WM8510 is not set | ||
5029 | # CONFIG_SND_SOC_WM8523 is not set | ||
5030 | # CONFIG_SND_SOC_WM8580 is not set | ||
5031 | # CONFIG_SND_SOC_WM8711 is not set | ||
5032 | # CONFIG_SND_SOC_WM8728 is not set | ||
5033 | # CONFIG_SND_SOC_WM8731 is not set | ||
5034 | # CONFIG_SND_SOC_WM8737 is not set | ||
5035 | # CONFIG_SND_SOC_WM8741 is not set | ||
5036 | # CONFIG_SND_SOC_WM8750 is not set | ||
5037 | # CONFIG_SND_SOC_WM8753 is not set | ||
5038 | # CONFIG_SND_SOC_WM8770 is not set | ||
5039 | # CONFIG_SND_SOC_WM8776 is not set | ||
5040 | # CONFIG_SND_SOC_WM8804_I2C is not set | ||
5041 | # CONFIG_SND_SOC_WM8804_SPI is not set | ||
5042 | # CONFIG_SND_SOC_WM8903 is not set | ||
5043 | # CONFIG_SND_SOC_WM8962 is not set | ||
5044 | # CONFIG_SND_SOC_WM8978 is not set | ||
5045 | # CONFIG_SND_SOC_TPA6130A2 is not set | ||
5046 | # CONFIG_SND_SIMPLE_CARD is not set | ||
5047 | # CONFIG_SOUND_PRIME is not set | ||
5048 | CONFIG_AC97_BUS=m | ||
5049 | |||
5050 | # | ||
5051 | # HID support | ||
5052 | # | ||
5053 | CONFIG_HID=m | ||
5054 | CONFIG_HID_BATTERY_STRENGTH=y | ||
5055 | CONFIG_HIDRAW=y | ||
5056 | CONFIG_UHID=m | ||
5057 | CONFIG_HID_GENERIC=m | ||
5058 | |||
5059 | # | ||
5060 | # Special HID drivers | ||
5061 | # | ||
5062 | CONFIG_HID_A4TECH=m | ||
5063 | CONFIG_HID_ACRUX=m | ||
5064 | CONFIG_HID_ACRUX_FF=y | ||
5065 | CONFIG_HID_APPLE=m | ||
5066 | CONFIG_HID_APPLEIR=m | ||
5067 | CONFIG_HID_AUREAL=m | ||
5068 | CONFIG_HID_BELKIN=m | ||
5069 | CONFIG_HID_BETOP_FF=m | ||
5070 | CONFIG_HID_CHERRY=m | ||
5071 | CONFIG_HID_CHICONY=m | ||
5072 | CONFIG_HID_CORSAIR=m | ||
5073 | CONFIG_HID_PRODIKEYS=m | ||
5074 | CONFIG_HID_CP2112=m | ||
5075 | CONFIG_HID_CYPRESS=m | ||
5076 | CONFIG_HID_DRAGONRISE=m | ||
5077 | CONFIG_DRAGONRISE_FF=y | ||
5078 | CONFIG_HID_EMS_FF=m | ||
5079 | CONFIG_HID_ELECOM=m | ||
5080 | CONFIG_HID_ELO=m | ||
5081 | CONFIG_HID_EZKEY=m | ||
5082 | CONFIG_HID_GEMBIRD=m | ||
5083 | # CONFIG_HID_GFRM is not set | ||
5084 | CONFIG_HID_HOLTEK=m | ||
5085 | CONFIG_HOLTEK_FF=y | ||
5086 | # CONFIG_HID_GT683R is not set | ||
5087 | CONFIG_HID_KEYTOUCH=m | ||
5088 | CONFIG_HID_KYE=m | ||
5089 | CONFIG_HID_UCLOGIC=m | ||
5090 | CONFIG_HID_WALTOP=m | ||
5091 | CONFIG_HID_GYRATION=m | ||
5092 | CONFIG_HID_ICADE=m | ||
5093 | CONFIG_HID_TWINHAN=m | ||
5094 | CONFIG_HID_KENSINGTON=m | ||
5095 | CONFIG_HID_LCPOWER=m | ||
5096 | CONFIG_HID_LENOVO=m | ||
5097 | CONFIG_HID_LOGITECH=m | ||
5098 | CONFIG_HID_LOGITECH_DJ=m | ||
5099 | CONFIG_HID_LOGITECH_HIDPP=m | ||
5100 | CONFIG_LOGITECH_FF=y | ||
5101 | CONFIG_LOGIRUMBLEPAD2_FF=y | ||
5102 | CONFIG_LOGIG940_FF=y | ||
5103 | CONFIG_LOGIWHEELS_FF=y | ||
5104 | CONFIG_HID_MAGICMOUSE=m | ||
5105 | CONFIG_HID_MICROSOFT=m | ||
5106 | CONFIG_HID_MONTEREY=m | ||
5107 | CONFIG_HID_MULTITOUCH=m | ||
5108 | CONFIG_HID_NTRIG=m | ||
5109 | CONFIG_HID_ORTEK=m | ||
5110 | CONFIG_HID_PANTHERLORD=m | ||
5111 | CONFIG_PANTHERLORD_FF=y | ||
5112 | CONFIG_HID_PENMOUNT=m | ||
5113 | CONFIG_HID_PETALYNX=m | ||
5114 | CONFIG_HID_PICOLCD=m | ||
5115 | CONFIG_HID_PICOLCD_FB=y | ||
5116 | CONFIG_HID_PICOLCD_BACKLIGHT=y | ||
5117 | CONFIG_HID_PICOLCD_LEDS=y | ||
5118 | CONFIG_HID_PICOLCD_CIR=y | ||
5119 | CONFIG_HID_PLANTRONICS=m | ||
5120 | CONFIG_HID_PRIMAX=m | ||
5121 | CONFIG_HID_ROCCAT=m | ||
5122 | CONFIG_HID_SAITEK=m | ||
5123 | CONFIG_HID_SAMSUNG=m | ||
5124 | CONFIG_HID_SONY=m | ||
5125 | CONFIG_SONY_FF=y | ||
5126 | CONFIG_HID_SPEEDLINK=m | ||
5127 | CONFIG_HID_STEELSERIES=m | ||
5128 | CONFIG_HID_SUNPLUS=m | ||
5129 | CONFIG_HID_RMI=m | ||
5130 | CONFIG_HID_GREENASIA=m | ||
5131 | CONFIG_GREENASIA_FF=y | ||
5132 | CONFIG_HID_HYPERV_MOUSE=m | ||
5133 | CONFIG_HID_SMARTJOYPLUS=m | ||
5134 | CONFIG_SMARTJOYPLUS_FF=y | ||
5135 | CONFIG_HID_TIVO=m | ||
5136 | CONFIG_HID_TOPSEED=m | ||
5137 | CONFIG_HID_THINGM=m | ||
5138 | CONFIG_HID_THRUSTMASTER=m | ||
5139 | CONFIG_THRUSTMASTER_FF=y | ||
5140 | CONFIG_HID_WACOM=m | ||
5141 | CONFIG_HID_WIIMOTE=m | ||
5142 | CONFIG_HID_XINMO=m | ||
5143 | CONFIG_HID_ZEROPLUS=m | ||
5144 | CONFIG_ZEROPLUS_FF=y | ||
5145 | CONFIG_HID_ZYDACRON=m | ||
5146 | CONFIG_HID_SENSOR_HUB=m | ||
5147 | # CONFIG_HID_SENSOR_CUSTOM_SENSOR is not set | ||
5148 | |||
5149 | # | ||
5150 | # USB HID support | ||
5151 | # | ||
5152 | CONFIG_USB_HID=m | ||
5153 | CONFIG_HID_PID=y | ||
5154 | CONFIG_USB_HIDDEV=y | ||
5155 | |||
5156 | # | ||
5157 | # USB HID Boot Protocol drivers | ||
5158 | # | ||
5159 | # CONFIG_USB_KBD is not set | ||
5160 | # CONFIG_USB_MOUSE is not set | ||
5161 | |||
5162 | # | ||
5163 | # I2C HID support | ||
5164 | # | ||
5165 | CONFIG_I2C_HID=m | ||
5166 | CONFIG_USB_OHCI_LITTLE_ENDIAN=y | ||
5167 | CONFIG_USB_SUPPORT=y | ||
5168 | CONFIG_USB_COMMON=m | ||
5169 | CONFIG_USB_ARCH_HAS_HCD=y | ||
5170 | CONFIG_USB=m | ||
5171 | CONFIG_USB_ANNOUNCE_NEW_DEVICES=y | ||
5172 | |||
5173 | # | ||
5174 | # Miscellaneous USB options | ||
5175 | # | ||
5176 | CONFIG_USB_DEFAULT_PERSIST=y | ||
5177 | CONFIG_USB_DYNAMIC_MINORS=y | ||
5178 | # CONFIG_USB_OTG is not set | ||
5179 | # CONFIG_USB_OTG_WHITELIST is not set | ||
5180 | # CONFIG_USB_OTG_BLACKLIST_HUB is not set | ||
5181 | # CONFIG_USB_ULPI_BUS is not set | ||
5182 | CONFIG_USB_MON=m | ||
5183 | CONFIG_USB_WUSB=m | ||
5184 | CONFIG_USB_WUSB_CBAF=m | ||
5185 | # CONFIG_USB_WUSB_CBAF_DEBUG is not set | ||
5186 | |||
5187 | # | ||
5188 | # USB Host Controller Drivers | ||
5189 | # | ||
5190 | # CONFIG_USB_C67X00_HCD is not set | ||
5191 | CONFIG_USB_XHCI_HCD=m | ||
5192 | CONFIG_USB_XHCI_PCI=m | ||
5193 | # CONFIG_USB_XHCI_PLATFORM is not set | ||
5194 | CONFIG_USB_EHCI_HCD=m | ||
5195 | CONFIG_USB_EHCI_ROOT_HUB_TT=y | ||
5196 | CONFIG_USB_EHCI_TT_NEWSCHED=y | ||
5197 | CONFIG_USB_EHCI_PCI=m | ||
5198 | # CONFIG_USB_EHCI_HCD_PLATFORM is not set | ||
5199 | # CONFIG_USB_OXU210HP_HCD is not set | ||
5200 | # CONFIG_USB_ISP116X_HCD is not set | ||
5201 | # CONFIG_USB_ISP1362_HCD is not set | ||
5202 | # CONFIG_USB_FOTG210_HCD is not set | ||
5203 | # CONFIG_USB_MAX3421_HCD is not set | ||
5204 | CONFIG_USB_OHCI_HCD=m | ||
5205 | CONFIG_USB_OHCI_HCD_PCI=m | ||
5206 | # CONFIG_USB_OHCI_HCD_SSB is not set | ||
5207 | # CONFIG_USB_OHCI_HCD_PLATFORM is not set | ||
5208 | CONFIG_USB_UHCI_HCD=m | ||
5209 | CONFIG_USB_U132_HCD=m | ||
5210 | CONFIG_USB_SL811_HCD=m | ||
5211 | # CONFIG_USB_SL811_HCD_ISO is not set | ||
5212 | CONFIG_USB_SL811_CS=m | ||
5213 | # CONFIG_USB_R8A66597_HCD is not set | ||
5214 | CONFIG_USB_WHCI_HCD=m | ||
5215 | CONFIG_USB_HWA_HCD=m | ||
5216 | # CONFIG_USB_HCD_BCMA is not set | ||
5217 | # CONFIG_USB_HCD_SSB is not set | ||
5218 | # CONFIG_USB_HCD_TEST_MODE is not set | ||
5219 | |||
5220 | # | ||
5221 | # USB Device Class drivers | ||
5222 | # | ||
5223 | CONFIG_USB_ACM=m | ||
5224 | CONFIG_USB_PRINTER=m | ||
5225 | CONFIG_USB_WDM=m | ||
5226 | CONFIG_USB_TMC=m | ||
5227 | |||
5228 | # | ||
5229 | # NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may | ||
5230 | # | ||
5231 | |||
5232 | # | ||
5233 | # also be needed; see USB_STORAGE Help for more info | ||
5234 | # | ||
5235 | CONFIG_USB_STORAGE=m | ||
5236 | # CONFIG_USB_STORAGE_DEBUG is not set | ||
5237 | CONFIG_USB_STORAGE_REALTEK=m | ||
5238 | CONFIG_REALTEK_AUTOPM=y | ||
5239 | CONFIG_USB_STORAGE_DATAFAB=m | ||
5240 | CONFIG_USB_STORAGE_FREECOM=m | ||
5241 | CONFIG_USB_STORAGE_ISD200=m | ||
5242 | CONFIG_USB_STORAGE_USBAT=m | ||
5243 | CONFIG_USB_STORAGE_SDDR09=m | ||
5244 | CONFIG_USB_STORAGE_SDDR55=m | ||
5245 | CONFIG_USB_STORAGE_JUMPSHOT=m | ||
5246 | CONFIG_USB_STORAGE_ALAUDA=m | ||
5247 | CONFIG_USB_STORAGE_ONETOUCH=m | ||
5248 | CONFIG_USB_STORAGE_KARMA=m | ||
5249 | CONFIG_USB_STORAGE_CYPRESS_ATACB=m | ||
5250 | CONFIG_USB_STORAGE_ENE_UB6250=m | ||
5251 | CONFIG_USB_UAS=m | ||
5252 | |||
5253 | # | ||
5254 | # USB Imaging devices | ||
5255 | # | ||
5256 | CONFIG_USB_MDC800=m | ||
5257 | CONFIG_USB_MICROTEK=m | ||
5258 | CONFIG_USBIP_CORE=m | ||
5259 | CONFIG_USBIP_VHCI_HCD=m | ||
5260 | CONFIG_USBIP_HOST=m | ||
5261 | # CONFIG_USBIP_DEBUG is not set | ||
5262 | # CONFIG_USB_MUSB_HDRC is not set | ||
5263 | # CONFIG_USB_DWC3 is not set | ||
5264 | # CONFIG_USB_DWC2 is not set | ||
5265 | # CONFIG_USB_CHIPIDEA is not set | ||
5266 | # CONFIG_USB_ISP1760 is not set | ||
5267 | |||
5268 | # | ||
5269 | # USB port drivers | ||
5270 | # | ||
5271 | CONFIG_USB_USS720=m | ||
5272 | CONFIG_USB_SERIAL=m | ||
5273 | CONFIG_USB_SERIAL_GENERIC=y | ||
5274 | CONFIG_USB_SERIAL_SIMPLE=m | ||
5275 | CONFIG_USB_SERIAL_AIRCABLE=m | ||
5276 | CONFIG_USB_SERIAL_ARK3116=m | ||
5277 | CONFIG_USB_SERIAL_BELKIN=m | ||
5278 | CONFIG_USB_SERIAL_CH341=m | ||
5279 | CONFIG_USB_SERIAL_WHITEHEAT=m | ||
5280 | CONFIG_USB_SERIAL_DIGI_ACCELEPORT=m | ||
5281 | CONFIG_USB_SERIAL_CP210X=m | ||
5282 | CONFIG_USB_SERIAL_CYPRESS_M8=m | ||
5283 | CONFIG_USB_SERIAL_EMPEG=m | ||
5284 | CONFIG_USB_SERIAL_FTDI_SIO=m | ||
5285 | CONFIG_USB_SERIAL_VISOR=m | ||
5286 | CONFIG_USB_SERIAL_IPAQ=m | ||
5287 | CONFIG_USB_SERIAL_IR=m | ||
5288 | CONFIG_USB_SERIAL_EDGEPORT=m | ||
5289 | CONFIG_USB_SERIAL_EDGEPORT_TI=m | ||
5290 | CONFIG_USB_SERIAL_F81232=m | ||
5291 | CONFIG_USB_SERIAL_GARMIN=m | ||
5292 | CONFIG_USB_SERIAL_IPW=m | ||
5293 | CONFIG_USB_SERIAL_IUU=m | ||
5294 | CONFIG_USB_SERIAL_KEYSPAN_PDA=m | ||
5295 | CONFIG_USB_SERIAL_KEYSPAN=m | ||
5296 | CONFIG_USB_SERIAL_KLSI=m | ||
5297 | CONFIG_USB_SERIAL_KOBIL_SCT=m | ||
5298 | CONFIG_USB_SERIAL_MCT_U232=m | ||
5299 | CONFIG_USB_SERIAL_METRO=m | ||
5300 | CONFIG_USB_SERIAL_MOS7720=m | ||
5301 | CONFIG_USB_SERIAL_MOS7715_PARPORT=y | ||
5302 | CONFIG_USB_SERIAL_MOS7840=m | ||
5303 | CONFIG_USB_SERIAL_MXUPORT=m | ||
5304 | CONFIG_USB_SERIAL_NAVMAN=m | ||
5305 | CONFIG_USB_SERIAL_PL2303=m | ||
5306 | CONFIG_USB_SERIAL_OTI6858=m | ||
5307 | CONFIG_USB_SERIAL_QCAUX=m | ||
5308 | CONFIG_USB_SERIAL_QUALCOMM=m | ||
5309 | CONFIG_USB_SERIAL_SPCP8X5=m | ||
5310 | CONFIG_USB_SERIAL_SAFE=m | ||
5311 | # CONFIG_USB_SERIAL_SAFE_PADDED is not set | ||
5312 | CONFIG_USB_SERIAL_SIERRAWIRELESS=m | ||
5313 | CONFIG_USB_SERIAL_SYMBOL=m | ||
5314 | CONFIG_USB_SERIAL_TI=m | ||
5315 | CONFIG_USB_SERIAL_CYBERJACK=m | ||
5316 | CONFIG_USB_SERIAL_XIRCOM=m | ||
5317 | CONFIG_USB_SERIAL_WWAN=m | ||
5318 | CONFIG_USB_SERIAL_OPTION=m | ||
5319 | CONFIG_USB_SERIAL_OMNINET=m | ||
5320 | CONFIG_USB_SERIAL_OPTICON=m | ||
5321 | CONFIG_USB_SERIAL_XSENS_MT=m | ||
5322 | CONFIG_USB_SERIAL_WISHBONE=m | ||
5323 | CONFIG_USB_SERIAL_SSU100=m | ||
5324 | CONFIG_USB_SERIAL_QT2=m | ||
5325 | CONFIG_USB_SERIAL_DEBUG=m | ||
5326 | |||
5327 | # | ||
5328 | # USB Miscellaneous drivers | ||
5329 | # | ||
5330 | CONFIG_USB_EMI62=m | ||
5331 | CONFIG_USB_EMI26=m | ||
5332 | CONFIG_USB_ADUTUX=m | ||
5333 | CONFIG_USB_SEVSEG=m | ||
5334 | CONFIG_USB_RIO500=m | ||
5335 | CONFIG_USB_LEGOTOWER=m | ||
5336 | CONFIG_USB_LCD=m | ||
5337 | CONFIG_USB_LED=m | ||
5338 | CONFIG_USB_CYPRESS_CY7C63=m | ||
5339 | CONFIG_USB_CYTHERM=m | ||
5340 | CONFIG_USB_IDMOUSE=m | ||
5341 | CONFIG_USB_FTDI_ELAN=m | ||
5342 | CONFIG_USB_APPLEDISPLAY=m | ||
5343 | CONFIG_USB_SISUSBVGA=m | ||
5344 | CONFIG_USB_SISUSBVGA_CON=y | ||
5345 | CONFIG_USB_LD=m | ||
5346 | CONFIG_USB_TRANCEVIBRATOR=m | ||
5347 | CONFIG_USB_IOWARRIOR=m | ||
5348 | CONFIG_USB_TEST=m | ||
5349 | CONFIG_USB_EHSET_TEST_FIXTURE=m | ||
5350 | CONFIG_USB_ISIGHTFW=m | ||
5351 | CONFIG_USB_YUREX=m | ||
5352 | CONFIG_USB_EZUSB_FX2=m | ||
5353 | # CONFIG_USB_HSIC_USB3503 is not set | ||
5354 | # CONFIG_USB_LINK_LAYER_TEST is not set | ||
5355 | CONFIG_USB_CHAOSKEY=m | ||
5356 | CONFIG_USB_ATM=m | ||
5357 | CONFIG_USB_SPEEDTOUCH=m | ||
5358 | CONFIG_USB_CXACRU=m | ||
5359 | CONFIG_USB_UEAGLEATM=m | ||
5360 | CONFIG_USB_XUSBATM=m | ||
5361 | |||
5362 | # | ||
5363 | # USB Physical Layer drivers | ||
5364 | # | ||
5365 | # CONFIG_USB_PHY is not set | ||
5366 | # CONFIG_NOP_USB_XCEIV is not set | ||
5367 | # CONFIG_USB_GPIO_VBUS is not set | ||
5368 | # CONFIG_USB_ISP1301 is not set | ||
5369 | CONFIG_USB_GADGET=m | ||
5370 | # CONFIG_USB_GADGET_DEBUG is not set | ||
5371 | # CONFIG_USB_GADGET_DEBUG_FILES is not set | ||
5372 | CONFIG_USB_GADGET_VBUS_DRAW=2 | ||
5373 | CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 | ||
5374 | |||
5375 | # | ||
5376 | # USB Peripheral Controller | ||
5377 | # | ||
5378 | # CONFIG_USB_FOTG210_UDC is not set | ||
5379 | # CONFIG_USB_GR_UDC is not set | ||
5380 | # CONFIG_USB_R8A66597 is not set | ||
5381 | # CONFIG_USB_PXA27X is not set | ||
5382 | # CONFIG_USB_MV_UDC is not set | ||
5383 | # CONFIG_USB_MV_U3D is not set | ||
5384 | # CONFIG_USB_M66592 is not set | ||
5385 | # CONFIG_USB_BDC_UDC is not set | ||
5386 | # CONFIG_USB_AMD5536UDC is not set | ||
5387 | # CONFIG_USB_NET2272 is not set | ||
5388 | CONFIG_USB_NET2280=m | ||
5389 | # CONFIG_USB_GOKU is not set | ||
5390 | CONFIG_USB_EG20T=m | ||
5391 | # CONFIG_USB_DUMMY_HCD is not set | ||
5392 | # CONFIG_USB_CONFIGFS is not set | ||
5393 | # CONFIG_USB_ZERO is not set | ||
5394 | # CONFIG_USB_AUDIO is not set | ||
5395 | # CONFIG_USB_ETH is not set | ||
5396 | # CONFIG_USB_G_NCM is not set | ||
5397 | # CONFIG_USB_GADGETFS is not set | ||
5398 | # CONFIG_USB_FUNCTIONFS is not set | ||
5399 | # CONFIG_USB_MASS_STORAGE is not set | ||
5400 | # CONFIG_USB_GADGET_TARGET is not set | ||
5401 | # CONFIG_USB_G_SERIAL is not set | ||
5402 | # CONFIG_USB_MIDI_GADGET is not set | ||
5403 | # CONFIG_USB_G_PRINTER is not set | ||
5404 | # CONFIG_USB_CDC_COMPOSITE is not set | ||
5405 | # CONFIG_USB_G_NOKIA is not set | ||
5406 | # CONFIG_USB_G_ACM_MS is not set | ||
5407 | # CONFIG_USB_G_MULTI is not set | ||
5408 | # CONFIG_USB_G_HID is not set | ||
5409 | # CONFIG_USB_G_DBGP is not set | ||
5410 | # CONFIG_USB_G_WEBCAM is not set | ||
5411 | CONFIG_USB_LED_TRIG=y | ||
5412 | CONFIG_UWB=m | ||
5413 | CONFIG_UWB_HWA=m | ||
5414 | CONFIG_UWB_WHCI=m | ||
5415 | CONFIG_UWB_I1480U=m | ||
5416 | CONFIG_MMC=m | ||
5417 | # CONFIG_MMC_DEBUG is not set | ||
5418 | |||
5419 | # | ||
5420 | # MMC/SD/SDIO Card Drivers | ||
5421 | # | ||
5422 | CONFIG_MMC_BLOCK=m | ||
5423 | CONFIG_MMC_BLOCK_MINORS=256 | ||
5424 | CONFIG_MMC_BLOCK_BOUNCE=y | ||
5425 | CONFIG_SDIO_UART=m | ||
5426 | # CONFIG_MMC_TEST is not set | ||
5427 | |||
5428 | # | ||
5429 | # MMC/SD/SDIO Host Controller Drivers | ||
5430 | # | ||
5431 | CONFIG_MMC_SDHCI=m | ||
5432 | CONFIG_MMC_SDHCI_PCI=m | ||
5433 | CONFIG_MMC_RICOH_MMC=y | ||
5434 | CONFIG_MMC_SDHCI_ACPI=m | ||
5435 | # CONFIG_MMC_SDHCI_PLTFM is not set | ||
5436 | CONFIG_MMC_WBSD=m | ||
5437 | CONFIG_MMC_TIFM_SD=m | ||
5438 | # CONFIG_MMC_SPI is not set | ||
5439 | CONFIG_MMC_SDRICOH_CS=m | ||
5440 | CONFIG_MMC_CB710=m | ||
5441 | CONFIG_MMC_VIA_SDMMC=m | ||
5442 | CONFIG_MMC_VUB300=m | ||
5443 | CONFIG_MMC_USHC=m | ||
5444 | # CONFIG_MMC_USDHI6ROL0 is not set | ||
5445 | CONFIG_MMC_REALTEK_PCI=m | ||
5446 | CONFIG_MMC_REALTEK_USB=m | ||
5447 | CONFIG_MMC_TOSHIBA_PCI=m | ||
5448 | # CONFIG_MMC_MTK is not set | ||
5449 | CONFIG_MEMSTICK=m | ||
5450 | # CONFIG_MEMSTICK_DEBUG is not set | ||
5451 | |||
5452 | # | ||
5453 | # MemoryStick drivers | ||
5454 | # | ||
5455 | # CONFIG_MEMSTICK_UNSAFE_RESUME is not set | ||
5456 | CONFIG_MSPRO_BLOCK=m | ||
5457 | # CONFIG_MS_BLOCK is not set | ||
5458 | |||
5459 | # | ||
5460 | # MemoryStick Host Controller Drivers | ||
5461 | # | ||
5462 | CONFIG_MEMSTICK_TIFM_MS=m | ||
5463 | CONFIG_MEMSTICK_JMICRON_38X=m | ||
5464 | CONFIG_MEMSTICK_R592=m | ||
5465 | CONFIG_MEMSTICK_REALTEK_PCI=m | ||
5466 | CONFIG_MEMSTICK_REALTEK_USB=m | ||
5467 | CONFIG_NEW_LEDS=y | ||
5468 | CONFIG_LEDS_CLASS=y | ||
5469 | # CONFIG_LEDS_CLASS_FLASH is not set | ||
5470 | |||
5471 | # | ||
5472 | # LED drivers | ||
5473 | # | ||
5474 | # CONFIG_LEDS_LM3530 is not set | ||
5475 | # CONFIG_LEDS_LM3642 is not set | ||
5476 | # CONFIG_LEDS_PCA9532 is not set | ||
5477 | # CONFIG_LEDS_GPIO is not set | ||
5478 | CONFIG_LEDS_LP3944=m | ||
5479 | # CONFIG_LEDS_LP5521 is not set | ||
5480 | # CONFIG_LEDS_LP5523 is not set | ||
5481 | # CONFIG_LEDS_LP5562 is not set | ||
5482 | # CONFIG_LEDS_LP8501 is not set | ||
5483 | # CONFIG_LEDS_LP8860 is not set | ||
5484 | CONFIG_LEDS_CLEVO_MAIL=m | ||
5485 | CONFIG_LEDS_PCA955X=m | ||
5486 | # CONFIG_LEDS_PCA963X is not set | ||
5487 | CONFIG_LEDS_DAC124S085=m | ||
5488 | CONFIG_LEDS_BD2802=m | ||
5489 | CONFIG_LEDS_INTEL_SS4200=m | ||
5490 | CONFIG_LEDS_LT3593=m | ||
5491 | CONFIG_LEDS_DELL_NETBOOKS=m | ||
5492 | # CONFIG_LEDS_TCA6507 is not set | ||
5493 | # CONFIG_LEDS_TLC591XX is not set | ||
5494 | # CONFIG_LEDS_LM355x is not set | ||
5495 | CONFIG_LEDS_MENF21BMC=m | ||
5496 | |||
5497 | # | ||
5498 | # LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM) | ||
5499 | # | ||
5500 | # CONFIG_LEDS_BLINKM is not set | ||
5501 | |||
5502 | # | ||
5503 | # LED Triggers | ||
5504 | # | ||
5505 | CONFIG_LEDS_TRIGGERS=y | ||
5506 | CONFIG_LEDS_TRIGGER_TIMER=m | ||
5507 | CONFIG_LEDS_TRIGGER_ONESHOT=m | ||
5508 | CONFIG_LEDS_TRIGGER_HEARTBEAT=m | ||
5509 | CONFIG_LEDS_TRIGGER_BACKLIGHT=m | ||
5510 | CONFIG_LEDS_TRIGGER_CPU=y | ||
5511 | CONFIG_LEDS_TRIGGER_GPIO=m | ||
5512 | CONFIG_LEDS_TRIGGER_DEFAULT_ON=m | ||
5513 | |||
5514 | # | ||
5515 | # iptables trigger is under Netfilter config (LED target) | ||
5516 | # | ||
5517 | CONFIG_LEDS_TRIGGER_TRANSIENT=m | ||
5518 | CONFIG_LEDS_TRIGGER_CAMERA=m | ||
5519 | CONFIG_ACCESSIBILITY=y | ||
5520 | CONFIG_A11Y_BRAILLE_CONSOLE=y | ||
5521 | CONFIG_INFINIBAND=m | ||
5522 | CONFIG_INFINIBAND_USER_MAD=m | ||
5523 | CONFIG_INFINIBAND_USER_ACCESS=m | ||
5524 | CONFIG_INFINIBAND_USER_MEM=y | ||
5525 | CONFIG_INFINIBAND_ON_DEMAND_PAGING=y | ||
5526 | CONFIG_INFINIBAND_ADDR_TRANS=y | ||
5527 | CONFIG_INFINIBAND_MTHCA=m | ||
5528 | CONFIG_INFINIBAND_MTHCA_DEBUG=y | ||
5529 | CONFIG_INFINIBAND_QIB=m | ||
5530 | CONFIG_INFINIBAND_QIB_DCA=y | ||
5531 | CONFIG_INFINIBAND_CXGB3=m | ||
5532 | # CONFIG_INFINIBAND_CXGB3_DEBUG is not set | ||
5533 | CONFIG_INFINIBAND_CXGB4=m | ||
5534 | CONFIG_MLX4_INFINIBAND=m | ||
5535 | CONFIG_MLX5_INFINIBAND=m | ||
5536 | CONFIG_INFINIBAND_NES=m | ||
5537 | # CONFIG_INFINIBAND_NES_DEBUG is not set | ||
5538 | CONFIG_INFINIBAND_OCRDMA=m | ||
5539 | CONFIG_INFINIBAND_USNIC=m | ||
5540 | CONFIG_INFINIBAND_IPOIB=m | ||
5541 | CONFIG_INFINIBAND_IPOIB_CM=y | ||
5542 | CONFIG_INFINIBAND_IPOIB_DEBUG=y | ||
5543 | # CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set | ||
5544 | CONFIG_INFINIBAND_SRP=m | ||
5545 | CONFIG_INFINIBAND_SRPT=m | ||
5546 | CONFIG_INFINIBAND_ISER=m | ||
5547 | CONFIG_INFINIBAND_ISERT=m | ||
5548 | CONFIG_EDAC_ATOMIC_SCRUB=y | ||
5549 | CONFIG_EDAC_SUPPORT=y | ||
5550 | CONFIG_EDAC=y | ||
5551 | CONFIG_EDAC_LEGACY_SYSFS=y | ||
5552 | # CONFIG_EDAC_DEBUG is not set | ||
5553 | CONFIG_EDAC_DECODE_MCE=m | ||
5554 | CONFIG_EDAC_MM_EDAC=m | ||
5555 | CONFIG_EDAC_AMD64=m | ||
5556 | # CONFIG_EDAC_AMD64_ERROR_INJECTION is not set | ||
5557 | CONFIG_EDAC_E752X=m | ||
5558 | CONFIG_EDAC_I82975X=m | ||
5559 | CONFIG_EDAC_I3000=m | ||
5560 | CONFIG_EDAC_I3200=m | ||
5561 | CONFIG_EDAC_IE31200=m | ||
5562 | CONFIG_EDAC_X38=m | ||
5563 | CONFIG_EDAC_I5400=m | ||
5564 | CONFIG_EDAC_I7CORE=m | ||
5565 | CONFIG_EDAC_I5000=m | ||
5566 | CONFIG_EDAC_I5100=m | ||
5567 | CONFIG_EDAC_I7300=m | ||
5568 | CONFIG_EDAC_SBRIDGE=m | ||
5569 | CONFIG_RTC_LIB=y | ||
5570 | CONFIG_RTC_CLASS=y | ||
5571 | CONFIG_RTC_HCTOSYS=y | ||
5572 | CONFIG_RTC_HCTOSYS_DEVICE="rtc0" | ||
5573 | CONFIG_RTC_SYSTOHC=y | ||
5574 | CONFIG_RTC_SYSTOHC_DEVICE="rtc0" | ||
5575 | # CONFIG_RTC_DEBUG is not set | ||
5576 | |||
5577 | # | ||
5578 | # RTC interfaces | ||
5579 | # | ||
5580 | CONFIG_RTC_INTF_SYSFS=y | ||
5581 | CONFIG_RTC_INTF_PROC=y | ||
5582 | CONFIG_RTC_INTF_DEV=y | ||
5583 | # CONFIG_RTC_INTF_DEV_UIE_EMUL is not set | ||
5584 | # CONFIG_RTC_DRV_TEST is not set | ||
5585 | |||
5586 | # | ||
5587 | # I2C RTC drivers | ||
5588 | # | ||
5589 | # CONFIG_RTC_DRV_ABB5ZES3 is not set | ||
5590 | # CONFIG_RTC_DRV_ABX80X is not set | ||
5591 | # CONFIG_RTC_DRV_DS1307 is not set | ||
5592 | # CONFIG_RTC_DRV_DS1374 is not set | ||
5593 | # CONFIG_RTC_DRV_DS1672 is not set | ||
5594 | # CONFIG_RTC_DRV_DS3232 is not set | ||
5595 | # CONFIG_RTC_DRV_MAX6900 is not set | ||
5596 | # CONFIG_RTC_DRV_RS5C372 is not set | ||
5597 | # CONFIG_RTC_DRV_ISL1208 is not set | ||
5598 | # CONFIG_RTC_DRV_ISL12022 is not set | ||
5599 | # CONFIG_RTC_DRV_ISL12057 is not set | ||
5600 | # CONFIG_RTC_DRV_X1205 is not set | ||
5601 | # CONFIG_RTC_DRV_PCF2127 is not set | ||
5602 | # CONFIG_RTC_DRV_PCF8523 is not set | ||
5603 | # CONFIG_RTC_DRV_PCF8563 is not set | ||
5604 | # CONFIG_RTC_DRV_PCF85063 is not set | ||
5605 | # CONFIG_RTC_DRV_PCF8583 is not set | ||
5606 | # CONFIG_RTC_DRV_M41T80 is not set | ||
5607 | # CONFIG_RTC_DRV_BQ32K is not set | ||
5608 | # CONFIG_RTC_DRV_S35390A is not set | ||
5609 | # CONFIG_RTC_DRV_FM3130 is not set | ||
5610 | # CONFIG_RTC_DRV_RX8581 is not set | ||
5611 | # CONFIG_RTC_DRV_RX8025 is not set | ||
5612 | # CONFIG_RTC_DRV_EM3027 is not set | ||
5613 | # CONFIG_RTC_DRV_RV3029C2 is not set | ||
5614 | # CONFIG_RTC_DRV_RV8803 is not set | ||
5615 | |||
5616 | # | ||
5617 | # SPI RTC drivers | ||
5618 | # | ||
5619 | # CONFIG_RTC_DRV_M41T93 is not set | ||
5620 | # CONFIG_RTC_DRV_M41T94 is not set | ||
5621 | # CONFIG_RTC_DRV_DS1305 is not set | ||
5622 | # CONFIG_RTC_DRV_DS1343 is not set | ||
5623 | # CONFIG_RTC_DRV_DS1347 is not set | ||
5624 | # CONFIG_RTC_DRV_DS1390 is not set | ||
5625 | # CONFIG_RTC_DRV_MAX6902 is not set | ||
5626 | # CONFIG_RTC_DRV_R9701 is not set | ||
5627 | # CONFIG_RTC_DRV_RS5C348 is not set | ||
5628 | # CONFIG_RTC_DRV_DS3234 is not set | ||
5629 | # CONFIG_RTC_DRV_PCF2123 is not set | ||
5630 | # CONFIG_RTC_DRV_RX4581 is not set | ||
5631 | # CONFIG_RTC_DRV_MCP795 is not set | ||
5632 | |||
5633 | # | ||
5634 | # Platform RTC drivers | ||
5635 | # | ||
5636 | CONFIG_RTC_DRV_CMOS=y | ||
5637 | # CONFIG_RTC_DRV_DS1286 is not set | ||
5638 | # CONFIG_RTC_DRV_DS1511 is not set | ||
5639 | # CONFIG_RTC_DRV_DS1553 is not set | ||
5640 | # CONFIG_RTC_DRV_DS1685_FAMILY is not set | ||
5641 | # CONFIG_RTC_DRV_DS1742 is not set | ||
5642 | # CONFIG_RTC_DRV_DS2404 is not set | ||
5643 | # CONFIG_RTC_DRV_STK17TA8 is not set | ||
5644 | # CONFIG_RTC_DRV_M48T86 is not set | ||
5645 | # CONFIG_RTC_DRV_M48T35 is not set | ||
5646 | # CONFIG_RTC_DRV_M48T59 is not set | ||
5647 | # CONFIG_RTC_DRV_MSM6242 is not set | ||
5648 | # CONFIG_RTC_DRV_BQ4802 is not set | ||
5649 | # CONFIG_RTC_DRV_RP5C01 is not set | ||
5650 | # CONFIG_RTC_DRV_V3020 is not set | ||
5651 | |||
5652 | # | ||
5653 | # on-CPU RTC drivers | ||
5654 | # | ||
5655 | |||
5656 | # | ||
5657 | # HID Sensor RTC drivers | ||
5658 | # | ||
5659 | # CONFIG_RTC_DRV_HID_SENSOR_TIME is not set | ||
5660 | CONFIG_DMADEVICES=y | ||
5661 | # CONFIG_DMADEVICES_DEBUG is not set | ||
5662 | |||
5663 | # | ||
5664 | # DMA Devices | ||
5665 | # | ||
5666 | CONFIG_DMA_ENGINE=y | ||
5667 | CONFIG_DMA_VIRTUAL_CHANNELS=m | ||
5668 | CONFIG_DMA_ACPI=y | ||
5669 | CONFIG_INTEL_IDMA64=m | ||
5670 | CONFIG_INTEL_IOATDMA=m | ||
5671 | CONFIG_INTEL_MIC_X100_DMA=m | ||
5672 | CONFIG_DW_DMAC_CORE=m | ||
5673 | CONFIG_DW_DMAC=m | ||
5674 | # CONFIG_DW_DMAC_PCI is not set | ||
5675 | |||
5676 | # | ||
5677 | # DMA Clients | ||
5678 | # | ||
5679 | CONFIG_ASYNC_TX_DMA=y | ||
5680 | # CONFIG_DMATEST is not set | ||
5681 | CONFIG_DMA_ENGINE_RAID=y | ||
5682 | CONFIG_DCA=m | ||
5683 | # CONFIG_AUXDISPLAY is not set | ||
5684 | CONFIG_UIO=m | ||
5685 | CONFIG_UIO_CIF=m | ||
5686 | # CONFIG_UIO_PDRV_GENIRQ is not set | ||
5687 | # CONFIG_UIO_DMEM_GENIRQ is not set | ||
5688 | CONFIG_UIO_AEC=m | ||
5689 | CONFIG_UIO_SERCOS3=m | ||
5690 | CONFIG_UIO_PCI_GENERIC=m | ||
5691 | CONFIG_UIO_NETX=m | ||
5692 | # CONFIG_UIO_PRUSS is not set | ||
5693 | CONFIG_UIO_MF624=m | ||
5694 | CONFIG_VFIO_IOMMU_TYPE1=m | ||
5695 | CONFIG_VFIO_VIRQFD=m | ||
5696 | CONFIG_VFIO=m | ||
5697 | CONFIG_VFIO_PCI=m | ||
5698 | CONFIG_VFIO_PCI_VGA=y | ||
5699 | CONFIG_VFIO_PCI_MMAP=y | ||
5700 | CONFIG_VFIO_PCI_INTX=y | ||
5701 | CONFIG_IRQ_BYPASS_MANAGER=m | ||
5702 | CONFIG_VIRT_DRIVERS=y | ||
5703 | CONFIG_VIRTIO=m | ||
5704 | |||
5705 | # | ||
5706 | # Virtio drivers | ||
5707 | # | ||
5708 | CONFIG_VIRTIO_PCI=m | ||
5709 | CONFIG_VIRTIO_PCI_LEGACY=y | ||
5710 | CONFIG_VIRTIO_BALLOON=m | ||
5711 | CONFIG_VIRTIO_INPUT=m | ||
5712 | # CONFIG_VIRTIO_MMIO is not set | ||
5713 | |||
5714 | # | ||
5715 | # Microsoft Hyper-V guest support | ||
5716 | # | ||
5717 | CONFIG_HYPERV=m | ||
5718 | CONFIG_HYPERV_UTILS=m | ||
5719 | CONFIG_HYPERV_BALLOON=m | ||
5720 | CONFIG_STAGING=y | ||
5721 | # CONFIG_SLICOSS is not set | ||
5722 | CONFIG_PRISM2_USB=m | ||
5723 | CONFIG_COMEDI=m | ||
5724 | # CONFIG_COMEDI_DEBUG is not set | ||
5725 | CONFIG_COMEDI_DEFAULT_BUF_SIZE_KB=2048 | ||
5726 | CONFIG_COMEDI_DEFAULT_BUF_MAXSIZE_KB=20480 | ||
5727 | CONFIG_COMEDI_MISC_DRIVERS=y | ||
5728 | CONFIG_COMEDI_BOND=m | ||
5729 | CONFIG_COMEDI_TEST=m | ||
5730 | CONFIG_COMEDI_PARPORT=m | ||
5731 | CONFIG_COMEDI_SERIAL2002=m | ||
5732 | # CONFIG_COMEDI_ISA_DRIVERS is not set | ||
5733 | CONFIG_COMEDI_PCI_DRIVERS=m | ||
5734 | CONFIG_COMEDI_8255_PCI=m | ||
5735 | CONFIG_COMEDI_ADDI_WATCHDOG=m | ||
5736 | CONFIG_COMEDI_ADDI_APCI_1032=m | ||
5737 | CONFIG_COMEDI_ADDI_APCI_1500=m | ||
5738 | CONFIG_COMEDI_ADDI_APCI_1516=m | ||
5739 | CONFIG_COMEDI_ADDI_APCI_1564=m | ||
5740 | CONFIG_COMEDI_ADDI_APCI_16XX=m | ||
5741 | CONFIG_COMEDI_ADDI_APCI_2032=m | ||
5742 | CONFIG_COMEDI_ADDI_APCI_2200=m | ||
5743 | CONFIG_COMEDI_ADDI_APCI_3120=m | ||
5744 | CONFIG_COMEDI_ADDI_APCI_3501=m | ||
5745 | CONFIG_COMEDI_ADDI_APCI_3XXX=m | ||
5746 | CONFIG_COMEDI_ADL_PCI6208=m | ||
5747 | CONFIG_COMEDI_ADL_PCI7X3X=m | ||
5748 | CONFIG_COMEDI_ADL_PCI8164=m | ||
5749 | CONFIG_COMEDI_ADL_PCI9111=m | ||
5750 | CONFIG_COMEDI_ADL_PCI9118=m | ||
5751 | CONFIG_COMEDI_ADV_PCI1710=m | ||
5752 | CONFIG_COMEDI_ADV_PCI1723=m | ||
5753 | CONFIG_COMEDI_ADV_PCI1724=m | ||
5754 | CONFIG_COMEDI_ADV_PCI_DIO=m | ||
5755 | CONFIG_COMEDI_AMPLC_DIO200_PCI=m | ||
5756 | CONFIG_COMEDI_AMPLC_PC236_PCI=m | ||
5757 | CONFIG_COMEDI_AMPLC_PC263_PCI=m | ||
5758 | CONFIG_COMEDI_AMPLC_PCI224=m | ||
5759 | CONFIG_COMEDI_AMPLC_PCI230=m | ||
5760 | CONFIG_COMEDI_CONTEC_PCI_DIO=m | ||
5761 | CONFIG_COMEDI_DAS08_PCI=m | ||
5762 | CONFIG_COMEDI_DT3000=m | ||
5763 | CONFIG_COMEDI_DYNA_PCI10XX=m | ||
5764 | CONFIG_COMEDI_GSC_HPDI=m | ||
5765 | CONFIG_COMEDI_MF6X4=m | ||
5766 | CONFIG_COMEDI_ICP_MULTI=m | ||
5767 | CONFIG_COMEDI_DAQBOARD2000=m | ||
5768 | CONFIG_COMEDI_JR3_PCI=m | ||
5769 | CONFIG_COMEDI_KE_COUNTER=m | ||
5770 | CONFIG_COMEDI_CB_PCIDAS64=m | ||
5771 | CONFIG_COMEDI_CB_PCIDAS=m | ||
5772 | CONFIG_COMEDI_CB_PCIDDA=m | ||
5773 | CONFIG_COMEDI_CB_PCIMDAS=m | ||
5774 | CONFIG_COMEDI_CB_PCIMDDA=m | ||
5775 | CONFIG_COMEDI_ME4000=m | ||
5776 | CONFIG_COMEDI_ME_DAQ=m | ||
5777 | CONFIG_COMEDI_NI_6527=m | ||
5778 | CONFIG_COMEDI_NI_65XX=m | ||
5779 | CONFIG_COMEDI_NI_660X=m | ||
5780 | CONFIG_COMEDI_NI_670X=m | ||
5781 | CONFIG_COMEDI_NI_LABPC_PCI=m | ||
5782 | CONFIG_COMEDI_NI_PCIDIO=m | ||
5783 | CONFIG_COMEDI_NI_PCIMIO=m | ||
5784 | CONFIG_COMEDI_RTD520=m | ||
5785 | CONFIG_COMEDI_S626=m | ||
5786 | CONFIG_COMEDI_MITE=m | ||
5787 | CONFIG_COMEDI_NI_TIOCMD=m | ||
5788 | CONFIG_COMEDI_PCMCIA_DRIVERS=m | ||
5789 | CONFIG_COMEDI_CB_DAS16_CS=m | ||
5790 | CONFIG_COMEDI_DAS08_CS=m | ||
5791 | CONFIG_COMEDI_NI_DAQ_700_CS=m | ||
5792 | CONFIG_COMEDI_NI_DAQ_DIO24_CS=m | ||
5793 | CONFIG_COMEDI_NI_LABPC_CS=m | ||
5794 | CONFIG_COMEDI_NI_MIO_CS=m | ||
5795 | CONFIG_COMEDI_QUATECH_DAQP_CS=m | ||
5796 | CONFIG_COMEDI_USB_DRIVERS=m | ||
5797 | CONFIG_COMEDI_DT9812=m | ||
5798 | CONFIG_COMEDI_NI_USB6501=m | ||
5799 | CONFIG_COMEDI_USBDUX=m | ||
5800 | CONFIG_COMEDI_USBDUXFAST=m | ||
5801 | CONFIG_COMEDI_USBDUXSIGMA=m | ||
5802 | CONFIG_COMEDI_VMK80XX=m | ||
5803 | CONFIG_COMEDI_8254=m | ||
5804 | CONFIG_COMEDI_8255=m | ||
5805 | CONFIG_COMEDI_8255_SA=m | ||
5806 | CONFIG_COMEDI_KCOMEDILIB=m | ||
5807 | CONFIG_COMEDI_AMPLC_DIO200=m | ||
5808 | CONFIG_COMEDI_AMPLC_PC236=m | ||
5809 | CONFIG_COMEDI_DAS08=m | ||
5810 | CONFIG_COMEDI_NI_LABPC=m | ||
5811 | CONFIG_COMEDI_NI_TIO=m | ||
5812 | # CONFIG_PANEL is not set | ||
5813 | CONFIG_RTL8192U=m | ||
5814 | CONFIG_RTLLIB=m | ||
5815 | CONFIG_RTLLIB_CRYPTO_CCMP=m | ||
5816 | CONFIG_RTLLIB_CRYPTO_TKIP=m | ||
5817 | CONFIG_RTLLIB_CRYPTO_WEP=m | ||
5818 | CONFIG_RTL8192E=m | ||
5819 | CONFIG_R8712U=m | ||
5820 | CONFIG_R8188EU=m | ||
5821 | CONFIG_88EU_AP_MODE=y | ||
5822 | CONFIG_R8723AU=m | ||
5823 | CONFIG_8723AU_AP_MODE=y | ||
5824 | CONFIG_8723AU_BT_COEXIST=y | ||
5825 | CONFIG_RTS5208=m | ||
5826 | # CONFIG_VT6655 is not set | ||
5827 | CONFIG_VT6656=m | ||
5828 | |||
5829 | # | ||
5830 | # IIO staging drivers | ||
5831 | # | ||
5832 | |||
5833 | # | ||
5834 | # Accelerometers | ||
5835 | # | ||
5836 | # CONFIG_ADIS16201 is not set | ||
5837 | # CONFIG_ADIS16203 is not set | ||
5838 | # CONFIG_ADIS16204 is not set | ||
5839 | # CONFIG_ADIS16209 is not set | ||
5840 | # CONFIG_ADIS16220 is not set | ||
5841 | # CONFIG_ADIS16240 is not set | ||
5842 | # CONFIG_LIS3L02DQ is not set | ||
5843 | # CONFIG_SCA3000 is not set | ||
5844 | |||
5845 | # | ||
5846 | # Analog to digital converters | ||
5847 | # | ||
5848 | # CONFIG_AD7606 is not set | ||
5849 | # CONFIG_AD7780 is not set | ||
5850 | # CONFIG_AD7816 is not set | ||
5851 | # CONFIG_AD7192 is not set | ||
5852 | # CONFIG_AD7280 is not set | ||
5853 | |||
5854 | # | ||
5855 | # Analog digital bi-direction converters | ||
5856 | # | ||
5857 | # CONFIG_ADT7316 is not set | ||
5858 | |||
5859 | # | ||
5860 | # Capacitance to digital converters | ||
5861 | # | ||
5862 | # CONFIG_AD7150 is not set | ||
5863 | # CONFIG_AD7152 is not set | ||
5864 | # CONFIG_AD7746 is not set | ||
5865 | |||
5866 | # | ||
5867 | # Direct Digital Synthesis | ||
5868 | # | ||
5869 | # CONFIG_AD9832 is not set | ||
5870 | # CONFIG_AD9834 is not set | ||
5871 | |||
5872 | # | ||
5873 | # Digital gyroscope sensors | ||
5874 | # | ||
5875 | # CONFIG_ADIS16060 is not set | ||
5876 | |||
5877 | # | ||
5878 | # Network Analyzer, Impedance Converters | ||
5879 | # | ||
5880 | # CONFIG_AD5933 is not set | ||
5881 | |||
5882 | # | ||
5883 | # Light sensors | ||
5884 | # | ||
5885 | CONFIG_SENSORS_ISL29018=m | ||
5886 | # CONFIG_SENSORS_ISL29028 is not set | ||
5887 | CONFIG_TSL2583=m | ||
5888 | # CONFIG_TSL2x7x is not set | ||
5889 | |||
5890 | # | ||
5891 | # Magnetometer sensors | ||
5892 | # | ||
5893 | # CONFIG_SENSORS_HMC5843_I2C is not set | ||
5894 | # CONFIG_SENSORS_HMC5843_SPI is not set | ||
5895 | |||
5896 | # | ||
5897 | # Active energy metering IC | ||
5898 | # | ||
5899 | # CONFIG_ADE7753 is not set | ||
5900 | # CONFIG_ADE7754 is not set | ||
5901 | # CONFIG_ADE7758 is not set | ||
5902 | # CONFIG_ADE7759 is not set | ||
5903 | # CONFIG_ADE7854 is not set | ||
5904 | |||
5905 | # | ||
5906 | # Resolver to digital converters | ||
5907 | # | ||
5908 | # CONFIG_AD2S90 is not set | ||
5909 | # CONFIG_AD2S1200 is not set | ||
5910 | # CONFIG_AD2S1210 is not set | ||
5911 | |||
5912 | # | ||
5913 | # Triggers - standalone | ||
5914 | # | ||
5915 | # CONFIG_IIO_PERIODIC_RTC_TRIGGER is not set | ||
5916 | # CONFIG_IIO_SIMPLE_DUMMY is not set | ||
5917 | # CONFIG_FB_SM750 is not set | ||
5918 | # CONFIG_FB_XGI is not set | ||
5919 | |||
5920 | # | ||
5921 | # Speakup console speech | ||
5922 | # | ||
5923 | CONFIG_SPEAKUP=m | ||
5924 | CONFIG_SPEAKUP_SYNTH_ACNTSA=m | ||
5925 | CONFIG_SPEAKUP_SYNTH_APOLLO=m | ||
5926 | CONFIG_SPEAKUP_SYNTH_AUDPTR=m | ||
5927 | CONFIG_SPEAKUP_SYNTH_BNS=m | ||
5928 | CONFIG_SPEAKUP_SYNTH_DECTLK=m | ||
5929 | CONFIG_SPEAKUP_SYNTH_DECEXT=m | ||
5930 | CONFIG_SPEAKUP_SYNTH_LTLK=m | ||
5931 | CONFIG_SPEAKUP_SYNTH_SOFT=m | ||
5932 | CONFIG_SPEAKUP_SYNTH_SPKOUT=m | ||
5933 | CONFIG_SPEAKUP_SYNTH_TXPRT=m | ||
5934 | CONFIG_SPEAKUP_SYNTH_DUMMY=m | ||
5935 | # CONFIG_TOUCHSCREEN_SYNAPTICS_I2C_RMI4 is not set | ||
5936 | CONFIG_STAGING_MEDIA=y | ||
5937 | # CONFIG_I2C_BCM2048 is not set | ||
5938 | # CONFIG_DVB_CXD2099 is not set | ||
5939 | # CONFIG_DVB_MN88472 is not set | ||
5940 | # CONFIG_DVB_MN88473 is not set | ||
5941 | CONFIG_LIRC_STAGING=y | ||
5942 | CONFIG_LIRC_BT829=m | ||
5943 | CONFIG_LIRC_IMON=m | ||
5944 | # CONFIG_LIRC_PARALLEL is not set | ||
5945 | CONFIG_LIRC_SASEM=m | ||
5946 | CONFIG_LIRC_SERIAL=m | ||
5947 | CONFIG_LIRC_SERIAL_TRANSMITTER=y | ||
5948 | CONFIG_LIRC_SIR=m | ||
5949 | CONFIG_LIRC_ZILOG=m | ||
5950 | # CONFIG_STAGING_RDMA is not set | ||
5951 | |||
5952 | # | ||
5953 | # Android | ||
5954 | # | ||
5955 | CONFIG_WIMAX_GDM72XX=m | ||
5956 | # CONFIG_WIMAX_GDM72XX_QOS is not set | ||
5957 | # CONFIG_WIMAX_GDM72XX_K_MODE is not set | ||
5958 | # CONFIG_WIMAX_GDM72XX_WIMAX2 is not set | ||
5959 | CONFIG_WIMAX_GDM72XX_USB=y | ||
5960 | # CONFIG_WIMAX_GDM72XX_SDIO is not set | ||
5961 | CONFIG_WIMAX_GDM72XX_USB_PM=y | ||
5962 | # CONFIG_LTE_GDM724X is not set | ||
5963 | # CONFIG_FIREWIRE_SERIAL is not set | ||
5964 | # CONFIG_MTD_SPINAND_MT29F is not set | ||
5965 | CONFIG_LUSTRE_FS=m | ||
5966 | CONFIG_LUSTRE_OBD_MAX_IOCTL_BUFFER=8192 | ||
5967 | # CONFIG_LUSTRE_DEBUG_EXPENSIVE_CHECK is not set | ||
5968 | CONFIG_LUSTRE_LLITE_LLOOP=m | ||
5969 | CONFIG_LNET=m | ||
5970 | CONFIG_LNET_MAX_PAYLOAD=1048576 | ||
5971 | # CONFIG_LNET_SELFTEST is not set | ||
5972 | CONFIG_LNET_XPRT_IB=m | ||
5973 | # CONFIG_DGNC is not set | ||
5974 | # CONFIG_DGAP is not set | ||
5975 | # CONFIG_GS_FPGABOOT is not set | ||
5976 | # CONFIG_CRYPTO_SKEIN is not set | ||
5977 | # CONFIG_UNISYSSPAR is not set | ||
5978 | # CONFIG_FB_TFT is not set | ||
5979 | # CONFIG_WILC1000_DRIVER is not set | ||
5980 | # CONFIG_MOST is not set | ||
5981 | CONFIG_X86_PLATFORM_DEVICES=y | ||
5982 | CONFIG_ACER_WMI=m | ||
5983 | CONFIG_ACERHDF=m | ||
5984 | CONFIG_ALIENWARE_WMI=m | ||
5985 | CONFIG_ASUS_LAPTOP=m | ||
5986 | CONFIG_DELL_LAPTOP=m | ||
5987 | CONFIG_DELL_WMI=m | ||
5988 | CONFIG_DELL_WMI_AIO=m | ||
5989 | CONFIG_DELL_SMO8800=m | ||
5990 | CONFIG_DELL_RBTN=m | ||
5991 | CONFIG_FUJITSU_LAPTOP=m | ||
5992 | # CONFIG_FUJITSU_LAPTOP_DEBUG is not set | ||
5993 | CONFIG_FUJITSU_TABLET=m | ||
5994 | CONFIG_AMILO_RFKILL=m | ||
5995 | CONFIG_HP_ACCEL=m | ||
5996 | CONFIG_HP_WIRELESS=m | ||
5997 | CONFIG_HP_WMI=m | ||
5998 | CONFIG_MSI_LAPTOP=m | ||
5999 | CONFIG_PANASONIC_LAPTOP=m | ||
6000 | CONFIG_COMPAL_LAPTOP=m | ||
6001 | CONFIG_SONY_LAPTOP=m | ||
6002 | CONFIG_SONYPI_COMPAT=y | ||
6003 | CONFIG_IDEAPAD_LAPTOP=m | ||
6004 | CONFIG_THINKPAD_ACPI=m | ||
6005 | CONFIG_THINKPAD_ACPI_ALSA_SUPPORT=y | ||
6006 | # CONFIG_THINKPAD_ACPI_DEBUGFACILITIES is not set | ||
6007 | # CONFIG_THINKPAD_ACPI_DEBUG is not set | ||
6008 | # CONFIG_THINKPAD_ACPI_UNSAFE_LEDS is not set | ||
6009 | CONFIG_THINKPAD_ACPI_VIDEO=y | ||
6010 | CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y | ||
6011 | CONFIG_SENSORS_HDAPS=m | ||
6012 | # CONFIG_INTEL_MENLOW is not set | ||
6013 | CONFIG_EEEPC_LAPTOP=m | ||
6014 | CONFIG_ASUS_WMI=m | ||
6015 | CONFIG_ASUS_NB_WMI=m | ||
6016 | CONFIG_EEEPC_WMI=m | ||
6017 | CONFIG_ACPI_WMI=m | ||
6018 | CONFIG_MSI_WMI=m | ||
6019 | CONFIG_TOPSTAR_LAPTOP=m | ||
6020 | CONFIG_ACPI_TOSHIBA=m | ||
6021 | CONFIG_TOSHIBA_BT_RFKILL=m | ||
6022 | CONFIG_TOSHIBA_HAPS=m | ||
6023 | # CONFIG_TOSHIBA_WMI is not set | ||
6024 | CONFIG_ACPI_CMPC=m | ||
6025 | CONFIG_INTEL_IPS=m | ||
6026 | CONFIG_IBM_RTL=m | ||
6027 | CONFIG_SAMSUNG_LAPTOP=m | ||
6028 | CONFIG_MXM_WMI=m | ||
6029 | CONFIG_INTEL_OAKTRAIL=m | ||
6030 | CONFIG_SAMSUNG_Q10=m | ||
6031 | CONFIG_APPLE_GMUX=m | ||
6032 | CONFIG_INTEL_RST=m | ||
6033 | CONFIG_INTEL_SMARTCONNECT=m | ||
6034 | CONFIG_PVPANIC=m | ||
6035 | CONFIG_INTEL_PMC_IPC=m | ||
6036 | CONFIG_SURFACE_PRO3_BUTTON=m | ||
6037 | CONFIG_CHROME_PLATFORMS=y | ||
6038 | CONFIG_CHROMEOS_LAPTOP=m | ||
6039 | CONFIG_CHROMEOS_PSTORE=m | ||
6040 | CONFIG_CLKDEV_LOOKUP=y | ||
6041 | CONFIG_HAVE_CLK_PREPARE=y | ||
6042 | CONFIG_COMMON_CLK=y | ||
6043 | |||
6044 | # | ||
6045 | # Common Clock Framework | ||
6046 | # | ||
6047 | # CONFIG_COMMON_CLK_SI5351 is not set | ||
6048 | # CONFIG_COMMON_CLK_PXA is not set | ||
6049 | # CONFIG_COMMON_CLK_CDCE706 is not set | ||
6050 | |||
6051 | # | ||
6052 | # Hardware Spinlock drivers | ||
6053 | # | ||
6054 | |||
6055 | # | ||
6056 | # Clock Source drivers | ||
6057 | # | ||
6058 | CONFIG_CLKEVT_I8253=y | ||
6059 | CONFIG_I8253_LOCK=y | ||
6060 | CONFIG_CLKBLD_I8253=y | ||
6061 | # CONFIG_ATMEL_PIT is not set | ||
6062 | # CONFIG_SH_TIMER_CMT is not set | ||
6063 | # CONFIG_SH_TIMER_MTU2 is not set | ||
6064 | # CONFIG_SH_TIMER_TMU is not set | ||
6065 | # CONFIG_EM_TIMER_STI is not set | ||
6066 | # CONFIG_MAILBOX is not set | ||
6067 | CONFIG_IOMMU_API=y | ||
6068 | CONFIG_IOMMU_SUPPORT=y | ||
6069 | |||
6070 | # | ||
6071 | # Generic IOMMU Pagetable Support | ||
6072 | # | ||
6073 | CONFIG_IOMMU_IOVA=y | ||
6074 | CONFIG_AMD_IOMMU=y | ||
6075 | CONFIG_AMD_IOMMU_V2=y | ||
6076 | CONFIG_DMAR_TABLE=y | ||
6077 | CONFIG_INTEL_IOMMU=y | ||
6078 | CONFIG_INTEL_IOMMU_SVM=y | ||
6079 | # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set | ||
6080 | CONFIG_INTEL_IOMMU_FLOPPY_WA=y | ||
6081 | CONFIG_IRQ_REMAP=y | ||
6082 | |||
6083 | # | ||
6084 | # Remoteproc drivers | ||
6085 | # | ||
6086 | # CONFIG_STE_MODEM_RPROC is not set | ||
6087 | |||
6088 | # | ||
6089 | # Rpmsg drivers | ||
6090 | # | ||
6091 | |||
6092 | # | ||
6093 | # SOC (System On Chip) specific Drivers | ||
6094 | # | ||
6095 | # CONFIG_SUNXI_SRAM is not set | ||
6096 | # CONFIG_SOC_TI is not set | ||
6097 | CONFIG_PM_DEVFREQ=y | ||
6098 | |||
6099 | # | ||
6100 | # DEVFREQ Governors | ||
6101 | # | ||
6102 | CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m | ||
6103 | # CONFIG_DEVFREQ_GOV_PERFORMANCE is not set | ||
6104 | # CONFIG_DEVFREQ_GOV_POWERSAVE is not set | ||
6105 | # CONFIG_DEVFREQ_GOV_USERSPACE is not set | ||
6106 | |||
6107 | # | ||
6108 | # DEVFREQ Drivers | ||
6109 | # | ||
6110 | # CONFIG_PM_DEVFREQ_EVENT is not set | ||
6111 | # CONFIG_EXTCON is not set | ||
6112 | CONFIG_MEMORY=y | ||
6113 | CONFIG_IIO=m | ||
6114 | CONFIG_IIO_BUFFER=y | ||
6115 | # CONFIG_IIO_BUFFER_CB is not set | ||
6116 | CONFIG_IIO_KFIFO_BUF=m | ||
6117 | CONFIG_IIO_TRIGGERED_BUFFER=m | ||
6118 | CONFIG_IIO_TRIGGER=y | ||
6119 | CONFIG_IIO_CONSUMERS_PER_TRIGGER=2 | ||
6120 | |||
6121 | # | ||
6122 | # Accelerometers | ||
6123 | # | ||
6124 | # CONFIG_BMA180 is not set | ||
6125 | CONFIG_BMC150_ACCEL=m | ||
6126 | CONFIG_BMC150_ACCEL_I2C=m | ||
6127 | CONFIG_BMC150_ACCEL_SPI=m | ||
6128 | CONFIG_HID_SENSOR_ACCEL_3D=m | ||
6129 | # CONFIG_IIO_ST_ACCEL_3AXIS is not set | ||
6130 | # CONFIG_KXSD9 is not set | ||
6131 | CONFIG_KXCJK1013=m | ||
6132 | # CONFIG_MMA8452 is not set | ||
6133 | CONFIG_MMA9551_CORE=m | ||
6134 | CONFIG_MMA9551=m | ||
6135 | CONFIG_MMA9553=m | ||
6136 | # CONFIG_MXC4005 is not set | ||
6137 | # CONFIG_STK8312 is not set | ||
6138 | # CONFIG_STK8BA50 is not set | ||
6139 | |||
6140 | # | ||
6141 | # Analog to digital converters | ||
6142 | # | ||
6143 | # CONFIG_AD7266 is not set | ||
6144 | # CONFIG_AD7291 is not set | ||
6145 | # CONFIG_AD7298 is not set | ||
6146 | # CONFIG_AD7476 is not set | ||
6147 | # CONFIG_AD7791 is not set | ||
6148 | # CONFIG_AD7793 is not set | ||
6149 | # CONFIG_AD7887 is not set | ||
6150 | # CONFIG_AD7923 is not set | ||
6151 | # CONFIG_AD799X is not set | ||
6152 | # CONFIG_HI8435 is not set | ||
6153 | # CONFIG_MAX1027 is not set | ||
6154 | # CONFIG_MAX1363 is not set | ||
6155 | # CONFIG_MCP320X is not set | ||
6156 | # CONFIG_MCP3422 is not set | ||
6157 | # CONFIG_NAU7802 is not set | ||
6158 | # CONFIG_TI_ADC081C is not set | ||
6159 | # CONFIG_TI_ADC128S052 is not set | ||
6160 | CONFIG_VIPERBOARD_ADC=m | ||
6161 | |||
6162 | # | ||
6163 | # Amplifiers | ||
6164 | # | ||
6165 | # CONFIG_AD8366 is not set | ||
6166 | |||
6167 | # | ||
6168 | # Chemical Sensors | ||
6169 | # | ||
6170 | # CONFIG_VZ89X is not set | ||
6171 | |||
6172 | # | ||
6173 | # Hid Sensor IIO Common | ||
6174 | # | ||
6175 | CONFIG_HID_SENSOR_IIO_COMMON=m | ||
6176 | CONFIG_HID_SENSOR_IIO_TRIGGER=m | ||
6177 | |||
6178 | # | ||
6179 | # SSP Sensor Common | ||
6180 | # | ||
6181 | # CONFIG_IIO_SSP_SENSORHUB is not set | ||
6182 | |||
6183 | # | ||
6184 | # Digital to analog converters | ||
6185 | # | ||
6186 | # CONFIG_AD5064 is not set | ||
6187 | # CONFIG_AD5360 is not set | ||
6188 | # CONFIG_AD5380 is not set | ||
6189 | # CONFIG_AD5421 is not set | ||
6190 | # CONFIG_AD5446 is not set | ||
6191 | # CONFIG_AD5449 is not set | ||
6192 | # CONFIG_AD5504 is not set | ||
6193 | # CONFIG_AD5624R_SPI is not set | ||
6194 | # CONFIG_AD5686 is not set | ||
6195 | # CONFIG_AD5755 is not set | ||
6196 | # CONFIG_AD5764 is not set | ||
6197 | # CONFIG_AD5791 is not set | ||
6198 | # CONFIG_AD7303 is not set | ||
6199 | # CONFIG_M62332 is not set | ||
6200 | # CONFIG_MAX517 is not set | ||
6201 | # CONFIG_MCP4725 is not set | ||
6202 | # CONFIG_MCP4922 is not set | ||
6203 | |||
6204 | # | ||
6205 | # Frequency Synthesizers DDS/PLL | ||
6206 | # | ||
6207 | |||
6208 | # | ||
6209 | # Clock Generator/Distribution | ||
6210 | # | ||
6211 | # CONFIG_AD9523 is not set | ||
6212 | |||
6213 | # | ||
6214 | # Phase-Locked Loop (PLL) frequency synthesizers | ||
6215 | # | ||
6216 | # CONFIG_ADF4350 is not set | ||
6217 | |||
6218 | # | ||
6219 | # Digital gyroscope sensors | ||
6220 | # | ||
6221 | # CONFIG_ADIS16080 is not set | ||
6222 | # CONFIG_ADIS16130 is not set | ||
6223 | # CONFIG_ADIS16136 is not set | ||
6224 | # CONFIG_ADIS16260 is not set | ||
6225 | # CONFIG_ADXRS450 is not set | ||
6226 | CONFIG_BMG160=m | ||
6227 | CONFIG_BMG160_I2C=m | ||
6228 | CONFIG_BMG160_SPI=m | ||
6229 | CONFIG_HID_SENSOR_GYRO_3D=m | ||
6230 | # CONFIG_IIO_ST_GYRO_3AXIS is not set | ||
6231 | # CONFIG_ITG3200 is not set | ||
6232 | |||
6233 | # | ||
6234 | # Humidity sensors | ||
6235 | # | ||
6236 | # CONFIG_DHT11 is not set | ||
6237 | # CONFIG_HDC100X is not set | ||
6238 | # CONFIG_HTU21 is not set | ||
6239 | # CONFIG_SI7005 is not set | ||
6240 | # CONFIG_SI7020 is not set | ||
6241 | |||
6242 | # | ||
6243 | # Inertial measurement units | ||
6244 | # | ||
6245 | # CONFIG_ADIS16400 is not set | ||
6246 | # CONFIG_ADIS16480 is not set | ||
6247 | CONFIG_KMX61=m | ||
6248 | CONFIG_INV_MPU6050_IIO=m | ||
6249 | |||
6250 | # | ||
6251 | # Light sensors | ||
6252 | # | ||
6253 | CONFIG_ACPI_ALS=m | ||
6254 | # CONFIG_ADJD_S311 is not set | ||
6255 | # CONFIG_AL3320A is not set | ||
6256 | # CONFIG_APDS9300 is not set | ||
6257 | # CONFIG_APDS9960 is not set | ||
6258 | # CONFIG_BH1750 is not set | ||
6259 | # CONFIG_CM32181 is not set | ||
6260 | # CONFIG_CM3232 is not set | ||
6261 | # CONFIG_CM3323 is not set | ||
6262 | # CONFIG_CM36651 is not set | ||
6263 | # CONFIG_GP2AP020A00F is not set | ||
6264 | # CONFIG_ISL29125 is not set | ||
6265 | CONFIG_HID_SENSOR_ALS=m | ||
6266 | CONFIG_HID_SENSOR_PROX=m | ||
6267 | CONFIG_JSA1212=m | ||
6268 | # CONFIG_RPR0521 is not set | ||
6269 | # CONFIG_LTR501 is not set | ||
6270 | # CONFIG_OPT3001 is not set | ||
6271 | # CONFIG_PA12203001 is not set | ||
6272 | # CONFIG_STK3310 is not set | ||
6273 | # CONFIG_TCS3414 is not set | ||
6274 | # CONFIG_TCS3472 is not set | ||
6275 | CONFIG_SENSORS_TSL2563=m | ||
6276 | # CONFIG_TSL4531 is not set | ||
6277 | # CONFIG_US5182D is not set | ||
6278 | # CONFIG_VCNL4000 is not set | ||
6279 | |||
6280 | # | ||
6281 | # Magnetometer sensors | ||
6282 | # | ||
6283 | CONFIG_AK8975=m | ||
6284 | # CONFIG_AK09911 is not set | ||
6285 | # CONFIG_BMC150_MAGN is not set | ||
6286 | # CONFIG_MAG3110 is not set | ||
6287 | CONFIG_HID_SENSOR_MAGNETOMETER_3D=m | ||
6288 | # CONFIG_MMC35240 is not set | ||
6289 | # CONFIG_IIO_ST_MAGN_3AXIS is not set | ||
6290 | |||
6291 | # | ||
6292 | # Inclinometer sensors | ||
6293 | # | ||
6294 | CONFIG_HID_SENSOR_INCLINOMETER_3D=m | ||
6295 | CONFIG_HID_SENSOR_DEVICE_ROTATION=m | ||
6296 | |||
6297 | # | ||
6298 | # Triggers - standalone | ||
6299 | # | ||
6300 | # CONFIG_IIO_INTERRUPT_TRIGGER is not set | ||
6301 | # CONFIG_IIO_SYSFS_TRIGGER is not set | ||
6302 | |||
6303 | # | ||
6304 | # Digital potentiometers | ||
6305 | # | ||
6306 | # CONFIG_MCP4531 is not set | ||
6307 | |||
6308 | # | ||
6309 | # Pressure sensors | ||
6310 | # | ||
6311 | CONFIG_BMP280=m | ||
6312 | CONFIG_HID_SENSOR_PRESS=m | ||
6313 | # CONFIG_MPL115 is not set | ||
6314 | # CONFIG_MPL3115 is not set | ||
6315 | # CONFIG_MS5611 is not set | ||
6316 | # CONFIG_MS5637 is not set | ||
6317 | # CONFIG_IIO_ST_PRESS is not set | ||
6318 | # CONFIG_T5403 is not set | ||
6319 | |||
6320 | # | ||
6321 | # Lightning sensors | ||
6322 | # | ||
6323 | # CONFIG_AS3935 is not set | ||
6324 | |||
6325 | # | ||
6326 | # Proximity sensors | ||
6327 | # | ||
6328 | # CONFIG_LIDAR_LITE_V2 is not set | ||
6329 | CONFIG_SX9500=m | ||
6330 | |||
6331 | # | ||
6332 | # Temperature sensors | ||
6333 | # | ||
6334 | # CONFIG_MLX90614 is not set | ||
6335 | # CONFIG_TMP006 is not set | ||
6336 | # CONFIG_TSYS01 is not set | ||
6337 | # CONFIG_TSYS02D is not set | ||
6338 | # CONFIG_NTB is not set | ||
6339 | # CONFIG_VME_BUS is not set | ||
6340 | # CONFIG_PWM is not set | ||
6341 | # CONFIG_IPACK_BUS is not set | ||
6342 | # CONFIG_RESET_CONTROLLER is not set | ||
6343 | # CONFIG_FMC is not set | ||
6344 | |||
6345 | # | ||
6346 | # PHY Subsystem | ||
6347 | # | ||
6348 | CONFIG_GENERIC_PHY=y | ||
6349 | # CONFIG_PHY_PXA_28NM_HSIC is not set | ||
6350 | # CONFIG_PHY_PXA_28NM_USB2 is not set | ||
6351 | # CONFIG_BCM_KONA_USB2_PHY is not set | ||
6352 | CONFIG_POWERCAP=y | ||
6353 | CONFIG_INTEL_RAPL=m | ||
6354 | # CONFIG_MCB is not set | ||
6355 | |||
6356 | # | ||
6357 | # Performance monitor support | ||
6358 | # | ||
6359 | CONFIG_RAS=y | ||
6360 | CONFIG_THUNDERBOLT=m | ||
6361 | |||
6362 | # | ||
6363 | # Android | ||
6364 | # | ||
6365 | # CONFIG_ANDROID is not set | ||
6366 | CONFIG_LIBNVDIMM=m | ||
6367 | CONFIG_BLK_DEV_PMEM=m | ||
6368 | CONFIG_ND_BLK=m | ||
6369 | CONFIG_ND_CLAIM=y | ||
6370 | CONFIG_ND_BTT=m | ||
6371 | CONFIG_BTT=y | ||
6372 | CONFIG_ND_PFN=m | ||
6373 | CONFIG_NVDIMM_PFN=y | ||
6374 | # CONFIG_NVMEM is not set | ||
6375 | # CONFIG_STM is not set | ||
6376 | # CONFIG_STM_DUMMY is not set | ||
6377 | # CONFIG_STM_SOURCE_CONSOLE is not set | ||
6378 | # CONFIG_INTEL_TH is not set | ||
6379 | |||
6380 | # | ||
6381 | # FPGA Configuration Support | ||
6382 | # | ||
6383 | # CONFIG_FPGA is not set | ||
6384 | |||
6385 | # | ||
6386 | # Firmware Drivers | ||
6387 | # | ||
6388 | CONFIG_EDD=m | ||
6389 | # CONFIG_EDD_OFF is not set | ||
6390 | CONFIG_FIRMWARE_MEMMAP=y | ||
6391 | CONFIG_DELL_RBU=m | ||
6392 | CONFIG_DCDBAS=m | ||
6393 | CONFIG_DMIID=y | ||
6394 | CONFIG_DMI_SYSFS=y | ||
6395 | CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y | ||
6396 | CONFIG_ISCSI_IBFT_FIND=y | ||
6397 | CONFIG_ISCSI_IBFT=m | ||
6398 | # CONFIG_GOOGLE_FIRMWARE is not set | ||
6399 | |||
6400 | # | ||
6401 | # EFI (Extensible Firmware Interface) Support | ||
6402 | # | ||
6403 | CONFIG_EFI_VARS=m | ||
6404 | CONFIG_EFI_ESRT=y | ||
6405 | CONFIG_EFI_VARS_PSTORE=m | ||
6406 | # CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set | ||
6407 | # CONFIG_EFI_FAKE_MEMMAP is not set | ||
6408 | CONFIG_EFI_RUNTIME_WRAPPERS=y | ||
6409 | CONFIG_UEFI_CPER=y | ||
6410 | |||
6411 | # | ||
6412 | # File systems | ||
6413 | # | ||
6414 | CONFIG_DCACHE_WORD_ACCESS=y | ||
6415 | # CONFIG_EXT2_FS is not set | ||
6416 | # CONFIG_EXT3_FS is not set | ||
6417 | CONFIG_EXT4_FS=m | ||
6418 | CONFIG_EXT4_USE_FOR_EXT2=y | ||
6419 | CONFIG_EXT4_FS_POSIX_ACL=y | ||
6420 | CONFIG_EXT4_FS_SECURITY=y | ||
6421 | CONFIG_EXT4_ENCRYPTION=m | ||
6422 | CONFIG_EXT4_FS_ENCRYPTION=y | ||
6423 | # CONFIG_EXT4_DEBUG is not set | ||
6424 | CONFIG_JBD2=m | ||
6425 | # CONFIG_JBD2_DEBUG is not set | ||
6426 | CONFIG_FS_MBCACHE=m | ||
6427 | CONFIG_REISERFS_FS=m | ||
6428 | # CONFIG_REISERFS_CHECK is not set | ||
6429 | # CONFIG_REISERFS_PROC_INFO is not set | ||
6430 | CONFIG_REISERFS_FS_XATTR=y | ||
6431 | CONFIG_REISERFS_FS_POSIX_ACL=y | ||
6432 | CONFIG_REISERFS_FS_SECURITY=y | ||
6433 | CONFIG_JFS_FS=m | ||
6434 | CONFIG_JFS_POSIX_ACL=y | ||
6435 | CONFIG_JFS_SECURITY=y | ||
6436 | # CONFIG_JFS_DEBUG is not set | ||
6437 | # CONFIG_JFS_STATISTICS is not set | ||
6438 | CONFIG_XFS_FS=m | ||
6439 | CONFIG_XFS_QUOTA=y | ||
6440 | CONFIG_XFS_POSIX_ACL=y | ||
6441 | CONFIG_XFS_RT=y | ||
6442 | # CONFIG_XFS_WARN is not set | ||
6443 | # CONFIG_XFS_DEBUG is not set | ||
6444 | CONFIG_GFS2_FS=m | ||
6445 | CONFIG_GFS2_FS_LOCKING_DLM=y | ||
6446 | CONFIG_OCFS2_FS=m | ||
6447 | CONFIG_OCFS2_FS_O2CB=m | ||
6448 | CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m | ||
6449 | CONFIG_OCFS2_DEBUG_MASKLOG=y | ||
6450 | # CONFIG_OCFS2_DEBUG_FS is not set | ||
6451 | CONFIG_BTRFS_FS=m | ||
6452 | CONFIG_BTRFS_FS_POSIX_ACL=y | ||
6453 | # CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set | ||
6454 | # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set | ||
6455 | # CONFIG_BTRFS_DEBUG is not set | ||
6456 | # CONFIG_BTRFS_ASSERT is not set | ||
6457 | CONFIG_NILFS2_FS=m | ||
6458 | CONFIG_F2FS_FS=m | ||
6459 | CONFIG_F2FS_FS_XATTR=y | ||
6460 | CONFIG_F2FS_FS_POSIX_ACL=y | ||
6461 | CONFIG_F2FS_FS_SECURITY=y | ||
6462 | # CONFIG_F2FS_CHECK_FS is not set | ||
6463 | CONFIG_F2FS_FS_ENCRYPTION=y | ||
6464 | CONFIG_FS_DAX=y | ||
6465 | CONFIG_FS_POSIX_ACL=y | ||
6466 | CONFIG_EXPORTFS=y | ||
6467 | CONFIG_FILE_LOCKING=y | ||
6468 | CONFIG_FSNOTIFY=y | ||
6469 | CONFIG_DNOTIFY=y | ||
6470 | CONFIG_INOTIFY_USER=y | ||
6471 | CONFIG_FANOTIFY=y | ||
6472 | # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set | ||
6473 | CONFIG_QUOTA=y | ||
6474 | CONFIG_QUOTA_NETLINK_INTERFACE=y | ||
6475 | CONFIG_PRINT_QUOTA_WARNING=y | ||
6476 | # CONFIG_QUOTA_DEBUG is not set | ||
6477 | CONFIG_QUOTA_TREE=m | ||
6478 | CONFIG_QFMT_V1=m | ||
6479 | CONFIG_QFMT_V2=m | ||
6480 | CONFIG_QUOTACTL=y | ||
6481 | CONFIG_QUOTACTL_COMPAT=y | ||
6482 | CONFIG_AUTOFS4_FS=m | ||
6483 | CONFIG_FUSE_FS=m | ||
6484 | CONFIG_CUSE=m | ||
6485 | CONFIG_OVERLAY_FS=m | ||
6486 | |||
6487 | # | ||
6488 | # Caches | ||
6489 | # | ||
6490 | CONFIG_FSCACHE=m | ||
6491 | CONFIG_FSCACHE_STATS=y | ||
6492 | # CONFIG_FSCACHE_HISTOGRAM is not set | ||
6493 | # CONFIG_FSCACHE_DEBUG is not set | ||
6494 | # CONFIG_FSCACHE_OBJECT_LIST is not set | ||
6495 | CONFIG_CACHEFILES=m | ||
6496 | # CONFIG_CACHEFILES_DEBUG is not set | ||
6497 | # CONFIG_CACHEFILES_HISTOGRAM is not set | ||
6498 | |||
6499 | # | ||
6500 | # CD-ROM/DVD Filesystems | ||
6501 | # | ||
6502 | CONFIG_ISO9660_FS=m | ||
6503 | CONFIG_JOLIET=y | ||
6504 | CONFIG_ZISOFS=y | ||
6505 | CONFIG_UDF_FS=m | ||
6506 | CONFIG_UDF_NLS=y | ||
6507 | |||
6508 | # | ||
6509 | # DOS/FAT/NT Filesystems | ||
6510 | # | ||
6511 | CONFIG_FAT_FS=m | ||
6512 | CONFIG_MSDOS_FS=m | ||
6513 | CONFIG_VFAT_FS=m | ||
6514 | CONFIG_FAT_DEFAULT_CODEPAGE=437 | ||
6515 | CONFIG_FAT_DEFAULT_IOCHARSET="utf8" | ||
6516 | CONFIG_NTFS_FS=m | ||
6517 | # CONFIG_NTFS_DEBUG is not set | ||
6518 | CONFIG_NTFS_RW=y | ||
6519 | |||
6520 | # | ||
6521 | # Pseudo filesystems | ||
6522 | # | ||
6523 | CONFIG_PROC_FS=y | ||
6524 | CONFIG_PROC_SYSCTL=y | ||
6525 | # CONFIG_PROC_CHILDREN is not set | ||
6526 | CONFIG_KERNFS=y | ||
6527 | CONFIG_SYSFS=y | ||
6528 | CONFIG_TMPFS=y | ||
6529 | CONFIG_TMPFS_POSIX_ACL=y | ||
6530 | CONFIG_TMPFS_XATTR=y | ||
6531 | CONFIG_HUGETLBFS=y | ||
6532 | CONFIG_HUGETLB_PAGE=y | ||
6533 | CONFIG_CONFIGFS_FS=m | ||
6534 | CONFIG_EFIVAR_FS=m | ||
6535 | CONFIG_MISC_FILESYSTEMS=y | ||
6536 | CONFIG_ADFS_FS=m | ||
6537 | # CONFIG_ADFS_FS_RW is not set | ||
6538 | CONFIG_AFFS_FS=m | ||
6539 | CONFIG_ECRYPT_FS=m | ||
6540 | CONFIG_ECRYPT_FS_MESSAGING=y | ||
6541 | CONFIG_HFS_FS=m | ||
6542 | CONFIG_HFSPLUS_FS=m | ||
6543 | # CONFIG_HFSPLUS_FS_POSIX_ACL is not set | ||
6544 | CONFIG_BEFS_FS=m | ||
6545 | # CONFIG_BEFS_DEBUG is not set | ||
6546 | CONFIG_BFS_FS=m | ||
6547 | CONFIG_EFS_FS=m | ||
6548 | CONFIG_JFFS2_FS=m | ||
6549 | CONFIG_JFFS2_FS_DEBUG=0 | ||
6550 | CONFIG_JFFS2_FS_WRITEBUFFER=y | ||
6551 | # CONFIG_JFFS2_FS_WBUF_VERIFY is not set | ||
6552 | CONFIG_JFFS2_SUMMARY=y | ||
6553 | CONFIG_JFFS2_FS_XATTR=y | ||
6554 | CONFIG_JFFS2_FS_POSIX_ACL=y | ||
6555 | CONFIG_JFFS2_FS_SECURITY=y | ||
6556 | CONFIG_JFFS2_COMPRESSION_OPTIONS=y | ||
6557 | CONFIG_JFFS2_ZLIB=y | ||
6558 | CONFIG_JFFS2_LZO=y | ||
6559 | CONFIG_JFFS2_RTIME=y | ||
6560 | # CONFIG_JFFS2_RUBIN is not set | ||
6561 | # CONFIG_JFFS2_CMODE_NONE is not set | ||
6562 | CONFIG_JFFS2_CMODE_PRIORITY=y | ||
6563 | # CONFIG_JFFS2_CMODE_SIZE is not set | ||
6564 | # CONFIG_JFFS2_CMODE_FAVOURLZO is not set | ||
6565 | CONFIG_UBIFS_FS=m | ||
6566 | CONFIG_UBIFS_FS_ADVANCED_COMPR=y | ||
6567 | CONFIG_UBIFS_FS_LZO=y | ||
6568 | CONFIG_UBIFS_FS_ZLIB=y | ||
6569 | # CONFIG_UBIFS_ATIME_SUPPORT is not set | ||
6570 | CONFIG_LOGFS=m | ||
6571 | # CONFIG_CRAMFS is not set | ||
6572 | CONFIG_SQUASHFS=m | ||
6573 | CONFIG_SQUASHFS_FILE_CACHE=y | ||
6574 | # CONFIG_SQUASHFS_FILE_DIRECT is not set | ||
6575 | CONFIG_SQUASHFS_DECOMP_SINGLE=y | ||
6576 | # CONFIG_SQUASHFS_DECOMP_MULTI is not set | ||
6577 | # CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set | ||
6578 | CONFIG_SQUASHFS_XATTR=y | ||
6579 | CONFIG_SQUASHFS_ZLIB=y | ||
6580 | # CONFIG_SQUASHFS_LZ4 is not set | ||
6581 | CONFIG_SQUASHFS_LZO=y | ||
6582 | CONFIG_SQUASHFS_XZ=y | ||
6583 | # CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set | ||
6584 | # CONFIG_SQUASHFS_EMBEDDED is not set | ||
6585 | CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 | ||
6586 | CONFIG_VXFS_FS=m | ||
6587 | CONFIG_MINIX_FS=m | ||
6588 | CONFIG_OMFS_FS=m | ||
6589 | # CONFIG_HPFS_FS is not set | ||
6590 | CONFIG_QNX4FS_FS=m | ||
6591 | CONFIG_QNX6FS_FS=m | ||
6592 | # CONFIG_QNX6FS_DEBUG is not set | ||
6593 | CONFIG_ROMFS_FS=m | ||
6594 | # CONFIG_ROMFS_BACKED_BY_BLOCK is not set | ||
6595 | # CONFIG_ROMFS_BACKED_BY_MTD is not set | ||
6596 | CONFIG_ROMFS_BACKED_BY_BOTH=y | ||
6597 | CONFIG_ROMFS_ON_BLOCK=y | ||
6598 | CONFIG_ROMFS_ON_MTD=y | ||
6599 | CONFIG_PSTORE=y | ||
6600 | # CONFIG_PSTORE_CONSOLE is not set | ||
6601 | # CONFIG_PSTORE_PMSG is not set | ||
6602 | CONFIG_PSTORE_RAM=m | ||
6603 | CONFIG_SYSV_FS=m | ||
6604 | CONFIG_UFS_FS=m | ||
6605 | # CONFIG_UFS_FS_WRITE is not set | ||
6606 | # CONFIG_UFS_DEBUG is not set | ||
6607 | CONFIG_EXOFS_FS=m | ||
6608 | # CONFIG_EXOFS_DEBUG is not set | ||
6609 | CONFIG_ORE=m | ||
6610 | CONFIG_NETWORK_FILESYSTEMS=y | ||
6611 | CONFIG_NFS_FS=m | ||
6612 | CONFIG_NFS_V2=m | ||
6613 | CONFIG_NFS_V3=m | ||
6614 | CONFIG_NFS_V3_ACL=y | ||
6615 | CONFIG_NFS_V4=m | ||
6616 | CONFIG_NFS_SWAP=y | ||
6617 | CONFIG_NFS_V4_1=y | ||
6618 | CONFIG_NFS_V4_2=y | ||
6619 | CONFIG_PNFS_FILE_LAYOUT=m | ||
6620 | CONFIG_PNFS_BLOCK=m | ||
6621 | CONFIG_PNFS_OBJLAYOUT=m | ||
6622 | CONFIG_PNFS_FLEXFILE_LAYOUT=m | ||
6623 | CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" | ||
6624 | # CONFIG_NFS_V4_1_MIGRATION is not set | ||
6625 | CONFIG_NFS_V4_SECURITY_LABEL=y | ||
6626 | CONFIG_NFS_FSCACHE=y | ||
6627 | # CONFIG_NFS_USE_LEGACY_DNS is not set | ||
6628 | CONFIG_NFS_USE_KERNEL_DNS=y | ||
6629 | CONFIG_NFSD=m | ||
6630 | CONFIG_NFSD_V2_ACL=y | ||
6631 | CONFIG_NFSD_V3=y | ||
6632 | CONFIG_NFSD_V3_ACL=y | ||
6633 | CONFIG_NFSD_V4=y | ||
6634 | CONFIG_NFSD_PNFS=y | ||
6635 | CONFIG_NFSD_V4_SECURITY_LABEL=y | ||
6636 | CONFIG_GRACE_PERIOD=m | ||
6637 | CONFIG_LOCKD=m | ||
6638 | CONFIG_LOCKD_V4=y | ||
6639 | CONFIG_NFS_ACL_SUPPORT=m | ||
6640 | CONFIG_NFS_COMMON=y | ||
6641 | CONFIG_SUNRPC=m | ||
6642 | CONFIG_SUNRPC_GSS=m | ||
6643 | CONFIG_SUNRPC_BACKCHANNEL=y | ||
6644 | CONFIG_SUNRPC_SWAP=y | ||
6645 | CONFIG_RPCSEC_GSS_KRB5=m | ||
6646 | CONFIG_SUNRPC_XPRT_RDMA=m | ||
6647 | CONFIG_CEPH_FS=m | ||
6648 | CONFIG_CEPH_FSCACHE=y | ||
6649 | CONFIG_CEPH_FS_POSIX_ACL=y | ||
6650 | CONFIG_CIFS=m | ||
6651 | # CONFIG_CIFS_STATS is not set | ||
6652 | CONFIG_CIFS_WEAK_PW_HASH=y | ||
6653 | CONFIG_CIFS_UPCALL=y | ||
6654 | CONFIG_CIFS_XATTR=y | ||
6655 | CONFIG_CIFS_POSIX=y | ||
6656 | CONFIG_CIFS_ACL=y | ||
6657 | CONFIG_CIFS_DEBUG=y | ||
6658 | # CONFIG_CIFS_DEBUG2 is not set | ||
6659 | CONFIG_CIFS_DFS_UPCALL=y | ||
6660 | CONFIG_CIFS_SMB2=y | ||
6661 | # CONFIG_CIFS_SMB311 is not set | ||
6662 | CONFIG_CIFS_FSCACHE=y | ||
6663 | CONFIG_NCP_FS=m | ||
6664 | CONFIG_NCPFS_PACKET_SIGNING=y | ||
6665 | CONFIG_NCPFS_IOCTL_LOCKING=y | ||
6666 | CONFIG_NCPFS_STRONG=y | ||
6667 | CONFIG_NCPFS_NFS_NS=y | ||
6668 | CONFIG_NCPFS_OS2_NS=y | ||
6669 | # CONFIG_NCPFS_SMALLDOS is not set | ||
6670 | CONFIG_NCPFS_NLS=y | ||
6671 | CONFIG_NCPFS_EXTRAS=y | ||
6672 | CONFIG_CODA_FS=m | ||
6673 | CONFIG_AFS_FS=m | ||
6674 | # CONFIG_AFS_DEBUG is not set | ||
6675 | CONFIG_AFS_FSCACHE=y | ||
6676 | CONFIG_9P_FS=m | ||
6677 | CONFIG_9P_FSCACHE=y | ||
6678 | CONFIG_9P_FS_POSIX_ACL=y | ||
6679 | CONFIG_9P_FS_SECURITY=y | ||
6680 | CONFIG_NLS=y | ||
6681 | CONFIG_NLS_DEFAULT="utf8" | ||
6682 | CONFIG_NLS_CODEPAGE_437=m | ||
6683 | CONFIG_NLS_CODEPAGE_737=m | ||
6684 | CONFIG_NLS_CODEPAGE_775=m | ||
6685 | CONFIG_NLS_CODEPAGE_850=m | ||
6686 | CONFIG_NLS_CODEPAGE_852=m | ||
6687 | CONFIG_NLS_CODEPAGE_855=m | ||
6688 | CONFIG_NLS_CODEPAGE_857=m | ||
6689 | CONFIG_NLS_CODEPAGE_860=m | ||
6690 | CONFIG_NLS_CODEPAGE_861=m | ||
6691 | CONFIG_NLS_CODEPAGE_862=m | ||
6692 | CONFIG_NLS_CODEPAGE_863=m | ||
6693 | CONFIG_NLS_CODEPAGE_864=m | ||
6694 | CONFIG_NLS_CODEPAGE_865=m | ||
6695 | CONFIG_NLS_CODEPAGE_866=m | ||
6696 | CONFIG_NLS_CODEPAGE_869=m | ||
6697 | CONFIG_NLS_CODEPAGE_936=m | ||
6698 | CONFIG_NLS_CODEPAGE_950=m | ||
6699 | CONFIG_NLS_CODEPAGE_932=m | ||
6700 | CONFIG_NLS_CODEPAGE_949=m | ||
6701 | CONFIG_NLS_CODEPAGE_874=m | ||
6702 | CONFIG_NLS_ISO8859_8=m | ||
6703 | CONFIG_NLS_CODEPAGE_1250=m | ||
6704 | CONFIG_NLS_CODEPAGE_1251=m | ||
6705 | CONFIG_NLS_ASCII=m | ||
6706 | CONFIG_NLS_ISO8859_1=m | ||
6707 | CONFIG_NLS_ISO8859_2=m | ||
6708 | CONFIG_NLS_ISO8859_3=m | ||
6709 | CONFIG_NLS_ISO8859_4=m | ||
6710 | CONFIG_NLS_ISO8859_5=m | ||
6711 | CONFIG_NLS_ISO8859_6=m | ||
6712 | CONFIG_NLS_ISO8859_7=m | ||
6713 | CONFIG_NLS_ISO8859_9=m | ||
6714 | CONFIG_NLS_ISO8859_13=m | ||
6715 | CONFIG_NLS_ISO8859_14=m | ||
6716 | CONFIG_NLS_ISO8859_15=m | ||
6717 | CONFIG_NLS_KOI8_R=m | ||
6718 | CONFIG_NLS_KOI8_U=m | ||
6719 | CONFIG_NLS_MAC_ROMAN=m | ||
6720 | CONFIG_NLS_MAC_CELTIC=m | ||
6721 | CONFIG_NLS_MAC_CENTEURO=m | ||
6722 | CONFIG_NLS_MAC_CROATIAN=m | ||
6723 | CONFIG_NLS_MAC_CYRILLIC=m | ||
6724 | CONFIG_NLS_MAC_GAELIC=m | ||
6725 | CONFIG_NLS_MAC_GREEK=m | ||
6726 | CONFIG_NLS_MAC_ICELAND=m | ||
6727 | CONFIG_NLS_MAC_INUIT=m | ||
6728 | CONFIG_NLS_MAC_ROMANIAN=m | ||
6729 | CONFIG_NLS_MAC_TURKISH=m | ||
6730 | CONFIG_NLS_UTF8=m | ||
6731 | CONFIG_DLM=m | ||
6732 | CONFIG_DLM_DEBUG=y | ||
6733 | |||
6734 | # | ||
6735 | # Kernel hacking | ||
6736 | # | ||
6737 | CONFIG_TRACE_IRQFLAGS_SUPPORT=y | ||
6738 | |||
6739 | # | ||
6740 | # printk and dmesg options | ||
6741 | # | ||
6742 | CONFIG_PRINTK_TIME=y | ||
6743 | CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 | ||
6744 | CONFIG_BOOT_PRINTK_DELAY=y | ||
6745 | |||
6746 | # | ||
6747 | # Compile-time checks and compiler options | ||
6748 | # | ||
6749 | # CONFIG_DEBUG_INFO is not set | ||
6750 | CONFIG_ENABLE_WARN_DEPRECATED=y | ||
6751 | CONFIG_ENABLE_MUST_CHECK=y | ||
6752 | CONFIG_FRAME_WARN=2048 | ||
6753 | CONFIG_STRIP_ASM_SYMS=y | ||
6754 | # CONFIG_READABLE_ASM is not set | ||
6755 | CONFIG_UNUSED_SYMBOLS=y | ||
6756 | # CONFIG_HEADERS_CHECK is not set | ||
6757 | # CONFIG_DEBUG_SECTION_MISMATCH is not set | ||
6758 | CONFIG_SECTION_MISMATCH_WARN_ONLY=y | ||
6759 | CONFIG_ARCH_WANT_FRAME_POINTERS=y | ||
6760 | # CONFIG_FRAME_POINTER is not set | ||
6761 | # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set | ||
6762 | CONFIG_MAGIC_SYSRQ=y | ||
6763 | CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6 | ||
6764 | CONFIG_DEBUG_KERNEL=y | ||
6765 | |||
6766 | # | ||
6767 | # Memory Debugging | ||
6768 | # | ||
6769 | # CONFIG_PAGE_EXTENSION is not set | ||
6770 | # CONFIG_DEBUG_OBJECTS is not set | ||
6771 | # CONFIG_DEBUG_SLAB is not set | ||
6772 | CONFIG_HAVE_DEBUG_KMEMLEAK=y | ||
6773 | # CONFIG_DEBUG_STACK_USAGE is not set | ||
6774 | # CONFIG_DEBUG_VM is not set | ||
6775 | # CONFIG_DEBUG_VIRTUAL is not set | ||
6776 | CONFIG_DEBUG_MEMORY_INIT=y | ||
6777 | # CONFIG_DEBUG_PER_CPU_MAPS is not set | ||
6778 | CONFIG_HAVE_DEBUG_STACKOVERFLOW=y | ||
6779 | # CONFIG_DEBUG_STACKOVERFLOW is not set | ||
6780 | CONFIG_HAVE_ARCH_KMEMCHECK=y | ||
6781 | # CONFIG_KMEMCHECK is not set | ||
6782 | CONFIG_HAVE_ARCH_KASAN=y | ||
6783 | # CONFIG_DEBUG_SHIRQ is not set | ||
6784 | |||
6785 | # | ||
6786 | # Debug Lockups and Hangs | ||
6787 | # | ||
6788 | CONFIG_LOCKUP_DETECTOR=y | ||
6789 | CONFIG_HARDLOCKUP_DETECTOR=y | ||
6790 | # CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set | ||
6791 | CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0 | ||
6792 | # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set | ||
6793 | CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0 | ||
6794 | CONFIG_DETECT_HUNG_TASK=y | ||
6795 | CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 | ||
6796 | # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set | ||
6797 | CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 | ||
6798 | # CONFIG_PANIC_ON_OOPS is not set | ||
6799 | CONFIG_PANIC_ON_OOPS_VALUE=0 | ||
6800 | CONFIG_PANIC_TIMEOUT=0 | ||
6801 | CONFIG_SCHED_DEBUG=y | ||
6802 | CONFIG_SCHED_INFO=y | ||
6803 | # CONFIG_SCHEDSTATS is not set | ||
6804 | CONFIG_SCHED_STACK_END_CHECK=y | ||
6805 | # CONFIG_DEBUG_TIMEKEEPING is not set | ||
6806 | CONFIG_TIMER_STATS=y | ||
6807 | |||
6808 | # | ||
6809 | # Lock Debugging (spinlocks, mutexes, etc...) | ||
6810 | # | ||
6811 | # CONFIG_DEBUG_RT_MUTEXES is not set | ||
6812 | # CONFIG_DEBUG_SPINLOCK is not set | ||
6813 | # CONFIG_DEBUG_MUTEXES is not set | ||
6814 | # CONFIG_DEBUG_ATOMIC_SLEEP is not set | ||
6815 | # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set | ||
6816 | # CONFIG_LOCK_TORTURE_TEST is not set | ||
6817 | # CONFIG_STACKTRACE is not set | ||
6818 | # CONFIG_DEBUG_KOBJECT is not set | ||
6819 | CONFIG_DEBUG_BUGVERBOSE=y | ||
6820 | CONFIG_DEBUG_LIST=y | ||
6821 | # CONFIG_DEBUG_PI_LIST is not set | ||
6822 | # CONFIG_DEBUG_SG is not set | ||
6823 | # CONFIG_DEBUG_NOTIFIERS is not set | ||
6824 | # CONFIG_DEBUG_CREDENTIALS is not set | ||
6825 | |||
6826 | # | ||
6827 | # RCU Debugging | ||
6828 | # | ||
6829 | # CONFIG_PROVE_RCU is not set | ||
6830 | # CONFIG_SPARSE_RCU_POINTER is not set | ||
6831 | # CONFIG_TORTURE_TEST is not set | ||
6832 | # CONFIG_RCU_TORTURE_TEST is not set | ||
6833 | CONFIG_RCU_CPU_STALL_TIMEOUT=21 | ||
6834 | # CONFIG_RCU_TRACE is not set | ||
6835 | # CONFIG_RCU_EQS_DEBUG is not set | ||
6836 | # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set | ||
6837 | # CONFIG_FAULT_INJECTION is not set | ||
6838 | CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y | ||
6839 | CONFIG_USER_STACKTRACE_SUPPORT=y | ||
6840 | CONFIG_HAVE_FUNCTION_TRACER=y | ||
6841 | CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y | ||
6842 | CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y | ||
6843 | CONFIG_HAVE_DYNAMIC_FTRACE=y | ||
6844 | CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y | ||
6845 | CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y | ||
6846 | CONFIG_HAVE_SYSCALL_TRACEPOINTS=y | ||
6847 | CONFIG_HAVE_FENTRY=y | ||
6848 | CONFIG_HAVE_C_RECORDMCOUNT=y | ||
6849 | CONFIG_TRACE_CLOCK=y | ||
6850 | CONFIG_RING_BUFFER=y | ||
6851 | CONFIG_RING_BUFFER_ALLOW_SWAP=y | ||
6852 | |||
6853 | # | ||
6854 | # Runtime Testing | ||
6855 | # | ||
6856 | # CONFIG_TEST_LIST_SORT is not set | ||
6857 | # CONFIG_KPROBES_SANITY_TEST is not set | ||
6858 | # CONFIG_BACKTRACE_SELF_TEST is not set | ||
6859 | # CONFIG_RBTREE_TEST is not set | ||
6860 | # CONFIG_INTERVAL_TREE_TEST is not set | ||
6861 | # CONFIG_PERCPU_TEST is not set | ||
6862 | # CONFIG_ATOMIC64_SELFTEST is not set | ||
6863 | # CONFIG_ASYNC_RAID6_TEST is not set | ||
6864 | # CONFIG_TEST_HEXDUMP is not set | ||
6865 | # CONFIG_TEST_STRING_HELPERS is not set | ||
6866 | # CONFIG_TEST_KSTRTOX is not set | ||
6867 | # CONFIG_TEST_PRINTF is not set | ||
6868 | # CONFIG_TEST_RHASHTABLE is not set | ||
6869 | # CONFIG_DMA_API_DEBUG is not set | ||
6870 | # CONFIG_TEST_LKM is not set | ||
6871 | CONFIG_TEST_USER_COPY=m | ||
6872 | CONFIG_TEST_BPF=m | ||
6873 | CONFIG_TEST_FIRMWARE=m | ||
6874 | # CONFIG_TEST_UDELAY is not set | ||
6875 | CONFIG_MEMTEST=y | ||
6876 | CONFIG_TEST_STATIC_KEYS=m | ||
6877 | # CONFIG_SAMPLES is not set | ||
6878 | CONFIG_HAVE_ARCH_KGDB=y | ||
6879 | # CONFIG_KGDB is not set | ||
6880 | CONFIG_STRICT_DEVMEM=y | ||
6881 | # CONFIG_X86_VERBOSE_BOOTUP is not set | ||
6882 | CONFIG_EARLY_PRINTK=y | ||
6883 | # CONFIG_EARLY_PRINTK_DBGP is not set | ||
6884 | CONFIG_EARLY_PRINTK_EFI=y | ||
6885 | # CONFIG_X86_PTDUMP_CORE is not set | ||
6886 | # CONFIG_EFI_PGT_DUMP is not set | ||
6887 | # CONFIG_DEBUG_NX_TEST is not set | ||
6888 | CONFIG_DOUBLEFAULT=y | ||
6889 | # CONFIG_DEBUG_TLBFLUSH is not set | ||
6890 | # CONFIG_IOMMU_DEBUG is not set | ||
6891 | # CONFIG_IOMMU_STRESS is not set | ||
6892 | CONFIG_HAVE_MMIOTRACE_SUPPORT=y | ||
6893 | # CONFIG_X86_DECODER_SELFTEST is not set | ||
6894 | CONFIG_IO_DELAY_TYPE_0X80=0 | ||
6895 | CONFIG_IO_DELAY_TYPE_0XED=1 | ||
6896 | CONFIG_IO_DELAY_TYPE_UDELAY=2 | ||
6897 | CONFIG_IO_DELAY_TYPE_NONE=3 | ||
6898 | CONFIG_IO_DELAY_0X80=y | ||
6899 | # CONFIG_IO_DELAY_0XED is not set | ||
6900 | # CONFIG_IO_DELAY_UDELAY is not set | ||
6901 | # CONFIG_IO_DELAY_NONE is not set | ||
6902 | CONFIG_DEFAULT_IO_DELAY_TYPE=0 | ||
6903 | # CONFIG_CPA_DEBUG is not set | ||
6904 | CONFIG_OPTIMIZE_INLINING=y | ||
6905 | # CONFIG_DEBUG_ENTRY is not set | ||
6906 | # CONFIG_DEBUG_NMI_SELFTEST is not set | ||
6907 | # CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set | ||
6908 | CONFIG_X86_DEBUG_FPU=y | ||
6909 | |||
6910 | # | ||
6911 | # Security options | ||
6912 | # | ||
6913 | |||
6914 | # | ||
6915 | # Grsecurity | ||
6916 | # | ||
6917 | CONFIG_PAX_KERNEXEC_PLUGIN=y | ||
6918 | CONFIG_PAX_PER_CPU_PGD=y | ||
6919 | CONFIG_TASK_SIZE_MAX_SHIFT=42 | ||
6920 | CONFIG_PAX_USERCOPY_SLABS=y | ||
6921 | CONFIG_GRKERNSEC=y | ||
6922 | # CONFIG_GRKERNSEC_CONFIG_AUTO is not set | ||
6923 | CONFIG_GRKERNSEC_CONFIG_CUSTOM=y | ||
6924 | CONFIG_GRKERNSEC_TPE_TRUSTED_GID=64040 | ||
6925 | CONFIG_GRKERNSEC_SYMLINKOWN_GID=33 | ||
6926 | |||
6927 | # | ||
6928 | # Customize Configuration | ||
6929 | # | ||
6930 | |||
6931 | # | ||
6932 | # PaX | ||
6933 | # | ||
6934 | CONFIG_PAX=y | ||
6935 | |||
6936 | # | ||
6937 | # PaX Control | ||
6938 | # | ||
6939 | CONFIG_PAX_SOFTMODE=y | ||
6940 | CONFIG_PAX_EI_PAX=y | ||
6941 | CONFIG_PAX_PT_PAX_FLAGS=y | ||
6942 | CONFIG_PAX_XATTR_PAX_FLAGS=y | ||
6943 | # CONFIG_PAX_NO_ACL_FLAGS is not set | ||
6944 | CONFIG_PAX_HAVE_ACL_FLAGS=y | ||
6945 | # CONFIG_PAX_HOOK_ACL_FLAGS is not set | ||
6946 | |||
6947 | # | ||
6948 | # Non-executable pages | ||
6949 | # | ||
6950 | CONFIG_PAX_NOEXEC=y | ||
6951 | CONFIG_PAX_PAGEEXEC=y | ||
6952 | CONFIG_PAX_EMUTRAMP=y | ||
6953 | CONFIG_PAX_MPROTECT=y | ||
6954 | # CONFIG_PAX_MPROTECT_COMPAT is not set | ||
6955 | # CONFIG_PAX_ELFRELOCS is not set | ||
6956 | CONFIG_PAX_KERNEXEC=y | ||
6957 | CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y | ||
6958 | CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts" | ||
6959 | |||
6960 | # | ||
6961 | # Address Space Layout Randomization | ||
6962 | # | ||
6963 | CONFIG_PAX_ASLR=y | ||
6964 | CONFIG_PAX_RANDKSTACK=y | ||
6965 | CONFIG_PAX_RANDUSTACK=y | ||
6966 | CONFIG_PAX_RANDMMAP=y | ||
6967 | |||
6968 | # | ||
6969 | # Miscellaneous hardening features | ||
6970 | # | ||
6971 | CONFIG_PAX_MEMORY_SANITIZE=y | ||
6972 | CONFIG_PAX_MEMORY_STACKLEAK=y | ||
6973 | CONFIG_PAX_MEMORY_STRUCTLEAK=y | ||
6974 | CONFIG_PAX_MEMORY_UDEREF=y | ||
6975 | CONFIG_PAX_REFCOUNT=y | ||
6976 | CONFIG_PAX_CONSTIFY_PLUGIN=y | ||
6977 | CONFIG_PAX_USERCOPY=y | ||
6978 | # CONFIG_PAX_USERCOPY_DEBUG is not set | ||
6979 | CONFIG_PAX_SIZE_OVERFLOW=y | ||
6980 | CONFIG_PAX_LATENT_ENTROPY=y | ||
6981 | |||
6982 | # | ||
6983 | # Memory Protections | ||
6984 | # | ||
6985 | CONFIG_GRKERNSEC_KMEM=y | ||
6986 | CONFIG_GRKERNSEC_IO=y | ||
6987 | CONFIG_GRKERNSEC_BPF_HARDEN=y | ||
6988 | CONFIG_GRKERNSEC_PERF_HARDEN=y | ||
6989 | CONFIG_GRKERNSEC_RAND_THREADSTACK=y | ||
6990 | CONFIG_GRKERNSEC_PROC_MEMMAP=y | ||
6991 | CONFIG_GRKERNSEC_KSTACKOVERFLOW=y | ||
6992 | CONFIG_GRKERNSEC_BRUTE=y | ||
6993 | CONFIG_GRKERNSEC_MODHARDEN=y | ||
6994 | CONFIG_GRKERNSEC_HIDESYM=y | ||
6995 | CONFIG_GRKERNSEC_RANDSTRUCT=y | ||
6996 | CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y | ||
6997 | CONFIG_GRKERNSEC_KERN_LOCKOUT=y | ||
6998 | |||
6999 | # | ||
7000 | # Role Based Access Control Options | ||
7001 | # | ||
7002 | # CONFIG_GRKERNSEC_NO_RBAC is not set | ||
7003 | CONFIG_GRKERNSEC_ACL_HIDEKERN=y | ||
7004 | CONFIG_GRKERNSEC_ACL_MAXTRIES=3 | ||
7005 | CONFIG_GRKERNSEC_ACL_TIMEOUT=30 | ||
7006 | |||
7007 | # | ||
7008 | # Filesystem Protections | ||
7009 | # | ||
7010 | CONFIG_GRKERNSEC_PROC=y | ||
7011 | CONFIG_GRKERNSEC_PROC_USER=y | ||
7012 | CONFIG_GRKERNSEC_PROC_ADD=y | ||
7013 | CONFIG_GRKERNSEC_LINK=y | ||
7014 | CONFIG_GRKERNSEC_SYMLINKOWN=y | ||
7015 | CONFIG_GRKERNSEC_FIFO=y | ||
7016 | # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set | ||
7017 | CONFIG_GRKERNSEC_ROFS=y | ||
7018 | CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y | ||
7019 | CONFIG_GRKERNSEC_CHROOT=y | ||
7020 | CONFIG_GRKERNSEC_CHROOT_MOUNT=y | ||
7021 | CONFIG_GRKERNSEC_CHROOT_DOUBLE=y | ||
7022 | CONFIG_GRKERNSEC_CHROOT_PIVOT=y | ||
7023 | CONFIG_GRKERNSEC_CHROOT_CHDIR=y | ||
7024 | CONFIG_GRKERNSEC_CHROOT_CHMOD=y | ||
7025 | CONFIG_GRKERNSEC_CHROOT_FCHDIR=y | ||
7026 | CONFIG_GRKERNSEC_CHROOT_MKNOD=y | ||
7027 | CONFIG_GRKERNSEC_CHROOT_SHMAT=y | ||
7028 | CONFIG_GRKERNSEC_CHROOT_UNIX=y | ||
7029 | CONFIG_GRKERNSEC_CHROOT_FINDTASK=y | ||
7030 | CONFIG_GRKERNSEC_CHROOT_NICE=y | ||
7031 | CONFIG_GRKERNSEC_CHROOT_SYSCTL=y | ||
7032 | CONFIG_GRKERNSEC_CHROOT_RENAME=y | ||
7033 | CONFIG_GRKERNSEC_CHROOT_CAPS=y | ||
7034 | CONFIG_GRKERNSEC_CHROOT_INITRD=y | ||
7035 | |||
7036 | # | ||
7037 | # Kernel Auditing | ||
7038 | # | ||
7039 | CONFIG_GRKERNSEC_AUDIT_GROUP=y | ||
7040 | CONFIG_GRKERNSEC_AUDIT_GID=64044 | ||
7041 | CONFIG_GRKERNSEC_EXECLOG=y | ||
7042 | CONFIG_GRKERNSEC_RESLOG=y | ||
7043 | CONFIG_GRKERNSEC_CHROOT_EXECLOG=y | ||
7044 | CONFIG_GRKERNSEC_AUDIT_PTRACE=y | ||
7045 | CONFIG_GRKERNSEC_AUDIT_CHDIR=y | ||
7046 | CONFIG_GRKERNSEC_AUDIT_MOUNT=y | ||
7047 | CONFIG_GRKERNSEC_SIGNAL=y | ||
7048 | CONFIG_GRKERNSEC_FORKFAIL=y | ||
7049 | CONFIG_GRKERNSEC_TIME=y | ||
7050 | CONFIG_GRKERNSEC_PROC_IPADDR=y | ||
7051 | CONFIG_GRKERNSEC_RWXMAP_LOG=y | ||
7052 | |||
7053 | # | ||
7054 | # Executable Protections | ||
7055 | # | ||
7056 | CONFIG_GRKERNSEC_DMESG=y | ||
7057 | CONFIG_GRKERNSEC_HARDEN_PTRACE=y | ||
7058 | CONFIG_GRKERNSEC_PTRACE_READEXEC=y | ||
7059 | CONFIG_GRKERNSEC_SETXID=y | ||
7060 | CONFIG_GRKERNSEC_HARDEN_IPC=y | ||
7061 | CONFIG_GRKERNSEC_HARDEN_TTY=y | ||
7062 | CONFIG_GRKERNSEC_TPE=y | ||
7063 | CONFIG_GRKERNSEC_TPE_ALL=y | ||
7064 | CONFIG_GRKERNSEC_TPE_INVERT=y | ||
7065 | CONFIG_GRKERNSEC_TPE_GID=64040 | ||
7066 | |||
7067 | # | ||
7068 | # Network Protections | ||
7069 | # | ||
7070 | CONFIG_GRKERNSEC_BLACKHOLE=y | ||
7071 | CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y | ||
7072 | CONFIG_GRKERNSEC_SOCKET=y | ||
7073 | CONFIG_GRKERNSEC_SOCKET_ALL=y | ||
7074 | CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041 | ||
7075 | CONFIG_GRKERNSEC_SOCKET_CLIENT=y | ||
7076 | CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042 | ||
7077 | CONFIG_GRKERNSEC_SOCKET_SERVER=y | ||
7078 | CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043 | ||
7079 | |||
7080 | # | ||
7081 | # Physical Protections | ||
7082 | # | ||
7083 | CONFIG_GRKERNSEC_DENYUSB=y | ||
7084 | # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set | ||
7085 | |||
7086 | # | ||
7087 | # Sysctl Support | ||
7088 | # | ||
7089 | CONFIG_GRKERNSEC_SYSCTL=y | ||
7090 | CONFIG_GRKERNSEC_SYSCTL_DISTRO=y | ||
7091 | CONFIG_GRKERNSEC_SYSCTL_ON=y | ||
7092 | |||
7093 | # | ||
7094 | # Logging Options | ||
7095 | # | ||
7096 | CONFIG_GRKERNSEC_FLOODTIME=10 | ||
7097 | CONFIG_GRKERNSEC_FLOODBURST=6 | ||
7098 | CONFIG_KEYS=y | ||
7099 | # CONFIG_PERSISTENT_KEYRINGS is not set | ||
7100 | # CONFIG_BIG_KEYS is not set | ||
7101 | # CONFIG_TRUSTED_KEYS is not set | ||
7102 | CONFIG_ENCRYPTED_KEYS=m | ||
7103 | CONFIG_SECURITY_DMESG_RESTRICT=y | ||
7104 | CONFIG_SECURITY=y | ||
7105 | CONFIG_SECURITYFS=y | ||
7106 | CONFIG_SECURITY_NETWORK=y | ||
7107 | CONFIG_SECURITY_NETWORK_XFRM=y | ||
7108 | CONFIG_SECURITY_PATH=y | ||
7109 | # CONFIG_INTEL_TXT is not set | ||
7110 | CONFIG_LSM_MMAP_MIN_ADDR=65536 | ||
7111 | CONFIG_SECURITY_SELINUX=y | ||
7112 | # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set | ||
7113 | # CONFIG_SECURITY_SELINUX_DISABLE is not set | ||
7114 | CONFIG_SECURITY_SELINUX_DEVELOP=y | ||
7115 | CONFIG_SECURITY_SELINUX_AVC_STATS=y | ||
7116 | CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 | ||
7117 | # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set | ||
7118 | # CONFIG_SECURITY_SMACK is not set | ||
7119 | CONFIG_SECURITY_TOMOYO=y | ||
7120 | CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048 | ||
7121 | CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 | ||
7122 | # CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set | ||
7123 | CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init" | ||
7124 | CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init" | ||
7125 | CONFIG_SECURITY_APPARMOR=y | ||
7126 | CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 | ||
7127 | CONFIG_SECURITY_APPARMOR_HASH=y | ||
7128 | CONFIG_INTEGRITY=y | ||
7129 | # CONFIG_INTEGRITY_SIGNATURE is not set | ||
7130 | CONFIG_INTEGRITY_AUDIT=y | ||
7131 | # CONFIG_IMA is not set | ||
7132 | # CONFIG_EVM is not set | ||
7133 | # CONFIG_DEFAULT_SECURITY_SELINUX is not set | ||
7134 | # CONFIG_DEFAULT_SECURITY_TOMOYO is not set | ||
7135 | # CONFIG_DEFAULT_SECURITY_APPARMOR is not set | ||
7136 | CONFIG_DEFAULT_SECURITY_DAC=y | ||
7137 | CONFIG_DEFAULT_SECURITY="" | ||
7138 | CONFIG_XOR_BLOCKS=m | ||
7139 | CONFIG_ASYNC_CORE=m | ||
7140 | CONFIG_ASYNC_MEMCPY=m | ||
7141 | CONFIG_ASYNC_XOR=m | ||
7142 | CONFIG_ASYNC_PQ=m | ||
7143 | CONFIG_ASYNC_RAID6_RECOV=m | ||
7144 | CONFIG_CRYPTO=y | ||
7145 | |||
7146 | # | ||
7147 | # Crypto core or helper | ||
7148 | # | ||
7149 | CONFIG_CRYPTO_ALGAPI=y | ||
7150 | CONFIG_CRYPTO_ALGAPI2=y | ||
7151 | CONFIG_CRYPTO_AEAD=m | ||
7152 | CONFIG_CRYPTO_AEAD2=y | ||
7153 | CONFIG_CRYPTO_BLKCIPHER=m | ||
7154 | CONFIG_CRYPTO_BLKCIPHER2=y | ||
7155 | CONFIG_CRYPTO_HASH=y | ||
7156 | CONFIG_CRYPTO_HASH2=y | ||
7157 | CONFIG_CRYPTO_RNG=m | ||
7158 | CONFIG_CRYPTO_RNG2=y | ||
7159 | CONFIG_CRYPTO_RNG_DEFAULT=m | ||
7160 | CONFIG_CRYPTO_PCOMP=m | ||
7161 | CONFIG_CRYPTO_PCOMP2=y | ||
7162 | CONFIG_CRYPTO_AKCIPHER2=y | ||
7163 | CONFIG_CRYPTO_AKCIPHER=m | ||
7164 | # CONFIG_CRYPTO_RSA is not set | ||
7165 | CONFIG_CRYPTO_MANAGER=y | ||
7166 | CONFIG_CRYPTO_MANAGER2=y | ||
7167 | # CONFIG_CRYPTO_USER is not set | ||
7168 | # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set | ||
7169 | CONFIG_CRYPTO_GF128MUL=m | ||
7170 | CONFIG_CRYPTO_NULL=m | ||
7171 | CONFIG_CRYPTO_NULL2=y | ||
7172 | CONFIG_CRYPTO_PCRYPT=m | ||
7173 | CONFIG_CRYPTO_WORKQUEUE=y | ||
7174 | CONFIG_CRYPTO_CRYPTD=m | ||
7175 | # CONFIG_CRYPTO_MCRYPTD is not set | ||
7176 | CONFIG_CRYPTO_AUTHENC=m | ||
7177 | CONFIG_CRYPTO_TEST=m | ||
7178 | CONFIG_CRYPTO_ABLK_HELPER=m | ||
7179 | CONFIG_CRYPTO_GLUE_HELPER_X86=m | ||
7180 | |||
7181 | # | ||
7182 | # Authenticated Encryption with Associated Data | ||
7183 | # | ||
7184 | CONFIG_CRYPTO_CCM=m | ||
7185 | CONFIG_CRYPTO_GCM=m | ||
7186 | CONFIG_CRYPTO_CHACHA20POLY1305=m | ||
7187 | CONFIG_CRYPTO_SEQIV=m | ||
7188 | CONFIG_CRYPTO_ECHAINIV=m | ||
7189 | |||
7190 | # | ||
7191 | # Block modes | ||
7192 | # | ||
7193 | CONFIG_CRYPTO_CBC=m | ||
7194 | CONFIG_CRYPTO_CTR=m | ||
7195 | CONFIG_CRYPTO_CTS=m | ||
7196 | CONFIG_CRYPTO_ECB=m | ||
7197 | CONFIG_CRYPTO_LRW=m | ||
7198 | CONFIG_CRYPTO_PCBC=m | ||
7199 | CONFIG_CRYPTO_XTS=m | ||
7200 | # CONFIG_CRYPTO_KEYWRAP is not set | ||
7201 | |||
7202 | # | ||
7203 | # Hash modes | ||
7204 | # | ||
7205 | CONFIG_CRYPTO_CMAC=m | ||
7206 | CONFIG_CRYPTO_HMAC=m | ||
7207 | CONFIG_CRYPTO_XCBC=m | ||
7208 | CONFIG_CRYPTO_VMAC=m | ||
7209 | |||
7210 | # | ||
7211 | # Digest | ||
7212 | # | ||
7213 | CONFIG_CRYPTO_CRC32C=m | ||
7214 | CONFIG_CRYPTO_CRC32C_INTEL=m | ||
7215 | CONFIG_CRYPTO_CRC32=m | ||
7216 | CONFIG_CRYPTO_CRC32_PCLMUL=m | ||
7217 | CONFIG_CRYPTO_CRCT10DIF=y | ||
7218 | CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m | ||
7219 | CONFIG_CRYPTO_GHASH=m | ||
7220 | CONFIG_CRYPTO_POLY1305=m | ||
7221 | CONFIG_CRYPTO_POLY1305_X86_64=m | ||
7222 | CONFIG_CRYPTO_MD4=m | ||
7223 | CONFIG_CRYPTO_MD5=y | ||
7224 | CONFIG_CRYPTO_MICHAEL_MIC=m | ||
7225 | CONFIG_CRYPTO_RMD128=m | ||
7226 | CONFIG_CRYPTO_RMD160=m | ||
7227 | CONFIG_CRYPTO_RMD256=m | ||
7228 | CONFIG_CRYPTO_RMD320=m | ||
7229 | CONFIG_CRYPTO_SHA1=y | ||
7230 | CONFIG_CRYPTO_SHA1_SSSE3=m | ||
7231 | CONFIG_CRYPTO_SHA256_SSSE3=m | ||
7232 | CONFIG_CRYPTO_SHA512_SSSE3=m | ||
7233 | # CONFIG_CRYPTO_SHA1_MB is not set | ||
7234 | CONFIG_CRYPTO_SHA256=y | ||
7235 | CONFIG_CRYPTO_SHA512=m | ||
7236 | CONFIG_CRYPTO_TGR192=m | ||
7237 | CONFIG_CRYPTO_WP512=m | ||
7238 | CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m | ||
7239 | |||
7240 | # | ||
7241 | # Ciphers | ||
7242 | # | ||
7243 | CONFIG_CRYPTO_AES=y | ||
7244 | CONFIG_CRYPTO_AES_X86_64=m | ||
7245 | CONFIG_CRYPTO_AES_NI_INTEL=m | ||
7246 | CONFIG_CRYPTO_ANUBIS=m | ||
7247 | CONFIG_CRYPTO_ARC4=m | ||
7248 | CONFIG_CRYPTO_BLOWFISH=m | ||
7249 | CONFIG_CRYPTO_BLOWFISH_COMMON=m | ||
7250 | CONFIG_CRYPTO_BLOWFISH_X86_64=m | ||
7251 | CONFIG_CRYPTO_CAMELLIA=m | ||
7252 | CONFIG_CRYPTO_CAMELLIA_X86_64=m | ||
7253 | CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m | ||
7254 | CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m | ||
7255 | CONFIG_CRYPTO_CAST_COMMON=m | ||
7256 | CONFIG_CRYPTO_CAST5=m | ||
7257 | CONFIG_CRYPTO_CAST5_AVX_X86_64=m | ||
7258 | CONFIG_CRYPTO_CAST6=m | ||
7259 | CONFIG_CRYPTO_CAST6_AVX_X86_64=m | ||
7260 | CONFIG_CRYPTO_DES=m | ||
7261 | CONFIG_CRYPTO_DES3_EDE_X86_64=m | ||
7262 | CONFIG_CRYPTO_FCRYPT=m | ||
7263 | CONFIG_CRYPTO_KHAZAD=m | ||
7264 | CONFIG_CRYPTO_SALSA20=m | ||
7265 | CONFIG_CRYPTO_SALSA20_X86_64=m | ||
7266 | CONFIG_CRYPTO_CHACHA20=m | ||
7267 | CONFIG_CRYPTO_CHACHA20_X86_64=m | ||
7268 | CONFIG_CRYPTO_SEED=m | ||
7269 | CONFIG_CRYPTO_SERPENT=m | ||
7270 | CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m | ||
7271 | CONFIG_CRYPTO_SERPENT_AVX_X86_64=m | ||
7272 | CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m | ||
7273 | CONFIG_CRYPTO_TEA=m | ||
7274 | CONFIG_CRYPTO_TWOFISH=m | ||
7275 | CONFIG_CRYPTO_TWOFISH_COMMON=m | ||
7276 | CONFIG_CRYPTO_TWOFISH_X86_64=m | ||
7277 | CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m | ||
7278 | CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m | ||
7279 | |||
7280 | # | ||
7281 | # Compression | ||
7282 | # | ||
7283 | CONFIG_CRYPTO_DEFLATE=m | ||
7284 | CONFIG_CRYPTO_ZLIB=m | ||
7285 | CONFIG_CRYPTO_LZO=y | ||
7286 | # CONFIG_CRYPTO_842 is not set | ||
7287 | CONFIG_CRYPTO_LZ4=m | ||
7288 | CONFIG_CRYPTO_LZ4HC=m | ||
7289 | |||
7290 | # | ||
7291 | # Random Number Generation | ||
7292 | # | ||
7293 | CONFIG_CRYPTO_ANSI_CPRNG=m | ||
7294 | CONFIG_CRYPTO_DRBG_MENU=m | ||
7295 | CONFIG_CRYPTO_DRBG_HMAC=y | ||
7296 | # CONFIG_CRYPTO_DRBG_HASH is not set | ||
7297 | # CONFIG_CRYPTO_DRBG_CTR is not set | ||
7298 | CONFIG_CRYPTO_DRBG=m | ||
7299 | CONFIG_CRYPTO_JITTERENTROPY=m | ||
7300 | CONFIG_CRYPTO_USER_API=m | ||
7301 | CONFIG_CRYPTO_USER_API_HASH=m | ||
7302 | CONFIG_CRYPTO_USER_API_SKCIPHER=m | ||
7303 | # CONFIG_CRYPTO_USER_API_RNG is not set | ||
7304 | CONFIG_CRYPTO_USER_API_AEAD=m | ||
7305 | CONFIG_CRYPTO_HW=y | ||
7306 | CONFIG_CRYPTO_DEV_PADLOCK=m | ||
7307 | CONFIG_CRYPTO_DEV_PADLOCK_AES=m | ||
7308 | CONFIG_CRYPTO_DEV_PADLOCK_SHA=m | ||
7309 | CONFIG_CRYPTO_DEV_CCP=y | ||
7310 | CONFIG_CRYPTO_DEV_CCP_DD=m | ||
7311 | CONFIG_CRYPTO_DEV_CCP_CRYPTO=m | ||
7312 | CONFIG_CRYPTO_DEV_QAT=m | ||
7313 | CONFIG_CRYPTO_DEV_QAT_DH895xCC=m | ||
7314 | CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m | ||
7315 | # CONFIG_ASYMMETRIC_KEY_TYPE is not set | ||
7316 | |||
7317 | # | ||
7318 | # Certificates for signature checking | ||
7319 | # | ||
7320 | # CONFIG_SYSTEM_TRUSTED_KEYRING is not set | ||
7321 | CONFIG_HAVE_KVM=y | ||
7322 | CONFIG_HAVE_KVM_IRQCHIP=y | ||
7323 | CONFIG_HAVE_KVM_IRQFD=y | ||
7324 | CONFIG_HAVE_KVM_IRQ_ROUTING=y | ||
7325 | CONFIG_HAVE_KVM_EVENTFD=y | ||
7326 | CONFIG_KVM_APIC_ARCHITECTURE=y | ||
7327 | CONFIG_KVM_MMIO=y | ||
7328 | CONFIG_KVM_ASYNC_PF=y | ||
7329 | CONFIG_HAVE_KVM_MSI=y | ||
7330 | CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y | ||
7331 | CONFIG_KVM_VFIO=y | ||
7332 | CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y | ||
7333 | CONFIG_KVM_COMPAT=y | ||
7334 | CONFIG_HAVE_KVM_IRQ_BYPASS=y | ||
7335 | CONFIG_VIRTUALIZATION=y | ||
7336 | CONFIG_KVM=m | ||
7337 | CONFIG_KVM_INTEL=m | ||
7338 | CONFIG_KVM_AMD=m | ||
7339 | CONFIG_KVM_DEVICE_ASSIGNMENT=y | ||
7340 | # CONFIG_BINARY_PRINTF is not set | ||
7341 | |||
7342 | # | ||
7343 | # Library routines | ||
7344 | # | ||
7345 | CONFIG_RAID6_PQ=m | ||
7346 | CONFIG_BITREVERSE=y | ||
7347 | # CONFIG_HAVE_ARCH_BITREVERSE is not set | ||
7348 | CONFIG_RATIONAL=y | ||
7349 | CONFIG_GENERIC_STRNCPY_FROM_USER=y | ||
7350 | CONFIG_GENERIC_STRNLEN_USER=y | ||
7351 | CONFIG_GENERIC_NET_UTILS=y | ||
7352 | CONFIG_GENERIC_FIND_FIRST_BIT=y | ||
7353 | CONFIG_GENERIC_PCI_IOMAP=y | ||
7354 | CONFIG_GENERIC_IOMAP=y | ||
7355 | CONFIG_GENERIC_IO=y | ||
7356 | CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y | ||
7357 | CONFIG_ARCH_HAS_FAST_MULTIPLIER=y | ||
7358 | CONFIG_CRC_CCITT=m | ||
7359 | CONFIG_CRC16=m | ||
7360 | CONFIG_CRC_T10DIF=y | ||
7361 | CONFIG_CRC_ITU_T=m | ||
7362 | CONFIG_CRC32=y | ||
7363 | # CONFIG_CRC32_SELFTEST is not set | ||
7364 | CONFIG_CRC32_SLICEBY8=y | ||
7365 | # CONFIG_CRC32_SLICEBY4 is not set | ||
7366 | # CONFIG_CRC32_SARWATE is not set | ||
7367 | # CONFIG_CRC32_BIT is not set | ||
7368 | CONFIG_CRC7=m | ||
7369 | CONFIG_LIBCRC32C=m | ||
7370 | # CONFIG_CRC8 is not set | ||
7371 | # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set | ||
7372 | # CONFIG_RANDOM32_SELFTEST is not set | ||
7373 | CONFIG_ZLIB_INFLATE=y | ||
7374 | CONFIG_ZLIB_DEFLATE=y | ||
7375 | CONFIG_LZO_COMPRESS=y | ||
7376 | CONFIG_LZO_DECOMPRESS=y | ||
7377 | CONFIG_LZ4_COMPRESS=m | ||
7378 | CONFIG_LZ4HC_COMPRESS=m | ||
7379 | CONFIG_LZ4_DECOMPRESS=y | ||
7380 | CONFIG_XZ_DEC=y | ||
7381 | CONFIG_XZ_DEC_X86=y | ||
7382 | # CONFIG_XZ_DEC_POWERPC is not set | ||
7383 | # CONFIG_XZ_DEC_IA64 is not set | ||
7384 | # CONFIG_XZ_DEC_ARM is not set | ||
7385 | # CONFIG_XZ_DEC_ARMTHUMB is not set | ||
7386 | # CONFIG_XZ_DEC_SPARC is not set | ||
7387 | CONFIG_XZ_DEC_BCJ=y | ||
7388 | # CONFIG_XZ_DEC_TEST is not set | ||
7389 | CONFIG_DECOMPRESS_GZIP=y | ||
7390 | CONFIG_DECOMPRESS_BZIP2=y | ||
7391 | CONFIG_DECOMPRESS_LZMA=y | ||
7392 | CONFIG_DECOMPRESS_XZ=y | ||
7393 | CONFIG_DECOMPRESS_LZO=y | ||
7394 | CONFIG_DECOMPRESS_LZ4=y | ||
7395 | CONFIG_GENERIC_ALLOCATOR=y | ||
7396 | CONFIG_REED_SOLOMON=m | ||
7397 | CONFIG_REED_SOLOMON_ENC8=y | ||
7398 | CONFIG_REED_SOLOMON_DEC8=y | ||
7399 | CONFIG_REED_SOLOMON_DEC16=y | ||
7400 | CONFIG_BCH=m | ||
7401 | CONFIG_TEXTSEARCH=y | ||
7402 | CONFIG_TEXTSEARCH_KMP=m | ||
7403 | CONFIG_TEXTSEARCH_BM=m | ||
7404 | CONFIG_TEXTSEARCH_FSM=m | ||
7405 | CONFIG_BTREE=y | ||
7406 | CONFIG_INTERVAL_TREE=y | ||
7407 | CONFIG_ASSOCIATIVE_ARRAY=y | ||
7408 | CONFIG_HAS_IOMEM=y | ||
7409 | CONFIG_HAS_IOPORT_MAP=y | ||
7410 | CONFIG_HAS_DMA=y | ||
7411 | CONFIG_CHECK_SIGNATURE=y | ||
7412 | CONFIG_CPU_RMAP=y | ||
7413 | CONFIG_DQL=y | ||
7414 | CONFIG_GLOB=y | ||
7415 | # CONFIG_GLOB_SELFTEST is not set | ||
7416 | CONFIG_NLATTR=y | ||
7417 | CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y | ||
7418 | CONFIG_LRU_CACHE=m | ||
7419 | CONFIG_CORDIC=m | ||
7420 | # CONFIG_DDR is not set | ||
7421 | CONFIG_OID_REGISTRY=m | ||
7422 | CONFIG_UCS2_STRING=y | ||
7423 | CONFIG_FONT_SUPPORT=y | ||
7424 | # CONFIG_FONTS is not set | ||
7425 | CONFIG_FONT_8x8=y | ||
7426 | CONFIG_FONT_8x16=y | ||
7427 | # CONFIG_SG_SPLIT is not set | ||
7428 | CONFIG_ARCH_HAS_SG_CHAIN=y | ||
7429 | CONFIG_ARCH_HAS_PMEM_API=y | ||
7430 | CONFIG_ARCH_HAS_MMIO_FLUSH=y | ||
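--- /dev/null
+++ b/src/tools/grsec.conf
@@ -0,0 +1,98 @@
+## Address Space Protection
+# Disable privileged io: iopl(2) and ioperm(2)
+# Warning: Xorg without modesetting needs it to be 0
+kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+kernel.grsecurity.deny_new_usb = 0
+kernel.grsecurity.harden_ipc = 1
+
+## Filesystem Protections
+# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
+# folders)
+kernel.grsecurity.linking_restrictions = 1
+# Prevent writing to fifo not owned in world-writable +t folders
+kernel.grsecurity.fifo_restrictions = 1
+
+# Chroot restrictions
+kernel.grsecurity.chroot_deny_bad_rename = 1
+kernel.grsecurity.chroot_deny_mount = 1
+kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_deny_chmod = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_mknod = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_findtask = 1
+kernel.grsecurity.chroot_restrict_nice = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_caps = 1
+
+## Kernel Auditing
+kernel.grsecurity.exec_logging = 1
+kernel.grsecurity.audit_chdir = 1
+# By default exec_logging and audit_chdir only target members of audit_gid, you
+# can change that by setting audit_group to 0
+kernel.grsecurity.audit_group = 1
+# You can also override audit_gid to use another group
+kernel.grsecurity.audit_gid = 0
+kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.chroot_execlog = 1
+kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.signal_logging = 1
+kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+## Executable Protections
+kernel.grsecurity.dmesg = 1
+kernel.grsecurity.consistent_setxid = 1
+# Trusted execution
+# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
+# from untrusted directories
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_restrict_all = 1
+kernel.grsecurity.tpe_gid = 64040
+
+## Kernel-enforce SymlinkIfOwnerMatch
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+## Network Protections
+kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+# Socket restrictions
+# If the setting is enabled and an user is added to relevant group, she won't
+# be able to open this kind of socket
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 64041
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 64042
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 64043
+
+# Ptrace
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+
+# Protect mounts
+# don't try to set it to 0, it'll fail, just let it commented
+# kernel.grsecurity.romount_protect = 1
+
+# PAX
+kernel.pax.softmode = 0
+
+# Disable module loading
+# This is not a grsecurity anymore, but you might still want to disable module
+# loading so no code is inserted into the kernel
+# kernel.modules_disabled=1
+
+# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
+# grsec sysctl on a running system
+kernel.grsecurity.grsec_lock = 1
+
+# vim: filetype=conf: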
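Review bot: `kernel.grsecurity.grsec_lock = 1` on line 96 is live rather than commented out, so the first time this file is applied every preceding `kernel.grsecurity.*` value becomes immutable until reboot — including `deny_new_usb = 0`, the `tpe_gid`/`socket_*_gid` values that only work if groups 64040–64043 exist on the host, and `audit_gid = 0`. The comment two lines above says to lock only once you are satisfied with the settings, which the shipped file contradicts; ship it as `# kernel.grsecurity.grsec_lock = 1` and let the administrator uncomment it after verifying the rest. Separately, `audit_group = 1` together with `audit_gid = 0` limits `exec_logging`/`audit_chdir` to members of gid 0, which is unlikely to be the intended audit scope for sandboxed desktop users; either set `kernel.grsecurity.audit_group = 0` to log everyone or point `audit_gid` at a dedicated group, and say which in the comment. `symlinkown_gid = 33` is also a Debian-specific www-data gid and deserves a note saying so.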
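--- /dev/null
+++ b/test/apps-x11/apps-x11.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+echo "xpra found"
+else
+echo "xpra not found"
+which Xephyr
+if [ "$?" -eq 0 ];
+then
+echo "Xephyr found"
+else
+echo "TESTING SKIP: xpra and/or Xephyr not found"
+exit
+fi
+fi
+
+which xterm
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xterm x11"
+./xterm.exp
+else
+echo "TESTING SKIP: xterm not found"
+fi
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: firefox x11"
+./firefox.exp
+else
+echo "TESTING SKIP: firefox not found"
+fi
+
+which chromium
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: chromium x11"
+./chromium.exp
+else
+echo "TESTING SKIP: chromium not found"
+fi
+
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: transmission-gtk x11"
+./transmission-gtk.exp
+else
+echo "TESTING SKIP: transmission-gtk not found"
+fi
+
+which icedove
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: icedove x11"
+./icedove.exp
+else
+echo "TESTING SKIP: icedove not found"
+fi
+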
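Review bot: The wrapper never propagates failure: the status of each `./xterm.exp` … `./icedove.exp` call is discarded, the expect scripts themselves terminate with a bare `exit` (status 0) on every `TESTING ERROR` branch, and the skip path on line 22 also exits 0, so a CI job running this script cannot tell a passing run from a failing one. Collect a status — `rc=0` at the top, `./xterm.exp || rc=1` for each test, `exit "$rc"` at the end — and have the expect scripts use `exit 1` in their error branches so the status means something. The `which` / `if [ "$?" -eq 0 ]` pattern repeated five times also leaks `which`'s stdout into the log and depends on an external `which`; `if command -v xterm >/dev/null 2>&1; then` is the builtin equivalent.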
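--- a/test/chromium-x11.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r"
+send -- "firejail --name=test --x11 chromium www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -19,6 +22,13 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}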
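Review bot: The grsecurity probe added at lines 25–31 runs after chromium has already been launched in the `test` sandbox on line 10, and both its `exit` branches leave that sandbox and browser running because nothing sends `firejail --shutdown=test` before exiting; the next script in apps-x11.sh will then see this stale instance in `firejail --list`. Move the probe above the `firejail --name=test --x11 chromium …` line so an early exit costs nothing, or send `firejail --shutdown=test\r` in the exit branches. Detecting via `file(1)` also adds a dependency on that tool and on its English "cannot open" wording; `send -- "test -d /proc/sys/kernel/grsecurity && echo GRSEC-ON || echo GRSEC-OFF\r"` matched on those two tokens is self-contained.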
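--- a/test/firefox-x11.exp
+++ b/test/apps-x11/firefox.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 --net=br0 firefox www.gentoo.org\r"
+send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -18,7 +21,18 @@ expect {
 "firefox" {puts "firefox detected\n";}
 "iceweasel" {puts "iceweasel detected\n";}
 }
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"no-remote"
+}
 sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,6 +48,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
 "Seccomp: 2"
 }
@@ -49,6 +67,10 @@ expect {
 " iceweasel" {puts "iceweasel detected\n";}
 }
 expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"no-remote"
+}
+expect {
 timeout {puts "TESTING ERROR 6.1\n";exit}
 "CapBnd:"
 }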
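Review bot: The three new `timeout` handlers at lines 25, 51 and 70 end in a bare `exit`, which in expect is status 0 and therefore identical to the "grsecurity present" skip on line 33 and to a successful run, so the apps-x11.sh wrapper has no way to turn a failed expectation into a non-zero result. Use `exit 1` in the error handlers — `timeout {puts "TESTING ERROR 3.2\n";exit 1}` — and keep the plain `exit` only for the grsecurity skip. The `"no-remote"` expectations also only check that the token appears somewhere after the `firefox`/`iceweasel` match in the `--list`/`firemon` output; presumably the intent is to bind the match to the instance launched on line 10, which a single `-re "firefox.*-no-remote"` pattern would express more strictly than two sequential matches.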
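--- /dev/null
+++ b/test/apps-x11/icedove.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11 icedove\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"icedove"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"icedove"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"icedove"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+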
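Review bot: Only the success path reaches `firejail --shutdown=test` on line 81; the grsecurity skip on line 29 and every `TESTING ERROR` timeout exit while the `test` sandbox launched on line 10 is still running, so a failed or skipped run leaves an icedove instance behind that the next script's `firejail --list` will match. Define one cleanup proc near the top, `proc bail {msg} { send -- "firejail --shutdown=test\r"; sleep 2; puts $msg; exit 1 }`, and use `bail "TESTING ERROR 3\n"` in place of the `{puts "…";exit}` pairs. Running the grsecurity probe before line 10 would avoid launching the sandbox at all when the script is going to skip.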
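--- a/test/transmission-gtk-x11.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,10 +1,13 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r"
+send -- "firejail --name=test --x11 transmission-gtk\r"
 sleep 10
 
 spawn $env(SHELL)
@@ -19,6 +22,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}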
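Review bot: The `"cannot open"` branch at line 30 depends on `file(1)` being installed and printing exactly that phrase for a missing path; on a host without `file` the shell prints `command not found`, neither pattern matches, and the script reports `TESTING ERROR - grsecurity detection` (and exits 0) instead of continuing with "not present". A shell builtin has no such dependency: `send -- "test -d /proc/sys/kernel/grsecurity && echo GRSEC-ON || echo GRSEC-OFF\r"` and match `GRSEC-ON`/`GRSEC-OFF`. This seven-line block is pasted verbatim into chromium.exp, firefox.exp, icedove.exp and xterm.exp in the same commit; a single helper file pulled in with `source` would keep the copies from drifting when the probe is fixed.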
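--- /dev/null
+++ b/test/apps-x11/xterm.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11 xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+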
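Review bot: xterm.exp is icedove.exp with the program name swapped at lines 10, 21, 48 and 66 and nothing else changed (down to the duplicated `TESTING ERROR 5.1` label on lines 51 and 55, which makes a log line ambiguous about which expectation timed out), so every sequencing fix has to be applied in two places and will drift. Parameterise the application instead — `set app [lindex $argv 0]` and `send -- "firejail --name=test --x11 $app\r"` — and have apps-x11.sh invoke one script as `./x11-app.exp xterm`; the per-app scripts with real differences (firefox's `-no-remote`) can stay separate. At minimum renumber the second `5.1` to `5.2` so the messages are unique.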
diff --git a/test/test-apps.sh b/test/apps/apps.sh index 5ada20549..c329c57e5 100755 --- a/test/test-apps.sh +++ b/test/apps/apps.sh | |||
@@ -1,4 +1,10 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
2 | 8 | ||
3 | which firefox | 9 | which firefox |
4 | if [ "$?" -eq 0 ]; | 10 | if [ "$?" -eq 0 ]; |
@@ -6,7 +12,7 @@ then | |||
6 | echo "TESTING: firefox" | 12 | echo "TESTING: firefox" |
7 | ./firefox.exp | 13 | ./firefox.exp |
8 | else | 14 | else |
9 | echo "TESTING: firefox not found" | 15 | echo "TESTING SKIP: firefox not found" |
10 | fi | 16 | fi |
11 | 17 | ||
12 | which midori | 18 | which midori |
@@ -15,7 +21,7 @@ then | |||
15 | echo "TESTING: midori" | 21 | echo "TESTING: midori" |
16 | ./midori.exp | 22 | ./midori.exp |
17 | else | 23 | else |
18 | echo "TESTING: midori not found" | 24 | echo "TESTING SKIP: midori not found" |
19 | fi | 25 | fi |
20 | 26 | ||
21 | which chromium | 27 | which chromium |
@@ -24,16 +30,7 @@ then | |||
24 | echo "TESTING: chromium" | 30 | echo "TESTING: chromium" |
25 | ./chromium.exp | 31 | ./chromium.exp |
26 | else | 32 | else |
27 | echo "TESTING: chromium not found" | 33 | echo "TESTING SKIP: chromium not found" |
28 | fi | ||
29 | |||
30 | which google-chrome | ||
31 | if [ "$?" -eq 0 ]; | ||
32 | then | ||
33 | echo "TESTING: google-chrome" | ||
34 | ./chromium.exp | ||
35 | else | ||
36 | echo "TESTING: google-chrome not found" | ||
37 | fi | 34 | fi |
38 | 35 | ||
39 | which opera | 36 | which opera |
@@ -42,7 +39,7 @@ then | |||
42 | echo "TESTING: opera" | 39 | echo "TESTING: opera" |
43 | ./opera.exp | 40 | ./opera.exp |
44 | else | 41 | else |
45 | echo "TESTING: opera not found" | 42 | echo "TESTING SKIP: opera not found" |
46 | fi | 43 | fi |
47 | 44 | ||
48 | which transmission-gtk | 45 | which transmission-gtk |
@@ -51,7 +48,7 @@ then | |||
51 | echo "TESTING: transmission-gtk" | 48 | echo "TESTING: transmission-gtk" |
52 | ./transmission-gtk.exp | 49 | ./transmission-gtk.exp |
53 | else | 50 | else |
54 | echo "TESTING: transmission-gtk not found" | 51 | echo "TESTING SKIP: transmission-gtk not found" |
55 | fi | 52 | fi |
56 | 53 | ||
57 | which transmission-qt | 54 | which transmission-qt |
@@ -60,7 +57,34 @@ then | |||
60 | echo "TESTING: transmission-qt" | 57 | echo "TESTING: transmission-qt" |
61 | ./transmission-qt.exp | 58 | ./transmission-qt.exp |
62 | else | 59 | else |
63 | echo "TESTING: transmission-qt not found" | 60 | echo "TESTING SKIP: transmission-qt not found" |
61 | fi | ||
62 | |||
63 | which qbittorrent | ||
64 | if [ "$?" -eq 0 ]; | ||
65 | then | ||
66 | echo "TESTING: qbittorrent" | ||
67 | ./qbittorrent.exp | ||
68 | else | ||
69 | echo "TESTING SKIP: qbittorrent not found" | ||
70 | fi | ||
71 | |||
72 | which uget-gtk | ||
73 | if [ "$?" -eq 0 ]; | ||
74 | then | ||
75 | echo "TESTING: uget" | ||
76 | ./uget-gtk.exp | ||
77 | else | ||
78 | echo "TESTING SKIP: uget-gtk not found" | ||
79 | fi | ||
80 | |||
81 | which filezilla | ||
82 | if [ "$?" -eq 0 ]; | ||
83 | then | ||
84 | echo "TESTING: filezilla" | ||
85 | ./filezilla.exp | ||
86 | else | ||
87 | echo "TESTING SKIP: filezilla not found" | ||
64 | fi | 88 | fi |
65 | 89 | ||
66 | which evince | 90 | which evince |
@@ -69,7 +93,17 @@ then | |||
69 | echo "TESTING: evince" | 93 | echo "TESTING: evince" |
70 | ./evince.exp | 94 | ./evince.exp |
71 | else | 95 | else |
72 | echo "TESTING: evince not found" | 96 | echo "TESTING SKIP: evince not found" |
97 | fi | ||
98 | |||
99 | |||
100 | which gthumb | ||
101 | if [ "$?" -eq 0 ]; | ||
102 | then | ||
103 | echo "TESTING: gthumb" | ||
104 | ./gthumb.exp | ||
105 | else | ||
106 | echo "TESTING SKIP: gthumb not found" | ||
73 | fi | 107 | fi |
74 | 108 | ||
75 | which icedove | 109 | which icedove |
@@ -78,7 +112,7 @@ then | |||
78 | echo "TESTING: icedove" | 112 | echo "TESTING: icedove" |
79 | ./icedove.exp | 113 | ./icedove.exp |
80 | else | 114 | else |
81 | echo "TESTING: icedove not found" | 115 | echo "TESTING SKIP: icedove not found" |
82 | fi | 116 | fi |
83 | 117 | ||
84 | which vlc | 118 | which vlc |
@@ -87,7 +121,7 @@ then | |||
87 | echo "TESTING: vlc" | 121 | echo "TESTING: vlc" |
88 | ./vlc.exp | 122 | ./vlc.exp |
89 | else | 123 | else |
90 | echo "TESTING: vlc not found" | 124 | echo "TESTING SKIP: vlc not found" |
91 | fi | 125 | fi |
92 | 126 | ||
93 | which fbreader | 127 | which fbreader |
@@ -96,7 +130,7 @@ then | |||
96 | echo "TESTING: fbreader" | 130 | echo "TESTING: fbreader" |
97 | ./fbreader.exp | 131 | ./fbreader.exp |
98 | else | 132 | else |
99 | echo "TESTING: fbreader not found" | 133 | echo "TESTING SKIP: fbreader not found" |
100 | fi | 134 | fi |
101 | 135 | ||
102 | which deluge | 136 | which deluge |
@@ -105,7 +139,7 @@ then | |||
105 | echo "TESTING: deluge" | 139 | echo "TESTING: deluge" |
106 | ./deluge.exp | 140 | ./deluge.exp |
107 | else | 141 | else |
108 | echo "TESTING: deluge not found" | 142 | echo "TESTING SKIP: deluge not found" |
109 | fi | 143 | fi |
110 | 144 | ||
111 | which gnome-mplayer | 145 | which gnome-mplayer |
@@ -114,7 +148,7 @@ then | |||
114 | echo "TESTING: gnome-mplayer" | 148 | echo "TESTING: gnome-mplayer" |
115 | ./gnome-mplayer.exp | 149 | ./gnome-mplayer.exp |
116 | else | 150 | else |
117 | echo "TESTING: gnome-mplayer not found" | 151 | echo "TESTING SKIP: gnome-mplayer not found" |
118 | fi | 152 | fi |
119 | 153 | ||
120 | which xchat | 154 | which xchat |
@@ -123,7 +157,7 @@ then | |||
123 | echo "TESTING: xchat" | 157 | echo "TESTING: xchat" |
124 | ./xchat.exp | 158 | ./xchat.exp |
125 | else | 159 | else |
126 | echo "TESTING: xchat not found" | 160 | echo "TESTING SKIP: xchat not found" |
127 | fi | 161 | fi |
128 | 162 | ||
129 | which hexchat | 163 | which hexchat |
@@ -132,7 +166,7 @@ then | |||
132 | echo "TESTING: hexchat" | 166 | echo "TESTING: hexchat" |
133 | ./hexchat.exp | 167 | ./hexchat.exp |
134 | else | 168 | else |
135 | echo "TESTING: hexchat not found" | 169 | echo "TESTING SKIP: hexchat not found" |
136 | fi | 170 | fi |
137 | 171 | ||
138 | which weechat-curses | 172 | which weechat-curses |
@@ -141,7 +175,7 @@ then | |||
141 | echo "TESTING: weechat" | 175 | echo "TESTING: weechat" |
142 | ./weechat.exp | 176 | ./weechat.exp |
143 | else | 177 | else |
144 | echo "TESTING: weechat not found" | 178 | echo "TESTING SKIP: weechat not found" |
145 | fi | 179 | fi |
146 | 180 | ||
147 | which wine | 181 | which wine |
@@ -150,6 +184,6 @@ then | |||
150 | echo "TESTING: wine" | 184 | echo "TESTING: wine" |
151 | ./wine.exp | 185 | ./wine.exp |
152 | else | 186 | else |
153 | echo "TESTING: wine not found" | 187 | echo "TESTING SKIP: wine not found" |
154 | fi | 188 | fi |
155 | 189 | ||
diff --git a/test/chromium.exp b/test/apps/chromium.exp index 77325d070..c01f9a54d 100755 --- a/test/chromium.exp +++ b/test/apps/chromium.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "chromium" | 29 | "chromium" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\n" | 82 | puts "\n" |
72 | 83 | ||
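Review bot: The grsecurity probe added at new lines 33-39 depends on the external `file(1)` utility: on a host where it is not installed the spawned shell prints "command not found", neither pattern matches, and the 10-second timeout is reported as `TESTING ERROR - grsecurity detection` although the sandbox is fine; the exact wording "cannot open" is also not guaranteed across file versions. A shell builtin removes the dependency and yields two fixed tokens to match on: `send -- "test -d /proc/sys/kernel/grsecurity; echo grsec=\$?\r"` with the arms `"grsec=0" {puts "grsecurity present, exiting...\n";exit}` and `"grsec=1" {puts "grsecurity not present\n"}`. The identical block is added in this commit to deluge.exp, evince.exp, fbreader.exp, filezilla.exp, firefox.exp, gnome-mplayer.exp, gthumb.exp, hexchat.exp, icedove.exp, midori.exp, opera.exp, qbittorrent.exp, transmission-gtk.exp and transmission-qt.exp, so one helper or one agreed snippet should be applied to all of them.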
diff --git a/test/deluge.exp b/test/apps/deluge.exp index 49266813e..df7899b51 100755 --- a/test/deluge.exp +++ b/test/apps/deluge.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "deluge" | 29 | "deluge" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\n" | 82 | puts "\n" |
72 | 83 | ||
diff --git a/test/evince.exp b/test/apps/evince.exp index 0c57f3871..0c1efcf59 100755 --- a/test/evince.exp +++ b/test/apps/evince.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "evince" | 29 | "evince" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
diff --git a/test/fbreader.exp b/test/apps/fbreader.exp index a4df50932..30fbb1a77 100755 --- a/test/fbreader.exp +++ b/test/apps/fbreader.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "fbreader" | 29 | "fbreader" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
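--- /dev/null
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail filezilla\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"filezilla"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail filezilla"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail filezilla"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+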
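Review bot: Every failure arm in the new file ends in a bare `exit`, which in Expect/Tcl returns status 0, so a caller of filezilla.exp cannot tell a `TESTING ERROR` from a clean run by exit status and has to scrape stdout for the string. Writing the timeout arms as `timeout {puts "TESTING ERROR 0\n";exit 1}` keeps the printed output unchanged and makes the result machine-checkable; if the driver script (not visible here) deliberately ignores exit codes, that deserves a one-line comment at the top of the file. gthumb.exp and qbittorrent.exp, also new in this commit, follow the same pattern.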
diff --git a/test/firefox.exp b/test/apps/firefox.exp index c2e64e04f..64a733f98 100755 --- a/test/firefox.exp +++ b/test/apps/firefox.exp | |||
@@ -1,10 +1,13 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
5 | match_max 100000 | 8 | match_max 100000 |
6 | 9 | ||
7 | send -- "firejail firefox www.gentoo.org\r" | 10 | send -- "firejail firefox -no-remote www.gentoo.org\r" |
8 | expect { | 11 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Reading profile /etc/firejail/firefox.profile" | 13 | "Reading profile /etc/firejail/firefox.profile" |
@@ -26,7 +29,21 @@ expect { | |||
26 | "firefox" {puts "firefox detected\n";} | 29 | "firefox" {puts "firefox detected\n";} |
27 | "iceweasel" {puts "iceweasel detected\n";} | 30 | "iceweasel" {puts "iceweasel detected\n";} |
28 | } | 31 | } |
29 | sleep 1 | 32 | expect { |
33 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
34 | "no-remote" | ||
35 | } | ||
36 | after 100 | ||
37 | |||
38 | # grsecurity exit | ||
39 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
42 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
43 | "cannot open" {puts "grsecurity not present\n"} | ||
44 | } | ||
45 | |||
46 | |||
30 | send -- "firejail --name=blablabla\r" | 47 | send -- "firejail --name=blablabla\r" |
31 | expect { | 48 | expect { |
32 | timeout {puts "TESTING ERROR 4\n";exit} | 49 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -42,6 +59,10 @@ expect { | |||
42 | " iceweasel" {puts "iceweasel detected\n";} | 59 | " iceweasel" {puts "iceweasel detected\n";} |
43 | } | 60 | } |
44 | expect { | 61 | expect { |
62 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
63 | "no-remote" | ||
64 | } | ||
65 | expect { | ||
45 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | 66 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} |
46 | "Seccomp: 2" | 67 | "Seccomp: 2" |
47 | } | 68 | } |
@@ -49,7 +70,7 @@ expect { | |||
49 | timeout {puts "TESTING ERROR 5.1\n";exit} | 70 | timeout {puts "TESTING ERROR 5.1\n";exit} |
50 | "name=blablabla" | 71 | "name=blablabla" |
51 | } | 72 | } |
52 | sleep 1 | 73 | after 100 |
53 | send -- "firemon --caps\r" | 74 | send -- "firemon --caps\r" |
54 | expect { | 75 | expect { |
55 | timeout {puts "TESTING ERROR 6\n";exit} | 76 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -57,6 +78,10 @@ expect { | |||
57 | " iceweasel" {puts "iceweasel detected\n";} | 78 | " iceweasel" {puts "iceweasel detected\n";} |
58 | } | 79 | } |
59 | expect { | 80 | expect { |
81 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
82 | "no-remote" | ||
83 | } | ||
84 | expect { | ||
60 | timeout {puts "TESTING ERROR 6.1\n";exit} | 85 | timeout {puts "TESTING ERROR 6.1\n";exit} |
61 | "CapBnd:" | 86 | "CapBnd:" |
62 | } | 87 | } |
@@ -68,7 +93,7 @@ expect { | |||
68 | timeout {puts "TESTING ERROR 6.3\n";exit} | 93 | timeout {puts "TESTING ERROR 6.3\n";exit} |
69 | "name=blablabla" | 94 | "name=blablabla" |
70 | } | 95 | } |
71 | sleep 1 | 96 | after 100 |
72 | 97 | ||
73 | puts "\n" | 98 | puts "\n" |
74 | 99 | ||
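Review bot: The `-no-remote` flag added to the spawn line (new line 10) and then asserted three times in the `firejail --list` and `firemon` output (new lines 32-35, 62-64, 81-83) is not explained anywhere in the file, so a reader has to guess why a browser flag matters to a sandbox test. I would add above line 10: `# -no-remote: run a separate instance so the sandboxed firefox does not hand the URL to an already running, unsandboxed firefox` — that is my reading of the flag; confirm it is the intended reason. New lines 45-46 also leave a double blank line before the `--name=blablabla` send where the sibling files have one.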
diff --git a/test/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 193d532ae..aa0ef44fb 100755 --- a/test/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -13,7 +16,7 @@ expect { | |||
13 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
14 | "Child process initialized" | 17 | "Child process initialized" |
15 | } | 18 | } |
16 | sleep 10 | 19 | sleep 5 |
17 | 20 | ||
18 | spawn $env(SHELL) | 21 | spawn $env(SHELL) |
19 | send -- "firejail --list\r" | 22 | send -- "firejail --list\r" |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "gnome-mplayer" | 29 | "gnome-mplayer" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
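--- /dev/null
+++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"gthumb"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail gthumb"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail gthumb"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+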
diff --git a/test/hexchat.exp b/test/apps/hexchat.exp index 0653bcb13..a66cc52cc 100755 --- a/test/hexchat.exp +++ b/test/apps/hexchat.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,16 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "hexchat" | 29 | "hexchat" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
29 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
30 | expect { | 42 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -47,7 +59,7 @@ expect { | |||
47 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
48 | "name=blablabla" | 60 | "name=blablabla" |
49 | } | 61 | } |
50 | sleep 1 | 62 | after 100 |
51 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
52 | expect { | 64 | expect { |
53 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -65,7 +77,7 @@ expect { | |||
65 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
66 | "name=blablabla" | 78 | "name=blablabla" |
67 | } | 79 | } |
68 | sleep 1 | 80 | after 100 |
69 | 81 | ||
70 | puts "\n" | 82 | puts "\n" |
71 | 83 | ||
diff --git a/test/icedove.exp b/test/apps/icedove.exp index be5309e07..667f6745d 100755 --- a/test/icedove.exp +++ b/test/apps/icedove.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "icedove" | 29 | "icedove" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
diff --git a/test/midori.exp b/test/apps/midori.exp index ec33816dd..fdd47954c 100755 --- a/test/midori.exp +++ b/test/apps/midori.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -13,7 +16,7 @@ expect { | |||
13 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
14 | "Child process initialized" | 17 | "Child process initialized" |
15 | } | 18 | } |
16 | sleep 10 | 19 | sleep 5 |
17 | 20 | ||
18 | spawn $env(SHELL) | 21 | spawn $env(SHELL) |
19 | send -- "firejail --list\r" | 22 | send -- "firejail --list\r" |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "midori" | 29 | "midori" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3n";exit} | 77 | timeout {puts "TESTING ERROR 6.3n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | 82 | ||
72 | puts "\n" | 83 | puts "\n" |
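Review bot: Context line 77 of the last hunk, `timeout {puts "TESTING ERROR 6.3n";exit}`, is missing the backslash of the `\n` escape, so this error message prints `6.3n` with no trailing newline; every sibling file spells it `"TESTING ERROR 6.3\n"`. The commit edits the very next line (`sleep 1` to `after 100`) but leaves the typo in place; it should read `timeout {puts "TESTING ERROR 6.3\n";exit}`.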
diff --git a/test/opera.exp b/test/apps/opera.exp index f536ae866..b94c9dbbd 100755 --- a/test/opera.exp +++ b/test/apps/opera.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "opera" | 29 | "opera" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\n" | 82 | puts "\n" |
72 | 83 | ||
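--- /dev/null
+++ b/test/apps/qbittorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"qbittorrent"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail qbittorrent"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail qbittorrent"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+after 100
+
+puts "\n"
+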
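Review bot: qbittorrent.exp finishes with `puts "\n"` (new line 82), while the other two files added in this commit, filezilla.exp and gthumb.exp, finish with `puts "\nall done\n"`, so the three new tests do not signal completion the same way. If the driver script, which is not visible here, looks for `all done` to tell a finished run from one that stopped at an early `exit`, this file would always look unfinished; otherwise the marker should be dropped or added consistently. I would change it to `puts "\nall done\n"` to match its siblings.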
diff --git a/test/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 77d5dd30c..33f4ef963 100755 --- a/test/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -9,7 +12,7 @@ expect { | |||
9 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
10 | "Child process initialized" | 13 | "Child process initialized" |
11 | } | 14 | } |
12 | sleep 10 | 15 | sleep 5 |
13 | 16 | ||
14 | spawn $env(SHELL) | 17 | spawn $env(SHELL) |
15 | send -- "firejail --list\r" | 18 | send -- "firejail --list\r" |
@@ -21,8 +24,15 @@ expect { | |||
21 | timeout {puts "TESTING ERROR 3.1\n";exit} | 24 | timeout {puts "TESTING ERROR 3.1\n";exit} |
22 | "transmission-gtk" | 25 | "transmission-gtk" |
23 | } | 26 | } |
24 | sleep 1 | 27 | after 100 |
25 | 28 | ||
29 | # grsecurity exit | ||
30 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
33 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
34 | "cannot open" {puts "grsecurity not present\n"} | ||
35 | } | ||
26 | send -- "firejail --name=blablabla\r" | 36 | send -- "firejail --name=blablabla\r" |
27 | expect { | 37 | expect { |
28 | timeout {puts "TESTING ERROR 4\n";exit} | 38 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -44,7 +54,7 @@ expect { | |||
44 | timeout {puts "TESTING ERROR 5.1\n";exit} | 54 | timeout {puts "TESTING ERROR 5.1\n";exit} |
45 | "name=blablabla" | 55 | "name=blablabla" |
46 | } | 56 | } |
47 | sleep 1 | 57 | after 100 |
48 | send -- "firemon --caps\r" | 58 | send -- "firemon --caps\r" |
49 | expect { | 59 | expect { |
50 | timeout {puts "TESTING ERROR 6\n";exit} | 60 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -62,7 +72,7 @@ expect { | |||
62 | timeout {puts "TESTING ERROR 6.3\n";exit} | 72 | timeout {puts "TESTING ERROR 6.3\n";exit} |
63 | "name=blablabla" | 73 | "name=blablabla" |
64 | } | 74 | } |
65 | sleep 1 | 75 | after 100 |
66 | 76 | ||
67 | puts "\nall done\n" | 77 | puts "\nall done\n" |
68 | 78 | ||
diff --git a/test/transmission-qt.exp b/test/apps/transmission-qt.exp index d27c16d6d..991742106 100755 --- a/test/transmission-qt.exp +++ b/test/apps/transmission-qt.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -13,7 +16,7 @@ expect { | |||
13 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
14 | "Child process initialized" | 17 | "Child process initialized" |
15 | } | 18 | } |
16 | sleep 10 | 19 | sleep 3 |
17 | 20 | ||
18 | spawn $env(SHELL) | 21 | spawn $env(SHELL) |
19 | send -- "firejail --list\r" | 22 | send -- "firejail --list\r" |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "transmission-qt" | 29 | "transmission-qt" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
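Review bot: The grsecurity probe at new lines 33–39 reports `TESTING ERROR - grsecurity detection` whenever neither pattern shows up, which also happens when `file(1)` is not installed (the shell prints `command not found`) or when its error wording differs from `cannot open`, so an environment problem is indistinguishable from a real detection failure. An explicit branch such as `"command not found" {puts "TESTING ERROR - file(1) missing\n";exit}` keeps the failure attributable, or the probe could avoid the external tool and test the path from the shell, e.g. `[ -d /proc/sys/kernel/grsecurity ] && echo GRSEC_YES || echo GRSEC_NO`. The same block is added unchanged in uget-gtk.exp, vlc.exp, weechat.exp and xchat.exp below. Separately, the startup wait at new line 19 drops from `sleep 10` to `sleep 3`; if the longer value was tuned for a slow Qt start, the `--list` check that follows may become intermittent on loaded hosts — worth a comment saying why 3 s is enough.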
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp new file mode 100755 index 000000000..1511a07af --- /dev/null +++ b/test/apps/uget-gtk.exp | |||
@@ -0,0 +1,83 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail uget-gtk\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/uget-gtk.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Child process initialized" | ||
18 | } | ||
19 | sleep 3 | ||
20 | |||
21 | spawn $env(SHELL) | ||
22 | send -- "firejail --list\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | ":firejail" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
29 | "uget-gtk" | ||
30 | } | ||
31 | after 100 | ||
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
41 | send -- "firejail --name=blablabla\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 4\n";exit} | ||
44 | "Child process initialized" | ||
45 | } | ||
46 | sleep 2 | ||
47 | |||
48 | spawn $env(SHELL) | ||
49 | send -- "firemon --seccomp\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 5\n";exit} | ||
52 | ":firejail uget-gtk" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
56 | "Seccomp: 2" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
60 | "name=blablabla" | ||
61 | } | ||
62 | after 100 | ||
63 | send -- "firemon --caps\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 6\n";exit} | ||
66 | ":firejail uget-gtk" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
70 | "CapBnd:" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
74 | "0000000000000000" | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
78 | "name=blablabla" | ||
79 | } | ||
80 | after 100 | ||
81 | |||
82 | puts "\nall done\n" | ||
83 | |||
diff --git a/test/vlc.exp b/test/apps/vlc.exp index 53d25c9dd..f0903c170 100755 --- a/test/vlc.exp +++ b/test/apps/vlc.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,15 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "vlc" | 29 | "vlc" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
29 | 40 | ||
30 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
31 | expect { | 42 | expect { |
@@ -48,7 +59,7 @@ expect { | |||
48 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
49 | "name=blablabla" | 60 | "name=blablabla" |
50 | } | 61 | } |
51 | sleep 1 | 62 | after 100 |
52 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
53 | expect { | 64 | expect { |
54 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -66,7 +77,7 @@ expect { | |||
66 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
67 | "name=blablabla" | 78 | "name=blablabla" |
68 | } | 79 | } |
69 | sleep 1 | 80 | after 100 |
70 | 81 | ||
71 | puts "\nall done\n" | 82 | puts "\nall done\n" |
72 | 83 | ||
diff --git a/test/weechat.exp b/test/apps/weechat.exp index ac2430280..b3e04da84 100755 --- a/test/weechat.exp +++ b/test/apps/weechat.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,16 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "weechat-curses" | 29 | "weechat-curses" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
29 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
30 | expect { | 42 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -47,7 +59,7 @@ expect { | |||
47 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
48 | "name=blablabla" | 60 | "name=blablabla" |
49 | } | 61 | } |
50 | sleep 1 | 62 | after 100 |
51 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
52 | expect { | 64 | expect { |
53 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -65,7 +77,7 @@ expect { | |||
65 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
66 | "name=blablabla" | 78 | "name=blablabla" |
67 | } | 79 | } |
68 | sleep 1 | 80 | after 100 |
69 | 81 | ||
70 | puts "\n" | 82 | puts "\n" |
71 | 83 | ||
diff --git a/test/wine.exp b/test/apps/wine.exp index d87c1f205..a2f465acb 100755 --- a/test/wine.exp +++ b/test/apps/wine.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -23,7 +26,7 @@ expect { | |||
23 | } | 26 | } |
24 | expect { | 27 | expect { |
25 | timeout {puts "TESTING ERROR 4\n";exit} | 28 | timeout {puts "TESTING ERROR 4\n";exit} |
26 | "parent is shutting down, bye..." | 29 | "Parent is shutting down, bye..." |
27 | } | 30 | } |
28 | 31 | ||
29 | puts "\nall done\n" | 32 | puts "\nall done\n" |
diff --git a/test/xchat.exp b/test/apps/xchat.exp index babbcf87d..206397f3e 100755 --- a/test/xchat.exp +++ b/test/apps/xchat.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -25,7 +28,16 @@ expect { | |||
25 | timeout {puts "TESTING ERROR 3.1\n";exit} | 28 | timeout {puts "TESTING ERROR 3.1\n";exit} |
26 | "xchat" | 29 | "xchat" |
27 | } | 30 | } |
28 | sleep 1 | 31 | after 100 |
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
29 | send -- "firejail --name=blablabla\r" | 41 | send -- "firejail --name=blablabla\r" |
30 | expect { | 42 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
@@ -47,7 +59,7 @@ expect { | |||
47 | timeout {puts "TESTING ERROR 5.1\n";exit} | 59 | timeout {puts "TESTING ERROR 5.1\n";exit} |
48 | "name=blablabla" | 60 | "name=blablabla" |
49 | } | 61 | } |
50 | sleep 1 | 62 | after 100 |
51 | send -- "firemon --caps\r" | 63 | send -- "firemon --caps\r" |
52 | expect { | 64 | expect { |
53 | timeout {puts "TESTING ERROR 6\n";exit} | 65 | timeout {puts "TESTING ERROR 6\n";exit} |
@@ -65,7 +77,7 @@ expect { | |||
65 | timeout {puts "TESTING ERROR 6.3\n";exit} | 77 | timeout {puts "TESTING ERROR 6.3\n";exit} |
66 | "name=blablabla" | 78 | "name=blablabla" |
67 | } | 79 | } |
68 | sleep 1 | 80 | after 100 |
69 | 81 | ||
70 | puts "\n" | 82 | puts "\n" |
71 | 83 | ||
diff --git a/test/arguments/Makefile b/test/arguments/Makefile new file mode 100644 index 000000000..3ccab3702 --- /dev/null +++ b/test/arguments/Makefile | |||
@@ -0,0 +1,13 @@ | |||
1 | all: argtest | ||
2 | |||
3 | argtest: main.c | ||
4 | gcc -o argtest main.c | ||
5 | |||
6 | clean:; rm -f argtest; rm -fr symtest; rm -f out out.* | ||
7 | |||
8 | install:;install -c -m 0755 argtest /usr/local/bin/argtest | ||
9 | |||
10 | uninstall:; rm -f /usr/local/bin/argtest | ||
11 | |||
12 | |||
13 | test:; ./arguments.sh | grep TESTING | ||
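Review bot: The `test` target's exit status is grep's rather than the test run's: `./arguments.sh | grep TESTING` succeeds as soon as any `TESTING` line is printed, and the failure lines are themselves `TESTING ERROR …`, so `make test` returns 0 even when every case fails. Something like `test:; ./arguments.sh | tee test.log | grep TESTING; ! grep -q 'TESTING ERROR' test.log` makes the target fail on errors (add `test.log` to `clean`). The `argtest` rule also compiles with no warning flags; `gcc -Wall -Wextra -o argtest main.c` is cheap for a 30-line helper.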
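--- /dev/null
+++ b/test/arguments/arguments.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+[ -f argtest ] || make argtest
+
+echo "TESTING: 1. regular bash session"
+./bashrun.exp
+
+echo "TESTING: 2. symbolic link to firejail"
+./symrun.exp
+
+echo "TESTING: 3. --join option"
+./joinrun.exp
+
+echo "TESTING: 4. --output option"
+./outrun.exp
+rm out
+rm out.*
+
+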
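Review bot: The two unconditional `rm` calls at lines 16–17 print an error and set a non-zero status whenever `outrun.exp` stops before the rotated `out.*` files exist (it currently exits after its first case), and since the script has no `set -e` and no status handling, the harness's own exit code is simply that of the last `rm`. `rm -f out out.*` removes the noise; if the run is meant to fail on `TESTING ERROR` output, that has to be checked explicitly because each `.exp` file exits 0 on its timeouts. A one-line header comment stating that results are only reported as text would also help the `make test` reader.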
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp new file mode 100755 index 000000000..a3c9e382d --- /dev/null +++ b/test/arguments/bashrun.exp | |||
@@ -0,0 +1,86 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "./bashrun.sh\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 1.1.1\n";exit} | ||
10 | "Arguments:" | ||
11 | } | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 1.1.2\n";exit} | ||
14 | "#arg1#" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 1.1.3\n";exit} | ||
18 | "#arg2#" | ||
19 | } | ||
20 | |||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1.2.1\n";exit} | ||
23 | "Arguments:" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1.2.2\n";exit} | ||
27 | "#arg1 tail#" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 1.2.3\n";exit} | ||
31 | "#arg2 tail#" | ||
32 | } | ||
33 | |||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 1.3.1\n";exit} | ||
36 | "Arguments:" | ||
37 | } | ||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 1.3.2\n";exit} | ||
40 | "#arg1 tail#" | ||
41 | } | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 1.3.3\n";exit} | ||
44 | "#arg2 tail#" | ||
45 | } | ||
46 | |||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 1.4.1\n";exit} | ||
49 | "Arguments:" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 1.4.2\n";exit} | ||
53 | "#arg1 tail#" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 1.4.3\n";exit} | ||
57 | "#arg2 tail#" | ||
58 | } | ||
59 | |||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 1.5.1\n";exit} | ||
62 | "Arguments:" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 1.5.2\n";exit} | ||
66 | "#arg1&tail#" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 1.5.3\n";exit} | ||
70 | "#arg2&tail#" | ||
71 | } | ||
72 | |||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 1.6.1\n";exit} | ||
75 | "Arguments:" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 1.6.2\n";exit} | ||
79 | "#arg1&tail#" | ||
80 | } | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 1.6.3\n";exit} | ||
83 | "#arg2&tail#" | ||
84 | } | ||
85 | |||
86 | puts "\nall done\n" | ||
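--- /dev/null
+++ b/test/arguments/bashrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 1.1 - simple args"
+firejail --quiet ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 1.2 - args with space and \""
+firejail --quiet ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 1.3 - args with space and '"
+firejail --quiet ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 1.4 - args with space and \\"
+firejail --quiet ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 1.5 - args with & and \""
+firejail --quiet ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 1.6 - args with & and '"
+firejail --quiet ./argtest 'arg1&tail' 'arg2&tail'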
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp new file mode 100755 index 000000000..8e8570e4f --- /dev/null +++ b/test/arguments/joinrun.exp | |||
@@ -0,0 +1,91 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | |||
8 | send -- "firejail --name=joinrun\r" | ||
9 | sleep 2 | ||
10 | |||
11 | spawn $env(SHELL) | ||
12 | send -- "./joinrun.sh\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 3.1.1\n";exit} | ||
15 | "Arguments:" | ||
16 | } | ||
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 3.1.2\n";exit} | ||
19 | "#arg1#" | ||
20 | } | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 3.1.3\n";exit} | ||
23 | "#arg2#" | ||
24 | } | ||
25 | |||
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 3.2.1\n";exit} | ||
28 | "Arguments:" | ||
29 | } | ||
30 | expect { | ||
31 | timeout {puts "TESTING ERROR 3.2.2\n";exit} | ||
32 | "#arg1 tail#" | ||
33 | } | ||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 3.2.3\n";exit} | ||
36 | "#arg2 tail#" | ||
37 | } | ||
38 | |||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 3.3.1\n";exit} | ||
41 | "Arguments:" | ||
42 | } | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 3.3.2\n";exit} | ||
45 | "#arg1 tail#" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 3.3.3\n";exit} | ||
49 | "#arg2 tail#" | ||
50 | } | ||
51 | |||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 3.4.1\n";exit} | ||
54 | "Arguments:" | ||
55 | } | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 3.4.2\n";exit} | ||
58 | "#arg1 tail#" | ||
59 | } | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 3.4.3\n";exit} | ||
62 | "#arg2 tail#" | ||
63 | } | ||
64 | |||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 3.5.1\n";exit} | ||
67 | "Arguments:" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 3.5.2\n";exit} | ||
71 | "#arg1&tail#" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 3.5.3\n";exit} | ||
75 | "#arg2&tail#" | ||
76 | } | ||
77 | |||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 3.6.1\n";exit} | ||
80 | "Arguments:" | ||
81 | } | ||
82 | expect { | ||
83 | timeout {puts "TESTING ERROR 3.6.2\n";exit} | ||
84 | "#arg1&tail#" | ||
85 | } | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 3.6.3\n";exit} | ||
88 | "#arg2&tail#" | ||
89 | } | ||
90 | |||
91 | puts "\nall done\n" | ||
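Review bot: The `--name=joinrun` sandbox started at line 8 is never torn down: the script ends after the last expectation, so the sandbox survives the test, and a second run will presumably collide on the name (hedged — depends on how firejail treats a duplicate `--name`). Keeping the first spawn id and closing it at the end, `set jail_id $spawn_id` after line 4 and `send -i $jail_id -- "exit\r"` before the final `puts`, leaves the host clean. Line 9 also synchronises only with `sleep 2`; an `expect` on `"Child process initialized"` like the app tests use would make the join target's readiness explicit instead of timing-dependent.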
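--- /dev/null
+++ b/test/arguments/joinrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 3.1 - simple args"
+firejail --join=joinrun ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 3.2 - args with space and \""
+firejail --quiet ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 3.3 - args with space and '"
+firejail --quiet ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 3.4 - args with space and \\"
+firejail --quiet ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 3.5 - args with & and \""
+firejail --quiet ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 3.6 - args with & and '"
+firejail --quiet ./argtest 'arg1&tail' 'arg2&tail'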
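Review bot: Only case 3.1 at line 4 actually exercises `--join=joinrun`; lines 8, 11, 15, 19 and 22 still run `firejail --quiet ./argtest …`, i.e. the same plain-sandbox path bashrun.sh already covers, so the quoting, escaped-space and `&` cases are never passed through the join code path even though the suite labels them "--join option". The five invocations should use the join flag as well.
```shell
# … unchanged: shebang, case 3.1 and the echo lines between the cases …
firejail --join=joinrun ./argtest "arg1 tail" "arg2 tail"
firejail --join=joinrun ./argtest 'arg1 tail' 'arg2 tail'
firejail --join=joinrun ./argtest arg1\ tail arg2\ tail
firejail --join=joinrun ./argtest "arg1&tail" "arg2&tail"
firejail --join=joinrun ./argtest 'arg1&tail' 'arg2&tail'
```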
diff --git a/test/arguments/main.c b/test/arguments/main.c new file mode 100644 index 000000000..75bdca715 --- /dev/null +++ b/test/arguments/main.c | |||
@@ -0,0 +1,31 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include <stdio.h> | ||
21 | |||
22 | int main(int argc, char **argv) { | ||
23 | printf("Arguments:\n"); | ||
24 | |||
25 | int i; | ||
26 | for (i = 0; i < argc; i++) { | ||
27 | printf("#%s#\n", argv[i]); | ||
28 | } | ||
29 | |||
30 | return 0; | ||
31 | } | ||
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp new file mode 100755 index 000000000..d28e75661 --- /dev/null +++ b/test/arguments/outrun.exp | |||
@@ -0,0 +1,90 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "./outrun.sh\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 4.1.1\n";exit} | ||
10 | "Arguments:" | ||
11 | } | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 4.1.2\n";exit} | ||
14 | "#arg1#" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 4.1.3\n";exit} | ||
18 | "#arg2#" | ||
19 | } | ||
20 | |||
21 | exit | ||
22 | #*************************************************** | ||
23 | # breaking down from here on - bug to fix | ||
24 | #*************************************************** | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 4.2.1\n";exit} | ||
27 | "Arguments:" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 4.2.2\n";exit} | ||
31 | "#arg1 tail#" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 4.2.3\n";exit} | ||
35 | "#arg2 tail#" | ||
36 | } | ||
37 | |||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 4.3.1\n";exit} | ||
40 | "Arguments:" | ||
41 | } | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 4.3.2\n";exit} | ||
44 | "#arg1 tail#" | ||
45 | } | ||
46 | expect { | ||
47 | timeout {puts "TESTING ERROR 4.3.3\n";exit} | ||
48 | "#arg2 tail#" | ||
49 | } | ||
50 | |||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 4.4.1\n";exit} | ||
53 | "Arguments:" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 4.4.2\n";exit} | ||
57 | "#arg1 tail#" | ||
58 | } | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 4.4.3\n";exit} | ||
61 | "#arg2 tail#" | ||
62 | } | ||
63 | |||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 4.5.1\n";exit} | ||
66 | "Arguments:" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 4.5.2\n";exit} | ||
70 | "#arg1&tail#" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 4.5.3\n";exit} | ||
74 | "#arg2&tail#" | ||
75 | } | ||
76 | |||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 4.6.1\n";exit} | ||
79 | "Arguments:" | ||
80 | } | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 4.6.2\n";exit} | ||
83 | "#arg1&tail#" | ||
84 | } | ||
85 | expect { | ||
86 | timeout {puts "TESTING ERROR 4.6.3\n";exit} | ||
87 | "#arg2&tail#" | ||
88 | } | ||
89 | |||
90 | puts "\nall done\n" | ||
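Review bot: The bare `exit` at line 21 turns everything from line 25 on into dead code without leaving any trace in the output, so the `--output` run looks fully green while five of its six cases are skipped; the comment at lines 22–24 is only visible to someone reading the source. Printing a marker before leaving, `puts "TESTING SKIP 4.2-4.6 - --output argument bug\n"`, makes the gap show up in the `grep TESTING` summary the Makefile relies on, and ideally the comment would name the tracking issue for the bug (left as a placeholder here: `# see issue <ISSUE-ID>`). Note that the file also never reaches its `all done` line for the same reason.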
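--- /dev/null
+++ b/test/arguments/outrun.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo "TESTING: 4.1 - simple args"
+firejail --output=out ./argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 4.2 - args with space and \""
+firejail --output=out ./argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 4.3 - args with space and '"
+firejail --output=out ./argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 4.4 - args with space and \\"
+firejail --output=out ./argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 4.5 - args with & and \""
+firejail --output=out ./argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 4.6 - args with & and '"
+firejail --output=out ./argtest 'arg1&tail' 'arg2&tail'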
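--- /dev/null
+++ b/test/arguments/readme
@@ -0,0 +1,9 @@
+Argument testing fremework for Firejail.
+
+A small test program, argtest, is compiled and installed in /usr/local/bin directory.
+Run "make && sudo make install" to install it.
+
+Run "make test" to run the tests.
+
+Run "make uninstall" to remove the test program.
+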
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp new file mode 100755 index 000000000..10e7ac6c8 --- /dev/null +++ b/test/arguments/symrun.exp | |||
@@ -0,0 +1,71 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "./symrun.sh\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 2.1.1\n";exit} | ||
10 | "Arguments:" | ||
11 | } | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 2.1.2\n";exit} | ||
14 | "#arg1#" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 2.1.3\n";exit} | ||
18 | "#arg2#" | ||
19 | } | ||
20 | |||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 2.3.1\n";exit} | ||
23 | "Arguments:" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 2.3.2\n";exit} | ||
27 | "#arg1 tail#" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 2.3.3\n";exit} | ||
31 | "#arg2 tail#" | ||
32 | } | ||
33 | |||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 2.4.1\n";exit} | ||
36 | "Arguments:" | ||
37 | } | ||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 2.4.2\n";exit} | ||
40 | "#arg1 tail#" | ||
41 | } | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 2.4.3\n";exit} | ||
44 | "#arg2 tail#" | ||
45 | } | ||
46 | |||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 2.5.1\n";exit} | ||
49 | "Arguments:" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 2.5.2\n";exit} | ||
53 | "#arg1&tail#" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 2.5.3\n";exit} | ||
57 | "#arg2&tail#" | ||
58 | } | ||
59 | |||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 2.6.1\n";exit} | ||
62 | "Arguments:" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 2.6.2\n";exit} | ||
66 | "#arg1&tail#" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 2.6.3\n";exit} | ||
70 | "#arg2&tail#" | ||
71 | } | ||
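Review bot: The expectations jump from 2.1 (line 9) straight to 2.3 (line 22) while symrun.sh emits six cases, so the `Arguments:`/`#arg1 tail#` output of case 2.2 is what actually satisfies the 2.3 checks, 2.3's output satisfies 2.4, and the escaped-space case (2.4 in the shell script) is then skipped over by the `#arg1&tail#` match — one of the space-handling cases is never verified and any failure is reported under the wrong number. Add the missing 2.2 block (the same three `expect` stanzas with `TESTING ERROR 2.2.1/2.2.2/2.2.3`) so the numbering lines up. This script is also the only one of the four that does not end with `puts "\nall done\n"`, which makes a clean run indistinguishable from a truncated one in the log.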
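--- /dev/null
+++ b/test/arguments/symrun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+mkdir symtest
+ln -s /usr/bin/firejail symtest/argtest
+
+# search for argtest in current directory
+export PATH=$PATH:.
+
+echo "TESTING: 2.1 - simple args"
+symtest/argtest arg1 arg2
+
+# simple quotes, testing spaces in file names
+echo "TESTING: 2.2 - args with space and \""
+symtest/argtest "arg1 tail" "arg2 tail"
+
+echo "TESTING: 2.3 - args with space and '"
+symtest/argtest 'arg1 tail' 'arg2 tail'
+
+# escaped space in file names
+echo "TESTING: 2.4 - args with space and \\"
+symtest/argtest arg1\ tail arg2\ tail
+
+# & char appears in URLs - URLs should be quoted
+echo "TESTING: 2.5 - args with & and \""
+symtest/argtest "arg1&tail" "arg2&tail"
+
+echo "TESTING: 2.6 - args with & and '"
+symtest/argtest 'arg1&tail' 'arg2&tail'
+
+rm -fr symtest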
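Review bot: Line 4 hard-codes `/usr/bin/firejail`, so on a build installed under a different prefix the symlink dangles and all six cases fail with an unrelated "No such file" rather than an argument error; `ln -s "$(command -v firejail)" symtest/argtest` follows whatever firejail the tests are otherwise using, and `mkdir -p symtest` on line 3 avoids a spurious error when a previous run was interrupted before the `rm -fr`. Line 7 appends `.` to the exported `PATH`, which the sandboxed child inherits; the comment says this is so `argtest` is found in the current directory, yet the readme installs it in `/usr/local/bin` precisely so the symlinked firejail can resolve it, so either the PATH change is redundant or the install step is — a comment stating which lookup the test relies on would settle it. If `.` really is needed, prefer the explicit absolute form `export PATH=$PATH:$PWD` so the lookup does not depend on where later commands chdir to.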
diff --git a/test/auto/autotest.sh b/test/auto/autotest.sh deleted file mode 100755 index 0fb7565af..000000000 --- a/test/auto/autotest.sh +++ /dev/null | |||
@@ -1,202 +0,0 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | arr[1]="TEST 1: svn and standard compilation" | ||
4 | arr[2]="TEST 2: cppcheck" | ||
5 | arr[3]="TEST 3: compile seccomp disabled, chroot disabled, bind disabled" | ||
6 | arr[4]="TEST 4: rvtest" | ||
7 | arr[5]="TEST 5: expect test as root, no malloc perturb" | ||
8 | arr[6]="TEST 6: expect test as user, no malloc perturb" | ||
9 | arr[7]="TEST 7: expect test as root, malloc perturb" | ||
10 | arr[8]="TEST 8: expect test as user, malloc perturb" | ||
11 | |||
12 | |||
13 | # remove previous reports and output file | ||
14 | cleanup() { | ||
15 | rm -f out-test | ||
16 | rm -f output* | ||
17 | rm -f report* | ||
18 | rm -fr firejail-trunk | ||
19 | } | ||
20 | |||
21 | print_title() { | ||
22 | echo | ||
23 | echo | ||
24 | echo | ||
25 | echo "**************************************************" | ||
26 | echo $1 | ||
27 | echo "**************************************************" | ||
28 | } | ||
29 | |||
30 | while [ $# -gt 0 ]; do # Until you run out of parameters . . . | ||
31 | case "$1" in | ||
32 | --clean) | ||
33 | cleanup | ||
34 | exit | ||
35 | ;; | ||
36 | --help) | ||
37 | echo "./autotest.sh [--clean|--help]" | ||
38 | exit | ||
39 | ;; | ||
40 | esac | ||
41 | shift # Check next set of parameters. | ||
42 | done | ||
43 | |||
44 | cleanup | ||
45 | # enable sudo | ||
46 | sudo ls -al | ||
47 | |||
48 | #***************************************************************** | ||
49 | # TEST 1 | ||
50 | #***************************************************************** | ||
51 | # - checkout source code | ||
52 | # - check compilation | ||
53 | # - install | ||
54 | #***************************************************************** | ||
55 | print_title "${arr[1]}" | ||
56 | svn checkout svn://svn.code.sf.net/p/firejail/code-0/trunk firejail-trunk | ||
57 | cd firejail-trunk | ||
58 | ./configure --prefix=/usr 2>&1 | tee ../output-configure | ||
59 | make -j4 2>&1 | tee ../output-make | ||
60 | sudo make install 2>&1 | tee ../output-install | ||
61 | cd src/tools | ||
62 | gcc -o rvtest rvtest.c | ||
63 | cd ../.. | ||
64 | cd test | ||
65 | sudo ./configure > /dev/null | ||
66 | cd ../.. | ||
67 | grep warning output-configure output-make output-install > ./report-test1 | ||
68 | grep error output-configure output-make output-install >> ./report-test1 | ||
69 | cat report-test1 > out-test1 | ||
70 | |||
71 | #***************************************************************** | ||
72 | # TEST 2 | ||
73 | #***************************************************************** | ||
74 | # - run cppcheck | ||
75 | #***************************************************************** | ||
76 | print_title "${arr[2]}" | ||
77 | cd firejail-trunk | ||
78 | cp /home/netblue/bin/cfg/std.cfg . | ||
79 | cppcheck --force . 2>&1 | tee ../output-cppcheck | ||
80 | cd .. | ||
81 | grep error output-cppcheck > report-test2 | ||
82 | cat report-test2 > out-test2 | ||
83 | |||
84 | #***************************************************************** | ||
85 | # TEST 3 | ||
86 | #***************************************************************** | ||
87 | # - disable seccomp configuration | ||
88 | # - check compilation | ||
89 | #***************************************************************** | ||
90 | print_title "${arr[3]}" | ||
91 | # seccomp | ||
92 | cd firejail-trunk | ||
93 | make distclean | ||
94 | ./configure --prefix=/usr --disable-seccomp 2>&1 | tee ../output-configure-noseccomp | ||
95 | make -j4 2>&1 | tee ../output-make-noseccomp | ||
96 | cd .. | ||
97 | grep warning output-configure-noseccomp output-make-noseccomp > ./report-test3 | ||
98 | grep error output-configure-noseccomp output-make-noseccomp >> ./report-test3 | ||
99 | # chroot | ||
100 | cd firejail-trunk | ||
101 | make distclean | ||
102 | ./configure --prefix=/usr --disable-chroot 2>&1 | tee ../output-configure-nochroot | ||
103 | make -j4 2>&1 | tee ../output-make-nochroot | ||
104 | cd .. | ||
105 | grep warning output-configure-nochroot output-make-nochroot >> ./report-test3 | ||
106 | grep error output-configure-nochroot output-make-nochroot >> ./report-test3 | ||
107 | # bind | ||
108 | cd firejail-trunk | ||
109 | make distclean | ||
110 | ./configure --prefix=/usr --disable-bind 2>&1 | tee ../output-configure-nobind | ||
111 | make -j4 2>&1 | tee ../output-make-nobind | ||
112 | cd .. | ||
113 | grep warning output-configure-nobind output-make-nobind >> ./report-test3 | ||
114 | grep error output-configure-nobind output-make-nobind >> ./report-test3 | ||
115 | # save result | ||
116 | cat report-test3 > out-test3 | ||
117 | |||
118 | #***************************************************************** | ||
119 | # TEST 4 | ||
120 | #***************************************************************** | ||
121 | # - rvtest | ||
122 | #***************************************************************** | ||
123 | print_title "${arr[4]}" | ||
124 | cd firejail-trunk | ||
125 | cd test | ||
126 | ../src/tools/rvtest test.rv 2>/dev/null | tee ../../output-test4 | grep TESTING | ||
127 | cd ../.. | ||
128 | grep TESTING output-test4 > ./report-test4 | ||
129 | grep ERROR report-test4 > out-test4 | ||
130 | |||
131 | |||
132 | #***************************************************************** | ||
133 | # TEST 5 | ||
134 | #***************************************************************** | ||
135 | # - expect test as root, no malloc perturb | ||
136 | #***************************************************************** | ||
137 | print_title "${arr[5]}" | ||
138 | cd firejail-trunk/test | ||
139 | sudo ./test-root.sh 2>&1 | tee ../../output-test5 | grep TESTING | ||
140 | cd ../.. | ||
141 | grep TESTING output-test5 > ./report-test5 | ||
142 | grep ERROR report-test5 > out-test5 | ||
143 | |||
144 | #***************************************************************** | ||
145 | # TEST 6 | ||
146 | #***************************************************************** | ||
147 | # - expect test as user, no malloc perturb | ||
148 | #***************************************************************** | ||
149 | print_title "${arr[6]}" | ||
150 | cd firejail-trunk/test | ||
151 | ./test.sh 2>&1 | tee ../../output-test6 | grep TESTING | ||
152 | cd ../.. | ||
153 | grep TESTING output-test6 > ./report-test6 | ||
154 | grep ERROR report-test6 > out-test6 | ||
155 | |||
156 | |||
157 | |||
158 | #***************************************************************** | ||
159 | # TEST 7 | ||
160 | #***************************************************************** | ||
161 | # - expect test as root, malloc perturb | ||
162 | #***************************************************************** | ||
163 | print_title "${arr[7]}" | ||
164 | export MALLOC_CHECK_=3 | ||
165 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
166 | cd firejail-trunk/test | ||
167 | sudo ./test-root.sh 2>&1 | tee ../../output-test7 | grep TESTING | ||
168 | cd ../.. | ||
169 | grep TESTING output-test7 > ./report-test7 | ||
170 | grep ERROR report-test7 > out-test7 | ||
171 | |||
172 | #***************************************************************** | ||
173 | # TEST 8 | ||
174 | #***************************************************************** | ||
175 | # - expect test as user, malloc perturb | ||
176 | #***************************************************************** | ||
177 | print_title "${arr[8]}" | ||
178 | cd firejail-trunk/test | ||
179 | ./test.sh 2>&1 | tee ../../output-test8| grep TESTING | ||
180 | cd ../.. | ||
181 | grep TESTING output-test8 > ./report-test8 | ||
182 | grep ERROR report-test8 > out-test8 | ||
183 | |||
184 | #***************************************************************** | ||
185 | # PRINT REPORTS | ||
186 | #***************************************************************** | ||
187 | echo | ||
188 | echo | ||
189 | echo | ||
190 | echo | ||
191 | echo "**********************************************************" | ||
192 | echo "TEST RESULTS" | ||
193 | echo "**********************************************************" | ||
194 | |||
195 | wc -l out-test* | ||
196 | rm out-test* | ||
197 | echo | ||
198 | |||
199 | |||
200 | |||
201 | |||
202 | exit | ||
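--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -15,6 +15,7 @@ arr[9]="TEST 9: compile file transfer disabled"
 cleanup() {
 rm -f report*
 rm -fr firejail
+rm -f oc* om*
 }
 
 print_title() {
@@ -41,9 +42,6 @@ while [ $# -gt 0 ]; do # Until you run out of parameters . . .
 done
 
 cleanup
-# enable sudo
-sudo ls -al
-
 
 #*****************************************************************
 # TEST 1
@@ -57,11 +55,12 @@ git clone https://github.com/netblue30/firejail.git
 cd firejail
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
-sudo make install 2>&1 | tee ../output-install
 cd ..
-grep Warning output-configure output-make output-install > ./report-test1
-grep Error output-configure output-make output-install >> ./report-test1
-rm output-configure output-make output-install
+grep Warning output-configure output-make > ./report-test1
+grep Error output-configure output-make >> ./report-test1
+cp output-configure oc1
+cp output-make om1
+rm output-configure output-make
 
 
 #*****************************************************************
@@ -79,6 +78,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test2
 grep Error output-configure output-make >> ./report-test2
+cp output-configure oc2
+cp output-make om2
 rm output-configure output-make
 
 #*****************************************************************
@@ -96,6 +97,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test3
 grep Error output-configure output-make >> ./report-test3
+cp output-configure oc3
+cp output-make om3
 rm output-configure output-make
 
 #*****************************************************************
@@ -113,6 +116,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test4
 grep Error output-configure output-make >> ./report-test4
+cp output-configure oc4
+cp output-make om4
 rm output-configure output-make
 
 #*****************************************************************
@@ -130,6 +135,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test5
 grep Error output-configure output-make >> ./report-test5
+cp output-configure oc5
+cp output-make om5
 rm output-configure output-make
 
 #*****************************************************************
@@ -147,6 +154,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test6
 grep Error output-configure output-make >> ./report-test6
+cp output-configure oc6
+cp output-make om6
 rm output-configure output-make
 
 #*****************************************************************
@@ -164,6 +173,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test7
 grep Error output-configure output-make >> ./report-test7
+cp output-configure oc7
+cp output-make om7
 rm output-configure output-make
 
 
@@ -182,6 +193,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test8
 grep Error output-configure output-make >> ./report-test8
+cp output-configure oc8
+cp output-make om8
 rm output-configure output-make
 
 
@@ -200,6 +213,8 @@ make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test9
 grep Error output-configure output-make >> ./report-test9
+cp output-configure oc9
+cp output-make om9
 rm output-configure output-make
 
 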
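Review bot: `rm -f oc* om*` added to cleanup() on new line 18 deletes every file in the working directory whose name starts with `oc` or `om`, not only the copies this script creates on new lines 61–62 and in the later hunks, and the script runs from whatever directory it is invoked in. A prefix specific to this script, e.g. `cp output-configure output-configure-1` together with `rm -f output-configure-* output-make-*` in cleanup, keeps the glob from reaching unrelated files. The same pattern is introduced in test/dist-compile/compile.sh (line 19 there).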
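--- a/test/configure
+++ b/test/configure
@@ -28,7 +28,7 @@ ROOTDIR="/tmp/chroot" # default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}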
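Review bot: `/bin/ip` added to DEFAULT_FILES on line 31 is a hard-coded path; on distributions that install iproute2 under `/sbin` or `/usr/sbin` the entry names a file that does not exist, and the step that copies DEFAULT_FILES into the chroot is outside the hunk, so I cannot tell whether a missing entry aborts the build of the chroot or is skipped silently. Resolving the binary on the host at run time, e.g. `DEFAULT_FILES+=" $(command -v ip)"`, would make the list match the machine the tests run on. The existing `/bin/netstat` and `/sbin/ifconfig` entries have the same portability issue.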
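--- /dev/null
+++ b/test/dist-compile/compile.sh
@@ -0,0 +1,289 @@
+#!/bin/bash
+
+arr[1]="TEST 1: standard compilation"
+arr[2]="TEST 2: compile seccomp disabled"
+arr[3]="TEST 3: compile chroot disabled"
+arr[4]="TEST 4: compile bind disabled"
+arr[5]="TEST 5: compile user namespace disabled"
+arr[6]="TEST 6: compile network disabled"
+arr[7]="TEST 7: compile X11 disabled"
+arr[8]="TEST 8: compile network restricted"
+arr[9]="TEST 9: compile file transfer disabled"
+arr[10]="TEST 10: compile disable whitelist"
+arr[11]="TEST 11: compile disable global config"
+
+# remove previous reports and output file
+cleanup() {
+rm -f report*
+rm -fr firejail
+rm -f oc* om*
+}
+
+print_title() {
+echo
+echo
+echo
+echo "**************************************************"
+echo $1
+echo "**************************************************"
+}
+
+DIST="$1"
+while [ $# -gt 0 ]; do # Until you run out of parameters . . .
+case "$1" in
+--clean)
+cleanup
+exit
+;;
+--help)
+echo "./compile.sh [--clean|--help]"
+exit
+;;
+esac
+shift # Check next set of parameters.
+done
+
+cleanup
+
+
+#*****************************************************************
+# TEST 1
+#*****************************************************************
+# - checkout source code
+# - check compilation
+# - install
+#*****************************************************************
+print_title "${arr[1]}"
+echo "$DIST"
+tar -xjvf ../../$DIST.tar.bz2
+mv $DIST firejail
+
+cd firejail
+./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test1
+grep Error output-configure output-make >> ./report-test1
+cp output-configure oc1
+cp output-make om1
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 2
+#*****************************************************************
+# - disable seccomp configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[2]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test2
+grep Error output-configure output-make >> ./report-test2
+cp output-configure oc2
+cp output-make om2
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 3
+#*****************************************************************
+# - disable chroot configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[3]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test3
+grep Error output-configure output-make >> ./report-test3
+cp output-configure oc3
+cp output-make om3
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 4
+#*****************************************************************
+# - disable bind configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[4]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test4
+grep Error output-configure output-make >> ./report-test4
+cp output-configure oc4
+cp output-make om4
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 5
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[5]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test5
+grep Error output-configure output-make >> ./report-test5
+cp output-configure oc5
+cp output-make om5
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 6
+#*****************************************************************
+# - disable user namespace configuration
+# - check compilation
+#*****************************************************************
+print_title "${arr[6]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test6
+grep Error output-configure output-make >> ./report-test6
+cp output-configure oc6
+cp output-make om6
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 7
+#*****************************************************************
+# - disable X11 support
+# - check compilation
+#*****************************************************************
+print_title "${arr[7]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test7
+grep Error output-configure output-make >> ./report-test7
+cp output-configure oc7
+cp output-make om7
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 8
+#*****************************************************************
+# - enable network restricted
+# - check compilation
+#*****************************************************************
+print_title "${arr[8]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test8
+grep Error output-configure output-make >> ./report-test8
+cp output-configure oc8
+cp output-make om8
+rm output-configure output-make
+
+
+#*****************************************************************
+# TEST 9
+#*****************************************************************
+# - disable file transfer
+# - check compilation
+#*****************************************************************
+print_title "${arr[9]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test9
+grep Error output-configure output-make >> ./report-test9
+cp output-configure oc9
+cp output-make om9
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 10
+#*****************************************************************
+# - disable whitelist
+# - check compilation
+#*****************************************************************
+print_title "${arr[10]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test10
+grep Error output-configure output-make >> ./report-test10
+cp output-configure oc10
+cp output-make om10
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 11
+#*****************************************************************
+# - disable global config
+# - check compilation
+#*****************************************************************
+print_title "${arr[11]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test11
+grep Error output-configure output-make >> ./report-test11
+cp output-configure oc11
+cp output-make om11
+rm output-configure output-make
+
+
+#*****************************************************************
+# PRINT REPORTS
+#*****************************************************************
+echo
+echo
+echo
+echo
+echo "**********************************************************"
+echo "TEST RESULTS"
+echo "**********************************************************"
+
+wc -l report-test*
+echo
+echo "Legend:"
+echo ${arr[1]}
+echo ${arr[2]}
+echo ${arr[3]}
+echo ${arr[4]}
+echo ${arr[5]}
+echo ${arr[6]}
+echo ${arr[7]}
+echo ${arr[8]}
+echo ${arr[9]}
+echo ${arr[10]}
+echo ${arr[11]}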
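Review bot: `DIST="$1"` on line 31 is used unchecked on lines 58–59 (`tar -xjvf ../../$DIST.tar.bz2`, `mv $DIST firejail`): with no argument, or when the first argument is `--clean`/`--help` handled later by the loop, `$DIST` is empty or an option name, extraction fails, and because the script never sets `-e` every following test block still runs `make distclean`/`configure` while each failed `cd firejail` paired with `cd ..` can drift the working directory upward. Add after the option loop `: "${DIST:?usage: ./compile.sh <dist-name> [--clean|--help]}"` and `[ -f "../../$DIST.tar.bz2" ] || { echo "missing ../../$DIST.tar.bz2" >&2; exit 1; }`, quote the two expansions, and mention the argument in the `--help` text on line 39. The `# seccomp` comment is pasted into every block from line 98 on, and the TEST 6 header (line 151) says "disable user namespace configuration" while the block passes `--disable-network`; those comments should be corrected or dropped. Unlike the other new files in this commit, this one has no license header.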
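--- a/test/dns.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 30
-spawn $env(SHELL)
-match_max 100000
-
-# no chroot
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 1.2\n";exit}
-"1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# with chroot
-send -- "firejail --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# net eth0
-send -- "firejail --net=eth0 --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-timeout {puts "TESTING ERROR 3.1\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 3.2\n";exit}
-"1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-# net eth0 and chroot
-send -- "firejail --net=eth0 --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-timeout {puts "TESTING ERROR 4.1\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 4.2\n";exit}
-"1:wget:connect 208.67.222.222:53"
-}
-sleep 1
-
-send -- "rm index.html\r"
-sleep 1
-
-
-puts "\n"
-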
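--- a/test/shell_csh.exp
+++ b/test/environment/csh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,16 +14,13 @@ expect {
 }
 sleep 1
 
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 ".cshrc"
 }
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-"home"
-}
-send -- "env | grep SHELL;pwd\r"
+
+send -- "env | grep SHELL\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "SHELL"
@@ -29,10 +29,6 @@ expect {
 timeout {puts "TESTING ERROR 2.1\n";exit}
 "/bin/csh"
 }
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"home"
-}
 send -- "exit\r"
 sleep 1
 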
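Review bot: `send -- "find /home\r"` on new line 17 walks the whole /home tree, and the `.cshrc` match on line 20 is satisfied by any user's `.cshrc` anywhere under /home, not specifically the sandboxed user's; on a multi-user host this is slow, prints permission errors, and can exceed the 10 s timeout before the relevant entry appears. Listing the home directory is enough for the check the test makes: `send -- "ls -a ~\r"`. The firejail command that spawns the csh shell is outside the hunk, so I am assuming the shell under test is the one whose `~` is meant.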
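--- a/test/shell_dash.exp
+++ b/test/environment/dash.exp
@@ -1,6 +1,7 @@
 #!/usr/bin/expect -f
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 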
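Review bot: The added `cd /home` on new line 4 is a Tcl command that raises an error if the directory is missing or not searchable, which aborts the script with an uncaught-error trace instead of the `TESTING ERROR` line the runner greps for, and the reason for changing the working directory before the spawn is not stated. Guard it and say why: `if {[catch {cd /home} err]} {puts "TESTING ERROR 0: $err\n"; exit}` preceded by a one-line comment explaining what the sandbox is expected to do differently when started from /home.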
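--- /dev/null
+++ b/test/environment/dns.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+# no chroot
+send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
+expect {
+timeout {puts "TESTING ERROR 1.1\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"connect"
+}
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"208.67.222.222"
+}
+expect {
+timeout {puts "TESTING ERROR 1.2\n";exit}
+"53"
+}
+
+after 100
+
+send -- "rm index.html\r"
+after 100
+puts "\nall done\n"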
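Review bot: The three `expect` blocks on lines 13–24 all print `TESTING ERROR 1.2` on timeout, so a failing run cannot say whether `connect`, the resolver address or the port was the string not seen; number them 1.2, 1.3 and 1.4. Matching the bare string `"53"` on line 23 is also weak, since any trace line containing those two digits (a PID, a byte count) satisfies it; if the trace format allows, match the port together with the address, `"208.67.222.222:53"`. The test needs outbound network access and a reachable external resolver, and `rm index.html` on line 28 only has something to remove when wget succeeded — a short comment at the top stating those prerequisites would help anyone running the suite offline.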
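--- a/test/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -15,7 +15,7 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"parent is shutting down"
+"Parent is shutting down"
 }
 sleep 1
 
@@ -36,23 +36,23 @@ expect {
 sleep 3
 
 spawn $env(SHELL)
-send -- "firejail --list;pwd\r"
+send -- "firejail --list;ls -d /tmp\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "name=testing"
 }
 expect {
 timeout {puts "TESTING ERROR 7\n";exit}
-"home"
+"/tmp"
 }
-send -- "firejail --list;pwd\r"
+send -- "firejail --list;ls -d /tmp\r"
 expect {
 timeout {puts "TESTING ERROR 8 (join)\n";exit}
 "join=testing"
 }
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
-"home"
+"/tmp"
 }
 
 sleep 1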
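Review bot: The replacement check on new lines 39/46 and 48/55 — `ls -d /tmp` followed by expecting `/tmp` — only shows that `ls` ran, something the preceding `name=testing`/`join=testing` matches already imply; the old `pwd`/`home` pair at least tied the result to the working directory. If the intent is to confirm the shell is still usable after `firejail --list`, a comment such as `# a second command after --list confirms the shell is still responsive` would stop the next editor from tightening it the wrong way; if the working directory was the point, expect the output of `pwd` instead. Note also that `/tmp` is part of the echoed command line in a pty-backed spawn; it is consumed before the `name=testing` match in this ordering, so the check is not vacuous now, but reordering the two expects would make it so.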
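--- a/test/env.exp
+++ b/test/environment/env.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)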
diff --git a/test/env.profile b/test/environment/env.profile index ba66e6210..ba66e6210 100644 --- a/test/env.profile +++ b/test/environment/env.profile | |||
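--- /dev/null
+++ b/test/environment/environment.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: DNS (test/environment/dns.exp)"
+./dns.exp
+
+echo "TESTING: doubledash (test/environment/doubledash.exp"
+mkdir -- -testdir
+touch -- -testdir/ttt
+cp -- /bin/bash -testdir/.
+./doubledash.exp
+rm -fr -- -testdir
+
+echo "TESTING: output (test/environment/output.exp)"
+./output.exp
+
+echo "TESTING: extract command (extract_command.exp)"
+./extract_command.exp
+
+echo "TESTING: environment variables (test/environment/env.exp)"
+./env.exp
+
+echo "TESTING: shell none(test/environment/shell-none.exp)"
+./shell-none.exp
+
+which dash
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: dash (test/environment/dash.exp)"
+./dash.exp
+else
+echo "TESTING SKIP: dash not found"
+fi
+
+which csh
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: csh (test/environment/csh.exp)"
+./csh.exp
+else
+echo "TESTING SKIP: csh not found"
+fi
+
+which zsh
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: zsh (test/environment/zsh.exp)"
+./csh.exp
+else
+echo "TESTING SKIP: zsh not found"
+fi
+
+echo "TESTING: rlimit (test/environment/rlimit.exp)"
+./rlimit.exp
+
+echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
+./rlimit-profile.exp
+
+echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
+./firejail-in-firejail.exp
+
+echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
+./firejail-in-firejail2.exp
+
+which aplay
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: sound (test/environment/sound.exp)"
+./sound.exp
+else
+echo "TESTING SKIP: aplay not found"
+fi
+
+echo "TESTING: nice (test/environment/nice.exp)"
+./nice.exp
+
+echo "TESTING: quiet (test/environment/quiet.exp)"
+./quiet.exp
+
+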
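--- a/test/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --debug ls -al\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"Reading profile /etc/firejail/generic.profile"
+"Reading profile /etc/firejail/default.profile"
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
@@ -15,9 +15,9 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"parent is shutting down, bye"
+"Parent is shutting down, bye"
 }
-sleep 1
+after 100
 
 puts "\nall done\n"
 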
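Review bot: The consecutive timeouts on lines 13 and 17 both print `TESTING ERROR 2`, so the log cannot tell whether the pattern on line 14 (outside the hunk) or `Parent is shutting down, bye` was the one not seen; renumber the second to `TESTING ERROR 3`. Replacing `sleep 1` with `after 100` on line 20 shortens the pause before the script ends, and environment.sh runs these scripts back to back, so if sandbox teardown takes longer than that the next test may start while this sandbox is still exiting — if 100 ms was measured to be enough, a brief comment saying so would save the next reader the same question.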
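--- a/test/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)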
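--- a/test/firejail-in-firejail2.exp
+++ b/test/environment/firejail-in-firejail2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)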
diff --git a/test/nice.exp b/test/environment/nice.exp index f4afb547d..3a5db71c8 100755 --- a/test/nice.exp +++ b/test/environment/nice.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -14,7 +17,7 @@ sleep 1 | |||
14 | send -- "top -b -n 1\r" | 17 | send -- "top -b -n 1\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "netblue" | 20 | $env(USER) |
18 | } | 21 | } |
19 | expect { | 22 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
@@ -26,7 +29,7 @@ expect { | |||
26 | } | 29 | } |
27 | expect { | 30 | expect { |
28 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 4\n";exit} |
29 | "netblu" | 32 | $env(USER) |
30 | } | 33 | } |
31 | expect { | 34 | expect { |
32 | timeout {puts "TESTING ERROR 5\n";exit} | 35 | timeout {puts "TESTING ERROR 5\n";exit} |
@@ -51,7 +54,7 @@ sleep 1 | |||
51 | send -- "top -b -n 1\r" | 54 | send -- "top -b -n 1\r" |
52 | expect { | 55 | expect { |
53 | timeout {puts "TESTING ERROR 11\n";exit} | 56 | timeout {puts "TESTING ERROR 11\n";exit} |
54 | "netblue" | 57 | $env(USER) |
55 | } | 58 | } |
56 | expect { | 59 | expect { |
57 | timeout {puts "TESTING ERROR 12\n";exit} | 60 | timeout {puts "TESTING ERROR 12\n";exit} |
@@ -63,7 +66,7 @@ expect { | |||
63 | } | 66 | } |
64 | expect { | 67 | expect { |
65 | timeout {puts "TESTING ERROR 14\n";exit} | 68 | timeout {puts "TESTING ERROR 14\n";exit} |
66 | "netblu" | 69 | $env(USER) |
67 | } | 70 | } |
68 | expect { | 71 | expect { |
69 | timeout {puts "TESTING ERROR 15\n";exit} | 72 | timeout {puts "TESTING ERROR 15\n";exit} |
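Review bot: Replacing the literal `"netblu"` with `$env(USER)` at new lines 32 and 69 changes what the pattern tolerates: the old six-character string was presumably chosen because `top`'s USER column truncates long names, so a test account whose name exceeds the column width will now time out with ERROR 4 or 14 even though the process is listed. `$env(USER)` is also used as an unquoted glob pattern and raises a Tcl error when USER is unset, as it can be under sudo or cron. Derive the name once with a fallback and match only its prefix where `top` output is inspected: `set user [expr {[info exists env(USER)] ? $env(USER) : [exec id -un]}]` and `set user7 [string range $user 0 6]`, then use `$user7` at lines 32 and 69. The header hunk at lines 2–4 is a license comment and needs nothing.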
diff --git a/test/nice.profile b/test/environment/nice.profile index d02c8f58b..d02c8f58b 100644 --- a/test/nice.profile +++ b/test/environment/nice.profile | |||
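--- a/test/output.exp
+++ b/test/environment/output.exp
@@ -59,8 +59,7 @@ expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 "logfile.5"
 }
-sleep 1
+after 100
 send -- "rm -f logfile*\r"
-sleep 1
-
-puts "\n"
+after 100
+puts "\nall done\n"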
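Review bot: The cleanup at new line 63 sends `rm -f logfile*` and the script then simply ends after a fixed `after 100` at line 64 (previously a `sleep 1`), so nothing confirms the files are gone before the runner starts the next test, and a slow host leaves stale logfiles for the following run. Wait for a sentinel instead: `send -- "rm -f logfile*; echo CLEANUP-DONE | tr A-Z a-z\r"` followed by `expect { timeout {puts "TESTING ERROR 8\n";exit} "cleanup-done" }`; the `tr` keeps the echoed command line from matching the sentinel before the shell has run it. The rest of output.exp is outside the hunk.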
diff --git a/test/output.sh b/test/environment/output.sh index 2be188e3a..2be188e3a 100755 --- a/test/output.sh +++ b/test/environment/output.sh | |||
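--- /dev/null
+++ b/test/environment/quiet.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+# check ip address
+send -- "firejail --quiet echo done\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Reading profile" {puts "TESTING ERROR 2\n";exit}
+"Child process initialized" {puts "TESTING ERROR 3\n";exit}
+"done"
+}
+sleep 1
+
+puts "\nall done\n"
+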
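Review bot: The negative checks at lines 14–15 are likely ineffective: the spawned interactive shell echoes the typed command, so the buffer already contains `firejail --quiet echo done` before firejail prints anything, and the `"done"` arm at line 16 matches that echo and ends the expect before `Reading profile` or `Child process initialized` could ever arrive. Consume the echo first with `expect { timeout {puts "TESTING ERROR 0\n";exit} "firejail --quiet echo done" }` and only then run the block with the two error arms, so they are tested against the program's output. The comment at line 10, `# check ip address`, is copied from another test; `# --quiet must suppress the profile and child-init messages` says what this one verifies.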
diff --git a/test/profile_rlimit.exp b/test/environment/rlimit-profile.exp index 7d2637444..7ee828bf2 100755 --- a/test/profile_rlimit.exp +++ b/test/environment/rlimit-profile.exp | |||
@@ -1,6 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | 2 | ||
3 | set timeout 10 | 3 | set timeout 10 |
4 | #cd /home | ||
4 | spawn $env(SHELL) | 5 | spawn $env(SHELL) |
5 | match_max 100000 | 6 | match_max 100000 |
6 | 7 | ||
@@ -11,7 +12,7 @@ expect { | |||
11 | } | 12 | } |
12 | sleep 1 | 13 | sleep 1 |
13 | 14 | ||
14 | send -- "cat /proc/self/limits; pwd\r" | 15 | send -- "cat /proc/self/limits\r" |
15 | expect { | 16 | expect { |
16 | timeout {puts "TESTING ERROR 1.1\n";exit} | 17 | timeout {puts "TESTING ERROR 1.1\n";exit} |
17 | "Max file size 1024 1024" | 18 | "Max file size 1024 1024" |
@@ -28,9 +29,5 @@ expect { | |||
28 | timeout {puts "TESTING ERROR 1.4\n";exit} | 29 | timeout {puts "TESTING ERROR 1.4\n";exit} |
29 | "Max pending signals 200 200" | 30 | "Max pending signals 200 200" |
30 | } | 31 | } |
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 1.5\n";exit} | ||
33 | "home" | ||
34 | } | ||
35 | sleep 1 | 32 | sleep 1 |
36 | puts "\n" | 33 | puts "\nall done\n" |
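Review bot: The added `#cd /home` at new line 4 is a commented-out statement with no explanation; the companion rlimit.exp hunk in this commit deletes its `cd /home` outright, and the `pwd`/`"home"` checks that depended on it are removed here as well (old lines 31–34), so the line should be deleted rather than kept as dead code. The limits patterns at lines 18 onward are unchanged and outside the scope of this change.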
diff --git a/test/option_rlimit.exp b/test/environment/rlimit.exp index 17d2bd9d1..680520b33 100755 --- a/test/option_rlimit.exp +++ b/test/environment/rlimit.exp | |||
@@ -1,6 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | 2 | ||
3 | set timeout 10 | 3 | set timeout 10 |
4 | cd /home | ||
4 | spawn $env(SHELL) | 5 | spawn $env(SHELL) |
5 | match_max 100000 | 6 | match_max 100000 |
6 | 7 | ||
diff --git a/test/rlimit.profile b/test/environment/rlimit.profile index 271891c03..271891c03 100644 --- a/test/rlimit.profile +++ b/test/environment/rlimit.profile | |||
diff --git a/test/seccomp-dualfilter.exp b/test/environment/shell-none.exp index b497be5ea..e30008f83 100755 --- a/test/seccomp-dualfilter.exp +++ b/test/environment/shell-none.exp | |||
@@ -1,38 +1,48 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
5 | match_max 100000 | 8 | match_max 100000 |
6 | 9 | ||
7 | send -- "firejail ../src/tools/syscall_test mount\r" | 10 | send -- "firejail --shell=none\r" |
8 | expect { | 11 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 13 | "shell=none configured, but no program specified" |
11 | } | 14 | } |
15 | sleep 1 | ||
16 | |||
17 | send -- "firejail --profile=shell-none.profile\r" | ||
12 | expect { | 18 | expect { |
13 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
14 | "before mount" | 20 | "shell=none configured, but no program specified" |
15 | } | 21 | } |
22 | sleep 1 | ||
23 | |||
24 | send -- "firejail --shell=none ls\r" | ||
16 | expect { | 25 | expect { |
17 | timeout {puts "TESTING ERROR 2\n";exit} | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
18 | "after mount" {puts "TESTING ERROR 2.1\n";exit} | 27 | "Child process initialized" |
19 | "parent is shutting down" | ||
20 | } | 28 | } |
21 | sleep 1 | ||
22 | |||
23 | send -- "firejail ../src/tools/syscall_test32 mount\r" | ||
24 | expect { | 29 | expect { |
25 | timeout {puts "TESTING ERROR 3\n";exit} | 30 | timeout {puts "TESTING ERROR 3\n";exit} |
26 | "Child process initialized" | 31 | "environment.sh" |
27 | } | 32 | } |
33 | sleep 1 | ||
34 | |||
35 | send -- "firejail --profile=shell-none.profile ls\r" | ||
28 | expect { | 36 | expect { |
29 | timeout {puts "TESTING ERROR 4\n";exit} | 37 | timeout {puts "TESTING ERROR 4\n";exit} |
30 | "before mount" | 38 | "Child process initialized" |
31 | } | 39 | } |
32 | expect { | 40 | expect { |
33 | timeout {puts "TESTING ERROR 5\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
34 | "after mount" {puts "TESTING ERROR 5.1\n";exit} | 42 | "environment.sh" |
35 | "parent is shutting down" | ||
36 | } | 43 | } |
44 | sleep 1 | ||
45 | |||
37 | 46 | ||
38 | puts "\nall done\n" | 47 | puts "\nall done\n" |
48 | |||
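Review bot: Git paired test/seccomp-dualfilter.exp with the new test/environment/shell-none.exp as a rename, but the two have nothing in common: the old file exercised the 32-bit and 64-bit seccomp filters via `../src/tools/syscall_test mount` and `syscall_test32 mount`, and this commit drops that coverage with no replacement visible in this part of the diff. Unless the dual-filter check was moved elsewhere in the commit, a test of the sandbox's syscall filtering has been removed silently and should be restored under its own name. The new content itself is fine; a comment above line 10 such as `# shell=none must refuse to start without a program, and must still run one when given` would state what the four sends check.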
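--- /dev/null
+++ b/test/environment/shell-none.profile
@@ -0,0 +1 @@
+shell none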
diff --git a/test/sound.exp b/test/environment/sound.exp index 7df50bf16..e2e8fb610 100755 --- a/test/sound.exp +++ b/test/environment/sound.exp | |||
@@ -1,4 +1,8 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
2 | 6 | ||
3 | set timeout 10 | 7 | set timeout 10 |
4 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
@@ -11,7 +15,7 @@ expect { | |||
11 | } | 15 | } |
12 | expect { | 16 | expect { |
13 | timeout {puts "TESTING ERROR 2\n";exit} | 17 | timeout {puts "TESTING ERROR 2\n";exit} |
14 | "parent is shutting down" | 18 | "Parent is shutting down" |
15 | } | 19 | } |
16 | sleep 2 | 20 | sleep 2 |
17 | 21 | ||
@@ -27,7 +31,7 @@ expect { | |||
27 | } | 31 | } |
28 | expect { | 32 | expect { |
29 | timeout {puts "TESTING ERROR 5\n";exit} | 33 | timeout {puts "TESTING ERROR 5\n";exit} |
30 | "parent is shutting down" | 34 | "Parent is shutting down" |
31 | } | 35 | } |
32 | sleep 2 | 36 | sleep 2 |
33 | 37 | ||
@@ -39,7 +43,7 @@ expect { | |||
39 | } | 43 | } |
40 | expect { | 44 | expect { |
41 | timeout {puts "TESTING ERROR 12\n";exit} | 45 | timeout {puts "TESTING ERROR 12\n";exit} |
42 | "parent is shutting down" | 46 | "Parent is shutting down" |
43 | } | 47 | } |
44 | sleep 2 | 48 | sleep 2 |
45 | 49 | ||
@@ -55,7 +59,7 @@ expect { | |||
55 | } | 59 | } |
56 | expect { | 60 | expect { |
57 | timeout {puts "TESTING ERROR 15\n";exit} | 61 | timeout {puts "TESTING ERROR 15\n";exit} |
58 | "parent is shutting down" | 62 | "Parent is shutting down" |
59 | } | 63 | } |
60 | sleep 2 | 64 | sleep 2 |
61 | 65 | ||
@@ -71,9 +75,9 @@ expect { | |||
71 | } | 75 | } |
72 | expect { | 76 | expect { |
73 | timeout {puts "TESTING ERROR 25\n";exit} | 77 | timeout {puts "TESTING ERROR 25\n";exit} |
74 | "parent is shutting down" | 78 | "Parent is shutting down" |
75 | } | 79 | } |
76 | sleep 2 | 80 | sleep 2 |
77 | 81 | ||
78 | puts "\n" | 82 | puts "\nall done\n" |
79 | 83 | ||
diff --git a/test/sound.profile b/test/environment/sound.profile index 2f83a0bbb..2f83a0bbb 100644 --- a/test/sound.profile +++ b/test/environment/sound.profile | |||
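--- a/test/shell_zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -11,15 +14,12 @@ expect {
 }
 sleep 1
 
-send -- "ls -al;pwd\r"
+send -- "find /home\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 ".zshrc"
 }
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-"home"
-}
+
 send -- "env | grep SHELL;pwd\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
@@ -29,12 +29,8 @@ expect {
 timeout {puts "TESTING ERROR 2.1\n";exit}
 "/usr/bin/zsh"
 }
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"home"
-}
 send -- "exit\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 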
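Review bot: `find /home` at new line 17 walks every home directory on the host just to prove a `.zshrc` is visible, and on a shared machine the match can come from another user's file, so it does not show that this sandbox sees the test user's own `.zshrc`; `send -- "ls -a ~\r"` with the same `".zshrc"` arm proves the intended thing without the traversal. The `;pwd` in `send -- "env | grep SHELL;pwd\r"` at line 23 now has no consumer, since the `"home"` arm that read it (old lines 32–35) was removed, and can be dropped. The sandbox start at the top of the file is outside the hunks.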
diff --git a/test/features/1.1.exp b/test/features/1.1.exp index 0d02b54c1..804b73135 100755 --- a/test/features/1.1.exp +++ b/test/features/1.1.exp | |||
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } { | |||
36 | send -- "firejail --noprofile --overlay\r" | 36 | send -- "firejail --noprofile --overlay\r" |
37 | expect { | 37 | expect { |
38 | timeout {puts "TESTING ERROR 2\n";exit} | 38 | timeout {puts "TESTING ERROR 2\n";exit} |
39 | "Child process initialized" | 39 | "overlay option is not available" {puts "grsecurity\n"; exit} |
40 | "Child process initialized" {puts "normal system\n"} | ||
40 | } | 41 | } |
41 | sleep 1 | 42 | sleep 1 |
42 | 43 | ||
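Review bot: The new `"overlay option is not available" {puts "grsecurity\n"; exit}` arm at line 39 ends the whole script with status 0, so on a kernel without overlay support everything after this expect is skipped, including the chroot branch that in this commit visibly follows the overlay branch in 1.8.exp and 2.6.exp and presumably does here as well. The same arm is added in 1.10, 1.2, 1.4, 1.5, 1.6, 1.7, 1.8, 2.1 to 2.6, 3.1, 3.10, 3.11, 3.2 and 3.3. Prefer recording the skip in a variable and guarding the remainder of the overlay branch with it, so the later checks still run, and print a marker the runner can tell apart from a pass rather than a bare `grsecurity`. The enclosing `if { $overlay == "overlay" }` block starts and ends outside the hunk.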
diff --git a/test/features/1.10.exp b/test/features/1.10.exp index d9ed8cc6e..e7d51007c 100755 --- a/test/features/1.10.exp +++ b/test/features/1.10.exp | |||
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } { | |||
37 | send -- "firejail --noprofile --overlay\r" | 37 | send -- "firejail --noprofile --overlay\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 2\n";exit} | 39 | timeout {puts "TESTING ERROR 2\n";exit} |
40 | "Child process initialized" | 40 | "overlay option is not available" {puts "grsecurity\n"; exit} |
41 | "Child process initialized" {puts "normal system\n"} | ||
41 | } | 42 | } |
42 | sleep 1 | 43 | sleep 1 |
43 | 44 | ||
diff --git a/test/features/1.2.exp b/test/features/1.2.exp index 65fcd54ae..685acf737 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp | |||
@@ -34,7 +34,7 @@ expect { | |||
34 | } | 34 | } |
35 | expect { | 35 | expect { |
36 | timeout {puts "TESTING ERROR 1.4\n";exit} | 36 | timeout {puts "TESTING ERROR 1.4\n";exit} |
37 | "proc /proc/sysrq-trigger proc" | 37 | "/proc/sysrq-trigger" |
38 | } | 38 | } |
39 | #expect { | 39 | #expect { |
40 | # timeout {puts "TESTING ERROR 1.5\n";exit} | 40 | # timeout {puts "TESTING ERROR 1.5\n";exit} |
@@ -42,11 +42,11 @@ expect { | |||
42 | #} | 42 | #} |
43 | expect { | 43 | expect { |
44 | timeout {puts "TESTING ERROR 1.6\n";exit} | 44 | timeout {puts "TESTING ERROR 1.6\n";exit} |
45 | "proc /proc/irq proc" | 45 | "/proc/irq" |
46 | } | 46 | } |
47 | expect { | 47 | expect { |
48 | timeout {puts "TESTING ERROR 1.7\n";exit} | 48 | timeout {puts "TESTING ERROR 1.7\n";exit} |
49 | "proc /proc/bus proc" | 49 | "/proc/bus" |
50 | } | 50 | } |
51 | after 100 | 51 | after 100 |
52 | send -- "exit\r" | 52 | send -- "exit\r" |
@@ -60,7 +60,8 @@ if { $overlay == "overlay" } { | |||
60 | send -- "firejail --noprofile --overlay\r" | 60 | send -- "firejail --noprofile --overlay\r" |
61 | expect { | 61 | expect { |
62 | timeout {puts "TESTING ERROR 2\n";exit} | 62 | timeout {puts "TESTING ERROR 2\n";exit} |
63 | "Child process initialized" | 63 | "overlay option is not available" {puts "grsecurity\n"; exit} |
64 | "Child process initialized" {puts "normal system\n"} | ||
64 | } | 65 | } |
65 | sleep 1 | 66 | sleep 1 |
66 | 67 | ||
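Review bot: Dropping the mount source and type from the patterns at lines 37, 45 and 49 (`"proc /proc/sysrq-trigger proc"` becomes `"/proc/sysrq-trigger"`) weakens what this test proves: the bare path now matches any output line that mentions it, so the assertion that the pseudo-file is masked by its own mount entry no longer distinguishes a blocked path from one that is merely listed. If the old form broke because the entry looks different on newer kernels, a regex that still demands a mount record, such as `-re {\S+ /proc/sysrq-trigger \S+}`, keeps the intent. The command whose output is matched is outside the hunk, so this is inferred from the shape of the old pattern.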
diff --git a/test/features/1.4.exp b/test/features/1.4.exp index 1c626518b..d6f373e2a 100755 --- a/test/features/1.4.exp +++ b/test/features/1.4.exp | |||
@@ -49,7 +49,8 @@ if { $overlay == "overlay" } { | |||
49 | send -- "firejail --noprofile --overlay\r" | 49 | send -- "firejail --noprofile --overlay\r" |
50 | expect { | 50 | expect { |
51 | timeout {puts "TESTING ERROR 2\n";exit} | 51 | timeout {puts "TESTING ERROR 2\n";exit} |
52 | "Child process initialized" | 52 | "overlay option is not available" {puts "grsecurity\n"; exit} |
53 | "Child process initialized" {puts "normal system\n"} | ||
53 | } | 54 | } |
54 | sleep 1 | 55 | sleep 1 |
55 | 56 | ||
diff --git a/test/features/1.5.exp b/test/features/1.5.exp index 56530f3f4..a17504e74 100755 --- a/test/features/1.5.exp +++ b/test/features/1.5.exp | |||
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } { | |||
36 | send -- "firejail --noprofile --overlay\r" | 36 | send -- "firejail --noprofile --overlay\r" |
37 | expect { | 37 | expect { |
38 | timeout {puts "TESTING ERROR 2\n";exit} | 38 | timeout {puts "TESTING ERROR 2\n";exit} |
39 | "Child process initialized" | 39 | "overlay option is not available" {puts "grsecurity\n"; exit} |
40 | "Child process initialized" {puts "normal system\n"} | ||
40 | } | 41 | } |
41 | sleep 1 | 42 | sleep 1 |
42 | 43 | ||
diff --git a/test/features/1.6.exp b/test/features/1.6.exp index e8ab456e4..0db929c5a 100755 --- a/test/features/1.6.exp +++ b/test/features/1.6.exp | |||
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } { | |||
36 | send -- "firejail --noprofile --overlay\r" | 36 | send -- "firejail --noprofile --overlay\r" |
37 | expect { | 37 | expect { |
38 | timeout {puts "TESTING ERROR 2\n";exit} | 38 | timeout {puts "TESTING ERROR 2\n";exit} |
39 | "Child process initialized" | 39 | "overlay option is not available" {puts "grsecurity\n"; exit} |
40 | "Child process initialized" {puts "normal system\n"} | ||
40 | } | 41 | } |
41 | sleep 1 | 42 | sleep 1 |
42 | 43 | ||
diff --git a/test/features/1.7.exp b/test/features/1.7.exp index 2b79ea6be..b838c092f 100755 --- a/test/features/1.7.exp +++ b/test/features/1.7.exp | |||
@@ -38,7 +38,8 @@ if { $overlay == "overlay" } { | |||
38 | send -- "firejail --noprofile --overlay\r" | 38 | send -- "firejail --noprofile --overlay\r" |
39 | expect { | 39 | expect { |
40 | timeout {puts "TESTING ERROR 2\n";exit} | 40 | timeout {puts "TESTING ERROR 2\n";exit} |
41 | "Child process initialized" | 41 | "overlay option is not available" {puts "grsecurity\n"; exit} |
42 | "Child process initialized" {puts "normal system\n"} | ||
42 | } | 43 | } |
43 | sleep 1 | 44 | sleep 1 |
44 | 45 | ||
diff --git a/test/features/1.8.exp b/test/features/1.8.exp index d937f4f12..4c6d3f3dc 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp | |||
@@ -20,15 +20,39 @@ expect { | |||
20 | } | 20 | } |
21 | sleep 1 | 21 | sleep 1 |
22 | 22 | ||
23 | send -- "ls /etc/firejail\r" | 23 | send -- "ls ~/.config/firejail\r" |
24 | expect { | 24 | expect { |
25 | timeout {puts "TESTING ERROR 1\n";exit} | 25 | timeout {puts "TESTING ERROR 1.1\n";exit} |
26 | "Permission denied" | 26 | "Permission denied" |
27 | } | 27 | } |
28 | after 100 | 28 | after 100 |
29 | send -- "ls ~/.config/firejail\r" | 29 | send -- "ls /run/firejail/bandwidth\r" |
30 | expect { | 30 | expect { |
31 | timeout {puts "TESTING ERROR 1.1\n";exit} | 31 | timeout {puts "TESTING ERROR 1.2\n";exit} |
32 | "Permission denied" | ||
33 | } | ||
34 | after 100 | ||
35 | #send -- "ls /run/firejail/mnt\r" | ||
36 | #expect { | ||
37 | # timeout {puts "TESTING ERROR 1.3\n";exit} | ||
38 | # "Permission denied" | ||
39 | #} | ||
40 | #after 100 | ||
41 | send -- "ls /run/firejail/name\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 1.4\n";exit} | ||
44 | "Permission denied" | ||
45 | } | ||
46 | after 100 | ||
47 | send -- "ls /run/firejail/network\r" | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 1.5\n";exit} | ||
50 | "Permission denied" | ||
51 | } | ||
52 | after 100 | ||
53 | send -- "ls /run/firejail/x11\r" | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 1.6\n";exit} | ||
32 | "Permission denied" | 56 | "Permission denied" |
33 | } | 57 | } |
34 | after 100 | 58 | after 100 |
@@ -43,18 +67,43 @@ if { $overlay == "overlay" } { | |||
43 | send -- "firejail --noprofile --overlay\r" | 67 | send -- "firejail --noprofile --overlay\r" |
44 | expect { | 68 | expect { |
45 | timeout {puts "TESTING ERROR 2\n";exit} | 69 | timeout {puts "TESTING ERROR 2\n";exit} |
46 | "Child process initialized" | 70 | "overlay option is not available" {puts "grsecurity\n"; exit} |
71 | "Child process initialized" {puts "normal system\n"} | ||
47 | } | 72 | } |
48 | sleep 1 | 73 | sleep 1 |
49 | send -- "ls /etc/firejail\r" | 74 | send -- "ls ~/.config/firejail\r" |
75 | expect { | ||
76 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
77 | "Permission denied" | ||
78 | } | ||
79 | after 100 | ||
80 | send -- "ls /run/firejail/bandwidth\r" | ||
50 | expect { | 81 | expect { |
51 | timeout {puts "TESTING ERROR 3\n";exit} | 82 | timeout {puts "TESTING ERROR 3.2\n";exit} |
52 | "Permission denied" | 83 | "Permission denied" |
53 | } | 84 | } |
54 | after 100 | 85 | after 100 |
55 | send -- "ls ~/.config/firejail\r" | 86 | #send -- "ls /run/firejail/mnt\r" |
87 | #expect { | ||
88 | # timeout {puts "TESTING ERROR 3.3\n";exit} | ||
89 | # "Permission denied" | ||
90 | #} | ||
91 | #after 100 | ||
92 | send -- "ls /run/firejail/name\r" | ||
56 | expect { | 93 | expect { |
57 | timeout {puts "TESTING ERROR 3.1\n";exit} | 94 | timeout {puts "TESTING ERROR 3.4\n";exit} |
95 | "Permission denied" | ||
96 | } | ||
97 | after 100 | ||
98 | send -- "ls /run/firejail/network\r" | ||
99 | expect { | ||
100 | timeout {puts "TESTING ERROR 3.5\n";exit} | ||
101 | "Permission denied" | ||
102 | } | ||
103 | after 100 | ||
104 | send -- "ls /run/firejail/x11\r" | ||
105 | expect { | ||
106 | timeout {puts "TESTING ERROR 3.6\n";exit} | ||
58 | "Permission denied" | 107 | "Permission denied" |
59 | } | 108 | } |
60 | after 100 | 109 | after 100 |
@@ -73,15 +122,39 @@ if { $chroot == "chroot" } { | |||
73 | "Child process initialized" | 122 | "Child process initialized" |
74 | } | 123 | } |
75 | sleep 1 | 124 | sleep 1 |
76 | send -- "ls /etc/firejail\r" | 125 | send -- "ls ~/.config/firejail\r" |
77 | expect { | 126 | expect { |
78 | timeout {puts "TESTING ERROR 5\n";exit} | 127 | timeout {puts "TESTING ERROR 5.1\n";exit} |
79 | "Permission denied" | 128 | "Permission denied" |
80 | } | 129 | } |
81 | after 100 | 130 | after 100 |
82 | send -- "ls ~/.config/firejail\r" | 131 | send -- "ls /run/firejail/bandwidth\r" |
83 | expect { | 132 | expect { |
84 | timeout {puts "TESTING ERROR 5.1\n";exit} | 133 | timeout {puts "TESTING ERROR 5.2\n";exit} |
134 | "Permission denied" | ||
135 | } | ||
136 | after 100 | ||
137 | #send -- "ls /run/firejail/mnt\r" | ||
138 | #expect { | ||
139 | # timeout {puts "TESTING ERROR 5.3\n";exit} | ||
140 | # "Permission denied" | ||
141 | #} | ||
142 | #after 100 | ||
143 | send -- "ls /run/firejail/name\r" | ||
144 | expect { | ||
145 | timeout {puts "TESTING ERROR 5.4\n";exit} | ||
146 | "Permission denied" | ||
147 | } | ||
148 | after 100 | ||
149 | send -- "ls /run/firejail/network\r" | ||
150 | expect { | ||
151 | timeout {puts "TESTING ERROR 5.5\n";exit} | ||
152 | "Permission denied" | ||
153 | } | ||
154 | after 100 | ||
155 | send -- "ls /run/firejail/x11\r" | ||
156 | expect { | ||
157 | timeout {puts "TESTING ERROR 5.6\n";exit} | ||
85 | "Permission denied" | 158 | "Permission denied" |
86 | } | 159 | } |
87 | after 100 | 160 | after 100 |
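Review bot: The `#send -- "ls /run/firejail/mnt\r"` blocks at new lines 35–40, 86–91 and 137–142 are commented-out checks with no reason given; if `/run/firejail/mnt` is meant to be readable they should be deleted, and if it is meant to be denied but currently is not, a `# TODO: /run/firejail/mnt is still listable; re-enable once it is blocked` line records the gap instead of dead code. The `ls /etc/firejail` assertion each section used to open with (old lines 23, 49 and 76) is gone without replacement, so the test no longer states whether the system profile directory is meant to be readable inside the sandbox; if that is now intended, say so in a comment. The five remaining checks are repeated verbatim in the N, O and C sections, whose enclosing `if` blocks start outside the hunks; a helper keeps the list of blocked paths in one place:
```tcl
# Every path below must be unreadable inside the sandbox; `tag` only
# distinguishes the TESTING ERROR messages (1.x, 3.x, 5.x per section).
proc expect_denied {path tag} {
	send -- "ls $path\r"
	expect {
		timeout {puts "TESTING ERROR $tag\n";exit}
		"Permission denied"
	}
	after 100
}
# … unchanged: sandbox start of the N section …
expect_denied ~/.config/firejail 1.1
expect_denied /run/firejail/bandwidth 1.2
expect_denied /run/firejail/name 1.4
expect_denied /run/firejail/network 1.5
expect_denied /run/firejail/x11 1.6
# … unchanged: O and C sections call the same helper with tags 3.x and 5.x …
```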
diff --git a/test/features/2.1.exp b/test/features/2.1.exp index 07d6a9820..074b5989b 100755 --- a/test/features/2.1.exp +++ b/test/features/2.1.exp | |||
@@ -52,7 +52,8 @@ if { $overlay == "overlay" } { | |||
52 | send -- "firejail --noprofile --hostname=bingo --overlay\r" | 52 | send -- "firejail --noprofile --hostname=bingo --overlay\r" |
53 | expect { | 53 | expect { |
54 | timeout {puts "TESTING ERROR 2\n";exit} | 54 | timeout {puts "TESTING ERROR 2\n";exit} |
55 | "Child process initialized" | 55 | "overlay option is not available" {puts "grsecurity\n"; exit} |
56 | "Child process initialized" {puts "normal system\n"} | ||
56 | } | 57 | } |
57 | sleep 1 | 58 | sleep 1 |
58 | 59 | ||
diff --git a/test/features/2.2.exp b/test/features/2.2.exp index 9e3878a4d..f30ccaf79 100755 --- a/test/features/2.2.exp +++ b/test/features/2.2.exp | |||
@@ -44,7 +44,8 @@ if { $overlay == "overlay" } { | |||
44 | send -- "firejail --noprofile --dns=4.2.2.1 --overlay\r" | 44 | send -- "firejail --noprofile --dns=4.2.2.1 --overlay\r" |
45 | expect { | 45 | expect { |
46 | timeout {puts "TESTING ERROR 2\n";exit} | 46 | timeout {puts "TESTING ERROR 2\n";exit} |
47 | "Child process initialized" | 47 | "overlay option is not available" {puts "grsecurity\n"; exit} |
48 | "Child process initialized" {puts "normal system\n"} | ||
48 | } | 49 | } |
49 | sleep 1 | 50 | sleep 1 |
50 | 51 | ||
diff --git a/test/features/2.3.exp b/test/features/2.3.exp index 1363e41b6..63caab14c 100755 --- a/test/features/2.3.exp +++ b/test/features/2.3.exp | |||
@@ -107,7 +107,8 @@ if { $overlay == "overlay" } { | |||
107 | send -- "firejail --noprofile --net=eth0 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r" | 107 | send -- "firejail --noprofile --net=eth0 --overlay --dns=8.8.8.8 --dns=8.8.4.4\r" |
108 | expect { | 108 | expect { |
109 | timeout {puts "TESTING ERROR 2\n";exit} | 109 | timeout {puts "TESTING ERROR 2\n";exit} |
110 | "Child process initialized" | 110 | "overlay option is not available" {puts "grsecurity\n"; exit} |
111 | "Child process initialized" {puts "normal system\n"} | ||
111 | } | 112 | } |
112 | sleep 1 | 113 | sleep 1 |
113 | 114 | ||
diff --git a/test/features/2.4.exp b/test/features/2.4.exp index 0c4808a1a..fed596410 100755 --- a/test/features/2.4.exp +++ b/test/features/2.4.exp | |||
@@ -95,7 +95,8 @@ if { $overlay == "overlay" } { | |||
95 | send -- "firejail --noprofile --net=br0 --overlay\r" | 95 | send -- "firejail --noprofile --net=br0 --overlay\r" |
96 | expect { | 96 | expect { |
97 | timeout {puts "TESTING ERROR 2\n";exit} | 97 | timeout {puts "TESTING ERROR 2\n";exit} |
98 | "Child process initialized" | 98 | "overlay option is not available" {puts "grsecurity\n"; exit} |
99 | "Child process initialized" {puts "normal system\n"} | ||
99 | } | 100 | } |
100 | sleep 1 | 101 | sleep 1 |
101 | 102 | ||
diff --git a/test/features/2.5.exp b/test/features/2.5.exp index a3a330643..1d6105ae8 100755 --- a/test/features/2.5.exp +++ b/test/features/2.5.exp | |||
@@ -47,7 +47,8 @@ if { $overlay == "overlay" } { | |||
47 | send -- "firejail --noprofile --overlay --interface=eth0.6\r" | 47 | send -- "firejail --noprofile --overlay --interface=eth0.6\r" |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 2\n";exit} | 49 | timeout {puts "TESTING ERROR 2\n";exit} |
50 | "Child process initialized" | 50 | "overlay option is not available" {puts "grsecurity\n"; exit} |
51 | "Child process initialized" {puts "normal system\n"} | ||
51 | } | 52 | } |
52 | sleep 1 | 53 | sleep 1 |
53 | 54 | ||
diff --git a/test/features/2.6.exp b/test/features/2.6.exp index f3eea2fd6..596e8f435 100755 --- a/test/features/2.6.exp +++ b/test/features/2.6.exp | |||
@@ -12,17 +12,17 @@ set chroot [lindex $argv 1] | |||
12 | # | 12 | # |
13 | # N | 13 | # N |
14 | # | 14 | # |
15 | send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10\r" | 15 | send -- "firejail --noprofile --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r" |
16 | expect { | 16 | expect { |
17 | timeout {puts "TESTING ERROR 0\n";exit} | 17 | timeout {puts "TESTING ERROR 0\n";exit} |
18 | "Child process initialized" | 18 | "Child process initialized" |
19 | } | 19 | } |
20 | sleep 1 | 20 | sleep 1 |
21 | 21 | ||
22 | send -- "netstat -rn\r" | 22 | send -- "ip route show\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 1\n";exit} | 24 | timeout {puts "TESTING ERROR 1\n";exit} |
25 | "0.0.0.0 192.168.1.10" | 25 | "default via 192.168.1.10 dev eth0" |
26 | } | 26 | } |
27 | after 100 | 27 | after 100 |
28 | send -- "exit\r" | 28 | send -- "exit\r" |
@@ -32,17 +32,18 @@ sleep 1 | |||
32 | # O | 32 | # O |
33 | # | 33 | # |
34 | if { $overlay == "overlay" } { | 34 | if { $overlay == "overlay" } { |
35 | send -- "firejail --noprofile --overlay --net=eth0 --defaultgw=192.168.1.10\r" | 35 | send -- "firejail --noprofile --overlay --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r" |
36 | expect { | 36 | expect { |
37 | timeout {puts "TESTING ERROR 2\n";exit} | 37 | timeout {puts "TESTING ERROR 2\n";exit} |
38 | "Child process initialized" | 38 | "overlay option is not available" {puts "grsecurity\n"; exit} |
39 | "Child process initialized" {puts "normal system\n"} | ||
39 | } | 40 | } |
40 | sleep 1 | 41 | sleep 1 |
41 | 42 | ||
42 | send -- "netstat -rn\r" | 43 | send -- "ip route show\r" |
43 | expect { | 44 | expect { |
44 | timeout {puts "TESTING ERROR 3\n";exit} | 45 | timeout {puts "TESTING ERROR 3\n";exit} |
45 | "0.0.0.0 192.168.1.10" | 46 | "default via 192.168.1.10 dev eth0" |
46 | } | 47 | } |
47 | after 100 | 48 | after 100 |
48 | send -- "exit\r" | 49 | send -- "exit\r" |
@@ -53,17 +54,17 @@ if { $overlay == "overlay" } { | |||
53 | # C | 54 | # C |
54 | # | 55 | # |
55 | if { $chroot == "chroot" } { | 56 | if { $chroot == "chroot" } { |
56 | send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10\r" | 57 | send -- "firejail --noprofile --chroot=/tmp/chroot --net=eth0 --defaultgw=192.168.1.10 --protocol=unix,inet,netlink\r" |
57 | expect { | 58 | expect { |
58 | timeout {puts "TESTING ERROR 4\n";exit} | 59 | timeout {puts "TESTING ERROR 4\n";exit} |
59 | "Child process initialized" | 60 | "Child process initialized" |
60 | } | 61 | } |
61 | sleep 1 | 62 | sleep 1 |
62 | 63 | ||
63 | send -- "netstat -rn\r" | 64 | send -- "ip route show\r" |
64 | expect { | 65 | expect { |
65 | timeout {puts "TESTING ERROR 5\n";exit} | 66 | timeout {puts "TESTING ERROR 5\n";exit} |
66 | "0.0.0.0 192.168.1.10" | 67 | "default via 192.168.1.10 dev eth0" |
67 | } | 68 | } |
68 | after 100 | 69 | after 100 |
69 | send -- "exit\r" | 70 | send -- "exit\r" |
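Review bot: Each of the three sandbox commands (new lines 15, 35 and 57) gains `--protocol=unix,inet,netlink` with no comment, so a reader cannot tell whether the protocol filter is itself under test or is only there so that the new `ip route show`, which presumably relies on netlink where the old `netstat -rn` did not, can run inside the sandbox. A one-line comment above line 15 settles it: `# ip route needs netlink, so the protocol filter must admit it for the checks below`. The expected `default via 192.168.1.10 dev eth0` at lines 25, 46 and 67 is a prefix match and tolerates trailing route attributes, which is fine.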
diff --git a/test/features/3.1.exp b/test/features/3.1.exp index a66fbdae1..046c703b7 100755 --- a/test/features/3.1.exp +++ b/test/features/3.1.exp | |||
@@ -22,7 +22,7 @@ sleep 1 | |||
22 | send -- "ls -al | wc -l\r" | 22 | send -- "ls -al | wc -l\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 1.1\n";exit} | 24 | timeout {puts "TESTING ERROR 1.1\n";exit} |
25 | "5" | 25 | "6" |
26 | } | 26 | } |
27 | 27 | ||
28 | send -- "ls -al .bashrc\r" | 28 | send -- "ls -al .bashrc\r" |
@@ -66,14 +66,15 @@ if { $overlay == "overlay" } { | |||
66 | send -- "firejail --noprofile --overlay --private\r" | 66 | send -- "firejail --noprofile --overlay --private\r" |
67 | expect { | 67 | expect { |
68 | timeout {puts "TESTING ERROR 2\n";exit} | 68 | timeout {puts "TESTING ERROR 2\n";exit} |
69 | "Child process initialized" | 69 | "overlay option is not available" {puts "grsecurity\n"; exit} |
70 | "Child process initialized" {puts "normal system\n"} | ||
70 | } | 71 | } |
71 | sleep 1 | 72 | sleep 1 |
72 | 73 | ||
73 | send -- "ls -al | wc -l\r" | 74 | send -- "ls -al | wc -l\r" |
74 | expect { | 75 | expect { |
75 | timeout {puts "TESTING ERROR 3.1\n";exit} | 76 | timeout {puts "TESTING ERROR 3.1\n";exit} |
76 | "5" | 77 | "6" |
77 | } | 78 | } |
78 | 79 | ||
79 | send -- "ls -al .bashrc\r" | 80 | send -- "ls -al .bashrc\r" |
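Review bot: The new expected value `"6"` at lines 25 and 77 is a single bare character, so expect accepts any `6` already in the buffer, possibly from a prompt or from earlier output, rather than the `wc -l` result; anchoring it as a line of its own, `-re {\n6\r}`, makes the count the thing being checked. A comment naming the six entries counted under `--private` (`.` and `..` plus the skeleton files) would also make the next bump reviewable, since the number encodes the private-home contents. The rest of the file is outside the hunks.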
diff --git a/test/features/3.10.exp b/test/features/3.10.exp index 47da7f1c2..4a06463a7 100755 --- a/test/features/3.10.exp +++ b/test/features/3.10.exp | |||
@@ -74,7 +74,8 @@ if { $overlay == "overlay" } { | |||
74 | send -- "firejail --noprofile --overlay --whitelist=/tmp/test1dir\r" | 74 | send -- "firejail --noprofile --overlay --whitelist=/tmp/test1dir\r" |
75 | expect { | 75 | expect { |
76 | timeout {puts "TESTING ERROR 2\n";exit} | 76 | timeout {puts "TESTING ERROR 2\n";exit} |
77 | "Child process initialized" | 77 | "overlay option is not available" {puts "grsecurity\n"; exit} |
78 | "Child process initialized" {puts "normal system\n"} | ||
78 | } | 79 | } |
79 | sleep 1 | 80 | sleep 1 |
80 | 81 | ||
diff --git a/test/features/3.11.exp b/test/features/3.11.exp index 3a5e38257..dc41ed743 100755 --- a/test/features/3.11.exp +++ b/test/features/3.11.exp | |||
@@ -69,7 +69,8 @@ if { $overlay == "overlay" } { | |||
69 | send -- "firejail --profile=3.11.profile\r" | 69 | send -- "firejail --profile=3.11.profile\r" |
70 | expect { | 70 | expect { |
71 | timeout {puts "TESTING ERROR 10\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
72 | "Child process initialized" | 72 | "overlay option is not available" {puts "grsecurity\n"; exit} |
73 | "Child process initialized" {puts "normal system\n"} | ||
73 | } | 74 | } |
74 | sleep 1 | 75 | sleep 1 |
75 | 76 | ||
diff --git a/test/features/3.2.exp b/test/features/3.2.exp index 6f743c414..be20b1547 100755 --- a/test/features/3.2.exp +++ b/test/features/3.2.exp | |||
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } { | |||
37 | send -- "firejail --noprofile --overlay --read-only=/home/netblue/.config\r" | 37 | send -- "firejail --noprofile --overlay --read-only=/home/netblue/.config\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 2\n";exit} | 39 | timeout {puts "TESTING ERROR 2\n";exit} |
40 | "Child process initialized" | 40 | "overlay option is not available" {puts "grsecurity\n"; exit} |
41 | "Child process initialized" {puts "normal system\n"} | ||
41 | } | 42 | } |
42 | sleep 1 | 43 | sleep 1 |
43 | 44 | ||
diff --git a/test/features/3.3.exp b/test/features/3.3.exp index 74260cad3..bb2c34dc1 100755 --- a/test/features/3.3.exp +++ b/test/features/3.3.exp | |||
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } { | |||
36 | send -- "firejail --noprofile --overlay --blacklist=/home/netblue/.config\r" | 36 | send -- "firejail --noprofile --overlay --blacklist=/home/netblue/.config\r" |
37 | expect { | 37 | expect { |
38 | timeout {puts "TESTING ERROR 2\n";exit} | 38 | timeout {puts "TESTING ERROR 2\n";exit} |
39 | "Child process initialized" | 39 | "overlay option is not available" {puts "grsecurity\n"; exit} |
40 | "Child process initialized" {puts "normal system\n"} | ||
40 | } | 41 | } |
41 | sleep 1 | 42 | sleep 1 |
42 | 43 | ||
diff --git a/test/features/3.4.exp b/test/features/3.4.exp index 3f316af5b..7ed439669 100755 --- a/test/features/3.4.exp +++ b/test/features/3.4.exp | |||
@@ -79,7 +79,8 @@ if { $overlay == "overlay" } { | |||
79 | send -- "firejail --noprofile --overlay --whitelist=/home/netblue/.config\r" | 79 | send -- "firejail --noprofile --overlay --whitelist=/home/netblue/.config\r" |
80 | expect { | 80 | expect { |
81 | timeout {puts "TESTING ERROR 2\n";exit} | 81 | timeout {puts "TESTING ERROR 2\n";exit} |
82 | "Child process initialized" | 82 | "overlay option is not available" {puts "grsecurity\n"; exit} |
83 | "Child process initialized" {puts "normal system\n"} | ||
83 | } | 84 | } |
84 | sleep 1 | 85 | sleep 1 |
85 | 86 | ||
diff --git a/test/features/3.5.exp b/test/features/3.5.exp index b1a16830d..f4b544b3d 100755 --- a/test/features/3.5.exp +++ b/test/features/3.5.exp | |||
@@ -22,8 +22,8 @@ sleep 1 | |||
22 | send -- "ls -l /dev | wc -l\r" | 22 | send -- "ls -l /dev | wc -l\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 1.1\n";exit} | 24 | timeout {puts "TESTING ERROR 1.1\n";exit} |
25 | "12" { puts "Debian\n"} | 25 | "13" { puts "Debian\n"} |
26 | "11" { puts "Centos\n"} | 26 | "12" { puts "Centos\n"} |
27 | } | 27 | } |
28 | 28 | ||
29 | after 100 | 29 | after 100 |
@@ -37,15 +37,16 @@ if { $overlay == "overlay" } { | |||
37 | send -- "firejail --noprofile --overlay --private-dev\r" | 37 | send -- "firejail --noprofile --overlay --private-dev\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 2\n";exit} | 39 | timeout {puts "TESTING ERROR 2\n";exit} |
40 | "Child process initialized" | 40 | "overlay option is not available" {puts "grsecurity\n"; exit} |
41 | "Child process initialized" {puts "normal system\n"} | ||
41 | } | 42 | } |
42 | sleep 1 | 43 | sleep 1 |
43 | 44 | ||
44 | send -- "ls -l /dev | wc -l\r" | 45 | send -- "ls -l /dev | wc -l\r" |
45 | expect { | 46 | expect { |
46 | timeout {puts "TESTING ERROR 3.1\n";exit} | 47 | timeout {puts "TESTING ERROR 3.1\n";exit} |
47 | "12" { puts "Debian\n"} | 48 | "13" { puts "Debian\n"} |
48 | "11" { puts "Centos\n"} | 49 | "12" { puts "Centos\n"} |
49 | } | 50 | } |
50 | 51 | ||
51 | after 100 | 52 | after 100 |
@@ -67,7 +68,7 @@ if { $chroot == "chroot" } { | |||
67 | send -- "ls -l /dev | wc -l\r" | 68 | send -- "ls -l /dev | wc -l\r" |
68 | expect { | 69 | expect { |
69 | timeout {puts "TESTING ERROR 5.1\n";exit} | 70 | timeout {puts "TESTING ERROR 5.1\n";exit} |
70 | "11" | 71 | "12" |
71 | } | 72 | } |
72 | 73 | ||
73 | after 100 | 74 | after 100 |
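Review bot: The distro detection on lines 25-26 and 48-49 and the chroot count on line 71 use bare numeric glob patterns, so `"12"` is also satisfied by a `wc -l` result of 112 or 120 and the check cannot fail for a too-large /dev. Anchor them to the line wc prints, e.g. `-re "\n13\r" { puts "Debian\n"}` and `-re "\n12\r" { puts "Centos\n"}`, so a wrong entry count is reported rather than passed. The bump from 12/11 to 13/12 is presumably a new node in the private /dev; a one-line comment naming which entry was added would make the next bump verifiable. The `if { $overlay == "overlay" }` and `if { $chroot == "chroot" }` blocks both start outside the hunks shown.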
diff --git a/test/features/3.6.exp b/test/features/3.6.exp index 6117485da..a00517716 100755 --- a/test/features/3.6.exp +++ b/test/features/3.6.exp | |||
@@ -36,7 +36,8 @@ if { $overlay == "overlay" } { | |||
36 | send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" | 36 | send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" |
37 | expect { | 37 | expect { |
38 | timeout {puts "TESTING ERROR 2\n";exit} | 38 | timeout {puts "TESTING ERROR 2\n";exit} |
39 | "Child process initialized" | 39 | "overlay option is not available" {puts "grsecurity\n"; exit} |
40 | "Child process initialized" {puts "normal system\n"} | ||
40 | } | 41 | } |
41 | sleep 1 | 42 | sleep 1 |
42 | 43 | ||
@@ -58,6 +59,7 @@ if { $chroot == "chroot" } { | |||
58 | send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" | 59 | send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" |
59 | expect { | 60 | expect { |
60 | timeout {puts "TESTING ERROR 4\n";exit} | 61 | timeout {puts "TESTING ERROR 4\n";exit} |
62 | "chroot option is not available" {puts "grsecurity\n"; exit} | ||
61 | "Child process initialized" | 63 | "Child process initialized" |
62 | } | 64 | } |
63 | sleep 1 | 65 | sleep 1 |
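Review bot: `exit` in the overlay arm on line 39 terminates the whole expect script, so on a grsecurity kernel the chroot test on line 59 in the second hunk is never reached even though the commit adds a separate skip arm for it on line 62. If only the overlay part is meant to be skipped, the arm should leave the branch rather than the script: have it set a flag (`set overlay "skipped"`) and guard the remaining overlay commands with a second `if { $overlay == "overlay" } { … }`, or split the overlay and chroot sections into separate .exp files. Either way print `TESTING SKIP:` rather than a bare `grsecurity` so the log distinguishes a skip from a pass. Both enclosing `if` blocks start outside the hunks shown.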
diff --git a/test/features/3.7.exp b/test/features/3.7.exp index d8236b851..2a9ce84d6 100755 --- a/test/features/3.7.exp +++ b/test/features/3.7.exp | |||
@@ -45,7 +45,8 @@ if { $overlay == "overlay" } { | |||
45 | send -- "firejail --noprofile --overlay --private-tmp\r" | 45 | send -- "firejail --noprofile --overlay --private-tmp\r" |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 2\n";exit} | 47 | timeout {puts "TESTING ERROR 2\n";exit} |
48 | "Child process initialized" | 48 | "overlay option is not available" {puts "grsecurity\n"; exit} |
49 | "Child process initialized" {puts "normal system\n"} | ||
49 | } | 50 | } |
50 | sleep 1 | 51 | sleep 1 |
51 | 52 | ||
diff --git a/test/features/3.8.exp b/test/features/3.8.exp index 2405e4fdb..94a1abf67 100755 --- a/test/features/3.8.exp +++ b/test/features/3.8.exp | |||
@@ -37,7 +37,8 @@ if { $overlay == "overlay" } { | |||
37 | send -- "firejail --noprofile --overlay --private-bin=bash,cat,cp,ls,wc\r" | 37 | send -- "firejail --noprofile --overlay --private-bin=bash,cat,cp,ls,wc\r" |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 2\n";exit} | 39 | timeout {puts "TESTING ERROR 2\n";exit} |
40 | "Child process initialized" | 40 | "overlay option is not available" {puts "grsecurity\n"; exit} |
41 | "Child process initialized" {puts "normal system\n"} | ||
41 | } | 42 | } |
42 | sleep 1 | 43 | sleep 1 |
43 | 44 | ||
diff --git a/test/features/3.9.exp b/test/features/3.9.exp index a1797804f..660ccbe05 100755 --- a/test/features/3.9.exp +++ b/test/features/3.9.exp | |||
@@ -38,7 +38,8 @@ if { $overlay == "overlay" } { | |||
38 | send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/null\r" | 38 | send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/null\r" |
39 | expect { | 39 | expect { |
40 | timeout {puts "TESTING ERROR 2\n";exit} | 40 | timeout {puts "TESTING ERROR 2\n";exit} |
41 | "Child process initialized" | 41 | "overlay option is not available" {puts "grsecurity\n"; exit} |
42 | "Child process initialized" {puts "normal system\n"} | ||
42 | } | 43 | } |
43 | sleep 1 | 44 | sleep 1 |
44 | 45 | ||
diff --git a/test/features/features.txt b/test/features/features.txt index 283e85d93..b793257c3 100644 --- a/test/features/features.txt +++ b/test/features/features.txt | |||
@@ -21,7 +21,7 @@ C - chroot filesystem | |||
21 | 1.5 PID namespace | 21 | 1.5 PID namespace |
22 | 1.6 new /var/log | 22 | 1.6 new /var/log |
23 | 1.7 new /var/tmp | 23 | 1.7 new /var/tmp |
24 | 1.8 disable /etc/firejail and ~/.config/firejail | 24 | 1.8 disable firejail config and run time information |
25 | 1.9 mount namespace | 25 | 1.9 mount namespace |
26 | 1.10 disable /selinux | 26 | 1.10 disable /selinux |
27 | 27 | ||
diff --git a/test/features/test.sh b/test/features/test.sh index 3570dae5a..f28da37d5 100755 --- a/test/features/test.sh +++ b/test/features/test.sh | |||
@@ -50,7 +50,7 @@ echo "TESTING: 1.6 new /var/log" | |||
50 | echo "TESTING: 1.7 new /var/tmp" | 50 | echo "TESTING: 1.7 new /var/tmp" |
51 | ./1.7.exp $OVERLAY $CHROOT | 51 | ./1.7.exp $OVERLAY $CHROOT |
52 | 52 | ||
53 | echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail" | 53 | echo "TESTING: 1.8 disable firejail config and run time information" |
54 | ./1.8.exp $OVERLAY $CHROOT | 54 | ./1.8.exp $OVERLAY $CHROOT |
55 | 55 | ||
56 | echo "TESTING: 1.10 disable /selinux" | 56 | echo "TESTING: 1.10 disable /selinux" |
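diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..034d6a733
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"CapBnd: 0000000000000009"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"CapBnd: 0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"fffffff0"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"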
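Review bot: The `CapBnd:` literals on lines 20 and 39 only match if the character between `CapBnd:` and the hex mask is a tab, which is the separator /proc/self/status emits; as rendered here it is a single space, which would never match and would surface as TESTING ERROR 2/5 rather than as a capability problem. Either make sure the source holds a real tab or match whitespace-tolerantly, `-re {CapBnd:\s+0000000000000009}`. The masks themselves look right for the options used: `--caps.keep=chown,fowner` leaves bits 0 and 3 (0x9), `--caps.drop=all` gives all zeros, and dropping chown, dac_override, dac_read_search and fowner clears the low nibble, which the `fffffff0` check on line 62 pins. Note that only the bounding set is checked; that is the right set for an unprivileged sandbox, but a short comment saying so would stop someone "fixing" the test to look at CapEff.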
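diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..67b9f2c0d
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+
+if [ "$(uname -m)" = "x86_64" ]; then
+echo "TESTING: protocol (test/filters/protocol.exp)"
+./protocol.exp
+else
+echo "TESTING SKIP: protocol, not running on x86_64"
+fi
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+
+which strace
+if [ $? -eq 0 ]; then
+echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
+./seccomp-ptrace.exp
+else
+echo "TESTING SKIP: ptrace, strace not found"
+fi
+
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+
+# todo: fix pwd and add seccomp-chown.exp and seccomp-umount.exp
+
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+if [ "$(uname -m)" = "x86_64" ]; then
+echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+./seccomp-dualfilter.exp
+else
+echo "TESTING SKIP: seccomp dual, not running on x86_64"
+fi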
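Review bot: `which strace` on line 34 writes the path (or its error) into the test log and is not a builtin everywhere; `if command -v strace >/dev/null 2>&1; then` does the same check silently and portably and removes the separate `$?` test. seccomp-bad-empty.exp is also run twice, on lines 22-23 and again on lines 53-54; drop one of them. The script has no `set -e`, and each .exp exits 0 even after printing `TESTING ERROR`, so a failure is only visible by grepping the log; that is presumably the convention for these harness scripts, but a header comment saying so would save the next reader from expecting a non-zero exit.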
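diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..1e08cee12
--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,159 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"CapBnd: 0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"2"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+"Bad system call" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"3"
+}
+
+puts "\n"
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"ffffffff"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"0"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 19\n";exit}
+"3"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"User namespace detected"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"Joining user namespace"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+"Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 24\n";exit}
+"3"
+}
+puts "\nall done\n"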
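Review bot: The `sudo -s` probes on lines 47, 106 and 142 have no arm for sudo actually working: if the setuid bit were honoured inside the `--noroot` user namespace, sudo would prompt for a password or hand back a root shell, and the block would only report the generic timeout `TESTING ERROR 8`/`16`/`22` — the one outcome this test exists to rule out deserves its own arm, e.g. `"password" {puts "TESTING ERROR: sudo reached authentication, setuid honoured in sandbox\n"; exit}`, plus a prompt match if the test host has passwordless sudo. The error ids are also reused — `TESTING ERROR 1` on lines 12 and 20 and `TESTING ERROR 8` on lines 49 and 61 — so a failure cannot be located from the log; renumber them. The second sandbox started on line 71 (`--name=test`) is never sent `exit`, unlike the first on line 66, so it is left for the join on line 131 and then abandoned when the script ends.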
diff --git a/test/protocol.exp b/test/filters/protocol.exp index 018f4cd9b..82e9a63eb 100755 --- a/test/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -1,16 +1,21 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
5 | match_max 100000 | 8 | match_max 100000 |
6 | 9 | ||
7 | send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r" | 10 | send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" |
8 | expect { | 11 | expect { |
9 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | ||
10 | "Child process initialized" | 14 | "Child process initialized" |
11 | } | 15 | } |
12 | expect { | 16 | expect { |
13 | timeout {puts "TESTING ERROR 1.1\n";exit} | 17 | timeout {puts "TESTING ERROR 1.1\n";exit} |
18 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | ||
14 | "socket AF_INET" | 19 | "socket AF_INET" |
15 | } | 20 | } |
16 | expect { | 21 | expect { |
@@ -47,7 +52,7 @@ expect { | |||
47 | } | 52 | } |
48 | sleep 1 | 53 | sleep 1 |
49 | 54 | ||
50 | send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r" | 55 | send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" |
51 | expect { | 56 | expect { |
52 | timeout {puts "TESTING ERROR 2\n";exit} | 57 | timeout {puts "TESTING ERROR 2\n";exit} |
53 | "Child process initialized" | 58 | "Child process initialized" |
@@ -91,7 +96,7 @@ expect { | |||
91 | sleep 1 | 96 | sleep 1 |
92 | 97 | ||
93 | # profile testing | 98 | # profile testing |
94 | send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test socket\r" | 99 | send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" |
95 | expect { | 100 | expect { |
96 | timeout {puts "TESTING ERROR 3\n";exit} | 101 | timeout {puts "TESTING ERROR 3\n";exit} |
97 | "Child process initialized" | 102 | "Child process initialized" |
@@ -134,7 +139,7 @@ expect { | |||
134 | } | 139 | } |
135 | sleep 1 | 140 | sleep 1 |
136 | 141 | ||
137 | send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r" | 142 | send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" |
138 | expect { | 143 | expect { |
139 | timeout {puts "TESTING ERROR 4\n";exit} | 144 | timeout {puts "TESTING ERROR 4\n";exit} |
140 | "Child process initialized" | 145 | "Child process initialized" |
@@ -177,8 +182,4 @@ expect { | |||
177 | } | 182 | } |
178 | sleep 1 | 183 | sleep 1 |
179 | 184 | ||
180 | |||
181 | |||
182 | |||
183 | |||
184 | puts "\nall done\n" | 185 | puts "\nall done\n" |
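Review bot: The `"Permission denied"` skip arm added on line 18 can swallow the test's own negative result: it sits after `Child process initialized`, where the only remaining source of that text is the sandboxed `./syscall_test`, so if the program reports a socket blocked by `--protocol=unix` with that wording, a failing filter is logged as a skip instead of an error. The arm on line 13 is the one that can legitimately catch a non-executable `./syscall_test` (the move from `../src/tools` presumably means a copied or built binary in test/filters). Narrow line 18 to the exec failure by including the binary name, `"syscall_test: Permission denied" {puts "TESTING SKIP: permission denied\n"; exit}`, or drop it; I cannot tell from this hunk which errno string syscall_test prints for a denied socket, so check that before keeping the broad pattern.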
diff --git a/test/protocol1.profile b/test/filters/protocol1.profile index 3e1ea2a29..3e1ea2a29 100644 --- a/test/protocol1.profile +++ b/test/filters/protocol1.profile | |||
diff --git a/test/protocol2.profile b/test/filters/protocol2.profile index b7eb4ab91..b7eb4ab91 100644 --- a/test/protocol2.profile +++ b/test/filters/protocol2.profile | |||
diff --git a/test/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 631d67743..53f06e632 100755 --- a/test/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile index 2d4fcde7c..2d4fcde7c 100644 --- a/test/seccomp-bad-empty.profile +++ b/test/filters/seccomp-bad-empty.profile | |||
diff --git a/test/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile index c4e6c9f74..c4e6c9f74 100644 --- a/test/seccomp-bad-empty2.profile +++ b/test/filters/seccomp-bad-empty2.profile | |||
diff --git a/test/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 098328cea..e5d16f524 100755 --- a/test/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -11,36 +14,38 @@ expect { | |||
11 | } | 14 | } |
12 | sleep 2 | 15 | sleep 2 |
13 | 16 | ||
14 | send -- "touch testfile;pwd\r" | 17 | send -- "cd ~; echo done\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "/root" {puts "running as root"} | 20 | "done" |
18 | "/home" | ||
19 | } | 21 | } |
20 | 22 | ||
21 | send -- "ls -l testfile;pwd\r" | 23 | send -- "touch testfile; echo done\r" |
22 | expect { | 24 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 25 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "testfile" | 26 | "done" |
25 | } | 27 | } |
28 | |||
29 | send -- "ls -l testfile; echo done\r" | ||
26 | expect { | 30 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "/root" {puts "running as root"} | 32 | "testfile" |
29 | "/home" | 33 | } |
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 4\n";exit} | ||
36 | "done" | ||
30 | } | 37 | } |
31 | 38 | ||
32 | send -- "chmod +x testfile;pwd\r" | 39 | send -- "chmod +x testfile; echo done\r" |
33 | expect { | 40 | expect { |
34 | timeout {puts "TESTING ERROR 2\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
35 | "Bad system call" | 42 | "Bad system call" |
36 | } | 43 | } |
37 | expect { | 44 | expect { |
38 | timeout {puts "TESTING ERROR 3\n";exit} | 45 | timeout {puts "TESTING ERROR 6\n";exit} |
39 | "/root" {puts "running as root"} | 46 | "done" |
40 | "/home" | ||
41 | } | 47 | } |
42 | 48 | ||
43 | |||
44 | send -- "exit\r" | 49 | send -- "exit\r" |
45 | sleep 1 | 50 | sleep 1 |
46 | puts "\n" | 51 | puts "\nall done\n" |
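Review bot: Each marker the rewritten hunk waits for also appears in the command it just sent, so the terminal echo satisfies the expect before the command has run: `"done"` on lines 20, 26 and 36 matches the echoed `echo done`, and `"testfile"` on line 32 matches the echoed `ls -l testfile`. The checks therefore prove the text was typed, not that `cd`, `touch` or `ls` succeeded, and the real `done` left in the buffer can satisfy a later expect out of order. Break the literal in the sent string so only the shell's output contains it, e.g. `send -- "touch testfile; echo do\\ne\r"` (bash prints `done`, the echo shows `do\ne`), and match the ls output rather than the bare name, `-re "\n-.*testfile"`. The same pattern is in seccomp-chmod.exp in this commit; the firejail invocation these commands run under is on line 10, outside the hunk.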
diff --git a/test/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index b4a213206..9ca084e7f 100755 --- a/test/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -11,36 +14,38 @@ expect { | |||
11 | } | 14 | } |
12 | sleep 2 | 15 | sleep 2 |
13 | 16 | ||
14 | send -- "touch testfile;pwd\r" | 17 | send -- "cd ~; echo done\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "/root" {puts "running as root"} | 20 | "done" |
18 | "/home" | ||
19 | } | 21 | } |
20 | 22 | ||
21 | send -- "ls -l testfile;pwd\r" | 23 | send -- "touch testfile; echo done\r" |
22 | expect { | 24 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 25 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "testfile" | 26 | "done" |
25 | } | 27 | } |
28 | |||
29 | send -- "ls -l testfile; echo done\r" | ||
26 | expect { | 30 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "/root" {puts "running as root"} | 32 | "testfile" |
29 | "/home" | 33 | } |
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 4\n";exit} | ||
36 | "done" | ||
30 | } | 37 | } |
31 | 38 | ||
32 | send -- "chmod +x testfile;pwd\r" | 39 | send -- "chmod +x testfile; echo done\r" |
33 | expect { | 40 | expect { |
34 | timeout {puts "TESTING ERROR 2\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
35 | "Bad system call" | 42 | "Bad system call" |
36 | } | 43 | } |
37 | expect { | 44 | expect { |
38 | timeout {puts "TESTING ERROR 3\n";exit} | 45 | timeout {puts "TESTING ERROR 6\n";exit} |
39 | "/root" {puts "running as root"} | 46 | "done" |
40 | "/home" | ||
41 | } | 47 | } |
42 | 48 | ||
43 | |||
44 | send -- "exit\r" | 49 | send -- "exit\r" |
45 | sleep 1 | 50 | sleep 1 |
46 | puts "\n" | 51 | puts "\nall done\n" |
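Review bot: `cd ~; touch testfile` on lines 17 and 23 now creates `testfile` in the real home directory of whoever runs the suite — nothing in the hunk removes it, and the firejail invocation on line 10 (outside the hunk) does not appear to use `--private` — so every run leaves an artefact behind in the user's home. Add `send -- "rm -f testfile\r"` before the `exit` on line 49, or start the sandbox with `--private` so the file lands in a throwaway home; the latter also keeps the test from depending on whether a `testfile` already exists there. The `"Bad system call"` check on line 42 is the actual assertion and still reads correctly once the marker issue shared with seccomp-chmod-profile.exp is addressed.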
diff --git a/test/seccomp-chown.exp b/test/filters/seccomp-chown.exp index 69b896700..4e393fea2 100755 --- a/test/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp-debug.exp b/test/filters/seccomp-debug.exp index 1034f040e..dbc0d37a9 100755 --- a/test/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
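diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..8a48130b3
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
@@ -0,0 +1,54 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 1
+spawn $env(SHELL)
+match_max 100000
+
+send -- "./syscall_test\r"
+expect {
+timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit}
+"Usage"
+}
+
+send -- "./syscall_test32\r"
+expect {
+timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit}
+"Usage"
+}
+
+set timeout 10
+send -- "firejail ./syscall_test mount\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"before mount"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"after mount" {puts "TESTING ERROR 3\n";exit}
+"Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"before mount"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"after mount" {puts "TESTING ERROR 7\n";exit}
+"Parent is shutting down"
+}
+
+puts "\nall done\n"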
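Review bot: `firejail ./syscall_test mount` on lines 23 and 39 passes neither `--seccomp` nor `--noprofile`, so whether `mount` is killed (the `"after mount"` never appearing on lines 34 and 50) depends on whatever profile firejail selects for a program with no profile of its own — the installed default profile, which this same commit edits. If the point is that the filter is installed for both the 64-bit and the 32-bit syscall tables, ask for it explicitly, `send -- "firejail --noprofile --seccomp ./syscall_test mount\r"` and likewise for `syscall_test32`, so the result no longer changes when /etc/firejail/default.profile is edited. A one-line comment at the top stating that the two binaries exercise the two syscall tables would also help, since the file name is the only hint. The 1-second probes on lines 10-20 assume both helpers print `Usage` when run without arguments; that is not visible here, so confirm it matches the tools' output.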
diff --git a/test/seccomp-empty.exp b/test/filters/seccomp-empty.exp index 11abf2e00..11b275c7d 100755 --- a/test/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp-empty.profile b/test/filters/seccomp-empty.profile index 8f71f55a5..8f71f55a5 100644 --- a/test/seccomp-empty.profile +++ b/test/filters/seccomp-empty.profile | |||
diff --git a/test/seccomp-errno.exp b/test/filters/seccomp-errno.exp index e6678ab8f..aefe816e1 100755 --- a/test/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index 9a9b7430e..fba9ea92f 100755 --- a/test/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp-su.exp b/test/filters/seccomp-su.exp index dcae6f869..3f1f2e732 100755 --- a/test/seccomp-su.exp +++ b/test/filters/seccomp-su.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -14,19 +17,22 @@ sleep 2 | |||
14 | send -- "sudo su -\r" | 17 | send -- "sudo su -\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "effective uid is not 0" | 20 | "effective uid is not 0" {puts "OK\n"} |
21 | "Bad system call" {puts "OK\n"} | ||
18 | } | 22 | } |
19 | 23 | ||
20 | send -- "sudo ls\r" | 24 | send -- "sudo ls\r" |
21 | expect { | 25 | expect { |
22 | timeout {puts "TESTING ERROR 2\n";exit} | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
23 | "effective uid is not 0" | 27 | "effective uid is not 0" {puts "OK\n"} |
28 | "Bad system call" {puts "OK\n"} | ||
24 | } | 29 | } |
25 | 30 | ||
26 | send -- "ping google.com\r" | 31 | send -- "ping google.com\r" |
27 | expect { | 32 | expect { |
28 | timeout {puts "TESTING ERROR 2\n";exit} | 33 | timeout {puts "TESTING ERROR 2\n";exit} |
29 | "Operation not permitted" | 34 | "Operation not permitted" {puts "OK\n"} |
35 | "unknown host" {puts "OK\n"} | ||
30 | } | 36 | } |
31 | 37 | ||
32 | send -- "exit\r" | 38 | send -- "exit\r" |
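Review bot: The `ping google.com` check (new lines 31-35) now also passes on `unknown host`, so a sandbox with no network or a broken resolver satisfies it without exercising the seccomp filter; a loopback target such as `ping -c 1 127.0.0.1` removes the DNS dependency, and its error label should be `TESTING ERROR 3` rather than a second `2`. The `sudo su -` and `sudo ls` blocks above it only fail on timeout, so if privilege escalation ever succeeded the test would stall for ten seconds instead of reporting it; a negative arm that matches a successful listing or root prompt would turn that into an immediate, labelled failure. The rest of the script is outside the hunk.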
diff --git a/test/seccomp-umount.exp b/test/filters/seccomp-umount.exp index c0107a084..6e2f8c6c2 100755 --- a/test/seccomp-umount.exp +++ b/test/filters/seccomp-umount.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/seccomp.profile b/test/filters/seccomp.profile index cb0b15aee..cb0b15aee 100644 --- a/test/seccomp.profile +++ b/test/filters/seccomp.profile | |||
diff --git a/src/tools/syscall_test b/test/filters/syscall_test index bf29c5b99..bf29c5b99 100755 --- a/src/tools/syscall_test +++ b/test/filters/syscall_test | |||
Binary files differ | |||
diff --git a/src/tools/syscall_test.c b/test/filters/syscall_test.c index b3f43c755..422af619d 100644 --- a/src/tools/syscall_test.c +++ b/test/filters/syscall_test.c | |||
@@ -1,3 +1,7 @@ | |||
1 | // This file is part of Firejail project | ||
2 | // Copyright (C) 2014-2016 Firejail Authors | ||
3 | // License GPL v2 | ||
4 | |||
1 | #include <stdlib.h> | 5 | #include <stdlib.h> |
2 | #include <stdio.h> | 6 | #include <stdio.h> |
3 | #include <unistd.h> | 7 | #include <unistd.h> |
diff --git a/src/tools/syscall_test32 b/test/filters/syscall_test32 index 8d72f58c4..8d72f58c4 100755 --- a/src/tools/syscall_test32 +++ b/test/filters/syscall_test32 | |||
Binary files differ | |||
diff --git a/test/fs/fs.sh b/test/fs/fs.sh new file mode 100755 index 000000000..08888020c --- /dev/null +++ b/test/fs/fs.sh | |||
@@ -0,0 +1,55 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" | ||
10 | ./kmsg.exp | ||
11 | |||
12 | echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" | ||
13 | ./fs_var_tmp.exp | ||
14 | |||
15 | echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" | ||
16 | ./fs_var_lock.exp | ||
17 | |||
18 | echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" | ||
19 | ./fs_dev_shm.exp | ||
20 | |||
21 | echo "TESTING: private (test/fs/private.exp)" | ||
22 | ./private.exp `whoami` | ||
23 | |||
24 | echo "TESTING: private-etc (test/fs/private-etc.exp)" | ||
25 | ./private-etc.exp | ||
26 | |||
27 | echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)" | ||
28 | ./private-etc-empty.exp | ||
29 | |||
30 | echo "TESTING: private-bin (test/fs/private-bin.exp)" | ||
31 | ./private-bin.exp | ||
32 | |||
33 | echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" | ||
34 | ./whitelist-empty.exp | ||
35 | |||
36 | echo "TESTING: private whitelist (test/fs/private-whitelist.exp)" | ||
37 | ./private-whitelist.exp | ||
38 | |||
39 | echo "TESTING: invalid filename (test/fs/invalid_filename.exp)" | ||
40 | ./invalid_filename.exp | ||
41 | |||
42 | echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)" | ||
43 | ./option_blacklist.exp | ||
44 | |||
45 | echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)" | ||
46 | ./option_blacklist_file.exp | ||
47 | |||
48 | echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" | ||
49 | ./option_blacklist_glob.exp | ||
50 | |||
51 | echo "TESTING: bind as user (test/fs/option_bind_user.exp)" | ||
52 | ./option_bind_user.exp | ||
53 | |||
54 | |||
55 | |||
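Review bot: Every `.exp` script here is run without checking its result, and in the visible test scripts the `TESTING ERROR` paths end in a bare `exit` (status 0), so this runner cannot tell a failed test from a passed one except by someone reading the transcript; a one-line comment stating that failures are only visible as `TESTING ERROR` in the output would at least make that explicit. Line 22 should quote its command substitution, `./private.exp "$(whoami)"`, and since all tests are invoked by relative path a `cd "$(dirname "$0")" || exit 1` after the exports would make the script safe to call from elsewhere. `MALLOC_PERTURB_` is drawn from `$RANDOM` but never printed, so a heap-corruption finding from one run cannot be reproduced; echo the chosen value once.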
diff --git a/test/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index b54f24eb5..6d27978e2 100755 --- a/test/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -12,33 +15,33 @@ expect { | |||
12 | } | 15 | } |
13 | sleep 1 | 16 | sleep 1 |
14 | 17 | ||
15 | send -- "echo mytest > /dev/shm/ttt;pwd\r" | 18 | send -- "echo mytest > /dev/shm/ttt;echo done\r" |
16 | expect { | 19 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "home" | 21 | "done" |
19 | } | 22 | } |
20 | 23 | ||
21 | send -- "cat /dev/shm/ttt;pwd\r" | 24 | send -- "cat /dev/shm/ttt;echo done\r" |
22 | expect { | 25 | expect { |
23 | timeout {puts "TESTING ERROR 2.1\n";exit} | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "mytest" | 27 | "mytest" |
25 | } | 28 | } |
26 | expect { | 29 | expect { |
27 | timeout {puts "TESTING ERROR 2\n";exit} | 30 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "home" | 31 | "done" |
29 | } | 32 | } |
30 | 33 | ||
31 | send -- "rm /dev/shm/ttt;pwd\r" | 34 | send -- "rm /dev/shm/ttt;echo done\r" |
32 | expect { | 35 | expect { |
33 | timeout {puts "TESTING ERROR 3\n";exit} | 36 | timeout {puts "TESTING ERROR 4\n";exit} |
34 | "home" | 37 | "done" |
35 | } | 38 | } |
36 | 39 | ||
37 | send -- "cat /dev/shm/ttt;pwd\r" | 40 | send -- "cat /dev/shm/ttt;echo done\r" |
38 | expect { | 41 | expect { |
39 | timeout {puts "TESTING ERROR 4\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
40 | "mytest" {puts "TESTING ERROR 4.1\n";exit} | 43 | "mytest" {puts "TESTING ERROR 6\n";exit} |
41 | "home" | 44 | "done" |
42 | } | 45 | } |
43 | 46 | ||
44 | sleep 1 | 47 | sleep 1 |
@@ -48,40 +51,40 @@ sleep 1 | |||
48 | # redo the test with --private | 51 | # redo the test with --private |
49 | send -- "firejail\r" | 52 | send -- "firejail\r" |
50 | expect { | 53 | expect { |
51 | timeout {puts "TESTING ERROR 10\n";exit} | 54 | timeout {puts "TESTING ERROR 7\n";exit} |
52 | "Child process initialized" | 55 | "Child process initialized" |
53 | } | 56 | } |
54 | sleep 1 | 57 | sleep 1 |
55 | 58 | ||
56 | send -- "echo mytest > /dev/shm/ttt;pwd\r" | 59 | send -- "echo mytest > /dev/shm/ttt;echo done\r" |
57 | expect { | 60 | expect { |
58 | timeout {puts "TESTING ERROR 11\n";exit} | 61 | timeout {puts "TESTING ERROR 8\n";exit} |
59 | "home" | 62 | "done" |
60 | } | 63 | } |
61 | 64 | ||
62 | send -- "cat /dev/shm/ttt;pwd\r" | 65 | send -- "cat /dev/shm/ttt;echo done\r" |
63 | expect { | 66 | expect { |
64 | timeout {puts "TESTING ERROR 12.1\n";exit} | 67 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "mytest" | 68 | "mytest" |
66 | } | 69 | } |
67 | expect { | 70 | expect { |
68 | timeout {puts "TESTING ERROR 12\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
69 | "home" | 72 | "done" |
70 | } | 73 | } |
71 | 74 | ||
72 | send -- "rm /dev/shm/ttt;pwd\r" | 75 | send -- "rm /dev/shm/ttt;echo done\r" |
73 | expect { | 76 | expect { |
74 | timeout {puts "TESTING ERROR 13\n";exit} | 77 | timeout {puts "TESTING ERROR 11\n";exit} |
75 | "home" | 78 | "done" |
76 | } | 79 | } |
77 | 80 | ||
78 | send -- "cat /dev/shm/ttt;pwd\r" | 81 | send -- "cat /dev/shm/ttt;echo done\r" |
79 | expect { | 82 | expect { |
80 | timeout {puts "TESTING ERROR 14\n";exit} | 83 | timeout {puts "TESTING ERROR 12\n";exit} |
81 | "mytest" {puts "TESTING ERROR 14.1\n";exit} | 84 | "mytest" {puts "TESTING ERROR 13\n";exit} |
82 | "home" | 85 | "done" |
83 | } | 86 | } |
84 | 87 | ||
85 | sleep 1 | 88 | sleep 1 |
86 | 89 | ||
87 | puts "\n" | 90 | puts "\nall done\n" |
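Review bot: Replacing `pwd`/`home` with `echo done`/`done` makes the completion arm matchable by the pty's echo of the typed command itself (`;echo done` is on the input line, and a spawned shell echoes input by default), so `expect "done"` can fire before the command has run. The consequence is on new lines 81-86: the negative check must see `mytest` before `done` to fail, but an echoed or stale `done` is already in the buffer, so a `/dev/shm/ttt` that survived into the `--private` sandbox would not be caught. Use a sentinel that does not appear literally in what is sent, e.g. `send -- "cat /dev/shm/ttt;echo d''one\r"` (output is still `done`), or anchor the match with `-re {\r\ndone\r\n}`. The original `pwd` form did not have this problem because `home` was not part of the typed line.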
diff --git a/test/fs_var_lock.exp b/test/fs/fs_var_lock.exp index dfcf571f4..0e2b3181a 100755 --- a/test/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -12,33 +15,33 @@ expect { | |||
12 | } | 15 | } |
13 | sleep 1 | 16 | sleep 1 |
14 | 17 | ||
15 | send -- "echo mytest > /var/lock/ttt;pwd\r" | 18 | send -- "echo mytest > /var/lock/ttt;echo done\r" |
16 | expect { | 19 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "home" | 21 | "done" |
19 | } | 22 | } |
20 | 23 | ||
21 | send -- "cat /var/lock/ttt;pwd\r" | 24 | send -- "cat /var/lock/ttt;echo done\r" |
22 | expect { | 25 | expect { |
23 | timeout {puts "TESTING ERROR 2.1\n";exit} | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "mytest" | 27 | "mytest" |
25 | } | 28 | } |
26 | expect { | 29 | expect { |
27 | timeout {puts "TESTING ERROR 2\n";exit} | 30 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "home" | 31 | "done" |
29 | } | 32 | } |
30 | 33 | ||
31 | send -- "rm /var/lock/ttt;pwd\r" | 34 | send -- "rm /var/lock/ttt;echo done\r" |
32 | expect { | 35 | expect { |
33 | timeout {puts "TESTING ERROR 3\n";exit} | 36 | timeout {puts "TESTING ERROR 4\n";exit} |
34 | "home" | 37 | "done" |
35 | } | 38 | } |
36 | 39 | ||
37 | send -- "cat /var/lock/ttt;pwd\r" | 40 | send -- "cat /var/lock/ttt;echo done\r" |
38 | expect { | 41 | expect { |
39 | timeout {puts "TESTING ERROR 4\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
40 | "mytest" {puts "TESTING ERROR 4.1\n";exit} | 43 | "mytest" {puts "TESTING ERROR 6\n";exit} |
41 | "home" | 44 | "done" |
42 | } | 45 | } |
43 | 46 | ||
44 | sleep 1 | 47 | sleep 1 |
@@ -48,40 +51,40 @@ sleep 1 | |||
48 | # redo the test with --private | 51 | # redo the test with --private |
49 | send -- "firejail\r" | 52 | send -- "firejail\r" |
50 | expect { | 53 | expect { |
51 | timeout {puts "TESTING ERROR 10\n";exit} | 54 | timeout {puts "TESTING ERROR 7\n";exit} |
52 | "Child process initialized" | 55 | "Child process initialized" |
53 | } | 56 | } |
54 | sleep 1 | 57 | sleep 1 |
55 | 58 | ||
56 | send -- "echo mytest > /var/lock/ttt;pwd\r" | 59 | send -- "echo mytest > /var/lock/ttt;echo done\r" |
57 | expect { | 60 | expect { |
58 | timeout {puts "TESTING ERROR 11\n";exit} | 61 | timeout {puts "TESTING ERROR 8\n";exit} |
59 | "home" | 62 | "done" |
60 | } | 63 | } |
61 | 64 | ||
62 | send -- "cat /var/lock/ttt;pwd\r" | 65 | send -- "cat /var/lock/ttt;echo done\r" |
63 | expect { | 66 | expect { |
64 | timeout {puts "TESTING ERROR 12.1\n";exit} | 67 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "mytest" | 68 | "mytest" |
66 | } | 69 | } |
67 | expect { | 70 | expect { |
68 | timeout {puts "TESTING ERROR 12\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
69 | "home" | 72 | "done" |
70 | } | 73 | } |
71 | 74 | ||
72 | send -- "rm /var/lock/ttt;pwd\r" | 75 | send -- "rm /var/lock/ttt;echo done\r" |
73 | expect { | 76 | expect { |
74 | timeout {puts "TESTING ERROR 13\n";exit} | 77 | timeout {puts "TESTING ERROR 11\n";exit} |
75 | "home" | 78 | "done" |
76 | } | 79 | } |
77 | 80 | ||
78 | send -- "cat /var/lock/ttt;pwd\r" | 81 | send -- "cat /var/lock/ttt;echo done\r" |
79 | expect { | 82 | expect { |
80 | timeout {puts "TESTING ERROR 14\n";exit} | 83 | timeout {puts "TESTING ERROR 12\n";exit} |
81 | "mytest" {puts "TESTING ERROR 14.1\n";exit} | 84 | "mytest" {puts "TESTING ERROR 13\n";exit} |
82 | "home" | 85 | "done" |
83 | } | 86 | } |
84 | 87 | ||
85 | sleep 1 | 88 | sleep 1 |
86 | 89 | ||
87 | puts "\n" | 90 | puts "\nall done\n" |
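Review bot: The `done` sentinel on new lines 18, 24, 34, 40 and 59-81 is also present in the command that is typed, so with a pty echoing input `expect "done"` is satisfied before any output arrives, and the negative `mytest` check on lines 81-86 can pass without ever reading the `cat` result. Send something whose echo differs from its output, e.g. `echo d''one`, or match `-re {\r\ndone\r\n}`. Independently, `/var/lock/ttt` is a fixed name in a shared directory: a leftover file from an interrupted run (or one planted by another user) makes the first `cat` succeed regardless of what the sandbox did, so the test should remove it before the first write or use a per-run name.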
diff --git a/test/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index 95ceeb2a4..811baac68 100755 --- a/test/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -12,33 +15,33 @@ expect { | |||
12 | } | 15 | } |
13 | sleep 1 | 16 | sleep 1 |
14 | 17 | ||
15 | send -- "echo mytest > /var/tmp/ttt;pwd\r" | 18 | send -- "echo mytest > /var/tmp/ttt;echo done\r" |
16 | expect { | 19 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "home" | 21 | "done" |
19 | } | 22 | } |
20 | 23 | ||
21 | send -- "cat /var/tmp/ttt;pwd\r" | 24 | send -- "cat /var/tmp/ttt;echo done\r" |
22 | expect { | 25 | expect { |
23 | timeout {puts "TESTING ERROR 2.1\n";exit} | 26 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "mytest" | 27 | "mytest" |
25 | } | 28 | } |
26 | expect { | 29 | expect { |
27 | timeout {puts "TESTING ERROR 2\n";exit} | 30 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "home" | 31 | "done" |
29 | } | 32 | } |
30 | 33 | ||
31 | send -- "rm /var/tmp/ttt;pwd\r" | 34 | send -- "rm /var/tmp/ttt;echo done\r" |
32 | expect { | 35 | expect { |
33 | timeout {puts "TESTING ERROR 3\n";exit} | 36 | timeout {puts "TESTING ERROR 4\n";exit} |
34 | "home" | 37 | "done" |
35 | } | 38 | } |
36 | 39 | ||
37 | send -- "cat /var/tmp/ttt;pwd\r" | 40 | send -- "cat /var/tmp/ttt;echo done\r" |
38 | expect { | 41 | expect { |
39 | timeout {puts "TESTING ERROR 4\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
40 | "mytest" {puts "TESTING ERROR 4.1\n";exit} | 43 | "mytest" {puts "TESTING ERROR 6\n";exit} |
41 | "home" | 44 | "done" |
42 | } | 45 | } |
43 | 46 | ||
44 | sleep 1 | 47 | sleep 1 |
@@ -48,40 +51,40 @@ sleep 1 | |||
48 | # redo the test with --private | 51 | # redo the test with --private |
49 | send -- "firejail\r" | 52 | send -- "firejail\r" |
50 | expect { | 53 | expect { |
51 | timeout {puts "TESTING ERROR 10\n";exit} | 54 | timeout {puts "TESTING ERROR 7\n";exit} |
52 | "Child process initialized" | 55 | "Child process initialized" |
53 | } | 56 | } |
54 | sleep 1 | 57 | sleep 1 |
55 | 58 | ||
56 | send -- "echo mytest > /var/tmp/ttt;pwd\r" | 59 | send -- "echo mytest > /var/tmp/ttt;echo done\r" |
57 | expect { | 60 | expect { |
58 | timeout {puts "TESTING ERROR 11\n";exit} | 61 | timeout {puts "TESTING ERROR 8\n";exit} |
59 | "home" | 62 | "done" |
60 | } | 63 | } |
61 | 64 | ||
62 | send -- "cat /var/tmp/ttt;pwd\r" | 65 | send -- "cat /var/tmp/ttt;echo done\r" |
63 | expect { | 66 | expect { |
64 | timeout {puts "TESTING ERROR 12.1\n";exit} | 67 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "mytest" | 68 | "mytest" |
66 | } | 69 | } |
67 | expect { | 70 | expect { |
68 | timeout {puts "TESTING ERROR 12\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
69 | "home" | 72 | "done" |
70 | } | 73 | } |
71 | 74 | ||
72 | send -- "rm /var/tmp/ttt;pwd\r" | 75 | send -- "rm /var/tmp/ttt;echo done\r" |
73 | expect { | 76 | expect { |
74 | timeout {puts "TESTING ERROR 13\n";exit} | 77 | timeout {puts "TESTING ERROR 11\n";exit} |
75 | "home" | 78 | "done" |
76 | } | 79 | } |
77 | 80 | ||
78 | send -- "cat /var/tmp/ttt;pwd\r" | 81 | send -- "cat /var/tmp/ttt;echo done\r" |
79 | expect { | 82 | expect { |
80 | timeout {puts "TESTING ERROR 14\n";exit} | 83 | timeout {puts "TESTING ERROR 12\n";exit} |
81 | "mytest" {puts "TESTING ERROR 14.1\n";exit} | 84 | "mytest" {puts "TESTING ERROR 13\n";exit} |
82 | "home" | 85 | "done" |
83 | } | 86 | } |
84 | 87 | ||
85 | sleep 1 | 88 | sleep 1 |
86 | 89 | ||
87 | puts "\n" | 90 | puts "\nall done\n" |
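Review bot: The negative check on new lines 81-86 is vacuous as written: `expect "done"` can match the echoed input line (`;echo done`) or the `done` left over from the `rm` step before the `cat` output is read, so a `/var/tmp/ttt` still visible in the `--private` sandbox would not trigger `TESTING ERROR 13`. A sentinel that is not literally in the typed line, such as `echo d''one`, or an anchored `-re {\r\ndone\r\n}` arm, fixes all four blocks. As with the `/var/lock` test, the fixed filename in a world-writable directory means a stale or pre-planted `ttt` satisfies the first read; delete it up front or use a unique name.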
diff --git a/test/invalid_filename.exp b/test/fs/invalid_filename.exp index dd1fa4634..1acc85491 100755 --- a/test/invalid_filename.exp +++ b/test/fs/invalid_filename.exp | |||
@@ -1,23 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | 2 | # This file is part of Firejail project | |
3 | #invalid_filename checks: | 3 | # Copyright (C) 2014-2016 Firejail Authors |
4 | # | 4 | # License GPL v2 |
5 | #--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it | ||
6 | #--blacklist - profile.c | ||
7 | #--cgroup - cgroup.c | ||
8 | #--chroot - main.c | ||
9 | #--netfilter - netfilter.c | ||
10 | #--output - output.c | ||
11 | #--private - fs_home.c | ||
12 | #--privte-bin (list) - fs_bin.c | ||
13 | #--private-home (list) - fs_home.c | ||
14 | #--private-etc (list) - fs_etc.c | ||
15 | #--profile - main.c | ||
16 | #--read_only - profile.c | ||
17 | #--shell - main.c | ||
18 | #--tmpfs - profile.c | ||
19 | #--white-list | ||
20 | |||
21 | 5 | ||
22 | set timeout 10 | 6 | set timeout 10 |
23 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -56,7 +40,8 @@ after 100 | |||
56 | send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" | 40 | send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" |
57 | expect { | 41 | expect { |
58 | timeout {puts "TESTING ERROR 3.1\n";exit} | 42 | timeout {puts "TESTING ERROR 3.1\n";exit} |
59 | "Checking filename bla&&bla" | 43 | "Checking filename bla&&bla" {puts "normal system\n"} |
44 | "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit} | ||
60 | } | 45 | } |
61 | expect { | 46 | expect { |
62 | timeout {puts "TESTING ERROR 3.2\n";exit} | 47 | timeout {puts "TESTING ERROR 3.2\n";exit} |
@@ -200,7 +185,5 @@ expect { | |||
200 | } | 185 | } |
201 | after 100 | 186 | after 100 |
202 | 187 | ||
203 | |||
204 | |||
205 | puts "\nall done\n" | 188 | puts "\nall done\n" |
206 | 189 | ||
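Review bot: The new Grsecurity arm on line 44 prints `all done` and exits as soon as `--chroot` is rejected, so on such a system none of the checks that follow in this file run (the script continues past the hunk), yet the transcript is identical to a full pass; print something distinguishable, e.g. `puts "\nTESTING: chroot not available, remaining checks skipped\n"`, and keep `all done` for the real end. The hunk also deletes the header comment that listed which option / source-file pair each check covers (`--blacklist - profile.c`, `--netfilter - netfilter.c`, ...); that list was the only map from this test to the validated code and should be restored beneath the license header, with the `--privte-bin` typo corrected.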
diff --git a/test/kmsg.exp b/test/fs/kmsg.exp index 096bdb708..abc711aee 100755 --- a/test/kmsg.exp +++ b/test/fs/kmsg.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -16,14 +19,14 @@ expect { | |||
16 | timeout {puts "TESTING ERROR 2\n";exit} | 19 | timeout {puts "TESTING ERROR 2\n";exit} |
17 | "Permission denied" | 20 | "Permission denied" |
18 | } | 21 | } |
19 | sleep 1 | 22 | after 100 |
20 | 23 | ||
21 | send -- "cat /proc/kmsg\r" | 24 | send -- "cat /proc/kmsg\r" |
22 | expect { | 25 | expect { |
23 | timeout {puts "TESTING ERROR 3\n";exit} | 26 | timeout {puts "TESTING ERROR 3\n";exit} |
24 | "Permission denied" | 27 | "Permission denied" |
25 | } | 28 | } |
26 | sleep 1 | 29 | after 100 |
27 | 30 | ||
28 | puts "\nall done\n" | 31 | puts "\nall done\n" |
29 | 32 | ||
diff --git a/test/option_bind_user.exp b/test/fs/option_bind_user.exp index 9d2d17d7f..9d2d17d7f 100755 --- a/test/option_bind_user.exp +++ b/test/fs/option_bind_user.exp | |||
diff --git a/test/option_blacklist.exp b/test/fs/option_blacklist.exp index b80d0cc60..38fd19237 100755 --- a/test/option_blacklist.exp +++ b/test/fs/option_blacklist.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -11,23 +14,23 @@ expect { | |||
11 | } | 14 | } |
12 | sleep 1 | 15 | sleep 1 |
13 | 16 | ||
14 | send -- "ls -l /var;pwd\r" | 17 | send -- "ls -l /var;echo done\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "Permission denied" | 20 | "Permission denied" |
18 | } | 21 | } |
19 | expect { | 22 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "home" | 24 | "done" |
22 | } | 25 | } |
23 | send -- "cd /var;pwd\r" | 26 | send -- "cd /var;echo done\r" |
24 | expect { | 27 | expect { |
25 | timeout {puts "TESTING ERROR 3\n";exit} | 28 | timeout {puts "TESTING ERROR 3\n";exit} |
26 | "Permission denied" | 29 | "Permission denied" |
27 | } | 30 | } |
28 | expect { | 31 | expect { |
29 | timeout {puts "TESTING ERROR 4\n";exit} | 32 | timeout {puts "TESTING ERROR 4\n";exit} |
30 | "home" | 33 | "done" |
31 | } | 34 | } |
32 | sleep 1 | 35 | sleep 1 |
33 | 36 | ||
diff --git a/test/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp index ecdfe3b82..846735d9e 100755 --- a/test/option_blacklist_file.exp +++ b/test/fs/option_blacklist_file.exp | |||
@@ -11,14 +11,14 @@ expect { | |||
11 | } | 11 | } |
12 | sleep 1 | 12 | sleep 1 |
13 | 13 | ||
14 | send -- "cat /etc/passwd;pwd\r" | 14 | send -- "cat /etc/passwd;echo done\r" |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "Permission denied" | 17 | "Permission denied" |
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "home" | 21 | "done" |
22 | } | 22 | } |
23 | sleep 1 | 23 | sleep 1 |
24 | 24 | ||
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp new file mode 100755 index 000000000..01939736d --- /dev/null +++ b/test/fs/option_blacklist_glob.exp | |||
@@ -0,0 +1,32 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --blacklist=testdir1/*\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | send -- "cd testdir1\r" | ||
17 | sleep 1 | ||
18 | |||
19 | send -- "cat .file\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "Permission denied" | ||
23 | } | ||
24 | |||
25 | send -- "ls .directory\r" | ||
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 2\n";exit} | ||
28 | "Permission denied" | ||
29 | } | ||
30 | |||
31 | puts "\n" | ||
32 | |||
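Review bot: `--blacklist=testdir1/*` on line 10 is sent unquoted to the interactive shell, so the pattern only reaches firejail intact because `*` does not match dot-files and bash keeps an unmatched glob literal; with `nullglob` set, or once a non-dot file is added to `testdir1`, the shell rewrites the argument and the test silently changes meaning. Quote it: `send -- "firejail --blacklist='testdir1/*'\r"`. The `cd testdir1` on line 16 is never verified, and the file ends with `puts "\n"` rather than the `all done` marker the sibling tests print, so a failed `cd` or an early exit leaves no trace in the runner output.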
diff --git a/test/private-bin.exp b/test/fs/private-bin.exp index a82d2b213..c19702e77 100755 --- a/test/private-bin.exp +++ b/test/fs/private-bin.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -63,9 +66,6 @@ expect { | |||
63 | } | 66 | } |
64 | send -- "exit\r" | 67 | send -- "exit\r" |
65 | 68 | ||
66 | |||
67 | |||
68 | |||
69 | sleep 1 | 69 | sleep 1 |
70 | puts "\nall done\n" | 70 | puts "\nall done\n" |
71 | 71 | ||
diff --git a/test/private-bin.profile b/test/fs/private-bin.profile index 24cf5929a..24cf5929a 100644 --- a/test/private-bin.profile +++ b/test/fs/private-bin.profile | |||
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp new file mode 100755 index 000000000..13e917a5c --- /dev/null +++ b/test/fs/private-etc-empty.exp | |||
@@ -0,0 +1,38 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 30 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --private-etc=blablabla\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "ls -l /etc | wc -l\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "0" | ||
21 | } | ||
22 | send -- "exit\r" | ||
23 | sleep 1 | ||
24 | |||
25 | send -- "firejail --profile=private-etc-empty.profile\r" | ||
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 0\n";exit} | ||
28 | "Child process initialized" | ||
29 | } | ||
30 | sleep 1 | ||
31 | |||
32 | send -- "ls -l /etc | wc -l\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1\n";exit} | ||
35 | "0" | ||
36 | } | ||
37 | |||
38 | puts "\nall done\n" | ||
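Review bot: `"0"` on lines 20 and 35 is a single-character pattern, so any zero in the transcript (a prompt, a pid in a firejail message) satisfies it, and GNU `ls -l` prints a `total 0` line even for an empty directory, so `ls -l /etc | wc -l` should report `1`, not `0`, when /etc is genuinely empty — please confirm on the target system what this actually matched. Use `ls -A /etc | wc -l` and anchor the expectation, e.g. `-re {\r\n0\r\n}`. The two blocks also reuse `TESTING ERROR 0` and `1`, so a failure cannot be attributed to the command-line or the profile variant; number the second block 2 and 3.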
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile new file mode 100644 index 000000000..38aa8cd68 --- /dev/null +++ b/test/fs/private-etc-empty.profile | |||
@@ -0,0 +1 @@ | |||
private-etc blablabla | |||
diff --git a/test/private-etc.exp b/test/fs/private-etc.exp index db1d1df3a..3b4f3eb2b 100755 --- a/test/private-etc.exp +++ b/test/fs/private-etc.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -12,29 +15,29 @@ expect { | |||
12 | } | 15 | } |
13 | sleep 1 | 16 | sleep 1 |
14 | 17 | ||
15 | send -- "ls -al /etc\r" | 18 | send -- "LC_ALL=C ls -al /etc\r" |
16 | expect { | 19 | expect { |
17 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
18 | "group" | 21 | "X11" |
19 | } | 22 | } |
20 | expect { | 23 | expect { |
21 | timeout {puts "TESTING ERROR 4\n";exit} | 24 | timeout {puts "TESTING ERROR 4\n";exit} |
22 | "passwd" | 25 | "group" |
23 | } | 26 | } |
24 | expect { | 27 | expect { |
25 | timeout {puts "TESTING ERROR 5\n";exit} | 28 | timeout {puts "TESTING ERROR 5\n";exit} |
26 | "resolv.conf" | 29 | "passwd" |
27 | } | 30 | } |
28 | expect { | 31 | expect { |
29 | timeout {puts "TESTING ERROR 6\n";exit} | 32 | timeout {puts "TESTING ERROR 6\n";exit} |
30 | "X11" | 33 | "resolv.conf" |
31 | } | 34 | } |
32 | 35 | ||
33 | send -- "ls -al /etc\r" | 36 | send -- "ls -al /etc; echo done\r" |
34 | expect { | 37 | expect { |
35 | timeout {puts "TESTING ERROR 7\n";exit} | 38 | timeout {puts "TESTING ERROR 7\n";exit} |
36 | "shadow" {puts "TESTING ERROR 8\n";exit} | 39 | "shadow" {puts "TESTING ERROR 8\n";exit} |
37 | "X11" | 40 | "done" |
38 | } | 41 | } |
39 | 42 | ||
40 | sleep 1 | 43 | sleep 1 |
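Review bot: The `shadow` negative check on new lines 36-41 is the one security assertion in this file, and it can be satisfied by the echo of the typed `ls -al /etc; echo done` before the listing arrives (a spawned shell echoes input on its pty), so a leaked `/etc/shadow` would go unnoticed. Use a sentinel absent from the typed line, e.g. `send -- "ls -al /etc; echo d''one\r"`, or match `-re {\r\ndone}`. The `LC_ALL=C` added on line 18 is what makes `X11` sort before `group` in the first listing; a short comment, `# C locale: uppercase sorts first, so X11 precedes group/passwd`, would explain why the expected order changed and why the second listing needs no locale.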
diff --git a/test/private-whitelist.exp b/test/fs/private-whitelist.exp index f06415c52..4dadeacb1 100755 --- a/test/private-whitelist.exp +++ b/test/fs/private-whitelist.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -9,26 +12,28 @@ expect { | |||
9 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
10 | "Child process initialized" | 13 | "Child process initialized" |
11 | } | 14 | } |
12 | sleep 1 | 15 | after 100 |
13 | 16 | ||
14 | send -- "ls -al /tmp\r" | 17 | send -- "ls -al /tmp\r" |
15 | expect { | 18 | expect { |
16 | timeout {puts "TESTING ERROR 2\n";exit} | 19 | timeout {puts "TESTING ERROR 2\n";exit} |
17 | ".X11-unix" | 20 | ".X11-unix" |
18 | } | 21 | } |
19 | sleep 1 | 22 | after 100 |
20 | 23 | ||
21 | send -- "ls -a /tmp | wc -l\r" | 24 | send -- "ls -a /tmp | wc -l\r" |
22 | expect { | 25 | expect { |
23 | timeout {puts "TESTING ERROR 3\n";exit} | 26 | timeout {puts "TESTING ERROR 3\n";exit} |
24 | "3" | 27 | "3" |
25 | } | 28 | } |
26 | sleep 1 | 29 | after 100 |
27 | 30 | ||
28 | send -- "ls -a ~ | wc -l\r" | 31 | send -- "ls -a ~ | wc -l\r" |
29 | expect { | 32 | expect { |
30 | timeout {puts "TESTING ERROR 4\n";exit} | 33 | timeout {puts "TESTING ERROR 4\n";exit} |
31 | "4" | 34 | "3" {puts "3\n"} |
35 | "4" {puts "4\n"} | ||
36 | "5" {puts "5\n"} | ||
32 | } | 37 | } |
33 | 38 | ||
34 | sleep 1 | 39 | sleep 1 |
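Review bot: Accepting `3`, `4` or `5` for `ls -a ~ | wc -l` (new lines 34-36) loosens the assertion without saying what the whitelisted home is expected to contain, so the test no longer pins what `--private-whitelist` leaves visible; add a comment naming the entries that legitimately vary (`.` and `..` plus which whitelisted items), or assert on the listing itself. Each single-digit pattern also matches inside larger numbers such as `13`, so anchor with `-re {\r\n3\r\n}` or similar. The start of the test is outside the hunk.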
diff --git a/test/fs/private.exp b/test/fs/private.exp new file mode 100755 index 000000000..7eee0c82b --- /dev/null +++ b/test/fs/private.exp | |||
@@ -0,0 +1,59 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | if { $argc != 1 } { | ||
11 | puts "TESTING ERROR: argument missing" | ||
12 | puts "Usage: private.exp username" | ||
13 | puts "where username is the name of the current user" | ||
14 | exit | ||
15 | } | ||
16 | |||
17 | # testing profile and private | ||
18 | send -- "firejail --private --profile=/etc/firejail/default.profile\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 0\n";exit} | ||
21 | "Child process initialized" | ||
22 | } | ||
23 | sleep 1 | ||
24 | send -- "exit\r" | ||
25 | sleep 1 | ||
26 | |||
27 | send -- "firejail --private --noprofile\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1\n";exit} | ||
30 | "Child process initialized" | ||
31 | } | ||
32 | |||
33 | sleep 1 | ||
34 | send -- "cd ~; ls -al; echo done\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 2\n";exit} | ||
37 | ".bashrc" | ||
38 | } | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 3\n";exit} | ||
41 | done | ||
42 | } | ||
43 | |||
44 | # owner /tmp | ||
45 | send -- "stat -c %U%a /tmp;echo done\r" | ||
46 | expect { | ||
47 | timeout {puts "TESTING ERROR 10\n";exit} | ||
48 | "root777" {puts "version 1\n";} | ||
49 | "root1777" {puts "version 2\n";} | ||
50 | "nobody777" {puts "version 3\n";} | ||
51 | "nobody1777" {puts "version 4\n";} | ||
52 | } | ||
53 | expect { | ||
54 | timeout {puts "TESTING ERROR 11\n";exit} | ||
55 | "done" | ||
56 | } | ||
57 | sleep 1 | ||
58 | |||
59 | puts "all done\n" | ||
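Review bot: The script refuses to run without a username argument (lines 10-15) but never reads `$argv`, so the check is dead and the `whoami` plumbing in fs.sh is unnecessary; either drop the check or use the argument, e.g. to assert that `~` in the private sandbox is owned by that user. The `/tmp` arms on lines 48-51 accept `root777` and `nobody777`, that is a world-writable `/tmp` without the sticky bit; if that corresponds to a known older firejail layout say so in a comment, otherwise only the `1777` forms should be accepted, since a non-sticky shared `/tmp` lets any sandboxed process unlink another's files. Note `"done"` on line 41 is unquoted; Tcl tolerates it, but quoting it like the other arms avoids a future word-splitting surprise.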
diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/fs/testdir1/.directory/file | |||
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/fs/testdir1/.file | |||
diff --git a/test/whitelist-empty.exp b/test/fs/whitelist-empty.exp index 226b019db..f44d4fb58 100755 --- a/test/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 30 | 6 | set timeout 30 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
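--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -7,7 +7,8 @@ match_max 100000
 send -- "firejail --chroot=/tmp/chroot\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
+"Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
+"Child process initialized" {puts "chroot available\n"};
 }
 sleep 1
 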
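Review bot: The new `"Child process initialized"` arm at line 11 ends with a stray `;` after its action brace; no other arm in this file or in fs_overlay.exp has one, and since expect splits the braced body into pattern/action words the `;` is at best noise and at worst read as an extra lone pattern — drop it: `"Child process initialized" {puts "chroot available\n"}`. The Grsecurity arm reports `all done` and exits, which makes a skipped run indistinguishable from a passed one when output is filtered with `grep TESTING` as the network README describes; fs_overlay.exp prints a `TESTING: ... not available` line for the same situation, so `{puts "\nTESTING SKIP: chroot not available\n"; exit}` would be the consistent form. The rest of the script continues outside the hunk.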
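--- a/test/fs_overlay.exp
+++ b/test/fs_overlay.exp
@@ -20,6 +20,7 @@ send -- "firejail --noprofile --overlay\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+"Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
 "Child process initialized" {puts "found\n"}
 }
 sleep 1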
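--- a/test/google-chrome.exp
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail google-chrome www.gentoo.org\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Reading profile /etc/firejail/google-chrome.profile"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Child process initialized"
-}
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-":firejail"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1\n";exit}
-"google-chrome"
-}
-sleep 1
-
-send -- "firejail --name=blablabla\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-":firejail google-chrome"
-}
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"Seccomp: 0"
-}
-expect {
-timeout {puts "TESTING ERROR 5.1\n";exit}
-"name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-":firejail google-chrome"
-}
-expect {
-timeout {puts "TESTING ERROR 6.1\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 6.2\n";exit}
-"fffffffff"
-}
-expect {
-timeout {puts "TESTING ERROR 6.3\n";exit}
-"name=blablabla"
-}
-sleep 1
-
-puts "\n"
-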
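--- a/test/net_defaultgw2.exp
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"eth1"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Child process initialized"
-}
-
-# check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.30.89"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth1"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.30.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth1"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
-}
-sleep 1
-
-puts "\n"
-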
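--- a/test/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -115,7 +118,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "lo"
@@ -136,40 +139,35 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
+"default via 10.10.20.1 dev eth0"
 }
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.1"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
+send -- "ip route show\r"
 expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
+timeout {puts "TESTING ERROR 10.2\n";exit}
+"10.10.30.0/24 dev eth1 proto kernel scope link"
 }
+send -- "ip route show\r"
 expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
+timeout {puts "TESTING ERROR 10.2\n";exit}
+"10.10.40.0/24 dev eth2 proto kernel scope link"
 }
+send -- "ip route show\r"
 expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+timeout {puts "TESTING ERROR 10.2\n";exit}
+"10.10.50.0/24 dev eth3 proto kernel scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 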
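Review bot: The route checks added at new lines 157, 162 and 167 all reuse the label `TESTING ERROR 10.2`, so a timeout on the eth1, eth2 or eth3 route cannot be told apart from a failure on the eth0 network route at line 152; the sibling 4bridges_ip.exp numbers the same checks 10.2 through 10.5. Suggest `timeout {puts "TESTING ERROR 10.3\n";exit}`, `10.4` and `10.5` for the three arms respectively. The repeated `send -- "ip route show\r"` lines should not be needed, since expect keeps the unmatched remainder of the first listing in its buffer after each match, but they are harmless.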
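--- a/test/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -115,7 +118,7 @@ sleep 2
 
 
 # check loopback
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
+send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "lo"
@@ -138,38 +141,37 @@ expect {
 }
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
+"default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.1"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
+"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
+"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.50.0/24 dev eth3 proto kernel scope link"
 }
+
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 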
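--- /dev/null
+++ b/test/network/README
@@ -0,0 +1,15 @@
+Warning: this test requires root access to configure a number of bridge, mac
+and vlan devices. Please take a look at configure file. By the time you are
+finished testing, you'll probably have to reboot the computer to get your
+networking subsytem back to normal.
+
+Limitations - to be investigated and fixed:
+- the test is assuming an eth0 wired interface to be present
+- using netstat and ifconfig - this needs to be moved to iproute2
+- configure script inserts an entry in system netfilter configuration
+- the test will probably not work on grsecurity settings
+- macvlan interfaces don't seem to work correctly under VirtualBox
+
+Run the test:
+$ sudo ./configure
+$ ./network.sh | grep TESTING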
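--- /dev/null
+++ b/test/network/bandwidth.exp
@@ -0,0 +1,65 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --bandwidth=test status\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"qdisc * 0: dev eth0"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test set br0 50 10\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Configuring interface eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"configuring tc ingress"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"configuring tc egress"
+}
+
+send -- "firejail --bandwidth=test status\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"dev eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"rate 80Kbit burst 10Kb"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test clear br0\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Removing bandwith limits"
+}
+sleep 1
+
+send -- "firejail --bandwidth=test status; echo done\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
+"done"
+}
+sleep 1
+
+puts "\nall done\n"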
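Review bot: The final check at lines 57–62 is vacuous: the pty echoes the typed line `firejail --bandwidth=test status; echo done` back before the command produces any output, that echo already contains `done`, so the expect at line 58 matches immediately and the `rate 80Kbit burst 10Kb` arm (error 9) never gets to see the status listing. Use a marker whose typed form differs from what the shell prints, e.g. `send -- "firejail --bandwidth=test status; echo do\"\"ne\r"`, or first consume the echo with an expect on the command text. The same `;echo done` marker preceded by no positive match is used in net_noip.exp, net_noip2.exp and net_none.exp, where it likewise lets the `0.0.0.0`/`eth0` error arms be skipped. Separately, the sandbox started as `--name=test` at line 10 is never shut down at the end of the script, so a rerun would presumably hit the existing name at line 10 or exercise the stale instance.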
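--- /dev/null
+++ b/test/network/configure
@@ -0,0 +1,27 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+brctl addbr br0
+ifconfig br0 10.10.20.1/29 up
+# NAT masquerade
+iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
+# port forwarding
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
+
+brctl addbr br1
+ifconfig br1 10.10.30.1/24 up
+brctl addbr br2
+ifconfig br2 10.10.40.1/24 up
+brctl addbr br3
+ifconfig br3 10.10.50.1/24 up
+brctl addbr br4
+ifconfig br4 10.10.60.1/24 up
+ip link add link eth0 name eth0.5 type vlan id 5
+/sbin/ifconfig eth0.5 10.10.205.10/24 up
+ip link add link eth0 name eth0.6 type vlan id 6
+/sbin/ifconfig eth0.6 10.10.206.10/24 up
+ip link add link eth0 name eth0.7 type vlan id 7
+/sbin/ifconfig eth0.7 10.10.207.10/24 up
+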
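Review bot: The MASQUERADE rule at line 9 is appended unconditionally and nothing in this commit removes it, so every run of the script adds another copy of a NAT rule on the host's real eth0; guarding it with `iptables -t nat -C POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE` keeps it to one, and a matching teardown script would save the reboot the README warns about. The script has neither `set -e` nor a privilege check, so run without root the `brctl addbr` failures scroll by and the remaining commands still execute; `[[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }` after the shebang would make the README's requirement enforceable. The interface name eth0 is hard-coded at lines 9 and 21–25 (the README lists this as a known limitation); `iface=${1:-eth0}` would let it be overridden per host.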
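--- a/test/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,24 +1,27 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --hostname=baluba --noprofile\r"
+send -- "firejail --hostname=bingo --noprofile\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "ping -c 3 baluba;pwd\r"
+send -- "ping -c 3 bingo; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "3 packets transmitted, 3 received"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"home"
+"done"
 }
 sleep 1
 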
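--- a/test/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -15,6 +18,7 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
+"unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
 "2001:db8:1f0a:3ec::2"
 }
 expect {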
diff --git a/test/ipv6.net b/test/network/ipv6.net index cc8f22943..cc8f22943 100644 --- a/test/ipv6.net +++ b/test/network/ipv6.net | |||
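--- /dev/null
+++ b/test/network/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
+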
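--- a/test/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)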
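--- a/test/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)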
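--- a/test/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,11 +1,14 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "eth0"
@@ -26,40 +29,21 @@ expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
+"default via 10.10.20.2 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.2"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 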
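--- /dev/null
+++ b/test/network/net_defaultgw2.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check ip address
+send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"eth1"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+# check default gateway
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 10.1\n";exit}
+"default via 10.10.30.89 dev eth1"
+}
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 10.2\n";exit}
+"10.10.20.0/29 dev eth0 proto kernel scope link"
+}
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 10.3\n";exit}
+"10.10.30.0/24 dev eth1 proto kernel scope link"
+}
+sleep 1
+
+puts "\nall done\n"
+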
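--- a/test/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)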
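--- a/test/net_interface.exp
+++ b/test/network/net_interface.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)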
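--- a/test/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -31,7 +34,7 @@ send -- "exit\r"
 sleep 2
 
 # check loopback
-send -- "firejail --net=br0 --ip=10.10.20.5\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "lo"
@@ -52,38 +55,19 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.1"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
+"default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
 sleep 1
 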
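--- a/test/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)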
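--- a/test/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)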
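--- a/test/net_macvlan.exp
+++ b/test/network/net_macvlan.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)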
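--- a/test/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)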
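--- a/test/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)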
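--- a/test/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,24 +19,24 @@ send -- "bash\r"
 sleep 1
 
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
 "eth0" {puts "TESTING ERROR 4\n";exit}
-"home"
+"done"
 }
 sleep 1
 
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "eth0"
 }
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-"home"
+"done"
 }
 after 100
 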
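--- a/test/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,24 +19,24 @@ send -- "bash\r"
 sleep 1
 
 # no default gateway configured
-send -- "netstat -rn;pwd\r"
+send -- "netstat -rn;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
 "eth0" {puts "TESTING ERROR 4\n";exit}
-"home"
+"done"
 }
 sleep 1
 
 # eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
+send -- "/sbin/ifconfig;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "eth0"
 }
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-"home"
+"done"
 }
 after 100
 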
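--- a/test/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -16,20 +19,20 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit}
-"home"
+"done"
 }
 sleep 1
 
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "eth0" {puts "TESTING ERROR 2.1\n";exit}
-"home"
+"done"
 }
 send -- "exit\r"
 sleep 1
@@ -48,21 +51,21 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
-send -- "netstat -rn; pwd\r"
+send -- "netstat -rn; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
-"home"
+"done"
 }
 sleep 1
 
 # check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
+send -- "cat /proc/1/net/dev;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "eth0" {puts "TESTING ERROR 5.1\n";exit}
-"home"
+"done"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"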
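Review bot: This is the `--net=none` check, and with `echo done` as the sentinel (new lines 22, 31, 54, 63) the `0.0.0.0` and `eth0` patterns become vacuous: the echoed command line already contains `done`, so the expect block can return on the echo before `netstat`/`cat /proc/1/net/dev` has produced any output, and a sandbox that still sees the host's default route or eth0 would pass. A sentinel that is not a substring of the typed command restores the check, e.g. `send -- "cat /proc/1/net/dev;echo do''ne\r"` with the expect pattern left as `"done"`. The two `firejail --net=none` invocations that open each sub-test are above these hunks and not visible here.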
diff --git a/test/net_none.profile b/test/network/net_none.profile index 079c08ea8..079c08ea8 100644 --- a/test/net_none.profile +++ b/test/network/net_none.profile | |||
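--- /dev/null
+++ b/test/network/net_profile.exp
@@ -0,0 +1,76 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+timeout {puts "TESTING ERROR 0.0\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 0.1\n";exit}
+"00:11:22:33:44:55"
+}
+expect {
+timeout {puts "TESTING ERROR 0.1\n";exit}
+"10.10.20"
+}
+expect {
+timeout {puts "TESTING ERROR 0.2\n";exit}
+"255.255.255.248"
+}
+expect {
+timeout {puts "TESTING ERROR 0.3\n";exit}
+"UP"
+}
+expect {
+timeout {puts "TESTING ERROR 0.4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
+}
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
+}
+
+
+# check default gw
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"default via 10.10.20.2 dev eth0"
+}
+
+# check mtu
+send -- "ip link show\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"mtu 1000"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"state UP"
+}
+
+sleep 1
+
+puts "\nall done\n"
+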
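Review bot: Lines 17 and 21 both report `TESTING ERROR 0.1`, so a missing MAC and a missing `10.10.20` address are indistinguishable in the log; give the second one its own number (and shift 0.2–0.4 accordingly). The script also hard-codes a MAC, three subnets, a gateway and an MTU that must be provided by `net-profile.profile` and the bridges it attaches to, neither of which is part of this commit, so a header comment naming the fixture would tell the next person why it fails on a plain host, e.g. `# requires net-profile.profile: eth0 10.10.20.x/29 mac 00:11:22:33:44:55 mtu 1000, eth1 10.10.30.50/24, eth2 10.10.40.100/24, defaultgw 10.10.20.2`. Running `ip route show` three times (lines 38, 44, 52) for three lines of the same output is harmless but worth a comment, since the expects only work because of the order `ip` prints routes in.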
diff --git a/test/netfilter.filter b/test/network/netfilter.filter index 3e232065c..3e232065c 100644 --- a/test/netfilter.filter +++ b/test/network/netfilter.filter | |||
diff --git a/test/netfilter.profile b/test/network/netfilter.profile index 824c6cd0f..824c6cd0f 100644 --- a/test/netfilter.profile +++ b/test/network/netfilter.profile | |||
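--- /dev/null
+++ b/test/network/network.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
+echo "TESTING: bandwidth (bandwidth.exp)"
+./bandwidth.exp
+
+echo "TESTING: IPv6 support (ip6.exp)"
+./ip6.exp
+
+echo "TESTING: local network (net_local.exp)"
+./net_local.exp
+
+echo "TESTING: no network (net_none.exp)"
+./net_none.exp
+
+echo "TESTING: network IP (net_ip.exp)"
+./net_ip.exp
+
+echo "TESTING: network MAC (net_mac.exp)"
+sleep 2
+./net_mac.exp
+
+echo "TESTING: network MTU (net_mtu.exp)"
+./net_mtu.exp
+
+echo "TESTING: network hostname (hostname.exp)"
+./hostname.exp
+
+echo "TESTING: network bad IP (net_badip.exp)"
+./net_badip.exp
+
+echo "TESTING: network no IP test 1 (net_noip.exp)"
+./net_noip.exp
+
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
+./net_noip2.exp
+
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
+./net_defaultgw.exp
+
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
+./net_defaultgw2.exp
+
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
+./net_defaultgw3.exp
+
+echo "TESTING: netfilter (net_netfilter.exp)"
+./net_netfilter.exp
+
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
+./4bridges_arp.exp
+
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
+./4bridges_ip.exp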
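Review bot: None of the 18 invocations checks its exit status, and the expect scripts it runs end their `TESTING ERROR` branches with a bare `exit` (status 0; see net_profile.exp in this commit), so a failing network test never fails this runner or a CI job wrapping it — the failure is only visible by reading the log. Track failures here, e.g. `run() { echo "TESTING: $1"; "./$2" || FAILED="$FAILED $2"; }` with `[ -z "$FAILED" ] || { echo "FAILED:$FAILED"; exit 1; }` at the end, and have the `.exp` error branches use `exit 1`. The `sleep 2` before net_mac.exp on line 28 also deserves a one-line comment saying what it waits for; as written it looks like a leftover.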
diff --git a/test/noroot.exp b/test/noroot.exp deleted file mode 100755 index 37d55fe78..000000000 --- a/test/noroot.exp +++ /dev/null | |||
@@ -1,117 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0.1\n";exit} | ||
10 | "Child process initialized" | ||
11 | } | ||
12 | sleep 1 | ||
13 | |||
14 | send -- "cat /proc/self/status\r" | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "CapBnd:" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
21 | "0000000000000000" | ||
22 | } | ||
23 | |||
24 | send -- "cat /proc/self/status\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 2\n";exit} | ||
27 | "Cpus_allowed:" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
31 | "3" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 2.2\n";exit} | ||
35 | "Cpus_allowed_list:" | ||
36 | } | ||
37 | puts "\n" | ||
38 | |||
39 | send -- "cat /proc/self/status\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 2\n";exit} | ||
42 | "Seccomp:" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
46 | "2" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 2.2\n";exit} | ||
50 | "Cpus_allowed:" | ||
51 | } | ||
52 | puts "\n" | ||
53 | |||
54 | send -- "ping 0\r" | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 4\n";exit} | ||
57 | "Operation not permitted" | ||
58 | } | ||
59 | puts "\n" | ||
60 | |||
61 | send -- "whoami\r" | ||
62 | expect { | ||
63 | timeout {puts "TESTING ERROR 55\\n";exit} | ||
64 | "netblue" | ||
65 | } | ||
66 | puts "\n" | ||
67 | send -- "exit\r" | ||
68 | sleep 2 | ||
69 | |||
70 | |||
71 | send -- "firejail --noroot --noprofile\r" | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 6\n";exit} | ||
74 | "Child process initialized" | ||
75 | } | ||
76 | sleep 1 | ||
77 | send -- "whoami\r" | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 7\n";exit} | ||
80 | "netblue" | ||
81 | } | ||
82 | send -- "sudo -s\r" | ||
83 | expect { | ||
84 | timeout {puts "TESTING ERROR 8\n";exit} | ||
85 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} | ||
86 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} | ||
87 | } | ||
88 | puts "\n" | ||
89 | send -- "exit\r" | ||
90 | sleep 2 | ||
91 | |||
92 | send -- "firejail --name=test --noroot --noprofile\r" | ||
93 | expect { | ||
94 | timeout {puts "TESTING ERROR 9\n";exit} | ||
95 | "Child process initialized" | ||
96 | } | ||
97 | sleep 1 | ||
98 | |||
99 | spawn $env(SHELL) | ||
100 | send -- "firejail --debug --join=test\r" | ||
101 | expect { | ||
102 | timeout {puts "TESTING ERROR 9\n";exit} | ||
103 | "User namespace detected" | ||
104 | } | ||
105 | expect { | ||
106 | timeout {puts "TESTING ERROR 9\n";exit} | ||
107 | "Joining user namespace" | ||
108 | } | ||
109 | sleep 1 | ||
110 | |||
111 | send -- "sudo -s\r" | ||
112 | expect { | ||
113 | timeout {puts "TESTING ERROR 8\n";exit} | ||
114 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} | ||
115 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} | ||
116 | } | ||
117 | puts "all done\n" | ||
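--- a/test/notes
+++ /dev/null
@@ -1,13 +0,0 @@
-Testing --nosound
-
-Get a list of active PulseAudio clients:
-$ pacmd info | grep application.process.binary
-application.process.binary = "lxpanel"
-application.process.binary = "plugin-container"
-application.process.binary = "plugin-container"
-
-Find active PulseAudio socket:
-$ netstat -l | grep pulse
-unix 2 [ ACC ] STREAM LISTENING 10669 /tmp/pulse-WwG6ohxIJmGO/cli
-unix 2 [ ACC ] STREAM LISTENING 12584 /tmp/pulse-WwG6ohxIJmGO/dbus-socket
-unix 2 [ ACC ] STREAM LISTENING 12581 /tmp/pulse-WwG6ohxIJmGO/native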
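--- a/test/option-trace.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --trace\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"bash:open /dev/tty" {puts "64bit\n"}
-"bash:open64 /dev/tty" {puts "32bit\n"}
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
-"bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
-}
-
-sleep 1
-
-puts "\nall done\n"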
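--- a/test/option_chroot_overlay.exp
+++ b/test/option_chroot_overlay.exp
@@ -7,7 +7,8 @@ match_max 100000
 send -- "firejail --chroot=/tmp/chroot --overlay\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"mutually exclusive"
+"mutually exclusive" {puts "normal system\n"}
+"Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
 }
 sleep 1
 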
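Review bot: The Grsecurity branch added on new line 11 prints the same `all done` marker as a successful run and exits before the `--chroot`/`--overlay` exclusion has been checked, so anyone grepping the log for `all done` cannot tell a skipped run from a passed one. Print a distinct marker for the skip, e.g. `{ puts "\nall done (skipped: --chroot unavailable on Grsecurity)\n"; exit}`. Whatever follows `sleep 1` is outside the hunk, so I cannot tell whether the script does further checks that the skip now bypasses.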
diff --git a/test/private.exp b/test/private.exp deleted file mode 100755 index a5920c37b..000000000 --- a/test/private.exp +++ /dev/null | |||
@@ -1,97 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | if { $argc != 1 } { | ||
8 | puts "TESTING ERROR: argument missing" | ||
9 | puts "Usage: private.exp username" | ||
10 | puts "where username is the name of the current user" | ||
11 | exit | ||
12 | } | ||
13 | |||
14 | # testing profile and private | ||
15 | send -- "firejail --private --profile=/etc/firejail/generic.profile\r" | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 0\n";exit} | ||
18 | "Child process initialized" | ||
19 | } | ||
20 | sleep 1 | ||
21 | send -- "exit\r" | ||
22 | sleep 1 | ||
23 | |||
24 | send -- "firejail --private --noprofile\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 0\n";exit} | ||
27 | "Child process initialized" | ||
28 | } | ||
29 | |||
30 | sleep 1 | ||
31 | send -- "ls -al; pwd\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 0.1\n";exit} | ||
34 | ".bashrc" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 0.2\n";exit} | ||
38 | [lindex $argv 0] | ||
39 | } | ||
40 | send -- "ls -al; pwd\r" | ||
41 | expect { | ||
42 | timeout { | ||
43 | # OpenSUSE doesn't use .Xauthority from user home directory | ||
44 | send -- "env | grep XAUTHORITY\r" | ||
45 | |||
46 | expect { | ||
47 | timeout {puts "TESTING ERROR 0.3\n";exit} | ||
48 | "/run/lightdm/netblue/xauthority" | ||
49 | } | ||
50 | } | ||
51 | ".Xauthority" | ||
52 | } | ||
53 | expect { | ||
54 | timeout {puts "TESTING ERROR 0.4\n";exit} | ||
55 | [lindex $argv 0] | ||
56 | } | ||
57 | |||
58 | |||
59 | # testing private only | ||
60 | send -- "bash\r" | ||
61 | sleep 1 | ||
62 | # owner /home/netblue | ||
63 | send -- "ls -l /home;pwd\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 1\n";exit} | ||
66 | [lindex $argv 0] | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
70 | [lindex $argv 0] | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 1.2\n";exit} | ||
74 | [lindex $argv 0] | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 1.3\n";exit} | ||
78 | "home" | ||
79 | } | ||
80 | sleep 1 | ||
81 | |||
82 | # owner /tmp | ||
83 | send -- "stat -c %U%a /tmp;pwd\r" | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 2\n";exit} | ||
86 | "root777" {puts "version 1\n";} | ||
87 | "root1777" {puts "version 2\n";} | ||
88 | "nobody777" {puts "version 3\n";} | ||
89 | "nobody1777" {puts "version 4\n";} | ||
90 | } | ||
91 | expect { | ||
92 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
93 | "home" | ||
94 | } | ||
95 | sleep 1 | ||
96 | |||
97 | puts "all done\n" | ||
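--- a/test/private_dir.exp
+++ b/test/private_dir.exp
@@ -42,8 +42,8 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"5" {puts "normal system\n";}
-"4" {puts "OpenSUSE\n";}
+"6" {puts "normal system\n";}
+"5" {puts "OpenSUSE\n";}
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}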
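Review bot: The patterns `"6"` and `"5"` on new lines 45–46 are unanchored substrings, so a count of 15, 16 or 26 entries from `ls -al | wc -l` also satisfies them, and a private directory that received more files than intended would still be reported as `normal system`; bumping the expected digits in this commit shows how brittle the bare-number match is. Tag the value so only the exact count matches: `send -- "echo cnt=\$(ls -al | wc -l);pwd\r"` and expect `"cnt=6"` / `"cnt=5"` (the typed command echoes as `cnt=$(...)`, so it cannot satisfy the pattern itself). A short comment stating which files are expected in the private home would also make the next bump reviewable; the `firejail --private-home` invocation is above the hunk.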
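--- a/test/private_dir_profile.exp
+++ b/test/private_dir_profile.exp
@@ -42,13 +42,13 @@ expect {
 send -- "ls -al | wc -l;pwd\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"5" {puts "normal system\n";}
-"4" {puts "OpenSUSE\n";}
+"6" {puts "normal system\n";}
+"5" {puts "OpenSUSE\n";}
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "home"
 }
 
-puts "\n"
+puts "\nall done\n"
 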
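Review bot: Same weakness as in private_dir.exp: `"6"` and `"5"` on new lines 45–46 are substring matches, so any count containing that digit (16, 25, 56…) passes and an over-populated private directory is not detected. Prefix the count so the match is exact, `send -- "echo cnt=\$(ls -al | wc -l);pwd\r"` with `"cnt=6"` / `"cnt=5"` as the patterns, and keep the two scripts in step so the next bump is a one-place change. The sandbox invocation this count refers to is above the hunk.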
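--- a/test/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)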
diff --git a/test/ignore.profile b/test/profiles/ignore.profile index aec231ad2..aec231ad2 100644 --- a/test/ignore.profile +++ b/test/profiles/ignore.profile | |||
diff --git a/test/ignore2.profile b/test/profiles/ignore2.profile index 49fcd8324..49fcd8324 100644 --- a/test/ignore2.profile +++ b/test/profiles/ignore2.profile | |||
diff --git a/test/profile_followlnk.exp b/test/profiles/profile_followlnk.exp index e2ede2865..4d89de26b 100755 --- a/test/profile_followlnk.exp +++ b/test/profiles/profile_followlnk.exp | |||
@@ -5,34 +5,22 @@ spawn $env(SHELL) | |||
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | send -- "mkdir /tmp/firejailtestdir\r" | 7 | send -- "mkdir /tmp/firejailtestdir\r" |
8 | sleep 1 | ||
9 | send -- "ln -s /tmp/firejailtestdir /tmp/firejailtestdirlnk\r" | 8 | send -- "ln -s /tmp/firejailtestdir /tmp/firejailtestdirlnk\r" |
10 | sleep 1 | ||
11 | send -- "touch /tmp/firejailtestfile\r" | 9 | send -- "touch /tmp/firejailtestfile\r" |
12 | sleep 1 | ||
13 | send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r" | 10 | send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r" |
14 | sleep 1 | 11 | sleep 1 |
15 | 12 | ||
16 | send -- "firejail --profile=readonly-lnk.profile --debug\r" | 13 | send -- "firejail --profile=readonly-lnk.profile\r" |
17 | expect { | 14 | expect { |
18 | timeout {puts "TESTING ERROR 0\n";exit} | 15 | timeout {puts "TESTING ERROR 0\n";exit} |
19 | "Child process initialized" | 16 | "Child process initialized" |
20 | } | 17 | } |
21 | 18 | ||
22 | # testing private only | 19 | send -- "ls > /tmp/firejailtestdirlnk/ttt\r" |
23 | send -- "bash\r" | ||
24 | sleep 1 | ||
25 | |||
26 | |||
27 | send -- "ls > /tmp/firejailtestdirlnk/ttt;pwd\r" | ||
28 | expect { | 20 | expect { |
29 | timeout {puts "TESTING ERROR 1\n";exit} | 21 | timeout {puts "TESTING ERROR 1\n";exit} |
30 | "Read-only file system" | 22 | "Read-only file system" |
31 | } | 23 | } |
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
34 | "home" | ||
35 | } | ||
36 | sleep 1 | 24 | sleep 1 |
37 | 25 | ||
38 | send -- "ls > /tmp/firejailtestfilelnk;pwd\r" | 26 | send -- "ls > /tmp/firejailtestfilelnk;pwd\r" |
@@ -40,29 +28,10 @@ expect { | |||
40 | timeout {puts "TESTING ERROR 2\n";exit} | 28 | timeout {puts "TESTING ERROR 2\n";exit} |
41 | "Read-only file system" | 29 | "Read-only file system" |
42 | } | 30 | } |
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
45 | "home" | ||
46 | } | ||
47 | sleep 1 | 31 | sleep 1 |
48 | 32 | ||
49 | send -- "exit\r" | 33 | send -- "exit\r" |
50 | sleep 1 | ||
51 | send -- "pwd\r" | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 3\n";exit} | ||
54 | "home" | ||
55 | } | ||
56 | sleep 1 | ||
57 | send -- "exit\r" | ||
58 | sleep 1 | ||
59 | send -- "pwd\r" | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 4\n";exit} | ||
62 | "home" | ||
63 | } | ||
64 | sleep 2 | ||
65 | send -- "rm -fr /tmp/firejailtest*\r" | 34 | send -- "rm -fr /tmp/firejailtest*\r" |
66 | sleep 1 | 35 | sleep 1 |
67 | 36 | ||
68 | puts "\n" | 37 | puts "\nall done\n" |
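Review bot: The fixtures are created at fixed names under world-writable `/tmp` (new lines 7–10) and nothing verifies that `mkdir` and `ln -s` succeeded, so a leftover directory from an aborted run, or an entry planted by another local user, makes the script silently test a different target than the one readonly-lnk.profile (renamed in this commit, contents not visible) presumably marks read-only. Since the paths are presumably pinned by that profile, at least refuse to run on a pre-existing fixture: `send -- "test -e /tmp/firejailtestdir && echo STALE''FIXTURE\r"` followed by a short-timeout expect that aborts on `STALEFIXTURE` (the split literal stops the pty echo of the command from matching). Dropping the `sleep 1` between the setup sends (old lines 8, 10, 12) is fine, as the same shell executes them in order.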
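--- a/test/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -10,4 +10,4 @@ expect {
 "cannot access profile"
 }
 sleep 1
-puts "\n"
+puts "\nall done\n"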
diff --git a/test/profile_readonly.exp b/test/profiles/profile_readonly.exp index 046b0d738..e8e78d6ad 100755 --- a/test/profile_readonly.exp +++ b/test/profiles/profile_readonly.exp | |||
@@ -5,7 +5,6 @@ spawn $env(SHELL) | |||
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | send -- "mkdir /tmp/firejailtestdir\r" | 7 | send -- "mkdir /tmp/firejailtestdir\r" |
8 | sleep 1 | ||
9 | send -- "touch /tmp/firejailtestfile\r" | 8 | send -- "touch /tmp/firejailtestfile\r" |
10 | sleep 1 | 9 | sleep 1 |
11 | 10 | ||
@@ -14,51 +13,24 @@ expect { | |||
14 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
15 | "Child process initialized" | 14 | "Child process initialized" |
16 | } | 15 | } |
16 | sleep 2 | ||
17 | 17 | ||
18 | # testing private only | 18 | send -- "ls > /tmp/firejailtestdir/ttt\r" |
19 | send -- "bash\r" | ||
20 | sleep 1 | ||
21 | |||
22 | |||
23 | send -- "ls > /tmp/firejailtestdir/ttt;pwd\r" | ||
24 | expect { | 19 | expect { |
25 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
26 | "Read-only file system" | 21 | "Read-only file system" |
27 | } | 22 | } |
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
30 | "home" | ||
31 | } | ||
32 | sleep 1 | 23 | sleep 1 |
33 | 24 | ||
34 | send -- "ls > /tmp/firejailtestfile;pwd\r" | 25 | send -- "ls > /tmp/firejailtestfile\r" |
35 | expect { | 26 | expect { |
36 | timeout {puts "TESTING ERROR 2\n";exit} | 27 | timeout {puts "TESTING ERROR 2\n";exit} |
37 | "Read-only file system" | 28 | "Read-only file system" |
38 | } | 29 | } |
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
41 | "home" | ||
42 | } | ||
43 | sleep 1 | ||
44 | |||
45 | send -- "exit\r" | ||
46 | sleep 1 | ||
47 | send -- "pwd\r" | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 3\n";exit} | ||
50 | "home" | ||
51 | } | ||
52 | sleep 1 | ||
53 | send -- "exit\r" | 30 | send -- "exit\r" |
54 | sleep 1 | 31 | sleep 1 |
55 | send -- "pwd\r" | 32 | |
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 4\n";exit} | ||
58 | "home" | ||
59 | } | ||
60 | sleep 2 | ||
61 | send -- "rm -fr /tmp/firejailtest*\r" | 33 | send -- "rm -fr /tmp/firejailtest*\r" |
62 | sleep 1 | 34 | sleep 1 |
63 | 35 | ||
64 | puts "\n" | 36 | puts "\nall done\n" |
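Review bot: The cleanup on new line 33 runs one second after `exit` with no evidence that the sandbox has actually gone away; if the shell is still inside it, `rm -fr /tmp/firejailtest*` fails on the read-only paths, nothing reports that, and the stale `/tmp/firejailtestdir` makes the next run's `mkdir` fail in a way this script also never detects. Confirm the removal instead of sleeping, e.g. `send -- "rm -fr /tmp/firejailtest* && echo CLEAN''ED\r"` followed by `expect { timeout {puts "TESTING ERROR 3\n";exit} "CLEANED" }`. The `firejail --profile=...` line that starts the sandbox (presumably with readonly.profile, renamed in this commit) sits between the two hunks and is not visible.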
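--- a/test/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -26,38 +29,26 @@ expect {
 }
 
 sleep 1
-send -- "rmdir;pwd\r"
+send -- "rmdir\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Permission denied"
 }
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"home"
-}
 
 sleep 1
-send -- "mount;pwd\r"
+send -- "mount\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "Permission denied"
 }
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"home"
-}
 
 sleep 1
-send -- "umount;pwd\r"
+send -- "umount\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 "Permission denied"
 }
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"home"
-}
 send -- "exit\r"
 
 sleep 1
-puts "\nall done\n"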
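Review bot: A bare `rmdir`, `mount` or `umount` (new lines 32, 39, 46) only yields `Permission denied` if the profile under test has blacklisted those binaries so that the exec itself fails; nothing in the script says so, and a reader seeing `rmdir` with no operand will expect `missing operand`. Add a comment above the first send, `# rmdir/mount/umount are presumably blacklisted by the profile loaded above: the exec must fail with "Permission denied"` (the `firejail --profile=` line is outside the hunk, so confirm which profile). With the `pwd`/`home` sentinels gone, the error ids now jump 4, 6, 8; renumbering them 4, 5, 6 keeps the log easy to map back to the script.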
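--- a/test/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)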
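--- /dev/null
+++ b/test/profiles/profiles.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: default profiles installed in /etc"
+PROFILES=`ls /etc/firejail/*.profile`
+for PROFILE in $PROFILES
+do
+echo "TESTING: $PROFILE"
+./test-profile.exp $PROFILE
+done
+
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
+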
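Review bot: Line 29 labels the run of `profile_followlnk.exp` as `profile_readonly.exp`, so a symlink-test failure is attributed to the wrong script in the log; change it to `echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"`. Line 10 parses `ls` into an unquoted variable, which splits on whitespace in a profile path and prints an `ls` error when the glob matches nothing; iterate the glob directly, `for PROFILE in /etc/firejail/*.profile; do` with `[ -e "$PROFILE" ] || continue` as the first statement, and quote `"$PROFILE"` on line 14. As in the other runners added here, no exit status is checked, so a broken default profile cannot fail this script.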
diff --git a/test/readonly-lnk.profile b/test/profiles/readonly-lnk.profile index 71ffb1a26..71ffb1a26 100644 --- a/test/readonly-lnk.profile +++ b/test/profiles/readonly-lnk.profile | |||
diff --git a/test/readonly.profile b/test/profiles/readonly.profile index 55d89e3d7..55d89e3d7 100644 --- a/test/readonly.profile +++ b/test/profiles/readonly.profile | |||
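--- a/test/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -10,7 +13,7 @@ if { $argc != 1 } {
 exit
 }
 
-send -- "firejail --profile=$argv\r"
+send -- "firejail --profile=$argv /bin/bash\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"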
diff --git a/test/test.profile b/test/profiles/test.profile index 1d69cc960..1d69cc960 100644 --- a/test/test.profile +++ b/test/profiles/test.profile | |||
diff --git a/test/test2.profile b/test/profiles/test2.profile index d7e1a1f21..d7e1a1f21 100644 --- a/test/test2.profile +++ b/test/profiles/test2.profile | |||
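--- a/test/quiet.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 4
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --quiet\r"
-expect {
-"Child process initialized" {puts "TESTING ERROR 1\n";exit}
-"Interface" {puts "TESTING ERROR 1\n";exit}
-}
-sleep 1
-send -- "\r"
-
-puts "\nall done\n"
-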
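--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"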
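Review bot: The comparison on line 16 passes trivially when `/usr/share/doc/firejail` is absent (a source install, or a distribution that packages docs elsewhere): `find` fails on both lines 10 and 13, each `cpio -o` writes an archive containing only the trailer, and `diff -s` reports them identical without the sandboxed cpio having read a single file. Assert that there was input before diffing, e.g. `send -- "test \$(find /usr/share/doc/firejail -type f | wc -l) -gt 0 || echo NO''INPUT\r"` followed by a short-timeout expect that aborts on `NOINPUT` (the split literal keeps the pty echo from matching). A one-line comment that `-v` lists files on stderr and is therefore not part of the compared output would also help the next reader.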
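--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"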
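--- /dev/null
+++ b/test/sysutils/less.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail less ../../Makefile.in\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"MYLIBS"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"APPS"
+}
+
+puts "\nall done\n"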
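Review bot: The pager is never told to quit — after the `APPS` match the script prints `all done` and exits, leaving `less` and the sandbox around it running in the spawned shell until the pty is torn down, which can confuse later tests that list or count sandboxes. Add `send -- "q"` followed by a short `sleep 1` after the second expect. Also, both strings are only found if they fall on the first screen of the spawned pty; if `APPS` sits further down in Makefile.in on some checkout the test times out with `TESTING ERROR 2` rather than failing for a sandbox reason, so a comment stating that both identifiers are expected near the top of Makefile.in would make the dependency explicit.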
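--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"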
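Review bot: This only proves that `strings` still works under firejail, not that the sandbox confines it — and confinement is the whole reason to run a binary parser like strings in a jail. A cheap negative probe next to the equality check would be a second sandboxed run against a path the default sandbox blacklists (fs-print.exp in this commit expects `blacklist /boot`), asserting that it fails; the exact error text depends on how firejail presents a blacklisted path, so confirm it before pinning the string. As written, if `/usr/bin/strings` is absent even though `which strings` in sysutils.sh found a copy elsewhere, both outputs are empty and `diff -s` still reports them identical — guard with `test -s firejail_t1 &&` in front of the diff.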
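--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which cpio
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: cpio"
+./cpio.exp
+else
+echo "TESTING SKIP: cpio not found"
+fi
+
+which strings
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: strings"
+./strings.exp
+else
+echo "TESTING SKIP: strings not found"
+fi
+
+which gzip
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: gzip"
+./gzip.exp
+else
+echo "TESTING SKIP: gzip not found"
+fi
+
+which xzdec
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xzdec"
+./xzdec.exp
+else
+echo "TESTING SKIP: xzdec not found"
+fi
+
+which xz
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xz"
+./xz.exp
+else
+echo "TESTING SKIP: xz not found"
+fi
+
+which less
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: less"
+./less.exp
+else
+echo "TESTING SKIP: less not found"
+fi
+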
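Review bot: Exporting `MALLOC_CHECK_` and `MALLOC_PERTURB_` on lines 6–7 does not harden firejail itself: firejail is a setuid-root binary, and glibc drops these variables for secure-execution (AT_SECURE) programs — MALLOC_CHECK_ is ignored unless /etc/suid-debug exists and MALLOC_PERTURB_ is skipped outright — so they only reach the unprivileged shell and the tools started inside the sandbox. Say so where they are set, e.g. `# glibc ignores MALLOC_* for the setuid firejail binary; this only covers the tools it runs`. Separately, a caller cannot see failures: the `.exp` scripts exit 0 even after printing `TESTING ERROR`, and this script's own status is whatever the last `if` returned. Replace each `which tool` / `if [ "$?" -eq 0 ]` pair with `if command -v cpio >/dev/null; then`, which is also quieter in the log, and have the runner accumulate a failure flag from the individual tests.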
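--- /dev/null
+++ b/test/sysutils/xz.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"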
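--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"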
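Review bot: The fixture firejail_t3 is produced by `/usr/bin/xz` on line 10, but sysutils.sh only gates this test on `which xzdec`; if xz is missing or not at that path, t3 is never written, both xzdec runs fail the same way, both outputs are empty, and `diff -s` still reports two empty files as identical, so the test passes without decompressing anything. Gate the test on xz as well (`command -v xz`) or, simpler, make the comparison fail on empty output: `send -- "test -s firejail_t1 && diff -s firejail_t1 firejail_t2\r"`. A short comment that t3 is the compressed fixture and t1/t2 the plain and sandboxed decompressions would also help the next reader.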
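--- a/test/test-apps-x11.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-which firefox
-if [ "$?" -eq 0 ];
-then
-echo "TESTING: firefox x11"
-./firefox-x11.exp
-else
-echo "TESTING: firefox not found"
-fi
-
-which chromium
-if [ "$?" -eq 0 ];
-then
-echo "TESTING: chromium x11"
-./chromium-x11.exp
-else
-echo "TESTING: chromium not found"
-fi
-
-which transmission-gtk
-if [ "$?" -eq 0 ];
-then
-echo "TESTING: transmission-gtk x11"
-./transmission-gtk.exp
-else
-echo "TESTING: transmission-gtk not found"
-fi
-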
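--- a/test/test-nonet.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: version"
-./option_version.exp
-
-echo "TESTING: help"
-./option_help.exp
-
-echo "TESTING: man"
-./option_man.exp
-
-echo "TESTING: list"
-./option_list.exp
-
-echo "TESTING: PID"
-./pid.exp
-
-echo "TESTING: profile no permissions"
-./profile_noperm.exp
-
-echo "TESTING: profile syntax"
-./profile_syntax.exp
-
-echo "TESTING: profile read-only"
-./profile_readonly.exp
-
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-
-echo "TESTING: private"
-./private.exp `whoami`
-
-echo "TESTING: read/write /var/tmp"
-./fs_var_tmp.exp
-
-echo "TESTING: read/write /var/run"
-./fs_var_run.exp
-
-echo "TESTING: read/write /var/lock"
-./fs_var_lock.exp
-
-echo "TESTING: read/write /dev/shm"
-./fs_dev_shm.exp
-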
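--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-echo "TESTING: $PROFILE"
-./test-profile.exp $PROFILE
-done
-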
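--- a/test/test-root.sh
+++ b/test/test-root.sh
@@ -2,80 +2,81 @@
 
 ./chk_config.exp
 
-echo "TESTING: tmpfs"
+echo "TESTING: tmpfs (option_tmpfs.exp)"
 ./option_tmpfs.exp
 
-echo "TESTING: profile tmpfs"
+echo "TESTING: profile tmpfs (profile_tmpfs)"
 ./profile_tmpfs.exp
 
-echo "TESTING: network interfaces"
-./net_interface.exp
+echo "TESTING: network interfaces (net_interface.exp)"
+./network/net_interface.exp
 
-echo "TESTING: chroot"
+echo "TESTING: chroot (fs_chroot_asroot.exp)"
 ./fs_chroot_asroot.exp
 
 if [ -f /etc/init.d/snmpd ]
 then
-echo "TESTING: servers snmpd, private-dev"
+echo "TESTING: servers snmpd, private-dev (servers2.exp)"
 ./servers2.exp
 fi
 
 if [ -f /etc/init.d/apache2 ]
 then
-echo "TESTING: servers apache2, private-dev, private-tmp"
+echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)"
 ./servers3.exp
 fi
 
 if [ -f /etc/init.d/isc-dhcp-server ]
 then
-echo "TESTING: servers isc dhcp server, private-dev"
+echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)"
 ./servers4.exp
 fi
 
 if [ -f /etc/init.d/unbound ]
 then
-echo "TESTING: servers unbound, private-dev, private-tmp"
+echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)"
 ./servers5.exp
 fi
 
 if [ -f /etc/init.d/nginx ]
 then
-echo "TESTING: servers nginx, private-dev, private-tmp"
+echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)"
 ./servers6.exp
 fi
 
-echo "TESTING: /proc/sysrq-trigger reset disabled"
+echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)"
 ./sysrq-trigger.exp
 
-echo "TESTING: seccomp umount"
-./seccomp-umount.exp
+echo "TESTING: seccomp umount (seccomp-umount.exp)"
+./filters/seccomp-umount.exp
 
-echo "TESTING: seccomp chmod (seccomp lists)"
-./seccomp-chmod.exp
+echo "TESTING: seccomp chmod (seccomp-chmod.exp)"
+./filters/seccomp-chmod.exp
 
-echo "TESTING: seccomp chown (seccomp lists)"
-./seccomp-chown.exp
+echo "TESTING: seccomp chown (seccomp-chown.exp)"
+./filters/seccomp-chown.exp
 
-echo "TESTING: bind directory"
+echo "TESTING: bind directory (option_bind_directory.exp)"
 ./option_bind_directory.exp
 
-echo "TESTING: bind file"
+echo "TESTING: bind file (option_bind_file.exp)"
 echo hello > tmpfile
 ./option_bind_file.exp
 rm -f tmpfile
 
-echo "TESTING: firemon --interface"
+echo "TESTING: firemon --interface (firemon-interface.exp)"
 ./firemon-interface.exp
 
 if [ -f /sys/fs/cgroup/g1/tasks ]
 then
-echo "TESTING: firemon --cgroup"
+echo "TESTING: firemon --cgroup (firemon-cgroup.exp)"
 ./firemon-cgroup.exp
 fi
 
-echo "TESTING: chroot resolv.conf"
+echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)"
 rm -f tmpfile
 touch tmpfile
+rm -f /tmp/chroot/etc/resolv.conf
 ln -s tmp /tmp/chroot/etc/resolv.conf
 ./chroot-resolvconf.exp
 rm -f tmpfile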
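Review bot: The added `rm -f /tmp/chroot/etc/resolv.conf` (new line 79), like the `ln -s` right after it, runs as root on a path under world-writable /tmp and follows symlinks in every path component; if another local user has planted `/tmp/chroot` with `etc` pointing at the real `/etc`, this deletes the host's resolv.conf and leaves a dangling `tmp` link in its place. Refuse to touch the tree unless it is a real, root-owned directory, e.g. `[ -d /tmp/chroot/etc ] && [ ! -L /tmp/chroot/etc ] && [ "$(stat -c %u /tmp/chroot)" = 0 ] || exit 1` before the `rm` (the `stat` form is GNU; adjust if portability matters) — or build the chroot under `mktemp -d` and pass the path in. Since this is the tail of a flat script, a top-of-file comment stating that it must run as root and what it expects to find at /tmp/chroot would also help; the script's start is outside this hunk.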
diff --git a/test/test.sh b/test/test.sh index 2dcb89f2a..4b7d5bb6d 100755 --- a/test/test.sh +++ b/test/test.sh | |||
@@ -1,45 +1,15 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | ./chk_config.exp | 6 | ./chk_config.exp |
4 | 7 | ||
5 | ./test-profiles.sh | ||
6 | |||
7 | ./fscheck.sh | 8 | ./fscheck.sh |
8 | 9 | ||
9 | echo "TESTING: sound (sound.exp)" | ||
10 | ./sound.exp | ||
11 | |||
12 | echo "TESTING: nice (nice.exp)" | ||
13 | ./nice.exp | ||
14 | |||
15 | echo "TESTING: tty (tty.exp)" | 10 | echo "TESTING: tty (tty.exp)" |
16 | ./tty.exp | 11 | ./tty.exp |
17 | 12 | ||
18 | echo "TESTING: protocol (protocol.exp)" | ||
19 | ./protocol.exp | ||
20 | |||
21 | echo "TESTING: invalid filename (invalid_filename.exp)" | ||
22 | ./invalid_filename.exp | ||
23 | |||
24 | echo "TESTING: environment variables (env.exp)" | ||
25 | ./env.exp | ||
26 | |||
27 | echo "TESTING: whitelist empty (whitelist-empty.exp)" | ||
28 | ./whitelist-empty.exp | ||
29 | |||
30 | echo "TESTING: ignore command (ignore.exp)" | ||
31 | ./ignore.exp | ||
32 | |||
33 | echo "TESTING: private-etc (private-etc.exp)" | ||
34 | ./private-etc.exp | ||
35 | |||
36 | echo "TESTING: private-bin (private-bin.exp)" | ||
37 | ./private-bin.exp | ||
38 | |||
39 | echo "TESTING: private whitelist (private-whitelist.exp)" | ||
40 | echo "TESTING: failing on OpenSUSE" | ||
41 | ./private-whitelist.exp | ||
42 | |||
43 | sleep 1 | 13 | sleep 1 |
44 | rm -fr dir\ with\ space | 14 | rm -fr dir\ with\ space |
45 | mkdir dir\ with\ space | 15 | mkdir dir\ with\ space |
@@ -57,93 +27,9 @@ rm -fr auto2 | |||
57 | rm -fr auto3 | 27 | rm -fr auto3 |
58 | rm -fr auto4 | 28 | rm -fr auto4 |
59 | 29 | ||
60 | |||
61 | echo "TESTING: version (option_version.exp)" | ||
62 | ./option_version.exp | ||
63 | |||
64 | echo "TESTING: help (option_help.exp)" | ||
65 | ./option_help.exp | ||
66 | |||
67 | echo "TESTING: man (option_man.exp)" | ||
68 | ./option_man.exp | ||
69 | |||
70 | echo "TESTING: list (option_list.exp)" | ||
71 | ./option_list.exp | ||
72 | |||
73 | echo "TESTING: tree (option_tree.exp)" | ||
74 | ./option_tree.exp | ||
75 | |||
76 | if [ -f /proc/self/uid_map ]; | ||
77 | then | ||
78 | echo "TESTING: noroot (noroot.exp)" | ||
79 | ./noroot.exp | ||
80 | else | ||
81 | echo "TESTING: user namespaces not available" | ||
82 | fi | ||
83 | |||
84 | echo "TESTING: doubledash" | ||
85 | mkdir -- -testdir | ||
86 | touch -- -testdir/ttt | ||
87 | cp -- /bin/bash -testdir/. | ||
88 | ./doubledash.exp | ||
89 | rm -fr -- -testdir | ||
90 | |||
91 | echo "TESTING: trace1 (option-trace.exp)" | ||
92 | ./option-trace.exp | ||
93 | |||
94 | echo "TESTING: trace2 (trace.exp)" | ||
95 | rm -f index.html* | ||
96 | ./trace.exp | ||
97 | rm -f index.html* | ||
98 | |||
99 | echo "TESTING: extract command (extract_command.exp)" | ||
100 | ./extract_command.exp | ||
101 | |||
102 | echo "TESTING: kmsg access (kmsg.exp)" | ||
103 | ./kmsg.exp | ||
104 | |||
105 | echo "TESTING: rlimit (option_rlimit.exp)" | ||
106 | ./option_rlimit.exp | ||
107 | |||
108 | echo "TESTING: shutdown (option_shutdown.exp)" | ||
109 | ./option-shutdown.exp | ||
110 | |||
111 | echo "TESTING: join (option-join.exp)" | ||
112 | ./option-join.exp | ||
113 | |||
114 | echo "TESTING: join2 (option-join2.exp)" | ||
115 | ./option-join2.exp | ||
116 | |||
117 | echo "TESTING: join3 (option-join3.exp)" | ||
118 | ./option-join3.exp | ||
119 | |||
120 | echo "TESTING: join profile (option-join-profile.exp)" | ||
121 | ./option-join-profile.exp | ||
122 | |||
123 | echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)" | ||
124 | ./firejail-in-firejail.exp | ||
125 | |||
126 | echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)" | ||
127 | ./firejail-in-firejail2.exp | ||
128 | |||
129 | echo "TESTING: chroot overlay (option_chroot_overlay.exp)" | 30 | echo "TESTING: chroot overlay (option_chroot_overlay.exp)" |
130 | ./option_chroot_overlay.exp | 31 | ./option_chroot_overlay.exp |
131 | 32 | ||
132 | echo "TESTING: blacklist directory (option_blacklist.exp)" | ||
133 | ./option_blacklist.exp | ||
134 | |||
135 | echo "TESTING: blacklist file (opiton_blacklist_file.exp)" | ||
136 | ./option_blacklist_file.exp | ||
137 | |||
138 | echo "TESTING: bind as user (option_bind_user.exp)" | ||
139 | ./option_bind_user.exp | ||
140 | |||
141 | if [ -d /home/bingo ]; | ||
142 | then | ||
143 | echo "TESTING: home sanitize (opiton_version.exp)" | ||
144 | ./option_version.exp | ||
145 | fi | ||
146 | |||
147 | echo "TESTING: chroot as user (fs_chroot.exp)" | 33 | echo "TESTING: chroot as user (fs_chroot.exp)" |
148 | ./fs_chroot.exp | 34 | ./fs_chroot.exp |
149 | 35 | ||
@@ -156,47 +42,7 @@ ls -al > tmpreadonly | |||
156 | sleep 5 | 42 | sleep 5 |
157 | rm -f tmpreadonly | 43 | rm -f tmpreadonly |
158 | 44 | ||
159 | echo "TESTING: zsh (shell_zsh.exp)" | ||
160 | ./shell_zsh.exp | ||
161 | |||
162 | echo "TESTING: csh (shell_csh.exp)" | ||
163 | ./shell_csh.exp | ||
164 | |||
165 | which dash | ||
166 | if [ "$?" -eq 0 ]; | ||
167 | then | ||
168 | echo "TESTING: dash (shell_dash.exp)" | ||
169 | ./shell_dash.exp | ||
170 | else | ||
171 | echo "TESTING: dash not found" | ||
172 | fi | ||
173 | |||
174 | ./test-apps.sh | ||
175 | ./test-apps-x11.sh | ||
176 | |||
177 | echo "TESTING: PID (pid.exp)" | ||
178 | ./pid.exp | ||
179 | 45 | ||
180 | echo "TESTING: output (output.exp)" | ||
181 | ./output.exp | ||
182 | |||
183 | echo "TESTING: profile no permissions (profile_noperm.exp)" | ||
184 | ./profile_noperm.exp | ||
185 | |||
186 | echo "TESTING: profile syntax (profile_syntax.exp)" | ||
187 | ./profile_syntax.exp | ||
188 | |||
189 | echo "TESTING: profile syntax 2 (profile_syntax2.exp)" | ||
190 | ./profile_syntax2.exp | ||
191 | |||
192 | echo "TESTING: profile rlimit (profile_rlimit.exp)" | ||
193 | ./profile_rlimit.exp | ||
194 | |||
195 | echo "TESTING: profile read-only (profile_readonly.exp)" | ||
196 | ./profile_readonly.exp | ||
197 | |||
198 | echo "TESTING: private (private.exp)" | ||
199 | ./private.exp `whoami` | ||
200 | 46 | ||
201 | echo "TESTING: private directory (private_dir.exp)" | 47 | echo "TESTING: private directory (private_dir.exp)" |
202 | rm -fr dirprivate | 48 | rm -fr dirprivate |
@@ -213,113 +59,13 @@ rm -fr dirprivate | |||
213 | echo "TESTING: overlayfs (fs_overlay.exp)" | 59 | echo "TESTING: overlayfs (fs_overlay.exp)" |
214 | ./fs_overlay.exp | 60 | ./fs_overlay.exp |
215 | 61 | ||
216 | echo "TESTING: seccomp debug (seccomp-debug.exp)" | ||
217 | ./seccomp-debug.exp | ||
218 | |||
219 | echo "TESTING: seccomp errno (seccomp-errno.exp)" | ||
220 | ./seccomp-errno.exp | ||
221 | |||
222 | echo "TESTING: seccomp su (seccomp-su.exp)" | ||
223 | ./seccomp-su.exp | ||
224 | |||
225 | echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)" | ||
226 | ./seccomp-ptrace.exp | ||
227 | |||
228 | echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)" | ||
229 | ./seccomp-chmod.exp | ||
230 | |||
231 | echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)" | ||
232 | ./seccomp-chmod-profile.exp | ||
233 | |||
234 | echo "TESTING: seccomp empty (seccomp-empty.exp)" | ||
235 | ./seccomp-empty.exp | ||
236 | |||
237 | echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)" | ||
238 | ./seccomp-bad-empty.exp | ||
239 | |||
240 | echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)" | ||
241 | ./seccomp-dualfilter.exp | ||
242 | |||
243 | echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)" | ||
244 | ./fs_var_tmp.exp | ||
245 | |||
246 | echo "TESTING: read/write /var/lock (fs_var_lock.exp)" | ||
247 | ./fs_var_lock.exp | ||
248 | |||
249 | echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)" | ||
250 | ./fs_dev_shm.exp | ||
251 | |||
252 | echo "TESTING: quiet (quiet.exp)" | ||
253 | ./quiet.exp | ||
254 | |||
255 | echo "TESTING: IPv6 support (ip6.exp)" | ||
256 | echo "TESTING: broken on Centos - todo" | ||
257 | ./ip6.exp | ||
258 | |||
259 | echo "TESTING: local network (net_local.exp)" | ||
260 | ./net_local.exp | ||
261 | |||
262 | echo "TESTING: no network (net_none.exp)" | ||
263 | ./net_none.exp | ||
264 | |||
265 | echo "TESTING: network IP (net_ip.exp)" | ||
266 | ./net_ip.exp | ||
267 | |||
268 | echo "TESTING: network MAC (net_mac.exp)" | ||
269 | sleep 2 | ||
270 | ./net_mac.exp | ||
271 | |||
272 | echo "TESTING: network MTU (net_mtu.exp)" | ||
273 | ./net_mtu.exp | ||
274 | |||
275 | echo "TESTING: network hostname (hostname.exp)" | ||
276 | ./hostname.exp | ||
277 | |||
278 | echo "TESTING: network bad IP (net_badip.exp)" | ||
279 | ./net_badip.exp | ||
280 | |||
281 | echo "TESTING: network no IP test 1 (net_noip.exp)" | ||
282 | ./net_noip.exp | ||
283 | |||
284 | echo "TESTING: network no IP test 2 (net_noip2.exp)" | ||
285 | ./net_noip2.exp | ||
286 | |||
287 | echo "TESTING: network default gateway test 1 (net_defaultgw.exp)" | ||
288 | ./net_defaultgw.exp | ||
289 | |||
290 | echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" | ||
291 | ./net_defaultgw2.exp | ||
292 | |||
293 | echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" | ||
294 | ./net_defaultgw3.exp | ||
295 | |||
296 | echo "TESTING: netfilter (net_netfilter.exp)" | ||
297 | ./net_netfilter.exp | ||
298 | |||
299 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" | ||
300 | ./4bridges_arp.exp | ||
301 | |||
302 | echo "TESTING: 4 bridges IP (4bridges_ip.exp)" | ||
303 | ./4bridges_ip.exp | ||
304 | |||
305 | echo "TESTING: login SSH (login_ssh.exp)" | 62 | echo "TESTING: login SSH (login_ssh.exp)" |
306 | ./login_ssh.exp | 63 | ./login_ssh.exp |
307 | 64 | ||
308 | echo "TESTING: ARP (net_arp.exp)" | ||
309 | ./net_arp.exp | ||
310 | |||
311 | echo "TESTING: DNS (dns.exp)" | ||
312 | ./dns.exp | ||
313 | |||
314 | echo "TESTING: firemon --arp (firemon-arp.exp)" | 65 | echo "TESTING: firemon --arp (firemon-arp.exp)" |
315 | ./firemon-arp.exp | 66 | ./firemon-arp.exp |
316 | 67 | ||
317 | echo "TESTING: firemon --route (firemon-route.exp)" | 68 | echo "TESTING: firemon --route (firemon-route.exp)" |
318 | ./firemon-route.exp | 69 | ./firemon-route.exp |
319 | 70 | ||
320 | echo "TESTING: firemon --seccomp (firemon-seccomp.exp)" | ||
321 | ./firemon-seccomp.exp | ||
322 | |||
323 | echo "TESTING: firemon --caps (firemon-caps.exp)" | ||
324 | ./firemon-caps.exp | ||
325 | 71 | ||
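Review bot: After this change test.sh no longer runs the seccomp, network, private-*, profile-syntax and firemon tests removed here, and nothing on the new side invokes the per-directory runners that replace them (this commit adds test/sysutils/sysutils.sh, and test-root.sh now points into test/network and test/filters); unless a Makefile target or another runner outside this diff chains them, overall coverage silently shrinks. Either call the new runners from here (`./sysutils/sysutils.sh` and its siblings) or add a header comment naming the new entry points, e.g. `# Only tests without a dedicated subdirectory live here; see test/*/ for the rest`. Such a comment would also explain why `chk_config.exp` and `fscheck.sh` stay in this file. The file's middle hunks are not fully shown here, so the list of what remains is taken from the visible context only.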
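--- /dev/null
+++ b/test/utils/caps-print.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"setgid - disabled"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"setuid - disabled"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"net_raw - disabled"
+}
+sleep 1
+puts "\nall done\n"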
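Review bot: The sandbox started with `--name=test` on line 10 is never shut down, and cpu-print.exp, dns-print.exp and fs-print.exp in this same commit each start their own `--name=test` sandbox; whichever instance is still alive when the next test runs is the one its `--*.print=test` inspects, so a stale caps-print sandbox can make cpu-print report the wrong Cpus_allowed_list (how firejail resolves a duplicated name is not visible here, so treat this as a likely rather than certain collision). Keep the first shell's id and close it before finishing: `set sid1 $spawn_id` after the first spawn, then `send -i $sid1 -- "exit\r"` before `all done`. The three expects assert that a default sandbox drops setgid, setuid and net_raw — that is the security property under test and deserves a one-line comment saying so.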
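--- a/test/firemon-caps.exp
+++ b/test/utils/caps.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)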
diff --git a/test/caps1.profile b/test/utils/caps1.profile index e14655b2e..e14655b2e 100644 --- a/test/caps1.profile +++ b/test/utils/caps1.profile | |||
diff --git a/test/caps2.profile b/test/utils/caps2.profile index cb2258c52..cb2258c52 100644 --- a/test/caps2.profile +++ b/test/utils/caps2.profile | |||
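--- /dev/null
+++ b/test/utils/catchsignal-master.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+./catchsignal.sh &
+./catchsignal.sh &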
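Review bot: The master backgrounds two children and exits immediately, so there is no parent left alive to receive a signal; if the intent is to run it under firejail and check that a SIGTERM to the sandbox reaches both catchsignal.sh handlers, the script needs a trailing `wait` (and ideally its own trap that forwards the signal), otherwise the children are reparented the moment it ends. Add `wait` as the last line and a header comment saying how the script is meant to be driven — no caller for it is visible in this diff. It is also the only new script in this commit without the project license header.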
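--- /dev/null
+++ b/test/utils/catchsignal.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+_term() {
+echo "Caught Signal"
+echo 1
+sleep 1
+echo 2
+sleep 1
+echo 3
+sleep 1
+echo 4
+sleep 1
+echo 5
+sleep 1
+
+kill $pid
+exit
+}
+
+trap _term SIGTERM
+trap _term SIGINT
+
+echo "Sleeping..."
+
+sleep inf &
+pid=$!
+wait $pid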
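Review bot: `_term` ends with a bare `exit`, which returns status 0 after the script was terminated by SIGTERM or SIGINT, so whoever waits on it (a sandbox shutdown path or a test harness) cannot tell "handled the signal and stopped" from "ran to completion". Re-raise after cleanup instead: replace the `exit` with `trap - TERM INT; kill -TERM $$` (or at minimum `exit 143`). Two smaller points: `sleep inf` is GNU coreutils-only, fine for this Linux-only project but worth a comment, and `kill $pid` / `wait $pid` should quote the variable (`"$pid"`) so the file passes shellcheck.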
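--- /dev/null
+++ b/test/utils/catchsignal2.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+_term() {
+echo "Caught Signal"
+echo 1
+sleep 1
+echo 2
+sleep 1
+echo 3
+sleep 1
+echo 4
+sleep 1
+echo 5
+sleep 1
+
+echo 10
+sleep 1
+echo 20
+sleep 1
+echo 30
+sleep 1
+echo 40
+sleep 1
+echo 50
+sleep 1
+
+echo 100
+sleep 1
+echo 200
+sleep 1
+echo 300
+sleep 1
+echo 400
+sleep 1
+echo 500
+sleep 1
+
+kill $pid
+exit
+}
+
+trap _term SIGTERM
+trap _term SIGINT
+
+echo "Sleeping..."
+
+sleep inf &
+pid=$!
+wait $pid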
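Review bot: This is catchsignal.sh with the handler stretched from 5 to 15 one-second steps and is otherwise identical, including the bare `exit` that reports success after a signal; one script taking the number of steps as a parameter would avoid maintaining two copies of the trap logic. Presumably the slow handler exists to exercise a termination grace period (a shutdown that escalates from SIGTERM to SIGKILL after some seconds), but no caller is visible in this diff, so state the purpose in a header comment, e.g. `# slow (~15 s) SIGTERM handler: used to check how sandbox shutdown treats a child that is still cleaning up`. Whatever the intent, the handler should end by re-raising the signal (`trap - TERM INT; kill -TERM $$`) rather than `exit`, so the exit status reflects the termination.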
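--- /dev/null
+++ b/test/utils/cpu-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --cpu=1,2\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --cpu.print=test\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Cpus_allowed_list: 1-2"
+}
+sleep 1
+puts "\nall done\n"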
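Review bot: `--cpu=1,2` on line 10 assumes the host has at least three CPUs; on a one- or two-core VM the sandbox cannot be pinned to those cores (whether firejail rejects the option or the kernel fails the affinity call is not visible here) and the test reports a misleading `TESTING ERROR 0/1` instead of skipping. Guard it at the top of the script, e.g. `if {[exec nproc] < 3} { puts "TESTING SKIP: fewer than 3 cpus\n"; exit }`, or in the runner that calls it. The sandbox named `test` is also left running at the end, like the other *-print tests in this commit, and no comment records that `Cpus_allowed_list: 1-2` is /proc/self/status's rendering of the requested set.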
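--- /dev/null
+++ b/test/utils/dns-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --dns=1.2.3.4\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --dns.print=test\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"nameserver 1.2.3.4"
+}
+sleep 1
+puts "\nall done\n"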
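Review bot: `1.2.3.4` on line 10 is a real, routable address; this test only prints resolv.conf and never resolves anything, but if a program inside the sandbox does, its queries go to a third party. Use an address reserved for documentation, e.g. `--dns=192.0.2.53` (RFC 5737 TEST-NET-1) and expect `nameserver 192.0.2.53`. The check also only proves the new server was written — if `--dns` is meant to replace the host's resolvers rather than prepend to them, a second `expect` that treats any further `nameserver ` line as `TESTING ERROR 2` would pin the security-relevant half of the behaviour.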
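--- /dev/null
+++ b/test/utils/fs-print.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --fs.print=test\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"blacklist /boot"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"blacklist /dev/kmsg"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"blacklist /proc/kmsg"
+}
+sleep 1
+puts "\nall done\n"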
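Review bot: The three expects are order-dependent — each consumes the buffer up to its match, so if `--fs.print` ever lists `/dev/kmsg` before `/boot` the `/boot` rule is skipped past and `TESTING ERROR 2` fires even though every rule is present; unless the output order is guaranteed stable, check them order-independently, e.g. `send -- "firejail --fs.print=test | grep -c 'blacklist /boot\\|blacklist /dev/kmsg\\|blacklist /proc/kmsg'\r"` expecting `3`. This also only checks the sandbox's rule list, not what is mounted: probing from inside the sandbox that `/boot` and `/proc/kmsg` are actually inaccessible would test the property rather than the bookkeeping. The sandbox named `test` is left running at the end.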
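--- a/test/option_help.exp
+++ b/test/utils/help.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)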
diff --git a/test/option-join-profile.exp b/test/utils/join-profile.exp index 9200980a1..a4262b999 100755 --- a/test/option-join-profile.exp +++ b/test/utils/join-profile.exp | |||
@@ -4,36 +4,32 @@ set timeout 10 | |||
4 | spawn $env(SHELL) | 4 | spawn $env(SHELL) |
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | |||
7 | send -- "firejail --profile=name.profile\r" | 8 | send -- "firejail --profile=name.profile\r" |
8 | expect { | 9 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 10 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 11 | "Child process initialized" |
11 | } | 12 | } |
12 | sleep 3 | 13 | sleep 2 |
13 | 14 | ||
14 | spawn $env(SHELL) | 15 | spawn $env(SHELL) |
15 | send -- "firejail --join=jointesting;pwd\r" | 16 | send -- "firejail --join=jointesting\r" |
16 | expect { | 17 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 18 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "Switching to pid" | 19 | "Switching to pid" |
19 | } | 20 | } |
20 | sleep 3 | 21 | sleep 1 |
21 | 22 | send -- "ps aux\r" | |
22 | |||
23 | spawn $env(SHELL) | ||
24 | send -- "firejail --shutdown=jointesting;pwd\r" | ||
25 | expect { | 23 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 24 | timeout {puts "TESTING ERROR 2\n";exit} |
27 | "home" | 25 | "/bin/bash" |
28 | } | 26 | } |
29 | sleep 5 | ||
30 | |||
31 | send -- "firejail --list;pwd\r" | ||
32 | expect { | 27 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 28 | timeout {puts "TESTING ERROR 3\n";exit} |
34 | "jointesting" {puts "TESTING ERROR 5\n";exit} | 29 | "/bin/bash" |
35 | "home" | ||
36 | } | 30 | } |
31 | |||
32 | send -- "exit" | ||
37 | sleep 1 | 33 | sleep 1 |
38 | 34 | ||
39 | puts "\nall done\n" | 35 | puts "\nall done\n" |
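Review bot: `send -- "exit"` on new line 32 has no trailing `\r`, so the command is never executed and the joined shell — and the sandbox it joined — stays alive when the test ends; every other `send` in this file ends with `\r`. Make it `send -- "exit\r"`, and since the old `--shutdown=jointesting` step was dropped from this test, also close the first shell (keep its id with `set sid1 $spawn_id` after the first spawn and finish with `send -i $sid1 -- "exit\r"`) so the sandbox does not outlive the test. The sandbox name comes from `name.profile`, which is not part of this diff, so this assumes it sets `name jointesting`.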
diff --git a/test/option-join.exp b/test/utils/join.exp index 6250e87a2..ab4917f7d 100755 --- a/test/option-join.exp +++ b/test/utils/join.exp | |||
@@ -1,39 +1,38 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
7 | cd /home | ||
4 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
5 | match_max 100000 | 9 | match_max 100000 |
6 | 10 | ||
7 | send -- "firejail --name=svntesting\r" | 11 | send -- "firejail --name=jointesting\r" |
8 | expect { | 12 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 14 | "Child process initialized" |
11 | } | 15 | } |
12 | sleep 3 | 16 | sleep 2 |
13 | 17 | ||
14 | spawn $env(SHELL) | 18 | spawn $env(SHELL) |
15 | send -- "firejail --join=svntesting;pwd\r" | 19 | send -- "firejail --join=jointesting\r" |
16 | expect { | 20 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 21 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "Switching to pid" | 22 | "Switching to pid" |
19 | } | 23 | } |
20 | sleep 1 | 24 | sleep 1 |
21 | 25 | send -- "ps aux\r" | |
22 | |||
23 | spawn $env(SHELL) | ||
24 | send -- "firejail --shutdown=svntesting;pwd\r" | ||
25 | expect { | 26 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 2\n";exit} |
27 | "home" | 28 | "/bin/bash" |
28 | } | 29 | } |
29 | sleep 1 | ||
30 | |||
31 | send -- "firejail --list;pwd\r" | ||
32 | expect { | 30 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
34 | "svntesting" {puts "TESTING ERROR 5\n";exit} | 32 | "/bin/bash" |
35 | "home" | ||
36 | } | 33 | } |
34 | |||
35 | send -- "exit" | ||
37 | sleep 1 | 36 | sleep 1 |
38 | 37 | ||
39 | puts "\nall done\n" | 38 | puts "\nall done\n" |
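Review bot: The two `"/bin/bash"` expectations at new lines 28 and 32 hard-code the shell while the test itself spawns `$env(SHELL)`, so the `ps aux` check times out with ERROR 2 on a host whose SHELL is not bash even though the join succeeded; matching on `$env(SHELL)` or on a process the test itself started would make the check shell-independent. join2.exp, join3.exp and join-profile.exp use the same hard-coded pattern. `cd /home` at new line 7 also looks like a leftover: the `pwd`/"home" checks it supported are removed in this hunk, so nothing depends on the working directory any more — the same applies to join2.exp, join3.exp and shutdown.exp.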
diff --git a/test/option-join3.exp b/test/utils/join2.exp index aa8a445df..82540fe39 100755 --- a/test/option-join3.exp +++ b/test/utils/join2.exp | |||
@@ -1,39 +1,38 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
7 | cd /home | ||
4 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
5 | match_max 100000 | 9 | match_max 100000 |
6 | 10 | ||
7 | send -- "firejail --name=svn\\ testing\r" | 11 | send -- "firejail --name=\"join testing\"\r" |
8 | expect { | 12 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 14 | "Child process initialized" |
11 | } | 15 | } |
12 | sleep 3 | 16 | sleep 2 |
13 | 17 | ||
14 | spawn $env(SHELL) | 18 | spawn $env(SHELL) |
15 | send -- "firejail --join=svn\\ testing;pwd\r" | 19 | send -- "firejail --join=\"join testing\"\r" |
16 | expect { | 20 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 21 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "Switching to pid" | 22 | "Switching to pid" |
19 | } | 23 | } |
20 | sleep 1 | 24 | sleep 1 |
21 | 25 | send -- "ps aux\r" | |
22 | |||
23 | spawn $env(SHELL) | ||
24 | send -- "firejail --shutdown=svn\\ testing;pwd\r" | ||
25 | expect { | 26 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 2\n";exit} |
27 | "home" | 28 | "/bin/bash" |
28 | } | 29 | } |
29 | sleep 1 | ||
30 | |||
31 | send -- "firejail --list;pwd\r" | ||
32 | expect { | 30 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
34 | "svn testing" {puts "TESTING ERROR 5\n";exit} | 32 | "/bin/bash" |
35 | "home" | ||
36 | } | 33 | } |
34 | |||
35 | send -- "exit" | ||
37 | sleep 1 | 36 | sleep 1 |
38 | 37 | ||
39 | puts "\nall done\n" | 38 | puts "\nall done\n" |
diff --git a/test/option-join2.exp b/test/utils/join3.exp index 630b62d9e..e92045dd1 100755 --- a/test/option-join2.exp +++ b/test/utils/join3.exp | |||
@@ -1,39 +1,38 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
7 | cd /home | ||
4 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
5 | match_max 100000 | 9 | match_max 100000 |
6 | 10 | ||
7 | send -- "firejail --name=\"svn testing\"\r" | 11 | send -- "firejail --name=join\\ testing\r" |
8 | expect { | 12 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 14 | "Child process initialized" |
11 | } | 15 | } |
12 | sleep 3 | 16 | sleep 2 |
13 | 17 | ||
14 | spawn $env(SHELL) | 18 | spawn $env(SHELL) |
15 | send -- "firejail --join=\"svn testing\";pwd\r" | 19 | send -- "firejail --join=join\\ testing\r" |
16 | expect { | 20 | expect { |
17 | timeout {puts "TESTING ERROR 1\n";exit} | 21 | timeout {puts "TESTING ERROR 1\n";exit} |
18 | "Switching to pid" | 22 | "Switching to pid" |
19 | } | 23 | } |
20 | sleep 1 | 24 | sleep 1 |
21 | 25 | send -- "ps aux\r" | |
22 | |||
23 | spawn $env(SHELL) | ||
24 | send -- "firejail --shutdown=\"svn testing\";pwd\r" | ||
25 | expect { | 26 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 2\n";exit} |
27 | "home" | 28 | "/bin/bash" |
28 | } | 29 | } |
29 | sleep 1 | ||
30 | |||
31 | send -- "firejail --list;pwd\r" | ||
32 | expect { | 30 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
34 | "svn testing" {puts "TESTING ERROR 5\n";exit} | 32 | "/bin/bash" |
35 | "home" | ||
36 | } | 33 | } |
34 | |||
35 | send -- "exit" | ||
37 | sleep 1 | 36 | sleep 1 |
38 | 37 | ||
39 | puts "\nall done\n" | 38 | puts "\nall done\n" |
diff --git a/test/option_list.exp b/test/utils/list.exp index b9c73e52b..69db1f568 100755 --- a/test/option_list.exp +++ b/test/utils/list.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/utils/ls.exp b/test/utils/ls.exp new file mode 100755 index 000000000..3a99be0d5 --- /dev/null +++ b/test/utils/ls.exp | |||
@@ -0,0 +1,41 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "rm -f lstesting\r" | ||
8 | sleep 1 | ||
9 | send -- "firejail --private --name=test\r" | ||
10 | expect { | ||
11 | timeout {puts "TESTING ERROR 0\n";exit} | ||
12 | "Child process initialized" | ||
13 | } | ||
14 | sleep 2 | ||
15 | send -- "echo my_testing > ~/lstesting\r" | ||
16 | sleep 2 | ||
17 | |||
18 | |||
19 | spawn $env(SHELL) | ||
20 | send -- "firejail --ls=test ~/.\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1\n";exit} | ||
23 | "lstesting" | ||
24 | } | ||
25 | sleep 1 | ||
26 | send -- "firejail --get=test ~/lstesting\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | "Transfer complete" | ||
30 | } | ||
31 | sleep 1 | ||
32 | send -- "cat lstesting\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 3\n";exit} | ||
35 | "my_testing" | ||
36 | } | ||
37 | sleep 1 | ||
38 | send -- "rm -f lstesting\r" | ||
39 | |||
40 | sleep 1 | ||
41 | puts "\nall done\n" | ||
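Review bot: The sandbox started with `firejail --private --name=test` at line 9 is never shut down, so it outlives the test; protocol-print.exp and seccomp-print.exp start their own `--name=test` sandboxes earlier in utils.sh and also leave them running, so by the time this test runs several sandboxes may claim the name `test` and `--ls=test`/`--get=test` may address the wrong one (how firejail resolves a duplicate name is not visible here). A final `send -- "firejail --shutdown=test\r"` in each of the three files would keep them independent. This file is also the only new test without the license header the others carry.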
diff --git a/test/option_man.exp b/test/utils/man.exp index d941a2432..d29f760b0 100755 --- a/test/option_man.exp +++ b/test/utils/man.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/name.profile b/test/utils/name.profile index 1aa9f2d64..1aa9f2d64 100644 --- a/test/name.profile +++ b/test/utils/name.profile | |||
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp new file mode 100755 index 000000000..152a64467 --- /dev/null +++ b/test/utils/protocol-print.exp | |||
@@ -0,0 +1,24 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --protocol.print=test\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | "unix,inet,inet6" | ||
22 | } | ||
23 | sleep 1 | ||
24 | puts "\nall done\n" | ||
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp new file mode 100755 index 000000000..d0531a9c3 --- /dev/null +++ b/test/utils/seccomp-print.exp | |||
@@ -0,0 +1,36 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | spawn $env(SHELL) | ||
18 | send -- "firejail --seccomp.print=test\r" | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 1\n";exit} | ||
21 | "EXAMINE_SYSCAL" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 2\n";exit} | ||
25 | "init_module" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3\n";exit} | ||
29 | "delete_module" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 4\n";exit} | ||
33 | "RETURN_ALLOW" | ||
34 | } | ||
35 | sleep 1 | ||
36 | puts "\nall done\n" | ||
diff --git a/test/firemon-seccomp.exp b/test/utils/seccomp.exp index 55817faf3..c9726ff21 100755 --- a/test/firemon-seccomp.exp +++ b/test/utils/seccomp.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -37,7 +40,7 @@ expect { | |||
37 | "bingo2" | 40 | "bingo2" |
38 | } | 41 | } |
39 | expect { | 42 | expect { |
40 | timeout {puts "TESTING ERROR 3\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
41 | "Seccomp: 0" | 44 | "Seccomp: 0" |
42 | } | 45 | } |
43 | after 100 | 46 | after 100 |
diff --git a/test/option-shutdown.exp b/test/utils/shutdown.exp index e869f7611..15a9a62c8 100755 --- a/test/option-shutdown.exp +++ b/test/utils/shutdown.exp | |||
@@ -1,6 +1,10 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
7 | cd /home | ||
4 | spawn $env(SHELL) | 8 | spawn $env(SHELL) |
5 | match_max 100000 | 9 | match_max 100000 |
6 | 10 | ||
@@ -9,22 +13,23 @@ expect { | |||
9 | timeout {puts "TESTING ERROR 0\n";exit} | 13 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 14 | "Child process initialized" |
11 | } | 15 | } |
12 | sleep 3 | 16 | sleep 2 |
13 | 17 | ||
14 | spawn $env(SHELL) | 18 | spawn $env(SHELL) |
15 | send -- "firejail --shutdown=shutdowntesting;pwd\r" | 19 | send -- "firejail --shutdown=shutdowntesting; echo done\r" |
16 | expect { | 20 | expect { |
17 | timeout {puts "TESTING ERROR 4\n";exit} | 21 | timeout {puts "TESTING ERROR 4\n";exit} |
18 | "home" | 22 | "done" |
19 | } | 23 | } |
20 | sleep 1 | 24 | sleep 5 |
21 | 25 | ||
22 | send -- "firejail --list;pwd\r" | 26 | spawn $env(SHELL) |
27 | send -- "firejail --list;echo done\r" | ||
23 | expect { | 28 | expect { |
24 | timeout {puts "TESTING ERROR 5\n";exit} | 29 | timeout {puts "TESTING ERROR 5\n";exit} |
25 | "shutdowntesting" {puts "TESTING ERROR 6\n";exit} | 30 | "shutdowntesting" {puts "TESTING ERROR 6\n";exit} |
26 | "home" | 31 | "done" |
27 | } | 32 | } |
28 | sleep 1 | 33 | sleep 1 |
29 | 34 | ||
30 | puts "\nalldone\n" | 35 | puts "\nall done\n" |
diff --git a/test/pid.exp b/test/utils/shutdown2.exp index d382feb96..7857b919c 100755 --- a/test/pid.exp +++ b/test/utils/shutdown2.exp | |||
@@ -1,48 +1,45 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
5 | match_max 100000 | 8 | match_max 100000 |
6 | 9 | ||
7 | send -- "firejail\r" | 10 | set firstspawn $spawn_id |
11 | |||
12 | send -- "firejail --name=shutdowntesting ./catchsignal.sh\r" | ||
8 | expect { | 13 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 14 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "Child process initialized" | 15 | "Child process initialized" |
11 | } | 16 | } |
12 | sleep 1 | 17 | sleep 2 |
13 | 18 | ||
14 | # test processes | 19 | spawn $env(SHELL) |
15 | send -- "bash\r" | 20 | send -- "firejail --shutdown=shutdowntesting\r" |
16 | sleep 1 | 21 | |
17 | send -- "ps aux; pwd\r" | 22 | set spawn_id $firstspawn |
18 | expect { | 23 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 24 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "/bin/bash" | 25 | "1" |
21 | } | 26 | } |
22 | expect { | 27 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 28 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "bash" | 29 | "2" |
25 | } | 30 | } |
26 | expect { | 31 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 32 | timeout {puts "TESTING ERROR 3\n";exit} |
28 | "ps aux" | 33 | "3" |
29 | } | 34 | } |
30 | expect { | 35 | expect { |
31 | timeout {puts "TESTING ERROR 4\n";exit} | 36 | timeout {puts "TESTING ERROR 4\n";exit} |
32 | "home" | 37 | "4" |
33 | } | 38 | } |
34 | sleep 1 | ||
35 | |||
36 | |||
37 | send -- "ps aux |wc -l; pwd\r" | ||
38 | expect { | 39 | expect { |
39 | timeout {puts "TESTING ERROR 5\n";exit} | 40 | timeout {puts "TESTING ERROR 5\n";exit} |
40 | "6" | 41 | "5" |
41 | } | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 6\n";exit} | ||
44 | "home" | ||
45 | } | 42 | } |
46 | sleep 1 | 43 | sleep 1 |
47 | 44 | ||
48 | puts "\n" | 45 | puts "\nalldone\n" |
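Review bot: The patterns `"1"` through `"5"` at new lines 25–41 match the first occurrence of that digit anywhere in the first spawn's unread output — a PID in the shell prompt or in firejail's own messages would satisfy them — so the test can pass without catchsignal.sh printing anything; matching the full line the script emits (the script is not visible in this diff) would make the check meaningful. shutdown3.exp and shutdown4.exp use the same bare-digit patterns. The closing `puts "\nalldone\n"` at line 45 also differs from the `"\nall done\n"` every other test prints, and shutdown.exp fixes that very typo in this commit; shutdown3.exp and shutdown4.exp repeat it.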
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp new file mode 100755 index 000000000..02b68c4ce --- /dev/null +++ b/test/utils/shutdown3.exp | |||
@@ -0,0 +1,65 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | set firstspawn $spawn_id | ||
11 | |||
12 | send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 0\n";exit} | ||
15 | "Child process initialized" | ||
16 | } | ||
17 | sleep 2 | ||
18 | |||
19 | spawn $env(SHELL) | ||
20 | send -- "firejail --shutdown=shutdowntesting\r" | ||
21 | |||
22 | set spawn_id $firstspawn | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 1\n";exit} | ||
25 | "1" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | "1" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 3\n";exit} | ||
33 | "2" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 4\n";exit} | ||
37 | "2" | ||
38 | } | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 5\n";exit} | ||
41 | "3" | ||
42 | } | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 6\n";exit} | ||
45 | "3" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 7\n";exit} | ||
49 | "4" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 8\n";exit} | ||
53 | "4" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 9\n";exit} | ||
57 | "5" | ||
58 | } | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 10\n";exit} | ||
61 | "5" | ||
62 | } | ||
63 | sleep 1 | ||
64 | |||
65 | puts "\nalldone\n" | ||
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp new file mode 100755 index 000000000..0f2e0e7fe --- /dev/null +++ b/test/utils/shutdown4.exp | |||
@@ -0,0 +1,65 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | set firstspawn $spawn_id | ||
11 | |||
12 | send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 0\n";exit} | ||
15 | "Child process initialized" | ||
16 | } | ||
17 | sleep 2 | ||
18 | |||
19 | spawn $env(SHELL) | ||
20 | send -- "firejail --shutdown=shutdowntesting\r" | ||
21 | |||
22 | set spawn_id $firstspawn | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 1\n";exit} | ||
25 | "1" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 2\n";exit} | ||
29 | "2" | ||
30 | } | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 3\n";exit} | ||
33 | "3" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 4\n";exit} | ||
37 | "4" | ||
38 | } | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 5\n";exit} | ||
41 | "5" | ||
42 | } | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 10\n";exit} | ||
45 | "10" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 20\n";exit} | ||
49 | "20" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 30\n";exit} | ||
53 | "30" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 40\n";exit} | ||
57 | "40" | ||
58 | } | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 50\n";exit} | ||
61 | "50" | ||
62 | } | ||
63 | sleep 1 | ||
64 | |||
65 | puts "\nalldone\n" | ||
diff --git a/test/trace.exp b/test/utils/trace.exp index 21dd6a559..b562a6b49 100755 --- a/test/trace.exp +++ b/test/utils/trace.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 30 | 6 | set timeout 30 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -76,6 +79,7 @@ expect { | |||
76 | timeout {puts "TESTING ERROR 8.6\n";exit} | 79 | timeout {puts "TESTING ERROR 8.6\n";exit} |
77 | "wget:fopen64 index.html" {puts "OK\n";} | 80 | "wget:fopen64 index.html" {puts "OK\n";} |
78 | "wget:fopen index.html" {puts "OK\n";} | 81 | "wget:fopen index.html" {puts "OK\n";} |
82 | "Parent is shutting down" {puts "OK\n";} | ||
79 | } | 83 | } |
80 | sleep 1 | 84 | sleep 1 |
81 | 85 | ||
@@ -86,9 +90,25 @@ expect { | |||
86 | } | 90 | } |
87 | expect { | 91 | expect { |
88 | timeout {puts "TESTING ERROR 10\n";exit} | 92 | timeout {puts "TESTING ERROR 10\n";exit} |
89 | "rm:unlinkat index.html" | 93 | "rm:unlinkat index.html" {puts "OK\n";} |
94 | "Parent is shutting down" {puts "OK\n";} | ||
90 | } | 95 | } |
91 | sleep 1 | 96 | sleep 1 |
92 | 97 | ||
98 | send -- "firejail --trace\r" | ||
99 | expect { | ||
100 | timeout {puts "TESTING ERROR 11\n";exit} | ||
101 | "Child process initialized" | ||
102 | } | ||
103 | expect { | ||
104 | timeout {puts "TESTING ERROR 12\n";exit} | ||
105 | "bash:open /dev/tty" {puts "64bit\n"} | ||
106 | "bash:open64 /dev/tty" {puts "32bit\n"} | ||
107 | } | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 13\n";exit} | ||
110 | "bash:access /etc/terminfo/" {puts "debian\n"} | ||
111 | "bash:access /usr/share/terminfo/" {puts "arch\n"} | ||
112 | } | ||
93 | 113 | ||
94 | puts "\nall done\n" | 114 | puts "\nall done\n" |
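Review bot: The new `"Parent is shutting down" {puts "OK\n";}` arms at new lines 82 and 94 make the test report OK even when the expected `wget:fopen`/`rm:unlinkat` trace line never appears, as long as the sandbox exits, so a broken trace library no longer fails this test; that arm should report an error and exit like the timeout arm does, unless the intent is documented with a comment explaining why a missing trace line is acceptable. In the third hunk the `firejail --trace` shell started at new line 98 is never exited before `puts "\nall done\n"`, and the terminfo check at lines 110–111 accepts only the Debian and Arch paths, so it will time out with ERROR 13 on a distribution that stores terminfo elsewhere.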
diff --git a/test/option_tree.exp b/test/utils/tree.exp index 1841907d1..a8ef763f1 100755 --- a/test/option_tree.exp +++ b/test/utils/tree.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
diff --git a/test/utils/utils.sh b/test/utils/utils.sh new file mode 100755 index 000000000..0428c4807 --- /dev/null +++ b/test/utils/utils.sh | |||
@@ -0,0 +1,90 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | echo "TESTING: version (test/utils/version.exp)" | ||
10 | ./version.exp | ||
11 | |||
12 | echo "TESTING: help (test/utils/help.exp)" | ||
13 | ./help.exp | ||
14 | |||
15 | which man | ||
16 | if [ "$?" -eq 0 ]; | ||
17 | then | ||
18 | echo "TESTING: man (test/utils/man.exp)" | ||
19 | ./man.exp | ||
20 | else | ||
21 | echo "TESTING SKIP: man not found" | ||
22 | fi | ||
23 | |||
24 | echo "TESTING: list (test/utils/list.exp)" | ||
25 | ./list.exp | ||
26 | |||
27 | echo "TESTING: tree (test/utils/tree.exp)" | ||
28 | ./tree.exp | ||
29 | |||
30 | if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]; | ||
31 | then | ||
32 | echo "TESTING: cpu.print (test/utils/cpu-print.exp)" | ||
33 | ./cpu-print.exp | ||
34 | else | ||
35 | echo "TESTING SKIP: cpu.print, not enough CPUs" | ||
36 | fi | ||
37 | |||
38 | echo "TESTING: fs.print (test/utils/fs-print.exp)" | ||
39 | ./fs-print.exp | ||
40 | |||
41 | echo "TESTING: dns.print (test/utils/dns-print.exp)" | ||
42 | ./dns-print.exp | ||
43 | |||
44 | echo "TESTING: caps.print (test/utils/caps-print.exp)" | ||
45 | ./caps-print.exp | ||
46 | |||
47 | echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)" | ||
48 | ./seccomp-print.exp | ||
49 | |||
50 | echo "TESTING: protocol.print (test/utils/protocol-print.exp)" | ||
51 | ./protocol-print.exp | ||
52 | |||
53 | echo "TESTING: shutdown (test/utils/shutdown.exp)" | ||
54 | ./shutdown.exp | ||
55 | |||
56 | echo "TESTING: shutdown2 (test/utils/shutdown2.exp)" | ||
57 | ./shutdown2.exp | ||
58 | |||
59 | echo "TESTING: shutdown3 (test/utils/shutdown3.exp)" | ||
60 | ./shutdown3.exp | ||
61 | |||
62 | echo "TESTING: shutdown4 (test/utils/shutdown4.exp)" | ||
63 | ./shutdown4.exp | ||
64 | |||
65 | echo "TESTING: join (test/utils/join.exp)" | ||
66 | ./join.exp | ||
67 | |||
68 | echo "TESTING: join2 (test/utils/join2.exp)" | ||
69 | ./join2.exp | ||
70 | |||
71 | echo "TESTING: join3 (test/utils/join3.exp)" | ||
72 | ./join3.exp | ||
73 | |||
74 | echo "TESTING: join profile (test/utils/join-profile.exp)" | ||
75 | ./join-profile.exp | ||
76 | |||
77 | echo "TESTING: trace (test/utils/trace.exp)" | ||
78 | rm -f index.html* | ||
79 | ./trace.exp | ||
80 | rm -f index.html* | ||
81 | |||
82 | echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" | ||
83 | ./seccomp.exp | ||
84 | |||
85 | echo "TESTING: firemon --caps (test/utils/caps.exp)" | ||
86 | ./caps.exp | ||
87 | |||
88 | echo "TESTING: file transfer (test/utils/ls.exp)" | ||
89 | ./ls.exp | ||
90 | |||
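Review bot: `which man` followed by `if [ "$?" -eq 0 ]` at lines 15–16 prints the path to stdout and depends on `which` being installed; the portable form is `if command -v man >/dev/null 2>&1; then`. The test at line 30 should quote its command substitution, `if [ "$(grep -c ^processor /proc/cpuinfo)" -gt 1 ]; then`, so an empty result gives a clear comparison error rather than a syntax error from `[`. The script also runs every `.exp` by relative path and never checks their exit status (the expect scripts end with a bare `exit`, which returns 0), so a failing test is only visible in the captured output.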
diff --git a/test/option_version.exp b/test/utils/version.exp index 44c0c217f..2ce6f1680 100755 --- a/test/option_version.exp +++ b/test/utils/version.exp | |||
@@ -1,4 +1,7 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
2 | 5 | ||
3 | set timeout 10 | 6 | set timeout 10 |
4 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
@@ -35,3 +35,214 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock | |||
35 | 8. profile for dillo | 35 | 8. profile for dillo |
36 | Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active. | 36 | Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active. |
37 | This is probably a dillo problem. | 37 | This is probably a dillo problem. |
38 | |||
39 | 9. --force sandbox in a overlayfs sandbox | ||
40 | |||
41 | $ sudo firejail --overlay | ||
42 | # su netblue | ||
43 | $ xterm & | ||
44 | $ firejail --force --private | ||
45 | Parent pid 77, child pid 78 | ||
46 | Warning: failed to unmount /sys | ||
47 | |||
48 | Warning: cannot mount a new user namespace, going forward without it... | ||
49 | Child process initialized | ||
50 | |||
51 | Try to join the forced sandbox in xterm window: | ||
52 | $ firejail --join=77 | ||
53 | Switching to pid 78, the first child process inside the sandbox | ||
54 | Warning: seccomp file not found | ||
55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. | ||
56 | $ ls ~ <----------------- all files are available, the directory is not empty! | ||
57 | |||
58 | 10. Posibly capabilities broken for --join | ||
59 | |||
60 | $ firejail --name=test | ||
61 | ... | ||
62 | $ firejail --debug --join=test | ||
63 | Switching to pid 18591, the first child process inside the sandbox | ||
64 | User namespace detected: /proc/18591/uid_map, 1000, 1000 | ||
65 | Set caps filter 0 | ||
66 | Set protocol filter: unix,inet,inet6 | ||
67 | Read seccomp filter, size 792 bytes | ||
68 | |||
69 | However, in the join sandbox we have: | ||
70 | $ cat /proc/self/status | grep Cap | ||
71 | CapInh: 0000000000000000 | ||
72 | CapPrm: 0000000000000000 | ||
73 | CapEff: 0000000000000000 | ||
74 | CapBnd: 0000003fffffffff | ||
75 | CapAmb: 0000000000000000 | ||
76 | |||
77 | 11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ | ||
78 | Seccomp lists: | ||
79 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl | ||
80 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl | ||
81 | |||
82 | 12. check for --chroot why .config/pulse dir is not created | ||
83 | |||
84 | 13. print error line number for profile files in profile_check_line() | ||
85 | |||
86 | 14. make rpms problems | ||
87 | $ firejail --version | ||
88 | firejail version 0.9.40 | ||
89 | User namespace support is disabled. | ||
90 | |||
91 | $ rpmlint firejail-0.9.40-1.x86_64.rpm | ||
92 | firejail.x86_64: E: no-changelogname-tag | ||
93 | firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so | ||
94 | firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so | ||
95 | firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so | ||
96 | firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile | ||
97 | firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi | ||
98 | |||
99 | $ rpmlint firejail-0.9.40-1.src.rpm | ||
100 | firejail.src: E: no-changelogname-tag | ||
101 | firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found | ||
102 | 1 packages and 0 specfiles checked; 1 errors, 1 warnings. | ||
103 | |||
104 | 15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles | ||
105 | |||
106 | $ firejail --caps.keep=chown,net_bind_service src/faudit/faudit | ||
107 | Reading profile /etc/firejail/default.profile | ||
108 | Reading profile /etc/firejail/disable-common.inc | ||
109 | Reading profile /etc/firejail/disable-programs.inc | ||
110 | Reading profile /etc/firejail/disable-passwdmgr.inc | ||
111 | |||
112 | ** Note: you can use --noprofile to disable default.profile ** | ||
113 | |||
114 | Parent pid 6872, child pid 6873 | ||
115 | |||
116 | Child process initialized | ||
117 | |||
118 | ----- Firejail Audit: the Good, the Bad and the Ugly ----- | ||
119 | |||
120 | GOOD: Process PID 2, running in a PID namespace | ||
121 | Container/sandbox: firejail | ||
122 | GOOD: all capabilities are disabled | ||
123 | |||
124 | |||
125 | Parent is shutting down, bye... | ||
126 | |||
127 | 16. Sound devices: | ||
128 | /dev/snd | ||
129 | |||
130 | |||
131 | /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4 | ||
132 | /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3 | ||
133 | /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12 | ||
134 | /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20 | ||
135 | /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19 | ||
136 | /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28 | ||
137 | /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36 | ||
138 | /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35 | ||
139 | /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44 | ||
140 | |||
141 | |||
142 | 17. test 3d acceleration | ||
143 | |||
144 | $ lspci -nn | grep VGA | ||
145 | |||
146 | # apt-get install mesa-utils | ||
147 | |||
148 | $ glxinfo | grep rendering | ||
149 | |||
150 | The output should be: | ||
151 | |||
152 | direct rendering: Yes | ||
153 | |||
154 | $ glxinfo | grep "renderer string" | ||
155 | |||
156 | OpenGL renderer string: Gallium 0.4 on AMD KAVERI | ||
157 | |||
158 | |||
159 | glxgears stuck to 60fps may be due to VSync signal synchronization. | ||
160 | To disable Vsync | ||
161 | |||
162 | $ vblank_mode=0 glxgears | ||
163 | |||
164 | 18. Bring in nvidia drives in private-dev | ||
165 | |||
166 | /dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm | ||
167 | |||
168 | 19. testing snaps | ||
169 | |||
170 | Install firejail from official repository | ||
171 | sudo apt-get install firejail | ||
172 | |||
173 | Check firejail version | ||
174 | firejail --version | ||
175 | |||
176 | Above command outputs: firejail version 0.9.38 | ||
177 | |||
178 | Search the snap 'ubuntu clock' application | ||
179 | sudo snap find ubuntu-clock-app | ||
180 | |||
181 | Install 'ubuntu clock' application using snap | ||
182 | sudo snap install ubuntu-clock-app | ||
183 | |||
184 | Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ | ||
185 | cd /snap/bin/ | ||
186 | ls -l | ||
187 | |||
188 | Note: We see application name is: ubuntu-clock-app.clock | ||
189 | |||
190 | Run application | ||
191 | /snap/bin/ubuntu-clock-app.clock | ||
192 | |||
193 | Note: Application starts-up without a problem and clock is displayed. | ||
194 | |||
195 | Close application using mouse. | ||
196 | |||
197 | Now try to firejail the application. | ||
198 | firejail /snap/bin/ubuntu-clock-app.clock | ||
199 | |||
200 | -------- Error message -------- | ||
201 | Reading profile /etc/firejail/generic.profile | ||
202 | Reading profile /etc/firejail/disable-mgmt.inc | ||
203 | Reading profile /etc/firejail/disable-secret.inc | ||
204 | Reading profile /etc/firejail/disable-common.inc | ||
205 | |||
206 | ** Note: you can use --noprofile to disable generic.profile ** | ||
207 | |||
208 | Parent pid 3770, child pid 3771 | ||
209 | |||
210 | Child process initialized | ||
211 | need to run as root or suid | ||
212 | |||
213 | parent is shutting down, bye... | ||
214 | -------- End of Error message -------- | ||
215 | |||
216 | Try running as root as message instructs. | ||
217 | sudo firejail /snap/bin/ubuntu-clock-app.clock | ||
218 | |||
219 | extract env for process | ||
220 | ps e -p <pid> | sed 's/ /\n/g' | ||
221 | |||
222 | |||
223 | 20. check default disable - from grsecurity | ||
224 | |||
225 | GRKERNSEC_HIDESYM | ||
226 | /proc/kallsyms and other files | ||
227 | |||
228 | GRKERNSEC_PROC_USER | ||
229 | If you say Y here, non-root users will only be able to view their own | ||
230 | processes, and restricts them from viewing network-related information, | ||
231 | and viewing kernel symbol and module information. | ||
232 | |||
233 | GRKERNSEC_PROC_ADD | ||
234 | If you say Y here, additional restrictions will be placed on | ||
235 | /proc that keep normal users from viewing device information and | ||
236 | slabinfo information that could be useful for exploits. | ||
237 | |||
238 | 21. Core Infrastructure Initiative (CII) Best Practices | ||
239 | |||
240 | Proposal | ||
241 | |||
242 | Someone closely involved with the project could go thought the criteria and keep them up-to-date. | ||
243 | References | ||
244 | |||
245 | https://bestpractices.coreinfrastructure.org | ||
246 | https://twit.tv/shows/floss-weekly/episodes/389 | ||
247 | |||
248 | 22. add support for read-write and noexec to Firetools | ||