278 files changed, 3794 insertions, 1091 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index ae7b1089a..562d6b9e1 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -12,9 +12,9 @@ Write clear, concise and in textual form. | |||
12 | - Describe the bug. | 12 | - Describe the bug. |
13 | - What did you expect to happen? | 13 | - What did you expect to happen? |
14 | 14 | ||
15 | **No profile or disabling firejail** | 15 | **No profile and disabling firejail** |
16 | - What changed calling `firejail --noprofile PROGRAM` in a shell? | 16 | - What changed calling `firejail --noprofile /path/to/program` in a terminal? |
17 | - What changed calling the program *by path*=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)? | 17 | - What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)? |
18 | 18 | ||
19 | **Reproduce** | 19 | **Reproduce** |
20 | Steps to reproduce the behavior: | 20 | Steps to reproduce the behavior: |
@@ -24,19 +24,19 @@ Steps to reproduce the behavior: | |||
24 | 4. Scroll down to '....' | 24 | 4. Scroll down to '....' |
25 | 25 | ||
26 | **Environment** | 26 | **Environment** |
27 | - Linux distribution and version (ie output of `lsb_release -a`) | 27 | - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) |
28 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) | 28 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) |
29 | - What other programs interact with the affected program for the functionality? | ||
30 | - Are these listed in the profile? | ||
31 | 29 | ||
32 | **Additional context** | 30 | **Additional context** |
33 | Other context about the problem like related errors to understand the problem. | 31 | Other context about the problem like related errors to understand the problem. |
34 | 32 | ||
35 | **Checklist** | 33 | **Checklist** |
36 | - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. | 34 | - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. |
37 | - [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`) | 35 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) |
38 | - [ ] Programs needed for interaction are listed. | 36 | - [ ] Programs needed for interaction are listed in the profile. |
39 | - [ ] Error was checked in search engine and on issue list without success. | 37 | - [ ] A short search for duplicates was performed. |
38 | - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. | ||
39 | - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. | ||
40 | 40 | ||
41 | 41 | ||
42 | <details><summary> debug output </summary> | 42 | <details><summary> debug output </summary> |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..71cb7f0b4 --- /dev/null +++ b/.github/workflows/build.yml | |||
@@ -0,0 +1,55 @@ | |||
1 | name: Build CI | ||
2 | |||
3 | on: | ||
4 | push: | ||
5 | branches: [ master ] | ||
6 | pull_request: | ||
7 | branches: [ master ] | ||
8 | |||
9 | jobs: | ||
10 | build_and_test: | ||
11 | runs-on: ubuntu-20.04 | ||
12 | steps: | ||
13 | - uses: actions/checkout@v2 | ||
14 | - name: install dependencies | ||
15 | run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev expect xzdec | ||
16 | - name: configure | ||
17 | run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr | ||
18 | - name: make | ||
19 | run: make | ||
20 | - name: make install | ||
21 | run: sudo make install | ||
22 | - name: run tests | ||
23 | run: SHELL=/bin/bash make test-github | ||
24 | build-clang: | ||
25 | runs-on: ubuntu-20.04 | ||
26 | steps: | ||
27 | - uses: actions/checkout@v2 | ||
28 | - name: configure | ||
29 | run: CC=clang-10 ./configure --enable-fatal-warnings | ||
30 | - name: make | ||
31 | run: make | ||
32 | scan-build: | ||
33 | runs-on: ubuntu-20.04 | ||
34 | steps: | ||
35 | - uses: actions/checkout@v2 | ||
36 | - name: install clang-tools-10 | ||
37 | run: sudo apt-get install clang-tools-10 | ||
38 | - name: configure | ||
39 | run: CC=clang-10 ./configure --enable-fatal-warnings | ||
40 | - name: scan-build | ||
41 | run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make | ||
42 | cppcheck: | ||
43 | runs-on: ubuntu-20.04 | ||
44 | steps: | ||
45 | - uses: actions/checkout@v2 | ||
46 | - name: install cppcheck | ||
47 | run: sudo apt-get install cppcheck | ||
48 | - name: cppcheck | ||
49 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | ||
50 | profile-sort: | ||
51 | runs-on: ubuntu-20.04 | ||
52 | steps: | ||
53 | - uses: actions/checkout@v2 | ||
54 | - name: check profiles | ||
55 | run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile} | ||
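Review bot: Every job in this new workflow checks out with `actions/checkout@v2`, a mutable tag rather than a commit SHA, and the file has no `permissions:` block, so each job runs with the repository's default GITHUB_TOKEN scope. Pinning the action to a full commit (`uses: actions/checkout@<full-commit-sha>  # v2`) and adding a top-level `permissions:` block with `contents: read` limits what a compromised action or a pull request from a fork could do with that token; the remaining jobs only build and lint, so nothing here needs write access. Separately, the `sudo apt-get install` steps in build_and_test, scan-build and cppcheck run without a preceding `sudo apt-get update`, so a stale package index on the runner image can make the install step fail before any build happens.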
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 000000000..a37bbb5c7 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -0,0 +1,71 @@ | |||
1 | # For most projects, this workflow file will not need changing; you simply need | ||
2 | # to commit it to your repository. | ||
3 | # | ||
4 | # You may wish to alter this file to override the set of languages analyzed, | ||
5 | # or to provide custom queries or build logic. | ||
6 | name: "CodeQL" | ||
7 | |||
8 | on: | ||
9 | push: | ||
10 | branches: [master] | ||
11 | pull_request: | ||
12 | # The branches below must be a subset of the branches above | ||
13 | branches: [master] | ||
14 | schedule: | ||
15 | - cron: '0 7 * * 2' | ||
16 | |||
17 | jobs: | ||
18 | analyze: | ||
19 | name: Analyze | ||
20 | runs-on: ubuntu-latest | ||
21 | |||
22 | strategy: | ||
23 | fail-fast: false | ||
24 | matrix: | ||
25 | # Override automatic language detection by changing the below list | ||
26 | # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] | ||
27 | language: ['cpp', 'python'] | ||
28 | # Learn more... | ||
29 | # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection | ||
30 | |||
31 | steps: | ||
32 | - name: Checkout repository | ||
33 | uses: actions/checkout@v2 | ||
34 | with: | ||
35 | # We must fetch at least the immediate parents so that if this is | ||
36 | # a pull request then we can checkout the head. | ||
37 | fetch-depth: 2 | ||
38 | |||
39 | # If this run was triggered by a pull request event, then checkout | ||
40 | # the head of the pull request instead of the merge commit. | ||
41 | - run: git checkout HEAD^2 | ||
42 | if: ${{ github.event_name == 'pull_request' }} | ||
43 | |||
44 | # Initializes the CodeQL tools for scanning. | ||
45 | - name: Initialize CodeQL | ||
46 | uses: github/codeql-action/init@v1 | ||
47 | with: | ||
48 | languages: ${{ matrix.language }} | ||
49 | # If you wish to specify custom queries, you can do so here or in a config file. | ||
50 | # By default, queries listed here will override any specified in a config file. | ||
51 | # Prefix the list here with "+" to use these queries and those in the config file. | ||
52 | # queries: ./path/to/local/query, your-org/your-repo/queries@main | ||
53 | |||
54 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | ||
55 | # If this step fails, then you should remove it and run the build manually (see below) | ||
56 | - name: Autobuild | ||
57 | uses: github/codeql-action/autobuild@v1 | ||
58 | |||
59 | # ℹ️ Command-line programs to run using the OS shell. | ||
60 | # 📚 https://git.io/JvXDl | ||
61 | |||
62 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines | ||
63 | # and modify them (or add more) to build your code if your project | ||
64 | # uses a compiled language | ||
65 | |||
66 | #- run: | | ||
67 | # make bootstrap | ||
68 | # make release | ||
69 | |||
70 | - name: Perform CodeQL Analysis | ||
71 | uses: github/codeql-action/analyze@v1 | ||
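Review bot: The Autobuild step is the only build in this workflow and it runs `./configure` with defaults on a runner where no build libraries are installed, so any code that is only compiled under `--enable-apparmor` or `--enable-selinux` (the flags build.yml passes explicitly) is never compiled and therefore never analyzed by CodeQL; the `cpp` matrix entry ends up scanning a narrower binary than the one CI actually builds. The template's own comment in the file says to replace Autobuild with explicit build commands in exactly this case, so I would install the same libraries build.yml installs and configure with the same feature flags, restricted to the `cpp` matrix entry. As in build.yml, `actions/checkout@v2` and `github/codeql-action/*@v1` are tag-pinned; pinning a security-scanning workflow's actions to a commit SHA is the usual hardening.
```yaml
      # … unchanged: Checkout repository and Initialize CodeQL steps …
      - name: install build dependencies
        if: ${{ matrix.language == 'cpp' }}
        run: sudo apt-get update && sudo apt-get install -y libapparmor-dev libselinux1-dev
      - name: build
        if: ${{ matrix.language == 'cpp' }}
        run: ./configure --enable-apparmor --enable-selinux && make
      # … unchanged: Perform CodeQL Analysis step …
```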
diff --git a/.gitignore b/.gitignore index 8142985b3..76ce6c7ec 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -8,6 +8,8 @@ | |||
8 | *.gcno | 8 | *.gcno |
9 | *.DS_Store | 9 | *.DS_Store |
10 | .directory | 10 | .directory |
11 | *.man | ||
12 | .vscode | ||
11 | Makefile | 13 | Makefile |
12 | autom4te.cache/ | 14 | autom4te.cache/ |
13 | config.log | 15 | config.log |
@@ -35,7 +37,7 @@ src/fsec-optimize/fsec-optimize | |||
35 | src/fcopy/fcopy | 37 | src/fcopy/fcopy |
36 | src/fldd/fldd | 38 | src/fldd/fldd |
37 | src/fbuilder/fbuilder | 39 | src/fbuilder/fbuilder |
38 | etc/profstats | 40 | src/profstats/profstats |
39 | uids.h | 41 | uids.h |
40 | seccomp | 42 | seccomp |
41 | seccomp.debug | 43 | seccomp.debug |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 11f25284d..5affd5cff 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
@@ -9,7 +9,7 @@ build_ubuntu_package: | |||
9 | image: ubuntu:rolling | 9 | image: ubuntu:rolling |
10 | script: | 10 | script: |
11 | - apt-get update -qq | 11 | - apt-get update -qq |
12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 | 12 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk |
13 | - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb | 13 | - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb |
14 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | 14 | - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc |
15 | 15 | ||
@@ -17,7 +17,7 @@ build_debian_package: | |||
17 | image: debian:stretch | 17 | image: debian:stretch |
18 | script: | 18 | script: |
19 | - apt-get update -qq | 19 | - apt-get update -qq |
20 | - apt-get install -y -qq build-essential lintian pkg-config | 20 | - apt-get install -y -qq build-essential lintian pkg-config gawk |
21 | - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb | 21 | - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb |
22 | 22 | ||
23 | build_redhat_package: | 23 | build_redhat_package: |
@@ -40,7 +40,7 @@ build_src_package: | |||
40 | script: | 40 | script: |
41 | - apk update | 41 | - apk update |
42 | - apk upgrade | 42 | - apk upgrade |
43 | - apk add build-base linux-headers python3 | 43 | - apk add build-base linux-headers python3 gawk |
44 | - ./configure --prefix=/usr && make && make install-strip | 44 | - ./configure --prefix=/usr && make && make install-strip |
45 | # - python3 contrib/sort.py etc/*.{profile,inc} | 45 | # - python3 contrib/sort.py etc/*.{profile,inc} |
46 | 46 | ||
@@ -48,26 +48,9 @@ build_apparmor: | |||
48 | image: ubuntu:latest | 48 | image: ubuntu:latest |
49 | script: | 49 | script: |
50 | - apt-get update -qq | 50 | - apt-get update -qq |
51 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config | 51 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk |
52 | - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb | 52 | - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb |
53 | 53 | ||
54 | cppcheck: | ||
55 | image: debian:latest | ||
56 | before_script: | ||
57 | - apt-get -qq update | ||
58 | - apt-get -qq --no-install-recommends install cppcheck | ||
59 | script: | ||
60 | - cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | ||
61 | |||
62 | clang: | ||
63 | image: ubuntu:latest | ||
64 | script: | ||
65 | - apt-get update -qq | ||
66 | - apt-get --purge autoremove -y -qq gcc | ||
67 | - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq clang pkg-config make | ||
68 | - ./configure --prefix=/usr CC=/usr/bin/clang && make && make install-strip | ||
69 | |||
70 | |||
71 | debian_ci: | 54 | debian_ci: |
72 | image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest | 55 | image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest |
73 | variables: | 56 | variables: |
@@ -88,6 +71,6 @@ debian_ci: | |||
88 | - git add debian && git commit -m "add debian/" | 71 | - git add debian && git commit -m "add debian/" |
89 | - export CI_COMMIT_SHA=$(git rev-parse HEAD) | 72 | - export CI_COMMIT_SHA=$(git rev-parse HEAD) |
90 | script: | 73 | script: |
91 | - apt-get --no-install-recommends install pkg-config | 74 | - apt-get --no-install-recommends install -y -qq gawk |
92 | - gitlab-ci-git-buildpackage | 75 | - gitlab-ci-git-buildpackage |
93 | - gitlab-ci-lintian | 76 | - gitlab-ci-lintian |
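Review bot: The debian_ci script line now reads `apt-get --no-install-recommends install -y -qq gawk`, which replaces the previous `pkg-config` install instead of adding to it, while every other job in this file keeps pkg-config alongside the new gawk dependency. The README hunk in this same commit states that pkg-config is required for the AppArmor build, so if the salsa-ci image does not already ship it, configure could silently fall back to a build without AppArmor support in that job; `apt-get --no-install-recommends install -y -qq pkg-config gawk` keeps the jobs consistent. Whether the image provides pkg-config is not visible here, so this may just need a comment saying it does.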
diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index f1590aaa2..000000000 --- a/.travis.yml +++ /dev/null | |||
@@ -1,12 +0,0 @@ | |||
1 | language: c | ||
2 | dist: trusty | ||
3 | sudo: true | ||
4 | |||
5 | script: | ||
6 | - sudo apt-get -y install expect csh xzdec lintian fakeroot | ||
7 | - ( ./configure --enable-fatal-warnings --prefix=/usr && make && sudo make install && make test-travis ) | ||
8 | - ( sudo make install-strip DESTDIR=$(readlink -f appdir) ) | ||
9 | # # If successful, build release tarball | ||
10 | # - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . ) | ||
11 | # - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 | ||
12 | # - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead | ||
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 07a9eef04..688101d13 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -25,7 +25,7 @@ ensure that **both** of the following were installed: | |||
25 | firejail-profiles was not installed when installing firejail. | 25 | firejail-profiles was not installed when installing firejail. |
26 | 26 | ||
27 | We take security bugs very seriously. If you believe you have found one, please report it by | 27 | We take security bugs very seriously. If you believe you have found one, please report it by |
28 | emailing us at netblue30@yahoo.com | 28 | emailing us at netblue30@protonmail.com |
29 | 29 | ||
30 | # Opening an pull request: | 30 | # Opening an pull request: |
31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. | 31 | Pull requests with enhancements, bugfixes or new profiles are very welcome. |
diff --git a/Makefile.in b/Makefile.in index 890ba1b0a..623c8bd39 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -10,23 +10,26 @@ VERSION=@PACKAGE_VERSION@ | |||
10 | NAME=@PACKAGE_NAME@ | 10 | NAME=@PACKAGE_NAME@ |
11 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ | 11 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ |
12 | DOCDIR=@docdir@ | 12 | DOCDIR=@docdir@ |
13 | HAVE_SECCOMP=@HAVE_SECCOMP@ | ||
14 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 13 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
15 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ | 14 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ |
16 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ | 15 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ |
17 | HAVE_SUID=@HAVE_SUID@ | 16 | HAVE_SUID=@HAVE_SUID@ |
17 | HAVE_MAN=@HAVE_MAN@ | ||
18 | 18 | ||
19 | all: all_items man filters | 19 | ifneq ($(HAVE_MAN),no) |
20 | MAN_TARGET = man | ||
21 | MAN_SRC = src/man | ||
22 | endif | ||
23 | |||
24 | all: all_items mydirs $(MAN_TARGET) filters | ||
20 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 25 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats |
21 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee | 26 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
22 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 27 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
23 | MYDIRS = src/lib | 28 | MYDIRS = src/lib $(MAN_SRC) |
24 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 29 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
25 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 30 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
26 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
27 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 31 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
28 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 32 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
29 | endif | ||
30 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) | 33 | ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) |
31 | 34 | ||
32 | .PHONY: all_items $(ALL_ITEMS) | 35 | .PHONY: all_items $(ALL_ITEMS) |
@@ -34,18 +37,18 @@ all_items: $(ALL_ITEMS) | |||
34 | $(ALL_ITEMS): $(MYDIRS) | 37 | $(ALL_ITEMS): $(MYDIRS) |
35 | $(MAKE) -C $(dir $@) | 38 | $(MAKE) -C $(dir $@) |
36 | 39 | ||
37 | .PHONY: mydirs | 40 | .PHONY: mydirs $(MYDIRS) |
38 | mydirs: mydirs $(MYDIRS) | 41 | mydirs: $(MYDIRS) |
39 | $(MYDIRS): | 42 | $(MYDIRS): |
40 | $(MAKE) -C $@ | 43 | $(MAKE) -C $@ |
41 | 44 | ||
42 | $(MANPAGES): $(wildcard src/man/*.txt) | 45 | |
43 | ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@ | 46 | $(MANPAGES): src/man |
47 | ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ | ||
44 | 48 | ||
45 | man: $(MANPAGES) | 49 | man: $(MANPAGES) |
46 | 50 | ||
47 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) | 51 | filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) |
48 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
49 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize | 52 | seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize |
50 | src/fseccomp/fseccomp default seccomp | 53 | src/fseccomp/fseccomp default seccomp |
51 | src/fsec-optimize/fsec-optimize seccomp | 54 | src/fsec-optimize/fsec-optimize seccomp |
@@ -66,12 +69,12 @@ seccomp.mdwx: src/fseccomp/fseccomp | |||
66 | 69 | ||
67 | seccomp.mdwx.32: src/fseccomp/fseccomp | 70 | seccomp.mdwx.32: src/fseccomp/fseccomp |
68 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 | 71 | src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 |
69 | endif | ||
70 | 72 | ||
71 | clean: | 73 | clean: |
72 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ | 74 | for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ |
73 | $(MAKE) -C $$dir clean; \ | 75 | $(MAKE) -C $$dir clean; \ |
74 | done | 76 | done |
77 | $(MAKE) -C test clean | ||
75 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm | 78 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm |
76 | rm -f $(SECCOMP_FILTERS) | 79 | rm -f $(SECCOMP_FILTERS) |
77 | rm -f test/utils/index.html* | 80 | rm -f test/utils/index.html* |
@@ -108,7 +111,8 @@ endif | |||
108 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config | 111 | install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config |
109 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) | 112 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) |
110 | # non-dumpable plugins | 113 | # non-dumpable plugins |
111 | install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) | 114 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) |
115 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh | ||
112 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) | 116 | ifeq ($(HAVE_CONTRIB_INSTALL),yes) |
113 | # contrib scripts | 117 | # contrib scripts |
114 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh | 118 | install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh |
@@ -136,6 +140,7 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) | |||
136 | # install apparmor profile customization file | 140 | # install apparmor profile customization file |
137 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" | 141 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" |
138 | endif | 142 | endif |
143 | ifneq ($(HAVE_MAN),no) | ||
139 | # man pages | 144 | # man pages |
140 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 | 145 | install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 |
141 | for man in $(MANPAGES); do \ | 146 | for man in $(MANPAGES); do \ |
@@ -147,6 +152,7 @@ endif | |||
147 | esac; \ | 152 | esac; \ |
148 | done | 153 | done |
149 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) | 154 | rm -f $(MANPAGES) $(MANPAGES:%=%.gz) |
155 | endif | ||
150 | # bash completion | 156 | # bash completion |
151 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions | 157 | install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions |
152 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 158 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
@@ -176,7 +182,7 @@ uninstall: | |||
176 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 182 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
177 | 183 | ||
178 | DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" | 184 | DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" |
179 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" | 185 | DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" |
180 | 186 | ||
181 | dist: | 187 | dist: |
182 | mv config.status config.status.old | 188 | mv config.status config.status.old |
@@ -205,7 +211,7 @@ test-compile: dist | |||
205 | cd test/compile; ./compile.sh $(NAME)-$(VERSION) | 211 | cd test/compile; ./compile.sh $(NAME)-$(VERSION) |
206 | 212 | ||
207 | .PHONY: rpms | 213 | .PHONY: rpms |
208 | rpms: | 214 | rpms: src/man |
209 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | 215 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) |
210 | 216 | ||
211 | extras: all | 217 | extras: all |
@@ -222,47 +228,11 @@ scan-build: clean | |||
222 | # make test | 228 | # make test |
223 | # | 229 | # |
224 | 230 | ||
231 | TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter | ||
232 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) | ||
225 | 233 | ||
226 | test-profiles: | 234 | $(TEST_TARGETS): |
227 | cd test/profiles; ./profiles.sh | grep TESTING | 235 | $(MAKE) -C test $(subst test-,,$@) |
228 | |||
229 | test-private-lib: | ||
230 | cd test/private-lib; ./private-lib.sh | grep TESTING | ||
231 | |||
232 | test-apps: | ||
233 | cd test/apps; ./apps.sh | grep TESTING | ||
234 | |||
235 | test-apps-x11: | ||
236 | cd test/apps-x11; ./apps-x11.sh | grep TESTING | ||
237 | |||
238 | test-apps-x11-xorg: | ||
239 | cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING | ||
240 | |||
241 | test-sysutils: | ||
242 | cd test/sysutils; ./sysutils.sh | grep TESTING | ||
243 | |||
244 | test-utils: | ||
245 | cd test/utils; ./utils.sh | grep TESTING | ||
246 | |||
247 | test-environment: | ||
248 | cd test/environment; ./environment.sh | grep TESTING | ||
249 | |||
250 | test-filters: | ||
251 | ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) | ||
252 | cd test/filters; ./filters.sh | grep TESTING | ||
253 | endif | ||
254 | |||
255 | test-arguments: | ||
256 | cd test/arguments; ./arguments.sh | grep TESTING | ||
257 | |||
258 | test-fs: | ||
259 | cd test/fs; ./fs.sh | grep TESTING | ||
260 | |||
261 | test-fcopy: | ||
262 | cd test/fcopy; ./fcopy.sh | grep TESTING | ||
263 | |||
264 | test-fnetfilter: | ||
265 | cd test/fnetfilter; ./fnetfilter.sh | grep TESTING | ||
266 | 236 | ||
267 | test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments | 237 | test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments |
268 | echo "TEST COMPLETE" | 238 | echo "TEST COMPLETE" |
@@ -270,7 +240,7 @@ test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-uti | |||
270 | test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments | 240 | test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments |
271 | echo "TEST COMPLETE" | 241 | echo "TEST COMPLETE" |
272 | 242 | ||
273 | test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments | 243 | test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments |
274 | echo "TEST COMPLETE" | 244 | echo "TEST COMPLETE" |
275 | 245 | ||
276 | ########################################## | 246 | ########################################## |
@@ -281,32 +251,32 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy | |||
281 | 251 | ||
282 | # a firejail-test account is required, public/private key setup | 252 | # a firejail-test account is required, public/private key setup |
283 | test-ssh: | 253 | test-ssh: |
284 | cd test/ssh; ./ssh.sh | grep TESTING | 254 | $(MAKE) -C test $(subst test-,,$@) |
285 | 255 | ||
286 | # requires root access | 256 | # requires root access |
287 | test-chroot: | 257 | test-chroot: |
288 | cd test/chroot; ./chroot.sh | grep testing | 258 | $(MAKE) -C test $(subst test-,,$@) |
289 | 259 | ||
290 | # Huge appimage files, not included in "make dist" archive | 260 | # Huge appimage files, not included in "make dist" archive |
291 | test-appimage: | 261 | test-appimage: |
292 | cd test/appimage; ./appimage.sh | grep TESTING | 262 | $(MAKE) -C test $(subst test-,,$@) |
293 | 263 | ||
294 | # Root access, network devices are created before the test | 264 | # Root access, network devices are created before the test |
295 | # restart your computer to get rid of these devices | 265 | # restart your computer to get rid of these devices |
296 | test-network: | 266 | test-network: |
297 | cd test/network; ./network.sh | grep TESTING | 267 | $(MAKE) -C test $(subst test-,,$@) |
298 | 268 | ||
299 | # requires the same setup as test-network | 269 | # requires the same setup as test-network |
300 | test-stress: | 270 | test-stress: |
301 | cd test/stress; ./stress.sh | grep TESTING | 271 | $(MAKE) -C test $(subst test-,,$@) |
302 | 272 | ||
303 | # Tests running a root user | 273 | # Tests running a root user |
304 | test-root: | 274 | test-root: |
305 | cd test/root; su -c ./root.sh | grep TESTING | 275 | $(MAKE) -C test $(subst test-,,$@) |
306 | 276 | ||
307 | # OverlayFS is not available on all platforms | 277 | # OverlayFS is not available on all platforms |
308 | test-overlay: | 278 | test-overlay: |
309 | cd test/overlay; ./overlay.sh | grep TESTING | 279 | $(MAKE) -C test $(subst test-,,$@) |
310 | 280 | ||
311 | # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" | 281 | # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" |
312 | 282 | ||
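Review bot: The install rule now installs `$(SBOX_APPS_NON_DUMPABLE)` with `-m 0755`, the same mode as `$(SBOX_APPS)` on the line above, while the `# non-dumpable plugins` comment and the separate variable are kept unchanged. The former 0711 mode made these helpers unreadable to ordinary users, which appears to be the property the variable name refers to (the kernel disables dumping for a process executing a file it cannot read), so with 0755 the comment no longer describes what the rule does; either fold the list into `SBOX_APPS`, or replace the comment with one that records why 0755 is now acceptable, e.g. `# formerly 0711 (unreadable => non-dumpable); 0755 is intentional because <reason or issue>`. The enclosing `install:` recipe starts outside the hunk. The later hunk that renames `test-travis` to `test-github` also drops `test-filters` from its prerequisites, which quietly removes the seccomp tests from CI and deserves a comment if intentional.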
@@ -15,7 +15,7 @@ Documentation and support: https://firejail.wordpress.com/ | |||
15 | Development: https://github.com/netblue30/firejail | 15 | Development: https://github.com/netblue30/firejail |
16 | License: GPL v2 | 16 | License: GPL v2 |
17 | 17 | ||
18 | 18 | Please report all security vulnerabilities at netblue30@protonmail.com | |
19 | 19 | ||
20 | Compile and install mainline version from GitHub: | 20 | Compile and install mainline version from GitHub: |
21 | 21 | ||
@@ -27,12 +27,12 @@ On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | |||
27 | development libraries and pkg-config are required when using --apparmor | 27 | development libraries and pkg-config are required when using --apparmor |
28 | ./configure option: | 28 | ./configure option: |
29 | 29 | ||
30 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config | 30 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
31 | 31 | ||
32 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). | 32 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). |
33 | 33 | ||
34 | Maintainer: | 34 | Maintainer: |
35 | - netblue30 (netblue30@yahoo.com) | 35 | - netblue30 (netblue30@protonmail.com) |
36 | 36 | ||
37 | Committers | 37 | Committers |
38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
@@ -49,7 +49,7 @@ Committers | |||
49 | - Topi Miettinen (https://github.com/topimiettinen) | 49 | - Topi Miettinen (https://github.com/topimiettinen) |
50 | - veloute (https://github.com/veloute) | 50 | - veloute (https://github.com/veloute) |
51 | - Vincent43 (https://github.com/Vincent43) | 51 | - Vincent43 (https://github.com/Vincent43) |
52 | - netblue30 (netblue30@yahoo.com) | 52 | - netblue30 (netblue30@protonmail.com) |
53 | 53 | ||
54 | 54 | ||
55 | 55 | ||
@@ -100,6 +100,7 @@ Alexander Stein (https://github.com/ajstein) | |||
100 | Amin Vakil (https://github.com/aminvakil) | 100 | Amin Vakil (https://github.com/aminvakil) |
101 | - whois profile fix | 101 | - whois profile fix |
102 | - added profile for strawberry | 102 | - added profile for strawberry |
103 | - w3m profile fix | ||
103 | Andreas Hunkeler (https://github.com/Karneades) | 104 | Andreas Hunkeler (https://github.com/Karneades) |
104 | - Add profile for offical Linux Teams application | 105 | - Add profile for offical Linux Teams application |
105 | Andrey Alekseenko (https://github.com/al42and) | 106 | Andrey Alekseenko (https://github.com/al42and) |
@@ -113,6 +114,8 @@ announ (https://github.com/announ) | |||
113 | - mpv and youtube-dl profile fixes | 114 | - mpv and youtube-dl profile fixes |
114 | - git profile fix | 115 | - git profile fix |
115 | - evince profile fix | 116 | - evince profile fix |
117 | Anton Shestakov (https://github.com/antonv6) | ||
118 | - add whitelist items for uim | ||
116 | Antonio Russo (https://github.com/aerusso) | 119 | Antonio Russo (https://github.com/aerusso) |
117 | - enumerate root directories in apparmor profile | 120 | - enumerate root directories in apparmor profile |
118 | - fix join-or-start | 121 | - fix join-or-start |
@@ -121,6 +124,8 @@ Antonio Russo (https://github.com/aerusso) | |||
121 | - manpage fixes | 124 | - manpage fixes |
122 | aoand (https://github.com/aoand) | 125 | aoand (https://github.com/aoand) |
123 | - seccomp fix: allow numeric syscalls | 126 | - seccomp fix: allow numeric syscalls |
127 | Arne Welzel (https://github.com/awelzel) | ||
128 | - ignore SIGTTOU during flush_stdin() | ||
124 | Atrate (https://github.com/Atrate) | 129 | Atrate (https://github.com/Atrate) |
125 | - BetterDiscord support | 130 | - BetterDiscord support |
126 | Austin Morton (https://github.com/apmorton) | 131 | Austin Morton (https://github.com/apmorton) |
@@ -145,6 +150,9 @@ avoidr (https://github.com/avoidr) | |||
145 | - added mcabber profile | 150 | - added mcabber profile |
146 | - fixed mpv profile | 151 | - fixed mpv profile |
147 | - various other fixes | 152 | - various other fixes |
153 | backspac (https://github.com/backspac) | ||
154 | - firecfg fixes | ||
155 | - add steam-runtime alias | ||
148 | Bader Zaidan (https://github.com/BaderSZ) | 156 | Bader Zaidan (https://github.com/BaderSZ) |
149 | - Telegram profile | 157 | - Telegram profile |
150 | Bandie (https://github.com/Bandie) | 158 | Bandie (https://github.com/Bandie) |
@@ -168,12 +176,15 @@ BogDan Vatra (https://github.com/bog-dan-ro) | |||
168 | - zoom profile | 176 | - zoom profile |
169 | Brad Ackerman | 177 | Brad Ackerman |
170 | - blacklist Bitwarden config in disable-passwdmgr.inc | 178 | - blacklist Bitwarden config in disable-passwdmgr.inc |
179 | briaeros (https://github.com/briaeros) | ||
180 | - fix command test in jail_prober.py | ||
171 | Bruno Nova (https://github.com/brunonova) | 181 | Bruno Nova (https://github.com/brunonova) |
172 | - whitelist fix | 182 | - whitelist fix |
173 | - bash arguments fix | 183 | - bash arguments fix |
174 | Bundy01 (https://github.com/Bundy01) | 184 | Bundy01 (https://github.com/Bundy01) |
175 | - fixup geary | 185 | - fixup geary |
176 | - add gradio profile | 186 | - add gradio profile |
187 | - update virtualbox.profile | ||
177 | BytesTuner (https://github.com/BytesTuner) | 188 | BytesTuner (https://github.com/BytesTuner) |
178 | - provided keepassxc profile | 189 | - provided keepassxc profile |
179 | caoliver (https://github.com/caoliver) | 190 | caoliver (https://github.com/caoliver) |
@@ -181,10 +192,12 @@ caoliver (https://github.com/caoliver) | |||
181 | Carlo Abelli (https://github.com/carloabelli) | 192 | Carlo Abelli (https://github.com/carloabelli) |
182 | - fixed udiskie profile | 193 | - fixed udiskie profile |
183 | - Allow mbind syscall for GIMP | 194 | - Allow mbind syscall for GIMP |
195 | - fixed simple-scan | ||
184 | Cat (https://github.com/ecat3) | 196 | Cat (https://github.com/ecat3) |
185 | - prevent tmux connecting to an existing session | 197 | - prevent tmux connecting to an existing session |
186 | Christian Pinedo (https://github.com/chrpinedo) | 198 | Christian Pinedo (https://github.com/chrpinedo) |
187 | - added nicotine profile | 199 | - added nicotine profile |
200 | - allow python3 in totem profile | ||
188 | creideiki (https://github.com/creideiki) | 201 | creideiki (https://github.com/creideiki) |
189 | - make the sandbox process reap all children | 202 | - make the sandbox process reap all children |
190 | - tor browser profile fix | 203 | - tor browser profile fix |
@@ -202,6 +215,7 @@ Clayton Williams (https://github.com/gosre) | |||
202 | corecontingency (https://https://github.com/corecontingency) | 215 | corecontingency (https://https://github.com/corecontingency) |
203 | - tighten private-bin and etc for torbrowser-launcher.profile | 216 | - tighten private-bin and etc for torbrowser-launcher.profile |
204 | - added i2prouter profile | 217 | - added i2prouter profile |
218 | - add several games to steam and disable-programs | ||
205 | crass (https://github.com/crass) | 219 | crass (https://github.com/crass) |
206 | - extract_command_name fixes | 220 | - extract_command_name fixes |
207 | - update appimage size calculation to newest code from libappimage | 221 | - update appimage size calculation to newest code from libappimage |
@@ -238,10 +252,14 @@ Danil Semelenov (https://github.com/sgtpep) | |||
238 | Dara Adib (https://github.com/daradib) | 252 | Dara Adib (https://github.com/daradib) |
239 | - ssh profile fix | 253 | - ssh profile fix |
240 | - evince profile fix | 254 | - evince profile fix |
255 | Dario Pellegrini (https://github.com/dpellegr) | ||
256 | - allowing links in netns | ||
241 | David Thole (https://github.com/TheDarkTrumpet) | 257 | David Thole (https://github.com/TheDarkTrumpet) |
242 | - added profile for teams-for-linux | 258 | - added profile for teams-for-linux |
243 | Davide Beatrici (https://github.com/davidebeatrici) | 259 | Davide Beatrici (https://github.com/davidebeatrici) |
244 | - steam.profile: correctly blacklist unneeded directories in user's home | 260 | - steam.profile: correctly blacklist unneeded directories in user's home |
261 | David Hyrule (https://github.com/Svaag) | ||
262 | - remove nou2f in ssh profile | ||
245 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 263 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
246 | - added xpdf profile | 264 | - added xpdf profile |
247 | Denys Havrysh (https://github.com/vutny) | 265 | Denys Havrysh (https://github.com/vutny) |
@@ -253,6 +271,7 @@ dewbasaur (https://github.com/dewbasaur) | |||
253 | - Steam profile | 271 | - Steam profile |
254 | DiGitHubCap (https://github.com/DiGitHubCap) | 272 | DiGitHubCap (https://github.com/DiGitHubCap) |
255 | - deluge profile fix | 273 | - deluge profile fix |
274 | - fix qt5ct colour schemes and QSS | ||
256 | Disconnect3d (https://github.com/disconnect3d) | 275 | Disconnect3d (https://github.com/disconnect3d) |
257 | - code cleanup | 276 | - code cleanup |
258 | dmfreemon (https://github.com/dmfreemon) | 277 | dmfreemon (https://github.com/dmfreemon) |
@@ -269,6 +288,8 @@ Eduard Tolosa (https://github.com/Edu4rdSHL) | |||
269 | - fixed gajim.profile | 288 | - fixed gajim.profile |
270 | emacsomancer (https://github.com/emacsomancer) | 289 | emacsomancer (https://github.com/emacsomancer) |
271 | - added profile for Conkeror browser | 290 | - added profile for Conkeror browser |
291 | Emil Gedda (https://github.com/EmilGedda) | ||
292 | - fix multicast CIDR address in nolocal.net | ||
272 | eventyrer (https://github.com/eventyrer) | 293 | eventyrer (https://github.com/eventyrer) |
273 | - update gnome-mplayer.profile | 294 | - update gnome-mplayer.profile |
274 | Ethan R (https://github.com/AN3223) | 295 | Ethan R (https://github.com/AN3223) |
@@ -397,8 +418,12 @@ hawkey116477 (https://github.com/hawkeye116477) | |||
397 | - updated Waterfox profile | 418 | - updated Waterfox profile |
398 | Helmut Grohne (https://github.com/helmutg) | 419 | Helmut Grohne (https://github.com/helmutg) |
399 | - compiler support in the build system - Debian bug #869707 | 420 | - compiler support in the build system - Debian bug #869707 |
421 | hlein (https://github.com/hlein) | ||
422 | - strip out \r's from jail prober | ||
400 | Holger Heinz (https://github.com/hheinz) | 423 | Holger Heinz (https://github.com/hheinz) |
401 | - manpage work | 424 | - manpage work |
425 | Haowei Yu (https://github.com/sfc-gh-hyu) | ||
426 | - add configure options when building rpm | ||
402 | Icaro Perseo (https://github.com/icaroperseo) | 427 | Icaro Perseo (https://github.com/icaroperseo) |
403 | - Icecat profile | 428 | - Icecat profile |
404 | - several profile fixes | 429 | - several profile fixes |
@@ -442,6 +467,8 @@ Jean Lucas (https://github.com/flacks) | |||
442 | - allow reading of system-wide Flatpak locale in gajim profile | 467 | - allow reading of system-wide Flatpak locale in gajim profile |
443 | Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth) | 468 | Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth) |
444 | - fixed spotify.profile | 469 | - fixed spotify.profile |
470 | Jeff Squyres (https://github.com/jsquyres) | ||
471 | - various manpage fixes | ||
445 | Jericho (https://github.com/attritionorg) | 472 | Jericho (https://github.com/attritionorg) |
446 | - spelling | 473 | - spelling |
447 | Jesse Smith (https://github.com/slicer69) | 474 | Jesse Smith (https://github.com/slicer69) |
@@ -478,6 +505,8 @@ juan (https://github.com/nyancat18) | |||
478 | - profile hardening | 505 | - profile hardening |
479 | Kaan Genç (https://github.com/SeriousBug) | 506 | Kaan Genç (https://github.com/SeriousBug) |
480 | - dynamic allocation of noblacklist buffer | 507 | - dynamic allocation of noblacklist buffer |
508 | Karoshi42 (https://github.com/karoshi42) | ||
509 | - update dino-im.profile | ||
481 | KellerFuchs (https://github.com/KellerFuchs) | 510 | KellerFuchs (https://github.com/KellerFuchs) |
482 | - nonewpriv support, extended profiles for this feature | 511 | - nonewpriv support, extended profiles for this feature |
483 | - make `restricted-network` prevent use of netfilter | 512 | - make `restricted-network` prevent use of netfilter |
@@ -488,10 +517,17 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
488 | - make ~/.local read-only | 517 | - make ~/.local read-only |
489 | Kishore96in (https://github.com/Kishore96in) | 518 | Kishore96in (https://github.com/Kishore96in) |
490 | - added falkon profile | 519 | - added falkon profile |
520 | - kxmlgui fixes | ||
521 | - okular profile fixes | ||
522 | - jitsi-meet-desktop profile | ||
523 | - konversatin profile fix | ||
491 | KOLANICH (https://github.com/KOLANICH) | 524 | KOLANICH (https://github.com/KOLANICH) |
492 | - added symlink fixer fix_private-bin.py in contrib section | 525 | - added symlink fixer fix_private-bin.py in contrib section |
493 | - update fix_private-bin.py | 526 | - update fix_private-bin.py |
494 | - fix meld | 527 | - fix meld |
528 | kortewegdevries (https://github.com/kortewegdevries) | ||
529 | - a whole bunch of new profiles and fixes | ||
530 | - whitelisting evolution, kmail | ||
495 | Kristóf Marussy (https://github.com/kris7t) | 531 | Kristóf Marussy (https://github.com/kris7t) |
496 | - dns support | 532 | - dns support |
497 | Kunal Mehta (https://github.com/legoktm) | 533 | Kunal Mehta (https://github.com/legoktm) |
@@ -509,6 +545,7 @@ Loïc Damien (https://github.com/dzamlo) | |||
509 | Liorst4 (https://github.com/Liorst4) | 545 | Liorst4 (https://github.com/Liorst4) |
510 | - Preserve CFLAGS given to configure in common.mk.in | 546 | - Preserve CFLAGS given to configure in common.mk.in |
511 | - fix emacs config to load as read-write | 547 | - fix emacs config to load as read-write |
548 | - disable browser drm by default | ||
512 | Lockdis (https://github.com/Lockdis) | 549 | Lockdis (https://github.com/Lockdis) |
513 | - Added crow, nyx, and google-earth-pro profiles | 550 | - Added crow, nyx, and google-earth-pro profiles |
514 | Lukáš Krejčí (https://github.com/lskrejci) | 551 | Lukáš Krejčí (https://github.com/lskrejci) |
@@ -556,11 +593,17 @@ mirabellette (https://github.com/mirabellette) | |||
556 | mjudtmann (https://github.com/mjudtmann) | 593 | mjudtmann (https://github.com/mjudtmann) |
557 | - lock firejail configuration in disable-mgmt.inc | 594 | - lock firejail configuration in disable-mgmt.inc |
558 | mustaqimM (https://github.com/mustaqimM) | 595 | mustaqimM (https://github.com/mustaqimM) |
559 | - added profile for Nylas Mail | 596 | - added profile for Nylas Mail |
560 | n1trux (https://github.com/n1trux) | 597 | n1trux (https://github.com/n1trux) |
561 | - fix flashpeak-slimjet profile typos | 598 | - fix flashpeak-slimjet profile typos |
562 | nblock (https://github.com/nblock) | 599 | nblock (https://github.com/nblock) |
563 | - cmus: allow access to resolv.conf | 600 | - cmus: allow access to resolv.conf |
601 | neirenoir (https://github.com/neirenoir) and noir <noir@neire.dev> | ||
602 | - fixed Blender profile being unable to import numpy | ||
603 | Neo00001 (https://github.com/Neo00001) | ||
604 | - add vmware profile | ||
605 | - update virtualbox profile | ||
606 | - update telegram profile | ||
564 | Nick Fox (https://github.com/njfox) | 607 | Nick Fox (https://github.com/njfox) |
565 | - add a profile alias for code-oss | 608 | - add a profile alias for code-oss |
566 | - add code-oss config directory | 609 | - add code-oss config directory |
@@ -575,6 +618,13 @@ nyancat18 (https://github.com/nyancat18) | |||
575 | - added ardour4, dooble, karbon, krita profiles | 618 | - added ardour4, dooble, karbon, krita profiles |
576 | Ondra Nekola (https://github.com/satai) | 619 | Ondra Nekola (https://github.com/satai) |
577 | - allow firefox theming with non-global themes | 620 | - allow firefox theming with non-global themes |
621 | OndrejMalek (https://github.com/OndrejMalek) | ||
622 | - various manpage fixes | ||
623 | Ondřej Nový (https://github.com/onovy) | ||
624 | - allow video for Signal profile | ||
625 | - added Mattermost desktop profile | ||
626 | - hardened Zoom profile | ||
627 | - hardened Signal desktop profile | ||
578 | Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) | 628 | Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) |
579 | - prevent thunderbird conflicts when firefox is running | 629 | - prevent thunderbird conflicts when firefox is running |
580 | - add join-or-start to pluma to open multiple files in tabs | 630 | - add join-or-start to pluma to open multiple files in tabs |
@@ -702,6 +752,8 @@ Senemu (https://github.com/Senemu) | |||
702 | Sergey Alirzaev (https://github.com/l29ah) | 752 | Sergey Alirzaev (https://github.com/l29ah) |
703 | - firejail.h enum fix | 753 | - firejail.h enum fix |
704 | - firefox-common-addons.inc: + tridactyl | 754 | - firefox-common-addons.inc: + tridactyl |
755 | Slava Monich (https://github.com/monich) | ||
756 | - added configure option to disable man pages | ||
705 | Tobias Schmidl (https://github.com/schtobia) | 757 | Tobias Schmidl (https://github.com/schtobia) |
706 | - added profile for webui-aria2 | 758 | - added profile for webui-aria2 |
707 | Simon Peter (https://github.com/probonopd) | 759 | Simon Peter (https://github.com/probonopd) |
@@ -1,5 +1,4 @@ | |||
1 | # Firejail | 1 | # Firejail |
2 | [![Test Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail) | ||
3 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) | 2 | [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) |
4 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) | 3 | [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) |
5 | 4 | ||
@@ -66,14 +65,12 @@ FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions | |||
66 | 65 | ||
67 | Wiki: https://github.com/netblue30/firejail/wiki | 66 | Wiki: https://github.com/netblue30/firejail/wiki |
68 | 67 | ||
69 | Travis-CI status: https://travis-ci.org/netblue30/firejail | ||
70 | |||
71 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ | 68 | GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ |
72 | 69 | ||
73 | 70 | ||
74 | ## Security vulnerabilities | 71 | ## Security vulnerabilities |
75 | 72 | ||
76 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com | 73 | We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com |
77 | 74 | ||
78 | ## Installing | 75 | ## Installing |
79 | 76 | ||
@@ -92,7 +89,7 @@ On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor | |||
92 | development libraries and pkg-config are required when using --apparmor | 89 | development libraries and pkg-config are required when using --apparmor |
93 | ./configure option: | 90 | ./configure option: |
94 | ````` | 91 | ````` |
95 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config | 92 | $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk |
96 | ````` | 93 | ````` |
97 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). | 94 | For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). |
98 | 95 | ||
@@ -154,46 +151,47 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
154 | ````` | 151 | ````` |
155 | 152 | ||
156 | ````` | 153 | ````` |
157 | ## Latest released version: 0.9.62 | 154 | ## Latest released version: 0.9.64 |
155 | |||
156 | ## Current development version: 0.9.65 | ||
157 | |||
158 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | ||
159 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | ||
160 | |||
158 | 161 | ||
159 | ## Current development version: 0.9.63 | ||
160 | 162 | ||
161 | ### Profile Statistics | 163 | ### Profile Statistics |
162 | 164 | ||
163 | A small tool to print profile statistics. Compile as usual and run: | 165 | A small tool to print profile statistics. Compile as usual and run in /etc/profiles: |
164 | ````` | 166 | ````` |
165 | $ make | 167 | $ sudo cp src/profstats/profstats /etc/firejail/. |
166 | $ cd etc | 168 | $ cd /etc/firejail |
167 | $ ./profstats *.profile | 169 | $ ./profstats *.profile |
168 | profiles 966 | 170 | Warning: multiple caps in transmission-daemon.profile |
169 | include local profile 966 (include profile-name.local) | 171 | |
170 | include globals 966 (include globals.local) | 172 | Stats: |
171 | blacklist ~/.ssh 951 (include disable-common.inc) | 173 | profiles 1031 |
172 | seccomp 908 | 174 | include local profile 1031 (include profile-name.local) |
173 | capabilities 965 | 175 | include globals 1031 (include globals.local) |
174 | noexec 830 (include disable-exec.inc) | 176 | blacklist ~/.ssh 1007 (include disable-common.inc) |
175 | memory-deny-write-execute 214 | 177 | seccomp 976 |
176 | apparmor 488 | 178 | capabilities 1030 |
177 | private-bin 483 | 179 | noexec 901 (include disable-exec.inc) |
178 | private-dev 829 | 180 | memory-deny-write-execute 221 |
179 | private-etc 366 | 181 | apparmor 555 |
180 | private-tmp 726 | 182 | private-bin 544 |
181 | whitelist var 638 (include whitelist-var-common.inc) | 183 | private-dev 897 |
182 | whitelist run/user 282 (include whitelist-runuser-common.inc | 184 | private-etc 435 |
185 | private-tmp 785 | ||
186 | whitelist home directory 474 | ||
187 | whitelist var 699 (include whitelist-var-common.inc) | ||
188 | whitelist run/user 336 (include whitelist-runuser-common.inc | ||
183 | or blacklist ${RUNUSER}) | 189 | or blacklist ${RUNUSER}) |
184 | whitelist usr/share 275 (include whitelist-usr-share-common.inc | 190 | whitelist usr/share 359 (include whitelist-usr-share-common.inc |
185 | net none 313 | 191 | net none 333 |
186 | ````` | 192 | dbus-user none 523 |
187 | 193 | dbus-system none 632 | |
188 | Run ./profstats -h for help. | ||
189 | 194 | ||
190 | ### New profiles: | 195 | ### New profiles: |
191 | 196 | ||
192 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, | 197 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer |
193 | multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, | ||
194 | muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | ||
195 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, | ||
196 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, | ||
197 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, | ||
198 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, | ||
199 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser | ||
@@ -1,6 +1,15 @@ | |||
1 | firejail (0.9.63) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
2 | * work in progress | 2 | * allow --tmpfs inside $HOME for unprivileged users |
3 | * security: fixes for CVE-2020-17367 & CVE-2020-17368, reported by Tim Starling | 3 | * --disable-usertmpfs compile time option |
4 | * allow AF_BLUETOOTH via --protocol=bluetooth | ||
5 | * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer | ||
6 | * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer | ||
7 | * new profiles: straw-viewer | ||
8 | |||
9 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 09:00:00 -0500 | ||
10 | |||
11 | firejail (0.9.64) baseline; urgency=low | ||
12 | * replaced --nowrap option with --wrap in firemon | ||
4 | * The blocking action of seccomp filters has been changed from | 13 | * The blocking action of seccomp filters has been changed from |
5 | killing the process to returning EPERM to the caller. To get the | 14 | killing the process to returning EPERM to the caller. To get the |
6 | previous behaviour, use --seccomp-error-action=kill or | 15 | previous behaviour, use --seccomp-error-action=kill or |
@@ -19,6 +28,8 @@ firejail (0.9.63) baseline; urgency=low | |||
19 | * whitelist globbing | 28 | * whitelist globbing |
20 | * mkdir and mkfile support for /run/user directory | 29 | * mkdir and mkfile support for /run/user directory |
21 | * support ignore for include | 30 | * support ignore for include |
31 | * --include on the command line | ||
32 | * splitting up media players whitelists in whitelist-players.inc | ||
22 | * new condition: HAS_NOSOUND | 33 | * new condition: HAS_NOSOUND |
23 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 34 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
24 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 35 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
@@ -36,15 +47,21 @@ firejail (0.9.63) baseline; urgency=low | |||
36 | * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless | 47 | * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless |
37 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers | 48 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers |
38 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski | 49 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski |
39 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop | 50 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime |
40 | * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry | 51 | * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im |
41 | * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper | 52 | * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper |
42 | * new profiles: gapplication, openarena_ded, element-desktop, cawbird, freetube | 53 | * new profiles: gapplication, openarena_ded, element-desktop, cawbird |
54 | * new profiles: freetube, strawberry, jitsi-meet-desktop | ||
43 | * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash | 55 | * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash |
44 | * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx | 56 | * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx |
45 | * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar | 57 | * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar |
46 | * new profiles: vmware, git-cola, otter-browser | 58 | * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube |
47 | -- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500 | 59 | * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi |
60 | * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube | ||
61 | * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send | ||
62 | * new profiles: qrencode, ytmdesktop, twitch | ||
63 | * new profiles: xournalpp, chromium-freeworld, equalx | ||
64 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 08:00:00 -0500 | ||
48 | 65 | ||
49 | firejail (0.9.62) baseline; urgency=low | 66 | firejail (0.9.62) baseline; urgency=low |
50 | * added file-copy-limit in /etc/firejail/firejail.config | 67 | * added file-copy-limit in /etc/firejail/firejail.config |
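--- a/SECURITY.md
+++ b/SECURITY.md
@@ -21,4 +21,4 @@
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com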
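Review bot: The new contact address on line 24 of SECURITY.md reads `netblue30@@protonmail.com` with a doubled `@`, which is not a valid mailbox, so a reporter following this file to disclose a vulnerability privately would get a bounce instead of reaching the maintainer. The README.md hunk in this same commit writes the address correctly as `netblue30@protonmail.com`, so this looks like a typo rather than an intentional obfuscation. Since this is the file that tells people where to send security reports, a silent delivery failure here is worse than in any other documentation change in the commit. Change the line to `We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com`.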
@@ -1,8 +1,8 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.63. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.65. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@protonmail.com>. |
6 | # | 6 | # |
7 | # | 7 | # |
8 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. | 8 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
@@ -267,10 +267,10 @@ fi | |||
267 | $as_echo "$0: be upgraded to zsh 4.3.4 or later." | 267 | $as_echo "$0: be upgraded to zsh 4.3.4 or later." |
268 | else | 268 | else |
269 | $as_echo "$0: Please tell bug-autoconf@gnu.org and | 269 | $as_echo "$0: Please tell bug-autoconf@gnu.org and |
270 | $0: netblue30@yahoo.com about your system, including any | 270 | $0: netblue30@protonmail.com about your system, including |
271 | $0: error possibly output before this message. Then install | 271 | $0: any error possibly output before this message. Then |
272 | $0: a modern shell, or manually run the script under such a | 272 | $0: install a modern shell, or manually run the script |
273 | $0: shell if you do have one." | 273 | $0: under such a shell if you do have one." |
274 | fi | 274 | fi |
275 | exit 1 | 275 | exit 1 |
276 | fi | 276 | fi |
@@ -580,9 +580,9 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.63' | 583 | PACKAGE_VERSION='0.9.65' |
584 | PACKAGE_STRING='firejail 0.9.63' | 584 | PACKAGE_STRING='firejail 0.9.65' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
588 | ac_unique_file="src/firejail/main.c" | 588 | ac_unique_file="src/firejail/main.c" |
@@ -624,7 +624,6 @@ ac_includes_default="\ | |||
624 | 624 | ||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | ||
628 | EGREP | 627 | EGREP |
629 | GREP | 628 | GREP |
630 | CPP | 629 | CPP |
@@ -641,10 +640,13 @@ HAVE_USERNS | |||
641 | HAVE_NETWORK | 640 | HAVE_NETWORK |
642 | HAVE_GLOBALCFG | 641 | HAVE_GLOBALCFG |
643 | HAVE_CHROOT | 642 | HAVE_CHROOT |
644 | HAVE_SECCOMP | ||
645 | HAVE_PRIVATE_HOME | 643 | HAVE_PRIVATE_HOME |
646 | HAVE_FIRETUNNEL | 644 | HAVE_FIRETUNNEL |
645 | HAVE_GAWK | ||
646 | HAVE_MAN | ||
647 | HAVE_USERTMPFS | ||
647 | HAVE_OVERLAYFS | 648 | HAVE_OVERLAYFS |
649 | HAVE_DBUSPROXY | ||
648 | EXTRA_LDFLAGS | 650 | EXTRA_LDFLAGS |
649 | EXTRA_CFLAGS | 651 | EXTRA_CFLAGS |
650 | HAVE_APPARMOR | 652 | HAVE_APPARMOR |
@@ -706,11 +708,14 @@ SHELL' | |||
706 | ac_subst_files='' | 708 | ac_subst_files='' |
707 | ac_user_opts=' | 709 | ac_user_opts=' |
708 | enable_option_checking | 710 | enable_option_checking |
711 | enable_analyzer | ||
709 | enable_apparmor | 712 | enable_apparmor |
713 | enable_dbusproxy | ||
710 | enable_overlayfs | 714 | enable_overlayfs |
715 | enable_usertmpfs | ||
716 | enable_man | ||
711 | enable_firetunnel | 717 | enable_firetunnel |
712 | enable_private_home | 718 | enable_private_home |
713 | enable_seccomp | ||
714 | enable_chroot | 719 | enable_chroot |
715 | enable_globalcfg | 720 | enable_globalcfg |
716 | enable_network | 721 | enable_network |
@@ -1289,7 +1294,7 @@ if test "$ac_init_help" = "long"; then | |||
1289 | # Omit some internal or obsolete options to make the list less imposing. | 1294 | # Omit some internal or obsolete options to make the list less imposing. |
1290 | # This message is too long to be a string in the A/UX 3.1 sh. | 1295 | # This message is too long to be a string in the A/UX 3.1 sh. |
1291 | cat <<_ACEOF | 1296 | cat <<_ACEOF |
1292 | \`configure' configures firejail 0.9.63 to adapt to many kinds of systems. | 1297 | \`configure' configures firejail 0.9.65 to adapt to many kinds of systems. |
1293 | 1298 | ||
1294 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1299 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1295 | 1300 | ||
@@ -1351,7 +1356,7 @@ fi | |||
1351 | 1356 | ||
1352 | if test -n "$ac_init_help"; then | 1357 | if test -n "$ac_init_help"; then |
1353 | case $ac_init_help in | 1358 | case $ac_init_help in |
1354 | short | recursive ) echo "Configuration of firejail 0.9.63:";; | 1359 | short | recursive ) echo "Configuration of firejail 0.9.65:";; |
1355 | esac | 1360 | esac |
1356 | cat <<\_ACEOF | 1361 | cat <<\_ACEOF |
1357 | 1362 | ||
@@ -1359,11 +1364,14 @@ Optional Features: | |||
1359 | --disable-option-checking ignore unrecognized --enable/--with options | 1364 | --disable-option-checking ignore unrecognized --enable/--with options |
1360 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | 1365 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
1361 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1366 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1367 | --enable-analyzer enable GCC 10 static analyzer | ||
1362 | --enable-apparmor enable apparmor | 1368 | --enable-apparmor enable apparmor |
1369 | --disable-dbusproxy disable dbus proxy | ||
1363 | --disable-overlayfs disable overlayfs | 1370 | --disable-overlayfs disable overlayfs |
1371 | --disable-usertmpfs disable tmpfs as regular user | ||
1372 | --disable-man disable man pages | ||
1364 | --disable-firetunnel disable firetunnel | 1373 | --disable-firetunnel disable firetunnel |
1365 | --disable-private-home disable private home feature | 1374 | --disable-private-home disable private home feature |
1366 | --disable-seccomp disable seccomp | ||
1367 | --disable-chroot disable chroot | 1375 | --disable-chroot disable chroot |
1368 | --disable-globalcfg if the global config file firejail.cfg is not | 1376 | --disable-globalcfg if the global config file firejail.cfg is not |
1369 | present, continue the program using defaults | 1377 | present, continue the program using defaults |
@@ -1401,7 +1409,7 @@ Some influential environment variables: | |||
1401 | Use these variables to override the choices made by `configure' or to help | 1409 | Use these variables to override the choices made by `configure' or to help |
1402 | it to find libraries and programs with nonstandard names/locations. | 1410 | it to find libraries and programs with nonstandard names/locations. |
1403 | 1411 | ||
1404 | Report bugs to <netblue30@yahoo.com>. | 1412 | Report bugs to <netblue30@protonmail.com>. |
1405 | firejail home page: <https://firejail.wordpress.com>. | 1413 | firejail home page: <https://firejail.wordpress.com>. |
1406 | _ACEOF | 1414 | _ACEOF |
1407 | ac_status=$? | 1415 | ac_status=$? |
@@ -1465,7 +1473,7 @@ fi | |||
1465 | test -n "$ac_init_help" && exit $ac_status | 1473 | test -n "$ac_init_help" && exit $ac_status |
1466 | if $ac_init_version; then | 1474 | if $ac_init_version; then |
1467 | cat <<\_ACEOF | 1475 | cat <<\_ACEOF |
1468 | firejail configure 0.9.63 | 1476 | firejail configure 0.9.65 |
1469 | generated by GNU Autoconf 2.69 | 1477 | generated by GNU Autoconf 2.69 |
1470 | 1478 | ||
1471 | Copyright (C) 2012 Free Software Foundation, Inc. | 1479 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1670,9 +1678,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} | |||
1670 | $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} | 1678 | $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} |
1671 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 | 1679 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 |
1672 | $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} | 1680 | $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} |
1673 | ( $as_echo "## ---------------------------------- ## | 1681 | ( $as_echo "## --------------------------------------- ## |
1674 | ## Report this to netblue30@yahoo.com ## | 1682 | ## Report this to netblue30@protonmail.com ## |
1675 | ## ---------------------------------- ##" | 1683 | ## --------------------------------------- ##" |
1676 | ) | sed "s/^/$as_me: WARNING: /" >&2 | 1684 | ) | sed "s/^/$as_me: WARNING: /" >&2 |
1677 | ;; | 1685 | ;; |
1678 | esac | 1686 | esac |
@@ -1767,7 +1775,7 @@ cat >config.log <<_ACEOF | |||
1767 | This file contains any messages produced by compilers while | 1775 | This file contains any messages produced by compilers while |
1768 | running configure, to aid debugging if configure makes a mistake. | 1776 | running configure, to aid debugging if configure makes a mistake. |
1769 | 1777 | ||
1770 | It was created by firejail $as_me 0.9.63, which was | 1778 | It was created by firejail $as_me 0.9.65, which was |
1771 | generated by GNU Autoconf 2.69. Invocation command line was | 1779 | generated by GNU Autoconf 2.69. Invocation command line was |
1772 | 1780 | ||
1773 | $ $0 $@ | 1781 | $ $0 $@ |
@@ -3270,6 +3278,17 @@ else | |||
3270 | fi | 3278 | fi |
3271 | 3279 | ||
3272 | 3280 | ||
3281 | # Check whether --enable-analyzer was given. | ||
3282 | if test "${enable_analyzer+set}" = set; then : | ||
3283 | enableval=$enable_analyzer; | ||
3284 | fi | ||
3285 | |||
3286 | if test "x$enable_analyzer" = "xyes"; then : | ||
3287 | |||
3288 | EXTRA_CFLAGS+=" -fanalyzer" | ||
3289 | |||
3290 | fi | ||
3291 | |||
3273 | HAVE_APPARMOR="" | 3292 | HAVE_APPARMOR="" |
3274 | # Check whether --enable-apparmor was given. | 3293 | # Check whether --enable-apparmor was given. |
3275 | if test "${enable_apparmor+set}" = set; then : | 3294 | if test "${enable_apparmor+set}" = set; then : |
@@ -3498,6 +3517,19 @@ fi | |||
3498 | 3517 | ||
3499 | 3518 | ||
3500 | 3519 | ||
3520 | HAVE_DBUSPROXY="" | ||
3521 | # Check whether --enable-dbusproxy was given. | ||
3522 | if test "${enable_dbusproxy+set}" = set; then : | ||
3523 | enableval=$enable_dbusproxy; | ||
3524 | fi | ||
3525 | |||
3526 | if test "x$enable_dbusproxy" != "xno"; then : | ||
3527 | |||
3528 | HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" | ||
3529 | |||
3530 | |||
3531 | fi | ||
3532 | |||
3501 | HAVE_OVERLAYFS="" | 3533 | HAVE_OVERLAYFS="" |
3502 | # Check whether --enable-overlayfs was given. | 3534 | # Check whether --enable-overlayfs was given. |
3503 | if test "${enable_overlayfs+set}" = set; then : | 3535 | if test "${enable_overlayfs+set}" = set; then : |
@@ -3511,6 +3543,73 @@ if test "x$enable_overlayfs" != "xno"; then : | |||
3511 | 3543 | ||
3512 | fi | 3544 | fi |
3513 | 3545 | ||
3546 | HAVE_USERTMPS="" | ||
3547 | # Check whether --enable-usertmpfs was given. | ||
3548 | if test "${enable_usertmpfs+set}" = set; then : | ||
3549 | enableval=$enable_usertmpfs; | ||
3550 | fi | ||
3551 | |||
3552 | if test "x$enable_usertmpfs" != "xno"; then : | ||
3553 | |||
3554 | HAVE_USERTMPFS="-DHAVE_USERTMPFS" | ||
3555 | |||
3556 | |||
3557 | fi | ||
3558 | |||
3559 | HAVE_MAN="no" | ||
3560 | # Check whether --enable-man was given. | ||
3561 | if test "${enable_man+set}" = set; then : | ||
3562 | enableval=$enable_man; | ||
3563 | fi | ||
3564 | |||
3565 | if test "x$enable_man" != "xno"; then : | ||
3566 | |||
3567 | HAVE_MAN="-DHAVE_MAN" | ||
3568 | |||
3569 | # Extract the first word of "gawk", so it can be a program name with args. | ||
3570 | set dummy gawk; ac_word=$2 | ||
3571 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | ||
3572 | $as_echo_n "checking for $ac_word... " >&6; } | ||
3573 | if ${ac_cv_prog_HAVE_GAWK+:} false; then : | ||
3574 | $as_echo_n "(cached) " >&6 | ||
3575 | else | ||
3576 | if test -n "$HAVE_GAWK"; then | ||
3577 | ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test. | ||
3578 | else | ||
3579 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | ||
3580 | for as_dir in $PATH | ||
3581 | do | ||
3582 | IFS=$as_save_IFS | ||
3583 | test -z "$as_dir" && as_dir=. | ||
3584 | for ac_exec_ext in '' $ac_executable_extensions; do | ||
3585 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | ||
3586 | ac_cv_prog_HAVE_GAWK="yes" | ||
3587 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | ||
3588 | break 2 | ||
3589 | fi | ||
3590 | done | ||
3591 | done | ||
3592 | IFS=$as_save_IFS | ||
3593 | |||
3594 | test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no" | ||
3595 | fi | ||
3596 | fi | ||
3597 | HAVE_GAWK=$ac_cv_prog_HAVE_GAWK | ||
3598 | if test -n "$HAVE_GAWK"; then | ||
3599 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5 | ||
3600 | $as_echo "$HAVE_GAWK" >&6; } | ||
3601 | else | ||
3602 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
3603 | $as_echo "no" >&6; } | ||
3604 | fi | ||
3605 | |||
3606 | |||
3607 | if test "x$HAVE_GAWK" != "xyes"; then : | ||
3608 | as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5 | ||
3609 | fi | ||
3610 | |||
3611 | fi | ||
3612 | |||
3514 | HAVE_FIRETUNNEL="" | 3613 | HAVE_FIRETUNNEL="" |
3515 | # Check whether --enable-firetunnel was given. | 3614 | # Check whether --enable-firetunnel was given. |
3516 | if test "${enable_firetunnel+set}" = set; then : | 3615 | if test "${enable_firetunnel+set}" = set; then : |
@@ -3537,19 +3636,6 @@ if test "x$enable_private_home" != "xno"; then : | |||
3537 | 3636 | ||
3538 | fi | 3637 | fi |
3539 | 3638 | ||
3540 | HAVE_SECCOMP="" | ||
3541 | # Check whether --enable-seccomp was given. | ||
3542 | if test "${enable_seccomp+set}" = set; then : | ||
3543 | enableval=$enable_seccomp; | ||
3544 | fi | ||
3545 | |||
3546 | if test "x$enable_seccomp" != "xno"; then : | ||
3547 | |||
3548 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
3549 | |||
3550 | |||
3551 | fi | ||
3552 | |||
3553 | HAVE_CHROOT="" | 3639 | HAVE_CHROOT="" |
3554 | # Check whether --enable-chroot was given. | 3640 | # Check whether --enable-chroot was given. |
3555 | if test "${enable_chroot+set}" = set; then : | 3641 | if test "${enable_chroot+set}" = set; then : |
@@ -4173,14 +4259,13 @@ fi | |||
4173 | 4259 | ||
4174 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" | 4260 | ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" |
4175 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : | 4261 | if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : |
4176 | HAVE_SECCOMP_H="-DHAVE_SECCOMP_H" | 4262 | |
4177 | else | 4263 | else |
4178 | HAVE_SECCOMP_H="" | 4264 | as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5 |
4179 | fi | 4265 | fi |
4180 | 4266 | ||
4181 | 4267 | ||
4182 | 4268 | ||
4183 | |||
4184 | # set sysconfdir | 4269 | # set sysconfdir |
4185 | if test "$prefix" = /usr; then | 4270 | if test "$prefix" = /usr; then |
4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" | 4271 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
@@ -4188,7 +4273,7 @@ fi | |||
4188 | 4273 | ||
4189 | ac_config_files="$ac_config_files mkdeb.sh" | 4274 | ac_config_files="$ac_config_files mkdeb.sh" |
4190 | 4275 | ||
4191 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" | 4276 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile" |
4192 | 4277 | ||
4193 | cat >confcache <<\_ACEOF | 4278 | cat >confcache <<\_ACEOF |
4194 | # This file is a shell script that caches the results of configure | 4279 | # This file is a shell script that caches the results of configure |
@@ -4732,7 +4817,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4732 | # report actual input values of CONFIG_FILES etc. instead of their | 4817 | # report actual input values of CONFIG_FILES etc. instead of their |
4733 | # values after options handling. | 4818 | # values after options handling. |
4734 | ac_log=" | 4819 | ac_log=" |
4735 | This file was extended by firejail $as_me 0.9.63, which was | 4820 | This file was extended by firejail $as_me 0.9.65, which was |
4736 | generated by GNU Autoconf 2.69. Invocation command line was | 4821 | generated by GNU Autoconf 2.69. Invocation command line was |
4737 | 4822 | ||
4738 | CONFIG_FILES = $CONFIG_FILES | 4823 | CONFIG_FILES = $CONFIG_FILES |
@@ -4779,14 +4864,14 @@ Usage: $0 [OPTION]... [TAG]... | |||
4779 | Configuration files: | 4864 | Configuration files: |
4780 | $config_files | 4865 | $config_files |
4781 | 4866 | ||
4782 | Report bugs to <netblue30@yahoo.com>. | 4867 | Report bugs to <netblue30@protonmail.com>. |
4783 | firejail home page: <https://firejail.wordpress.com>." | 4868 | firejail home page: <https://firejail.wordpress.com>." |
4784 | 4869 | ||
4785 | _ACEOF | 4870 | _ACEOF |
4786 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4871 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4787 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4872 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4788 | ac_cs_version="\\ | 4873 | ac_cs_version="\\ |
4789 | firejail config.status 0.9.63 | 4874 | firejail config.status 0.9.65 |
4790 | configured by $0, generated by GNU Autoconf 2.69, | 4875 | configured by $0, generated by GNU Autoconf 2.69, |
4791 | with options \\"\$ac_cs_config\\" | 4876 | with options \\"\$ac_cs_config\\" |
4792 | 4877 | ||
@@ -4918,6 +5003,8 @@ do | |||
4918 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 5003 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
4919 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 5004 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
4920 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | 5005 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; |
5006 | "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; | ||
5007 | "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; | ||
4921 | 5008 | ||
4922 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 5009 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4923 | esac | 5010 | esac |
@@ -5382,8 +5469,6 @@ echo | |||
5382 | echo "Configuration options:" | 5469 | echo "Configuration options:" |
5383 | echo " prefix: $prefix" | 5470 | echo " prefix: $prefix" |
5384 | echo " sysconfdir: $sysconfdir" | 5471 | echo " sysconfdir: $sysconfdir" |
5385 | echo " seccomp: $HAVE_SECCOMP" | ||
5386 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | ||
5387 | echo " apparmor: $HAVE_APPARMOR" | 5472 | echo " apparmor: $HAVE_APPARMOR" |
5388 | echo " global config: $HAVE_GLOBALCFG" | 5473 | echo " global config: $HAVE_GLOBALCFG" |
5389 | echo " chroot: $HAVE_CHROOT" | 5474 | echo " chroot: $HAVE_CHROOT" |
@@ -5394,6 +5479,9 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
5394 | echo " private home support: $HAVE_PRIVATE_HOME" | 5479 | echo " private home support: $HAVE_PRIVATE_HOME" |
5395 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 5480 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
5396 | echo " overlayfs support: $HAVE_OVERLAYFS" | 5481 | echo " overlayfs support: $HAVE_OVERLAYFS" |
5482 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | ||
5483 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | ||
5484 | echo " Manpage support: $HAVE_MAN" | ||
5397 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 5485 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
5398 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 5486 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
5399 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 5487 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
diff --git a/configure.ac b/configure.ac index feb0b38a6..e21e4a01f 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -12,7 +12,7 @@ | |||
12 | # | 12 | # |
13 | 13 | ||
14 | AC_PREREQ([2.68]) | 14 | AC_PREREQ([2.68]) |
15 | AC_INIT(firejail, 0.9.63, netblue30@yahoo.com, , https://firejail.wordpress.com) | 15 | AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com) |
16 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 16 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
17 | 17 | ||
18 | AC_CONFIG_MACRO_DIR([m4]) | 18 | AC_CONFIG_MACRO_DIR([m4]) |
@@ -39,6 +39,12 @@ AX_CHECK_COMPILE_FLAG( | |||
39 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"] | 39 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"] |
40 | ) | 40 | ) |
41 | 41 | ||
42 | AC_ARG_ENABLE([analyzer], | ||
43 | AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer])) | ||
44 | AS_IF([test "x$enable_analyzer" = "xyes"], [ | ||
45 | EXTRA_CFLAGS+=" -fanalyzer" | ||
46 | ]) | ||
47 | |||
42 | HAVE_APPARMOR="" | 48 | HAVE_APPARMOR="" |
43 | AC_ARG_ENABLE([apparmor], | 49 | AC_ARG_ENABLE([apparmor], |
44 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) | 50 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) |
@@ -52,6 +58,14 @@ AC_SUBST([EXTRA_CFLAGS]) | |||
52 | AC_SUBST([EXTRA_LDFLAGS]) | 58 | AC_SUBST([EXTRA_LDFLAGS]) |
53 | 59 | ||
54 | 60 | ||
61 | HAVE_DBUSPROXY="" | ||
62 | AC_ARG_ENABLE([dbusproxy], | ||
63 | AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy])) | ||
64 | AS_IF([test "x$enable_dbusproxy" != "xno"], [ | ||
65 | HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" | ||
66 | AC_SUBST(HAVE_DBUSPROXY) | ||
67 | ]) | ||
68 | |||
55 | HAVE_OVERLAYFS="" | 69 | HAVE_OVERLAYFS="" |
56 | AC_ARG_ENABLE([overlayfs], | 70 | AC_ARG_ENABLE([overlayfs], |
57 | AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) | 71 | AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) |
@@ -60,6 +74,24 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [ | |||
60 | AC_SUBST(HAVE_OVERLAYFS) | 74 | AC_SUBST(HAVE_OVERLAYFS) |
61 | ]) | 75 | ]) |
62 | 76 | ||
77 | HAVE_USERTMPS="" | ||
78 | AC_ARG_ENABLE([usertmpfs], | ||
79 | AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user])) | ||
80 | AS_IF([test "x$enable_usertmpfs" != "xno"], [ | ||
81 | HAVE_USERTMPFS="-DHAVE_USERTMPFS" | ||
82 | AC_SUBST(HAVE_USERTMPFS) | ||
83 | ]) | ||
84 | |||
85 | HAVE_MAN="no" | ||
86 | AC_ARG_ENABLE([man], | ||
87 | AS_HELP_STRING([--disable-man], [disable man pages])) | ||
88 | AS_IF([test "x$enable_man" != "xno"], [ | ||
89 | HAVE_MAN="-DHAVE_MAN" | ||
90 | AC_SUBST(HAVE_MAN) | ||
91 | AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no]) | ||
92 | AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("*** gawk not found ***")]) | ||
93 | ]) | ||
94 | |||
63 | HAVE_FIRETUNNEL="" | 95 | HAVE_FIRETUNNEL="" |
64 | AC_ARG_ENABLE([firetunnel], | 96 | AC_ARG_ENABLE([firetunnel], |
65 | AS_HELP_STRING([--disable-firetunnel], [disable firetunnel])) | 97 | AS_HELP_STRING([--disable-firetunnel], [disable firetunnel])) |
@@ -76,14 +108,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [ | |||
76 | AC_SUBST(HAVE_PRIVATE_HOME) | 108 | AC_SUBST(HAVE_PRIVATE_HOME) |
77 | ]) | 109 | ]) |
78 | 110 | ||
79 | HAVE_SECCOMP="" | ||
80 | AC_ARG_ENABLE([seccomp], | ||
81 | AS_HELP_STRING([--disable-seccomp], [disable seccomp])) | ||
82 | AS_IF([test "x$enable_seccomp" != "xno"], [ | ||
83 | HAVE_SECCOMP="-DHAVE_SECCOMP" | ||
84 | AC_SUBST(HAVE_SECCOMP) | ||
85 | ]) | ||
86 | |||
87 | HAVE_CHROOT="" | 111 | HAVE_CHROOT="" |
88 | AC_ARG_ENABLE([chroot], | 112 | AC_ARG_ENABLE([chroot], |
89 | AS_HELP_STRING([--disable-chroot], [disable chroot])) | 113 | AS_HELP_STRING([--disable-chroot], [disable chroot])) |
@@ -196,8 +220,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [ | |||
196 | # checking pthread library | 220 | # checking pthread library |
197 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 221 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
198 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 222 | AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
199 | AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="") | 223 | AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])) |
200 | AC_SUBST(HAVE_SECCOMP_H) | ||
201 | 224 | ||
202 | # set sysconfdir | 225 | # set sysconfdir |
203 | if test "$prefix" = /usr; then | 226 | if test "$prefix" = /usr; then |
@@ -208,14 +231,12 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | |||
208 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 231 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
209 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 232 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
210 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 233 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
211 | src/profstats/Makefile) | 234 | src/profstats/Makefile src/man/Makefile test/Makefile) |
212 | 235 | ||
213 | echo | 236 | echo |
214 | echo "Configuration options:" | 237 | echo "Configuration options:" |
215 | echo " prefix: $prefix" | 238 | echo " prefix: $prefix" |
216 | echo " sysconfdir: $sysconfdir" | 239 | echo " sysconfdir: $sysconfdir" |
217 | echo " seccomp: $HAVE_SECCOMP" | ||
218 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | ||
219 | echo " apparmor: $HAVE_APPARMOR" | 240 | echo " apparmor: $HAVE_APPARMOR" |
220 | echo " global config: $HAVE_GLOBALCFG" | 241 | echo " global config: $HAVE_GLOBALCFG" |
221 | echo " chroot: $HAVE_CHROOT" | 242 | echo " chroot: $HAVE_CHROOT" |
@@ -226,6 +247,9 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
226 | echo " private home support: $HAVE_PRIVATE_HOME" | 247 | echo " private home support: $HAVE_PRIVATE_HOME" |
227 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 248 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
228 | echo " overlayfs support: $HAVE_OVERLAYFS" | 249 | echo " overlayfs support: $HAVE_OVERLAYFS" |
250 | echo " DBUS proxy support: $HAVE_DBUSPROXY" | ||
251 | echo " allow tmpfs as regular user: $HAVE_USERTMPFS" | ||
252 | echo " Manpage support: $HAVE_MAN" | ||
229 | echo " firetunnel support: $HAVE_FIRETUNNEL" | 253 | echo " firetunnel support: $HAVE_FIRETUNNEL" |
230 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 254 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
231 | echo " Spectre compiler patch: $HAVE_SPECTRE" | 255 | echo " Spectre compiler patch: $HAVE_SPECTRE" |
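Review bot: The initializer at new line 77 reads `HAVE_USERTMPS=""` while the variable that is set, substituted and printed is `HAVE_USERTMPFS`, so with `--disable-usertmpfs` that variable is never cleared and inherits whatever the caller's environment holds; it should be `HAVE_USERTMPFS=""`. The same typo is carried into the generated configure at its new line 3546. Separately, `HAVE_MAN` is initialized to `"no"` at new line 85 where every sibling feature flag starts as the empty string, so if it is substituted into compiler flags like the others the literal `no` would reach the command line in the disabled case; `HAVE_MAN=""` keeps the pattern consistent. The double quotes in `AC_MSG_ERROR("*** gawk not found ***")` are passed through literally (the generated configure shows `\"*** gawk not found ***\"`), whereas `AC_MSG_ERROR([*** gawk not found ***])` matches the other error calls in this file.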
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py index 668d68ff2..12b596749 100755 --- a/contrib/fix_private-bin.py +++ b/contrib/fix_private-bin.py | |||
@@ -1,4 +1,4 @@ | |||
1 | #!/usr/bin/python3 | 1 | #!/usr/bin/env python3 |
2 | __author__ = "KOLANICH" | 2 | __author__ = "KOLANICH" |
3 | __copyright__ = """This is free and unencumbered software released into the public domain. | 3 | __copyright__ = """This is free and unencumbered software released into the public domain. |
4 | 4 | ||
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py index 429cb9db4..487df4c83 100755 --- a/contrib/fj-mkdeb.py +++ b/contrib/fj-mkdeb.py | |||
@@ -5,12 +5,16 @@ | |||
5 | 5 | ||
6 | # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 | 6 | # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 |
7 | 7 | ||
8 | import os, re, shlex, subprocess, sys | 8 | import os, shlex, subprocess, sys |
9 | 9 | ||
10 | 10 | ||
11 | def run(srcdir, args): | 11 | def run(srcdir, args): |
12 | if srcdir: os.chdir(srcdir) | 12 | if srcdir: os.chdir(srcdir) |
13 | 13 | ||
14 | if not (os.path.isfile('./mkdeb.sh.in')): | ||
15 | print('Error: Not a firejail source tree? Exiting.') | ||
16 | return 1 | ||
17 | |||
14 | dry_run = False | 18 | dry_run = False |
15 | escaped_args = [] | 19 | escaped_args = [] |
16 | # We need to modify the list as we go. So be sure to copy the list to be iterated! | 20 | # We need to modify the list as we go. So be sure to copy the list to be iterated! |
@@ -25,23 +29,21 @@ def run(srcdir, args): | |||
25 | else: | 29 | else: |
26 | escaped_args.append(shlex.quote(a)) | 30 | escaped_args.append(shlex.quote(a)) |
27 | 31 | ||
28 | # Fix up mkdeb.sh to include custom configure options. | 32 | # Run configure to generate mkdeb.sh. |
33 | first_config = subprocess.call(['./configure', '--prefix=/usr'] + args) | ||
34 | if first_config != 0: | ||
35 | return first_config | ||
36 | |||
37 | # Fix up dynamically-generated mkdeb.sh to include custom configure options. | ||
29 | with open('mkdeb.sh', 'rb') as f: | 38 | with open('mkdeb.sh', 'rb') as f: |
30 | sh = str(f.read(), 'utf_8') | 39 | sh = str(f.read(), 'utf_8') |
31 | rx = re.compile(r'^\./configure\s.*$', re.M) | ||
32 | with open('mkdeb.sh', 'wb') as f: | 40 | with open('mkdeb.sh', 'wb') as f: |
33 | f.write( | 41 | f.write(bytes(sh.replace('./configure $CONFIG_ARGS', |
34 | bytes( | 42 | './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8')) |
35 | rx.sub('./configure --prefix=/usr ' + (' '.join(escaped_args)), | ||
36 | sh), 'utf_8')) | ||
37 | 43 | ||
38 | if dry_run: return 0 | 44 | if dry_run: return 0 |
39 | 45 | ||
40 | # now run configure && make | 46 | return subprocess.call(['make', 'deb']) |
41 | if subprocess.call(['./configure', '--prefix=/usr'] + args) == 0: | ||
42 | subprocess.call(['make', 'deb']) | ||
43 | |||
44 | return 0 | ||
45 | 47 | ||
46 | 48 | ||
47 | if __name__ == '__main__': | 49 | if __name__ == '__main__': |
@@ -71,9 +73,9 @@ usage: | |||
71 | if not (srcdir): | 73 | if not (srcdir): |
72 | # srcdir not manually specified, try to auto-detect | 74 | # srcdir not manually specified, try to auto-detect |
73 | srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..')) | 75 | srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..')) |
74 | if not (os.path.isfile(srcdir + '/mkdeb.sh')): | 76 | if not (os.path.isfile(srcdir + '/mkdeb.sh.in')): |
75 | # Script is probably installed. Check the cwd. | 77 | # Script is probably installed. Check the cwd. |
76 | if os.path.isfile('./mkdeb.sh'): | 78 | if os.path.isfile('./mkdeb.sh.in'): |
77 | srcdir = None | 79 | srcdir = None |
78 | else: | 80 | else: |
79 | print( | 81 | print( |
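Review bot: The `sh.replace('./configure $CONFIG_ARGS', ...)` at new lines 41–42 does nothing when the marker line is absent from the generated mkdeb.sh, so a later edit to mkdeb.sh.in would make `make deb` run without the user's configure options and without any error; guard it first, e.g. `if './configure $CONFIG_ARGS' not in sh:` followed by `print('Error: mkdeb.sh has no "./configure $CONFIG_ARGS" line.')` and `return 1`. As a point of style, reading and rewriting the file in binary with explicit `utf_8` conversion could be replaced by `open('mkdeb.sh', encoding='utf_8')` in both places. The body of `run` begins in the first hunk of this file and the `__main__` block continues past the last hunk.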
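--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -1,166 +1,186 @@
 #!/usr/bin/env python3
 # This file is part of Firejail project
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 """
 Figure out which profile options may be causing a particular program to break
 when run in firejail.
 
 Instead of having to comment out each line in a profile by hand, and then
 enable each line individually until the bad line or lines are found, this
 largely automates the process. Users only have to provide the path to the
 profile, program name, and answer 'y' for yes or 'n' for no when prompted.
 
 After completion, you'll be provided with some information to copy and then
 paste into a GitHub issue in the Firejail project repository:
 https://github.com/netblue30/firejail/issues
 
 Paths to the profile should be absolute. If the program is in your path, then
 you only have to type the profile name. Else, you'll need to provide the
 absolute path to the profile.
 
 Examples:
 python jail_prober.py /etc/firejail/spotify.profile spotify
 python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox
 """
 
 import sys
 import os
 import subprocess
 
 
-def check_params(profilePath):
+def check_params(profile_path):
 """
 Ensure the path to the profile is valid and that an actual profile has been
 passed (as opposed to a config or .local file).
 
-:params profilePath: The absolute path to the problematic profile.
-"""
-if not os.path.isfile(profilePath):
-raise FileNotFoundError(
-'The path %s is not a valid system path.' % profilePath)
-if not profilePath.endswith('.profile'):
-raise ValueError('%s is not a valid Firejail profile.' % profilePath)
-
-
-def get_args(profilePath):
-"""
-Read the profile, stripping out comments and newlines
-
-:params profilePath: The absolute path to the problematic profile.
+Args:
+profile_path: The absolute path to the problematic profile
+
+Raises:
+FileNotFoundError: If the provided path isn't real
+
+ValueError: If the provided path is real but doesn't point to
+a Firejail profile
+"""
+if not os.path.isfile(profile_path):
+raise FileNotFoundError('The path %s is not a valid system path.' %
+profile_path)
+if not profile_path.endswith('.profile'):
+raise ValueError('%s is not a valid Firejail profile.' % profile_path)
 
-:returns profile: A list containing all active profile arguments
-"""
-with open(profilePath, 'r') as f:
-profile = f.readlines()
-profile = [
-arg.strip() for arg in profile
-if not arg.startswith('#') and arg.strip() != ''
-]
-
-return profile
-
-
-def arg_converter(argList, style):
-"""
-Convert between firejail command-line arguments (--example=something) and
-profile arguments (example something)
-
-:params argList: A list of firejail arguments
-
-:params style: Whether to convert arguments to command-line form or profile
-form
-"""
-if style == 'to_profile':
-oldSep = '='
-newSep = ' '
-prefix = ''
-elif style == 'to_commandline':
-oldSep = ' '
-newSep = '='
-prefix = '--'
-newArgs = [prefix + word.replace(oldSep, newSep) for word in argList]
-# Additional strip of '--' if converting to profile form
+
+def get_args(profile_path):
+"""
+Read the profile, stripping out comments and newlines
+
+Args:
+profile_path: The absolute path to the problematic profile.
+
+Returns:
+A list containing all active profile arguments
+"""
+with open(profile_path, 'r') as f:
+profile = f.readlines()
+profile = [
+arg.strip() for arg in profile
+if not arg.startswith('#') and arg.strip() != ''
+]
+
+return profile
+
+
+def arg_converter(arg_list, style):
+"""
+Convert between firejail command-line arguments (--example=something) and
+profile arguments (example something)
+
+Args:
+arg_list: A list of firejail arguments
+
+style: String, one of {'to_profile', 'to_commandline'}. Whether to
+convert arguments to command-line form or profile form
+"""
 if style == 'to_profile':
-newArgs = [word[2:] for word in newArgs]
-
-# Remove invalid '--include' args if converting to command-line form
+old_sep = '='
+new_sep = ' '
+prefix = ''
 elif style == 'to_commandline':
-newArgs = [word for word in newArgs if 'include' not in word]
-
-return newArgs
-
-
-def run_firejail(program, allArgs):
-"""
-Attempt to run the program in firejail, incrementally adding to the number
-of firejail arguments. Initial run has no additional params besides
-noprofile.
-
-:params program: The program name. If it doesn't exist in the user's path
-then the full path should be provided.
+old_sep = ' '
+new_sep = '='
+prefix = '--'
+new_args = [prefix + word.replace(old_sep, new_sep) for word in arg_list]
+# Additional strip of '--' if converting to profile form
+if style == 'to_profile':
+new_args = [word[2:] for word in new_args]
+
+# Remove invalid '--include' args if converting to command-line form
+elif style == 'to_commandline':
+new_args = [word for word in new_args if 'include' not in word]
+
+return new_args
 
-:params allArgs: A list of all Firejail arguments to try, in command-line
-format.
-
-:returns goodArgs: A list of arguments that the user has reported to not
-affect the program
-
-:returns badArgs: A list of arguments that the user has reported to break
-the program when sandboxing with Firejail
-"""
-goodArgs = ['firejail', '--noprofile', program]
-badArgs = []
-print('Attempting to run %s in Firejail' % program)
-for arg in allArgs:
-print('Running with', arg)
-subprocess.call(goodArgs)
-ans = input('Did %s run correctly? [y]/n ' % program)
-if ans in ['n', 'N']:
-badArgs.append(arg)
-else:
-goodArgs.insert(-1, arg)
-print('\n')
-# Don't include 'firejail', '--noprofile', or program name in arguments
-goodArgs = goodArgs[2:-1]
-
-return goodArgs, badArgs
-
-
-def main():
-profilePath = sys.argv[1]
-program = sys.argv[2]
-# Quick error check and extract arguments
-check_params(profilePath)
-profile = get_args(profilePath)
-allArgs = arg_converter(profile, 'to_commandline')
-# Find out which profile options break the program when running in firejail
-goodArgs, badArgs = run_firejail(program, allArgs)
-
-goodArgs = arg_converter(goodArgs, 'to_profile')
-badArgs = arg_converter(badArgs, 'to_profile')
-
-print('\n###########################')
-print('Debugging completed.')
-print(
-'Please copy the following and report it to the Firejail development',
-'team on GitHub at %s \n\n' %
-'https://github.com/netblue30/firejail/issues')
+
+def run_firejail(program, all_args):
+"""
+Attempt to run the program in firejail, incrementally adding to the number
+of firejail arguments. Initial run has no additional params besides
+noprofile.
+
+Args:
+program: String, the program name. If it doesn't exist in $PATH then
+the full path to the program should be provided
+
+all_args: List, all Firejail arguments to try, in command-line format
+(i.e. prefixed by '--')
+
+Returns:
+good_args: List, all Firejail arguments that the user has reported to
+not adversely affect the program
+
+bad_args: List, all Firejail arguments that the user has reported to
+break the program
+"""
+good_args = ['firejail', '--noprofile', program]
+bad_args = []
+all_args.insert(0, "")
+print('Attempting to run %s in Firejail' % program)
+for arg in all_args:
+if arg:
+print('Running with', arg)
+else:
+print('Running without profile')
+#We are adding the argument in a copy of the actual list to avoid modify it now.
+myargs = good_args.copy()
+if arg:
+myargs.insert(-1, arg)
+subprocess.call(myargs)
+ans = input('Did %s run correctly? [y]/n ' % program)
+if ans in ['n', 'N']:
+bad_args.append(arg)
+elif arg:
+good_args.insert(-1, arg)
+print('\n')
+# Don't include 'firejail', '--noprofile', or program name in arguments
+good_args = good_args[2:-1]
+
+return good_args, bad_args
+
 
-subprocess.call(['firejail', '--version'])
-
-print('These profile options break the program.')
-print('```')
-for item in badArgs:
-print(item)
-print('```\n\n\n')
-
-print('This is a minimal working profile:')
-print('```')
-for item in goodArgs:
-print(item)
-print('```')
-
-
-if __name__ == '__main__':
-main()
+def main():
+profile_path = sys.argv[1]
+program = sys.argv[2]
+# Quick error check and extract arguments
+check_params(profile_path)
+profile = get_args(profile_path)
+all_args = arg_converter(profile, 'to_commandline')
+# Find out which profile options break the program when running in firejail
+good_args, bad_args = run_firejail(program, all_args)
+
+good_args = arg_converter(good_args, 'to_profile')
+bad_args = arg_converter(bad_args, 'to_profile')
+
+print('\n###########################')
+print('Debugging completed.')
+print(
+'Please copy the following and report it to the Firejail development',
+'team on GitHub at %s \n\n' %
+'https://github.com/netblue30/firejail/issues')
+
+subprocess.call(['firejail', '--version'])
+
+print('These profile options break the program.')
+print('```')
+for item in bad_args:
+print(item)
+print('```\n\n\n')
+
+print('This is a minimal working profile:')
+print('```')
+for item in good_args:
+print(item)
+print('```')
+
+
+if __name__ == '__main__':
+main()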
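Review bot: If the user answers 'n' to the new baseline run (the empty-string entry inserted at new line 126), `bad_args.append(arg)` at new line 140 records "" as a broken option and the probe keeps going, so the final report prints an empty entry under 'These profile options break the program' although no profile option was involved. A baseline failure means the later answers cannot isolate anything, so I would stop there, e.g. `if ans in ['n', 'N'] and not arg: sys.exit('%s does not run even with --noprofile; fix that first' % program)` placed before the existing branch. Separately, `all_args.insert(0, "")` mutates the list that main() passed in, a side effect the docstring does not mention; `all_args = [""] + all_args` avoids it. The comment at new line 133 would also read better as `# Work on a copy; good_args only grows once the user confirms the option is harmless.`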
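--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 
 
 def sort_protocol(protocols):
-"""sort the given protocole into this scheme: unix,inet,inet6,netlink,packet"""
+"""sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
 # shortcut for common protocol lines
 if protocols in ("unix", "unix,inet,inet6"):
 return protocols
@@ -45,6 +45,7 @@ def sort_protocol(protocols):
 "inet6": False,
 "netlink": False,
 "packet": False,
+"bluetooth": False,
 }
 for protocol in protocols.split(","):
 if protocol == "unix":
@@ -57,6 +58,8 @@ def sort_protocol(protocols):
 present_protocols["netlink"] = True
 elif protocol == "packet":
 present_protocols["packet"] = True
+elif protocol == "bluetooth":
+present_protocols["bluetooth"] = True
 if present_protocols["unix"]:
 fixed_protocols += "unix,"
 if present_protocols["inet"]:
@@ -67,6 +70,8 @@ def sort_protocol(protocols):
 fixed_protocols += "netlink,"
 if present_protocols["packet"]:
 fixed_protocols += "packet,"
+if present_protocols["bluetooth"]:
+fixed_protocols += "bluetooth,"
 return fixed_protocols[:-1]
 
 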
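Review bot: sort_protocol still knows the protocol names only through three parallel structures (the present_protocols dict, the if/elif chain that sets it, and the chain that appends to fixed_protocols), which is why adding bluetooth needed three separate edits, and a token the chain does not recognise (a typo such as 'inet5') is silently dropped from the rewritten line rather than reported. If silently discarding was never intended, a single ordered tuple lets the function sort and validate in one place and keeps the docstring list from drifting; the body of sort_protocol continues outside the hunks, so the sketch below replaces only the dict, the loop and the output chain.
```python
PROTOCOL_ORDER = ("unix", "inet", "inet6", "netlink", "packet", "bluetooth")

def sort_protocol(protocols):
    # … unchanged: docstring and shortcut for common protocol lines …
    present = set(protocols.split(","))
    unknown = present.difference(PROTOCOL_ORDER)
    if unknown:
        raise ValueError("unknown protocol(s): %s" % ",".join(sorted(unknown)))
    return ",".join(name for name in PROTOCOL_ORDER if name in present)
```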
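--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -2,6 +2,10 @@
 # Generic Firejail AppArmor profile
 #########################################
 
+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
+# and <abstractions/dbus-session-strict>.
+#include <tunables/global>
+
 ##########
 # A simple PID declaration based on Ubuntu's @{pid}
 # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
@@ -108,7 +112,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
-# needed for wireshark
+# needed for wireshark, tcpdump etc
+network bluetooth,
 network packet,
 
 ##########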
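Review bot: `network bluetooth,` (new line 116) is inserted between the comment `# needed for wireshark, tcpdump etc` and `network packet,`, the rule that comment actually describes, so the comment now reads as the justification for bluetooth. Either move `network bluetooth,` above the comment or give it its own, e.g. `# needed for bluetooth stacks (bluez etc.)`, adjusted to whichever profiles motivated it. Since this is the generic profile applied to every sandbox, the bluetooth address family becomes reachable for all of them at the AppArmor layer; per-profile `protocol` lines remain the place to narrow it, and a one-line comment saying so would make the widening reviewable. With `#include <tunables/global>` now pulled in at new line 7, the file's own @{pid} declaration further down, which the existing comment says mirrors the one Ubuntu ships via tunables/global, may become a redefinition on distributions that define it there; worth confirming apparmor_parser still accepts the profile on such a system.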
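--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -6,5 +6,7 @@ noblacklist ${PATH}/lua*
 noblacklist /usr/include
 noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
+noblacklist /usr/lib64/liblua*
+noblacklist /usr/lib64/lua
 noblacklist /usr/share/lua
 noblacklist /usr/share/lua*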
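--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -8,4 +8,5 @@ noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl
 noblacklist /usr/lib/perl*
+noblacklist /usr/lib64/perl*
 noblacklist /usr/share/perl*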
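--- /dev/null
+++ b/etc/inc/chromium-common-hardened.inc
@@ -0,0 +1,5 @@
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot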
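Review bot: The new include carries no `include chromium-common-hardened.local` line, whereas the existing includes do (the disable-exec.inc hunk in this same commit shows `include disable-exec.local` as its leading context), so a user cannot relax or extend this hardening locally without editing the shipped file; adding `include chromium-common-hardened.local` as the first line keeps it consistent with the others. The file also says nothing about when it is meant to be used; judging by its name it is intended to be pulled in by chromium-based profiles in place of their own `caps.drop`/`nonewprivs`/`noroot`/`protocol`/`seccomp` lines, and a short header comment stating that, and why `seccomp !chroot` is the chosen filter, would save the next maintainer from guessing.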
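--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,7 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
+blacklist ${HOME}/.cache/konsole
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
@@ -76,6 +77,7 @@ blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-locale-settings.sh
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
 blacklist ${HOME}/.config/plasmashellrc
 blacklist ${HOME}/.config/plasmavaultrc
@@ -106,6 +108,7 @@ blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
+blacklist /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -144,6 +147,8 @@ blacklist ${RUNUSER}/kdesud_*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
+# contains recently used files and serials of static/removable storage
+blacklist ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
 blacklist ${RUNUSER}/gnome-session-leader-fifo
@@ -263,9 +268,11 @@ read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.forward
+read-only ${HOME}/.kshrc
 read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.login
 read-only ${HOME}/.logout
+read-only ${HOME}/.mkshrc
 read-only ${HOME}/.oh-my-zsh
 read-only ${HOME}/.pam_environment
 read-only ${HOME}/.pgpkey
@@ -273,6 +280,7 @@ read-only ${HOME}/.plan
 read-only ${HOME}/.profile
 read-only ${HOME}/.project
 read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zlogout
 read-only ${HOME}/.zprofile
@@ -472,22 +480,19 @@ blacklist /.snapshots
 # flatpak
 blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak/app
-blacklist ${HOME}/.local/share/flatpak/appstream
-blacklist ${HOME}/.local/share/flatpak/db
+noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/oci
-blacklist ${HOME}/.local/share/flatpak/overrides
-blacklist ${HOME}/.local/share/flatpak/repo
-blacklist ${HOME}/.local/share/flatpak/runtime
+blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
 blacklist ${RUNUSER}/app
 blacklist ${RUNUSER}/doc
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
-blacklist /var/lib/flatpak
+noblacklist /var/lib/flatpak/exports
+blacklist /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 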
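Review bot: `blacklist ${HOME}/.local/share/flatpak/*` and `blacklist /var/lib/flatpak/*` (new lines 485 and 495) switch from naming each subdirectory to a wildcard, and shell-style `*` does not match entries whose name begins with a dot, so if firejail's pattern matching follows glob(3) semantics any dot-prefixed marker files flatpak keeps in those directories remain visible, as they did before. The result is only correct because `noblacklist .../exports` is ordered before the wildcard on both sides; that ordering is easy to break in a later edit, so a comment such as `# keep exports visible (noblacklist must precede the wildcard); everything else, including new subdirectories, is hidden` next to each pair would record the intent. For `/var/lib/flatpak` the previous rule hid the directory itself, whereas the new one leaves the directory and the `exports` tree reachable, which is presumably the point of the change but worth stating in the commit message or comment.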
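--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -49,6 +49,7 @@ blacklist ${PATH}/openssl-1.0
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
+blacklist ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc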
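--- a/etc/inc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
@@ -4,6 +4,7 @@ include disable-exec.local
 
 noexec ${HOME}
 noexec ${RUNUSER}
+noexec /dev/mqueue
 noexec /dev/shm
 noexec /tmp
 # /var is noexec by default for unprivileged users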
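--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -15,6 +15,8 @@ blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
 blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
+blacklist /usr/lib64/liblua*
+blacklist /usr/lib64/lua
 blacklist /usr/share/lua*
 
 # mozjs
@@ -34,6 +36,7 @@ blacklist ${PATH}/perl
 blacklist ${PATH}/site_perl
 blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
+blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
 
 # PHP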
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e5dd9cb59..976f988b2 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -37,6 +37,7 @@ blacklist ${HOME}/.VirtualBox | |||
37 | blacklist ${HOME}/.WebStorm* | 37 | blacklist ${HOME}/.WebStorm* |
38 | blacklist ${HOME}/.Wolfram Research | 38 | blacklist ${HOME}/.Wolfram Research |
39 | blacklist ${HOME}/.ZAP | 39 | blacklist ${HOME}/.ZAP |
40 | blacklist ${HOME}/.abook | ||
40 | blacklist ${HOME}/.aMule | 41 | blacklist ${HOME}/.aMule |
41 | blacklist ${HOME}/.android | 42 | blacklist ${HOME}/.android |
42 | blacklist ${HOME}/.anydesk | 43 | blacklist ${HOME}/.anydesk |
@@ -49,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title | |||
49 | blacklist ${HOME}/.atom | 50 | blacklist ${HOME}/.atom |
50 | blacklist ${HOME}/.attic | 51 | blacklist ${HOME}/.attic |
51 | blacklist ${HOME}/.audacity-data | 52 | blacklist ${HOME}/.audacity-data |
53 | blacklist ${HOME}/.balsa | ||
52 | blacklist ${HOME}/.bcast5 | 54 | blacklist ${HOME}/.bcast5 |
53 | blacklist ${HOME}/.bibletime | 55 | blacklist ${HOME}/.bibletime |
54 | blacklist ${HOME}/.bitcoin | 56 | blacklist ${HOME}/.bitcoin |
@@ -83,6 +85,7 @@ blacklist ${HOME}/.config/Debauchee/Barrier.conf | |||
83 | blacklist ${HOME}/.config/Dharkael | 85 | blacklist ${HOME}/.config/Dharkael |
84 | blacklist ${HOME}/.config/Element | 86 | blacklist ${HOME}/.config/Element |
85 | blacklist ${HOME}/.config/Element (Riot) | 87 | blacklist ${HOME}/.config/Element (Riot) |
88 | blacklist ${HOME}/.config/ENCOM | ||
86 | blacklist ${HOME}/.config/Enox | 89 | blacklist ${HOME}/.config/Enox |
87 | blacklist ${HOME}/.config/Ferdi | 90 | blacklist ${HOME}/.config/Ferdi |
88 | blacklist ${HOME}/.config/Flavio Tordini | 91 | blacklist ${HOME}/.config/Flavio Tordini |
@@ -122,6 +125,7 @@ blacklist ${HOME}/.config/QMediathekView | |||
122 | blacklist ${HOME}/.config/Qlipper | 125 | blacklist ${HOME}/.config/Qlipper |
123 | blacklist ${HOME}/.config/QuiteRss | 126 | blacklist ${HOME}/.config/QuiteRss |
124 | blacklist ${HOME}/.config/QuiteRssrc | 127 | blacklist ${HOME}/.config/QuiteRssrc |
128 | blacklist ${HOME}/.config/Quotient | ||
125 | blacklist ${HOME}/.config/Rambox | 129 | blacklist ${HOME}/.config/Rambox |
126 | blacklist ${HOME}/.config/Riot | 130 | blacklist ${HOME}/.config/Riot |
127 | blacklist ${HOME}/.config/Rocket.Chat | 131 | blacklist ${HOME}/.config/Rocket.Chat |
@@ -131,11 +135,14 @@ blacklist ${HOME}/.config/Slack | |||
131 | blacklist ${HOME}/.config/Standard Notes | 135 | blacklist ${HOME}/.config/Standard Notes |
132 | blacklist ${HOME}/.config/SubDownloader | 136 | blacklist ${HOME}/.config/SubDownloader |
133 | blacklist ${HOME}/.config/Thunar | 137 | blacklist ${HOME}/.config/Thunar |
138 | blacklist ${HOME}/.config/Twitch | ||
134 | blacklist ${HOME}/.config/Unknown Organization | 139 | blacklist ${HOME}/.config/Unknown Organization |
135 | blacklist ${HOME}/.config/VirtualBox | 140 | blacklist ${HOME}/.config/VirtualBox |
136 | blacklist ${HOME}/.config/Wire | 141 | blacklist ${HOME}/.config/Wire |
142 | blacklist ${HOME}/.config/Youtube | ||
137 | blacklist ${HOME}/.config/Zeal | 143 | blacklist ${HOME}/.config/Zeal |
138 | blacklist ${HOME}/.config/ZeGrapher Project | 144 | blacklist ${HOME}/.config/ZeGrapher Project |
145 | blacklist ${HOME}/.config/aacs | ||
139 | blacklist ${HOME}/.config/abiword | 146 | blacklist ${HOME}/.config/abiword |
140 | blacklist ${HOME}/.config/agenda | 147 | blacklist ${HOME}/.config/agenda |
141 | blacklist ${HOME}/.config/akonadi* | 148 | blacklist ${HOME}/.config/akonadi* |
@@ -203,10 +210,13 @@ blacklist ${HOME}/.config/emailidentities | |||
203 | blacklist ${HOME}/.config/enchant | 210 | blacklist ${HOME}/.config/enchant |
204 | blacklist ${HOME}/.config/eog | 211 | blacklist ${HOME}/.config/eog |
205 | blacklist ${HOME}/.config/epiphany | 212 | blacklist ${HOME}/.config/epiphany |
213 | blacklist ${HOME}/.config/equalx | ||
206 | blacklist ${HOME}/.config/evince | 214 | blacklist ${HOME}/.config/evince |
207 | blacklist ${HOME}/.config/evolution | 215 | blacklist ${HOME}/.config/evolution |
208 | blacklist ${HOME}/.config/falkon | 216 | blacklist ${HOME}/.config/falkon |
209 | blacklist ${HOME}/.config/filezilla | 217 | blacklist ${HOME}/.config/filezilla |
218 | blacklist ${HOME}/.config/flameshot | ||
219 | blacklist ${HOME}/.config/flaska.net | ||
210 | blacklist ${HOME}/.config/flowblade | 220 | blacklist ${HOME}/.config/flowblade |
211 | blacklist ${HOME}/.config/font-manager | 221 | blacklist ${HOME}/.config/font-manager |
212 | blacklist ${HOME}/.config/freecol | 222 | blacklist ${HOME}/.config/freecol |
@@ -214,6 +224,7 @@ blacklist ${HOME}/.config/gajim | |||
214 | blacklist ${HOME}/.config/galculator | 224 | blacklist ${HOME}/.config/galculator |
215 | blacklist ${HOME}/.config/gconf | 225 | blacklist ${HOME}/.config/gconf |
216 | blacklist ${HOME}/.config/geany | 226 | blacklist ${HOME}/.config/geany |
227 | blacklist ${HOME}/.config/geary | ||
217 | blacklist ${HOME}/.config/gedit | 228 | blacklist ${HOME}/.config/gedit |
218 | blacklist ${HOME}/.config/geeqie | 229 | blacklist ${HOME}/.config/geeqie |
219 | blacklist ${HOME}/.config/ghb | 230 | blacklist ${HOME}/.config/ghb |
@@ -258,6 +269,7 @@ blacklist ${HOME}/.config/katerc | |||
258 | blacklist ${HOME}/.config/kateschemarc | 269 | blacklist ${HOME}/.config/kateschemarc |
259 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 270 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
260 | blacklist ${HOME}/.config/katevirc | 271 | blacklist ${HOME}/.config/katevirc |
272 | blacklist ${HOME}/.config/kazam | ||
261 | blacklist ${HOME}/.config/kdeconnect | 273 | blacklist ${HOME}/.config/kdeconnect |
262 | blacklist ${HOME}/.config/kdenliverc | 274 | blacklist ${HOME}/.config/kdenliverc |
263 | blacklist ${HOME}/.config/kfindrc | 275 | blacklist ${HOME}/.config/kfindrc |
@@ -274,13 +286,16 @@ blacklist ${HOME}/.config/konversation.notifyrc | |||
274 | blacklist ${HOME}/.config/kritarc | 286 | blacklist ${HOME}/.config/kritarc |
275 | blacklist ${HOME}/.config/ktorrentrc | 287 | blacklist ${HOME}/.config/ktorrentrc |
276 | blacklist ${HOME}/.config/ktouch2rc | 288 | blacklist ${HOME}/.config/ktouch2rc |
289 | blacklist ${HOME}/.config/kube | ||
277 | blacklist ${HOME}/.config/kwriterc | 290 | blacklist ${HOME}/.config/kwriterc |
278 | blacklist ${HOME}/.config/leafpad | 291 | blacklist ${HOME}/.config/leafpad |
279 | blacklist ${HOME}/.config/libreoffice | 292 | blacklist ${HOME}/.config/libreoffice |
280 | blacklist ${HOME}/.config/liferea | 293 | blacklist ${HOME}/.config/liferea |
294 | blacklist ${HOME}/.config/linphone | ||
281 | blacklist ${HOME}/.config/lugaru | 295 | blacklist ${HOME}/.config/lugaru |
282 | blacklist ${HOME}/.config/lximage-qt | 296 | blacklist ${HOME}/.config/lximage-qt |
283 | blacklist ${HOME}/.config/mailtransports | 297 | blacklist ${HOME}/.config/mailtransports |
298 | blacklist ${HOME}/.local/share/man | ||
284 | blacklist ${HOME}/.config/mana | 299 | blacklist ${HOME}/.config/mana |
285 | blacklist ${HOME}/.config/mate-calc | 300 | blacklist ${HOME}/.config/mate-calc |
286 | blacklist ${HOME}/.config/mate/eom | 301 | blacklist ${HOME}/.config/mate/eom |
@@ -291,6 +306,7 @@ blacklist ${HOME}/.config/menulibre.cfg | |||
291 | blacklist ${HOME}/.config/mfusion | 306 | blacklist ${HOME}/.config/mfusion |
292 | blacklist ${HOME}/.config/Microsoft | 307 | blacklist ${HOME}/.config/Microsoft |
293 | blacklist ${HOME}/.config/midori | 308 | blacklist ${HOME}/.config/midori |
309 | blacklist ${HOME}/.config/mirage | ||
294 | blacklist ${HOME}/.config/mono | 310 | blacklist ${HOME}/.config/mono |
295 | blacklist ${HOME}/.config/mpDris2 | 311 | blacklist ${HOME}/.config/mpDris2 |
296 | blacklist ${HOME}/.config/mpd | 312 | blacklist ${HOME}/.config/mpd |
@@ -312,6 +328,7 @@ blacklist ${HOME}/.config/nuclear | |||
312 | blacklist ${HOME}/.config/obs-studio | 328 | blacklist ${HOME}/.config/obs-studio |
313 | blacklist ${HOME}/.config/okularpartrc | 329 | blacklist ${HOME}/.config/okularpartrc |
314 | blacklist ${HOME}/.config/okularrc | 330 | blacklist ${HOME}/.config/okularrc |
331 | blacklist ${HOME}/.config/onboard | ||
315 | blacklist ${HOME}/.config/onionshare | 332 | blacklist ${HOME}/.config/onionshare |
316 | blacklist ${HOME}/.config/onlyoffice | 333 | blacklist ${HOME}/.config/onlyoffice |
317 | blacklist ${HOME}/.config/opera | 334 | blacklist ${HOME}/.config/opera |
@@ -331,6 +348,7 @@ blacklist ${HOME}/.config/pluma | |||
331 | blacklist ${HOME}/.config/ppsspp | 348 | blacklist ${HOME}/.config/ppsspp |
332 | blacklist ${HOME}/.config/pragha | 349 | blacklist ${HOME}/.config/pragha |
333 | blacklist ${HOME}/.config/profanity | 350 | blacklist ${HOME}/.config/profanity |
351 | blacklist ${HOME}/.config/psi | ||
334 | blacklist ${HOME}/.config/psi+ | 352 | blacklist ${HOME}/.config/psi+ |
335 | blacklist ${HOME}/.config/qBittorrent | 353 | blacklist ${HOME}/.config/qBittorrent |
336 | blacklist ${HOME}/.config/qBittorrentrc | 354 | blacklist ${HOME}/.config/qBittorrentrc |
@@ -346,17 +364,21 @@ blacklist ${HOME}/.config/rtv | |||
346 | blacklist ${HOME}/.config/scribus | 364 | blacklist ${HOME}/.config/scribus |
347 | blacklist ${HOME}/.config/scribusrc | 365 | blacklist ${HOME}/.config/scribusrc |
348 | blacklist ${HOME}/.config/sinew.in | 366 | blacklist ${HOME}/.config/sinew.in |
367 | blacklist ${HOME}/.config/sink | ||
349 | blacklist ${HOME}/.config/skypeforlinux | 368 | blacklist ${HOME}/.config/skypeforlinux |
350 | blacklist ${HOME}/.config/slimjet | 369 | blacklist ${HOME}/.config/slimjet |
351 | blacklist ${HOME}/.config/smplayer | 370 | blacklist ${HOME}/.config/smplayer |
352 | blacklist ${HOME}/.config/smtube | 371 | blacklist ${HOME}/.config/smtube |
372 | blacklist ${HOME}/.config/smuxi | ||
353 | blacklist ${HOME}/.config/snox | 373 | blacklist ${HOME}/.config/snox |
354 | blacklist ${HOME}/.config/sound-juicer | 374 | blacklist ${HOME}/.config/sound-juicer |
355 | blacklist ${HOME}/.config/specialmailcollectionsrc | 375 | blacklist ${HOME}/.config/specialmailcollectionsrc |
376 | blacklist ${HOME}/.config/spectaclerc | ||
356 | blacklist ${HOME}/.config/spotify | 377 | blacklist ${HOME}/.config/spotify |
357 | blacklist ${HOME}/.config/sqlitebrowser | 378 | blacklist ${HOME}/.config/sqlitebrowser |
358 | blacklist ${HOME}/.config/stellarium | 379 | blacklist ${HOME}/.config/stellarium |
359 | blacklist ${HOME}/.config/strawberry | 380 | blacklist ${HOME}/.config/strawberry |
381 | blacklist ${HOME}/.config/straw-viewer | ||
360 | blacklist ${HOME}/.config/supertuxkart | 382 | blacklist ${HOME}/.config/supertuxkart |
361 | blacklist ${HOME}/.config/synfig | 383 | blacklist ${HOME}/.config/synfig |
362 | blacklist ${HOME}/.config/teams | 384 | blacklist ${HOME}/.config/teams |
@@ -370,6 +392,7 @@ blacklist ${HOME}/.config/transmission | |||
370 | blacklist ${HOME}/.config/truecraft | 392 | blacklist ${HOME}/.config/truecraft |
371 | blacklist ${HOME}/.config/tvbrowser | 393 | blacklist ${HOME}/.config/tvbrowser |
372 | blacklist ${HOME}/.config/uGet | 394 | blacklist ${HOME}/.config/uGet |
395 | blacklist ${HOME}/.config/ungoogled-chromium | ||
373 | blacklist ${HOME}/.config/uzbl | 396 | blacklist ${HOME}/.config/uzbl |
374 | blacklist ${HOME}/.config/viewnior | 397 | blacklist ${HOME}/.config/viewnior |
375 | blacklist ${HOME}/.config/vivaldi | 398 | blacklist ${HOME}/.config/vivaldi |
@@ -396,6 +419,8 @@ blacklist ${HOME}/.config/yandex-browser | |||
396 | blacklist ${HOME}/.config/yandex-browser-beta | 419 | blacklist ${HOME}/.config/yandex-browser-beta |
397 | blacklist ${HOME}/.config/yelp | 420 | blacklist ${HOME}/.config/yelp |
398 | blacklist ${HOME}/.config/youtube-dl | 421 | blacklist ${HOME}/.config/youtube-dl |
422 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 | ||
423 | blacklist ${HOME}/.config/youtube-music-desktop-app | ||
399 | blacklist ${HOME}/.config/youtube-viewer | 424 | blacklist ${HOME}/.config/youtube-viewer |
400 | blacklist ${HOME}/.config/zathura | 425 | blacklist ${HOME}/.config/zathura |
401 | blacklist ${HOME}/.config/zoomus.conf | 426 | blacklist ${HOME}/.config/zoomus.conf |
@@ -418,6 +443,7 @@ blacklist ${HOME}/.electrum* | |||
418 | blacklist ${HOME}/.elinks | 443 | blacklist ${HOME}/.elinks |
419 | blacklist ${HOME}/.emacs | 444 | blacklist ${HOME}/.emacs |
420 | blacklist ${HOME}/.emacs.d | 445 | blacklist ${HOME}/.emacs.d |
446 | blacklist ${HOME}/.equalx | ||
421 | blacklist ${HOME}/.ethereum | 447 | blacklist ${HOME}/.ethereum |
422 | blacklist ${HOME}/.etr | 448 | blacklist ${HOME}/.etr |
423 | blacklist ${HOME}/.filezilla | 449 | blacklist ${HOME}/.filezilla |
@@ -541,6 +567,7 @@ blacklist ${HOME}/.local/share/Kingsoft | |||
541 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 567 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
542 | blacklist ${HOME}/.local/share/Mumble | 568 | blacklist ${HOME}/.local/share/Mumble |
543 | blacklist ${HOME}/.local/share/PBE | 569 | blacklist ${HOME}/.local/share/PBE |
570 | blacklist ${HOME}/.local/share/Psi | ||
544 | blacklist ${HOME}/.local/share/QGIS | 571 | blacklist ${HOME}/.local/share/QGIS |
545 | blacklist ${HOME}/.local/share/QMediathekView | 572 | blacklist ${HOME}/.local/share/QMediathekView |
546 | blacklist ${HOME}/.local/share/QuiteRss | 573 | blacklist ${HOME}/.local/share/QuiteRss |
@@ -626,9 +653,11 @@ blacklist ${HOME}/.local/share/krita | |||
626 | blacklist ${HOME}/.local/share/ktorrent | 653 | blacklist ${HOME}/.local/share/ktorrent |
627 | blacklist ${HOME}/.local/share/ktorrentrc | 654 | blacklist ${HOME}/.local/share/ktorrentrc |
628 | blacklist ${HOME}/.local/share/ktouch | 655 | blacklist ${HOME}/.local/share/ktouch |
656 | blacklist ${HOME}/.local/share/kube | ||
629 | blacklist ${HOME}/.local/share/kwrite | 657 | blacklist ${HOME}/.local/share/kwrite |
630 | blacklist ${HOME}/.local/share/kxmlgui5/* | 658 | blacklist ${HOME}/.local/share/kxmlgui5/* |
631 | blacklist ${HOME}/.local/share/liferea | 659 | blacklist ${HOME}/.local/share/liferea |
660 | blacklist ${HOME}/.local/share/linphone | ||
632 | blacklist ${HOME}/.local/share/local-mail | 661 | blacklist ${HOME}/.local/share/local-mail |
633 | blacklist ${HOME}/.local/share/lollypop | 662 | blacklist ${HOME}/.local/share/lollypop |
634 | blacklist ${HOME}/.local/share/love | 663 | blacklist ${HOME}/.local/share/love |
@@ -637,6 +666,7 @@ blacklist ${HOME}/.local/share/mana | |||
637 | blacklist ${HOME}/.local/share/maps-places.json | 666 | blacklist ${HOME}/.local/share/maps-places.json |
638 | blacklist ${HOME}/.local/share/meld | 667 | blacklist ${HOME}/.local/share/meld |
639 | blacklist ${HOME}/.local/share/midori | 668 | blacklist ${HOME}/.local/share/midori |
669 | blacklist ${HOME}/.local/share/mirage | ||
640 | blacklist ${HOME}/.local/share/multimc | 670 | blacklist ${HOME}/.local/share/multimc |
641 | blacklist ${HOME}/.local/share/multimc5 | 671 | blacklist ${HOME}/.local/share/multimc5 |
642 | blacklist ${HOME}/.local/share/mupen64plus | 672 | blacklist ${HOME}/.local/share/mupen64plus |
@@ -657,6 +687,7 @@ blacklist ${HOME}/.local/share/Paradox Interactive | |||
657 | blacklist ${HOME}/.local/share/pix | 687 | blacklist ${HOME}/.local/share/pix |
658 | blacklist ${HOME}/.local/share/plasma_notes | 688 | blacklist ${HOME}/.local/share/plasma_notes |
659 | blacklist ${HOME}/.local/share/profanity | 689 | blacklist ${HOME}/.local/share/profanity |
690 | blacklist ${HOME}/.local/share/psi | ||
660 | blacklist ${HOME}/.local/share/psi+ | 691 | blacklist ${HOME}/.local/share/psi+ |
661 | blacklist ${HOME}/.local/share/quadrapassel | 692 | blacklist ${HOME}/.local/share/quadrapassel |
662 | blacklist ${HOME}/.local/share/qpdfview | 693 | blacklist ${HOME}/.local/share/qpdfview |
@@ -666,6 +697,8 @@ blacklist ${HOME}/.local/share/rhythmbox | |||
666 | blacklist ${HOME}/.local/share/rtv | 697 | blacklist ${HOME}/.local/share/rtv |
667 | blacklist ${HOME}/.local/share/scribus | 698 | blacklist ${HOME}/.local/share/scribus |
668 | blacklist ${HOME}/.local/share/signal-cli | 699 | blacklist ${HOME}/.local/share/signal-cli |
700 | blacklist ${HOME}/.local/share/sink | ||
701 | blacklist ${HOME}/.local/share/smuxi | ||
669 | blacklist ${HOME}/.local/share/spotify | 702 | blacklist ${HOME}/.local/share/spotify |
670 | blacklist ${HOME}/.local/share/steam | 703 | blacklist ${HOME}/.local/share/steam |
671 | blacklist ${HOME}/.local/share/strawberry | 704 | blacklist ${HOME}/.local/share/strawberry |
@@ -798,6 +831,7 @@ blacklist ${HOME}/.xmind | |||
798 | blacklist ${HOME}/.xmms | 831 | blacklist ${HOME}/.xmms |
799 | blacklist ${HOME}/.xmr-stak | 832 | blacklist ${HOME}/.xmr-stak |
800 | blacklist ${HOME}/.xonotic | 833 | blacklist ${HOME}/.xonotic |
834 | blacklist ${HOME}/.xournalpp | ||
801 | blacklist ${HOME}/.xpdfrc | 835 | blacklist ${HOME}/.xpdfrc |
802 | blacklist ${HOME}/.zoom | 836 | blacklist ${HOME}/.zoom |
803 | blacklist /tmp/akonadi-* | 837 | blacklist /tmp/akonadi-* |
@@ -815,6 +849,7 @@ blacklist ${HOME}/.cache/8pecxstudios | |||
815 | blacklist ${HOME}/.cache/Authenticator | 849 | blacklist ${HOME}/.cache/Authenticator |
816 | blacklist ${HOME}/.cache/BraveSoftware | 850 | blacklist ${HOME}/.cache/BraveSoftware |
817 | blacklist ${HOME}/.cache/Clementine | 851 | blacklist ${HOME}/.cache/Clementine |
852 | blacklist ${HOME}/.cache/ENCOM/Spectral | ||
818 | blacklist ${HOME}/.cache/Enox | 853 | blacklist ${HOME}/.cache/Enox |
819 | blacklist ${HOME}/.cache/Enpass | 854 | blacklist ${HOME}/.cache/Enpass |
820 | blacklist ${HOME}/.cache/Ferdi | 855 | blacklist ${HOME}/.cache/Ferdi |
@@ -824,7 +859,9 @@ blacklist ${HOME}/.cache/INRIA | |||
824 | blacklist ${HOME}/.cache/MusicBrainz | 859 | blacklist ${HOME}/.cache/MusicBrainz |
825 | blacklist ${HOME}/.cache/NewsFlashGTK | 860 | blacklist ${HOME}/.cache/NewsFlashGTK |
826 | blacklist ${HOME}/.cache/Otter | 861 | blacklist ${HOME}/.cache/Otter |
862 | blacklist ${HOME}/.cache/Psi | ||
827 | blacklist ${HOME}/.cache/QuiteRss | 863 | blacklist ${HOME}/.cache/QuiteRss |
864 | blacklist ${HOME}/.cache/Quotient/quaternion | ||
828 | blacklist ${HOME}/.cache/Shortwave | 865 | blacklist ${HOME}/.cache/Shortwave |
829 | blacklist ${HOME}/.cache/Tox | 866 | blacklist ${HOME}/.cache/Tox |
830 | blacklist ${HOME}/.cache/Zeal | 867 | blacklist ${HOME}/.cache/Zeal |
@@ -852,10 +889,13 @@ blacklist ${HOME}/.cache/epiphany | |||
852 | blacklist ${HOME}/.cache/evolution | 889 | blacklist ${HOME}/.cache/evolution |
853 | blacklist ${HOME}/.cache/falkon | 890 | blacklist ${HOME}/.cache/falkon |
854 | blacklist ${HOME}/.cache/feedreader | 891 | blacklist ${HOME}/.cache/feedreader |
892 | blacklist ${HOME}/.cache/flaska.net/trojita | ||
855 | blacklist ${HOME}/.cache/font-manager | 893 | blacklist ${HOME}/.cache/font-manager |
856 | blacklist ${HOME}/.cache/fossamail | 894 | blacklist ${HOME}/.cache/fossamail |
895 | blacklist ${HOME}/.cache/fractal | ||
857 | blacklist ${HOME}/.cache/freecol | 896 | blacklist ${HOME}/.cache/freecol |
858 | blacklist ${HOME}/.cache/gajim | 897 | blacklist ${HOME}/.cache/gajim |
898 | blacklist ${HOME}/.cache/geary | ||
859 | blacklist ${HOME}/.cache/gegl-0.4 | 899 | blacklist ${HOME}/.cache/gegl-0.4 |
860 | blacklist ${HOME}/.cache/geeqie | 900 | blacklist ${HOME}/.cache/geeqie |
861 | blacklist ${HOME}/.cache/gfeeds | 901 | blacklist ${HOME}/.cache/gfeeds |
@@ -889,12 +929,14 @@ blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | |||
889 | blacklist ${HOME}/.cache/kscreenlocker_greet | 929 | blacklist ${HOME}/.cache/kscreenlocker_greet |
890 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | 930 | blacklist ${HOME}/.cache/ksmserver-logout-greeter |
891 | blacklist ${HOME}/.cache/ksplashqml | 931 | blacklist ${HOME}/.cache/ksplashqml |
932 | blacklist ${HOME}/.cache/kube | ||
892 | blacklist ${HOME}/.cache/kwin | 933 | blacklist ${HOME}/.cache/kwin |
893 | blacklist ${HOME}/.cache/libgweather | 934 | blacklist ${HOME}/.cache/libgweather |
894 | blacklist ${HOME}/.cache/liferea | 935 | blacklist ${HOME}/.cache/liferea |
895 | blacklist ${HOME}/.cache/Mendeley Ltd. | 936 | blacklist ${HOME}/.cache/Mendeley Ltd. |
896 | blacklist ${HOME}/.cache/midori | 937 | blacklist ${HOME}/.cache/midori |
897 | blacklist ${HOME}/.cache/minetest | 938 | blacklist ${HOME}/.cache/minetest |
939 | blacklist ${HOME}/.cache/mirage | ||
898 | blacklist ${HOME}/.cache/moonchild productions/basilisk | 940 | blacklist ${HOME}/.cache/moonchild productions/basilisk |
899 | blacklist ${HOME}/.cache/moonchild productions/pale moon | 941 | blacklist ${HOME}/.cache/moonchild productions/pale moon |
900 | blacklist ${HOME}/.cache/mozilla | 942 | blacklist ${HOME}/.cache/mozilla |
@@ -920,21 +962,25 @@ blacklist ${HOME}/.cache/peek | |||
920 | blacklist ${HOME}/.cache/pip | 962 | blacklist ${HOME}/.cache/pip |
921 | blacklist ${HOME}/.cache/plasmashell | 963 | blacklist ${HOME}/.cache/plasmashell |
922 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* | 964 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* |
965 | blacklist ${HOME}/.cache/psi | ||
923 | blacklist ${HOME}/.cache/qBittorrent | 966 | blacklist ${HOME}/.cache/qBittorrent |
924 | blacklist ${HOME}/.cache/qupzilla | 967 | blacklist ${HOME}/.cache/qupzilla |
925 | blacklist ${HOME}/.cache/qutebrowser | 968 | blacklist ${HOME}/.cache/qutebrowser |
926 | blacklist ${HOME}/.cache/rhythmbox | 969 | blacklist ${HOME}/.cache/rhythmbox |
927 | blacklist ${HOME}/.cache/simple-scan | 970 | blacklist ${HOME}/.cache/simple-scan |
928 | blacklist ${HOME}/.cache/slimjet | 971 | blacklist ${HOME}/.cache/slimjet |
972 | blacklist ${HOME}/.cache/smuxi | ||
929 | blacklist ${HOME}/.cache/snox | 973 | blacklist ${HOME}/.cache/snox |
930 | blacklist ${HOME}/.cache/spotify | 974 | blacklist ${HOME}/.cache/spotify |
931 | blacklist ${HOME}/.cache/strawberry | 975 | blacklist ${HOME}/.cache/strawberry |
976 | blacklist ${HOME}/.cache/straw-viewer | ||
932 | blacklist ${HOME}/.cache/supertuxkart | 977 | blacklist ${HOME}/.cache/supertuxkart |
933 | blacklist ${HOME}/.cache/systemsettings | 978 | blacklist ${HOME}/.cache/systemsettings |
934 | blacklist ${HOME}/.cache/telepathy | 979 | blacklist ${HOME}/.cache/telepathy |
935 | blacklist ${HOME}/.cache/thunderbird | 980 | blacklist ${HOME}/.cache/thunderbird |
936 | blacklist ${HOME}/.cache/torbrowser | 981 | blacklist ${HOME}/.cache/torbrowser |
937 | blacklist ${HOME}/.cache/transmission | 982 | blacklist ${HOME}/.cache/transmission |
983 | blacklist ${HOME}/.cache/ungoogled-chromium | ||
938 | blacklist ${HOME}/.cache/vivaldi | 984 | blacklist ${HOME}/.cache/vivaldi |
939 | blacklist ${HOME}/.cache/vivaldi-snapshot | 985 | blacklist ${HOME}/.cache/vivaldi-snapshot |
940 | blacklist ${HOME}/.cache/vlc | 986 | blacklist ${HOME}/.cache/vlc |
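--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -7,6 +7,7 @@ blacklist ${PATH}/csh
 blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
+blacklist ${PATH}/mksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh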
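--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media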
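Review bot: The new include says where customizations go but not what it is for; the four `read-only` lines leave mount points visible but unmodifiable, which is a different effect from `disable-mnt` hiding them, and the two are easy to confuse. Suggest a one-line purpose comment after line 3, e.g. `# Mounted and removable media stay visible but become read-only; use disable-mnt to hide them entirely`. Keep the comment limited to these four paths rather than promising coverage of every mount location.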
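--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -69,3 +71,20 @@ include allow-python3.inc
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
 #private-etc adobe
+
+# ff2mpv
+#ignore noexec ${HOME}
+#noblacklist ${HOME}/.config/mpv
+#noblacklist ${HOME}/.config/youtube-dl
+#noblacklist ${HOME}/.netrc
+#include allow-lua.inc
+#include allow-python3.inc
+#mkdir ${HOME}/.config/mpv
+#mkdir ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.config/mpv
+#whitelist ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.netrc
+#whitelist /usr/share/lua
+#whitelist /usr/share/lua*
+#whitelist /usr/share/vulkan
+#private-bin env,mpv,python3*,waf,youtube-dl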
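Review bot: The `ignore include whitelist-runuser-common.inc` added at new line 5 carries no comment saying why the runuser whitelist is switched off for every profile that pulls in this include, whereas the equivalent lines added to bnox.profile and brave.profile in this commit are annotated with a reason and a link. A comment in the same form above it, `# Disable for now, see <issue or PR reference>`, would tell a maintainer when it can be dropped again. The ff2mpv block at the end is entirely commented out, so it changes nothing until a user copies it; a short note that these lines belong in firefox-common-addons.local rather than being uncommented here would match the header's own advice.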
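--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -4,6 +4,7 @@ include whitelist-common.local
 # common whitelist for all profiles
 
 whitelist ${HOME}/.XCompose
+whitelist ${HOME}/.alsaequal.bin
 whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
@@ -60,11 +61,13 @@ whitelist ${HOME}/.themes
 whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/QtProject.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qtcurve
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc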
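--- /dev/null
+++ b/etc/inc/whitelist-players.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-players.local
+
+# common whitelist for all media players
+
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}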
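Review bot: The header at new line 1, `# Local customizations come here`, uses different wording from the header of disable-write-mnt.inc added in the same commit (`# This file is overwritten during software install.` / `# Persistent customizations should go in a .local file.`) and omits the warning that the file is replaced on install. Using the same two-line form here keeps the .inc headers uniform and tells users where their own whitelists belong. It is also worth stating in the `# common whitelist for all media players` comment that the include exposes `${DESKTOP}` and `${DOWNLOADS}` as well as the media directories, so a profile adopting it gets those even if it previously whitelisted only `${MUSIC}` or `${VIDEOS}`; for celluloid.profile in this commit the five entries are exactly the ones removed, so nothing changes there.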
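--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,3 +10,4 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/xauth_*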
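Review bot: `whitelist ${RUNUSER}/xauth_*` at new line 13 is a glob in a common include, and nothing records which component creates these files, so a reader cannot judge whether the pattern is wider than needed or when it can be retired. A short comment such as `# xauth_* - X authority file some X session launchers place in ${XDG_RUNTIME_DIR} (confirm which)` would document the intent. Like the ICEauthority and Xwayland entries above it, this makes a display-server credential reachable from every sandbox that includes the file, which is expected for X clients but worth saying explicitly.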
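--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -16,6 +16,7 @@ whitelist /usr/share/enchant-2
 whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/fonts-config
 whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0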
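--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 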
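--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+read-write ${HOME}/.local/share/mime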
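Review bot: `read-write ${HOME}/.local/share/mime` at new line 54 has no comment saying which write access it restores or which earlier directive it overrides; the whitelist or noblacklist lines for that directory, if any, are outside this hunk. Presumably the MIME-type editor needs to update the user's MIME database there, and a one-line comment such as `# assogiate writes the user MIME database` would record that for the next maintainer.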
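--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini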
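Review bot: The profile exposes the whole GnuPG home and the agent socket (new lines 10, 26, 29 and 32) while `private-bin balsa,balsa-ab` on line 63 ships no gpg or pinentry binary, so the keyring is readable inside the sandbox but, per the comment on line 61, OpenPGP cannot be used until the user extends private-bin themselves. Either add the gpg binaries listed in that comment to private-bin now, or keep the four gnupg lines commented out next to it (e.g. `#whitelist ${HOME}/.gnupg` with a one-line note) so the secret keys are only reachable once they are usable. The commented `# disable-mnt` on line 60 also gives no reason for being left off; a short remark, presumably about attachments kept on removable media, would help. If this firejail version does not add `nsswitch.conf` to private-etc on its own, the list on line 66 may break host lookups for the mail servers; worth confirming.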
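--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 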
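--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 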
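--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
 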
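--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,6 +8,12 @@ include globals.local
 
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware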
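Review bot: `ignore noexec ${HOME}` at new line 12 lifts the noexec mount for the entire home directory, and the comment above it, `# TOR is installed in ${HOME}`, does not say where, so the widening cannot be reviewed or later narrowed. The comment should record the actual location, e.g. `# Brave downloads its Tor client into the profile directory under ${HOME} and needs to execute it (confirm exact path)`; the project's spelling elsewhere is "Tor". Together with line 10 this profile now has no noexec left on /tmp or ${HOME}, which is worth stating in one place so a reader does not assume the chromium-common hardening still applies.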
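--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -14,6 +14,9 @@ noblacklist ${HOME}/.config/youtube-dl
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,12 +31,8 @@ mkdir ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -47,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 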
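--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile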
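Review bot: The three new redirect profiles in this commit disagree on the include preamble: chromium-browser-privacy.profile includes its `.local` but not `globals.local`, chromium-freeworld.profile includes neither, and cola.profile includes both. The element-desktop hunk in the same commit shows `#include globals.local` commented out, which suggests redirect profiles intentionally leave it to the target profile; whichever convention is intended, the three new files should follow it and state it, e.g. `# globals.local is included by chromium.profile`. The commented `# private-bin basename,bash,...` line also carries no hint of why it is disabled; a short reason (or removing the line) would stop it from being re-enabled blindly.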
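--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none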
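Review bot: The new `# include disable-passwdmgr.inc` (new line 19) is added already commented out with no reason, while the other disabled directives in this file (`#private-tmp`, `# dbus-user none`) each say what breaks; add a one-line reason in the same style, e.g. `# disable-passwdmgr.inc - <what breaks>` with the actual cause filled in. The `#include chromium-common-hardened.inc` comment says when to enable it but not what it changes; presumably it tightens the `caps.keep sys_admin,sys_chroot` line that follows, and saying so in the comment would tell users what they gain — hedged, since the include itself is not visible in this diff.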
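--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,5 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile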
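--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,5 +18,10 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
+# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+
 # Redirect
 include email-common.profile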
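--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -12,22 +12,29 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 # blacklisting of ioprio_set system calls breaks clementine
 seccomp !ioprio_set
 
 private-dev
 private-tmp
+
+dbus-system none
+# dbus-user none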
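Review bot: `# dbus-user none` (new line 40) is left commented without saying why, whereas the same pattern elsewhere in this commit (electron-mail's `# breaks tray functionality`) gives the reason; add e.g. `# dbus-user none - <what breaks>` or enable it if nothing does, since an unexplained disabled hardening line tends to stay disabled forever. The three whitelist includes at new lines 21–23 are in reverse order (`var`, `usr-share`, `runuser`) while the other profiles touched here list them `runuser`, `usr-share`, `var`; reordering keeps the profiles diffable against each other.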
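--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file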
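Review bot: The final `include git-cola.profile` line has no trailing newline (the diff flags it), which is inconsistent with every other profile in this commit and trips some line-oriented tooling; add the newline. The description line is missing a space after the comma: `# Description: Linux native frontend for Git, alternative call for git-cola`.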
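--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}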
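Review bot: `netfilter` (new line 34) sits directly under `#net none`, which the comment disables because it breaks abstract sockets; as far as I recall firejail only installs the netfilter rules when the sandbox has its own network namespace, so without any `net` option the line is likely a no-op here and should either be dropped or annotated, e.g. `# netfilter only takes effect together with net none / net <iface>`, once confirmed. `private-lib libpcre2-8.so.0` (new line 55) pins a distribution-specific soname; a comment recording the distribution it was verified on would help anyone whose glib links a different pcre build diagnose a start-up failure.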
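--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 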
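--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc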
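--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 #private-bin dia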
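Review bot: The `#mkdir ${HOME}/.dia` … `#include whitelist-common.inc` block (new lines 23–26) is added already commented out with no note on why the home whitelist stays disabled, so the profile now carries dead configuration that the next maintainer cannot judge; either add a reason, e.g. `# home whitelist disabled: <what breaks>`, or drop the lines. With `whitelist /usr/share/dia` and the two include lines active but `whitelist-common.inc` not, the home directory presumably remains visible subject only to the `disable-*.inc` blacklists — if that is intentional it deserves a sentence, since a reader may assume the commented lines were simply forgotten.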
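--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
 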
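--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/electron-mail
 
-whitelist ${DOWNLOADS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,8 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -45,12 +45,12 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
 # breaks tray functionality
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 # memory-deny-write-execute - breaks on Arch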
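--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -8,12 +8,9 @@ include element-desktop.local
 #include globals.local
 
 noblacklist ${HOME}/.config/Element
-noblacklist ${HOME}/.config/Element (Riot)
 
 mkdir ${HOME}/.config/Element
-mkdir ${HOME}/.config/Element (Riot)
 whitelist ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element (Riot)
 whitelist /opt/Element
 
 private-opt Element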
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 67af04267..df47f478d 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -58,8 +58,10 @@ private-cache | |||
58 | private-dev | 58 | private-dev |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
61 | dbus-user none | ||
62 | dbus-system none | ||
63 | |||
61 | # encrypting and signing email | 64 | # encrypting and signing email |
62 | read-only ${HOME}/.config/mimeapps.list | ||
63 | writable-run-user | 65 | writable-run-user |
64 | 66 | ||
65 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: | 67 | # If you want to read local mail stored in /var/mail, add the following to email-common.local: |
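Review bot: Dropping `read-only ${HOME}/.config/mimeapps.list` removes the one rule that stopped a sandboxed mail client from rewriting the user's default-application associations, a well-known way for a malicious attachment to persist or to redirect which handler opens links; nothing in the hunk replaces it. If it was removed only because it sat under the unrelated `# encrypting and signing email` heading, keep the line and give it its own comment, e.g. `# keep the client from changing default handlers` followed by `read-only ${HOME}/.config/mimeapps.list`. The new `dbus-user none` / `dbus-system none` pair is fine, and the claws-mail hunk in this commit already documents the `ignore dbus-user none` override for its notification plugin.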
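--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
 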
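--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -26,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -37,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 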
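--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,9 +15,12 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
-dbus-user filter
-dbus-user.own org.gnome.eog
-dbus-user.talk ca.desrt.dconf
+
+# broken on Debian 10 (buster) running LXDE got the folowing error:
+# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
+#dbus-user filter
+#dbus-user.own org.gnome.eog
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # Redirect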
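Review bot: Commenting out `dbus-user filter` and its two rules (new lines 21–23) hands eog's session-bus policy to whatever the redirect target below sets, so every user loses the filter to work around a failure seen on one Debian 10/LXDE setup; the narrower fix is to keep the filter active here and document the workaround for affected systems in the comment, e.g. `# on Debian 10 (buster) with LXDE the filter fails with ServiceUnknown; put 'ignore dbus-user filter' in your eog.local`, assuming `ignore` reverts it cleanly there. The comment text also needs a small fix: `# broken on Debian 10 (buster) running LXDE; got the following error:`.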
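--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
+# Firejail profile for equalx
+# Description: A graphical editor for writing LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include equalx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/equalx
+noblacklist ${HOME}/.equalx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/equalx
+mkdir ${HOME}/.equalx
+whitelist ${HOME}/.config/equalx
+whitelist ${HOME}/.equalx
+whitelist /usr/share/poppler
+whitelist /usr/share/ghostscript
+whitelist /usr/share/texlive
+whitelist /usr/share/equalx
+whitelist /var/lib/texmf
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin equalx,gs,pdflatex,pdftocairo
+private-cache
+private-dev
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute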
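Review bot: `private-bin equalx,gs,pdflatex,pdftocairo` (new line 54) together with `include disable-shell.inc` and `shell none` is what keeps a LaTeX shell-escape (`\write18`) in an opened document from finding a shell to run; that is worth a comment so nobody adds `sh` or `bash` back the first time a distro wrapper script needs it, e.g. `# no shell in private-bin on purpose: denies \write18 shell-escape a shell`. `net none` and `memory-deny-write-execute` are good fits for an equation editor and need no change.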
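--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 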
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..1355c4337 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile | |||
@@ -6,15 +6,16 @@ include evolution.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist /var/mail | ||
10 | noblacklist /var/spool/mail | ||
11 | noblacklist ${HOME}/.bogofilter | 9 | noblacklist ${HOME}/.bogofilter |
10 | noblacklist ${HOME}/.gnupg | ||
11 | noblacklist ${HOME}/.mozilla | ||
12 | noblacklist ${HOME}/.pki | ||
12 | noblacklist ${HOME}/.cache/evolution | 13 | noblacklist ${HOME}/.cache/evolution |
13 | noblacklist ${HOME}/.config/evolution | 14 | noblacklist ${HOME}/.config/evolution |
14 | noblacklist ${HOME}/.gnupg | ||
15 | noblacklist ${HOME}/.local/share/evolution | 15 | noblacklist ${HOME}/.local/share/evolution |
16 | noblacklist ${HOME}/.pki | ||
17 | noblacklist ${HOME}/.local/share/pki | 16 | noblacklist ${HOME}/.local/share/pki |
17 | noblacklist /var/mail | ||
18 | noblacklist /var/spool/mail | ||
18 | 19 | ||
19 | include disable-common.inc | 20 | include disable-common.inc |
20 | include disable-devel.inc | 21 | include disable-devel.inc |
@@ -22,13 +23,42 @@ include disable-exec.inc | |||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-shell.inc | ||
27 | include disable-xdg.inc | ||
25 | 28 | ||
29 | mkdir ${HOME}/.bogofilter | ||
30 | mkdir ${HOME}/.gnupg | ||
31 | mkdir ${HOME}/.pki | ||
32 | mkdir ${HOME}/.cache/evolution | ||
33 | mkdir ${HOME}/.config/evolution | ||
34 | mkdir ${HOME}/.local/share/evolution | ||
35 | mkdir ${HOME}/.local/share/pki | ||
36 | whitelist ${HOME}/.bogofilter | ||
37 | whitelist ${HOME}/.gnupg | ||
38 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | ||
39 | whitelist ${HOME}/.pki | ||
40 | whitelist ${HOME}/.cache/evolution | ||
41 | whitelist ${HOME}/.config/evolution | ||
42 | whitelist ${HOME}/.local/share/evolution | ||
43 | whitelist ${HOME}/.local/share/pki | ||
44 | whitelist ${DOCUMENTS} | ||
45 | whitelist ${DOWNLOADS} | ||
46 | whitelist ${RUNUSER}/gnupg | ||
47 | whitelist /usr/share/evolution | ||
48 | whitelist /usr/share/gnupg | ||
49 | whitelist /usr/share/gnupg2 | ||
50 | whitelist /var/mail | ||
51 | whitelist /var/spool/mail | ||
52 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | 53 | include whitelist-runuser-common.inc |
54 | include whitelist-usr-share-common.inc | ||
55 | include whitelist-var-common.inc | ||
27 | 56 | ||
57 | apparmor | ||
28 | caps.drop all | 58 | caps.drop all |
29 | netfilter | 59 | netfilter |
30 | # no3d breaks under wayland | 60 | # no3d breaks under wayland |
31 | #no3d | 61 | # no3d |
32 | nodvd | 62 | nodvd |
33 | nogroups | 63 | nogroups |
34 | nonewprivs | 64 | nonewprivs |
@@ -40,7 +70,27 @@ novideo | |||
40 | protocol unix,inet,inet6 | 70 | protocol unix,inet,inet6 |
41 | seccomp | 71 | seccomp |
42 | shell none | 72 | shell none |
73 | tracelog | ||
43 | 74 | ||
75 | # disable-mnt | ||
76 | # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | ||
77 | # To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support | ||
78 | # private-bin evolution | ||
79 | private-cache | ||
44 | private-dev | 80 | private-dev |
81 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | ||
45 | private-tmp | 82 | private-tmp |
83 | writable-run-user | ||
46 | writable-var | 84 | writable-var |
85 | |||
86 | dbus-user filter | ||
87 | dbus-user.own org.gnome.Evolution | ||
88 | dbus-user.talk ca.desrt.dconf | ||
89 | # Uncomment to have keyring access | ||
90 | # dbus-user.talk org.freedesktop.secrets | ||
91 | dbus-user.talk org.gnome.keyring.SystemPrompter | ||
92 | dbus-user.talk org.gnome.OnlineAccounts | ||
93 | dbus-user.talk org.freedesktop.Notifications | ||
94 | dbus-system none | ||
95 | |||
96 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
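Review bot: The `# Uncomment to have keyring access` comment (new line 89) sits above `# dbus-user.talk org.freedesktop.secrets`, but the next active line, `dbus-user.talk org.gnome.keyring.SystemPrompter`, is also keyring-related, so it reads as if SystemPrompter were part of the opt-in; move the comment and the secrets line after SystemPrompter or reword it to `# Uncomment to let evolution read the GNOME Keyring secrets store`. `whitelist ${HOME}/.gnupg` and `whitelist ${RUNUSER}/gnupg` (new lines 37 and 46) expose the full secret keyring writable to the mail client; that is required for signing and decrypting, but a one-line comment next to the gpg `private-bin` note would make the exposure visibly deliberate rather than accidental. The `noblacklist ${HOME}/.mozilla` at new line 11 is broader than the single `profiles.ini` that is whitelisted and made read-only; if the wider noblacklist is needed for the whitelist to take effect, say so in a comment.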
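--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -29,20 +29,20 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# noroot
+noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 #seccomp
 #shell none
 
 disable-mnt
 private
 private-bin bash,fdns,sh
-# private-cache
-private-dev
+private-cache
+#private-dev
 private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp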
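Review bot: `private-dev` is turned off at new line 45 with no reason, and it joins `#seccomp`, `#shell none` and `# private-lib`, which are equally unexplained; for a network-facing daemon each dropped hardening option should record what fails so it can be revisited, e.g. `# private-dev - <what fails without it>` with the actual failure filled in. Enabling `noroot` and adding `netlink` to `protocol` look fine, but the latter also deserves a short note on which call needs it, since `netlink` widens the socket families the seccomp/protocol filter lets through.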
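--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
 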
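--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 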
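--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc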
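Review bot: `noblacklist ${HOME}/.ssh` (new line 11) exposes the whole directory, private keys included, to a client that only needs to read a key file for SFTP authentication; whether that is acceptable depends on whether filezilla still works with `read-only ${HOME}/.ssh` alongside it, which would at least stop a compromised client from rewriting `authorized_keys` or the keys themselves — worth testing, and either way documenting with `# needed for SFTP key authentication` above the line. The rest of the profile is outside this hunk, so I cannot see whether a matching whitelist or read-only rule for `.ssh` already exists further down.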
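--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor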
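--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
@@ -33,6 +33,12 @@ dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or put in your firefox.local to allow to inhibit screensavers
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Uncomment or put in your firefox.local for plasma browser integration
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
 
 # Redirect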
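--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${PICTURES}
 noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
 whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -53,4 +58,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
 dbus-system none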
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile index b841bce75..310fb378f 100644 --- a/etc/profile-a-l/flashpeak-slimjet.profile +++ b/etc/profile-a-l/flashpeak-slimjet.profile | |||
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | ||
9 | ignore whitelist /usr/share/chromium | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | |||
8 | noblacklist ${HOME}/.cache/slimjet | 13 | noblacklist ${HOME}/.cache/slimjet |
9 | noblacklist ${HOME}/.config/slimjet | 14 | noblacklist ${HOME}/.config/slimjet |
10 | 15 | ||
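Review bot: The comment on the added `ignore` lines says only "Disable for now" plus a link; it should state what the `/usr/share` and `${RUNUSER}` whitelists broke, so that these lines can be dropped once that is fixed, because `ignore include whitelist-runuser-common.inc` and `ignore include whitelist-usr-share-common.inc` widen what the sandbox sees under `${RUNUSER}` and `/usr/share` compared with what the (presumably included) common chromium profile sets. Something like `# Whitelisting /usr/share and ${RUNUSER} breaks <describe failure>; remove these ignores once fixed, see <link>` would carry that. The same hunk is repeated verbatim in google-chrome-beta.profile, google-chrome-unstable.profile, google-chrome.profile, inox.profile and iridium.profile; one comment in the shared profile or `.inc` would keep the six copies from drifting apart. Whether each of these profiles actually includes those whitelist files is outside the hunk.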
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile new file mode 100644 index 000000000..ab907eb0d --- /dev/null +++ b/etc/profile-a-l/fractal.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for fractal | ||
2 | # Description: Desktop client for Matrix | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include fractal.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/fractal | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-shell.inc | ||
18 | include disable-xdg.inc | ||
19 | |||
20 | mkdir ${HOME}/.cache/fractal | ||
21 | whitelist ${HOME}/.cache/fractal | ||
22 | whitelist ${DOWNLOADS} | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | |||
28 | apparmor | ||
29 | caps.drop all | ||
30 | netfilter | ||
31 | nodvd | ||
32 | nogroups | ||
33 | nonewprivs | ||
34 | noroot | ||
35 | notv | ||
36 | nou2f | ||
37 | protocol unix,inet,inet6 | ||
38 | seccomp | ||
39 | shell none | ||
40 | tracelog | ||
41 | |||
42 | disable-mnt | ||
43 | private-bin fractal | ||
44 | private-cache | ||
45 | private-dev | ||
46 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | ||
47 | private-tmp | ||
48 | |||
49 | dbus-user filter | ||
50 | dbus-user.own org.gnome.Fractal | ||
51 | dbus-user.talk ca.desrt.dconf | ||
52 | dbus-user.talk org.freedesktop.secrets | ||
53 | dbus-user.talk org.freedesktop.Notifications | ||
54 | dbus-system none | ||
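Review bot: `dbus-user.talk org.freedesktop.secrets` on line 52 grants the sandbox the whole Secret Service, not only Fractal's own items, and the profile does not say why it is needed; a comment such as `# secrets: presumably for the Matrix access token stored in the keyring (confirm)` would let the next maintainer judge whether it can be narrowed. The profile sets neither `nosound` nor `novideo`, unlike the sibling GNOME profiles touched in this commit; if Fractal has no calling feature at this version, adding them follows the same pattern, otherwise a comment saying they are deliberately omitted avoids the question being re-raised. `private-etc` includes `pulse` and `alsa`, which is consistent with audio being expected, so whichever way it goes, the two should agree.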
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 653272499..23d259337 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
@@ -36,6 +36,7 @@ nou2f | |||
36 | novideo | 36 | novideo |
37 | protocol unix | 37 | protocol unix |
38 | seccomp | 38 | seccomp |
39 | seccomp.block-secondary | ||
39 | shell none | 40 | shell none |
40 | tracelog | 41 | tracelog |
41 | 42 | ||
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index 74b468020..e339f6abb 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -38,6 +38,7 @@ nou2f | |||
38 | novideo | 38 | novideo |
39 | protocol unix | 39 | protocol unix |
40 | seccomp | 40 | seccomp |
41 | seccomp.block-secondary | ||
41 | shell none | 42 | shell none |
42 | tracelog | 43 | tracelog |
43 | x11 none | 44 | x11 none |
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index fa01d04b7..f4e5a392f 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -10,22 +10,20 @@ include geary.local | |||
10 | # Users have Geary set to open a browser by clicking a link in an email | 10 | # Users have Geary set to open a browser by clicking a link in an email |
11 | # We are not allowed to blacklist browser-specific directories | 11 | # We are not allowed to blacklist browser-specific directories |
12 | 12 | ||
13 | ignore dbus-user none | 13 | ignore dbus-user filter |
14 | ignore dbus-system none | 14 | ignore dbus-system none |
15 | ignore private-tmp | 15 | ignore private-tmp |
16 | 16 | ||
17 | noblacklist ${HOME}/.gnupg | 17 | noblacklist ${HOME}/.cache/geary |
18 | noblacklist ${HOME}/.config/geary | ||
18 | noblacklist ${HOME}/.local/share/geary | 19 | noblacklist ${HOME}/.local/share/geary |
19 | 20 | ||
20 | mkdir ${HOME}/.gnupg | 21 | mkdir ${HOME}/.cache/geary |
21 | mkdir ${HOME}/.config/geary | 22 | mkdir ${HOME}/.config/geary |
22 | mkdir ${HOME}/.local/share/geary | 23 | mkdir ${HOME}/.local/share/geary |
23 | whitelist ${HOME}/.gnupg | 24 | whitelist ${HOME}/.cache/geary |
24 | whitelist ${HOME}/.config/geary | 25 | whitelist ${HOME}/.config/geary |
25 | whitelist ${HOME}/.local/share/geary | 26 | whitelist ${HOME}/.local/share/geary |
26 | |||
27 | read-only ${HOME}/.config/mimeapps.list | ||
28 | |||
29 | whitelist /usr/share/geary | 27 | whitelist /usr/share/geary |
30 | 28 | ||
31 | # allow Mozilla browsers | 29 | # allow Mozilla browsers |
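Review bot: Changing `ignore dbus-user none` to `ignore dbus-user filter` on line 13 discards whatever session-bus filter the included profile now applies, and no replacement `dbus-user` rule is visible in this hunk, so Geary's session bus appears to end up unrestricted; if that is intended because of the browser hand-off described in the comment above, say so next to the line (`# dbus-user filter is ignored so link/attachment opening can reach the browser` — confirm the real reason). The deletion of `read-only ${HOME}/.config/mimeapps.list` (old lines 26–28) is also unexplained; that line kept the sandboxed mailer from rewriting the user's default-handler table, which matters for a program that opens links and attachments, so either keep it or note why it had to go. The rest of the profile, including whatever it redirects to, is outside the hunk.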
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 17b7ad563..30251fbe5 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile | |||
@@ -37,6 +37,7 @@ nou2f | |||
37 | novideo | 37 | novideo |
38 | protocol unix | 38 | protocol unix |
39 | seccomp | 39 | seccomp |
40 | seccomp.block-secondary | ||
40 | shell none | 41 | shell none |
41 | tracelog | 42 | tracelog |
42 | 43 | ||
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index d97ab530b..b8d1b9608 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile | |||
@@ -49,6 +49,7 @@ nou2f | |||
49 | novideo | 49 | novideo |
50 | protocol unix,inet,inet6 | 50 | protocol unix,inet,inet6 |
51 | seccomp | 51 | seccomp |
52 | seccomp.block-secondary | ||
52 | shell none | 53 | shell none |
53 | tracelog | 54 | tracelog |
54 | 55 | ||
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index 5bb410278..c15174815 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile | |||
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive | |||
26 | whitelist /usr/share/pandoc* | 26 | whitelist /usr/share/pandoc* |
27 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
28 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
29 | include whitelist-var-common.inc | ||
29 | 30 | ||
30 | apparmor | 31 | apparmor |
31 | caps.drop all | 32 | caps.drop all |
@@ -41,6 +42,7 @@ nou2f | |||
41 | novideo | 42 | novideo |
42 | protocol unix,inet,inet6,netlink | 43 | protocol unix,inet,inet6,netlink |
43 | seccomp !chroot | 44 | seccomp !chroot |
45 | seccomp.block-secondary | ||
44 | shell none | 46 | shell none |
45 | #tracelog -- breaks | 47 | #tracelog -- breaks |
46 | 48 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 8093c0c39..ed27de7f5 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -6,6 +6,14 @@ include gimp.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). | ||
10 | # TODO: Replace 'ignore seccomp' with a less permissive option. | ||
11 | #ignore seccomp | ||
12 | #ignore dbus-system | ||
13 | #ignore net | ||
14 | #protocol unix,inet,inet6 | ||
15 | |||
16 | |||
9 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
10 | # if you are not using external plugins, you can comment 'ignore noexec' statement below | 18 | # if you are not using external plugins, you can comment 'ignore noexec' statement below |
11 | # or put 'noexec ${HOME}' in your gimp.local | 19 | # or put 'noexec ${HOME}' in your gimp.local |
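Review bot: The opt-in xsane block on lines 9–14 is fine as commented-out defaults, but `#ignore seccomp` drops the whole syscall filter, and the TODO should name the direction of the narrower fix — this same commit uses per-syscall exceptions elsewhere (`seccomp !chroot` in ghostwriter.profile), so the comment could read `# TODO: find the syscalls xsane needs and replace 'ignore seccomp' with 'seccomp !<syscall,...>'`. Lines 15–16 add two consecutive blank lines where the profile otherwise uses one; drop one. The issue reference #3640 is the only record of why `ignore net` and `ignore dbus-system` are needed; a half-sentence on the scanner backend needing network and system-bus access (I am inferring that from the directives, so confirm) would spare readers the lookup.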
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 30e80f519..4708078dd 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.gitconfig | |||
12 | noblacklist ${HOME}/.git-credentials | 12 | noblacklist ${HOME}/.git-credentials |
13 | noblacklist ${HOME}/.gnupg | 13 | noblacklist ${HOME}/.gnupg |
14 | noblacklist ${HOME}/.ssh | 14 | noblacklist ${HOME}/.ssh |
15 | noblacklist ${HOME}/.subversion | ||
15 | noblacklist ${HOME}/.config/git | 16 | noblacklist ${HOME}/.config/git |
16 | noblacklist ${HOME}/.config/git-cola | 17 | noblacklist ${HOME}/.config/git-cola |
17 | # Put your editor,diff viewer config path below and uncomment to load settings | 18 | # Put your editor,diff viewer config path below and uncomment to load settings |
@@ -28,7 +29,19 @@ include disable-passwdmgr.inc | |||
28 | include disable-programs.inc | 29 | include disable-programs.inc |
29 | include disable-xdg.inc | 30 | include disable-xdg.inc |
30 | 31 | ||
32 | whitelist ${RUNUSER}/gnupg | ||
33 | whitelist ${RUNUSER}/keyring | ||
34 | # Whitelist your editor, diff viewer, gnupg path below in /usr/share/ | ||
35 | whitelist /usr/share/git | ||
36 | whitelist /usr/share/git-cola | ||
37 | whitelist /usr/share/git-core | ||
38 | whitelist /usr/share/git-gui | ||
39 | whitelist /usr/share/gitk | ||
40 | whitelist /usr/share/gitweb | ||
41 | whitelist /usr/share/gnupg | ||
42 | whitelist /usr/share/gnupg2 | ||
31 | include whitelist-runuser-common.inc | 43 | include whitelist-runuser-common.inc |
44 | include whitelist-usr-share-common.inc | ||
32 | include whitelist-var-common.inc | 45 | include whitelist-var-common.inc |
33 | 46 | ||
34 | apparmor | 47 | apparmor |
@@ -49,18 +62,22 @@ seccomp | |||
49 | shell none | 62 | shell none |
50 | tracelog | 63 | tracelog |
51 | 64 | ||
52 | # private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed | 65 | # Add your own diff viewer,editor,pinentry program |
66 | # pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg | ||
67 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | ||
53 | private-cache | 68 | private-cache |
54 | private-dev | 69 | private-dev |
55 | # Comment if you sign commits with GPG | 70 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg |
56 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg | ||
57 | private-tmp | 71 | private-tmp |
72 | writable-run-user | ||
58 | 73 | ||
59 | dbus-user filter | 74 | # Breaks meld as diff viewer |
75 | # dbus-user filter | ||
60 | # Uncomment if you need keyring access | 76 | # Uncomment if you need keyring access |
61 | # dbus-user.talk org.freedesktop.secrets | 77 | # dbus-user.talk org.freedesktop.secrets |
62 | dbus-system none | 78 | dbus-system none |
63 | 79 | ||
64 | read-only ${HOME}/.ssh | ||
65 | read-only ${HOME}/.gnupg | ||
66 | read-only ${HOME}/.git-credentials | 80 | read-only ${HOME}/.git-credentials |
81 | |||
82 | # Comment if you need to allow hosts | ||
83 | read-only ${HOME}/.ssh | ||
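Review bot: The rewritten sandbox in this hunk loosens three protections without saying so: `read-only ${HOME}/.gnupg` (old line 65) is dropped, so the sandboxed GUI can now modify the keyring and trustdb rather than only read them while signing; `dbus-user filter` is commented out on line 75 with `# Breaks meld as diff viewer`, which leaves the session bus unfiltered for everyone rather than only meld users and makes the still-present `# dbus-user.talk org.freedesktop.secrets` hint below it meaningless because there is no filter to add it to; and `writable-run-user` on line 72 makes `${RUNUSER}` writable. Consider keeping `read-only ${HOME}/.gnupg` (gpg-agent's sockets live under the now-whitelisted `${RUNUSER}/gnupg`, so read-only should still work — confirm with a passphrase-protected key), and offering the meld workaround as a commented `# ignore dbus-user filter` for git-cola.local instead of disabling the filter for all users. Line 66 has a stray `"` after `pinentry-kwallet`. The part of the file between the second and third hunk is not visible here.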
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 71b8e9b11..3d80c1ed2 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile | |||
@@ -45,6 +45,7 @@ nou2f | |||
45 | novideo | 45 | novideo |
46 | protocol unix,inet,inet6 | 46 | protocol unix,inet,inet6 |
47 | seccomp | 47 | seccomp |
48 | seccomp.block-secondary | ||
48 | shell none | 49 | shell none |
49 | tracelog | 50 | tracelog |
50 | 51 | ||
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile index 7a684dd59..8f637902c 100644 --- a/etc/profile-a-l/gnome-builder.profile +++ b/etc/profile-a-l/gnome-builder.profile | |||
@@ -6,6 +6,8 @@ include gnome-builder.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.bash_history | ||
10 | |||
9 | noblacklist ${HOME}/.cache/gnome-builder | 11 | noblacklist ${HOME}/.cache/gnome-builder |
10 | noblacklist ${HOME}/.config/gnome-builder | 12 | noblacklist ${HOME}/.config/gnome-builder |
11 | noblacklist ${HOME}/.local/share/gnome-builder | 13 | noblacklist ${HOME}/.local/share/gnome-builder |
@@ -34,3 +36,5 @@ seccomp | |||
34 | shell none | 36 | shell none |
35 | 37 | ||
36 | private-dev | 38 | private-dev |
39 | |||
40 | read-write ${HOME}/.bash_history | ||
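Review bot: `read-write ${HOME}/.bash_history` on line 40 together with `noblacklist` on line 9 hands the IDE sandbox write access to the user's shell history, and nothing in the profile says why; a comment such as `# Shell history is exposed for the built-in terminal (confirm)` should sit next to both lines. The new `noblacklist` is also separated from the existing `noblacklist` group by a blank line, which the rest of the profile does not do; fold it into the group. Whether `read-write` is needed at all depends on an included file marking the path read-only, which this hunk does not show.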
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index ceb01f2a0..7780dfa65 100644 --- a/etc/profile-a-l/gnome-calculator.profile +++ b/etc/profile-a-l/gnome-calculator.profile | |||
@@ -38,6 +38,7 @@ nou2f | |||
38 | novideo | 38 | novideo |
39 | protocol unix,inet,inet6 | 39 | protocol unix,inet,inet6 |
40 | seccomp | 40 | seccomp |
41 | seccomp.block-secondary | ||
41 | shell none | 42 | shell none |
42 | tracelog | 43 | tracelog |
43 | 44 | ||
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index 3e815234c..9927fb869 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -36,6 +36,7 @@ nou2f | |||
36 | novideo | 36 | novideo |
37 | protocol unix,inet,inet6 | 37 | protocol unix,inet,inet6 |
38 | seccomp | 38 | seccomp |
39 | seccomp.block-secondary | ||
39 | shell none | 40 | shell none |
40 | tracelog | 41 | tracelog |
41 | 42 | ||
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index f4f3ae2d7..4d53a67dd 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile | |||
@@ -39,6 +39,7 @@ nou2f | |||
39 | novideo | 39 | novideo |
40 | protocol unix | 40 | protocol unix |
41 | seccomp | 41 | seccomp |
42 | seccomp.block-secondary | ||
42 | shell none | 43 | shell none |
43 | tracelog | 44 | tracelog |
44 | 45 | ||
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile index 7a38bdc8a..03b89e394 100644 --- a/etc/profile-a-l/gnome-contacts.profile +++ b/etc/profile-a-l/gnome-contacts.profile | |||
@@ -32,6 +32,7 @@ nou2f | |||
32 | novideo | 32 | novideo |
33 | protocol unix,inet,inet6,netlink | 33 | protocol unix,inet,inet6,netlink |
34 | seccomp | 34 | seccomp |
35 | seccomp.block-secondary | ||
35 | 36 | ||
36 | disable-mnt | 37 | disable-mnt |
37 | private-dev | 38 | private-dev |
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 5ae7bbe01..bb5ef0eab 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -33,6 +33,7 @@ nou2f | |||
33 | novideo | 33 | novideo |
34 | protocol unix | 34 | protocol unix |
35 | seccomp | 35 | seccomp |
36 | seccomp.block-secondary | ||
36 | shell none | 37 | shell none |
37 | tracelog | 38 | tracelog |
38 | 39 | ||
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index ecbb74158..a0b9ef04e 100644 --- a/etc/profile-a-l/gnome-keyring.profile +++ b/etc/profile-a-l/gnome-keyring.profile | |||
@@ -9,8 +9,6 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
11 | 11 | ||
12 | whitelist ${HOME}/.gnupg | ||
13 | whitelist ${DOWNLOADS} | ||
14 | include disable-common.inc | 12 | include disable-common.inc |
15 | include disable-devel.inc | 13 | include disable-devel.inc |
16 | include disable-exec.inc | 14 | include disable-exec.inc |
@@ -19,9 +17,15 @@ include disable-interpreters.inc | |||
19 | include disable-programs.inc | 17 | include disable-programs.inc |
20 | include disable-xdg.inc | 18 | include disable-xdg.inc |
21 | 19 | ||
20 | mkdir ${HOME}/.gnupg | ||
21 | whitelist ${HOME}/.gnupg | ||
22 | whitelist ${DOWNLOADS} | ||
23 | whitelist ${RUNUSER}/gnupg | ||
24 | whitelist ${RUNUSER}/keyring | ||
22 | whitelist /usr/share/gnupg | 25 | whitelist /usr/share/gnupg |
23 | whitelist /usr/share/gnupg2 | 26 | whitelist /usr/share/gnupg2 |
24 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-runuser-common.inc | ||
25 | include whitelist-usr-share-common.inc | 29 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 30 | include whitelist-var-common.inc |
27 | 31 | ||
@@ -41,6 +45,7 @@ nou2f | |||
41 | novideo | 45 | novideo |
42 | protocol unix,inet,inet6 | 46 | protocol unix,inet,inet6 |
43 | seccomp | 47 | seccomp |
48 | seccomp.block-secondary | ||
44 | shell none | 49 | shell none |
45 | tracelog | 50 | tracelog |
46 | 51 | ||
@@ -52,6 +57,6 @@ private-dev | |||
52 | private-tmp | 57 | private-tmp |
53 | 58 | ||
54 | # dbus-user none | 59 | # dbus-user none |
55 | # dbus-system none | 60 | dbus-system none |
56 | 61 | ||
57 | memory-deny-write-execute | 62 | memory-deny-write-execute |
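Review bot: `dbus-system none` is now enforced on line 60 while `# dbus-user none` on line 59 stays commented with no explanation, although the daemon's session-bus exposure is the part that matters for a keyring; a `dbus-user filter` with `dbus-user.own` for the names it must serve (`org.freedesktop.secrets` is the one other profiles in this commit talk to) would be the narrower option, and if that is known to break, a comment saying so belongs beside the commented line. The retained `whitelist ${DOWNLOADS}` (moved to line 22) is surprising for a keyring daemon and deserves a one-line justification or removal. The new `whitelist ${RUNUSER}/gnupg` and `${RUNUSER}/keyring` lines fit the sockets such a daemon serves, and `mkdir ${HOME}/.gnupg` on line 20 matches the whitelist that follows.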
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 11d184bc6..87376da40 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -41,6 +41,7 @@ nou2f | |||
41 | novideo | 41 | novideo |
42 | protocol unix | 42 | protocol unix |
43 | seccomp | 43 | seccomp |
44 | seccomp.block-secondary | ||
44 | shell none | 45 | shell none |
45 | tracelog | 46 | tracelog |
46 | 47 | ||
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index eb0030dda..23629df95 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile | |||
@@ -54,6 +54,7 @@ nou2f | |||
54 | novideo | 54 | novideo |
55 | protocol unix,inet,inet6 | 55 | protocol unix,inet,inet6 |
56 | seccomp | 56 | seccomp |
57 | seccomp.block-secondary | ||
57 | shell none | 58 | shell none |
58 | tracelog | 59 | tracelog |
59 | 60 | ||
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index 615be7873..073de47b9 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
@@ -43,6 +43,7 @@ nou2f | |||
43 | novideo | 43 | novideo |
44 | protocol unix | 44 | protocol unix |
45 | seccomp | 45 | seccomp |
46 | seccomp.block-secondary | ||
46 | shell none | 47 | shell none |
47 | tracelog | 48 | tracelog |
48 | 49 | ||
@@ -52,3 +53,8 @@ private-cache | |||
52 | private-dev | 53 | private-dev |
53 | private-etc dconf,fonts,gtk-3.0,passwd | 54 | private-etc dconf,fonts,gtk-3.0,passwd |
54 | private-tmp | 55 | private-tmp |
56 | |||
57 | dbus-user filter | ||
58 | dbus-user.own org.gnome.PasswordSafe | ||
59 | dbus-user.talk ca.desrt.dconf | ||
60 | dbus-system none | ||
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile index 2af406af9..65cc23b5f 100644 --- a/etc/profile-a-l/gnome-photos.profile +++ b/etc/profile-a-l/gnome-photos.profile | |||
@@ -33,6 +33,7 @@ nou2f | |||
33 | novideo | 33 | novideo |
34 | protocol unix | 34 | protocol unix |
35 | seccomp | 35 | seccomp |
36 | seccomp.block-secondary | ||
36 | shell none | 37 | shell none |
37 | tracelog | 38 | tracelog |
38 | 39 | ||
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index 82fb1b658..2534eed5a 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
@@ -35,6 +35,7 @@ nou2f | |||
35 | novideo | 35 | novideo |
36 | protocol unix | 36 | protocol unix |
37 | seccomp | 37 | seccomp |
38 | seccomp.block-secondary | ||
38 | shell none | 39 | shell none |
39 | tracelog | 40 | tracelog |
40 | 41 | ||
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index a64ec25a9..2e063ebfe 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
@@ -33,6 +33,7 @@ nou2f | |||
33 | novideo | 33 | novideo |
34 | protocol unix | 34 | protocol unix |
35 | seccomp | 35 | seccomp |
36 | seccomp.block-secondary | ||
36 | shell none | 37 | shell none |
37 | tracelog | 38 | tracelog |
38 | 39 | ||
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 2fab3dcc7..5bef96ae7 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
@@ -53,8 +53,8 @@ dbus-user filter | |||
53 | dbus-user.own org.gnome.Todo | 53 | dbus-user.own org.gnome.Todo |
54 | dbus-user.talk ca.desrt.dconf | 54 | dbus-user.talk ca.desrt.dconf |
55 | #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9 | 55 | #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9 |
56 | #dbus-user.talk org.gnome.evolution.dataserver.Calendar8 | 56 | dbus-user.talk org.gnome.evolution.dataserver.Calendar8 |
57 | #dbus-user.talk org.gnome.evolution.dataserver.Sources5 | 57 | dbus-user.talk org.gnome.evolution.dataserver.Sources5 |
58 | #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.* | 58 | #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.* |
59 | #dbus-user.talk org.gnome.OnlineAccounts | 59 | #dbus-user.talk org.gnome.OnlineAccounts |
60 | dbus-system none | 60 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile index a181f1b9e..beed92a7d 100644 --- a/etc/profile-a-l/gnome-weather.profile +++ b/etc/profile-a-l/gnome-weather.profile | |||
@@ -37,6 +37,7 @@ nou2f | |||
37 | novideo | 37 | novideo |
38 | protocol unix,inet,inet6 | 38 | protocol unix,inet,inet6 |
39 | seccomp | 39 | seccomp |
40 | seccomp.block-secondary | ||
40 | shell none | 41 | shell none |
41 | tracelog | 42 | tracelog |
42 | 43 | ||
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index c46fbc1d9..56ed7a436 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
@@ -34,6 +34,7 @@ nou2f | |||
34 | novideo | 34 | novideo |
35 | protocol unix | 35 | protocol unix |
36 | seccomp | 36 | seccomp |
37 | seccomp.block-secondary | ||
37 | shell none | 38 | shell none |
38 | tracelog | 39 | tracelog |
39 | 40 | ||
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile index a62e4cf74..ebe5e870b 100644 --- a/etc/profile-a-l/google-chrome-beta.profile +++ b/etc/profile-a-l/google-chrome-beta.profile | |||
@@ -5,6 +5,11 @@ include google-chrome-beta.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | ||
9 | ignore whitelist /usr/share/chromium | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | |||
8 | noblacklist ${HOME}/.cache/google-chrome-beta | 13 | noblacklist ${HOME}/.cache/google-chrome-beta |
9 | noblacklist ${HOME}/.config/google-chrome-beta | 14 | noblacklist ${HOME}/.config/google-chrome-beta |
10 | 15 | ||
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile index 14547eab2..4d303f71b 100644 --- a/etc/profile-a-l/google-chrome-unstable.profile +++ b/etc/profile-a-l/google-chrome-unstable.profile | |||
@@ -5,6 +5,11 @@ include google-chrome-unstable.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | ||
9 | ignore whitelist /usr/share/chromium | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | |||
8 | noblacklist ${HOME}/.cache/google-chrome-unstable | 13 | noblacklist ${HOME}/.cache/google-chrome-unstable |
9 | noblacklist ${HOME}/.config/google-chrome-unstable | 14 | noblacklist ${HOME}/.config/google-chrome-unstable |
10 | 15 | ||
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile index 66f76caa0..ed2595f72 100644 --- a/etc/profile-a-l/google-chrome.profile +++ b/etc/profile-a-l/google-chrome.profile | |||
@@ -5,6 +5,11 @@ include google-chrome.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 | ||
9 | ignore whitelist /usr/share/chromium | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | |||
8 | noblacklist ${HOME}/.cache/google-chrome | 13 | noblacklist ${HOME}/.cache/google-chrome |
9 | noblacklist ${HOME}/.config/google-chrome | 14 | noblacklist ${HOME}/.config/google-chrome |
10 | 15 | ||
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile new file mode 100644 index 000000000..e2721360b --- /dev/null +++ b/etc/profile-a-l/gtk-straw-viewer.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for gtk-straw-viewer | ||
2 | # Description: Gtk front-end to straw-viewer | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gtk-straw-viewer.local | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | ignore quiet | ||
10 | |||
11 | include whitelist-runuser-common.inc | ||
12 | |||
13 | # Redirect | ||
14 | include straw-viewer.profile | ||
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile index 023f10d3d..848979b52 100644 --- a/etc/profile-a-l/gtk-youtube-viewer +++ b/etc/profile-a-l/gtk-youtube-viewer.profile | |||
@@ -3,16 +3,12 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk-youtube-viewer.local | 5 | include gtk-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
11 | noblacklist /tmp/.X11-unix | ||
12 | noblacklist ${RUNUSER}/wayland-* | ||
13 | noblacklist ${RUNUSER} | ||
14 | |||
15 | include whitelist-runuser-common.inc | 11 | include whitelist-runuser-common.inc |
16 | 12 | ||
17 | # Redirect | 13 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 14 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile index 331e73218..dccadcf2e 100644 --- a/etc/profile-a-l/gtk2-youtube-viewer +++ b/etc/profile-a-l/gtk2-youtube-viewer.profile | |||
@@ -3,8 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk2-youtube-viewer.local | 5 | include gtk2-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER} | |||
15 | include whitelist-runuser-common.inc | 15 | include whitelist-runuser-common.inc |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 18 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile index 4c5bde55f..3d91e284d 100644 --- a/etc/profile-a-l/gtk3-youtube-viewer +++ b/etc/profile-a-l/gtk3-youtube-viewer.profile | |||
@@ -3,8 +3,8 @@ | |||
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include gtk3-youtube-viewer.local | 5 | include gtk3-youtube-viewer.local |
6 | # Persistent global definitions | 6 | # added by included profile |
7 | # include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | ignore quiet | 9 | ignore quiet |
10 | 10 | ||
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER} | |||
15 | include whitelist-runuser-common.inc | 15 | include whitelist-runuser-common.inc |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-viewer.profile \ No newline at end of file | 18 | include youtube-viewer.profile |
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index c0254b5ec..3df42d209 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile | |||
@@ -35,6 +35,7 @@ nou2f | |||
35 | novideo | 35 | novideo |
36 | protocol unix | 36 | protocol unix |
37 | seccomp | 37 | seccomp |
38 | seccomp.block-secondary | ||
38 | shell none | 39 | shell none |
39 | tracelog | 40 | tracelog |
40 | 41 | ||
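--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.hedgewars
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc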
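Review bot: `include allow-lua.inc` at line 11 is added without the explanatory comment that the same addition carries in minetest.profile and mpsyt.profile in this commit, `# Allow lua (blacklisted by disable-interpreters.inc)`. Re-enabling an interpreter widens what the sandboxed game can execute, so it is worth stating why it is needed and keeping the wording consistent across profiles. The placement before disable-interpreters.inc looks right, assuming allow-lua.inc consists of noblacklist rules that must precede the blacklist.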
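--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
 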
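Review bot: The three `ignore` lines (9-11) drop the /usr/share and ${RUNUSER} whitelists for this browser, but the comment at line 8 only says "Disable for now" and points at a discussion thread; neither the breakage nor the restriction being given up is recorded in the profile. If no other /usr/share whitelist rule survives in the included chromium profile, the sandbox sees the full /usr/share and ${RUNUSER} trees instead of the whitelisted subset, which a reader of the installed file cannot learn offline. I would extend the comment to `# Disable for now (<breakage>, see <link>): the browser then sees all of /usr/share and ${RUNUSER}`, with the breakage filled in. The identical hunk in iridium.profile needs the same treatment.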
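--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 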
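--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+
+dbus-system none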
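Review bot: `ignore noexec ${HOME}` at line 9 cancels the no-exec mount of the home directory that disable-exec.inc (included at line 20) presumably applies, and nothing says why a screen recorder needs to execute files from ${HOME}. A relaxation of that kind should carry its reason so it can be re-checked later, e.g. `# kazam needs to execute <what> from ${HOME} - TODO confirm`. The commented `# private-bin kazam,python*` at line 48 has the same gap: it does not say whether private-bin was found to break the program or was simply left untested.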
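--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -72,9 +73,12 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications.
+# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.StatusNotifierWatcher
+# These numbers seems to be not stable, see #3713. Play around with them.
+#dbus-user.own org.kde.StatusNotifierItem-2-2
+#dbus-user.own org.kde.StatusNotifierItem-10-2
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp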
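Review bot: The comment at line 79, `# These numbers seems to be not stable, see #3713. Play around with them.`, leaves the user guessing what the two numbers are. Under the StatusNotifierItem specification the bus name is `org.kde.StatusNotifierItem-<PID>-<instance>`, so the first number is the process id inside the sandbox, which is why it varies between runs; stating that lets a user derive the right value instead of trying numbers. I would write `# The tray name is org.kde.StatusNotifierItem-<PID>-<instance>, so the first number varies between runs; see #3713.` ("seems" should also read "seem").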
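--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+
+# dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file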
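Review bot: Several of the new `mkdir` lines (47-69) name files or glob patterns rather than directories: `baloorc`, `kmail2rc`, `kmailsearchindexingrc`, `mailtransports`, `specialmailcollectionsrc` and, as far as I can tell, `emaildefaults` and `emailidentities` under ${HOME}/.config are KConfig files, while `mkdir ${HOME}/.cache/akonadi*`, `mkdir ${HOME}/.config/akonadi*`, `mkdir ${HOME}/.local/share/akonadi*` and `mkdir /tmp/akonadi-*` are patterns. On a first run where the path does not exist yet, mkdir would create a directory where KConfig expects a file (or a literal directory named `akonadi*`), and the matching whitelist then covers the wrong object; the file entries should use `mkfile`, as linphone.profile and mpv.profile in this commit do, and the glob lines should be dropped or replaced by concrete directory names. Separately, the last hunk removes `# writable-run-user is needed for signing and encrypting emails`, the only explanation for `writable-run-user`; I would keep that comment in place.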
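--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini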
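Review bot: `dbus-user.talk org.freedesktop.secrets` at line 77 grants the sandbox the whole Secret Service interface, which has no per-application scoping, so kube can read and write every item in the user's keyring rather than only its own account credentials; the profile does not record that this is intended. A one-line comment such as `# kube keeps account passwords in the Secret Service (this exposes the whole keyring)` would make the trade-off visible to whoever tightens the profile later. `writable-run-user` at line 73 is likewise unexplained; kmail.profile annotated the same rule with `# writable-run-user is needed for signing and encrypting emails`, and with `whitelist ${RUNUSER}/gnupg` at line 39 that rationale appears to apply here too.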
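--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
 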
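--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,8 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/linphone
 noblacklist ${HOME}/.linphone-history.db
 noblacklist ${HOME}/.linphonerc
+noblacklist ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,10 +18,15 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkfile ${HOME}/.linphone-history.db
-mkfile ${HOME}/.linphonerc
+# linphone 4.0 (released 2017-06-26) moved config and database files to respect
+# freedesktop standards. For backward compatibility we continue to whitelist
+# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
+mkdir ${HOME}/.config/linphone
+mkdir ${HOME}/.local/share/linphone
+whitelist ${HOME}/.config/linphone
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.local/share/linphone
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 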
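--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,65 @@
+# Firejail profile for man
+# Description: manpage viewer
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include man.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.local/share/man
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/man
+whitelist ${HOME}/.local/share/man
+whitelist ${HOME}/.manpath
+whitelist /usr/share/groff
+whitelist /usr/share/info
+whitelist /usr/share/lintian
+whitelist /usr/share/locale
+whitelist /usr/share/man
+whitelist /var/cache/man
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute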
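--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 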
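--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 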
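--- /dev/null
+++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,63 @@
+# Firejail profile for menulibre
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include menulibre.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /usr/share/menulibre
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports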
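Review bot: The four `read-write` lines (60-63) re-open write access to launcher directories such as ${HOME}/.local/share/applications, which disable-common.inc (included at line 12) presumably makes read-only so that sandboxed programs cannot plant .desktop entries; for a launcher editor that is the program's purpose, but the lines carry no comment saying so. I would add `# menulibre edits launchers, so undo the read-only from disable-common.inc` above line 60, so the next reader does not take it for an accidental weakening. Note also that whitelist-common.inc is not included, so apart from the disable-*.inc blacklists the whole home directory stays visible; if that is deliberate it deserves a word too.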
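--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,6 +6,8 @@ include min.local
 # Persistent global definitions
 include globals.local
 
+nowhitelist /usr/share/chromium
+
 noblacklist ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min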
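--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -12,6 +12,9 @@ include globals.local
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -25,6 +28,7 @@ mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
+whitelist /usr/share/games/minetest
 whitelist /usr/share/minetest
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -43,11 +47,12 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin minetest
+private-bin minetest,rm
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702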
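Review bot: `rm` is added to private-bin at line 55 without a comment, so it is not recoverable from the profile which feature of minetest (a mod or world cleanup, presumably) shells out to it. A short note, e.g. `# rm is used by <feature> - TODO confirm`, would let a later reviewer drop the entry again once it is no longer needed.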
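--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -46,7 +46,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !kcmp
 shell none
 tracelog
 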
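Review bot: `seccomp !kcmp` at line 49 exempts a syscall from the default filter without a comment or issue reference, so nobody can later tell whether the exemption is still required. kcmp is what the Chromium-derived renderer sandbox in QtWebEngine uses to compare file descriptors, which is presumably the motivation for a YouTube client; I would record that above the line: `# kcmp is needed by the QtWebEngine sandbox` (confirm, and add the issue number if one exists).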
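--- /dev/null
+++ b/etc/profile-m-z/mirage.profile
@@ -0,0 +1,59 @@
+# Firejail profile for mirage
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mirage
+noblacklist ${HOME}/.config/mirage
+noblacklist ${HOME}/.local/share/mirage
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mirage
+mkdir ${HOME}/.config/mirage
+mkdir ${HOME}/.local/share/mirage
+whitelist ${HOME}/.cache/mirage
+whitelist ${HOME}/.config/mirage
+whitelist ${HOME}/.local/share/mirage
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mirage
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none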
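Review bot: `private-bin mirage` at line 52 lists only the launcher, while lines 13-14 enable the Python interpreters, which suggests mirage is a Python program; if /usr/bin/mirage is a script, the interpreter named in its shebang must also be in private-bin (`private-bin mirage,python3*` - TODO confirm against the installed launcher), otherwise the program cannot start inside the sandbox. If it turns out to be a native binary instead, the allow-python*.inc includes are probably unnecessary and could be dropped to keep the interpreters blacklisted.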
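--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -18,12 +18,8 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
 whitelist ${HOME}/.mplayer
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 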
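Review bot: The explicit `whitelist ${DESKTOP}`, `${DOWNLOADS}`, `${MUSIC}`, `${PICTURES}` and `${VIDEOS}` lines (21-25) are replaced by `include whitelist-players.inc`, whose content is not part of the visible commit, so the change is behaviour-preserving only if that include whitelists exactly those five directories. mpsyt.profile and mpv.profile receive the same substitution, and mpsyt previously whitelisted only ${DOWNLOADS}, ${MUSIC} and ${VIDEOS}; if the include carries all five, mpsyt gains ${DESKTOP} and ${PICTURES}, which is worth confirming against whitelist-players.inc and, if intended, noting in the commit.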
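--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -40,10 +43,8 @@ whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-var-common.inc
 
 apparmor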
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 5ca684eb5..ce3bfe421 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,6 +11,19 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerfull lua-API, some off these lua-scripts interact | ||
15 | # with external resources which are blocked by firejail. In such cases | ||
16 | # you need to allow these resources by | ||
17 | # - adding additional binaries to private-bin | ||
18 | # - whitelisting additional paths | ||
19 | # - noblacklisting paths | ||
20 | # - weaking the dbus-policy | ||
21 | # - ... | ||
22 | # | ||
23 | # Often these scripts require a shell: | ||
24 | #noblacklist ${PATH}/sh | ||
25 | #private-bin sh | ||
26 | |||
14 | noblacklist ${HOME}/.config/mpv | 27 | noblacklist ${HOME}/.config/mpv |
15 | noblacklist ${HOME}/.config/youtube-dl | 28 | noblacklist ${HOME}/.config/youtube-dl |
16 | noblacklist ${HOME}/.netrc | 29 | noblacklist ${HOME}/.netrc |
@@ -36,12 +49,8 @@ mkfile ${HOME}/.netrc | |||
36 | whitelist ${HOME}/.config/mpv | 49 | whitelist ${HOME}/.config/mpv |
37 | whitelist ${HOME}/.config/youtube-dl | 50 | whitelist ${HOME}/.config/youtube-dl |
38 | whitelist ${HOME}/.netrc | 51 | whitelist ${HOME}/.netrc |
39 | whitelist ${DESKTOP} | ||
40 | whitelist ${DOWNLOADS} | ||
41 | whitelist ${MUSIC} | ||
42 | whitelist ${PICTURES} | ||
43 | whitelist ${VIDEOS} | ||
44 | include whitelist-common.inc | 52 | include whitelist-common.inc |
53 | include whitelist-players.inc | ||
45 | whitelist /usr/share/lua | 54 | whitelist /usr/share/lua |
46 | whitelist /usr/share/lua* | 55 | whitelist /usr/share/lua* |
47 | whitelist /usr/share/vulkan | 56 | whitelist /usr/share/vulkan |
@@ -58,10 +67,11 @@ noroot | |||
58 | nou2f | 67 | nou2f |
59 | protocol unix,inet,inet6,netlink | 68 | protocol unix,inet,inet6,netlink |
60 | seccomp | 69 | seccomp |
70 | seccomp.block-secondary | ||
61 | shell none | 71 | shell none |
62 | tracelog | 72 | tracelog |
63 | 73 | ||
64 | private-bin env,mpv,python*,youtube-dl | 74 | private-bin env,mpv,python*,waf,youtube-dl |
65 | # private-cache causes slow OSD, see #2838 | 75 | # private-cache causes slow OSD, see #2838 |
66 | #private-cache | 76 | #private-cache |
67 | private-dev | 77 | private-dev |
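Review bot: The new guidance block (new lines 14–25) has typos (`powerfull`, `off these`, `weaking`) and recommends `#noblacklist ${PATH}/sh` / `#private-bin sh` without stating the cost: once a shell is inside the sandbox, any Lua script mpv loads from the whitelisted `${HOME}/.config/mpv` (line 49) can run arbitrary commands through it, which is exactly what `shell none` and the narrow `private-bin` were preventing. Suggest rewording to `# Mpv has a powerful Lua API; some Lua scripts interact with external resources that firejail blocks.` and adding a caveat line `# Note: adding sh lets every loaded mpv script execute arbitrary commands; prefer adding only the specific binary a script needs.` The `waf` added to `private-bin` (line 74) has no explanation — waf is normally a build tool, so if some packaging ships an mpv helper under that name, a short comment would keep the next maintainer from removing it as a leftover.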
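--- /dev/null
+++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
+# Firejail profile for musictube
+# Description: Stream music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musictube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/musictube
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin musictube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none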
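Review bot: The `Flavio Tordini` directories (lines 9–11 and 22–27) contain a space and nothing says where the name comes from, so the next reader is likely to take it for a mistake and "fix" it. Suggest a comment above line 9 such as `# Qt stores musictube settings/cache under the vendor (author) name` — presumably that is the origin of the path, confirm against the application. Otherwise the profile follows the same shape as the other new players in this change (netfilter, caps.drop all, nonewprivs, private-bin limited to the binary itself).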
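--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notify-send
+# Description: a program to send desktop notifications
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include notify-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin notify-send
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}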
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 36723ca29..e21ac997a 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
@@ -53,7 +53,7 @@ seccomp | |||
53 | shell none | 53 | shell none |
54 | tracelog | 54 | tracelog |
55 | 55 | ||
56 | private-bin kbuildsycoca4,kdeinit4,lpr,okular | 56 | private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar |
57 | private-dev | 57 | private-dev |
58 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg | 58 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg |
59 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 59 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
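Review bot: `unar` and `unrar` join `private-bin` (line 56) without a comment saying what okular needs them for; a one-liner such as `# unar,unrar: comic-book archives (.cbr/.cbz) opened by okular` — assuming that is the reason — would stop a later cleanup from dropping them again. Since these extractors parse attacker-controlled archive contents, keeping them inside the okular sandbox rather than having the user run them outside it is the right place for them.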
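--- /dev/null
+++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,55 @@
+# Firejail profile for onboard
+# Description: On-screen keyboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onboard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onboard
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/onboard
+whitelist ${HOME}/.config/onboard
+whitelist /usr/share/onboard
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin onboard,python*,tput
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-tmp
+
+dbus-system none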
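Review bot: The profile closes the system bus (`dbus-system none`, line 55) but leaves the session bus completely unfiltered — there is no `dbus-user` line at all — even though `private-etc` (line 52) copies `dbus-1` and `dconf`, which suggests dconf is the only session-bus peer onboard needs. If that holds, `dbus-user filter` plus `dbus-user.talk ca.desrt.dconf` would match the pattern used by peek and rhythmbox in this same change; if onboard genuinely needs the whole bus (it is an accessibility tool and may talk to more services), a comment saying so above line 55 would be enough. Minor: the ordering (`disable-programs.inc` before `disable-passwdmgr.inc`, `whitelist-usr-share-common.inc` before `whitelist-runuser-common.inc`, `nodvd` before `no3d`, `private-cache` before `private-bin`) departs from the alphabetical order the other profiles in this commit keep.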
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 45682fc31..88d5d0e1e 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena | |||
21 | whitelist /usr/share/openarena | 21 | whitelist /usr/share/openarena |
22 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-runuser-common.inc | 23 | include whitelist-runuser-common.inc |
24 | include whitelist-usr-share-common.in | 24 | include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
26 | 26 | ||
27 | apparmor | 27 | apparmor |
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile index 8658d30c6..551f1aba4 100644 --- a/etc/profile-m-z/opera-beta.profile +++ b/etc/profile-m-z/opera-beta.profile | |||
@@ -5,6 +5,11 @@ include opera-beta.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | # Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus | ||
9 | ignore whitelist /usr/share/chromium | ||
10 | ignore include whitelist-runuser-common.inc | ||
11 | ignore include whitelist-usr-share-common.inc | ||
12 | |||
8 | noblacklist ${HOME}/.cache/opera | 13 | noblacklist ${HOME}/.cache/opera |
9 | noblacklist ${HOME}/.config/opera-beta | 14 | noblacklist ${HOME}/.config/opera-beta |
10 | 15 | ||
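Review bot: The comment at new line 8 points to a tutorialspoint page about `void main` vs `int main` in C, which has nothing to do with the three `ignore` lines under it, so the reason the `/usr/share/chromium` whitelist and the runuser/usr-share includes are disabled is lost. Replace the URL with the actual rationale or issue reference, e.g. `# Disable for now: the /usr/share/chromium whitelist and the runuser/usr-share includes break opera-beta, see <issue>`. The same copy-pasted comment appears in opera.profile and snox.profile in this commit.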
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile index b342b3961..2c7c5fc35 100644 --- a/etc/profile-m-z/opera.profile +++ b/etc/profile-m-z/opera.profile | |||
@@ -6,6 +6,11 @@ include opera.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus | ||
10 | ignore whitelist /usr/share/chromium | ||
11 | ignore include whitelist-runuser-common.inc | ||
12 | ignore include whitelist-usr-share-common.inc | ||
13 | |||
9 | noblacklist ${HOME}/.cache/opera | 14 | noblacklist ${HOME}/.cache/opera |
10 | noblacklist ${HOME}/.config/opera | 15 | noblacklist ${HOME}/.config/opera |
11 | noblacklist ${HOME}/.opera | 16 | noblacklist ${HOME}/.opera |
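Review bot: The comment at new line 9 links an unrelated C tutorial (`void main` vs `int main`) as the justification for the three `ignore` lines below it, so nobody reading the profile later can tell why the chromium whitelist and the runuser/usr-share includes are switched off. Replace it with the real reason or issue number, e.g. `# Disable for now: these includes break opera, see <issue>`.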
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile index 8663fb453..6cbaa66ad 100644 --- a/etc/profile-m-z/patch.profile +++ b/etc/profile-m-z/patch.profile | |||
@@ -37,6 +37,7 @@ nou2f | |||
37 | novideo | 37 | novideo |
38 | protocol unix | 38 | protocol unix |
39 | seccomp | 39 | seccomp |
40 | seccomp.block-secondary | ||
40 | shell none | 41 | shell none |
41 | tracelog | 42 | tracelog |
42 | x11 none | 43 | x11 none |
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index eee42424f..2a7d0cec1 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS} | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
@@ -40,6 +41,7 @@ nou2f | |||
40 | novideo | 41 | novideo |
41 | protocol unix | 42 | protocol unix |
42 | seccomp | 43 | seccomp |
44 | seccomp.block-secondary | ||
43 | shell none | 45 | shell none |
44 | tracelog | 46 | tracelog |
45 | x11 none | 47 | x11 none |
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index 66fdd6496..710a533a9 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | #mkdir ${HOME}/.cache/peek | ||
21 | #whitelist ${HOME}/.cache/peek | ||
22 | #whitelist ${PICTURES} | ||
23 | #whitelist ${VIDEOS} | ||
24 | #include whitelist-common.inc | ||
25 | include whitelist-runuser-common.inc | ||
26 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | ||
28 | |||
29 | apparmor | ||
20 | caps.drop all | 30 | caps.drop all |
31 | machine-id | ||
21 | net none | 32 | net none |
22 | no3d | 33 | no3d |
23 | nodvd | 34 | nodvd |
@@ -30,14 +41,22 @@ nou2f | |||
30 | novideo | 41 | novideo |
31 | protocol unix | 42 | protocol unix |
32 | seccomp | 43 | seccomp |
44 | seccomp.block-secondary | ||
33 | shell none | 45 | shell none |
46 | tracelog | ||
34 | 47 | ||
35 | # private-bin breaks gif mode, mp4 and webm mode work fine however | 48 | disable-mnt |
36 | # private-bin convert,ffmpeg,peek | 49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh |
37 | private-dev | 50 | private-dev |
51 | private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 | ||
38 | private-tmp | 52 | private-tmp |
39 | 53 | ||
40 | dbus-user none | 54 | dbus-user filter |
55 | dbus-user.own com.uploadedlobster.peek | ||
56 | dbus-user.talk ca.desrt.dconf | ||
57 | dbus-user.talk org.freedesktop.FileManager1 | ||
58 | dbus-user.talk org.freedesktop.Notifications | ||
59 | dbus-user.talk org.gnome.Shell.Screencast | ||
41 | dbus-system none | 60 | dbus-system none |
42 | 61 | ||
43 | memory-deny-write-execute | 62 | memory-deny-write-execute |
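Review bot: `private-bin` now carries `bash`, `fish`, `sh`, `zsh`, `which` and `firejail` itself (line 49) with no comment on why a screen recorder needs three shells and the sandboxing binary, and `private-etc` adds `firejail`, `login.defs` and `passwd` (line 51) to match; together with the `${HOME}` whitelisting left commented out and unexplained (lines 20–24), the profile reads as considerably wider than the `private-bin convert,ffmpeg,peek` line it replaces. Please record the reasons inline, e.g. `# peek runs ffmpeg/convert through the user's shell and re-invokes firejail for them, so both must exist inside the sandbox` above line 49 and `# whitelisting ${HOME} breaks saving recordings outside ~/.cache/peek` above line 20 — if those are indeed the causes. If the shells are only there so `$SHELL` resolves, listing just `sh` would keep the surface closer to the previous profile.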
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile index 2e4215744..e81e78ca7 100644 --- a/etc/profile-m-z/pidgin.profile +++ b/etc/profile-m-z/pidgin.profile | |||
@@ -21,6 +21,8 @@ include disable-xdg.inc | |||
21 | 21 | ||
22 | mkdir ${HOME}/.purple | 22 | mkdir ${HOME}/.purple |
23 | whitelist ${HOME}/.purple | 23 | whitelist ${HOME}/.purple |
24 | whitelist ${DOWNLOADS} | ||
25 | whitelist ${PICTURES} | ||
24 | include whitelist-common.inc | 26 | include whitelist-common.inc |
25 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
26 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
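Review bot: `whitelist ${DOWNLOADS}` and `whitelist ${PICTURES}` are added (lines 24–25) in a hunk whose header shows `include disable-xdg.inc` already in effect, but no matching `noblacklist` is visible; the other profiles touched in this commit (pngquant, spectacle) pair `whitelist ${PICTURES}` with a `noblacklist ${PICTURES}` placed before the disable-*.inc includes, which suggests the blacklist would otherwise win and the directory would stay empty inside the sandbox. If pidgin.profile has no such `noblacklist ${PICTURES}` earlier in the file (that part is outside this hunk), add it above `include disable-common.inc`. A one-line comment on why pidgin needs `${PICTURES}` (avatars? image attachments?) would also help the next reviewer.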
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index 3ef8ad64a..bd95cb1de 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile | |||
@@ -54,3 +54,6 @@ private-tmp | |||
54 | 54 | ||
55 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it | 55 | # memory-deny-write-execute is built using seccomp; nonewprivs will kill it |
56 | #memory-deny-write-execute | 56 | #memory-deny-write-execute |
57 | |||
58 | dbus-user none | ||
59 | dbus-system none | ||
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 83905b108..3513e91cc 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -7,6 +7,8 @@ include pngquant.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | noblacklist ${PICTURES} | ||
11 | |||
10 | blacklist ${RUNUSER}/wayland-* | 12 | blacklist ${RUNUSER}/wayland-* |
11 | 13 | ||
12 | include disable-common.inc | 14 | include disable-common.inc |
@@ -16,6 +18,7 @@ include disable-interpreters.inc | |||
16 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 19 | include disable-programs.inc |
18 | include disable-shell.inc | 20 | include disable-shell.inc |
21 | include disable-xdg.inc | ||
19 | 22 | ||
20 | include whitelist-runuser-common.inc | 23 | include whitelist-runuser-common.inc |
21 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
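--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
+# Firejail profile for psi
+# Description: Native XMPP client with GPG support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment for GPG
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/Psi
+noblacklist ${HOME}/.config/psi
+noblacklist ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/Psi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Uncomment for GPG
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/psi
+mkdir ${HOME}/.cache/Psi
+mkdir ${HOME}/.config/psi
+mkdir ${HOME}/.local/share/psi
+mkdir ${HOME}/.local/share/Psi
+# Uncomment for GPG
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/Psi
+whitelist ${HOME}/.config/psi
+whitelist ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/Psi
+whitelist ${DOWNLOADS}
+# Uncomment for GPG
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /usr/share/psi
+# Uncomment for GPG
+# whitelist ${RUNUSER}/gnupg
+# whitelist ${RUNUSER}/keyring
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# breaks on Arch
+# tracelog
+
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+private-bin getopt,psi
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none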
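Review bot: `seccomp !chroot` (line 64) re-enables a syscall the default filter drops, and nothing says which part of psi needs it; add the reason, e.g. `# seccomp !chroot: needed by <component>, see <issue>`, otherwise the exception will be copied blindly into other profiles. The GPG instructions (lines 9–10, 26–27, 33–34, 41–47, 70) tell the user to whitelist `${HOME}/.gnupg`, which hands the secret keyring to a network-facing XMPP client; if psi can work through gpg-agent, the comments should say that whitelisting `${RUNUSER}/gnupg` (already listed at line 46) is the preferred option and `~/.gnupg` the fallback. `# breaks on Arch` (line 66) should also say what breaks, since `tracelog` is enabled in every other new profile here.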
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile index 81ec1bc6b..2fb02aefc 100644 --- a/etc/profile-m-z/qbittorrent.profile +++ b/etc/profile-m-z/qbittorrent.profile | |||
@@ -56,6 +56,7 @@ private-dev | |||
56 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg | 56 | # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | # See https://github.com/netblue30/firejail/issues/3707 for tray-icon | ||
59 | dbus-user none | 60 | dbus-user none |
60 | dbus-system none | 61 | dbus-system none |
61 | 62 | ||
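--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
@@ -0,0 +1,58 @@
+# Firejail profile for qrencode
+# Description: Encode input data in a QR Code and save as a PNG or EPS image.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qrencode.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin qrencode
+private-cache
+private-dev
+private-etc none
+private-lib libpcre2-8.so.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute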
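Review bot: Line 11 blacklists the whole of `${RUNUSER}`, which makes the `blacklist ${RUNUSER}/wayland-*` on line 10 redundant and sits oddly with `include whitelist-runuser-common.inc` on line 23: if the whole runtime dir is blacklisted the include has nothing to expose, and if the include is meant to expose something then line 11 presumably defeats it (which of blacklist and whitelist wins is not visible from the profile and should be confirmed). Pick one intent and drop the other two lines — keeping `blacklist ${RUNUSER}` and removing lines 10 and 23 looks right, since with `x11 none`, `net none` and `dbus-user none` qrencode has no use for anything under the runtime dir. `private-lib libpcre2-8.so.0` (line 52) also deserves a comment naming the dependency that pulls it in.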
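--- /dev/null
+++ b/etc/profile-m-z/quaternion.profile
@@ -0,0 +1,54 @@
+# Firejail profile for quaternion
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quaternion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Quotient/quaternion
+noblacklist ${HOME}/.config/Quotient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Quotient/quaternion
+mkdir ${HOME}/.config/Quotient
+whitelist ${HOME}/.cache/Quotient/quaternion
+whitelist ${HOME}/.config/Quotient
+whitelist ${DOWNLOADS}
+whitelist /usr/share/Quotient/quaternion
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin quaternion
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none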
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile index bb1ad56d3..a29205e14 100644 --- a/etc/profile-m-z/redeclipse.profile +++ b/etc/profile-m-z/redeclipse.profile | |||
@@ -14,10 +14,14 @@ include disable-exec.inc | |||
14 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
17 | 18 | ||
18 | mkdir ${HOME}/.redeclipse | 19 | mkdir ${HOME}/.redeclipse |
19 | whitelist ${HOME}/.redeclipse | 20 | whitelist ${HOME}/.redeclipse |
21 | whitelist /usr/share/redeclipse | ||
20 | include whitelist-common.inc | 22 | include whitelist-common.inc |
23 | include whitelist-runuser-common.inc | ||
24 | include whitelist-usr-share-common.inc | ||
21 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
22 | 26 | ||
23 | caps.drop all | 27 | caps.drop all |
@@ -32,8 +36,13 @@ novideo | |||
32 | protocol unix,inet,inet6 | 36 | protocol unix,inet,inet6 |
33 | seccomp | 37 | seccomp |
34 | shell none | 38 | shell none |
39 | tracelog | ||
35 | 40 | ||
36 | disable-mnt | 41 | disable-mnt |
42 | #private-bin redeclipse,sh,man | ||
43 | private-cache | ||
37 | private-dev | 44 | private-dev |
38 | private-tmp | 45 | private-tmp |
39 | 46 | ||
47 | dbus-user none | ||
48 | dbus-system none | ||
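Review bot: `#private-bin redeclipse,sh,man` (line 42) is committed commented-out with no note on why it is disabled, so the next maintainer cannot tell whether it was tried and broke something or is only a reminder. Suggest replacing it with `# private-bin redeclipse,sh,man - <what breaks>, TODO verify` stating the actual reason; the `sh` in that list hints the game is started through a shell wrapper, which would also be worth saying explicitly.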
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index b76f2b947..e7f379509 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile | |||
@@ -14,6 +14,9 @@ noblacklist ${HOME}/.local/share/rhythmbox | |||
14 | include allow-python2.inc | 14 | include allow-python2.inc |
15 | include allow-python3.inc | 15 | include allow-python3.inc |
16 | 16 | ||
17 | # Allow lua (blacklisted by disable-interpreters.inc) | ||
18 | include allow-lua.inc | ||
19 | |||
17 | include disable-common.inc | 20 | include disable-common.inc |
18 | include disable-devel.inc | 21 | include disable-devel.inc |
19 | include disable-exec.inc | 22 | include disable-exec.inc |
@@ -26,6 +29,7 @@ include disable-xdg.inc | |||
26 | whitelist /usr/share/rhythmbox | 29 | whitelist /usr/share/rhythmbox |
27 | whitelist /usr/share/lua | 30 | whitelist /usr/share/lua |
28 | whitelist /usr/share/libquvi-scripts | 31 | whitelist /usr/share/libquvi-scripts |
32 | whitelist /usr/share/tracker | ||
29 | include whitelist-runuser-common.inc | 33 | include whitelist-runuser-common.inc |
30 | include whitelist-usr-share-common.inc | 34 | include whitelist-usr-share-common.inc |
31 | include whitelist-var-common.inc | 35 | include whitelist-var-common.inc |
@@ -41,10 +45,12 @@ nou2f | |||
41 | novideo | 45 | novideo |
42 | protocol unix,inet,inet6,netlink | 46 | protocol unix,inet,inet6,netlink |
43 | seccomp | 47 | seccomp |
48 | seccomp.block-secondary | ||
44 | shell none | 49 | shell none |
45 | tracelog | 50 | tracelog |
46 | 51 | ||
47 | private-bin rhythmbox,rhythmbox-client | 52 | private-bin rhythmbox,rhythmbox-client |
53 | private-cache | ||
48 | private-dev | 54 | private-dev |
49 | private-tmp | 55 | private-tmp |
50 | 56 | ||
@@ -54,6 +60,6 @@ dbus-user.own org.mpris.MediaPlayer2.rhythmbox | |||
54 | dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox | 60 | dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox |
55 | dbus-user.talk ca.desrt.dconf | 61 | dbus-user.talk ca.desrt.dconf |
56 | dbus-user.talk org.freedesktop.Notifications | 62 | dbus-user.talk org.freedesktop.Notifications |
57 | dbus-system none | 63 | dbus-user.talk org.gnome.SettingsDaemon.MediaKeys |
58 | dbus-system filter | 64 | dbus-system filter |
59 | dbus-system.talk org.freedesktop.Avahi | 65 | dbus-system.talk org.freedesktop.Avahi |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 85d86d646..8bb1f53a7 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -63,6 +63,7 @@ private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ho | |||
63 | writable-run-user | 63 | writable-run-user |
64 | 64 | ||
65 | dbus-user filter | 65 | dbus-user filter |
66 | dbus-user.own org.gnome.seahorse | ||
66 | dbus-user.own org.gnome.seahorse.Application | 67 | dbus-user.own org.gnome.seahorse.Application |
67 | dbus-user.talk org.freedesktop.secrets | 68 | dbus-user.talk org.freedesktop.secrets |
68 | dbus-system none | 69 | dbus-system none |
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile index 6cd70c2ea..c67a88161 100644 --- a/etc/profile-m-z/shellcheck.profile +++ b/etc/profile-m-z/shellcheck.profile | |||
@@ -40,6 +40,7 @@ nou2f | |||
40 | novideo | 40 | novideo |
41 | protocol unix | 41 | protocol unix |
42 | seccomp | 42 | seccomp |
43 | seccomp.block-secondary | ||
43 | shell none | 44 | shell none |
44 | tracelog | 45 | tracelog |
45 | x11 none | 46 | x11 none |
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index 3fb6fc349..8ffc47ff6 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile | |||
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/smplayer | |||
10 | noblacklist ${HOME}/.config/youtube-dl | 10 | noblacklist ${HOME}/.config/youtube-dl |
11 | noblacklist ${HOME}/.mplayer | 11 | noblacklist ${HOME}/.mplayer |
12 | 12 | ||
13 | # Allow python (blacklisted by disable-interpreters.inc) | 13 | include allow-lua.inc |
14 | include allow-python2.inc | 14 | include allow-python2.inc |
15 | include allow-python3.inc | 15 | include allow-python3.inc |
16 | 16 | ||
@@ -26,7 +26,9 @@ include disable-programs.inc | |||
26 | include disable-shell.inc | 26 | include disable-shell.inc |
27 | include disable-xdg.inc | 27 | include disable-xdg.inc |
28 | 28 | ||
29 | whitelist /usr/share/lua* | ||
29 | whitelist /usr/share/smplayer | 30 | whitelist /usr/share/smplayer |
31 | whitelist /usr/share/vulkan | ||
30 | include whitelist-usr-share-common.inc | 32 | include whitelist-usr-share-common.inc |
31 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
32 | 34 | ||
@@ -41,7 +43,7 @@ protocol unix,inet,inet6,netlink | |||
41 | seccomp | 43 | seccomp |
42 | shell none | 44 | shell none |
43 | 45 | ||
44 | private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl | 46 | private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl |
45 | private-dev | 47 | private-dev |
46 | private-tmp | 48 | private-tmp |
47 | 49 | ||
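Review bot: The old `# Allow python (blacklisted by disable-interpreters.inc)` comment (line 13) is replaced by `include allow-lua.inc` instead of being kept above it, so the allow-*.inc block loses its explanation while rhythmbox.profile in this same commit gains one; suggest reinstating `# Allow lua and python (blacklisted by disable-interpreters.inc)` above line 13. `waf` in `private-bin` (line 46) and `whitelist /usr/share/lua*` (line 29) are also added without a comment naming the component that needs them — waf is normally a build tool, so a note would keep it from being removed later as a leftover.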
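--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smuxi-frontend-gnome
+# Description: Multi protocol chat client with Twitter support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smuxi-frontend-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.config/smuxi
+noblacklist ${HOME}/.local/share/smuxi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/smuxi
+mkdir ${HOME}/.config/smuxi
+mkdir ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.cache/smuxi
+whitelist ${HOME}/.config/smuxi
+whitelist ${HOME}/.local/share/smuxi
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none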
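Review bot: `private-bin` (line 48) includes both `bash` and `sh`, and the include list (lines 13–19) omits the `disable-shell.inc` that the other new profiles in this commit carry, but nothing records why — presumably `smuxi-frontend-gnome` is a shell wrapper that execs `mono`, in which case a comment such as `# smuxi-frontend-gnome is a shell script that starts mono, hence bash/sh in private-bin and no disable-shell.inc` above line 48 would make the intent explicit. If the wrapper is the only reason, listing just the shell it actually uses (`sh` or `bash`, not both) keeps the surface smaller.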
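--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
 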
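Review bot: The comment added on line 8 links to a tutorialspoint page about `void main` versus `int main` in C/C++, which has nothing to do with the three `ignore` lines beneath it, so the reason for disabling the chromium whitelists is effectively undocumented. Whoever revisits this cannot tell what broke or when the ignores can be dropped. `# Disable for now, see <link to the firejail issue or PR that motivated this>` with the real reference, or a one-line description of the breakage, would fix that.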
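--- /dev/null
+++ b/etc/profile-m-z/spectacle.profile
@@ -0,0 +1,64 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment the following lines to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.conf
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none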
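Review bot: The two commented `dbus-user.talk` lines on lines 62-63 give no hint of what uncommenting them enables, so a user hitting a missing feature has no way to connect it to these names; a header such as `# Uncomment the following lines for job-progress and global-shortcut integration (verify which feature needs which name)` above them would do. The same applies to the sharing-services block on lines 9-13: the `#private-etc` entry on line 12 would coexist with the active `private-etc alternatives,fonts,ld.so.conf` on line 56, and since the two lists only combine on firejail versions that merge repeated private-etc lines, the hint should say to add the entries to the existing line (or to spectacle.local) rather than simply uncomment.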
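--- /dev/null
+++ b/etc/profile-m-z/spectral.profile
@@ -0,0 +1,53 @@
+# Firejail profile for spectral
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectral.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ENCOM/Spectral
+noblacklist ${HOME}/.config/ENCOM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ENCOM/Spectral
+mkdir ${HOME}/.config/ENCOM
+whitelist ${HOME}/.cache/ENCOM/Spectral
+whitelist ${HOME}/.config/ENCOM
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin spectral
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none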
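Review bot: Lines 46-47 put `private-cache` before `private-bin spectral`, while every other profile in this commit (spectacle lines 53-54, straw-viewer 51-52, trojita 54-55, smuxi) keeps the private-* block alphabetical with private-bin first. Swapping the two lines to `private-bin spectral` then `private-cache` keeps the layout consistent and makes the diff-style review of these blocks across profiles reliable. This is a style point only; the order has no effect on the sandbox.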
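--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser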
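--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -34,7 +34,7 @@ nonewprivs
 # noroot - see issue #1543
 nosound
 notv
-nou2f
+# nou2f - OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp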
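Review bot: Dropping `nou2f` on line 37 exposes the U2F device nodes to every ssh sandbox, not only to users who have enrolled a FIDO key, so the relaxation is paid by everyone for a feature most invocations do not use. Since the profile already supports local overrides, the new comment could point users without hardware keys back to the tighter setting: `# nou2f - OpenSSH >= 8.2 supports U2F; add nou2f to ssh.local if you do not use hardware keys`. The rest of the profile is outside the hunk, so I cannot see whether private-dev is also set and would interact with this.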
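--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none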
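Review bot: The whitelist block on lines 31-33 pulls in whitelist-common, whitelist-usr-share-common and whitelist-var-common but not whitelist-runuser-common.inc, which the other new profiles in this commit (spectacle, spectral, trojita) include next to the same three. If that is deliberate because the players listed in private-bin on line 51 need more of /run/user than that include allows, a one-line comment saying so would stop it being "fixed" later; otherwise the include should be added. The description on line 2 also reads awkwardly; `# Description: Fork of youtube-viewer that acts as an Invidious frontend` says the same thing.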
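--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none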
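--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 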
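--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -27,6 +27,7 @@ whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -42,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 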
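--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink,packet
+protocol unix,inet,inet6,netlink,packet,bluetooth
 seccomp
 
 disable-mnt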
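Review bot: `bluetooth` is appended to the protocol filter on line 36 without a word on why, while the wireshark change in the same commit at least annotates its protocol line; widening a socket-family filter for a capture tool deserves the same. If the reason is capturing on Bluetooth HCI interfaces (I cannot tell from the hunk), `# bluetooth - needed to capture on hci* interfaces` above the line records it and makes it obvious the entry can be dropped by users who never do that.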
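--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -20,10 +20,10 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
 private-cache
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp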
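Review bot: Neither the `netlink` addition on line 23 nor the `alsa`/`group` additions to private-etc on line 28 say what failed without them, and this profile tree normally records such reasons inline (compare `# writable-run-user and dbus are needed by enigmail` in thunderbird.profile in this commit). Without that, the next hardening pass has no way to know these are required rather than leftovers; a short comment above line 23 such as `# netlink and /etc/group are needed for <feature that broke>` with the real feature filled in would settle it.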
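--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
@@ -58,7 +60,5 @@ novideo
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 
-read-only ${HOME}/.config/mimeapps.list
-
 # Redirect
 include firefox-common.profile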
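Review bot: `ignore whitelist-runuser-common.inc` on line 9 names a command that does not exist, so it matches nothing; the directive that needs suppressing is the include itself, which is how snox.profile in this same commit writes it: `ignore include whitelist-runuser-common.inc`. As written, the include pulled in through the redirect on line 64 (presumably via firefox-common.profile, which is not visible here) still applies, and the writable-run-user requirement noted on line 11 is not met. Changing line 9 to `ignore include whitelist-runuser-common.inc` is the fix.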
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index abbbba6c3..7bb2f3e2d 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile | |||
@@ -28,12 +28,11 @@ mkdir ${HOME}/.config/totem | |||
28 | mkdir ${HOME}/.local/share/totem | 28 | mkdir ${HOME}/.local/share/totem |
29 | whitelist ${HOME}/.config/totem | 29 | whitelist ${HOME}/.config/totem |
30 | whitelist ${HOME}/.local/share/totem | 30 | whitelist ${HOME}/.local/share/totem |
31 | whitelist ${DESKTOP} | 31 | whitelist /usr/share/totem |
32 | whitelist ${DOWNLOADS} | ||
33 | whitelist ${MUSIC} | ||
34 | whitelist ${PICTURES} | ||
35 | whitelist ${VIDEOS} | ||
36 | include whitelist-common.inc | 32 | include whitelist-common.inc |
33 | include whitelist-players.inc | ||
34 | include whitelist-runuser-common.inc | ||
35 | include whitelist-usr-share-common.inc | ||
37 | include whitelist-var-common.inc | 36 | include whitelist-var-common.inc |
38 | 37 | ||
39 | # apparmor - makes settings immutable | 38 | # apparmor - makes settings immutable |
@@ -57,4 +56,4 @@ private-tmp | |||
57 | 56 | ||
58 | # makes settings immutable | 57 | # makes settings immutable |
59 | # dbus-user none | 58 | # dbus-user none |
60 | # dbus-system none | 59 | dbus-system none |
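Review bot: After line 59 activates `dbus-system none`, the header `# makes settings immutable` on line 57 sits above one commented line and one active line, so a reader can no longer tell which option the remark refers to. Folding the reason into the disabled line, `# dbus-user none - makes settings immutable`, directly followed by `dbus-system none`, removes the ambiguity. The earlier hunk's switch to whitelist-players.inc looks fine but I have not checked what that include adds beyond the five directories it replaces.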
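--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 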
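--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -14,6 +14,7 @@ whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+protocol unix,inet,inet6,packet
 
 private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl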
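Review bot: The new `protocol unix,inet,inet6,packet` on line 17 allows AF_PACKET raw sockets, which is broader than the `protocol unix,inet,inet6` that transmission-common.profile carries in this same commit, and the daemon already keeps several capabilities on line 16. If the daemon genuinely needs packet sockets (I cannot see why from the hunk), a comment such as `# packet - needed for <feature>` would justify the difference from the common profile; if not, the line should match transmission-common so the daemon is not the least constrained of the transmission variants.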
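--- /dev/null
+++ b/etc/profile-m-z/trojita.profile
@@ -0,0 +1,63 @@
+# Firejail profile for trojita
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include trojita.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.abook
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/flaska.net/trojita
+noblacklist ${HOME}/.config/flaska.net
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.abook
+mkdir ${HOME}/.cache/flaska.net/trojita
+mkdir ${HOME}/.config/flaska.net
+whitelist ${HOME}/.abook
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/flaska.net/trojita
+whitelist ${HOME}/.config/flaska.net
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin trojita
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini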
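Review bot: `# disable-mnt` on line 52 is left commented with no reason, while the convention in this tree is to say why a hardening option is off next to it (`# noroot - see issue #1543` in ssh.profile in this commit) so nobody re-enables it blindly or, conversely, leaves it off forever. Every other new profile here (spectacle, spectral, straw-viewer) enables disable-mnt, so the exception stands out. If the reason is that attachments on removable or network mounts must stay reachable, `# disable-mnt - keeps attachments on mounted drives reachable` records it; otherwise enabling it would bring the profile in line with its siblings.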
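--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -1,46 +1,6 @@
 # Firejail profile for tshark
 # This file is overwritten after every install/update
 quiet
-# Persistent local customizations
-include tshark.local
-# Persistent global definitions
-include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist /usr/share/wireshark
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-#caps.keep net_raw
-caps.keep dac_override,net_admin,net_raw
-ipc-namespace
-#net tun0
-netfilter
-no3d
-nodvd
-# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
-nosound
-notv
-nou2f
-novideo
-#protocol unix,inet,inet6,netlink,packet
-#seccomp
-
-disable-mnt
-#private
-private-cache
-#private-bin tshark
-private-dev
-private-tmp
+# Redirect
+include wireshark.profile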
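--- /dev/null
+++ b/etc/profile-m-z/twitch.profile
@@ -0,0 +1,36 @@
+# Firejail profile for twitch
+# Description: Unofficial electron based desktop warpper for Twitch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include twitch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Twitch
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Twitch
+whitelist ${HOME}/.config/Twitch
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin twitch
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Twitch
+private-tmp
+
+# Redirect
+include electron.profile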
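Review bot: Line 2 misspells "wrapper"; `# Description: Unofficial electron-based desktop wrapper for Twitch` fixes it. Separately, the disable-* block on lines 11-15 omits disable-common.inc, disable-passwdmgr.inc and disable-programs.inc, which every other new profile in this commit includes; presumably they arrive through the `include electron.profile` redirect on line 36, which is not visible here, and a short `# disable-common, disable-passwdmgr and disable-programs are added by electron.profile` above line 11 (the way xournalpp.profile notes `# added by included profile`) would make that explicit.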
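--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -26,6 +26,7 @@ mkdir ${HOME}/VirtualBox VMs
 whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc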
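--- a/etc/profile-m-z/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
 
 # Redirect
 include vivaldi.profile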
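--- a/etc/profile-m-z/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -2,16 +2,6 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vivaldi-snapshot.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi-snapshot
-
-mkdir ${HOME}/.cache/vivaldi-snapshot
-mkdir ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi-snapshot
 
 # Redirect
-include chromium-common.profile
+include vivaldi.profile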
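--- a/etc/profile-m-z/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-stable
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
 
 # Redirect
 include vivaldi.profile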
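--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -13,16 +13,24 @@ whitelist /var/opt/vivaldi
 writable-var
 
 noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
 noblacklist ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
 whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none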
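Review bot: Moving the vivaldi-snapshot directories into the shared profile (lines 16, 18, 22, 24, 27, 29) means a stable vivaldi sandbox can now read and write the snapshot build's cache and config, and vice versa, whereas before this commit vivaldi-snapshot.profile whitelisted only its own directories; the two installs were isolated from each other and no longer are. If that trade-off is accepted for the sake of one profile, a comment above line 15 such as `# stable and snapshot share one profile, so each sandbox sees both data directories` should say so. The commented `#private-bin` on line 32 also lacks the usual reason suffix (`#private-bin ... - <what breaks>`), so nobody can tell whether it is a to-do or a known breakage.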
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 07a1b5fc0..fc8efe089 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.cache/vlc | 9 | noblacklist ${HOME}/.cache/vlc |
10 | noblacklist ${HOME}/.config/vlc | 10 | noblacklist ${HOME}/.config/vlc |
11 | noblacklist ${HOME}/.config/aacs | ||
11 | noblacklist ${HOME}/.local/share/vlc | 12 | noblacklist ${HOME}/.local/share/vlc |
12 | 13 | ||
13 | include disable-common.inc | 14 | include disable-common.inc |
@@ -23,13 +24,10 @@ mkdir ${HOME}/.config/vlc | |||
23 | mkdir ${HOME}/.local/share/vlc | 24 | mkdir ${HOME}/.local/share/vlc |
24 | whitelist ${HOME}/.cache/vlc | 25 | whitelist ${HOME}/.cache/vlc |
25 | whitelist ${HOME}/.config/vlc | 26 | whitelist ${HOME}/.config/vlc |
27 | whitelist ${HOME}/.config/aacs | ||
26 | whitelist ${HOME}/.local/share/vlc | 28 | whitelist ${HOME}/.local/share/vlc |
27 | whitelist ${DESKTOP} | ||
28 | whitelist ${DOWNLOADS} | ||
29 | whitelist ${MUSIC} | ||
30 | whitelist ${PICTURES} | ||
31 | whitelist ${VIDEOS} | ||
32 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-players.inc | ||
33 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
34 | 32 | ||
35 | #apparmor - on Ubuntu 18.04 it refuses to start without dbus access | 33 | #apparmor - on Ubuntu 18.04 it refuses to start without dbus access |
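Review bot: The `noblacklist ${HOME}/.config/aacs` on line 11 and the matching whitelist on line 27 are inserted after the `vlc` entries, breaking the alphabetical order the rest of the block keeps; placing each before its `.config/vlc` neighbour keeps the list scannable. If vlc only reads the key database stored there and never writes it (worth confirming against libaacs behaviour), a `read-only ${HOME}/.config/aacs` at the end of the profile would keep the sandbox from modifying it while still allowing playback. The second hunk's switch to whitelist-players.inc otherwise mirrors the totem change in this commit.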
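--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -34,6 +34,6 @@ shell none
 tracelog
 
 #disable-mnt
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none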
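Review bot: Commenting out `private-etc` on line 37 gives the sandbox the host's entire /etc without recording why, and the adjacent `#disable-mnt` is equally silent, whereas the convention elsewhere in this tree is `#option - reason`. Stating what failed with the filtered list (e.g. `#private-etc ... - breaks <component> startup, see <issue placeholder>`, filled in with the actual failure, which I cannot infer from the hunk) would let someone restore the option by adding the missing entry instead of leaving it off; usually the missing file is one more name in the list, not a reason to drop the whole filter.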
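--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,6 +7,11 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix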
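Review bot: The hint on line 10 offers "Uncomment" as the first option, but the file header states it is overwritten on every install/update, so an uncommented line is lost at the next upgrade and the user silently returns to the hardened (and for them broken) setting. Since the .local mechanism exists precisely for this, the wording should steer people there only: `# Add the following lines to your w3m.local if you want to use w3m-img on a vconsole`.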
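--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -24,7 +24,10 @@ mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
 whitelist ${HOME}/.cache/warsow-2.1
 whitelist ${HOME}/.local/share/warsow-2.1
+whitelist /usr/share/warsow
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all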
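--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 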
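--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 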
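--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -27,7 +27,7 @@ seccomp !chroot
 shell none
 
 disable-mnt
-private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp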
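--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks network traffic capture for unprivileged users
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+seccomp
 shell none
 tracelog
 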
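Review bot: The new `seccomp` line drops the rationale that sat on the old line (`breaks network traffic capture for unprivileged users`) without recording what changed to make it safe. Firejail applies its seccomp filter together with no_new_privs for unprivileged users, which is what defeats setuid or file-capability capture helpers such as dumpcap; if that was the original reason, the commit should say how capture was verified, e.g. `# seccomp - re-enabled; unprivileged capture via dumpcap verified (see <ISSUE-ID>)`. The `protocol` comment on line 41 now explains why it stays disabled, and a matching note for seccomp keeps the next maintainer from flipping it back on a bug report.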
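--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 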
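--- /dev/null
+++ b/etc/profile-m-z/xournalpp.profile
@@ -0,0 +1,29 @@
+# Firejail profile for xournalpp
+# Description: Handwriting note-taking software with PDF annotation support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournalpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.xournalpp
+
+include allow-lua.inc
+
+whitelist /usr/share/texlive
+whitelist /usr/share/xournalpp
+whitelist /var/lib/texmf
+include whitelist-runuser-common.inc
+
+#mkdir ${HOME}/.xournalpp
+#whitelist ${HOME}/.xournalpp
+#whitelist ${HOME}/.texlive2019
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+
+private-bin kpsewhich,pdflatex,xournalpp
+private-etc latexmk.conf,texlive
+
+# Redirect
+include xournal.profile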
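Review bot: Lines 19-23 of the new profile ship the home-directory whitelist (`#mkdir ${HOME}/.xournalpp`, `#whitelist ${HOME}/.xournalpp`, `#whitelist ${DOCUMENTS}`, `#include whitelist-common.inc`) commented out with no reason given, so ${HOME} stays as visible as the redirect target xournal.profile leaves it. Other profiles in this same commit document such decisions (`# Disable for now, see ...` in zoom.profile); a one-line comment above line 19 such as `# whitelisting ${HOME} breaks <what> - see <ISSUE-ID>` would record why. It is also worth confirming that `whitelist /usr/share/texlive` and `whitelist /var/lib/texmf` cover everything the `pdflatex` in `private-bin` needs, since these lines, together with whatever xournal.profile whitelists, presumably decide what else under those top-level directories remains visible.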
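--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -24,12 +24,8 @@ mkdir ${HOME}/.config/xplayer
 mkdir ${HOME}/.local/share/xplayer
 whitelist ${HOME}/.config/xplayer
 whitelist ${HOME}/.local/share/xplayer
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable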
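--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,6 +5,11 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser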
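Review bot: The comment on new line 8, `# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus`, points at an unrelated C tutorial, so the reason for the three `ignore` lines that follow is lost. It should carry the real reference, `# Disable for now, see <ISSUE-URL>`, or a sentence saying what breaks with the chromium whitelists in place. Since these lines switch off `whitelist /usr/share/chromium` and both the runuser and usr-share whitelist includes, the sandbox presumably regains visibility of /usr/share and the user runtime directory; that widening deserves to be stated in the same comment.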
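--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -20,7 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
+whitelist /usr/share/groff
 whitelist /usr/share/help
+whitelist /usr/share/man
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
@@ -41,14 +43,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin yelp
+private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-system none
@@ -59,3 +62,4 @@ dbus-system none
 # 1. yelp --editor-mode
 # 2. saving the window geometry
 read-only ${HOME}
+read-write ${HOME}/.cache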
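Review bot: The new `read-write ${HOME}/.cache` on line 65 follows `read-only ${HOME}`, whose preceding comment lists exactly what the read-only mount is known to break, but the new exception carries no reason of its own. Presumably man-db or groff needs a writable cache when yelp renders man pages (the same commit adds `groff,man,tbl,troff` to `private-bin` and `groff`/`man_db.conf` to `private-etc`); if so, record it: `# man pages: man-db writes to ${HOME}/.cache`. `private-cache` already mounts a tmpfs on that directory, so also confirm the read-write line is needed on top of it rather than being a leftover from testing.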
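--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 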
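--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,10 +7,6 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-blacklist ${RUNUSER}
-
 noblacklist ${HOME}/.config/youtube-viewer
 
 include allow-perl.inc
@@ -47,11 +43,11 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
-dbus-system none
\ No newline at end of file
+dbus-system none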
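Review bot: Dropping `blacklist /tmp/.X11-unix`, `blacklist ${RUNUSER}/wayland-*` and `blacklist ${RUNUSER}` (old lines 10-12) re-exposes the X11 socket and the whole user runtime directory to the sandbox, and the commit gives no rationale. If the reason is that the now-enabled `private-bin` list includes GUI front ends and players (gtk*-youtube-viewer, mpv, vlc, smplayer, firefox), a comment above `noblacklist ${HOME}/.config/youtube-viewer` such as `# X11 and ${RUNUSER} are needed by the GTK front ends and external players` would make the trade-off visible. The `python*` glob in `private-bin` also admits every python interpreter installed on the host, which is fine if intended but worth a word since the rest of the list uses explicit names.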
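--- /dev/null
+++ b/etc/profile-m-z/youtube.profile
@@ -0,0 +1,37 @@
+# Firejail profile for youtube
+# Description: Unofficial electron based desktop warpper for YouTube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Youtube
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Youtube
+whitelist ${HOME}/.config/Youtube
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Youtube
+private-tmp
+
+# Redirect
+include electron.profile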
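Review bot: Line 2 misspells the description, `# Description: Unofficial electron based desktop warpper for YouTube`; it should read `wrapper`. The same typo is on line 2 of the new youtubemusic-nativefier.profile and ytmdesktop.profile sections below, so all three Description lines want the same one-word fix.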
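--- /dev/null
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -0,0 +1,38 @@
+# Firejail profile for youtubemusic-nativefier
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtubemusic-nativefier
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt youtubemusic-nativefier
+private-tmp
+
+# Redirect
+include electron.profile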
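Review bot: Line 5 reads `include youtube.local`, but every other profile in this commit includes its own `<name>.local` and line 1 names this profile youtubemusic-nativefier, so local customizations for it would have to go into youtube.local and would then also apply to the youtube profile. It should be `include youtubemusic-nativefier.local`. The new ytmdesktop.profile section below has the same copy-paste slip on its line 5 and should read `include ytmdesktop.local`.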
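--- /dev/null
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ytmdesktop
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/youtube-music-desktop-app
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-music-desktop-app
+whitelist ${HOME}/.config/youtube-music-desktop-app
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+# private-bin env,ytmdesktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+# private-opt
+private-tmp
+
+# Redirect
+include electron.profile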
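Review bot: `ignore dbus-user none` on line 9 overrides the `dbus-user none` that the redirect target electron.profile presumably sets, leaving the app with unrestricted access to the session bus, and no comment says which service it needs. If a specific interface is required, `dbus-user filter` with `dbus-user.talk <NAME>` entries would keep the restriction while allowing it; at minimum add `# needed for <reason>` above line 9. Lines 31 and 35 (`# private-bin env,ytmdesktop`, `# private-opt`) are likewise commented out without a reason, unlike the `# Disable for now, see ...` pattern used elsewhere in this commit, and line 16 omits `disable-shell.inc` where the two sibling profiles include it, which may be deliberate for the `env` launcher but also deserves a word.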
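--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zoom
+# Description: Video Conferencing and Web Conferencing Service
 # This file is overwritten after every install/update
 # Persistent local customizations
 include zoom.local
@@ -30,7 +31,7 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
-nogroups
+#nogroups - breaks webcam access (see #3711)
 nonewprivs
 noroot
 notv
@@ -43,5 +44,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+# Disable for now, see https://github.com/netblue30/firejail/issues/3726
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp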
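Review bot: The replaced `private-etc` (old line 46) is now fully commented out on line 48, so the sandbox sees all of /etc until #3726 is resolved; the commented version differs from the old one only by the added `group`, which looks like the intended fix once the issue is closed. Capturing that in the comment saves the next reader from diffing the two lines: `# Disable for now, see https://github.com/netblue30/firejail/issues/3726 - re-enable with 'group' added`. With `nogroups` also disabled on line 34 for webcam access (#3711), both changes relax the profile for the same family of problem, so linking them in one comment would help.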
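--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -110,6 +110,7 @@ include globals.local
 #include disable-passwdmgr.inc
 #include disable-programs.inc
 #include disable-shell.inc
+#include disable-write-mnt.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
@@ -156,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set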
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index ea3b5a6b0..c454887dd 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt | |||
@@ -33,7 +33,7 @@ Definition of groups | |||
33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime | 33 | @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime |
34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old | 34 | @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old |
35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext | 35 | @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext |
36 | @default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup | 36 | @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup |
37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv | 37 | @default-nodebuggers=@default,ptrace,personality,process_vm_readv |
38 | @default-keep=execve,prctl | 38 | @default-keep=execve,prctl |
39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes | 39 | @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes |
@@ -62,15 +62,14 @@ Inheritance of groups | |||
62 | 62 | ||
63 | +---------------+ | 63 | +---------------+ |
64 | | @default-keep | | 64 | | @default-keep | |
65 | | @mount | | ||
66 | +---------------+ | 65 | +---------------+ |
67 | 66 | ||
68 | +----------------+ +---------+ +--------+ +--------------+ | 67 | +----------------+ +---------+ +--------+ +--------------+ |
69 | | @cpu-emulation | | @clock | | @chown | | @aio | | 68 | | @cpu-emulation | | @clock | | @chown | | @aio | |
70 | | @debug | | @module | +--------+ | @basic-io | | 69 | | @debug | | @module | +--------+ | @basic-io | |
71 | | @obsolete | | @raw-io | : : | @file-system | | 70 | | @obsolete | | @raw-io | : : | @file-system | |
72 | +----------------+ | @reboot | : : | @io-event | | 71 | | @mount | | @reboot | : : | @io-event | |
73 | : | @swap | : : | @ipc | | 72 | +----------------+ | @swap | : : | @ipc | |
74 | : +---------+ : : | @keyring | | 73 | : +---------+ : : | @keyring | |
75 | : : : : : | @memlock | | 74 | : : : : : | @memlock | |
76 | : ..............: : : : | @network-io | | 75 | : ..............: : : : | @network-io | |
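Review bot: The rewritten `@default` line (line 36) still carries the fused token `set_mempolicyvmsplice`, which reads as a missing comma between `set_mempolicy` and `vmsplice`; since the line is being edited anyway it should become `...,remap_file_pages,set_mempolicy,vmsplice,userfaultfd,...`, because as written neither name matches a real syscall. If this file mirrors the group table in the seccomp source rather than being parsed from, check whether the same typo exists there. The diagram change moving `@mount` out of the `@default-keep` box into the default column is consistent with the new `@default` list.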
@@ -3,6 +3,8 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set -e | ||
7 | |||
6 | sed "s/VERSION/$1/g" $2 > $3 | 8 | sed "s/VERSION/$1/g" $2 > $3 |
7 | MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` | 9 | MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` |
8 | sed -i "s/MONTH/$MONTH/g" $3 | 10 | sed -i "s/MONTH/$MONTH/g" $3 |
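Review bot: `set -e` is a good addition, but the commands below it still expand `$2` and `$3` unquoted; `sed "s/VERSION/$1/g" "$2" > "$3"` and `sed -i "s/MONTH/$MONTH/g" "$3"` make a path with spaces fail loudly instead of silently writing elsewhere. `$1` is also spliced into the sed expression unescaped, so a version string containing `/` or `&` would break the substitution; that is acceptable for build-system input, but a comment stating the assumption would help. The file header for this hunk is missing from the rendering, so the script's name is not visible here.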
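--- a/platform/debian/control.amd64
+++ b/platform/debian/control.amd64
@@ -1,7 +1,7 @@
 Package: firejail
 Version: FIREJAILVER-1
 Architecture: amd64
-Maintainer: netblue30 <netblue30@yahoo.com>
+Maintainer: netblue30 <netblue30@protonmail.com>
 Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3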
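--- a/platform/debian/control.i386
+++ b/platform/debian/control.i386
@@ -1,7 +1,7 @@
 Package: firejail
 Version: FIREJAILVER-1
 Architecture: i386
-Maintainer: netblue30 <netblue30@yahoo.com>
+Maintainer: netblue30 <netblue30@protonmail.com>
 Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3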
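--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -44,7 +44,7 @@ sed -e "s/__NAME__/${name}/g" \
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
+tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
 
 # Build the files (rpm, debug rpm and source rpm)
 rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}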
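--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
@@ -25,6 +23,8 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
@@ -34,9 +34,10 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
-CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+CFLAGS += $(MANFLAGS)
+CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 ifdef NO_EXTRA_CFLAGS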
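Review bot: The new `MANFLAGS` variable (line 37) collects the `HAVE_*` feature defines and is appended to `CFLAGS` on line 38, but nothing says why it is split out or what else consumes it; a comment such as `# Feature defines shared by the C build and the man page generator` (if that is indeed the consumer the name suggests) would make the intent clear. `$(HAVE_SECCOMP)` and `$(HAVE_SECCOMP_H)` are dropped from `CFLAGS` and from the variable list above, so any `#ifdef HAVE_SECCOMP` guard still left in the sources would now silently compile out; presumably the rest of this large commit removes them, but it is worth a grep before merging. Moving `-pie` out of `CFLAGS` and adding `-fPIE` to `LDFLAGS` (line 40) is a sensible cleanup, and `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2` and `-z relro -z now` remain in place.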
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index beaa5ac46..2a3c282d7 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c | |||
@@ -91,7 +91,7 @@ static char *test_dbus_env(char *env_var_name) { | |||
91 | if (!found) | 91 | if (!found) |
92 | errExit("strdup"); | 92 | errExit("strdup"); |
93 | } | 93 | } |
94 | else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) | 94 | else if (strstr(bus, "tcp:host=") != NULL) |
95 | printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); | 95 | printf("UGLY: %s bus configured for TCP communication.\n", env_var_name); |
96 | else | 96 | else |
97 | printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); | 97 | printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name); |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0574daae6..8794076c6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -70,6 +70,7 @@ autokey-shell | |||
70 | aweather | 70 | aweather |
71 | baloo_file | 71 | baloo_file |
72 | baloo_filemetadata_temp_extractor | 72 | baloo_filemetadata_temp_extractor |
73 | balsa | ||
73 | baobab | 74 | baobab |
74 | barrier | 75 | barrier |
75 | basilisk | 76 | basilisk |
@@ -118,6 +119,8 @@ cheese | |||
118 | cherrytree | 119 | cherrytree |
119 | chromium | 120 | chromium |
120 | chromium-browser | 121 | chromium-browser |
122 | chromium-browser-privacy | ||
123 | chromium-freeworld | ||
121 | cin | 124 | cin |
122 | cinelerra | 125 | cinelerra |
123 | clamdscan | 126 | clamdscan |
@@ -135,6 +138,7 @@ clocks | |||
135 | cmus | 138 | cmus |
136 | code | 139 | code |
137 | code-oss | 140 | code-oss |
141 | cola | ||
138 | com.github.dahenson.agenda | 142 | com.github.dahenson.agenda |
139 | com.github.johnfactotum.Foliate | 143 | com.github.johnfactotum.Foliate |
140 | com.gitlab.newsflash | 144 | com.gitlab.newsflash |
@@ -194,6 +198,7 @@ eog | |||
194 | eom | 198 | eom |
195 | ephemeral | 199 | ephemeral |
196 | #epiphany | 200 | #epiphany |
201 | equalx | ||
197 | et | 202 | et |
198 | etr | 203 | etr |
199 | evince | 204 | evince |
@@ -229,6 +234,7 @@ font-manager | |||
229 | fontforge | 234 | fontforge |
230 | fossamail | 235 | fossamail |
231 | four-in-a-row | 236 | four-in-a-row |
237 | fractal | ||
232 | franz | 238 | franz |
233 | freecad | 239 | freecad |
234 | freecadcmd | 240 | freecadcmd |
@@ -302,6 +308,7 @@ gnome-recipes | |||
302 | gnome-robots | 308 | gnome-robots |
303 | gnome-schedule | 309 | gnome-schedule |
304 | gnome-screenshot | 310 | gnome-screenshot |
311 | gnome-sound-recorder | ||
305 | gnome-sudoku | 312 | gnome-sudoku |
306 | gnome-system-log | 313 | gnome-system-log |
307 | gnome-taquin | 314 | gnome-taquin |
@@ -327,6 +334,7 @@ gradio | |||
327 | gramps | 334 | gramps |
328 | gravity-beams-and-evaporating-stars | 335 | gravity-beams-and-evaporating-stars |
329 | gthumb | 336 | gthumb |
337 | gtk-straw-viewer | ||
330 | gtk-youtube-viewer | 338 | gtk-youtube-viewer |
331 | gtk2-youtube-viewer | 339 | gtk2-youtube-viewer |
332 | gtk3-youtube-viewer | 340 | gtk3-youtube-viewer |
@@ -373,6 +381,7 @@ kalgebra | |||
373 | kalgebramobile | 381 | kalgebramobile |
374 | karbon | 382 | karbon |
375 | kate | 383 | kate |
384 | kazam | ||
376 | kcalc | 385 | kcalc |
377 | # kdeinit4 | 386 | # kdeinit4 |
378 | kdenlive | 387 | kdenlive |
@@ -403,6 +412,7 @@ krita | |||
403 | # krunner | 412 | # krunner |
404 | ktorrent | 413 | ktorrent |
405 | ktouch | 414 | ktouch |
415 | kube | ||
406 | # kwin_x11 | 416 | # kwin_x11 |
407 | kwrite | 417 | kwrite |
408 | leafpad | 418 | leafpad |
@@ -437,6 +447,7 @@ lynx | |||
437 | lyx | 447 | lyx |
438 | macrofusion | 448 | macrofusion |
439 | magicor | 449 | magicor |
450 | # man | ||
440 | manaplus | 451 | manaplus |
441 | masterpdfeditor | 452 | masterpdfeditor |
442 | masterpdfeditor4 | 453 | masterpdfeditor4 |
@@ -455,6 +466,7 @@ megaglest_editor | |||
455 | meld | 466 | meld |
456 | mencoder | 467 | mencoder |
457 | mendeleydesktop | 468 | mendeleydesktop |
469 | menulibre | ||
458 | meteo-qt | 470 | meteo-qt |
459 | midori | 471 | midori |
460 | min | 472 | min |
@@ -462,6 +474,7 @@ mindless | |||
462 | minecraft-launcher | 474 | minecraft-launcher |
463 | minetest | 475 | minetest |
464 | minitube | 476 | minitube |
477 | mirage | ||
465 | mirrormagic | 478 | mirrormagic |
466 | mocp | 479 | mocp |
467 | mousepad | 480 | mousepad |
@@ -502,6 +515,7 @@ mupdf-x11-curl | |||
502 | mupen64plus | 515 | mupen64plus |
503 | muraster | 516 | muraster |
504 | musescore | 517 | musescore |
518 | musictube | ||
505 | musixmatch | 519 | musixmatch |
506 | mutool | 520 | mutool |
507 | mutt | 521 | mutt |
@@ -534,6 +548,7 @@ ocenaudio | |||
534 | odt2txt | 548 | odt2txt |
535 | oggsplt | 549 | oggsplt |
536 | okular | 550 | okular |
551 | onboard | ||
537 | onionshare-gui | 552 | onionshare-gui |
538 | ooffice | 553 | ooffice |
539 | ooviewdoc | 554 | ooviewdoc |
@@ -585,6 +600,7 @@ pragha | |||
585 | presentations18 | 600 | presentations18 |
586 | presentations18free | 601 | presentations18free |
587 | profanity | 602 | profanity |
603 | psi | ||
588 | psi-plus | 604 | psi-plus |
589 | pybitmessage | 605 | pybitmessage |
590 | # pycharm-community - FB note: may enable later | 606 | # pycharm-community - FB note: may enable later |
@@ -600,6 +616,7 @@ qt-faststart | |||
600 | qtox | 616 | qtox |
601 | quadrapassel | 617 | quadrapassel |
602 | quassel | 618 | quassel |
619 | quaternion | ||
603 | quiterss | 620 | quiterss |
604 | qupzilla | 621 | qupzilla |
605 | qutebrowser | 622 | qutebrowser |
@@ -647,11 +664,14 @@ slack | |||
647 | slashem | 664 | slashem |
648 | smplayer | 665 | smplayer |
649 | smtube | 666 | smtube |
667 | smuxi-frontend-gnome | ||
650 | snox | 668 | snox |
651 | soffice | 669 | soffice |
652 | sol | 670 | sol |
653 | sound-juicer | 671 | sound-juicer |
654 | soundconverter | 672 | soundconverter |
673 | spectacle | ||
674 | spectral | ||
655 | spotify | 675 | spotify |
656 | sqlitebrowser | 676 | sqlitebrowser |
657 | ssh | 677 | ssh |
@@ -663,6 +683,7 @@ steam-native | |||
663 | steam-runtime | 683 | steam-runtime |
664 | stellarium | 684 | stellarium |
665 | strawberry | 685 | strawberry |
686 | straw-viewer | ||
666 | strings | 687 | strings |
667 | studio.sh | 688 | studio.sh |
668 | subdownloader | 689 | subdownloader |
@@ -737,10 +758,12 @@ transmission-remote-cli | |||
737 | transmission-remote-gtk | 758 | transmission-remote-gtk |
738 | transmission-show | 759 | transmission-show |
739 | tremulous | 760 | tremulous |
761 | trojita | ||
740 | truecraft | 762 | truecraft |
741 | tshark | 763 | tshark |
742 | tuxguitar | 764 | tuxguitar |
743 | tvbrowser | 765 | tvbrowser |
766 | twitch | ||
744 | udiskie | 767 | udiskie |
745 | uefitool | 768 | uefitool |
746 | uget-gtk | 769 | uget-gtk |
@@ -807,6 +830,7 @@ xonotic-glx | |||
807 | xonotic-sdl | 830 | xonotic-sdl |
808 | xonotic-sdl-wrapper | 831 | xonotic-sdl-wrapper |
809 | xournal | 832 | xournal |
833 | xournalpp | ||
810 | xpdf | 834 | xpdf |
811 | xplayer | 835 | xplayer |
812 | xplayer-audio-preview | 836 | xplayer-audio-preview |
@@ -818,8 +842,11 @@ xreader-thumbnailer | |||
818 | xviewer | 842 | xviewer |
819 | yandex-browser | 843 | yandex-browser |
820 | yelp | 844 | yelp |
845 | youtube | ||
821 | youtube-dl | 846 | youtube-dl |
822 | youtube-viewer | 847 | youtube-viewer |
848 | youtubemusic-nativefier | ||
849 | ytmdesktop | ||
823 | zaproxy | 850 | zaproxy |
824 | zart | 851 | zart |
825 | zathura | 852 | zathura |
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index f88d0a1dd..69d872110 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -105,8 +105,7 @@ void arp_announce(const char *dev, Bridge *br) { | |||
105 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) | 105 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) |
106 | errExit("socket"); | 106 | errExit("socket"); |
107 | 107 | ||
108 | int len; | 108 | if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) |
109 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | ||
110 | errExit("send"); | 109 | errExit("send"); |
111 | fflush(0); | 110 | fflush(0); |
112 | close(sock); | 111 | close(sock); |
@@ -177,8 +176,7 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
177 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) | 176 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) |
178 | errExit("socket"); | 177 | errExit("socket"); |
179 | 178 | ||
180 | int len; | 179 | if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) |
181 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | ||
182 | errExit("send"); | 180 | errExit("send"); |
183 | fflush(0); | 181 | fflush(0); |
184 | 182 | ||
@@ -201,7 +199,7 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
201 | close(sock); | 199 | close(sock); |
202 | return 0; | 200 | return 0; |
203 | } | 201 | } |
204 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | 202 | if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) |
205 | errExit("send"); | 203 | errExit("send"); |
206 | ts.tv_sec = 0; // 0.5 seconds wait time | 204 | ts.tv_sec = 0; // 0.5 seconds wait time |
207 | ts.tv_usec = 500000; | 205 | ts.tv_usec = 500000; |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f6b3b3252..085221464 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -226,7 +226,6 @@ int checkcfg(int val) { | |||
226 | 226 | ||
227 | // seccomp error action | 227 | // seccomp error action |
228 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { | 228 | else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { |
229 | #ifdef HAVE_SECCOMP | ||
230 | if (strcmp(ptr + 21, "kill") == 0) | 229 | if (strcmp(ptr + 21, "kill") == 0) |
231 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; | 230 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; |
232 | else if (strcmp(ptr + 21, "log") == 0) | 231 | else if (strcmp(ptr + 21, "log") == 0) |
@@ -239,9 +238,6 @@ int checkcfg(int val) { | |||
239 | config_seccomp_error_action_str = strdup(ptr + 21); | 238 | config_seccomp_error_action_str = strdup(ptr + 21); |
240 | if (!config_seccomp_error_action_str) | 239 | if (!config_seccomp_error_action_str) |
241 | errExit("strdup"); | 240 | errExit("strdup"); |
242 | #else | ||
243 | warning_feature_disabled("seccomp"); | ||
244 | #endif | ||
245 | } | 241 | } |
246 | 242 | ||
247 | else | 243 | else |
@@ -299,6 +295,14 @@ void print_compiletime_support(void) { | |||
299 | #endif | 295 | #endif |
300 | ); | 296 | ); |
301 | 297 | ||
298 | printf("\t- D-BUS proxy support is %s\n", | ||
299 | #ifdef HAVE_DBUSPROXY | ||
300 | "enabled" | ||
301 | #else | ||
302 | "disabled" | ||
303 | #endif | ||
304 | ); | ||
305 | |||
302 | printf("\t- file and directory whitelisting support is %s\n", | 306 | printf("\t- file and directory whitelisting support is %s\n", |
303 | #ifdef HAVE_WHITELIST | 307 | #ifdef HAVE_WHITELIST |
304 | "enabled" | 308 | "enabled" |
@@ -347,8 +351,8 @@ void print_compiletime_support(void) { | |||
347 | #endif | 351 | #endif |
348 | ); | 352 | ); |
349 | 353 | ||
350 | printf("\t- seccomp-bpf support is %s\n", | 354 | printf("\t- private-cache and tmpfs as user %s\n", |
351 | #ifdef HAVE_SECCOMP | 355 | #ifdef HAVE_USERTMPFS |
352 | "enabled" | 356 | "enabled" |
353 | #else | 357 | #else |
354 | "disabled" | 358 | "disabled" |
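Review bot: The `seccomp-error-action` option is now parsed unconditionally, so a build without seccomp support would silently accept and store a value it cannot honor instead of printing the old `warning_feature_disabled("seccomp")`. If the intent is that seccomp is no longer optional (the `seccomp-bpf support is %s` line also disappears from print_compiletime_support, and the same guards are removed in dbus.c and join.c), a one-line comment above the `else if`, such as `// seccomp is always compiled in; no HAVE_SECCOMP guard needed`, would stop the next reader from re-adding the guard. Separately, the new label `private-cache and tmpfs as user %s` breaks the `... support is %s` pattern of its neighbours; `\t- private-cache and tmpfs as user support is %s\n` reads consistently if anything parses this output.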
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 5fc6c8298..cfa32d1d3 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
28 | #ifndef O_PATH | 28 | #ifndef O_PATH |
29 | # define O_PATH 010000000 | 29 | #define O_PATH 010000000 |
30 | #endif | 30 | #endif |
31 | 31 | ||
32 | 32 | ||
@@ -35,13 +35,12 @@ void fs_check_chroot_dir(void) { | |||
35 | EUID_ASSERT(); | 35 | EUID_ASSERT(); |
36 | assert(cfg.chrootdir); | 36 | assert(cfg.chrootdir); |
37 | if (strstr(cfg.chrootdir, "..") || | 37 | if (strstr(cfg.chrootdir, "..") || |
38 | is_link(cfg.chrootdir) || | 38 | is_link(cfg.chrootdir)) |
39 | !is_dir(cfg.chrootdir)) | ||
40 | goto errout; | 39 | goto errout; |
41 | 40 | ||
42 | // check chroot dirname exists, chrooting into the root directory is not allowed | 41 | // check chroot dirname exists, chrooting into the root directory is not allowed |
43 | char *rpath = realpath(cfg.chrootdir, NULL); | 42 | char *rpath = realpath(cfg.chrootdir, NULL); |
44 | if (rpath == NULL || strcmp(rpath, "/") == 0) | 43 | if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0) |
45 | goto errout; | 44 | goto errout; |
46 | 45 | ||
47 | char *overlay; | 46 | char *overlay; |
@@ -52,6 +51,7 @@ void fs_check_chroot_dir(void) { | |||
52 | exit(1); | 51 | exit(1); |
53 | } | 52 | } |
54 | free(overlay); | 53 | free(overlay); |
54 | |||
55 | cfg.chrootdir = rpath; | 55 | cfg.chrootdir = rpath; |
56 | return; | 56 | return; |
57 | 57 | ||
@@ -60,27 +60,33 @@ errout: | |||
60 | exit(1); | 60 | exit(1); |
61 | } | 61 | } |
62 | 62 | ||
63 | // copy /etc/resolv.conf in chroot directory | 63 | // copy /etc/resolv.conf or /etc/machine-id in chroot directory |
64 | static void copy_resolvconf(int parentfd) { | 64 | static void update_file(int parentfd, const char *relpath) { |
65 | int in = open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC); | 65 | assert(relpath && relpath[0] && relpath[0] != '/'); |
66 | |||
67 | char *abspath; | ||
68 | if (asprintf(&abspath, "/%s", relpath) == -1) | ||
69 | errExit("asprintf"); | ||
70 | int in = open(abspath, O_RDONLY|O_CLOEXEC); | ||
71 | free(abspath); | ||
66 | if (in == -1) | 72 | if (in == -1) |
67 | goto errout; | 73 | goto errout; |
74 | |||
68 | struct stat src; | 75 | struct stat src; |
69 | if (fstat(in, &src) == -1) | 76 | if (fstat(in, &src) == -1) |
70 | errExit("fstat"); | 77 | errExit("fstat"); |
71 | // try to detect if resolv.conf has been bind mounted into the chroot | 78 | // try to detect if file has been bind mounted into the chroot |
72 | // do nothing in this case in order to not unlink the real file | ||
73 | struct stat dst; | 79 | struct stat dst; |
74 | if (fstatat(parentfd, "etc/resolv.conf", &dst, 0) == 0) { | 80 | if (fstatat(parentfd, relpath, &dst, 0) == 0) { |
75 | if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) { | 81 | if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) { |
76 | close(in); | 82 | close(in); |
77 | return; | 83 | return; |
78 | } | 84 | } |
79 | } | 85 | } |
80 | if (arg_debug) | 86 | if (arg_debug) |
81 | printf("Updating /etc/resolv.conf in chroot\n"); | 87 | printf("Updating chroot /%s\n", relpath); |
82 | unlinkat(parentfd, "etc/resolv.conf", 0); | 88 | unlinkat(parentfd, relpath, 0); |
83 | int out = openat(parentfd, "etc/resolv.conf", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 89 | int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
84 | if (out == -1) { | 90 | if (out == -1) { |
85 | close(in); | 91 | close(in); |
86 | goto errout; | 92 | goto errout; |
@@ -92,12 +98,12 @@ static void copy_resolvconf(int parentfd) { | |||
92 | return; | 98 | return; |
93 | 99 | ||
94 | errout: | 100 | errout: |
95 | fwarning("/etc/resolv.conf not initialized\n"); | 101 | fwarning("chroot /%s not initialized\n", relpath); |
96 | } | 102 | } |
97 | 103 | ||
98 | // exit if error | 104 | // exit if error |
99 | static void check_subdir(int parentfd, const char *subdir, int check_writable) { | 105 | static void check_subdir(int parentfd, const char *subdir, int check_writable) { |
100 | assert(subdir); | 106 | assert(subdir && subdir[0] && subdir[0] != '/'); |
101 | struct stat s; | 107 | struct stat s; |
102 | if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) { | 108 | if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) { |
103 | fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir); | 109 | fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir); |
@@ -146,6 +152,7 @@ void fs_chroot(const char *rootdir) { | |||
146 | check_subdir(parentfd, "etc", 1); | 152 | check_subdir(parentfd, "etc", 1); |
147 | check_subdir(parentfd, "proc", 0); | 153 | check_subdir(parentfd, "proc", 0); |
148 | check_subdir(parentfd, "tmp", 0); | 154 | check_subdir(parentfd, "tmp", 0); |
155 | check_subdir(parentfd, "var", 1); | ||
149 | check_subdir(parentfd, "var/tmp", 0); | 156 | check_subdir(parentfd, "var/tmp", 0); |
150 | 157 | ||
151 | // mount-bind a /dev in rootdir | 158 | // mount-bind a /dev in rootdir |
@@ -186,17 +193,54 @@ void fs_chroot(const char *rootdir) { | |||
186 | errExit("mkdir"); | 193 | errExit("mkdir"); |
187 | check_subdir(parentfd, "run", 1); | 194 | check_subdir(parentfd, "run", 1); |
188 | 195 | ||
196 | // pulseaudio; only support for default directory /run/user/$UID/pulse | ||
197 | if (getenv("FIREJAIL_CHROOT_PULSE")) { | ||
198 | char *pulse; | ||
199 | if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) | ||
200 | errExit("asprintf"); | ||
201 | char *orig_pulse = pulse + strlen(cfg.chrootdir); | ||
202 | |||
203 | if (arg_debug) | ||
204 | printf("Mounting %s on chroot %s\n", orig_pulse, orig_pulse); | ||
205 | int src = safe_fd(orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | ||
206 | if (src == -1) { | ||
207 | fprintf(stderr, "Error: cannot open %s\n", orig_pulse); | ||
208 | exit(1); | ||
209 | } | ||
210 | int dst = safe_fd(pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | ||
211 | if (dst == -1) { | ||
212 | fprintf(stderr, "Error: cannot open %s\n", pulse); | ||
213 | exit(1); | ||
214 | } | ||
215 | free(pulse); | ||
216 | |||
217 | char *proc_src, *proc_dst; | ||
218 | if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) | ||
219 | errExit("asprintf"); | ||
220 | if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) | ||
221 | errExit("asprintf"); | ||
222 | if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
223 | errExit("mount bind"); | ||
224 | free(proc_src); | ||
225 | free(proc_dst); | ||
226 | close(src); | ||
227 | close(dst); | ||
228 | |||
229 | // update /etc/machine-id in chroot | ||
230 | update_file(parentfd, "etc/machine-id"); | ||
231 | } | ||
232 | |||
189 | // create /run/firejail directory in chroot | 233 | // create /run/firejail directory in chroot |
190 | if (mkdirat(parentfd, RUN_FIREJAIL_DIR+1, 0755) == -1 && errno != EEXIST) | 234 | if (mkdirat(parentfd, &RUN_FIREJAIL_DIR[1], 0755) == -1 && errno != EEXIST) |
191 | errExit("mkdir"); | 235 | errExit("mkdir"); |
192 | check_subdir(parentfd, RUN_FIREJAIL_DIR+1, 1); | 236 | check_subdir(parentfd, &RUN_FIREJAIL_DIR[1], 1); |
193 | 237 | ||
194 | // create /run/firejail/lib directory in chroot | 238 | // create /run/firejail/lib directory in chroot |
195 | if (mkdirat(parentfd, RUN_FIREJAIL_LIB_DIR+1, 0755) == -1 && errno != EEXIST) | 239 | if (mkdirat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 0755) == -1 && errno != EEXIST) |
196 | errExit("mkdir"); | 240 | errExit("mkdir"); |
197 | check_subdir(parentfd, RUN_FIREJAIL_LIB_DIR+1, 1); | 241 | check_subdir(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 1); |
198 | // mount lib directory into the chroot | 242 | // mount lib directory into the chroot |
199 | fd = openat(parentfd, RUN_FIREJAIL_LIB_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 243 | fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
200 | if (fd == -1) | 244 | if (fd == -1) |
201 | errExit("open"); | 245 | errExit("open"); |
202 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 246 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
@@ -207,11 +251,11 @@ void fs_chroot(const char *rootdir) { | |||
207 | close(fd); | 251 | close(fd); |
208 | 252 | ||
209 | // create /run/firejail/mnt directory in chroot | 253 | // create /run/firejail/mnt directory in chroot |
210 | if (mkdirat(parentfd, RUN_MNT_DIR+1, 0755) == -1 && errno != EEXIST) | 254 | if (mkdirat(parentfd, &RUN_MNT_DIR[1], 0755) == -1 && errno != EEXIST) |
211 | errExit("mkdir"); | 255 | errExit("mkdir"); |
212 | check_subdir(parentfd, RUN_MNT_DIR+1, 1); | 256 | check_subdir(parentfd, &RUN_MNT_DIR[1], 1); |
213 | // mount the current mnt directory into the chroot | 257 | // mount the current mnt directory into the chroot |
214 | fd = openat(parentfd, RUN_MNT_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 258 | fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
215 | if (fd == -1) | 259 | if (fd == -1) |
216 | errExit("open"); | 260 | errExit("open"); |
217 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 261 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
@@ -222,7 +266,7 @@ void fs_chroot(const char *rootdir) { | |||
222 | close(fd); | 266 | close(fd); |
223 | 267 | ||
224 | // update chroot resolv.conf | 268 | // update chroot resolv.conf |
225 | copy_resolvconf(parentfd); | 269 | update_file(parentfd, "etc/resolv.conf"); |
226 | 270 | ||
227 | #ifdef HAVE_GCOV | 271 | #ifdef HAVE_GCOV |
228 | __gcov_flush(); | 272 | __gcov_flush(); |
@@ -244,15 +288,15 @@ void fs_chroot(const char *rootdir) { | |||
244 | if (chroot(oroot) < 0) | 288 | if (chroot(oroot) < 0) |
245 | errExit("chroot"); | 289 | errExit("chroot"); |
246 | 290 | ||
247 | // create all other /run/firejail files and directories | ||
248 | preproc_build_firejail_dir(); | ||
249 | |||
250 | // mount a new proc filesystem | 291 | // mount a new proc filesystem |
251 | if (arg_debug) | 292 | if (arg_debug) |
252 | printf("Mounting /proc filesystem representing the PID namespace\n"); | 293 | printf("Mounting /proc filesystem representing the PID namespace\n"); |
253 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | 294 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
254 | errExit("mounting /proc"); | 295 | errExit("mounting /proc"); |
255 | 296 | ||
297 | // create all other /run/firejail files and directories | ||
298 | preproc_build_firejail_dir(); | ||
299 | |||
256 | // update /var directory in order to support multiple sandboxes running on the same root directory | 300 | // update /var directory in order to support multiple sandboxes running on the same root directory |
257 | // if (!arg_private_dev) | 301 | // if (!arg_private_dev) |
258 | // fs_dev_shm(); | 302 | // fs_dev_shm(); |
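Review bot: The pulseaudio block in fs_chroot is triggered by `FIREJAIL_CHROOT_PULSE`, an environment variable the unprivileged caller controls, and then performs a bind mount into a user-chosen chroot; the two `safe_fd(..., O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)` opens and the `/proc/self/fd/%d` mount endpoints are what keep that bounded, and none of it is stated in the comment. I would document the trust boundary where the block starts, e.g. `// FIREJAIL_CHROOT_PULSE is user-controlled: both endpoints are opened symlink-free via safe_fd before the bind mount`, and say why `update_file(parentfd, "etc/machine-id")` is intentionally limited to this branch. The new `update_file` would also benefit from a header comment naming its contract: the `relpath` assert, the dev/ino comparison that skips files bind-mounted into the chroot, and that `unlinkat` followed by `openat(... O_CREAT|O_EXCL ...)` is what refuses a symlink planted at that path. fs_chroot begins and ends outside these hunks, so I cannot see in what privilege state its caller enters it.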
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 36d110ac7..3cf75ed84 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -17,6 +17,7 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #ifdef HAVE_DBUSPROXY | ||
20 | #include "firejail.h" | 21 | #include "firejail.h" |
21 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
@@ -555,10 +556,9 @@ void dbus_apply_policy(void) { | |||
555 | return; | 556 | return; |
556 | 557 | ||
557 | // --protocol=unix | 558 | // --protocol=unix |
558 | #ifdef HAVE_SECCOMP | ||
559 | if (cfg.protocol && !strstr(cfg.protocol, "unix")) | 559 | if (cfg.protocol && !strstr(cfg.protocol, "unix")) |
560 | return; | 560 | return; |
561 | #endif | ||
562 | 561 | ||
563 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); | 562 | fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); |
564 | } | 563 | } |
564 | #endif // HAVE_DBUSPROXY \ No newline at end of file | ||
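Review bot: The closing `#endif // HAVE_DBUSPROXY` is missing its trailing newline (the diff reports `No newline at end of file`), and with HAVE_DBUSPROXY undefined the whole translation unit becomes empty, which ISO C does not allow and `-Wpedantic` reports. Adding the newline and moving `#include "firejail.h"` above the `#ifdef` keeps the file non-empty in that configuration without any other change. Dropping the `HAVE_SECCOMP` guard around the `--protocol` check in dbus_apply_policy matches the same removal in checkcfg.c and join.c.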
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index 37547a985..456bba91b 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() { | |||
130 | dhcp_waitll(cfg.bridge3.devsandbox); | 130 | dhcp_waitll(cfg.bridge3.devsandbox); |
131 | } | 131 | } |
132 | 132 | ||
133 | void dhcp_start(void) { | 133 | // Temporarily copy dhclient executable under /run/firejail/mnt and start it from there |
134 | // in order to recognize it later in firemon and firetools | ||
135 | void dhcp_store_exec(void) { | ||
134 | if (!any_dhcp()) | 136 | if (!any_dhcp()) |
135 | return; | 137 | return; |
136 | 138 | ||
@@ -144,6 +146,26 @@ void dhcp_start(void) { | |||
144 | } | 146 | } |
145 | } | 147 | } |
146 | 148 | ||
149 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
150 | } | ||
151 | |||
152 | void dhcp_start(void) { | ||
153 | if (!any_dhcp()) | ||
154 | return; | ||
155 | |||
156 | char *dhclient_path = RUN_MNT_DIR "/dhclient";; | ||
157 | struct stat s; | ||
158 | if (stat(dhclient_path, &s) == -1) { | ||
159 | dhclient_path = "/usr/sbin/dhclient"; | ||
160 | if (stat(dhclient_path, &s) == -1) { | ||
161 | fprintf(stderr, "Error: dhclient was not found.\n"); | ||
162 | exit(1); | ||
163 | } | ||
164 | } | ||
165 | |||
166 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); | ||
167 | dhclient_path = RUN_MNT_DIR "/dhclient"; | ||
168 | |||
147 | EUID_ROOT(); | 169 | EUID_ROOT(); |
148 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) | 170 | if (mkdir(RUN_DHCLIENT_DIR, 0700)) |
149 | errExit("mkdir"); | 171 | errExit("mkdir"); |
@@ -163,4 +185,6 @@ void dhcp_start(void) { | |||
163 | exit(1); | 185 | exit(1); |
164 | } | 186 | } |
165 | } | 187 | } |
188 | |||
189 | unlink(dhclient_path); | ||
166 | } | 190 | } |
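Review bot: In dhcp_start the `sbox_run(... PATH_FCOPY ...)` runs unconditionally, so when the first `stat` succeeds `dhclient_path` is already `RUN_MNT_DIR "/dhclient"` and fcopy is asked to copy the file into the directory it already lives in; whether fcopy tolerates copying a file onto itself is not visible here, and at best it is redundant work performed under SBOX_ROOT. The copy belongs in the fallback branch only, and the stray `;;` on the `char *dhclient_path = RUN_MNT_DIR "/dhclient";;` line should go. The `unlink(dhclient_path)` at the end removes the staged binary once the clients are running, which deserves a one-line comment given dhcp_store_exec's header says the copy exists to be recognised later by firemon and firetools. dhcp_store_exec's body between its `return` and the `sbox_run` is outside the hunk.
```c
	char *dhclient_path = RUN_MNT_DIR "/dhclient";
	struct stat s;
	if (stat(dhclient_path, &s) == -1) {
		// not staged by dhcp_store_exec(): copy the system binary under /run/firejail/mnt now
		const char *sys_path = "/usr/sbin/dhclient";
		if (stat(sys_path, &s) == -1) {
			fprintf(stderr, "Error: dhclient was not found.\n");
			exit(1);
		}
		sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", sys_path, RUN_MNT_DIR);
	}
	// … unchanged: mkdir RUN_DHCLIENT_DIR and client start-up …
```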
diff --git a/src/firejail/env.c b/src/firejail/env.c index a8b344544..d74cebb39 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -158,7 +158,7 @@ void env_defaults(void) { | |||
158 | } | 158 | } |
159 | 159 | ||
160 | // set the window title | 160 | // set the window title |
161 | if (!arg_quiet) | 161 | if (!arg_quiet && isatty(STDOUT_FILENO)) |
162 | printf("\033]0;firejail %s\007", cfg.window_title); | 162 | printf("\033]0;firejail %s\007", cfg.window_title); |
163 | 163 | ||
164 | // pass --quiet as an environment variable, in case the command calls further firejailed commands | 164 | // pass --quiet as an environment variable, in case the command calls further firejailed commands |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 85139d75f..6c0ebcd43 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -370,8 +370,9 @@ void check_user_namespace(void); | |||
370 | char *guess_shell(void); | 370 | char *guess_shell(void); |
371 | 371 | ||
372 | // sandbox.c | 372 | // sandbox.c |
373 | #define SANDBOX_DONE '1' | ||
373 | int sandbox(void* sandbox_arg); | 374 | int sandbox(void* sandbox_arg); |
374 | void start_application(int no_sandbox, FILE *fp) __attribute__((noreturn)); | 375 | void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn)); |
375 | void set_apparmor(void); | 376 | void set_apparmor(void); |
376 | 377 | ||
377 | // network_main.c | 378 | // network_main.c |
@@ -866,6 +867,7 @@ void dbus_apply_policy(void); | |||
866 | // dhcp.c | 867 | // dhcp.c |
867 | extern pid_t dhclient4_pid; | 868 | extern pid_t dhclient4_pid; |
868 | extern pid_t dhclient6_pid; | 869 | extern pid_t dhclient6_pid; |
870 | void dhcp_store_exec(void); | ||
869 | void dhcp_start(void); | 871 | void dhcp_start(void); |
870 | 872 | ||
871 | // selinux.c | 873 | // selinux.c |
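Review bot: `SANDBOX_DONE` is the one-byte value that join.c's is_ready_for_join reads from the join file, and `start_application`'s new `set_sandbox_status` parameter is presumably what writes it, but neither carries a comment in the header where every caller will look. I would add `// status byte written to RUN_JOIN_FILE once the sandbox is fully set up; read by is_ready_for_join() in join.c` above the define, and document what `set_sandbox_status` points to and that `NULL` (as passed from join.c) means no status is reported. Anything more specific depends on sandbox.c, which is not in this hunk.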
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 2000ffc62..65f53bf76 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -162,7 +162,13 @@ static void disable_file(OPERATION op, const char *filename) { | |||
162 | } | 162 | } |
163 | else if (op == MOUNT_TMPFS) { | 163 | else if (op == MOUNT_TMPFS) { |
164 | if (S_ISDIR(s.st_mode)) { | 164 | if (S_ISDIR(s.st_mode)) { |
165 | fs_tmpfs(fname, 0); | 165 | if (getuid() && |
166 | (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || | ||
167 | fname[strlen(cfg.homedir)] != '/')) { | ||
168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | ||
169 | exit(1); | ||
170 | } | ||
171 | fs_tmpfs(fname, getuid()); | ||
166 | last_disable = SUCCESSFUL; | 172 | last_disable = SUCCESSFUL; |
167 | } | 173 | } |
168 | else | 174 | else |
@@ -443,7 +449,7 @@ void fs_blacklist(void) { | |||
443 | void fs_tmpfs(const char *dir, unsigned check_owner) { | 449 | void fs_tmpfs(const char *dir, unsigned check_owner) { |
444 | assert(dir); | 450 | assert(dir); |
445 | if (arg_debug) | 451 | if (arg_debug) |
446 | printf("Mounting tmpfs on %s\n", dir); | 452 | printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); |
447 | // get a file descriptor for dir, fails if there is any symlink | 453 | // get a file descriptor for dir, fails if there is any symlink |
448 | int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 454 | int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
449 | if (fd == -1) | 455 | if (fd == -1) |
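Review bot: The new non-root guard in disable_file rejects `fname` equal to `cfg.homedir` itself, because `fname[strlen(cfg.homedir)]` is then `'\0'` rather than `'/'`, so an unprivileged `tmpfs ${HOME}` now fails with `tmpfs outside $HOME is only available for root`, which misdescribes that case; if the exclusion is intentional the message should say so, otherwise the condition should also accept the exact-match case. The comparison is purely textual on `fname`, so a `cfg.homedir` with a trailing slash, or a path that reaches $HOME through a symlink, behaves differently from what the prefix check suggests; `fs_tmpfs` then opens `dir` via safe_fd with O_NOFOLLOW and, judging by the `check owner` debug line, presumably verifies ownership against the passed uid, which is the second layer of this check. A short comment in disable_file naming both layers would make the intent clear. disable_file starts before the hunk.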
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 00edc5f88..3950ea2fd 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -244,6 +244,8 @@ void fs_private_dev(void){ | |||
244 | errExit("mounting /dev/log"); | 244 | errExit("mounting /dev/log"); |
245 | fs_logger("clone /dev/log"); | 245 | fs_logger("clone /dev/log"); |
246 | } | 246 | } |
247 | if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
248 | errExit("blacklisting " RUN_DEVLOG_FILE); | ||
247 | } | 249 | } |
248 | 250 | ||
249 | // bring forward the current /dev/shm directory if necessary | 251 | // bring forward the current /dev/shm directory if necessary |
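Review bot: The `"mode=400,gid=0"` data argument on the new bind mount of RUN_RO_FILE over RUN_DEVLOG_FILE has no effect: mount(2) ignores the filesystemtype and data arguments when MS_BIND is set, so the permissions seen are those of RUN_RO_FILE itself. Passing `NULL` avoids suggesting a restriction that is not applied, unless the string is kept for consistency with other bind mounts in this file. The call also runs unconditionally after the `if` that clones /dev/log, so it relies on RUN_DEVLOG_FILE existing on every path through fs_private_dev; that precondition is established outside this hunk and deserves a one-line comment such as `// hide the /dev/log staging file now that the clone is mounted`.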
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 64444bba2..5cfd33b42 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -378,6 +378,9 @@ void fs_private_lib(void) { | |||
378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail | 378 | // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail |
379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable | 379 | fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable |
380 | 380 | ||
381 | // install libraries needed by fcopy | ||
382 | fslib_install_list(PATH_FCOPY); | ||
383 | |||
381 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", | 384 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
382 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | 385 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); |
383 | 386 | ||
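Review bot: `fslib_install_list(PATH_FCOPY)` is added without saying why fcopy's libraries must be present inside a private-lib sandbox; the dhcp.c change in this same commit invokes PATH_FCOPY from dhcp_start after the sandbox filesystem is built, which looks like the reason, but the comment should state the dependency so the line is not removed as dead weight later. Something like `// fcopy is executed from inside the sandbox by dhcp_start(); make its shared libraries available under private-lib` would do. fs_private_lib starts outside the hunk, so I cannot confirm that the install list is still being accumulated at this point.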
diff --git a/src/firejail/join.c b/src/firejail/join.c index 14eea4612..ca8b8c4bf 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -292,7 +292,7 @@ static void extract_umask(pid_t pid) { | |||
292 | fprintf(stderr, "Error: cannot open umask file\n"); | 292 | fprintf(stderr, "Error: cannot open umask file\n"); |
293 | exit(1); | 293 | exit(1); |
294 | } | 294 | } |
295 | if (fscanf(fp, "%3o", &orig_umask) < 1) { | 295 | if (fscanf(fp, "%o", &orig_umask) != 1) { |
296 | fprintf(stderr, "Error: cannot read umask\n"); | 296 | fprintf(stderr, "Error: cannot read umask\n"); |
297 | exit(1); | 297 | exit(1); |
298 | } | 298 | } |
@@ -303,66 +303,33 @@ static void extract_umask(pid_t pid) { | |||
303 | // it is no firejail sandbox at all, return true if the sandbox is complete | 303 | // it is no firejail sandbox at all, return true if the sandbox is complete |
304 | bool is_ready_for_join(const pid_t pid) { | 304 | bool is_ready_for_join(const pid_t pid) { |
305 | EUID_ASSERT(); | 305 | EUID_ASSERT(); |
306 | // check if a file "ready-for-join" exists | 306 | // check if a file /run/firejail/mnt/join exists |
307 | char *fname; | 307 | char *fname; |
308 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1) | 308 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1) |
309 | errExit("asprintf"); | 309 | errExit("asprintf"); |
310 | EUID_ROOT(); | 310 | EUID_ROOT(); |
311 | FILE *fp = fopen(fname, "re"); | 311 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
312 | EUID_USER(); | 312 | EUID_USER(); |
313 | free(fname); | 313 | free(fname); |
314 | if (!fp) | ||
315 | return false; | ||
316 | // regular file owned by root | ||
317 | int fd = fileno(fp); | ||
318 | if (fd == -1) | 314 | if (fd == -1) |
319 | errExit("fileno"); | 315 | return false; |
320 | struct stat s; | 316 | struct stat s; |
321 | if (fstat(fd, &s) == -1) | 317 | if (fstat(fd, &s) == -1) |
322 | errExit("fstat"); | 318 | errExit("fstat"); |
323 | if (!S_ISREG(s.st_mode) || s.st_uid != 0) { | 319 | if (!S_ISREG(s.st_mode) || s.st_uid != 0) { |
324 | fclose(fp); | 320 | close(fd); |
325 | return false; | 321 | return false; |
326 | } | 322 | } |
327 | // check if it is non-empty | 323 | char status; |
328 | char buf[BUFLEN]; | 324 | if (read(fd, &status, 1) == 1 && status == SANDBOX_DONE) { |
329 | if (fgets(buf, BUFLEN, fp) == NULL) { | 325 | close(fd); |
330 | fclose(fp); | 326 | return true; |
331 | return false; | ||
332 | } | 327 | } |
333 | fclose(fp); | 328 | close(fd); |
334 | // confirm "ready" string was written | 329 | return false; |
335 | if (strcmp(buf, "ready\n") != 0) | ||
336 | return false; | ||
337 | |||
338 | // walk down the process tree a few nodes, there should be no firejail leaf | ||
339 | #define MAXNODES 5 | ||
340 | pid_t current = pid, next; | ||
341 | int i; | ||
342 | for (i = 0; i < MAXNODES; i++) { | ||
343 | if (find_child(current, &next) == 1) { | ||
344 | // found a leaf | ||
345 | EUID_ROOT(); | ||
346 | char *comm = pid_proc_comm(current); | ||
347 | EUID_USER(); | ||
348 | if (!comm) { | ||
349 | fprintf(stderr, "Error: cannot read /proc file\n"); | ||
350 | exit(1); | ||
351 | } | ||
352 | if (strcmp(comm, "firejail") == 0) { | ||
353 | free(comm); | ||
354 | return false; | ||
355 | } | ||
356 | free(comm); | ||
357 | break; | ||
358 | } | ||
359 | current = next; | ||
360 | } | ||
361 | |||
362 | return true; | ||
363 | } | 330 | } |
364 | 331 | ||
365 | #define SNOOZE 100000 // sleep interval in microseconds | 332 | #define SNOOZE 10000 // sleep interval in microseconds |
366 | void check_join_permission(pid_t pid) { | 333 | void check_join_permission(pid_t pid) { |
367 | // check if pid belongs to a fully set up firejail sandbox | 334 | // check if pid belongs to a fully set up firejail sandbox |
368 | unsigned long i; | 335 | unsigned long i; |
@@ -498,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
498 | EUID_ROOT(); | 465 | EUID_ROOT(); |
499 | if (apply_caps == 1) // not available for uid 0 | 466 | if (apply_caps == 1) // not available for uid 0 |
500 | caps_set(caps); | 467 | caps_set(caps); |
501 | #ifdef HAVE_SECCOMP | ||
502 | if (getuid() != 0) | 468 | if (getuid() != 0) |
503 | seccomp_load_file_list(); | 469 | seccomp_load_file_list(); |
504 | #endif | ||
505 | 470 | ||
506 | // mount user namespace or drop privileges | 471 | // mount user namespace or drop privileges |
507 | if (arg_noroot) { // not available for uid 0 | 472 | if (arg_noroot) { // not available for uid 0 |
@@ -580,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
580 | free(display_str); | 545 | free(display_str); |
581 | } | 546 | } |
582 | 547 | ||
548 | #ifdef HAVE_DBUSPROXY | ||
583 | // set D-Bus environment variables | 549 | // set D-Bus environment variables |
584 | struct stat s; | 550 | struct stat s; |
585 | if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) | 551 | if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) |
586 | dbus_set_session_bus_env(); | 552 | dbus_set_session_bus_env(); |
587 | if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) | 553 | if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) |
588 | dbus_set_system_bus_env(); | 554 | dbus_set_system_bus_env(); |
555 | #endif | ||
589 | 556 | ||
590 | start_application(0, NULL); | 557 | start_application(0, NULL); |
591 | 558 | ||
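Review bot: `SNOOZE` shrinks from 100000 to 10000 microseconds, but the loop in check_join_permission that multiplies it (its bound is outside the hunk) is not touched here, so unless that bound was scaled too the total time a `--join` waits for a sandbox to finish setting up drops tenfold; please confirm or adjust the iteration count alongside. In is_ready_for_join the process-tree walk ("there should be no firejail leaf") is removed in favour of the single `SANDBOX_DONE` status byte; a comment such as `// the sandbox writes SANDBOX_DONE to RUN_JOIN_FILE only after setup completes, so no process-tree walk is needed` records why that defence is gone. The file is still accepted only when it is a regular file owned by uid 0, which is what keeps a user-crafted `/proc/PID/root` from passing this check, so that `fstat` test should stay adjacent to the `read`. The `%3o` to `%o` change in extract_umask drops the width limit; with the `!= 1` test that is fine as long as `orig_umask` is an unsigned type matching `%o`, which is not visible here.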
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index ebd65cdd3..e61edf427 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -49,6 +49,7 @@ static void print_file_or_dir(const char *path, const char *fname) { | |||
49 | return; | 49 | return; |
50 | } | 50 | } |
51 | } | 51 | } |
52 | free(name); | ||
52 | 53 | ||
53 | // permissions | 54 | // permissions |
54 | if (S_ISLNK(s.st_mode)) | 55 | if (S_ISLNK(s.st_mode)) |
@@ -172,10 +173,11 @@ static void print_directory(const char *path) { | |||
172 | if (n < 0) | 173 | if (n < 0) |
173 | errExit("scandir"); | 174 | errExit("scandir"); |
174 | else { | 175 | else { |
175 | for (i = 0; i < n; i++) { | 176 | for (i = 0; i < n; i++) |
176 | print_file_or_dir(path, namelist[i]->d_name); | 177 | print_file_or_dir(path, namelist[i]->d_name); |
178 | // get rid of false psitive reported by GCC -fanalyze | ||
179 | for (i = 0; i < n; i++) | ||
177 | free(namelist[i]); | 180 | free(namelist[i]); |
178 | } | ||
179 | } | 181 | } |
180 | free(namelist); | 182 | free(namelist); |
181 | } | 183 | } |
@@ -333,35 +335,23 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
333 | errExit("asprintf"); | 335 | errExit("asprintf"); |
334 | 336 | ||
335 | if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) { | 337 | if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) { |
336 | pid_t child = fork(); | 338 | EUID_ROOT(); |
337 | if (child < 0) | 339 | // chroot |
338 | errExit("fork"); | 340 | if (chroot(rootdir) < 0) |
339 | if (child == 0) { | 341 | errExit("chroot"); |
340 | EUID_ROOT(); | 342 | if (chdir("/") < 0) |
341 | // chroot | 343 | errExit("chdir"); |
342 | if (chroot(rootdir) < 0) | ||
343 | errExit("chroot"); | ||
344 | if (chdir("/") < 0) | ||
345 | errExit("chdir"); | ||
346 | 344 | ||
347 | // drop privileges | 345 | // drop privileges |
348 | drop_privs(0); | 346 | drop_privs(0); |
349 | 347 | ||
350 | if (op == SANDBOX_FS_LS) | 348 | if (op == SANDBOX_FS_LS) |
351 | ls(fname1); | 349 | ls(fname1); |
352 | else | 350 | else |
353 | cat(fname1); | 351 | cat(fname1); |
354 | #ifdef HAVE_GCOV | 352 | #ifdef HAVE_GCOV |
355 | __gcov_flush(); | 353 | __gcov_flush(); |
356 | #endif | 354 | #endif |
357 | _exit(0); | ||
358 | } | ||
359 | // wait for the child to finish | ||
360 | int status = 0; | ||
361 | waitpid(child, &status, 0); | ||
362 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0); | ||
363 | else | ||
364 | exit(1); | ||
365 | } | 355 | } |
366 | // get file from host and store it in the sandbox | 356 | // get file from host and store it in the sandbox |
367 | else if (op == SANDBOX_FS_PUT && path2) { | 357 | else if (op == SANDBOX_FS_PUT && path2) { |
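Review bot: With the fork removed, sandboxfs() itself now calls chroot(rootdir) and drop_privs(0) at new lines 340-346, so whatever follows this if/else chain in the function (its tail is outside the hunk) and whatever the caller does after sandboxfs() returns now executes inside the sandbox root with privileges permanently dropped, whereas before only a throwaway child was affected and the parent turned any failure into exit(1). Nothing in the hunk guarantees the caller exits immediately, and the old non-zero exit status for a failing child is gone, so any host-side cleanup done later in this process would silently run against the chroot. Unless the caller is known to exit right away, end the branch with `exit(0);` after the gcov flush (the role the old `_exit(0)` played) and put a comment at the chroot such as `// no fork here: this process stays chrooted and unprivileged from this point on`.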
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index e52a7a430..2623d794f 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -208,7 +208,11 @@ char *expand_macros(const char *path) { | |||
208 | 208 | ||
209 | // Replace home macro | 209 | // Replace home macro |
210 | char *new_name = NULL; | 210 | char *new_name = NULL; |
211 | if (strncmp(path, "${HOME}", 7) == 0) { | 211 | if (strncmp(path, "$HOME", 5) == 0) { |
212 | fprintf(stderr, "Error: $HOME is not allowed in profile files, please replace it with ${HOME}\n"); | ||
213 | exit(1); | ||
214 | } | ||
215 | else if (strncmp(path, "${HOME}", 7) == 0) { | ||
212 | if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1) | 216 | if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1) |
213 | errExit("asprintf"); | 217 | errExit("asprintf"); |
214 | if(called_as_root) | 218 | if(called_as_root) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index df890ecea..676d04895 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -175,7 +175,9 @@ static void myexit(int rv) { | |||
175 | 175 | ||
176 | 176 | ||
177 | // delete sandbox files in shared memory | 177 | // delete sandbox files in shared memory |
178 | #ifdef HAVE_DBUSPROXY | ||
178 | dbus_proxy_stop(); | 179 | dbus_proxy_stop(); |
180 | #endif | ||
179 | EUID_ROOT(); | 181 | EUID_ROOT(); |
180 | delete_run_files(sandbox_pid); | 182 | delete_run_files(sandbox_pid); |
181 | appimage_clear(); | 183 | appimage_clear(); |
@@ -479,7 +481,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
479 | //************************************* | 481 | //************************************* |
480 | // independent commands - the program will exit! | 482 | // independent commands - the program will exit! |
481 | //************************************* | 483 | //************************************* |
482 | #ifdef HAVE_SECCOMP | ||
483 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 484 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
484 | if (checkcfg(CFG_SECCOMP)) { | 485 | if (checkcfg(CFG_SECCOMP)) { |
485 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); | 486 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); |
@@ -529,7 +530,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
529 | exit_err_feature("seccomp"); | 530 | exit_err_feature("seccomp"); |
530 | exit(0); | 531 | exit(0); |
531 | } | 532 | } |
532 | #endif | ||
533 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { | 533 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { |
534 | pid_t pid = require_pid(argv[i] + 16); | 534 | pid_t pid = require_pid(argv[i] + 16); |
535 | 535 | ||
@@ -888,19 +888,20 @@ char *guess_shell(void) { | |||
888 | return shell; | 888 | return shell; |
889 | } | 889 | } |
890 | 890 | ||
891 | // return argument index | ||
891 | static int check_arg(int argc, char **argv, const char *argument, int strict) { | 892 | static int check_arg(int argc, char **argv, const char *argument, int strict) { |
892 | int i; | 893 | int i; |
893 | int found = 0; | 894 | int found = 0; |
894 | for (i = 1; i < argc; i++) { | 895 | for (i = 1; i < argc; i++) { |
895 | if (strict) { | 896 | if (strict) { |
896 | if (strcmp(argv[i], argument) == 0) { | 897 | if (strcmp(argv[i], argument) == 0) { |
897 | found = 1; | 898 | found = i; |
898 | break; | 899 | break; |
899 | } | 900 | } |
900 | } | 901 | } |
901 | else { | 902 | else { |
902 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { | 903 | if (strncmp(argv[i], argument, strlen(argument)) == 0) { |
903 | found = 1; | 904 | found = i; |
904 | break; | 905 | break; |
905 | } | 906 | } |
906 | } | 907 | } |
@@ -950,7 +951,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b | |||
950 | (void) native; | 951 | (void) native; |
951 | } | 952 | } |
952 | 953 | ||
953 | #ifdef HAVE_SECCOMP | ||
954 | static int check_postexec(const char *list) { | 954 | static int check_postexec(const char *list) { |
955 | char *prelist, *postlist; | 955 | char *prelist, *postlist; |
956 | 956 | ||
@@ -961,7 +961,6 @@ static int check_postexec(const char *list) { | |||
961 | } | 961 | } |
962 | return 0; | 962 | return 0; |
963 | } | 963 | } |
964 | #endif | ||
965 | 964 | ||
966 | //******************************************* | 965 | //******************************************* |
967 | // Main program | 966 | // Main program |
@@ -1005,17 +1004,21 @@ int main(int argc, char **argv, char **envp) { | |||
1005 | fprintf(stderr, "Error: too long arguments\n"); | 1004 | fprintf(stderr, "Error: too long arguments\n"); |
1006 | exit(1); | 1005 | exit(1); |
1007 | } | 1006 | } |
1007 | // Also remove requested environment variables | ||
1008 | // entirely to avoid tripping the length check below | ||
1009 | if (strncmp(argv[i], "--rmenv=", 8) == 0) | ||
1010 | unsetenv(argv[i] + 8); | ||
1008 | } | 1011 | } |
1009 | 1012 | ||
1010 | // sanity check for environment variables | 1013 | // sanity check for environment variables |
1011 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { | 1014 | for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { |
1012 | if (strlen(*ptr) >= MAX_ENV_LEN) { | 1015 | if (strlen(*ptr) >= MAX_ENV_LEN) { |
1013 | fprintf(stderr, "Error: too long environment variables\n"); | 1016 | fprintf(stderr, "Error: too long environment variables, please use --rmenv\n"); |
1014 | exit(1); | 1017 | exit(1); |
1015 | } | 1018 | } |
1016 | } | 1019 | } |
1017 | if (i >= MAX_ENVS) { | 1020 | if (i >= MAX_ENVS) { |
1018 | fprintf(stderr, "Error: too many environment variables\n"); | 1021 | fprintf(stderr, "Error: too many environment variables, please use --rmenv\n"); |
1019 | exit(1); | 1022 | exit(1); |
1020 | } | 1023 | } |
1021 | 1024 | ||
@@ -1048,6 +1051,19 @@ int main(int argc, char **argv, char **envp) { | |||
1048 | } | 1051 | } |
1049 | EUID_USER(); | 1052 | EUID_USER(); |
1050 | 1053 | ||
1054 | // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) | ||
1055 | // these paths are disabled in disable-common.inc | ||
1056 | if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { | ||
1057 | if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { | ||
1058 | profile_add("noblacklist /sbin"); | ||
1059 | profile_add("noblacklist /usr/sbin"); | ||
1060 | } | ||
1061 | } | ||
1062 | |||
1063 | // for appimages we need to remove "include disable-shell.inc from the profile | ||
1064 | // a --profile command can show up before --appimage | ||
1065 | if (check_arg(argc, argv, "--appimage", 1)) | ||
1066 | arg_appimage = 1; | ||
1051 | 1067 | ||
1052 | // process allow-debuggers | 1068 | // process allow-debuggers |
1053 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { | 1069 | if (check_arg(argc, argv, "--allow-debuggers", 1)) { |
@@ -1264,11 +1280,10 @@ int main(int argc, char **argv, char **envp) { | |||
1264 | else if (strcmp(argv[i], "--apparmor") == 0) | 1280 | else if (strcmp(argv[i], "--apparmor") == 0) |
1265 | arg_apparmor = 1; | 1281 | arg_apparmor = 1; |
1266 | #endif | 1282 | #endif |
1267 | #ifdef HAVE_SECCOMP | ||
1268 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1283 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1269 | if (checkcfg(CFG_SECCOMP)) { | 1284 | if (checkcfg(CFG_SECCOMP)) { |
1270 | if (cfg.protocol) { | 1285 | if (cfg.protocol) { |
1271 | fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); | 1286 | fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); |
1272 | } | 1287 | } |
1273 | else { | 1288 | else { |
1274 | // store list | 1289 | // store list |
@@ -1402,7 +1417,6 @@ int main(int argc, char **argv, char **envp) { | |||
1402 | } else | 1417 | } else |
1403 | exit_err_feature("seccomp"); | 1418 | exit_err_feature("seccomp"); |
1404 | } | 1419 | } |
1405 | #endif | ||
1406 | else if (strcmp(argv[i], "--caps") == 0) { | 1420 | else if (strcmp(argv[i], "--caps") == 0) { |
1407 | arg_caps_default_filter = 1; | 1421 | arg_caps_default_filter = 1; |
1408 | arg_caps_cmdline = 1; | 1422 | arg_caps_cmdline = 1; |
@@ -1713,6 +1727,34 @@ int main(int argc, char **argv, char **envp) { | |||
1713 | } | 1727 | } |
1714 | } | 1728 | } |
1715 | #endif | 1729 | #endif |
1730 | else if (strncmp(argv[i], "--include=", 10) == 0) { | ||
1731 | char *ppath = expand_macros(argv[i] + 10); | ||
1732 | if (!ppath) | ||
1733 | errExit("strdup"); | ||
1734 | |||
1735 | char *ptr = ppath; | ||
1736 | while (*ptr != '/' && *ptr != '\0') | ||
1737 | ptr++; | ||
1738 | if (*ptr == '\0') { | ||
1739 | if (access(ppath, R_OK)) { | ||
1740 | profile_read(ppath); | ||
1741 | } | ||
1742 | else { | ||
1743 | // ppath contains no '/' and is not a local file, assume it's a name | ||
1744 | int rv = profile_find_firejail(ppath, 0); | ||
1745 | if (!rv) { | ||
1746 | fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath); | ||
1747 | exit(1); | ||
1748 | } | ||
1749 | } | ||
1750 | } | ||
1751 | else { | ||
1752 | // ppath contains a '/', assume it's a path | ||
1753 | profile_read(ppath); | ||
1754 | } | ||
1755 | |||
1756 | free(ppath); | ||
1757 | } | ||
1716 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1758 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
1717 | // multiple profile files are allowed! | 1759 | // multiple profile files are allowed! |
1718 | 1760 | ||
@@ -1958,12 +2000,14 @@ int main(int argc, char **argv, char **envp) { | |||
1958 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 2000 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
1959 | arg_private_tmp = 1; | 2001 | arg_private_tmp = 1; |
1960 | } | 2002 | } |
2003 | #ifdef HAVE_USERTMPFS | ||
1961 | else if (strcmp(argv[i], "--private-cache") == 0) { | 2004 | else if (strcmp(argv[i], "--private-cache") == 0) { |
1962 | if (checkcfg(CFG_PRIVATE_CACHE)) | 2005 | if (checkcfg(CFG_PRIVATE_CACHE)) |
1963 | arg_private_cache = 1; | 2006 | arg_private_cache = 1; |
1964 | else | 2007 | else |
1965 | exit_err_feature("private-cache"); | 2008 | exit_err_feature("private-cache"); |
1966 | } | 2009 | } |
2010 | #endif | ||
1967 | else if (strcmp(argv[i], "--private-cwd") == 0) { | 2011 | else if (strcmp(argv[i], "--private-cwd") == 0) { |
1968 | cfg.cwd = NULL; | 2012 | cfg.cwd = NULL; |
1969 | arg_private_cwd = 1; | 2013 | arg_private_cwd = 1; |
@@ -2029,6 +2073,11 @@ int main(int argc, char **argv, char **envp) { | |||
2029 | arg_dbus_user = DBUS_POLICY_BLOCK; | 2073 | arg_dbus_user = DBUS_POLICY_BLOCK; |
2030 | arg_dbus_system = DBUS_POLICY_BLOCK; | 2074 | arg_dbus_system = DBUS_POLICY_BLOCK; |
2031 | } | 2075 | } |
2076 | |||
2077 | //************************************* | ||
2078 | // D-BUS proxy | ||
2079 | //************************************* | ||
2080 | #ifdef HAVE_DBUSPROXY | ||
2032 | else if (strncmp("--dbus-user=", argv[i], 12) == 0) { | 2081 | else if (strncmp("--dbus-user=", argv[i], 12) == 0) { |
2033 | if (strcmp("filter", argv[i] + 12) == 0) { | 2082 | if (strcmp("filter", argv[i] + 12) == 0) { |
2034 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { | 2083 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { |
@@ -2166,6 +2215,7 @@ int main(int argc, char **argv, char **envp) { | |||
2166 | } | 2215 | } |
2167 | arg_dbus_log_system = 1; | 2216 | arg_dbus_log_system = 1; |
2168 | } | 2217 | } |
2218 | #endif | ||
2169 | 2219 | ||
2170 | //************************************* | 2220 | //************************************* |
2171 | // network | 2221 | // network |
@@ -2534,6 +2584,7 @@ int main(int argc, char **argv, char **envp) { | |||
2534 | cfg.timeout = extract_timeout(argv[i] + 10); | 2584 | cfg.timeout = extract_timeout(argv[i] + 10); |
2535 | else if (strcmp(argv[i], "--audit") == 0) { | 2585 | else if (strcmp(argv[i], "--audit") == 0) { |
2536 | arg_audit_prog = LIBDIR "/firejail/faudit"; | 2586 | arg_audit_prog = LIBDIR "/firejail/faudit"; |
2587 | profile_add_ignore("shell none"); | ||
2537 | arg_audit = 1; | 2588 | arg_audit = 1; |
2538 | } | 2589 | } |
2539 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | 2590 | else if (strncmp(argv[i], "--audit=", 8) == 0) { |
@@ -2550,6 +2601,7 @@ int main(int argc, char **argv, char **envp) { | |||
2550 | fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); | 2601 | fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); |
2551 | exit(1); | 2602 | exit(1); |
2552 | } | 2603 | } |
2604 | profile_add_ignore("shell none"); | ||
2553 | arg_audit = 1; | 2605 | arg_audit = 1; |
2554 | } | 2606 | } |
2555 | else if (strcmp(argv[i], "--appimage") == 0) | 2607 | else if (strcmp(argv[i], "--appimage") == 0) |
@@ -2783,10 +2835,9 @@ int main(int argc, char **argv, char **envp) { | |||
2783 | // check network configuration options - it will exit if anything went wrong | 2835 | // check network configuration options - it will exit if anything went wrong |
2784 | net_check_cfg(); | 2836 | net_check_cfg(); |
2785 | 2837 | ||
2786 | #ifdef HAVE_SECCOMP | ||
2787 | if (arg_seccomp) | 2838 | if (arg_seccomp) |
2788 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); | 2839 | arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); |
2789 | #endif | 2840 | |
2790 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | 2841 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; |
2791 | if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) | 2842 | if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) |
2792 | fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); | 2843 | fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); |
@@ -2851,6 +2902,7 @@ int main(int argc, char **argv, char **envp) { | |||
2851 | } | 2902 | } |
2852 | EUID_USER(); | 2903 | EUID_USER(); |
2853 | 2904 | ||
2905 | #ifdef HAVE_DBUSPROXY | ||
2854 | if (checkcfg(CFG_DBUS)) { | 2906 | if (checkcfg(CFG_DBUS)) { |
2855 | dbus_check_profile(); | 2907 | dbus_check_profile(); |
2856 | if (arg_dbus_user == DBUS_POLICY_FILTER || | 2908 | if (arg_dbus_user == DBUS_POLICY_FILTER || |
@@ -2860,6 +2912,7 @@ int main(int argc, char **argv, char **envp) { | |||
2860 | EUID_USER(); | 2912 | EUID_USER(); |
2861 | } | 2913 | } |
2862 | } | 2914 | } |
2915 | #endif | ||
2863 | 2916 | ||
2864 | // clone environment | 2917 | // clone environment |
2865 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; | 2918 | int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; |
@@ -3033,17 +3086,27 @@ int main(int argc, char **argv, char **envp) { | |||
3033 | // end of signal-safe code | 3086 | // end of signal-safe code |
3034 | //***************************** | 3087 | //***************************** |
3035 | 3088 | ||
3089 | #if 0 | ||
3090 | // at this point the sandbox was closed and we are on our way out | ||
3091 | // it would make sense to move this before waitpid above to free some memory | ||
3092 | // crash for now as of issue #3662 from dhcp code | ||
3036 | // free globals | 3093 | // free globals |
3037 | if (cfg.profile) { | 3094 | if (cfg.profile) { |
3038 | ProfileEntry *prf = cfg.profile; | 3095 | ProfileEntry *prf = cfg.profile; |
3039 | while (prf != NULL) { | 3096 | while (prf != NULL) { |
3040 | ProfileEntry *next = prf->next; | 3097 | ProfileEntry *next = prf->next; |
3041 | free(prf->data); | 3098 | printf("data #%s#\n", prf->data); |
3042 | free(prf->link); | 3099 | if (prf->data) |
3100 | free(prf->data); | ||
3101 | printf("link #%s#\n", prf->link); | ||
3102 | if (prf->link) | ||
3103 | free(prf->link); | ||
3043 | free(prf); | 3104 | free(prf); |
3044 | prf = next; | 3105 | prf = next; |
3045 | } | 3106 | } |
3046 | } | 3107 | } |
3108 | #endif | ||
3109 | |||
3047 | 3110 | ||
3048 | if (WIFEXITED(status)){ | 3111 | if (WIFEXITED(status)){ |
3049 | myexit(WEXITSTATUS(status)); | 3112 | myexit(WEXITSTATUS(status)); |
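Review bot: The new `--include=` handling at new lines 1739-1741 has its condition inverted: access() returns 0 on success, so `if (access(ppath, R_OK))` calls profile_read() precisely when the file is not readable and falls into the name lookup when a readable local file does exist, the opposite of what the comment on line 1743 describes; change it to `if (access(ppath, R_OK) == 0)`. Separately, `check_arg(argc, argv, "--ip", 0)` at line 1056 is a prefix match that returns the first hit and stops, so if any other argument beginning with `--ip` precedes `--ip=dhcp` the dhcp case is never detected and /sbin stays blacklisted; a strict match such as `check_arg(argc, argv, "--ip=dhcp", 1)` avoids that. The `#if 0`'d cleanup at lines 3089-3108 also carries `printf("data #%s#\n", ...)` debug output that should not survive into a re-enabled version.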
diff --git a/src/firejail/netns.c b/src/firejail/netns.c index 104453376..7ccff3265 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c | |||
@@ -60,7 +60,7 @@ void check_netns(const char *nsname) { | |||
60 | nsname, control_file, strerror(errno)); | 60 | nsname, control_file, strerror(errno)); |
61 | exit(1); | 61 | exit(1); |
62 | } | 62 | } |
63 | if (!S_ISREG(st.st_mode)) { | 63 | if (!S_ISREG(st.st_mode) && !S_ISLNK(st.st_mode)) { |
64 | fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n", | 64 | fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n", |
65 | nsname, control_file); | 65 | nsname, control_file); |
66 | exit(1); | 66 | exit(1); |
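Review bot: The relaxed test at new line 63 now lets a symlink through as the netns control file, but the message on line 64 still says "not a regular file", so a socket or directory is rejected with text that no longer matches the rule; change it to `"Error: invalid netns '%s' (%s: not a regular file or symlink)\n"`. Whether `st` was filled by stat() or lstat() is outside the hunk: with stat() the link is already followed and `S_ISLNK` can never be true, making the new clause dead code, while with lstat() a symlink is accepted without its target ever being checked. In the lstat() case the target should be stat()'ed and required to be a regular file rather than trusting the link itself. check_netns() begins before this hunk.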
diff --git a/src/firejail/network.c b/src/firejail/network.c index aa05e3bd0..8cdf04947 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -183,7 +183,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { | |||
183 | int sock; | 183 | int sock; |
184 | struct rtentry route; | 184 | struct rtentry route; |
185 | struct sockaddr_in *addr; | 185 | struct sockaddr_in *addr; |
186 | int err = 0; | ||
187 | 186 | ||
188 | // create the socket | 187 | // create the socket |
189 | if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) | 188 | if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) |
@@ -205,7 +204,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { | |||
205 | 204 | ||
206 | route.rt_flags = RTF_UP | RTF_GATEWAY; | 205 | route.rt_flags = RTF_UP | RTF_GATEWAY; |
207 | route.rt_metric = 0; | 206 | route.rt_metric = 0; |
208 | if ((err = ioctl(sock, SIOCADDRT, &route)) != 0) { | 207 | if (ioctl(sock, SIOCADDRT, &route) != 0) { |
209 | close(sock); | 208 | close(sock); |
210 | return -1; | 209 | return -1; |
211 | } | 210 | } |
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index f03d98e29..5de704bef 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -45,6 +45,7 @@ static void init_paths(void) { | |||
45 | paths = calloc(path_cnt, sizeof(char *)); | 45 | paths = calloc(path_cnt, sizeof(char *)); |
46 | if (!paths) | 46 | if (!paths) |
47 | errExit("calloc"); | 47 | errExit("calloc"); |
48 | memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer | ||
48 | 49 | ||
49 | // fill in 'paths' with pointers to elements of 'path' | 50 | // fill in 'paths' with pointers to elements of 'path' |
50 | unsigned int i = 0, j; | 51 | unsigned int i = 0, j; |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index c0b09e945..836526593 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) { | |||
103 | if (arg_tracefile) | 103 | if (arg_tracefile) |
104 | fs_tracefile(); | 104 | fs_tracefile(); |
105 | 105 | ||
106 | #ifdef HAVE_SECCOMP | ||
107 | create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); | 106 | create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); |
108 | 107 | ||
109 | if (arg_seccomp_block_secondary) | 108 | if (arg_seccomp_block_secondary) |
@@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) { | |||
132 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); | 131 | create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); |
133 | if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) | 132 | if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) |
134 | errExit("set_perms"); | 133 | errExit("set_perms"); |
135 | #endif | ||
136 | } | 134 | } |
137 | } | 135 | } |
138 | 136 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 970033899..5ddf6fdbb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
327 | return 0; | 327 | return 0; |
328 | } | 328 | } |
329 | else if (strcmp(ptr, "seccomp") == 0) { | 329 | else if (strcmp(ptr, "seccomp") == 0) { |
330 | #ifdef HAVE_SECCOMP | ||
331 | if (checkcfg(CFG_SECCOMP)) | 330 | if (checkcfg(CFG_SECCOMP)) |
332 | arg_seccomp = 1; | 331 | arg_seccomp = 1; |
333 | else | 332 | else |
334 | warning_feature_disabled("seccomp"); | 333 | warning_feature_disabled("seccomp"); |
335 | #endif | ||
336 | return 0; | 334 | return 0; |
337 | } | 335 | } |
338 | else if (strcmp(ptr, "caps") == 0) { | 336 | else if (strcmp(ptr, "caps") == 0) { |
@@ -385,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
385 | return 0; | 383 | return 0; |
386 | } | 384 | } |
387 | else if (strcmp(ptr, "private-cache") == 0) { | 385 | else if (strcmp(ptr, "private-cache") == 0) { |
386 | #ifdef HAVE_USERTMPFS | ||
388 | if (checkcfg(CFG_PRIVATE_CACHE)) | 387 | if (checkcfg(CFG_PRIVATE_CACHE)) |
389 | arg_private_cache = 1; | 388 | arg_private_cache = 1; |
390 | else | 389 | else |
391 | warning_feature_disabled("private-cache"); | 390 | warning_feature_disabled("private-cache"); |
391 | #endif | ||
392 | return 0; | 392 | return 0; |
393 | } | 393 | } |
394 | else if (strcmp(ptr, "private-dev") == 0) { | 394 | else if (strcmp(ptr, "private-dev") == 0) { |
@@ -404,7 +404,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
404 | return 0; | 404 | return 0; |
405 | } | 405 | } |
406 | else if (strcmp(ptr, "nogroups") == 0) { | 406 | else if (strcmp(ptr, "nogroups") == 0) { |
407 | arg_nogroups = 1; | 407 | // nvidia cards require video group; disable nogroups |
408 | if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { | ||
409 | fwarning("Warning: NVIDIA card detected, nogroups command disabled\n"); | ||
410 | arg_nogroups = 0; | ||
411 | } | ||
412 | else | ||
413 | arg_nogroups = 1; | ||
408 | return 0; | 414 | return 0; |
409 | } | 415 | } |
410 | else if (strcmp(ptr, "nosound") == 0) { | 416 | else if (strcmp(ptr, "nosound") == 0) { |
@@ -432,11 +438,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
432 | return 0; | 438 | return 0; |
433 | } | 439 | } |
434 | else if (strcmp(ptr, "nodbus") == 0) { | 440 | else if (strcmp(ptr, "nodbus") == 0) { |
441 | #ifdef HAVE_DBUSPROXY | ||
435 | arg_dbus_user = DBUS_POLICY_BLOCK; | 442 | arg_dbus_user = DBUS_POLICY_BLOCK; |
436 | arg_dbus_system = DBUS_POLICY_BLOCK; | 443 | arg_dbus_system = DBUS_POLICY_BLOCK; |
444 | #endif | ||
437 | return 0; | 445 | return 0; |
438 | } | 446 | } |
439 | else if (strncmp("dbus-user ", ptr, 10) == 0) { | 447 | else if (strncmp("dbus-user ", ptr, 10) == 0) { |
448 | #ifdef HAVE_DBUSPROXY | ||
440 | ptr += 10; | 449 | ptr += 10; |
441 | if (strcmp("filter", ptr) == 0) { | 450 | if (strcmp("filter", ptr) == 0) { |
442 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { | 451 | if (arg_dbus_user == DBUS_POLICY_BLOCK) { |
@@ -454,44 +463,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
454 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); | 463 | fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); |
455 | exit(1); | 464 | exit(1); |
456 | } | 465 | } |
466 | #endif | ||
457 | return 0; | 467 | return 0; |
458 | } | 468 | } |
459 | else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { | 469 | else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { |
470 | #ifdef HAVE_DBUSPROXY | ||
460 | if (!dbus_check_name(ptr + 14)) { | 471 | if (!dbus_check_name(ptr + 14)) { |
461 | printf("Invalid dbus-user.see name: %s\n", ptr + 15); | 472 | fprintf(stderr, "Invalid dbus-user.see name: %s\n", ptr + 15); |
462 | exit(1); | 473 | exit(1); |
463 | } | 474 | } |
475 | #endif | ||
464 | return 1; | 476 | return 1; |
465 | } | 477 | } |
466 | else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { | 478 | else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { |
479 | #ifdef HAVE_DBUSPROXY | ||
467 | if (!dbus_check_name(ptr + 15)) { | 480 | if (!dbus_check_name(ptr + 15)) { |
468 | printf("Invalid dbus-user.talk name: %s\n", ptr + 15); | 481 | fprintf(stderr, "Error: Invalid dbus-user.talk name: %s\n", ptr + 15); |
469 | exit(1); | 482 | exit(1); |
470 | } | 483 | } |
484 | #endif | ||
471 | return 1; | 485 | return 1; |
472 | } | 486 | } |
473 | else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { | 487 | else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { |
488 | #ifdef HAVE_DBUSPROXY | ||
474 | if (!dbus_check_name(ptr + 14)) { | 489 | if (!dbus_check_name(ptr + 14)) { |
475 | fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14); | 490 | fprintf(stderr, "Error: Invalid dbus-user.own name: %s\n", ptr + 14); |
476 | exit(1); | 491 | exit(1); |
477 | } | 492 | } |
493 | #endif | ||
478 | return 1; | 494 | return 1; |
479 | } | 495 | } |
480 | else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { | 496 | else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { |
497 | #ifdef HAVE_DBUSPROXY | ||
481 | if (!dbus_check_call_rule(ptr + 15)) { | 498 | if (!dbus_check_call_rule(ptr + 15)) { |
482 | fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15); | 499 | fprintf(stderr, "Error: Invalid dbus-user.call rule: %s\n", ptr + 15); |
483 | exit(1); | 500 | exit(1); |
484 | } | 501 | } |
502 | #endif | ||
485 | return 1; | 503 | return 1; |
486 | } | 504 | } |
487 | else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { | 505 | else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { |
506 | #ifdef HAVE_DBUSPROXY | ||
488 | if (!dbus_check_call_rule(ptr + 20)) { | 507 | if (!dbus_check_call_rule(ptr + 20)) { |
489 | fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20); | 508 | fprintf(stderr, "Error: Invalid dbus-user.broadcast rule: %s\n", ptr + 20); |
490 | exit(1); | 509 | exit(1); |
491 | } | 510 | } |
511 | #endif | ||
492 | return 1; | 512 | return 1; |
493 | } | 513 | } |
494 | else if (strncmp("dbus-system ", ptr, 12) == 0) { | 514 | else if (strncmp("dbus-system ", ptr, 12) == 0) { |
515 | #ifdef HAVE_DBUSPROXY | ||
495 | ptr += 12; | 516 | ptr += 12; |
496 | if (strcmp("filter", ptr) == 0) { | 517 | if (strcmp("filter", ptr) == 0) { |
497 | if (arg_dbus_system == DBUS_POLICY_BLOCK) { | 518 | if (arg_dbus_system == DBUS_POLICY_BLOCK) { |
@@ -506,44 +527,55 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
506 | } | 527 | } |
507 | arg_dbus_system = DBUS_POLICY_BLOCK; | 528 | arg_dbus_system = DBUS_POLICY_BLOCK; |
508 | } else { | 529 | } else { |
509 | fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); | 530 | fprintf(stderr, "Error: Unknown dbus-system policy: %s\n", ptr); |
510 | exit(1); | 531 | exit(1); |
511 | } | 532 | } |
533 | #endif | ||
512 | return 0; | 534 | return 0; |
513 | } | 535 | } |
514 | else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { | 536 | else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { |
537 | #ifdef HAVE_DBUSPROXY | ||
515 | if (!dbus_check_name(ptr + 16)) { | 538 | if (!dbus_check_name(ptr + 16)) { |
516 | fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17); | 539 | fprintf(stderr, "Error: Invalid dbus-system.see name: %s\n", ptr + 17); |
517 | exit(1); | 540 | exit(1); |
518 | } | 541 | } |
542 | #endif | ||
519 | return 1; | 543 | return 1; |
520 | } | 544 | } |
521 | else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { | 545 | else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { |
546 | #ifdef HAVE_DBUSPROXY | ||
522 | if (!dbus_check_name(ptr + 17)) { | 547 | if (!dbus_check_name(ptr + 17)) { |
523 | fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17); | 548 | fprintf(stderr, "Error: Invalid dbus-system.talk name: %s\n", ptr + 17); |
524 | exit(1); | 549 | exit(1); |
525 | } | 550 | } |
551 | #endif | ||
526 | return 1; | 552 | return 1; |
527 | } | 553 | } |
528 | else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { | 554 | else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { |
555 | #ifdef HAVE_DBUSPROXY | ||
529 | if (!dbus_check_name(ptr + 16)) { | 556 | if (!dbus_check_name(ptr + 16)) { |
530 | fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16); | 557 | fprintf(stderr, "Error: Invalid dbus-system.own name: %s\n", ptr + 16); |
531 | exit(1); | 558 | exit(1); |
532 | } | 559 | } |
560 | #endif | ||
533 | return 1; | 561 | return 1; |
534 | } | 562 | } |
535 | else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { | 563 | else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { |
564 | #ifdef HAVE_DBUSPROXY | ||
536 | if (!dbus_check_call_rule(ptr + 17)) { | 565 | if (!dbus_check_call_rule(ptr + 17)) { |
537 | fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17); | 566 | fprintf(stderr, "Error: Invalid dbus-system.call rule: %s\n", ptr + 17); |
538 | exit(1); | 567 | exit(1); |
539 | } | 568 | } |
569 | #endif | ||
540 | return 1; | 570 | return 1; |
541 | } | 571 | } |
542 | else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { | 572 | else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { |
573 | #ifdef HAVE_DBUSPROXY | ||
543 | if (!dbus_check_call_rule(ptr + 22)) { | 574 | if (!dbus_check_call_rule(ptr + 22)) { |
544 | fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22); | 575 | fprintf(stderr, "Error: Invalid dbus-system.broadcast rule: %s\n", ptr + 22); |
545 | exit(1); | 576 | exit(1); |
546 | } | 577 | } |
578 | #endif | ||
547 | return 1; | 579 | return 1; |
548 | } | 580 | } |
549 | else if (strcmp(ptr, "nou2f") == 0) { | 581 | else if (strcmp(ptr, "nou2f") == 0) { |
@@ -861,10 +893,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
861 | } | 893 | } |
862 | 894 | ||
863 | if (strncmp(ptr, "protocol ", 9) == 0) { | 895 | if (strncmp(ptr, "protocol ", 9) == 0) { |
864 | #ifdef HAVE_SECCOMP | ||
865 | if (checkcfg(CFG_SECCOMP)) { | 896 | if (checkcfg(CFG_SECCOMP)) { |
866 | if (cfg.protocol) { | 897 | if (cfg.protocol) { |
867 | fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); | 898 | fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol); |
868 | return 0; | 899 | return 0; |
869 | } | 900 | } |
870 | 901 | ||
@@ -875,7 +906,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
875 | } | 906 | } |
876 | else | 907 | else |
877 | warning_feature_disabled("seccomp"); | 908 | warning_feature_disabled("seccomp"); |
878 | #endif | ||
879 | return 0; | 909 | return 0; |
880 | } | 910 | } |
881 | 911 | ||
@@ -884,108 +914,92 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
884 | return 0; | 914 | return 0; |
885 | } | 915 | } |
886 | if (strncmp(ptr, "rmenv ", 6) == 0) { | 916 | if (strncmp(ptr, "rmenv ", 6) == 0) { |
917 | unsetenv(ptr + 6); // Remove also immediately from Firejail itself | ||
887 | env_store(ptr + 6, RMENV); | 918 | env_store(ptr + 6, RMENV); |
888 | return 0; | 919 | return 0; |
889 | } | 920 | } |
890 | 921 | ||
891 | // seccomp drop list on top of default list | 922 | // seccomp drop list on top of default list |
892 | if (strncmp(ptr, "seccomp ", 8) == 0) { | 923 | if (strncmp(ptr, "seccomp ", 8) == 0) { |
893 | #ifdef HAVE_SECCOMP | ||
894 | if (checkcfg(CFG_SECCOMP)) { | 924 | if (checkcfg(CFG_SECCOMP)) { |
895 | arg_seccomp = 1; | 925 | arg_seccomp = 1; |
896 | cfg.seccomp_list = seccomp_check_list(ptr + 8); | 926 | cfg.seccomp_list = seccomp_check_list(ptr + 8); |
897 | } | 927 | } |
898 | else if (!arg_quiet) | 928 | else if (!arg_quiet) |
899 | warning_feature_disabled("seccomp"); | 929 | warning_feature_disabled("seccomp"); |
900 | #endif | ||
901 | 930 | ||
902 | return 0; | 931 | return 0; |
903 | } | 932 | } |
904 | if (strncmp(ptr, "seccomp.32 ", 11) == 0) { | 933 | if (strncmp(ptr, "seccomp.32 ", 11) == 0) { |
905 | #ifdef HAVE_SECCOMP | ||
906 | if (checkcfg(CFG_SECCOMP)) { | 934 | if (checkcfg(CFG_SECCOMP)) { |
907 | arg_seccomp32 = 1; | 935 | arg_seccomp32 = 1; |
908 | cfg.seccomp_list32 = seccomp_check_list(ptr + 11); | 936 | cfg.seccomp_list32 = seccomp_check_list(ptr + 11); |
909 | } | 937 | } |
910 | else if (!arg_quiet) | 938 | else if (!arg_quiet) |
911 | warning_feature_disabled("seccomp"); | 939 | warning_feature_disabled("seccomp"); |
912 | #endif | ||
913 | 940 | ||
914 | return 0; | 941 | return 0; |
915 | } | 942 | } |
916 | 943 | ||
917 | if (strcmp(ptr, "seccomp.block-secondary") == 0) { | 944 | if (strcmp(ptr, "seccomp.block-secondary") == 0) { |
918 | #ifdef HAVE_SECCOMP | ||
919 | if (checkcfg(CFG_SECCOMP)) { | 945 | if (checkcfg(CFG_SECCOMP)) { |
920 | arg_seccomp_block_secondary = 1; | 946 | arg_seccomp_block_secondary = 1; |
921 | } | 947 | } |
922 | else | 948 | else |
923 | warning_feature_disabled("seccomp"); | 949 | warning_feature_disabled("seccomp"); |
924 | #endif | ||
925 | return 0; | 950 | return 0; |
926 | } | 951 | } |
927 | // seccomp drop list without default list | 952 | // seccomp drop list without default list |
928 | if (strncmp(ptr, "seccomp.drop ", 13) == 0) { | 953 | if (strncmp(ptr, "seccomp.drop ", 13) == 0) { |
929 | #ifdef HAVE_SECCOMP | ||
930 | if (checkcfg(CFG_SECCOMP)) { | 954 | if (checkcfg(CFG_SECCOMP)) { |
931 | arg_seccomp = 1; | 955 | arg_seccomp = 1; |
932 | cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); | 956 | cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); |
933 | } | 957 | } |
934 | else | 958 | else |
935 | warning_feature_disabled("seccomp"); | 959 | warning_feature_disabled("seccomp"); |
936 | #endif | ||
937 | return 0; | 960 | return 0; |
938 | } | 961 | } |
939 | if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { | 962 | if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { |
940 | #ifdef HAVE_SECCOMP | ||
941 | if (checkcfg(CFG_SECCOMP)) { | 963 | if (checkcfg(CFG_SECCOMP)) { |
942 | arg_seccomp32 = 1; | 964 | arg_seccomp32 = 1; |
943 | cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); | 965 | cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); |
944 | } | 966 | } |
945 | else | 967 | else |
946 | warning_feature_disabled("seccomp"); | 968 | warning_feature_disabled("seccomp"); |
947 | #endif | ||
948 | return 0; | 969 | return 0; |
949 | } | 970 | } |
950 | 971 | ||
951 | // seccomp keep list | 972 | // seccomp keep list |
952 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { | 973 | if (strncmp(ptr, "seccomp.keep ", 13) == 0) { |
953 | #ifdef HAVE_SECCOMP | ||
954 | if (checkcfg(CFG_SECCOMP)) { | 974 | if (checkcfg(CFG_SECCOMP)) { |
955 | arg_seccomp = 1; | 975 | arg_seccomp = 1; |
956 | cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); | 976 | cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); |
957 | } | 977 | } |
958 | else | 978 | else |
959 | warning_feature_disabled("seccomp"); | 979 | warning_feature_disabled("seccomp"); |
960 | #endif | ||
961 | return 0; | 980 | return 0; |
962 | } | 981 | } |
963 | if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { | 982 | if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { |
964 | #ifdef HAVE_SECCOMP | ||
965 | if (checkcfg(CFG_SECCOMP)) { | 983 | if (checkcfg(CFG_SECCOMP)) { |
966 | arg_seccomp32 = 1; | 984 | arg_seccomp32 = 1; |
967 | cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); | 985 | cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); |
968 | } | 986 | } |
969 | else | 987 | else |
970 | warning_feature_disabled("seccomp"); | 988 | warning_feature_disabled("seccomp"); |
971 | #endif | ||
972 | return 0; | 989 | return 0; |
973 | } | 990 | } |
974 | 991 | ||
975 | // memory deny write&execute | 992 | // memory deny write&execute |
976 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { | 993 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |
977 | #ifdef HAVE_SECCOMP | ||
978 | if (checkcfg(CFG_SECCOMP)) | 994 | if (checkcfg(CFG_SECCOMP)) |
979 | arg_memory_deny_write_execute = 1; | 995 | arg_memory_deny_write_execute = 1; |
980 | else | 996 | else |
981 | warning_feature_disabled("seccomp"); | 997 | warning_feature_disabled("seccomp"); |
982 | #endif | ||
983 | return 0; | 998 | return 0; |
984 | } | 999 | } |
985 | 1000 | ||
986 | // seccomp error action | 1001 | // seccomp error action |
987 | if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { | 1002 | if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { |
988 | #ifdef HAVE_SECCOMP | ||
989 | if (checkcfg(CFG_SECCOMP)) { | 1003 | if (checkcfg(CFG_SECCOMP)) { |
990 | int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION); | 1004 | int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION); |
991 | if (config_seccomp_error_action == -1) { | 1005 | if (config_seccomp_error_action == -1) { |
@@ -1008,7 +1022,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1008 | } | 1022 | } |
1009 | } else | 1023 | } else |
1010 | warning_feature_disabled("seccomp"); | 1024 | warning_feature_disabled("seccomp"); |
1011 | #endif | ||
1012 | return 0; | 1025 | return 0; |
1013 | } | 1026 | } |
1014 | 1027 | ||
@@ -1401,12 +1414,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1401 | // filesystem bind | 1414 | // filesystem bind |
1402 | if (strncmp(ptr, "bind ", 5) == 0) { | 1415 | if (strncmp(ptr, "bind ", 5) == 0) { |
1403 | if (checkcfg(CFG_BIND)) { | 1416 | if (checkcfg(CFG_BIND)) { |
1417 | // extract two directories | ||
1404 | if (getuid() != 0) { | 1418 | if (getuid() != 0) { |
1405 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | 1419 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); |
1406 | exit(1); | 1420 | exit(1); |
1407 | } | 1421 | } |
1408 | 1422 | ||
1409 | // extract two directories | ||
1410 | char *dname1 = ptr + 5; | 1423 | char *dname1 = ptr + 5; |
1411 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 1424 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
1412 | if (dname2 == NULL) { | 1425 | if (dname2 == NULL) { |
@@ -1468,7 +1481,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1468 | arg_rlimit_as = 1; | 1481 | arg_rlimit_as = 1; |
1469 | } | 1482 | } |
1470 | else { | 1483 | else { |
1471 | fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); | 1484 | fprintf(stderr, "Error: Invalid rlimit option on line %d\n", lineno); |
1472 | exit(1); | 1485 | exit(1); |
1473 | } | 1486 | } |
1474 | 1487 | ||
@@ -1552,10 +1565,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1552 | else if (strncmp(ptr, "noexec ", 7) == 0) | 1565 | else if (strncmp(ptr, "noexec ", 7) == 0) |
1553 | ptr += 7; | 1566 | ptr += 7; |
1554 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 1567 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
1568 | #ifndef HAVE_USERTMPFS | ||
1555 | if (getuid() != 0) { | 1569 | if (getuid() != 0) { |
1556 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); | 1570 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); |
1557 | exit(1); | 1571 | exit(1); |
1558 | } | 1572 | } |
1573 | #endif | ||
1559 | ptr += 6; | 1574 | ptr += 6; |
1560 | } | 1575 | } |
1561 | else { | 1576 | else { |
@@ -1622,17 +1637,18 @@ void profile_read(const char *fname) { | |||
1622 | exit(1); | 1637 | exit(1); |
1623 | } | 1638 | } |
1624 | if (access(fname, R_OK)) { | 1639 | if (access(fname, R_OK)) { |
1640 | int errsv = errno; | ||
1625 | // if the file ends in ".local", do not exit | 1641 | // if the file ends in ".local", do not exit |
1626 | const char *base = gnu_basename(fname); | 1642 | const char *base = gnu_basename(fname); |
1627 | char *ptr = strstr(base, ".local"); | 1643 | char *ptr = strstr(base, ".local"); |
1628 | if (ptr && strlen(ptr) == 6) | 1644 | if (ptr && strlen(ptr) == 6 && errsv != EACCES) |
1629 | return; | 1645 | return; |
1630 | 1646 | ||
1631 | fprintf(stderr, "Error: cannot access profile file: %s\n", fname); | 1647 | fprintf(stderr, "Error: cannot access profile file: %s\n", fname); |
1632 | exit(1); | 1648 | exit(1); |
1633 | } | 1649 | } |
1634 | 1650 | ||
1635 | // allow debuggers | 1651 | // --allow-debuggers - skip disable-devel.inc file |
1636 | if (arg_allow_debuggers) { | 1652 | if (arg_allow_debuggers) { |
1637 | char *tmp = strrchr(fname, '/'); | 1653 | char *tmp = strrchr(fname, '/'); |
1638 | if (tmp && *(tmp + 1) != '\0') { | 1654 | if (tmp && *(tmp + 1) != '\0') { |
@@ -1641,6 +1657,15 @@ void profile_read(const char *fname) { | |||
1641 | return; | 1657 | return; |
1642 | } | 1658 | } |
1643 | } | 1659 | } |
1660 | // --appimage - skip disable-shell.inc file | ||
1661 | if (arg_appimage) { | ||
1662 | char *tmp = strrchr(fname, '/'); | ||
1663 | if (tmp && *(tmp + 1) != '\0') { | ||
1664 | tmp++; | ||
1665 | if (strcmp(tmp, "disable-shell.inc") == 0) | ||
1666 | return; | ||
1667 | } | ||
1668 | } | ||
1644 | 1669 | ||
1645 | // open profile file: | 1670 | // open profile file: |
1646 | FILE *fp = fopen(fname, "r"); | 1671 | FILE *fp = fopen(fname, "r"); |
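--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
 exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP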
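--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -23,6 +23,7 @@
 #include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <errno.h>
 #include <sys/wait.h>
 
 #include <fcntl.h>
@@ -47,7 +48,7 @@ void pulseaudio_disable(void) {
 char *path;
 if (asprintf(&path, "/run/user/%d", getuid()) == -1)
 errExit("asprintf");
-disable_file_path(path, "pulse/native");
+disable_file_path(path, "pulse");
 free(path);
 
 
@@ -133,8 +134,13 @@ void pulseaudio_init(void) {
 goto out;
 }
 // confirm the actual mount destination is owned by the user
-if (fstat(fd, &s) == -1)
-errExit("fstat");
+if (fstat(fd, &s) == -1) { // FUSE
+if (errno != EACCES)
+errExit("fstat");
+close(fd);
+pulseaudio_set_environment(pulsecfg);
+goto out;
+}
 if (s.st_uid != getuid()) {
 close(fd);
 pulseaudio_set_environment(pulsecfg);
@@ -169,6 +175,11 @@ void pulseaudio_init(void) {
 pulseaudio_set_environment(p);
 free(p);
 
+// RUN_PULSE_DIR not needed anymore, mask it
+if (mount("tmpfs", RUN_PULSE_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
+errExit("mount pulseaudio");
+fs_logger2("tmpfs", RUN_PULSE_DIR);
+
 out:
 free(pulsecfg);
 free(homeusercfg);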
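Review bot: The EACCES branch added to the fstat() call in pulseaudio_init bypasses the ownership check that the comment directly above it announces, and its `// FUSE` comment does not explain why that is acceptable; the fallback mirrors the `s.st_uid != getuid()` branch below (close, keep the user's own config, skip the bind mount), so state that intent, e.g. `// FUSE mounts may reject fstat() with EACCES; treat this exactly like the foreign-owner case below and skip the bind mount`. The new tmpfs that masks RUN_PULSE_DIR is mounted with MS_NOSUID|MS_NODEV but not MS_NOEXEC; since the directory only has to exist as an empty mask, `MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME` is the more conservative flag set at no functional cost. pulseaudio_init starts and ends outside these hunks.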
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0965b1017..8bfe76603 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -20,6 +20,7 @@ | |||
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/seccomp.h" | 22 | #include "../include/seccomp.h" |
23 | #include <sys/mman.h> | ||
23 | #include <sys/mount.h> | 24 | #include <sys/mount.h> |
24 | #include <sys/wait.h> | 25 | #include <sys/wait.h> |
25 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
@@ -140,7 +141,6 @@ void set_apparmor(void) { | |||
140 | } | 141 | } |
141 | #endif | 142 | #endif |
142 | 143 | ||
143 | #ifdef HAVE_SECCOMP | ||
144 | void seccomp_debug(void) { | 144 | void seccomp_debug(void) { |
145 | if (arg_debug == 0) | 145 | if (arg_debug == 0) |
146 | return; | 146 | return; |
@@ -157,7 +157,6 @@ void seccomp_debug(void) { | |||
157 | printf("No active seccomp files\n"); | 157 | printf("No active seccomp files\n"); |
158 | EUID_ROOT(); | 158 | EUID_ROOT(); |
159 | } | 159 | } |
160 | #endif | ||
161 | 160 | ||
162 | static void save_nogroups(void) { | 161 | static void save_nogroups(void) { |
163 | if (arg_nogroups == 0) | 162 | if (arg_nogroups == 0) |
@@ -204,16 +203,17 @@ static void save_umask(void) { | |||
204 | } | 203 | } |
205 | } | 204 | } |
206 | 205 | ||
207 | static FILE *create_ready_for_join_file(void) { | 206 | static char *create_join_file(void) { |
208 | FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe"); | 207 | int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
209 | if (fp) { | 208 | if (fd == -1) |
210 | ASSERT_PERMS_STREAM(fp, 0, 0, 0644); | 209 | errExit("open"); |
211 | return fp; | 210 | if (ftruncate(fd, 1) == -1) |
212 | } | 211 | errExit("ftruncate"); |
213 | else { | 212 | char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0); |
214 | fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN); | 213 | if (rv == MAP_FAILED) |
215 | exit(1); | 214 | errExit("mmap"); |
216 | } | 215 | close(fd); |
216 | return rv; | ||
217 | } | 217 | } |
218 | 218 | ||
219 | static void sandbox_if_up(Bridge *br) { | 219 | static void sandbox_if_up(Bridge *br) { |
@@ -472,7 +472,7 @@ static int ok_to_run(const char *program) { | |||
472 | return 0; | 472 | return 0; |
473 | } | 473 | } |
474 | 474 | ||
475 | void start_application(int no_sandbox, FILE *fp) { | 475 | void start_application(int no_sandbox, char *set_sandbox_status) { |
476 | // set environment | 476 | // set environment |
477 | if (no_sandbox == 0) { | 477 | if (no_sandbox == 0) { |
478 | env_defaults(); | 478 | env_defaults(); |
@@ -492,16 +492,12 @@ void start_application(int no_sandbox, FILE *fp) { | |||
492 | if (arg_audit) { | 492 | if (arg_audit) { |
493 | assert(arg_audit_prog); | 493 | assert(arg_audit_prog); |
494 | 494 | ||
495 | if (fp) { | ||
496 | fprintf(fp, "ready\n"); | ||
497 | fclose(fp); | ||
498 | } | ||
499 | #ifdef HAVE_GCOV | 495 | #ifdef HAVE_GCOV |
500 | __gcov_dump(); | 496 | __gcov_dump(); |
501 | #endif | 497 | #endif |
502 | #ifdef HAVE_SECCOMP | ||
503 | seccomp_install_filters(); | 498 | seccomp_install_filters(); |
504 | #endif | 499 | if (set_sandbox_status) |
500 | *set_sandbox_status = SANDBOX_DONE; | ||
505 | execl(arg_audit_prog, arg_audit_prog, NULL); | 501 | execl(arg_audit_prog, arg_audit_prog, NULL); |
506 | 502 | ||
507 | perror("execl"); | 503 | perror("execl"); |
@@ -528,23 +524,19 @@ void start_application(int no_sandbox, FILE *fp) { | |||
528 | if (!arg_command && !arg_quiet) | 524 | if (!arg_command && !arg_quiet) |
529 | print_time(); | 525 | print_time(); |
530 | 526 | ||
531 | int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]); | 527 | if (ok_to_run(cfg.original_argv[cfg.original_program_index]) == 0) { |
532 | 528 | fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]); | |
533 | if (fp) { | 529 | exit(1); |
534 | fprintf(fp, "ready\n"); | ||
535 | fclose(fp); | ||
536 | } | 530 | } |
531 | |||
537 | #ifdef HAVE_GCOV | 532 | #ifdef HAVE_GCOV |
538 | __gcov_dump(); | 533 | __gcov_dump(); |
539 | #endif | 534 | #endif |
540 | #ifdef HAVE_SECCOMP | ||
541 | seccomp_install_filters(); | 535 | seccomp_install_filters(); |
542 | #endif | 536 | |
543 | if (rv) | 537 | if (set_sandbox_status) |
544 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | 538 | *set_sandbox_status = SANDBOX_DONE; |
545 | else | 539 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); |
546 | fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]); | ||
547 | exit(1); | ||
548 | } | 540 | } |
549 | //**************************************** | 541 | //**************************************** |
550 | // start the program using a shell | 542 | // start the program using a shell |
@@ -591,16 +583,13 @@ void start_application(int no_sandbox, FILE *fp) { | |||
591 | if (!arg_command && !arg_quiet) | 583 | if (!arg_command && !arg_quiet) |
592 | print_time(); | 584 | print_time(); |
593 | 585 | ||
594 | if (fp) { | ||
595 | fprintf(fp, "ready\n"); | ||
596 | fclose(fp); | ||
597 | } | ||
598 | #ifdef HAVE_GCOV | 586 | #ifdef HAVE_GCOV |
599 | __gcov_dump(); | 587 | __gcov_dump(); |
600 | #endif | 588 | #endif |
601 | #ifdef HAVE_SECCOMP | ||
602 | seccomp_install_filters(); | 589 | seccomp_install_filters(); |
603 | #endif | 590 | |
591 | if (set_sandbox_status) | ||
592 | *set_sandbox_status = SANDBOX_DONE; | ||
604 | execvp(arg[0], arg); | 593 | execvp(arg[0], arg); |
605 | } | 594 | } |
606 | 595 | ||
@@ -662,6 +651,8 @@ int sandbox(void* sandbox_arg) { | |||
662 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || | 651 | if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || |
663 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) | 652 | mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) |
664 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); | 653 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); |
654 | // keep a copy of dhclient executable before the filesystem is modified | ||
655 | dhcp_store_exec(); | ||
665 | 656 | ||
666 | //**************************** | 657 | //**************************** |
667 | // log sandbox data | 658 | // log sandbox data |
@@ -802,7 +793,6 @@ int sandbox(void* sandbox_arg) { | |||
802 | // - build seccomp filters | 793 | // - build seccomp filters |
803 | // - create an empty /etc/ld.so.preload | 794 | // - create an empty /etc/ld.so.preload |
804 | //**************************** | 795 | //**************************** |
805 | #ifdef HAVE_SECCOMP | ||
806 | if (cfg.protocol) { | 796 | if (cfg.protocol) { |
807 | if (arg_debug) | 797 | if (arg_debug) |
808 | printf("Build protocol filter: %s\n", cfg.protocol); | 798 | printf("Build protocol filter: %s\n", cfg.protocol); |
@@ -813,7 +803,6 @@ int sandbox(void* sandbox_arg) { | |||
813 | if (rv) | 803 | if (rv) |
814 | exit(rv); | 804 | exit(rv); |
815 | } | 805 | } |
816 | #endif | ||
817 | 806 | ||
818 | // need ld.so.preload if tracing or seccomp with any non-default lists | 807 | // need ld.so.preload if tracing or seccomp with any non-default lists |
819 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; | 808 | bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; |
@@ -932,6 +921,7 @@ int sandbox(void* sandbox_arg) { | |||
932 | } | 921 | } |
933 | } | 922 | } |
934 | 923 | ||
924 | #ifdef HAVE_USERTMPFS | ||
935 | if (arg_private_cache) { | 925 | if (arg_private_cache) { |
936 | if (cfg.chrootdir) | 926 | if (cfg.chrootdir) |
937 | fwarning("private-cache feature is disabled in chroot\n"); | 927 | fwarning("private-cache feature is disabled in chroot\n"); |
@@ -940,6 +930,7 @@ int sandbox(void* sandbox_arg) { | |||
940 | else | 930 | else |
941 | fs_private_cache(); | 931 | fs_private_cache(); |
942 | } | 932 | } |
933 | #endif | ||
943 | 934 | ||
944 | if (arg_private_tmp) { | 935 | if (arg_private_tmp) { |
945 | // private-tmp is implemented as a whitelist | 936 | // private-tmp is implemented as a whitelist |
@@ -951,8 +942,9 @@ int sandbox(void* sandbox_arg) { | |||
951 | //**************************** | 942 | //**************************** |
952 | // Session D-BUS | 943 | // Session D-BUS |
953 | //**************************** | 944 | //**************************** |
945 | #ifdef HAVE_DBUSPROXY | ||
954 | dbus_apply_policy(); | 946 | dbus_apply_policy(); |
955 | 947 | #endif | |
956 | 948 | ||
957 | //**************************** | 949 | //**************************** |
958 | // hosts and hostname | 950 | // hosts and hostname |
@@ -1112,7 +1104,6 @@ int sandbox(void* sandbox_arg) { | |||
1112 | save_cgroup(); | 1104 | save_cgroup(); |
1113 | 1105 | ||
1114 | // set seccomp | 1106 | // set seccomp |
1115 | #ifdef HAVE_SECCOMP | ||
1116 | // install protocol filter | 1107 | // install protocol filter |
1117 | #ifdef SYS_socket | 1108 | #ifdef SYS_socket |
1118 | if (cfg.protocol) { | 1109 | if (cfg.protocol) { |
@@ -1156,17 +1147,15 @@ int sandbox(void* sandbox_arg) { | |||
1156 | // make seccomp filters read-only | 1147 | // make seccomp filters read-only |
1157 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); | 1148 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); |
1158 | seccomp_debug(); | 1149 | seccomp_debug(); |
1159 | #endif | ||
1160 | 1150 | ||
1161 | // set capabilities | 1151 | // set capabilities |
1162 | set_caps(); | 1152 | set_caps(); |
1163 | 1153 | ||
1164 | //**************************************** | 1154 | //**************************************** |
1165 | // communicate progress of sandbox set up | 1155 | // relay status information to join option |
1166 | // to --join | ||
1167 | //**************************************** | 1156 | //**************************************** |
1168 | 1157 | ||
1169 | FILE *rj = create_ready_for_join_file(); | 1158 | char *set_sandbox_status = create_join_file(); |
1170 | 1159 | ||
1171 | //**************************************** | 1160 | //**************************************** |
1172 | // create a new user namespace | 1161 | // create a new user namespace |
@@ -1248,10 +1237,10 @@ int sandbox(void* sandbox_arg) { | |||
1248 | set_nice(cfg.nice); | 1237 | set_nice(cfg.nice); |
1249 | set_rlimits(); | 1238 | set_rlimits(); |
1250 | 1239 | ||
1251 | start_application(0, rj); | 1240 | start_application(0, set_sandbox_status); |
1252 | } | 1241 | } |
1253 | 1242 | ||
1254 | fclose(rj); | 1243 | munmap(set_sandbox_status, 1); |
1255 | 1244 | ||
1256 | int status = monitor_application(app_pid); // monitor application | 1245 | int status = monitor_application(app_pid); // monitor application |
1257 | flush_stdin(); | 1246 | flush_stdin(); |
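Review bot: create_join_file() no longer verifies the status file it creates: the replaced create_ready_for_join_file() asserted root ownership and mode 0644 through ASSERT_PERMS_STREAM, whereas the mode passed to the new open() is subject to the process umask, so a restrictive umask silently yields a join file that the --join side may not be able to read. Add `if (fchmod(fd, 0644) == -1) errExit("fchmod");` immediately after the open() (O_CREAT|O_EXCL guarantees the file is freshly ours, so this cannot widen a pre-existing file), and prefer the POSIX `S_IWUSR` over the BSD alias `S_IWRITE` so the mode bits read consistently. Relatedly, the `#ifdef HAVE_USERTMPFS` now wrapped around the arg_private_cache block makes --private-cache a silent no-op on builds without user tmpfs; unless option parsing already rejects the flag on such builds (not visible here), an `#else` branch such as `if (arg_private_cache) fwarning("private-cache feature is disabled, firejail was built without user tmpfs support\n");` keeps the dropped restriction observable. sandbox() and start_application() both continue outside the hunks shown.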
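--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -263,6 +263,7 @@ int sbox_run(unsigned filtermask, int num, ...) {
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
 EUID_ROOT();
+assert(arg);
 
 if (arg_debug) {
 printf("sbox run: ");
@@ -288,7 +289,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
 if (waitpid(child, &status, 0) == -1 ) {
 errExit("waitpid");
 }
-if (WIFEXITED(status) && status != 0) {
+if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
 fprintf(stderr, "Error: failed to run %s\n", arg[0]);
 exit(1);
 }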
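Review bot: The corrected exit-status test in sbox_run_v still treats a helper that died from a signal as success: `WIFEXITED(status)` is false in that case, so the whole condition is false and the function carries on as if the child had exited 0. The helper presumably runs under a filter chosen by filtermask, so a child killed by that filter is precisely the failure that should be reported; use `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {` so both abnormal termination and a non-zero exit are rejected. sbox_run_v continues outside the hunk.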
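--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -445,5 +444,3 @@ errexit:
 printf("Cannot access seccomp filter.\n");
 exit(1);
 }
-
-#endif // HAVE_SECCOMP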
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 52d6788ef..dd776fcce 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -35,7 +35,7 @@ static int selinux_enabled = -1; | |||
35 | void selinux_relabel_path(const char *path, const char *inside_path) | 35 | void selinux_relabel_path(const char *path, const char *inside_path) |
36 | { | 36 | { |
37 | #if HAVE_SELINUX | 37 | #if HAVE_SELINUX |
38 | char procfs_path[64]; | 38 | char procfs_path[64]; |
39 | char *fcon = NULL; | 39 | char *fcon = NULL; |
40 | int fd; | 40 | int fd; |
41 | struct stat st; | 41 | struct stat st; |
@@ -43,26 +43,29 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
43 | if (selinux_enabled == -1) | 43 | if (selinux_enabled == -1) |
44 | selinux_enabled = is_selinux_enabled(); | 44 | selinux_enabled = is_selinux_enabled(); |
45 | 45 | ||
46 | if (!selinux_enabled && arg_debug) | 46 | if (!selinux_enabled) |
47 | return; | 47 | return; |
48 | 48 | ||
49 | if (!label_hnd) | 49 | if (!label_hnd) |
50 | label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); | 50 | label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); |
51 | 51 | ||
52 | if (!label_hnd) | ||
53 | errExit("selabel_open"); | ||
54 | |||
52 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ | 55 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ |
53 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | 56 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); |
54 | if (fd < 0) | 57 | if (fd < 0) |
55 | return; | 58 | return; |
56 | if (fstat(fd, &st) < 0) | 59 | if (fstat(fd, &st) < 0) |
57 | goto close; | 60 | goto close; |
58 | 61 | ||
59 | if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { | 62 | if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { |
60 | sprintf(procfs_path, "/proc/self/fd/%i", fd); | 63 | sprintf(procfs_path, "/proc/self/fd/%i", fd); |
61 | if (arg_debug) | 64 | if (arg_debug) |
62 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); | 65 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); |
63 | 66 | ||
64 | setfilecon_raw(procfs_path, fcon); | 67 | setfilecon_raw(procfs_path, fcon); |
65 | } | 68 | } |
66 | freecon(fcon); | 69 | freecon(fcon); |
67 | close: | 70 | close: |
68 | close(fd); | 71 | close(fd); |
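Review bot: With selabel_open() failure now fatal, the cached result of is_selinux_enabled() in selinux_relabel_path deserves a stricter test: that call returns -1 on error, which is truthy, so an error is cached as "enabled" and every subsequent relabel then reaches the new errExit("selabel_open") instead of being skipped as before. Store a boolean instead, `selinux_enabled = (is_selinux_enabled() == 1);`, or return early when the cached value is negative. The function's closing `#endif` and brace lie outside the hunk.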
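--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -123,10 +123,8 @@ static char *usage_str =
 " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
 " --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
 " --memory-deny-write-execute - seccomp filter to block attempts to create\n"
 "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
 " --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
 " --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
 " --seccomp - enable seccomp filter and apply the default blacklist.\n"
 " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
 "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
 " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
 " --seccomp-error-action=errno|kill|log - change error code, kill process\n"
 "\tor log the attempt.\n"
-#endif
 " --shell=none - run the program directly without a user shell.\n"
 " --shell=program - set default user shell.\n"
 " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"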
diff --git a/src/firejail/util.c b/src/firejail/util.c index 9f878611a..02befdc12 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -33,7 +33,7 @@ | |||
33 | 33 | ||
34 | #include <fcntl.h> | 34 | #include <fcntl.h> |
35 | #ifndef O_PATH | 35 | #ifndef O_PATH |
36 | # define O_PATH 010000000 | 36 | #define O_PATH 010000000 |
37 | #endif | 37 | #endif |
38 | 38 | ||
39 | #define MAX_GROUPS 1024 | 39 | #define MAX_GROUPS 1024 |
@@ -281,8 +281,9 @@ static int copy_file_by_fd(int src, int dst) { | |||
281 | done += rv; | 281 | done += rv; |
282 | } | 282 | } |
283 | } | 283 | } |
284 | // fflush(0); | 284 | if (len == 0) |
285 | return 0; | 285 | return 0; |
286 | return -1; | ||
286 | } | 287 | } |
287 | 288 | ||
288 | // return -1 if error, 0 if no error; if destname already exists, return error | 289 | // return -1 if error, 0 if no error; if destname already exists, return error |
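Review bot: The new `return -1` after the copy loop in copy_file_by_fd turns a short copy into an error, but the function's contract is documented nowhere; the comment on the following line belongs to the next function. Add a header line above copy_file_by_fd (its start is outside this hunk): `// return 0 if all len bytes were copied, -1 on read/write error or short copy`. Callers that previously could only ever see 0 from this function now need to handle -1 on a partial copy; whether they do is not visible in this chunk.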
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c index 028dbc212..c34a44165 100644 --- a/src/firemon/apparmor.c +++ b/src/firemon/apparmor.c | |||
@@ -44,7 +44,7 @@ void apparmor(pid_t pid, int print_procs) { | |||
44 | for (i = 0; i < max_pids; i++) { | 44 | for (i = 0; i < max_pids; i++) { |
45 | if (pids[i].level == 1) { | 45 | if (pids[i].level == 1) { |
46 | if (print_procs || pid == 0) | 46 | if (print_procs || pid == 0) |
47 | pid_print_list(i, arg_nowrap); | 47 | pid_print_list(i, arg_wrap); |
48 | int child = find_child(i); | 48 | int child = find_child(i); |
49 | if (child != -1) | 49 | if (child != -1) |
50 | print_apparmor(child); | 50 | print_apparmor(child); |
diff --git a/src/firemon/arp.c b/src/firemon/arp.c index a43593ced..3bd59e65e 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c | |||
@@ -80,7 +80,7 @@ void arp(pid_t pid, int print_procs) { | |||
80 | for (i = 0; i < max_pids; i++) { | 80 | for (i = 0; i < max_pids; i++) { |
81 | if (pids[i].level == 1) { | 81 | if (pids[i].level == 1) { |
82 | if (print_procs || pid == 0) | 82 | if (print_procs || pid == 0) |
83 | pid_print_list(i, arg_nowrap); | 83 | pid_print_list(i, arg_wrap); |
84 | int child = find_child(i); | 84 | int child = find_child(i); |
85 | if (child != -1) { | 85 | if (child != -1) { |
86 | char *fname; | 86 | char *fname; |
diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 951bd21a5..0e720706d 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c | |||
@@ -53,7 +53,7 @@ void caps(pid_t pid, int print_procs) { | |||
53 | for (i = 0; i < max_pids; i++) { | 53 | for (i = 0; i < max_pids; i++) { |
54 | if (pids[i].level == 1) { | 54 | if (pids[i].level == 1) { |
55 | if (print_procs || pid == 0) | 55 | if (print_procs || pid == 0) |
56 | pid_print_list(i, arg_nowrap); | 56 | pid_print_list(i, arg_wrap); |
57 | int child = find_child(i); | 57 | int child = find_child(i); |
58 | if (child != -1) | 58 | if (child != -1) |
59 | print_caps(child); | 59 | print_caps(child); |
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index 251db0077..e0d605d10 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c | |||
@@ -53,7 +53,7 @@ void cgroup(pid_t pid, int print_procs) { | |||
53 | for (i = 0; i < max_pids; i++) { | 53 | for (i = 0; i < max_pids; i++) { |
54 | if (pids[i].level == 1) { | 54 | if (pids[i].level == 1) { |
55 | if (print_procs || pid == 0) | 55 | if (print_procs || pid == 0) |
56 | pid_print_list(i, arg_nowrap); | 56 | pid_print_list(i, arg_wrap); |
57 | int child = find_child(i); | 57 | int child = find_child(i); |
58 | if (child != -1) | 58 | if (child != -1) |
59 | print_cgroup(child); | 59 | print_cgroup(child); |
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index 6170ef8c1..e97068851 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c | |||
@@ -54,7 +54,7 @@ void cpu(pid_t pid, int print_procs) { | |||
54 | for (i = 0; i < max_pids; i++) { | 54 | for (i = 0; i < max_pids; i++) { |
55 | if (pids[i].level == 1) { | 55 | if (pids[i].level == 1) { |
56 | if (print_procs || pid == 0) | 56 | if (print_procs || pid == 0) |
57 | pid_print_list(i, arg_nowrap); | 57 | pid_print_list(i, arg_wrap); |
58 | int child = find_child(i); | 58 | int child = find_child(i); |
59 | if (child != -1) | 59 | if (child != -1) |
60 | print_cpu(child); | 60 | print_cpu(child); |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 7468e3240..5ae0ed013 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -40,7 +40,7 @@ static int arg_top = 0; | |||
40 | static int arg_list = 0; | 40 | static int arg_list = 0; |
41 | static int arg_netstats = 0; | 41 | static int arg_netstats = 0; |
42 | static int arg_apparmor = 0; | 42 | static int arg_apparmor = 0; |
43 | int arg_nowrap = 0; | 43 | int arg_wrap = 0; |
44 | 44 | ||
45 | static struct termios tlocal; // startup terminal setting | 45 | static struct termios tlocal; // startup terminal setting |
46 | static struct termios twait; // no wait on key press | 46 | static struct termios twait; // no wait on key press |
@@ -159,6 +159,7 @@ int main(int argc, char **argv) { | |||
159 | arg_list = 1; | 159 | arg_list = 1; |
160 | else if (strcmp(argv[i], "--tree") == 0) | 160 | else if (strcmp(argv[i], "--tree") == 0) |
161 | arg_tree = 1; | 161 | arg_tree = 1; |
162 | #ifdef HAVE_NETWORK | ||
162 | else if (strcmp(argv[i], "--netstats") == 0) { | 163 | else if (strcmp(argv[i], "--netstats") == 0) { |
163 | struct stat s; | 164 | struct stat s; |
164 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 165 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
@@ -167,7 +168,7 @@ int main(int argc, char **argv) { | |||
167 | } | 168 | } |
168 | arg_netstats = 1; | 169 | arg_netstats = 1; |
169 | } | 170 | } |
170 | 171 | #endif | |
171 | 172 | ||
172 | // cumulative options with or without a pid argument | 173 | // cumulative options with or without a pid argument |
173 | else if (strcmp(argv[i], "--x11") == 0) | 174 | else if (strcmp(argv[i], "--x11") == 0) |
@@ -187,10 +188,12 @@ int main(int argc, char **argv) { | |||
187 | } | 188 | } |
188 | arg_interface = 1; | 189 | arg_interface = 1; |
189 | } | 190 | } |
191 | #ifdef HAVE_NETWORK | ||
190 | else if (strcmp(argv[i], "--route") == 0) | 192 | else if (strcmp(argv[i], "--route") == 0) |
191 | arg_route = 1; | 193 | arg_route = 1; |
192 | else if (strcmp(argv[i], "--arp") == 0) | 194 | else if (strcmp(argv[i], "--arp") == 0) |
193 | arg_arp = 1; | 195 | arg_arp = 1; |
196 | #endif | ||
194 | else if (strcmp(argv[i], "--apparmor") == 0) | 197 | else if (strcmp(argv[i], "--apparmor") == 0) |
195 | arg_apparmor = 1; | 198 | arg_apparmor = 1; |
196 | 199 | ||
@@ -203,8 +206,8 @@ int main(int argc, char **argv) { | |||
203 | } | 206 | } |
204 | 207 | ||
205 | // etc | 208 | // etc |
206 | else if (strcmp(argv[i], "--nowrap") == 0) | 209 | else if (strcmp(argv[i], "--wrap") == 0) |
207 | arg_nowrap = 1; | 210 | arg_wrap = 1; |
208 | 211 | ||
209 | // invalid option | 212 | // invalid option |
210 | else if (*argv[i] == '-') { | 213 | else if (*argv[i] == '-') { |
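Review bot: Renaming `--nowrap` to `--wrap` flips what the default value 0 of the flag means, but `arg_wrap` is still passed positionally to pid_print_list/pid_print_tree in the other firemon files on this page (apparmor.c, arp.c, caps.c, cgroup.c, cpu.c, interface.c, list.c, route.c, seccomp.c, tree.c, x11.c); unless the parameter of those print functions was inverted as well, which this page does not show, firemon now defaults to the old `--nowrap` output and `--wrap` becomes a no-op. Please confirm the parameter semantics in pid_print_list/pid_print_tree and, if not already done elsewhere in this commit, update the usage text and the firemon man page for the renamed option. The `#ifdef HAVE_NETWORK` guards around the `--netstats`, `--route` and `--arp` branches are placed correctly, since each preceding `else if` is closed before the directive. main continues outside these hunks.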
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index 3fba486eb..948214d4d 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -40,7 +40,7 @@ static inline void firemon_clrscr(void) { | |||
40 | 40 | ||
41 | // firemon.c | 41 | // firemon.c |
42 | extern pid_t skip_process; | 42 | extern pid_t skip_process; |
43 | extern int arg_nowrap; | 43 | extern int arg_wrap; |
44 | int find_child(int id); | 44 | int find_child(int id); |
45 | void firemon_sleep(int st); | 45 | void firemon_sleep(int st); |
46 | 46 | ||
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 325ffd80e..34d616647 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -163,7 +163,7 @@ void interface(pid_t pid, int print_procs) { | |||
163 | for (i = 0; i < max_pids; i++) { | 163 | for (i = 0; i < max_pids; i++) { |
164 | if (pids[i].level == 1) { | 164 | if (pids[i].level == 1) { |
165 | if (print_procs || pid == 0) | 165 | if (print_procs || pid == 0) |
166 | pid_print_list(i, arg_nowrap); | 166 | pid_print_list(i, arg_wrap); |
167 | int child = find_child(i); | 167 | int child = find_child(i); |
168 | if (child != -1) { | 168 | if (child != -1) { |
169 | print_sandbox(child); | 169 | print_sandbox(child); |
diff --git a/src/firemon/list.c b/src/firemon/list.c index 8a07f9eb2..22a08272d 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c | |||
@@ -28,6 +28,6 @@ void list(void) { | |||
28 | if (i == skip_process) | 28 | if (i == skip_process) |
29 | continue; | 29 | continue; |
30 | if (pids[i].level == 1) | 30 | if (pids[i].level == 1) |
31 | pid_print_list(i, arg_nowrap); | 31 | pid_print_list(i, arg_wrap); |
32 | } | 32 | } |
33 | } | 33 | } |
diff --git a/src/firemon/route.c b/src/firemon/route.c index 9fd46505f..19c823a87 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c | |||
@@ -189,7 +189,7 @@ void route(pid_t pid, int print_procs) { | |||
189 | for (i = 0; i < max_pids; i++) { | 189 | for (i = 0; i < max_pids; i++) { |
190 | if (pids[i].level == 1) { | 190 | if (pids[i].level == 1) { |
191 | if (print_procs || pid == 0) | 191 | if (print_procs || pid == 0) |
192 | pid_print_list(i, arg_nowrap); | 192 | pid_print_list(i, arg_wrap); |
193 | int child = find_child(i); | 193 | int child = find_child(i); |
194 | if (child != -1) { | 194 | if (child != -1) { |
195 | char *fname; | 195 | char *fname; |
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index 7bc700ee6..7867fbad3 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c | |||
@@ -52,7 +52,7 @@ void seccomp(pid_t pid, int print_procs) { | |||
52 | for (i = 0; i < max_pids; i++) { | 52 | for (i = 0; i < max_pids; i++) { |
53 | if (pids[i].level == 1) { | 53 | if (pids[i].level == 1) { |
54 | if (print_procs || pid == 0) | 54 | if (print_procs || pid == 0) |
55 | pid_print_list(i, arg_nowrap); | 55 | pid_print_list(i, arg_wrap); |
56 | int child = find_child(i); | 56 | int child = find_child(i); |
57 | if (child != -1) | 57 | if (child != -1) |
58 | print_seccomp(child); | 58 | print_seccomp(child); |
diff --git a/src/firemon/tree.c b/src/firemon/tree.c index f3610eaec..711066c19 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c | |||
@@ -28,7 +28,7 @@ void tree(pid_t pid) { | |||
28 | if (i == skip_process) | 28 | if (i == skip_process) |
29 | continue; | 29 | continue; |
30 | if (pids[i].level == 1) | 30 | if (pids[i].level == 1) |
31 | pid_print_tree(i, 0, arg_nowrap); | 31 | pid_print_tree(i, 0, arg_wrap); |
32 | } | 32 | } |
33 | printf("\n"); | 33 | printf("\n"); |
34 | } | 34 | } |
diff --git a/src/firemon/x11.c b/src/firemon/x11.c index a41f4825f..19b54429c 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c | |||
@@ -30,7 +30,7 @@ void x11(pid_t pid, int print_procs) { | |||
30 | for (i = 0; i < max_pids; i++) { | 30 | for (i = 0; i < max_pids; i++) { |
31 | if (pids[i].level == 1) { | 31 | if (pids[i].level == 1) { |
32 | if (print_procs || pid == 0) | 32 | if (print_procs || pid == 0) |
33 | pid_print_list(i, arg_nowrap); | 33 | pid_print_list(i, arg_wrap); |
34 | 34 | ||
35 | char *x11file; | 35 | char *x11file; |
36 | // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory | 36 | // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory |
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 122d0007c..64f177574 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
@@ -149,10 +149,8 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
149 | memcpy (frame + 14, &hdr, sizeof(hdr)); | 149 | memcpy (frame + 14, &hdr, sizeof(hdr)); |
150 | 150 | ||
151 | // send packet | 151 | // send packet |
152 | int len; | 152 | if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) |
153 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | ||
154 | errExit("send"); | 153 | errExit("send"); |
155 | //printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); | ||
156 | fflush(0); | 154 | fflush(0); |
157 | dest++; | 155 | dest++; |
158 | } | 156 | } |
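Review bot: The simplified check at the new line 152 still accepts a short send: sendto() returning fewer than `14 + sizeof(ArpHdr)` bytes passes the `<= 0` test and the truncated frame is silently treated as sent. Compare the return value with the frame length instead, `if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) != (ssize_t) (14 + sizeof(ArpHdr)))`, which also makes the signed/unsigned comparison explicit. The loop around this code in arp_scan starts before the hunk.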
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index a6aae5ecb..eecf18832 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c | |||
@@ -19,7 +19,7 @@ | |||
19 | * | 19 | * |
20 | * | 20 | * |
21 | * | 21 | * |
22 | * Parts of this code was lifted from libseccomp project, license LGPV 2.1. | 22 | * Parts of this code was lifted from libseccomp project, license LGPL 2.1. |
23 | * This is the original copyright notice in libseccomp code: | 23 | * This is the original copyright notice in libseccomp code: |
24 | * | 24 | * |
25 | * | 25 | * |
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index b8b30f488..4d261f9e5 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
@@ -57,6 +57,7 @@ static char *protocol[] = { | |||
57 | "inet6", | 57 | "inet6", |
58 | "netlink", | 58 | "netlink", |
59 | "packet", | 59 | "packet", |
60 | "bluetooth", | ||
60 | NULL | 61 | NULL |
61 | }; | 62 | }; |
62 | 63 | ||
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = { | |||
66 | WHITELIST(AF_INET), | 67 | WHITELIST(AF_INET), |
67 | WHITELIST(AF_INET6), | 68 | WHITELIST(AF_INET6), |
68 | WHITELIST(AF_NETLINK), | 69 | WHITELIST(AF_NETLINK), |
69 | WHITELIST(AF_PACKET) | 70 | WHITELIST(AF_PACKET), |
71 | WHITELIST(AF_BLUETOOTH) | ||
70 | }; | 72 | }; |
71 | #endif | 73 | #endif |
72 | // Note: protocol[] and protocol_filter_command are synchronized | 74 | // Note: protocol[] and protocol_filter_command are synchronized |
@@ -143,22 +145,6 @@ void protocol_build_filter(const char *prlist, const char *fname) { | |||
143 | memcpy(ptr, &filter_start[0], sizeof(filter_start)); | 145 | memcpy(ptr, &filter_start[0], sizeof(filter_start)); |
144 | ptr += sizeof(filter_start); | 146 | ptr += sizeof(filter_start); |
145 | 147 | ||
146 | #if 0 | ||
147 | printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter))); | ||
148 | { | ||
149 | unsigned j; | ||
150 | unsigned char *ptr2 = (unsigned char *) &filter[0]; | ||
151 | for (j = 0; j < sizeof(filter); j++, ptr2++) { | ||
152 | if ((j % (sizeof(struct sock_filter))) == 0) | ||
153 | printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); | ||
154 | printf("%02x, ", (*ptr2) & 0xff); | ||
155 | } | ||
156 | printf("\n"); | ||
157 | } | ||
158 | printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter)); | ||
159 | #endif | ||
160 | |||
161 | |||
162 | // parse list and add commands | 148 | // parse list and add commands |
163 | char *tmplist = strdup(prlist); | 149 | char *tmplist = strdup(prlist); |
164 | if (!tmplist) | 150 | if (!tmplist) |
@@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned | |||
176 | memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); | 162 | memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); |
177 | ptr += whitelist_len * sizeof(struct sock_filter); | 163 | ptr += whitelist_len * sizeof(struct sock_filter); |
178 | token = strtok(NULL, ","); | 164 | token = strtok(NULL, ","); |
179 | |||
180 | #if 0 | ||
181 | printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); | ||
182 | { | ||
183 | unsigned j; | ||
184 | unsigned char *ptr2 = (unsigned char *) &filter[0]; | ||
185 | for (j = 0; j < sizeof(filter); j++, ptr2++) { | ||
186 | if ((j % (sizeof(struct sock_filter))) == 0) | ||
187 | printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); | ||
188 | printf("%02x, ", (*ptr2) & 0xff); | ||
189 | } | ||
190 | printf("\n"); | ||
191 | } | ||
192 | #endif | ||
193 | |||
194 | |||
195 | } | 165 | } |
196 | free(tmplist); | 166 | free(tmplist); |
197 | 167 | ||
@@ -202,19 +172,6 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns | |||
202 | memcpy(ptr, &filter_end[0], sizeof(filter_end)); | 172 | memcpy(ptr, &filter_end[0], sizeof(filter_end)); |
203 | ptr += sizeof(filter_end); | 173 | ptr += sizeof(filter_end); |
204 | 174 | ||
205 | #if 0 | ||
206 | printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); | ||
207 | { | ||
208 | unsigned j; | ||
209 | unsigned char *ptr2 = (unsigned char *) &filter[0]; | ||
210 | for (j = 0; j < sizeof(filter); j++, ptr2++) { | ||
211 | if ((j % (sizeof(struct sock_filter))) == 0) | ||
212 | printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); | ||
213 | printf("%02x, ", (*ptr2) & 0xff); | ||
214 | } | ||
215 | printf("\n"); | ||
216 | } | ||
217 | #endif | ||
218 | // save filter to file | 175 | // save filter to file |
219 | int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 176 | int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
220 | if (dst < 0) { | 177 | if (dst < 0) { |
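Review bot: The new `bluetooth` keyword is appended to `protocol[]` and `WHITELIST(AF_BLUETOOTH)` to `protocol_filter_command[]` at the same index, which keeps the two arrays synchronized as the comment at line 74 requires, but the keyword is not documented anywhere visible in this commit; the `protocol` command description in the firejail and firejail-profile man pages should list it alongside unix, inet, inet6, netlink and packet, if that is not already done elsewhere in this change. Since both arrays sit inside an `#if` block (the `#endif` at line 73), a build without that condition still compiles `protocol[]` with the new entry but never uses it, which is harmless. protocol_build_filter continues outside the last hunk.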
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index 936a23512..ef76813ea 100755 --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh | |||
@@ -3,6 +3,16 @@ | |||
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | TCFILE="" | ||
7 | if [ -x "/usr/sbin/tc" ]; then | ||
8 | TCFILE="/usr/sbin/tc" | ||
9 | elif [ -x "/sbin/tc" ]; then | ||
10 | TCFILE="/sbin/tc"; | ||
11 | else | ||
12 | echo "Error: traffic control utility (tc) not found"; | ||
13 | exit 1 | ||
14 | fi | ||
15 | |||
6 | usage() { | 16 | usage() { |
7 | echo "Usage:" | 17 | echo "Usage:" |
8 | echo " fshaper.sh --status" | 18 | echo " fshaper.sh --status" |
@@ -11,8 +21,8 @@ usage() { | |||
11 | } | 21 | } |
12 | 22 | ||
13 | if [ "$1" = "--status" ]; then | 23 | if [ "$1" = "--status" ]; then |
14 | /sbin/tc -s qdisc ls | 24 | $TCFILE -s qdisc ls |
15 | /sbin/tc -s class ls | 25 | $TCFILE -s class ls |
16 | exit | 26 | exit |
17 | fi | 27 | fi |
18 | 28 | ||
@@ -25,8 +35,8 @@ if [ "$1" = "--clear" ]; then | |||
25 | 35 | ||
26 | DEV=$2 | 36 | DEV=$2 |
27 | echo "Removing bandwidth limits" | 37 | echo "Removing bandwidth limits" |
28 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null | 38 | $TCFILE qdisc del dev $DEV root 2> /dev/null > /dev/null |
29 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null | 39 | $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null |
30 | exit | 40 | exit |
31 | 41 | ||
32 | fi | 42 | fi |
@@ -34,7 +44,7 @@ fi | |||
34 | if [ "$1" = "--set" ]; then | 44 | if [ "$1" = "--set" ]; then |
35 | DEV=$2 | 45 | DEV=$2 |
36 | echo "Removing bandwidth limit" | 46 | echo "Removing bandwidth limit" |
37 | /sbin/tc qdisc del dev $DEV ingress #2> /dev/null > /dev/null | 47 | $TCFILE qdisc del dev $DEV ingress #2> /dev/null > /dev/null |
38 | 48 | ||
39 | if [ $# -ne 4 ]; then | 49 | if [ $# -ne 4 ]; then |
40 | echo "Error: missing parameters" | 50 | echo "Error: missing parameters" |
@@ -54,16 +64,16 @@ if [ "$1" = "--set" ]; then | |||
54 | echo "Upload speed ${OUT}kbps" | 64 | echo "Upload speed ${OUT}kbps" |
55 | 65 | ||
56 | echo "cleaning limits" | 66 | echo "cleaning limits" |
57 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null | 67 | $TCFILE qdisc del dev $DEV root 2> /dev/null > /dev/null |
58 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null | 68 | $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null |
59 | 69 | ||
60 | echo "configuring tc ingress" | 70 | echo "configuring tc ingress" |
61 | /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null | 71 | $TCFILE qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null |
62 | /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ | 72 | $TCFILE filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ |
63 | 0.0.0.0/0 police rate ${IN}kbit burst 10k drop flowid :1 #2> /dev/null > /dev/null | 73 | 0.0.0.0/0 police rate ${IN}kbit burst 10k drop flowid :1 #2> /dev/null > /dev/null |
64 | 74 | ||
65 | echo "configuring tc egress" | 75 | echo "configuring tc egress" |
66 | /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null | 76 | $TCFILE qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null |
67 | exit | 77 | exit |
68 | fi | 78 | fi |
69 | 79 | ||
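Review bot: The error message in the new tc lookup goes to stdout, so a caller that captures the script's output will swallow it; write it to stderr, `echo "Error: traffic control utility (tc) not found" >&2`. Resolving tc through a fixed list of absolute paths rather than a PATH lookup is the right choice for a script that runs with elevated privileges, so please keep that. Two style nits in the same block: the stray semicolons after `TCFILE="/sbin/tc"` and the echo are unnecessary, and `$TCFILE` should be quoted as `"$TCFILE"` at its call sites for consistency with the quoted tests above it.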
diff --git a/src/include/common.h b/src/include/common.h index 68d60fef3..2fa61cc91 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -39,7 +39,9 @@ | |||
39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) |
40 | 40 | ||
41 | // check if processes run with dumpable flag set | 41 | // check if processes run with dumpable flag set |
42 | #define WARN_DUMPABLE | 42 | // currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8, |
43 | // regardless what Debian version we run the build on | ||
44 | //#define WARN_DUMPABLE | ||
43 | 45 | ||
44 | // macro to print ip addresses in a printf statement | 46 | // macro to print ip addresses in a printf statement |
45 | #define PRINT_IP(A) \ | 47 | #define PRINT_IP(A) \ |
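Review bot: Commenting out `WARN_DUMPABLE` disables the dumpable check in every build, not only the Debian 8 build the new comment describes, so helpers that end up with the dumpable flag set (which exposes a privileged process's /proc entries to the invoking user) are no longer reported anywhere. Prefer keeping the define and downgrading the check to a warning, or exposing it as a configure option, so distribution builds retain the protection; at minimum leave a TODO to re-enable it. The new comment also reads awkwardly; suggested wording: `// disabled: firejail builds on Debian 8 always report "Error fseccomp: I am dumpable", regardless of the Debian version used for the build`.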
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index d56623907..21aad66f7 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -51,7 +51,7 @@ | |||
51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" | 51 | #define RUN_LIB_DIR RUN_MNT_DIR "/lib" |
52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" | 52 | #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" |
53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" | 53 | #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" |
54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient" | 54 | #define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient-dir" |
55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 55 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |
56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" | 56 | #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" |
57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" | 57 | #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" |
@@ -113,7 +113,7 @@ | |||
113 | #define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" | 113 | #define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" |
114 | #define RUN_TRACE_FILE RUN_MNT_DIR "/trace" | 114 | #define RUN_TRACE_FILE RUN_MNT_DIR "/trace" |
115 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" | 115 | #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" |
116 | #define RUN_JOIN_FILE RUN_MNT_DIR "/join" | ||
116 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" | 117 | #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" |
117 | #define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join" | ||
118 | 118 | ||
119 | #endif | 119 | #endif |
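Review bot: `RUN_DHCLIENT_4_LEASES_FILE` is defined twice in the context of the first hunk, at lines 55 and 57 of the new file; the redefinition is identical so the compiler stays quiet, but the second one should be dropped. The rename of the runtime directory from `/dhclient` to `/dhclient-dir` changes a path under RUN_MNT_DIR, so any place that spells that path literally rather than through the macro (the AppArmor profile or tests, if they reference it) needs the same change; this page does not show whether that was done. Removing RUN_JOIN_FILE and RUN_READY_FOR_JOIN is fine only if no remaining user of those macros exists, which is not visible here.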
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 29b858c70..90db16d39 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -96,24 +96,7 @@ | |||
96 | # define PR_SET_NO_NEW_PRIVS 38 | 96 | # define PR_SET_NO_NEW_PRIVS 38 |
97 | #endif | 97 | #endif |
98 | 98 | ||
99 | #if HAVE_SECCOMP_H | ||
100 | #include <linux/seccomp.h> | 99 | #include <linux/seccomp.h> |
101 | #else | ||
102 | #define SECCOMP_MODE_FILTER 2 | ||
103 | #define SECCOMP_RET_KILL 0x00000000U | ||
104 | #define SECCOMP_RET_TRAP 0x00030000U | ||
105 | #define SECCOMP_RET_ALLOW 0x7fff0000U | ||
106 | #define SECCOMP_RET_ERRNO 0x00050000U | ||
107 | #define SECCOMP_RET_DATA 0x0000ffffU | ||
108 | |||
109 | struct seccomp_data { | ||
110 | int nr; | ||
111 | __u32 arch; | ||
112 | __u64 instruction_pointer; | ||
113 | __u64 args[6]; | ||
114 | }; | ||
115 | #endif | ||
116 | |||
117 | #ifndef SECCOMP_RET_LOG | 100 | #ifndef SECCOMP_RET_LOG |
118 | #define SECCOMP_RET_LOG 0x7ffc0000U | 101 | #define SECCOMP_RET_LOG 0x7ffc0000U |
119 | #endif | 102 | #endif |
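Review bot: With the `#if HAVE_SECCOMP_H` fallback gone, `<linux/seccomp.h>` is a hard build requirement, which is reasonable for current kernels, but the configure check that defines HAVE_SECCOMP_H (not visible here) becomes dead and should be removed in the same change so nobody assumes the fallback still exists. The remaining `#ifndef SECCOMP_RET_LOG` guard is still needed for older kernel headers and is correctly kept.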
diff --git a/src/lib/syscall.c b/src/lib/syscall.c index 2f8ccaed7..4903971ad 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c | |||
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = { | |||
230 | "@cpu-emulation," | 230 | "@cpu-emulation," |
231 | "@debug," | 231 | "@debug," |
232 | "@module," | 232 | "@module," |
233 | "@mount," | ||
233 | "@obsolete," | 234 | "@obsolete," |
234 | "@raw-io," | 235 | "@raw-io," |
235 | "@reboot," | 236 | "@reboot," |
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = { | |||
297 | #ifdef SYS_vmsplice | 298 | #ifdef SYS_vmsplice |
298 | "vmsplice," | 299 | "vmsplice," |
299 | #endif | 300 | #endif |
300 | #ifdef SYS_umount | ||
301 | "umount," | ||
302 | #endif | ||
303 | #ifdef SYS_userfaultfd | 301 | #ifdef SYS_userfaultfd |
304 | "userfaultfd," | 302 | "userfaultfd," |
305 | #endif | 303 | #endif |
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = { | |||
309 | #ifdef SYS_bpf | 307 | #ifdef SYS_bpf |
310 | "bpf," | 308 | "bpf," |
311 | #endif | 309 | #endif |
312 | #ifdef SYS_chroot | ||
313 | "chroot," | ||
314 | #endif | ||
315 | #ifdef SYS_mount | ||
316 | "mount," | ||
317 | #endif | ||
318 | #ifdef SYS_nfsservctl | 310 | #ifdef SYS_nfsservctl |
319 | "nfsservctl," | 311 | "nfsservctl," |
320 | #endif | 312 | #endif |
321 | #ifdef SYS_pivot_root | ||
322 | "pivot_root," | ||
323 | #endif | ||
324 | #ifdef SYS_setdomainname | 313 | #ifdef SYS_setdomainname |
325 | "setdomainname," | 314 | "setdomainname," |
326 | #endif | 315 | #endif |
327 | #ifdef SYS_sethostname | 316 | #ifdef SYS_sethostname |
328 | "sethostname," | 317 | "sethostname," |
329 | #endif | 318 | #endif |
330 | #ifdef SYS_umount2 | ||
331 | "umount2," | ||
332 | #endif | ||
333 | #ifdef SYS_vhangup | 319 | #ifdef SYS_vhangup |
334 | "vhangup" | 320 | "vhangup" |
335 | #endif | 321 | #endif |
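Review bot: The three hunks move `chroot`, `mount`, `pivot_root`, `umount` and `umount2` out of the explicit syscall list and replace them with a `@mount,` group reference; the effective blacklist is unchanged only if the `@mount` group, defined outside this hunk, contains exactly those five calls or a superset of them. Please confirm that definition, and add a comment next to `"@mount,"` noting that the individual mount-related syscalls were folded into it so the next reader does not re-add them. The sysgroups array begins and ends outside these hunks.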
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in index 00dc6ee7e..edd4534b8 100644 --- a/src/libpostexecseccomp/Makefile.in +++ b/src/libpostexecseccomp/Makefile.in | |||
@@ -9,7 +9,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
9 | OBJS = $(C_FILE_LIST:.c=.o) | 9 | OBJS = $(C_FILE_LIST:.c=.o) |
10 | BINOBJS = $(foreach file, $(OBJS), $file) | 10 | BINOBJS = $(foreach file, $(OBJS), $file) |
11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
12 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 12 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now |
13 | 13 | ||
14 | all: libpostexecseccomp.so | 14 | all: libpostexecseccomp.so |
15 | 15 | ||
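Review bot: `-fPIE` is a compile-time code-generation flag and has no effect when placed in LDFLAGS for a normal (non-LTO) link, so the change in this Makefile and in the identical ones for libtrace and libtracelog is inert. These three targets are shared objects, where the relevant option is `-fPIC`, which CFLAGS already carries; if the intent was hardening, `-Wl,-z,relro -Wl,-z,now` already covers the link side. The pre-existing `-pie` is likewise not meaningful for a `-shared` link and the gcc driver appears to drop it in that case, so the whole LDFLAGS line deserves a second look rather than another flag.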
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in index 2070fe0ea..5c7d0f885 100644 --- a/src/libtrace/Makefile.in +++ b/src/libtrace/Makefile.in | |||
@@ -9,7 +9,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
9 | OBJS = $(C_FILE_LIST:.c=.o) | 9 | OBJS = $(C_FILE_LIST:.c=.o) |
10 | BINOBJS = $(foreach file, $(OBJS), $file) | 10 | BINOBJS = $(foreach file, $(OBJS), $file) |
11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
12 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 12 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now |
13 | 13 | ||
14 | all: libtrace.so | 14 | all: libtrace.so |
15 | 15 | ||
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in index db640617a..b1ac9e57c 100644 --- a/src/libtracelog/Makefile.in +++ b/src/libtracelog/Makefile.in | |||
@@ -9,7 +9,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
9 | OBJS = $(C_FILE_LIST:.c=.o) | 9 | OBJS = $(C_FILE_LIST:.c=.o) |
10 | BINOBJS = $(foreach file, $(OBJS), $file) | 10 | BINOBJS = $(foreach file, $(OBJS), $file) |
11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 11 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
12 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 12 | LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now |
13 | 13 | ||
14 | all: libtracelog.so | 14 | all: libtracelog.so |
15 | 15 | ||
diff --git a/src/man/Makefile.in b/src/man/Makefile.in new file mode 100644 index 000000000..1c4444307 --- /dev/null +++ b/src/man/Makefile.in | |||
@@ -0,0 +1,10 @@ | |||
1 | all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man | ||
2 | include ../common.mk | ||
3 | |||
4 | %.man: %.txt | ||
5 | gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ | ||
6 | |||
7 | clean:; rm -fr *.man | ||
8 | |||
9 | distclean: clean | ||
10 | rm -fr Makefile | ||
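Review bot: The `%.man: %.txt` rule writes straight to `$@`, so if gawk fails the target is left as a truncated file that the next make run considers up to date; add `.DELETE_ON_ERROR:` near the top of the file. The rule also does not depend on `preproc.awk`, so editing the preprocessor never regenerates the man pages; make it `%.man: %.txt preproc.awk`. Placing the `all:` target before `include ../common.mk` is fine since it keeps `all` as the default goal.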
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index e282c8cf0..f3123356a 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -44,9 +44,10 @@ The following actions are implemented by default by running sudo firecfg: | |||
44 | .br | 44 | .br |
45 | - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). | 45 | - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). |
46 | .br | 46 | .br |
47 | 47 | #ifdef HAVE_APPARMOR | |
48 | .br | 48 | .br |
49 | - automatically loads and forces the AppArmor profile "firejail-default". | 49 | - automatically loads and forces the AppArmor profile "firejail-default". |
50 | #endif | ||
50 | .RE | 51 | .RE |
51 | 52 | ||
52 | .SH OPTIONS | 53 | .SH OPTIONS |
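--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -150,9 +150,10 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
+#ifdef HAVE_NETWORK
 .br
 Example: "ignore net eth0"
-
+#endif
 .TP
 \fBquiet
 Disable Firejail's output. This should be the first uncommented command in the profile file.
@@ -245,6 +246,7 @@ before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
+#ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
 Mount a filesystem overlay on top of the current filesystem.
@@ -257,6 +259,7 @@ The overlay is stored in $HOME/.firejail/name directory.
 \fBoverlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem.
 All filesystem modifications are discarded when the sandbox is closed.
+#endif
 .TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
@@ -294,6 +297,7 @@ filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
 the /etc directory.
 All modifications are discarded when the sandbox is closed.
+#ifdef HAVE_PRIVATE_HOME
 .TP
 \fBprivate-home file,directory
 Build a new user home in a temporary
@@ -303,6 +307,7 @@ The files and directories in the list must be expressed as relative to
 the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
+#endif
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
@@ -369,9 +374,11 @@ The following security filters are currently implemented:
 .TP
 \fBallow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
+#ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
 Enable AppArmor confinement.
+#endif
 .TP
 \fBcaps
 Enable default Linux capabilities filter.
@@ -395,15 +402,17 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+#ifdef HAVE_USERNS
 .TP
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+#endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
@@ -437,6 +446,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst
 Return a different error instead of EPERM to the process, kill it when
 an attempt is made to call a blocked system call, or allow but log the
 attempt.
+#ifdef HAVE_X11
 .TP
 \fBx11
 Enable X11 sandboxing.
@@ -470,7 +480,8 @@ Example:
 xephyr-screen 640x480
 .br
 x11 xephyr
-
+#endif
+#ifdef HAVE_DBUSPROXY
 .SH DBus filtering
 
 Access to the session and system DBus UNIX sockets can be allowed, filtered or
@@ -513,7 +524,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -534,7 +545,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBnodbus \fR(deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
@@ -565,7 +576,7 @@ and the user wants to disable notifications, this can be achieved by putting the
 ignore dbus-user.talk org.freedesktop.Notifications
 .br
 [...]
-
+#endif
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
 The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
@@ -661,6 +672,7 @@ Disable video devices.
 Run the program directly, without a shell.
 
 
+#ifdef HAVE_NETWORK
 .SH Networking
 Networking features available in profile files.
 
@@ -853,7 +865,7 @@ a default gateway address also have to be added.
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
-
+#endif
 .SH Other
 .TP
 \fBdeterministic-exit-code
@@ -877,5 +889,5 @@ Homepage: https://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5),
 \&\flfirejail-users\fR\|(5),
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE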
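--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -38,7 +38,7 @@ See \fBman 1 firecfg\fR for details.
 An alternative way of restricting user access to firejail executable is to create a special firejail user group and
 allow only users in this group to run the sandbox:
 
-# addgroup firejail
+# addgroup --system firejail
 .br
 # chown root:firejail /usr/bin/firejail
 .br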
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3b7ba4e3d..8c73962fb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -14,18 +14,22 @@ Start an AppImage program: | |||
14 | firejail [OPTIONS] --appimage [appimage-file and arguments] | 14 | firejail [OPTIONS] --appimage [appimage-file and arguments] |
15 | .RE | 15 | .RE |
16 | .PP | 16 | .PP |
17 | #ifdef HAVE_FILE_TRANSFER | ||
17 | File transfer from an existing sandbox | 18 | File transfer from an existing sandbox |
18 | .PP | 19 | .PP |
19 | .RS | 20 | .RS |
20 | firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename | 21 | firejail {\-\-ls | \-\-get | \-\-put | \-\-cat} dir_or_filename |
21 | .RE | 22 | .RE |
22 | .PP | 23 | .PP |
24 | #endif | ||
25 | #ifdef HAVE_NETWORK | ||
23 | Network traffic shaping for an existing sandbox: | 26 | Network traffic shaping for an existing sandbox: |
24 | .PP | 27 | .PP |
25 | .RS | 28 | .RS |
26 | firejail \-\-bandwidth={name|pid} bandwidth-command | 29 | firejail \-\-bandwidth={name|pid} bandwidth-command |
27 | .RE | 30 | .RE |
28 | .PP | 31 | .PP |
32 | #endif | ||
29 | Monitoring: | 33 | Monitoring: |
30 | .PP | 34 | .PP |
31 | .RS | 35 | .RS |
@@ -106,6 +110,7 @@ All directories under /home are visible inside the sandbox. By default, only cur | |||
106 | Example: | 110 | Example: |
107 | .br | 111 | .br |
108 | $ firejail --allusers | 112 | $ firejail --allusers |
113 | #ifdef HAVE_APPARMOR | ||
109 | .TP | 114 | .TP |
110 | \fB\-\-apparmor | 115 | \fB\-\-apparmor |
111 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. | 116 | Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. |
@@ -122,11 +127,12 @@ $ firejail \-\-apparmor.print=browser | |||
122 | 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr | 127 | 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr |
123 | .br | 128 | .br |
124 | AppArmor: firejail-default enforce | 129 | AppArmor: firejail-default enforce |
125 | 130 | #endif | |
126 | .TP | 131 | .TP |
127 | \fB\-\-appimage | 132 | \fB\-\-appimage |
128 | Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started | 133 | Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started |
129 | as a regular user, nonewprivs and a default capabilities filter are enabled. | 134 | as a regular user, nonewprivs and a default capabilities filter are enabled. |
135 | private-bin and private-lib are disabled by default when running appimages. | ||
130 | .br | 136 | .br |
131 | 137 | ||
132 | .br | 138 | .br |
@@ -136,8 +142,9 @@ $ firejail --appimage krita-3.0-x86_64.appimage | |||
136 | .br | 142 | .br |
137 | $ firejail --appimage --private krita-3.0-x86_64.appimage | 143 | $ firejail --appimage --private krita-3.0-x86_64.appimage |
138 | .br | 144 | .br |
145 | #ifdef HAVE_X11 | ||
139 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage | 146 | $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage |
140 | 147 | #endif | |
141 | .TP | 148 | .TP |
142 | \fB\-\-audit | 149 | \fB\-\-audit |
143 | Audit the sandbox, see \fBAUDIT\fR section for more details. | 150 | Audit the sandbox, see \fBAUDIT\fR section for more details. |
@@ -272,10 +279,11 @@ $ firejail \-\-list | |||
272 | .br | 279 | .br |
273 | $ firejail \-\-caps.print=3272 | 280 | $ firejail \-\-caps.print=3272 |
274 | 281 | ||
282 | #ifdef HAVE_FILE_TRANSFER | ||
275 | .TP | 283 | .TP |
276 | \fB\-\-cat=name|pid filename | 284 | \fB\-\-cat=name|pid filename |
277 | Print content of file from sandbox container, see FILE TRANSFER section for more details. | 285 | Print content of file from sandbox container, see FILE TRANSFER section for more details. |
278 | 286 | #endif | |
279 | .TP | 287 | .TP |
280 | \fB\-\-cgroup=tasks-file | 288 | \fB\-\-cgroup=tasks-file |
281 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. | 289 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. |
@@ -285,7 +293,7 @@ Place the sandbox in the specified control group. tasks-file is the full path of | |||
285 | Example: | 293 | Example: |
286 | .br | 294 | .br |
287 | # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks | 295 | # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks |
288 | 296 | #ifdef HAVE_CHROOT | |
289 | .TP | 297 | .TP |
290 | \fB\-\-chroot=dirname | 298 | \fB\-\-chroot=dirname |
291 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, | 299 | Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, |
@@ -297,7 +305,7 @@ regular user, nonewprivs and a default capabilities filter are enabled. | |||
297 | Example: | 305 | Example: |
298 | .br | 306 | .br |
299 | $ firejail \-\-chroot=/media/ubuntu warzone2100 | 307 | $ firejail \-\-chroot=/media/ubuntu warzone2100 |
300 | 308 | #endif | |
301 | .TP | 309 | .TP |
302 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 310 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
303 | Set CPU affinity. | 311 | Set CPU affinity. |
@@ -329,7 +337,7 @@ $ firejail \-\-list | |||
329 | 3272:netblue::firejail \-\-private firefox | 337 | 3272:netblue::firejail \-\-private firefox |
330 | .br | 338 | .br |
331 | $ firejail \-\-cpu.print=3272 | 339 | $ firejail \-\-cpu.print=3272 |
332 | 340 | #ifdef HAVE_DBUSPROXY | |
333 | .TP | 341 | .TP |
334 | \fB\-\-dbus-log=file | 342 | \fB\-\-dbus-log=file |
335 | Specify the location for the DBus log file. | 343 | Specify the location for the DBus log file. |
@@ -344,7 +352,9 @@ path is given, logs are written to the standard output instead. | |||
344 | .br | 352 | .br |
345 | Example: | 353 | Example: |
346 | .br | 354 | .br |
347 | $ firejail --dbus-system=filter --dbus-system.log --dbus-log=dbus.txt | 355 | $ firejail --dbus-system=filter --dbus-system.log \\ |
356 | .br | ||
357 | --dbus-log=dbus.txt | ||
348 | 358 | ||
349 | .TP | 359 | .TP |
350 | \fB\-\-dbus-system=filter|none | 360 | \fB\-\-dbus-system=filter|none |
@@ -390,7 +400,11 @@ object paths, respectively. | |||
390 | .br | 400 | .br |
391 | Example: | 401 | Example: |
392 | .br | 402 | .br |
393 | $ firejail --dbus-system=filter --dbus-system.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 403 | $ firejail --dbus-system=filter --dbus-system.broadcast=\\ |
404 | .br | ||
405 | org.freedesktop.Notifications=\\ | ||
406 | .br | ||
407 | org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
394 | 408 | ||
395 | .TP | 409 | .TP |
396 | \fB\-\-dbus-system.call=name=[member][@path] | 410 | \fB\-\-dbus-system.call=name=[member][@path] |
@@ -408,7 +422,11 @@ object paths, respectively. | |||
408 | .br | 422 | .br |
409 | Example: | 423 | Example: |
410 | .br | 424 | .br |
411 | $ firejail --dbus-system=filter --dbus-system.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 425 | $ firejail --dbus-system=filter --dbus-system.call=\\ |
426 | .br | ||
427 | org.freedesktop.Notifications=\\ | ||
428 | .br | ||
429 | org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
412 | 430 | ||
413 | .TP | 431 | .TP |
414 | \fB\-\-dbus-system.log | 432 | \fB\-\-dbus-system.log |
@@ -430,7 +448,9 @@ not "foobar"). | |||
430 | .br | 448 | .br |
431 | Example: | 449 | Example: |
432 | .br | 450 | .br |
433 | $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* | 451 | $ firejail --dbus-system=filter --dbus-system.own=\\ |
452 | .br | ||
453 | org.gnome.ghex.* | ||
434 | 454 | ||
435 | .TP | 455 | .TP |
436 | \fB\-\-dbus-system.see=name | 456 | \fB\-\-dbus-system.see=name |
@@ -444,7 +464,9 @@ not "foobar"). | |||
444 | .br | 464 | .br |
445 | Example: | 465 | Example: |
446 | .br | 466 | .br |
447 | $ firejail --dbus-system=filter --dbus-system.see=org.freedesktop.Notifications | 467 | $ firejail --dbus-system=filter --dbus-system.see=\\ |
468 | .br | ||
469 | org.freedesktop.Notifications | ||
448 | 470 | ||
449 | .TP | 471 | .TP |
450 | \fB\-\-dbus-system.talk=name | 472 | \fB\-\-dbus-system.talk=name |
@@ -457,7 +479,9 @@ not "foobar"). | |||
457 | .br | 479 | .br |
458 | Example: | 480 | Example: |
459 | .br | 481 | .br |
460 | $ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications | 482 | $ firejail --dbus-system=filter --dbus-system.talk=\\ |
483 | .br | ||
484 | org.freedesktop.Notifications | ||
461 | 485 | ||
462 | .TP | 486 | .TP |
463 | \fB\-\-dbus-user=filter|none | 487 | \fB\-\-dbus-user=filter|none |
@@ -503,7 +527,11 @@ object paths, respectively. | |||
503 | .br | 527 | .br |
504 | Example: | 528 | Example: |
505 | .br | 529 | .br |
506 | $ firejail --dbus-user=filter --dbus-user.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 530 | $ firejail --dbus-user=filter --dbus-user.broadcast=\\ |
531 | .br | ||
532 | org.freedesktop.Notifications=\\ | ||
533 | .br | ||
534 | org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
507 | 535 | ||
508 | .TP | 536 | .TP |
509 | \fB\-\-dbus-user.call=name=[member][@path] | 537 | \fB\-\-dbus-user.call=name=[member][@path] |
@@ -521,7 +549,11 @@ object paths, respectively. | |||
521 | .br | 549 | .br |
522 | Example: | 550 | Example: |
523 | .br | 551 | .br |
524 | $ firejail --dbus-user=filter --dbus-user.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 552 | $ firejail --dbus-user=filter --dbus-user.call=\\ |
553 | .br | ||
554 | org.freedesktop.Notifications=\\ | ||
555 | .br | ||
556 | org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
525 | 557 | ||
526 | .TP | 558 | .TP |
527 | \fB\-\-dbus-user.log | 559 | \fB\-\-dbus-user.log |
@@ -556,7 +588,9 @@ not "foobar"). | |||
556 | .br | 588 | .br |
557 | Example: | 589 | Example: |
558 | .br | 590 | .br |
559 | $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications | 591 | $ firejail --dbus-user=filter --dbus-user.talk=\\ |
592 | .br | ||
593 | org.freedesktop.Notifications | ||
560 | 594 | ||
561 | .TP | 595 | .TP |
562 | \fB\-\-dbus-user.see=name | 596 | \fB\-\-dbus-user.see=name |
@@ -570,8 +604,10 @@ not "foobar"). | |||
570 | .br | 604 | .br |
571 | Example: | 605 | Example: |
572 | .br | 606 | .br |
573 | $ firejail --dbus-user=filter --dbus-user.see=org.freedesktop.Notifications | 607 | $ firejail --dbus-user=filter --dbus-user.see=\\ |
574 | 608 | .br | |
609 | org.freedesktop.Notifications | ||
610 | #endif | ||
575 | .TP | 611 | .TP |
576 | \fB\-\-debug\fR | 612 | \fB\-\-debug\fR |
577 | Print debug messages. | 613 | Print debug messages. |
@@ -645,7 +681,7 @@ Debug whitelisting. | |||
645 | Example: | 681 | Example: |
646 | .br | 682 | .br |
647 | $ firejail \-\-debug-whitelists firefox | 683 | $ firejail \-\-debug-whitelists firefox |
648 | 684 | #ifdef HAVE_NETWORK | |
649 | .TP | 685 | .TP |
650 | \fB\-\-defaultgw=address | 686 | \fB\-\-defaultgw=address |
651 | Use this address as default gateway in the new network namespace. | 687 | Use this address as default gateway in the new network namespace. |
@@ -655,7 +691,7 @@ Use this address as default gateway in the new network namespace. | |||
655 | Example: | 691 | Example: |
656 | .br | 692 | .br |
657 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 693 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
658 | 694 | #endif | |
659 | .TP | 695 | .TP |
660 | \fB\-\-disable-mnt | 696 | \fB\-\-disable-mnt |
661 | Blacklist /mnt, /media, /run/mount and /run/media access. | 697 | Blacklist /mnt, /media, /run/mount and /run/media access. |
@@ -738,10 +774,11 @@ $ firejail \-\-list | |||
738 | .br | 774 | .br |
739 | $ firejail \-\-fs.print=3272 | 775 | $ firejail \-\-fs.print=3272 |
740 | 776 | ||
777 | #ifdef HAVE_FILE_TRANSFER | ||
741 | .TP | 778 | .TP |
742 | \fB\-\-get=name|pid filename | 779 | \fB\-\-get=name|pid filename |
743 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. | 780 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. |
744 | 781 | #endif | |
745 | .TP | 782 | .TP |
746 | \fB\-?\fR, \fB\-\-help\fR | 783 | \fB\-?\fR, \fB\-\-help\fR |
747 | Print options end exit. | 784 | Print options end exit. |
@@ -776,8 +813,12 @@ Ignore command in profile file. | |||
776 | Example: | 813 | Example: |
777 | .br | 814 | .br |
778 | $ firejail \-\-ignore=shell --ignore=seccomp firefox | 815 | $ firejail \-\-ignore=shell --ignore=seccomp firefox |
816 | #ifdef HAVE_NETWORK | ||
779 | .br | 817 | .br |
780 | $ firejail \-\-ignore="net eth0" firefox | 818 | $ firejail \-\-ignore="net eth0" firefox |
819 | #endif | ||
820 | |||
821 | #ifdef HAVE_NETWORK | ||
781 | .TP | 822 | .TP |
782 | \fB\-\-interface=interface | 823 | \fB\-\-interface=interface |
783 | Move interface in a new network namespace. Up to four --interface options can be specified. | 824 | Move interface in a new network namespace. Up to four --interface options can be specified. |
@@ -899,6 +940,7 @@ for sandboxes started as root. | |||
899 | Example: | 940 | Example: |
900 | .br | 941 | .br |
901 | $ firejail \-\-ipc-namespace firefox | 942 | $ firejail \-\-ipc-namespace firefox |
943 | #endif | ||
902 | .TP | 944 | .TP |
903 | \fB\-\-join=name|pid | 945 | \fB\-\-join=name|pid |
904 | Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. | 946 | Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. |
@@ -930,7 +972,7 @@ $ firejail \-\-join=3272 | |||
930 | Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. | 972 | Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. |
931 | If a program is specified, the program is run in the sandbox. This command is available only to root user. | 973 | If a program is specified, the program is run in the sandbox. This command is available only to root user. |
932 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. | 974 | Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. |
933 | 975 | #ifdef HAVE_NETWORK | |
934 | .TP | 976 | .TP |
935 | \fB\-\-join-network=name|pid | 977 | \fB\-\-join-network=name|pid |
936 | Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. | 978 | Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. |
@@ -986,7 +1028,7 @@ Switching to pid 1932, the first child process inside the sandbox | |||
986 | inet6 fe80::7458:14ff:fe42:78e4/64 scope link | 1028 | inet6 fe80::7458:14ff:fe42:78e4/64 scope link |
987 | .br | 1029 | .br |
988 | valid_lft forever preferred_lft forever | 1030 | valid_lft forever preferred_lft forever |
989 | 1031 | #endif | |
990 | .TP | 1032 | .TP |
991 | \fB\-\-join-or-start=name | 1033 | \fB\-\-join-or-start=name |
992 | Join the sandbox identified by name or start a new one. | 1034 | Join the sandbox identified by name or start a new one. |
@@ -1025,15 +1067,21 @@ Example: | |||
1025 | $ firejail \-\-list | 1067 | $ firejail \-\-list |
1026 | .br | 1068 | .br |
1027 | 7015:netblue:browser:firejail firefox | 1069 | 7015:netblue:browser:firejail firefox |
1070 | #ifdef HAVE_NETWORK | ||
1028 | .br | 1071 | .br |
1029 | 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk | 1072 | 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk |
1073 | #endif | ||
1074 | #ifdef HAVE_USERNS | ||
1030 | .br | 1075 | .br |
1031 | 7064:netblue::firejail \-\-noroot xterm | 1076 | 7064:netblue::firejail \-\-noroot xterm |
1032 | .br | 1077 | .br |
1078 | #endif | ||
1079 | #ifdef HAVE_FILE_TRANSFER | ||
1033 | .TP | 1080 | .TP |
1034 | \fB\-\-ls=name|pid dir_or_filename | 1081 | \fB\-\-ls=name|pid dir_or_filename |
1035 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. | 1082 | List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. |
1036 | 1083 | #endif | |
1084 | #ifdef HAVE_NETWORK | ||
1037 | .TP | 1085 | .TP |
1038 | \fB\-\-mac=address | 1086 | \fB\-\-mac=address |
1039 | Assign MAC addresses to the last network interface defined by a \-\-net option. This option | 1087 | Assign MAC addresses to the last network interface defined by a \-\-net option. This option |
@@ -1044,7 +1092,7 @@ is not supported for wireless interfaces. | |||
1044 | Example: | 1092 | Example: |
1045 | .br | 1093 | .br |
1046 | $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox | 1094 | $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox |
1047 | 1095 | #endif | |
1048 | .TP | 1096 | .TP |
1049 | \fB\-\-machine-id | 1097 | \fB\-\-machine-id |
1050 | Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. | 1098 | Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. |
@@ -1070,7 +1118,7 @@ kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. | |||
1070 | Note: shmat is not implemented | 1118 | Note: shmat is not implemented |
1071 | as a system call on some platforms including i386, and it cannot be | 1119 | as a system call on some platforms including i386, and it cannot be |
1072 | handled by seccomp-bpf. | 1120 | handled by seccomp-bpf. |
1073 | 1121 | #ifdef HAVE_NETWORK | |
1074 | .TP | 1122 | .TP |
1075 | \fB\-\-mtu=number | 1123 | \fB\-\-mtu=number |
1076 | Assign a MTU value to the last network interface defined by a \-\-net option. | 1124 | Assign a MTU value to the last network interface defined by a \-\-net option. |
@@ -1080,7 +1128,7 @@ Assign a MTU value to the last network interface defined by a \-\-net option. | |||
1080 | Example: | 1128 | Example: |
1081 | .br | 1129 | .br |
1082 | $ firejail \-\-net=eth0 \-\-mtu=1492 | 1130 | $ firejail \-\-net=eth0 \-\-mtu=1492 |
1083 | 1131 | #endif | |
1084 | .TP | 1132 | .TP |
1085 | \fB\-\-name=name | 1133 | \fB\-\-name=name |
1086 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use | 1134 | Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use |
@@ -1105,7 +1153,7 @@ $ firejail --list | |||
1105 | .br | 1153 | .br |
1106 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote | 1154 | 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote |
1107 | .br | 1155 | .br |
1108 | 1156 | #ifdef HAVE_NETWORK | |
1109 | .TP | 1157 | .TP |
1110 | \fB\-\-net=bridge_interface | 1158 | \fB\-\-net=bridge_interface |
1111 | Enable a new network namespace and connect it to this bridge interface. | 1159 | Enable a new network namespace and connect it to this bridge interface. |
@@ -1146,7 +1194,7 @@ Example: | |||
1146 | $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox | 1194 | $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox |
1147 | .br | 1195 | .br |
1148 | $ firejail \-\-net=wlan0 firefox | 1196 | $ firejail \-\-net=wlan0 firefox |
1149 | 1197 | #endif | |
1150 | .TP | 1198 | .TP |
1151 | \fB\-\-net=none | 1199 | \fB\-\-net=none |
1152 | Enable a new, unconnected network namespace. The only interface | 1200 | Enable a new, unconnected network namespace. The only interface |
@@ -1164,7 +1212,7 @@ $ firejail \-\-net=none vlc | |||
1164 | .br | 1212 | .br |
1165 | Note: \-\-net=none can crash the application on some platforms. | 1213 | Note: \-\-net=none can crash the application on some platforms. |
1166 | In these cases, it can be replaced with \-\-protocol=unix. | 1214 | In these cases, it can be replaced with \-\-protocol=unix. |
1167 | 1215 | #ifdef HAVE_NETWORK | |
1168 | .TP | 1216 | .TP |
1169 | \fB\-\-net=tap_interface | 1217 | \fB\-\-net=tap_interface |
1170 | Enable a new network namespace and connect it | 1218 | Enable a new network namespace and connect it |
@@ -1278,9 +1326,6 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ | |||
1278 | .br | 1326 | .br |
1279 | --net=eth0 firefox | 1327 | --net=eth0 firefox |
1280 | 1328 | ||
1281 | |||
1282 | |||
1283 | |||
1284 | .TP | 1329 | .TP |
1285 | \fB\-\-netfilter=filename,arg1,arg2,arg3 ... | 1330 | \fB\-\-netfilter=filename,arg1,arg2,arg3 ... |
1286 | This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script | 1331 | This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script |
@@ -1294,8 +1339,6 @@ $ firejail --net=eth0 --ip=192.168.1.105 \\ | |||
1294 | --netfilter=/etc/firejail/tcpserver.net,5001 server-program | 1339 | --netfilter=/etc/firejail/tcpserver.net,5001 server-program |
1295 | .br | 1340 | .br |
1296 | 1341 | ||
1297 | |||
1298 | |||
1299 | .TP | 1342 | .TP |
1300 | \fB\-\-netfilter.print=name|pid | 1343 | \fB\-\-netfilter.print=name|pid |
1301 | Print the firewall installed in the sandbox specified by name or PID. Example: | 1344 | Print the firewall installed in the sandbox specified by name or PID. Example: |
@@ -1359,7 +1402,7 @@ PID User RX(KB/s) TX(KB/s) Command | |||
1359 | 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox | 1402 | 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox |
1360 | .br | 1403 | .br |
1361 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission | 1404 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission |
1362 | 1405 | #endif | |
1363 | .TP | 1406 | .TP |
1364 | \fB\-\-nice=value | 1407 | \fB\-\-nice=value |
1365 | Set nice value for all processes running inside the sandbox. | 1408 | Set nice value for all processes running inside the sandbox. |
@@ -1418,6 +1461,7 @@ $ nc dict.org 2628 | |||
1418 | .br | 1461 | .br |
1419 | .TP | 1462 | .TP |
1420 | \fB\-\-nodbus \fR(deprecated) | 1463 | \fB\-\-nodbus \fR(deprecated) |
1464 | #ifdef HAVE_DBUSPROXY | ||
1421 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. | 1465 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. |
1422 | .br | 1466 | .br |
1423 | 1467 | ||
@@ -1425,6 +1469,7 @@ Disable D-Bus access (both system and session buses). Equivalent to --dbus-syste | |||
1425 | Example: | 1469 | Example: |
1426 | .br | 1470 | .br |
1427 | $ firejail \-\-nodbus \-\-net=none | 1471 | $ firejail \-\-nodbus \-\-net=none |
1472 | #endif | ||
1428 | .TP | 1473 | .TP |
1429 | \fB\-\-nodvd | 1474 | \fB\-\-nodvd |
1430 | Disable DVD and audio CD devices. | 1475 | Disable DVD and audio CD devices. |
@@ -1513,7 +1558,7 @@ Parent pid 8553, child pid 8554 | |||
1513 | Child process initialized | 1558 | Child process initialized |
1514 | .br | 1559 | .br |
1515 | [...] | 1560 | [...] |
1516 | 1561 | #if HAVE_USERNS | |
1517 | .TP | 1562 | .TP |
1518 | \fB\-\-noroot | 1563 | \fB\-\-noroot |
1519 | Install a user namespace with a single user - the current user. | 1564 | Install a user namespace with a single user - the current user. |
@@ -1537,7 +1582,7 @@ $ ping google.com | |||
1537 | ping: icmp open socket: Operation not permitted | 1582 | ping: icmp open socket: Operation not permitted |
1538 | .br | 1583 | .br |
1539 | $ | 1584 | $ |
1540 | 1585 | #endif | |
1541 | .TP | 1586 | .TP |
1542 | \fB\-\-nosound | 1587 | \fB\-\-nosound |
1543 | Disable sound system. | 1588 | Disable sound system. |
@@ -1608,6 +1653,7 @@ $ ls -l sandboxlog* | |||
1608 | \fB\-\-output-stderr=logfile | 1653 | \fB\-\-output-stderr=logfile |
1609 | Similar to \-\-output, but stderr is also stored. | 1654 | Similar to \-\-output, but stderr is also stored. |
1610 | 1655 | ||
1656 | #ifdef HAVE_OVERLAYFS | ||
1611 | .TP | 1657 | .TP |
1612 | \fB\-\-overlay | 1658 | \fB\-\-overlay |
1613 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, | 1659 | Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, |
@@ -1674,7 +1720,7 @@ This option is not available on Grsecurity systems. | |||
1674 | Example: | 1720 | Example: |
1675 | .br | 1721 | .br |
1676 | $ firejail \-\-overlay-tmpfs firefox | 1722 | $ firejail \-\-overlay-tmpfs firefox |
1677 | 1723 | #endif | |
1678 | .TP | 1724 | .TP |
1679 | \fB\-\-private | 1725 | \fB\-\-private |
1680 | Mount new /root and /home/user directories in temporary | 1726 | Mount new /root and /home/user directories in temporary |
@@ -1811,7 +1857,7 @@ Example: | |||
1811 | $ firejail --private-etc=group,hostname,localtime, \\ | 1857 | $ firejail --private-etc=group,hostname,localtime, \\ |
1812 | .br | 1858 | .br |
1813 | nsswitch.conf,passwd,resolv.conf,default/motd-news | 1859 | nsswitch.conf,passwd,resolv.conf,default/motd-news |
1814 | 1860 | #ifdef HAVE_PRIVATE_HOME | |
1815 | .TP | 1861 | .TP |
1816 | \fB\-\-private-home=file,directory | 1862 | \fB\-\-private-home=file,directory |
1817 | Build a new user home in a temporary | 1863 | Build a new user home in a temporary |
@@ -1827,7 +1873,7 @@ closed. | |||
1827 | Example: | 1873 | Example: |
1828 | .br | 1874 | .br |
1829 | $ firejail \-\-private-home=.mozilla firefox | 1875 | $ firejail \-\-private-home=.mozilla firefox |
1830 | 1876 | #endif | |
1831 | .TP | 1877 | .TP |
1832 | \fB\-\-private-lib=file,directory | 1878 | \fB\-\-private-lib=file,directory |
1833 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. | 1879 | This feature is currently under heavy development. Only amd64 platforms are supported at this moment. |
@@ -1957,7 +2003,7 @@ $ firejail \-\-profile.print=browser | |||
1957 | .TP | 2003 | .TP |
1958 | \fB\-\-protocol=protocol,protocol,protocol | 2004 | \fB\-\-protocol=protocol,protocol,protocol |
1959 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. | 2005 | Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. |
1960 | Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture. | 2006 | Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture. |
1961 | .br | 2007 | .br |
1962 | 2008 | ||
1963 | .br | 2009 | .br |
@@ -1989,9 +2035,11 @@ $ firejail \-\-list | |||
1989 | $ firejail \-\-protocol.print=3272 | 2035 | $ firejail \-\-protocol.print=3272 |
1990 | .br | 2036 | .br |
1991 | unix,inet,inet6,netlink | 2037 | unix,inet,inet6,netlink |
2038 | #ifdef HAVE_FILE_TRANSFER | ||
1992 | .TP | 2039 | .TP |
1993 | \fB\-\-put=name|pid src-filename dest-filename | 2040 | \fB\-\-put=name|pid src-filename dest-filename |
1994 | Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. | 2041 | Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. |
2042 | #endif | ||
1995 | .TP | 2043 | .TP |
1996 | \fB\-\-quiet | 2044 | \fB\-\-quiet |
1997 | Turn off Firejail's output. | 2045 | Turn off Firejail's output. |
@@ -2059,7 +2107,7 @@ Remove environment variable in the new sandbox. | |||
2059 | Example: | 2107 | Example: |
2060 | .br | 2108 | .br |
2061 | $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS | 2109 | $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS |
2062 | 2110 | #ifdef HAVE_NETWORK | |
2063 | .TP | 2111 | .TP |
2064 | \fB\-\-scan | 2112 | \fB\-\-scan |
2065 | ARP-scan all the networks from inside a network namespace. | 2113 | ARP-scan all the networks from inside a network namespace. |
@@ -2070,6 +2118,7 @@ This makes it possible to detect macvlan kernel device drivers running on the cu | |||
2070 | Example: | 2118 | Example: |
2071 | .br | 2119 | .br |
2072 | $ firejail \-\-net=eth0 \-\-scan | 2120 | $ firejail \-\-net=eth0 \-\-scan |
2121 | #endif | ||
2073 | .TP | 2122 | .TP |
2074 | \fB\-\-seccomp | 2123 | \fB\-\-seccomp |
2075 | Enable seccomp filter and blacklist the syscalls in the default list, | 2124 | Enable seccomp filter and blacklist the syscalls in the default list, |
@@ -2549,11 +2598,14 @@ $ firejail \-\-tree | |||
2549 | 11904:netblue:iceweasel | 2598 | 11904:netblue:iceweasel |
2550 | .br | 2599 | .br |
2551 | 11957:netblue:/usr/lib/iceweasel/plugin-container | 2600 | 11957:netblue:/usr/lib/iceweasel/plugin-container |
2601 | #ifdef HAVE_NETWORK | ||
2552 | .br | 2602 | .br |
2553 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk | 2603 | 11969:netblue:firejail \-\-net=eth0 transmission-gtk |
2604 | #endif | ||
2554 | .br | 2605 | .br |
2555 | 11970:netblue:transmission-gtk | 2606 | 11970:netblue:transmission-gtk |
2556 | 2607 | ||
2608 | #ifdef HAVE_FIRETUNNEL | ||
2557 | .TP | 2609 | .TP |
2558 | \fB\-\-tunnel[=devname] | 2610 | \fB\-\-tunnel[=devname] |
2559 | Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options | 2611 | Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options |
@@ -2574,6 +2626,7 @@ Example: | |||
2574 | .br | 2626 | .br |
2575 | $ firejail --tunnel firefox | 2627 | $ firejail --tunnel firefox |
2576 | .br | 2628 | .br |
2629 | #endif | ||
2577 | .TP | 2630 | .TP |
2578 | \fB\-\-version | 2631 | \fB\-\-version |
2579 | Print program version/compile time support and exit. | 2632 | Print program version/compile time support and exit. |
@@ -2600,6 +2653,7 @@ Compile time support: | |||
2600 | - user namespace support is enabled | 2653 | - user namespace support is enabled |
2601 | - X11 sandboxing support is enabled | 2654 | - X11 sandboxing support is enabled |
2602 | .br | 2655 | .br |
2656 | #ifdef HAVE_NETWORK | ||
2603 | .TP | 2657 | .TP |
2604 | \fB\-\-veth-name=name | 2658 | \fB\-\-veth-name=name |
2605 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, | 2659 | Use this name for the interface connected to the bridge for --net=bridge_interface commands, |
@@ -2610,7 +2664,7 @@ instead of the default one. | |||
2610 | Example: | 2664 | Example: |
2611 | .br | 2665 | .br |
2612 | $ firejail \-\-net=br0 --veth-name=if0 | 2666 | $ firejail \-\-net=br0 --veth-name=if0 |
2613 | 2667 | #endif | |
2614 | .TP | 2668 | .TP |
2615 | \fB\-\-whitelist=dirname_or_filename | 2669 | \fB\-\-whitelist=dirname_or_filename |
2616 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | 2670 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the |
@@ -2680,7 +2734,7 @@ Example: | |||
2680 | .br | 2734 | .br |
2681 | $ sudo firejail --writable-var-log | 2735 | $ sudo firejail --writable-var-log |
2682 | 2736 | ||
2683 | 2737 | #ifdef HAVE_X11 | |
2684 | .TP | 2738 | .TP |
2685 | \fB\-\-x11 | 2739 | \fB\-\-x11 |
2686 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. | 2740 | Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. |
@@ -2841,7 +2895,8 @@ Example: | |||
2841 | .br | 2895 | .br |
2842 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox | 2896 | $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox |
2843 | .br | 2897 | .br |
2844 | 2898 | #endif | |
2899 | #ifdef HAVE_APPARMOR | ||
2845 | .SH APPARMOR | 2900 | .SH APPARMOR |
2846 | .TP | 2901 | .TP |
2847 | AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: | 2902 | AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: |
@@ -2884,6 +2939,7 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
2884 | 2939 | ||
2885 | .br | 2940 | .br |
2886 | $ firejail --apparmor firefox | 2941 | $ firejail --apparmor firefox |
2942 | #endif | ||
2887 | 2943 | ||
2888 | .SH AUDIT | 2944 | .SH AUDIT |
2889 | Audit feature allows the user to point out gaps in security profiles. The | 2945 | Audit feature allows the user to point out gaps in security profiles. The |
@@ -2903,6 +2959,10 @@ In the examples above, the sandbox configures transmission-gtk profile and | |||
2903 | starts the test program. The real program, transmission-gtk, will not be | 2959 | starts the test program. The real program, transmission-gtk, will not be |
2904 | started. | 2960 | started. |
2905 | 2961 | ||
2962 | You can also audit a specific profile without specifying a program. | ||
2963 | .br | ||
2964 | $ firejail --audit --profile=/etc/firejail/zoom.profile | ||
2965 | |||
2906 | Limitations: audit feature is not implemented for --x11 commands. | 2966 | Limitations: audit feature is not implemented for --x11 commands. |
2907 | 2967 | ||
2908 | .SH DESKTOP INTEGRATION | 2968 | .SH DESKTOP INTEGRATION |
@@ -2976,6 +3036,7 @@ Start Firefox with a new, empty home directory. | |||
2976 | .TP | 3036 | .TP |
2977 | \f\firejail --net=none vlc | 3037 | \f\firejail --net=none vlc |
2978 | Start VLC in an unconnected network namespace. | 3038 | Start VLC in an unconnected network namespace. |
3039 | #ifdef HAVE_NETWORK | ||
2979 | .TP | 3040 | .TP |
2980 | \f\firejail \-\-net=eth0 firefox | 3041 | \f\firejail \-\-net=eth0 firefox |
2981 | Start Firefox in a new network namespace. An IP address is | 3042 | Start Firefox in a new network namespace. An IP address is |
@@ -2985,6 +3046,7 @@ assigned automatically. | |||
2985 | Start a /bin/bash session in a new network namespace and connect it | 3046 | Start a /bin/bash session in a new network namespace and connect it |
2986 | to br0, br1, and br2 host bridge devices. IP addresses are assigned | 3047 | to br0, br1, and br2 host bridge devices. IP addresses are assigned |
2987 | automatically for the interfaces connected to br1 and b2 | 3048 | automatically for the interfaces connected to br1 and b2 |
3049 | #endif | ||
2988 | .TP | 3050 | .TP |
2989 | \f\firejail \-\-list | 3051 | \f\firejail \-\-list |
2990 | List all sandboxed processes. | 3052 | List all sandboxed processes. |
@@ -3030,6 +3092,7 @@ $ firejail --blacklist=~/dir[1234] | |||
3030 | $ firejail --read-only=~/dir[1-4] | 3092 | $ firejail --read-only=~/dir[1-4] |
3031 | .br | 3093 | .br |
3032 | 3094 | ||
3095 | #ifdef HAVE_FILE_TRANSFER | ||
3033 | .SH FILE TRANSFER | 3096 | .SH FILE TRANSFER |
3034 | These features allow the user to inspect the filesystem container of an existing sandbox | 3097 | These features allow the user to inspect the filesystem container of an existing sandbox |
3035 | and transfer files between the container and the host filesystem. | 3098 | and transfer files between the container and the host filesystem. |
@@ -3087,7 +3150,7 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | |||
3087 | .br | 3150 | .br |
3088 | $ firejail \-\-cat=mybrowser ~/.bashrc | 3151 | $ firejail \-\-cat=mybrowser ~/.bashrc |
3089 | .br | 3152 | .br |
3090 | 3153 | #endif | |
3091 | .SH MONITORING | 3154 | .SH MONITORING |
3092 | Option \-\-list prints a list of all sandboxes. The format | 3155 | Option \-\-list prints a list of all sandboxes. The format |
3093 | for each process entry is as follows: | 3156 | for each process entry is as follows: |
@@ -3104,7 +3167,6 @@ sandboxes. | |||
3104 | 3167 | ||
3105 | Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces. | 3168 | Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces. |
3106 | 3169 | ||
3107 | |||
3108 | Listed below are the available fields (columns) in alphabetical | 3170 | Listed below are the available fields (columns) in alphabetical |
3109 | order for \-\-top and \-\-netstats options: | 3171 | order for \-\-top and \-\-netstats options: |
3110 | 3172 | ||
@@ -3222,7 +3284,7 @@ Child process initialized | |||
3222 | .RE | 3284 | .RE |
3223 | 3285 | ||
3224 | See \fBman 5 firejail-profile\fR for profile file syntax information. | 3286 | See \fBman 5 firejail-profile\fR for profile file syntax information. |
3225 | 3287 | #ifdef HAVE_NETWORK | |
3226 | .SH TRAFFIC SHAPING | 3288 | .SH TRAFFIC SHAPING |
3227 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. | 3289 | Network bandwidth is an expensive resource shared among all sandboxes running on a system. |
3228 | Traffic shaping allows the user to increase network performance by controlling | 3290 | Traffic shaping allows the user to increase network performance by controlling |
@@ -3264,7 +3326,7 @@ Example: | |||
3264 | $ firejail \-\-bandwidth=mybrowser status | 3326 | $ firejail \-\-bandwidth=mybrowser status |
3265 | .br | 3327 | .br |
3266 | $ firejail \-\-bandwidth=mybrowser clear eth0 | 3328 | $ firejail \-\-bandwidth=mybrowser clear eth0 |
3267 | 3329 | #endif | |
3268 | .SH LICENSE | 3330 | .SH LICENSE |
3269 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. | 3331 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
3270 | .PP | 3332 | .PP |
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 40a00ec3f..cea6c0265 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -12,9 +12,11 @@ can run this program. | |||
12 | .TP | 12 | .TP |
13 | \fB\-\-apparmor | 13 | \fB\-\-apparmor |
14 | Print AppArmor confinement status for each sandbox. | 14 | Print AppArmor confinement status for each sandbox. |
15 | #ifdef HAVE_NETWORK | ||
15 | .TP | 16 | .TP |
16 | \fB\-\-arp | 17 | \fB\-\-arp |
17 | Print ARP table for each sandbox. | 18 | Print ARP table for each sandbox. |
19 | #endif | ||
18 | .TP | 20 | .TP |
19 | \fB\-\-caps | 21 | \fB\-\-caps |
20 | Print capabilities configuration for each sandbox. | 22 | Print capabilities configuration for each sandbox. |
@@ -39,15 +41,16 @@ List all sandboxes. | |||
39 | .TP | 41 | .TP |
40 | \fB\-\-name=name | 42 | \fB\-\-name=name |
41 | Print information only about named sandbox. | 43 | Print information only about named sandbox. |
44 | #ifdef HAVE_NETWORK | ||
42 | .TP | 45 | .TP |
43 | \fB\-\-netstats | 46 | \fB\-\-netstats |
44 | Monitor network statistics for sandboxes creating a new network namespace. | 47 | Monitor network statistics for sandboxes creating a new network namespace. |
45 | .TP | 48 | #endif |
46 | \fB\-\-nowrap | 49 | #ifdef HAVE_NETWORK |
47 | Enable line wrapping in terminals. By default the lines are trimmed. | ||
48 | .TP | 50 | .TP |
49 | \fB\-\-route | 51 | \fB\-\-route |
50 | Print route table for each sandbox. | 52 | Print route table for each sandbox. |
53 | #endif | ||
51 | .TP | 54 | .TP |
52 | \fB\-\-seccomp | 55 | \fB\-\-seccomp |
53 | Print seccomp configuration for each sandbox. | 56 | Print seccomp configuration for each sandbox. |
@@ -61,7 +64,9 @@ Print a tree of all sandboxed processes. | |||
61 | .TP | 64 | .TP |
62 | \fB\-\-version | 65 | \fB\-\-version |
63 | Print program version and exit. | 66 | Print program version and exit. |
64 | 67 | .TP | |
68 | \fB\-\-wrap | ||
69 | Enable line wrapping in terminals. By default the lines are trimmed. | ||
65 | .TP | 70 | .TP |
66 | \fB\-\-x11 | 71 | \fB\-\-x11 |
67 | Print X11 display number. | 72 | Print X11 display number. |
diff --git a/src/man/preproc.awk b/src/man/preproc.awk new file mode 100755 index 000000000..20081b551 --- /dev/null +++ b/src/man/preproc.awk | |||
@@ -0,0 +1,55 @@ | |||
1 | #!/usr/bin/gawk -E | ||
2 | |||
3 | # Copyright (c) 2019,2020 rusty-snake | ||
4 | # | ||
5 | # Permission is hereby granted, free of charge, to any person obtaining a copy | ||
6 | # of this software and associated documentation files (the "Software"), to deal | ||
7 | # in the Software without restriction, including without limitation the rights | ||
8 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
9 | # copies of the Software, and to permit persons to whom the Software is | ||
10 | # furnished to do so, subject to the following conditions: | ||
11 | # | ||
12 | # The above copyright notice and this permission notice shall be included in all | ||
13 | # copies or substantial portions of the Software. | ||
14 | # | ||
15 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
16 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
17 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
18 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
19 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
20 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
21 | # SOFTWARE. | ||
22 | |||
23 | BEGIN { | ||
24 | macros[0] = 0 | ||
25 | for (arg in ARGV) { | ||
26 | if (ARGV[arg] ~ /^-D[A-Z_]+$/) { | ||
27 | macros[length(macros) + 1] = substr(ARGV[arg], 3) | ||
28 | } | ||
29 | ARGV[arg] = "" | ||
30 | } | ||
31 | |||
32 | include = 1 | ||
33 | } | ||
34 | /^#ifdef [A-Z_]+$/ { | ||
35 | macro = substr($0, 8) | ||
36 | for (i in macros) { | ||
37 | if (macros[i] == macro) { | ||
38 | include = 1 | ||
39 | next | ||
40 | } | ||
41 | } | ||
42 | include = 0 | ||
43 | } | ||
44 | /^#if 0$/ { | ||
45 | include = 0 | ||
46 | next | ||
47 | } | ||
48 | /^#endif$/ { | ||
49 | include = 1 | ||
50 | next | ||
51 | } | ||
52 | { | ||
53 | if (include) | ||
54 | |||
55 | } | ||
diff --git a/src/profstats/main.c b/src/profstats/main.c index a75ad8e29..4c1221464 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -28,6 +28,8 @@ static int cnt_profiles = 0; | |||
28 | static int cnt_apparmor = 0; | 28 | static int cnt_apparmor = 0; |
29 | static int cnt_seccomp = 0; | 29 | static int cnt_seccomp = 0; |
30 | static int cnt_caps = 0; | 30 | static int cnt_caps = 0; |
31 | static int cnt_dbus_system_none = 0; | ||
32 | static int cnt_dbus_user_none = 0; | ||
31 | static int cnt_dotlocal = 0; | 33 | static int cnt_dotlocal = 0; |
32 | static int cnt_globalsdotlocal = 0; | 34 | static int cnt_globalsdotlocal = 0; |
33 | static int cnt_netnone = 0; | 35 | static int cnt_netnone = 0; |
@@ -41,6 +43,7 @@ static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc | |||
41 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc | 43 | static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc |
42 | static int cnt_ssh = 0; | 44 | static int cnt_ssh = 0; |
43 | static int cnt_mdwx = 0; | 45 | static int cnt_mdwx = 0; |
46 | static int cnt_whitelisthome = 0; | ||
44 | 47 | ||
45 | static int level = 0; | 48 | static int level = 0; |
46 | static int arg_debug = 0; | 49 | static int arg_debug = 0; |
@@ -57,6 +60,10 @@ static int arg_whitelistrunuser = 0; | |||
57 | static int arg_whitelistusrshare = 0; | 60 | static int arg_whitelistusrshare = 0; |
58 | static int arg_ssh = 0; | 61 | static int arg_ssh = 0; |
59 | static int arg_mdwx = 0; | 62 | static int arg_mdwx = 0; |
63 | static int arg_dbus_system_none = 0; | ||
64 | static int arg_dbus_user_none = 0; | ||
65 | static int arg_whitelisthome = 0; | ||
66 | |||
60 | 67 | ||
61 | static char *profile = NULL; | 68 | static char *profile = NULL; |
62 | 69 | ||
@@ -67,6 +74,8 @@ static void usage(void) { | |||
67 | printf("Options:\n"); | 74 | printf("Options:\n"); |
68 | printf(" --apparmor - print profiles without apparmor\n"); | 75 | printf(" --apparmor - print profiles without apparmor\n"); |
69 | printf(" --caps - print profiles without caps\n"); | 76 | printf(" --caps - print profiles without caps\n"); |
77 | printf(" --dbus-system-none - profiles without \"dbus-system none\"\n"); | ||
78 | printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); | ||
70 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); | 79 | printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); |
71 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); | 80 | printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); |
72 | printf(" --private-bin - print profiles without private-bin\n"); | 81 | printf(" --private-bin - print profiles without private-bin\n"); |
@@ -75,6 +84,7 @@ static void usage(void) { | |||
75 | printf(" --private-tmp - print profiles without private-tmp\n"); | 84 | printf(" --private-tmp - print profiles without private-tmp\n"); |
76 | printf(" --seccomp - print profiles without seccomp\n"); | 85 | printf(" --seccomp - print profiles without seccomp\n"); |
77 | printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); | 86 | printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); |
87 | printf(" --whitelist-home - print profiles whitelisting home directory\n"); | ||
78 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); | 88 | printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); |
79 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); | 89 | printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); |
80 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); | 90 | printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); |
@@ -120,6 +130,8 @@ void process_file(const char *fname) { | |||
120 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || | 130 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || |
121 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) | 131 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) |
122 | cnt_whitelistrunuser++; | 132 | cnt_whitelistrunuser++; |
133 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) | ||
134 | cnt_whitelisthome++; | ||
123 | else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0) | 135 | else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0) |
124 | cnt_whitelistusrshare++; | 136 | cnt_whitelistusrshare++; |
125 | else if (strncmp(ptr, "include disable-common.inc", 26) == 0) | 137 | else if (strncmp(ptr, "include disable-common.inc", 26) == 0) |
@@ -138,6 +150,10 @@ void process_file(const char *fname) { | |||
138 | cnt_privatetmp++; | 150 | cnt_privatetmp++; |
139 | else if (strncmp(ptr, "private-etc", 11) == 0) | 151 | else if (strncmp(ptr, "private-etc", 11) == 0) |
140 | cnt_privateetc++; | 152 | cnt_privateetc++; |
153 | else if (strncmp(ptr, "dbus-system none", 16) == 0) | ||
154 | cnt_dbus_system_none++; | ||
155 | else if (strncmp(ptr, "dbus-user none", 14) == 0) | ||
156 | cnt_dbus_user_none++; | ||
141 | else if (strncmp(ptr, "include ", 8) == 0) { | 157 | else if (strncmp(ptr, "include ", 8) == 0) { |
142 | // not processing .local files | 158 | // not processing .local files |
143 | if (strstr(ptr, ".local")) { | 159 | if (strstr(ptr, ".local")) { |
@@ -148,6 +164,11 @@ void process_file(const char *fname) { | |||
148 | cnt_dotlocal++; | 164 | cnt_dotlocal++; |
149 | continue; | 165 | continue; |
150 | } | 166 | } |
167 | // clean blanks | ||
168 | char *ptr = buf + 8; | ||
169 | while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t') | ||
170 | ptr++; | ||
171 | *ptr = '\0'; | ||
151 | process_file(buf + 8); | 172 | process_file(buf + 8); |
152 | } | 173 | } |
153 | } | 174 | } |
@@ -189,6 +210,8 @@ int main(int argc, char **argv) { | |||
189 | arg_privatetmp = 1; | 210 | arg_privatetmp = 1; |
190 | else if (strcmp(argv[i], "--private-etc") == 0) | 211 | else if (strcmp(argv[i], "--private-etc") == 0) |
191 | arg_privateetc = 1; | 212 | arg_privateetc = 1; |
213 | else if (strcmp(argv[i], "--whitelist-home") == 0) | ||
214 | arg_whitelisthome = 1; | ||
192 | else if (strcmp(argv[i], "--whitelist-var") == 0) | 215 | else if (strcmp(argv[i], "--whitelist-var") == 0) |
193 | arg_whitelistvar = 1; | 216 | arg_whitelistvar = 1; |
194 | else if (strcmp(argv[i], "--whitelist-runuser") == 0) | 217 | else if (strcmp(argv[i], "--whitelist-runuser") == 0) |
@@ -197,6 +220,10 @@ int main(int argc, char **argv) { | |||
197 | arg_whitelistusrshare = 1; | 220 | arg_whitelistusrshare = 1; |
198 | else if (strcmp(argv[i], "--ssh") == 0) | 221 | else if (strcmp(argv[i], "--ssh") == 0) |
199 | arg_ssh = 1; | 222 | arg_ssh = 1; |
223 | else if (strcmp(argv[i], "--dbus-system-none") == 0) | ||
224 | arg_dbus_system_none = 1; | ||
225 | else if (strcmp(argv[i], "--dbus-user-none") == 0) | ||
226 | arg_dbus_user_none = 1; | ||
200 | else if (*argv[i] == '-') { | 227 | else if (*argv[i] == '-') { |
201 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); | 228 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); |
202 | return 1; | 229 | return 1; |
@@ -225,9 +252,12 @@ int main(int argc, char **argv) { | |||
225 | int privateetc = cnt_privateetc; | 252 | int privateetc = cnt_privateetc; |
226 | int dotlocal = cnt_dotlocal; | 253 | int dotlocal = cnt_dotlocal; |
227 | int globalsdotlocal = cnt_globalsdotlocal; | 254 | int globalsdotlocal = cnt_globalsdotlocal; |
255 | int whitelisthome = cnt_whitelisthome; | ||
228 | int whitelistvar = cnt_whitelistvar; | 256 | int whitelistvar = cnt_whitelistvar; |
229 | int whitelistrunuser = cnt_whitelistrunuser; | 257 | int whitelistrunuser = cnt_whitelistrunuser; |
230 | int whitelistusrshare = cnt_whitelistusrshare; | 258 | int whitelistusrshare = cnt_whitelistusrshare; |
259 | int dbussystemnone = cnt_dbus_system_none; | ||
260 | int dbususernone = cnt_dbus_user_none; | ||
231 | int ssh = cnt_ssh; | 261 | int ssh = cnt_ssh; |
232 | int mdwx = cnt_mdwx; | 262 | int mdwx = cnt_mdwx; |
233 | 263 | ||
@@ -249,6 +279,10 @@ int main(int argc, char **argv) { | |||
249 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) | 279 | if (cnt_whitelistrunuser > (whitelistrunuser + 1)) |
250 | cnt_whitelistrunuser = whitelistrunuser + 1; | 280 | cnt_whitelistrunuser = whitelistrunuser + 1; |
251 | 281 | ||
282 | if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) | ||
283 | printf("No dbus-system none found in %s\n", argv[i]); | ||
284 | if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none) | ||
285 | printf("No dbus-user none found in %s\n", argv[i]); | ||
252 | if (arg_apparmor && apparmor == cnt_apparmor) | 286 | if (arg_apparmor && apparmor == cnt_apparmor) |
253 | printf("No apparmor found in %s\n", argv[i]); | 287 | printf("No apparmor found in %s\n", argv[i]); |
254 | if (arg_caps && caps == cnt_caps) | 288 | if (arg_caps && caps == cnt_caps) |
@@ -265,6 +299,8 @@ int main(int argc, char **argv) { | |||
265 | printf("No private-tmp found in %s\n", argv[i]); | 299 | printf("No private-tmp found in %s\n", argv[i]); |
266 | if (arg_privateetc && privateetc == cnt_privateetc) | 300 | if (arg_privateetc && privateetc == cnt_privateetc) |
267 | printf("No private-etc found in %s\n", argv[i]); | 301 | printf("No private-etc found in %s\n", argv[i]); |
302 | if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) | ||
303 | printf("Home directory not whitelisted in %s\n", argv[i]); | ||
268 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) | 304 | if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) |
269 | printf("No include whitelist-var-common.inc found in %s\n", argv[i]); | 305 | printf("No include whitelist-var-common.inc found in %s\n", argv[i]); |
270 | if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser) | 306 | if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser) |
@@ -294,11 +330,14 @@ int main(int argc, char **argv) { | |||
294 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); | 330 | printf(" private-dev\t\t\t%d\n", cnt_privatedev); |
295 | printf(" private-etc\t\t\t%d\n", cnt_privateetc); | 331 | printf(" private-etc\t\t\t%d\n", cnt_privateetc); |
296 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); | 332 | printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); |
333 | printf(" whitelist home directory\t%d\n", cnt_whitelisthome); | ||
297 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); | 334 | printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); |
298 | printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser); | 335 | printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser); |
299 | printf("\t\t\t\t\tor blacklist ${RUNUSER})\n"); | 336 | printf("\t\t\t\t\tor blacklist ${RUNUSER})\n"); |
300 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); | 337 | printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); |
301 | printf(" net none\t\t\t%d\n", cnt_netnone); | 338 | printf(" net none\t\t\t%d\n", cnt_netnone); |
339 | printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); | ||
340 | printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); | ||
302 | printf("\n"); | 341 | printf("\n"); |
303 | return 0; | 342 | return 0; |
304 | } | 343 | } |
diff --git a/test/Makefile.in b/test/Makefile.in new file mode 100644 index 000000000..ef1ca73bc --- /dev/null +++ b/test/Makefile.in | |||
@@ -0,0 +1,10 @@ | |||
1 | TESTS=$(patsubst %/,%,$(wildcard */)) | ||
2 | |||
3 | .PHONY: $(TESTS) | ||
4 | |||
5 | $(TESTS): | ||
6 | cd $@ && ./$@.sh 2>&1 | tee $@.log | ||
7 | cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log | ||
8 | |||
9 | clean: | ||
10 | for test in $(TESTS); do rm -f "$$test/$$test.log"; done | ||
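Review bot: The pass/fail decision on line 7 rests on the exit status of `grep -a -L "TESTING ERROR" $@.log`, and GNU grep has changed what `-L` returns across releases (3.2 through 3.4 succeeded when a file was listed, 3.5 reverted to the older behaviour), so the same log can make the target pass on one distribution and fail on another. A version-independent form is `cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log`. Note also that the `tee` pipe on line 6 discards the test script's own exit status, so the log grep is the only signal; a comment above the rule, `# a test passes when its log has at least one TESTING line and no TESTING ERROR line`, would make that intent explicit.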
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index 03c7218ac..cee01d509 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp | |||
@@ -56,7 +56,7 @@ expect { | |||
56 | sleep 2 | 56 | sleep 2 |
57 | 57 | ||
58 | spawn $env(SHELL) | 58 | spawn $env(SHELL) |
59 | send -- "firemon --seccomp --nowrap\r" | 59 | send -- "firemon --seccomp --wrap\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 8\n";exit} | 61 | timeout {puts "TESTING ERROR 8\n";exit} |
62 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 62 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -71,7 +71,7 @@ expect { | |||
71 | "name=blablabla" | 71 | "name=blablabla" |
72 | } | 72 | } |
73 | after 100 | 73 | after 100 |
74 | send -- "firemon --caps --nowrap\r" | 74 | send -- "firemon --caps --wrap\r" |
75 | expect { | 75 | expect { |
76 | timeout {puts "TESTING ERROR 11\n";exit} | 76 | timeout {puts "TESTING ERROR 11\n";exit} |
77 | "appimage Leafpad" | 77 | "appimage Leafpad" |
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 7b6fa2120..80e228145 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -44,7 +44,7 @@ expect { | |||
44 | sleep 2 | 44 | sleep 2 |
45 | 45 | ||
46 | spawn $env(SHELL) | 46 | spawn $env(SHELL) |
47 | send -- "firemon --seccomp --nowrap\r" | 47 | send -- "firemon --seccomp --wrap\r" |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 5\n";exit} | 49 | timeout {puts "TESTING ERROR 5\n";exit} |
50 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 50 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -59,7 +59,7 @@ expect { | |||
59 | "name=blablabla" | 59 | "name=blablabla" |
60 | } | 60 | } |
61 | after 100 | 61 | after 100 |
62 | send -- "firemon --caps --nowrap\r" | 62 | send -- "firemon --caps --wrap\r" |
63 | expect { | 63 | expect { |
64 | timeout {puts "TESTING ERROR 6\n";exit} | 64 | timeout {puts "TESTING ERROR 6\n";exit} |
65 | "appimage Leafpad" | 65 | "appimage Leafpad" |
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index 843fdc50b..568dee85d 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh | |||
@@ -25,6 +25,15 @@ else | |||
25 | echo "TESTING SKIP: transmission-gtk not found" | 25 | echo "TESTING SKIP: transmission-gtk not found" |
26 | fi | 26 | fi |
27 | 27 | ||
28 | which transmission-qt 2>/dev/null | ||
29 | if [ "$?" -eq 0 ]; | ||
30 | then | ||
31 | echo "TESTING: transmission-qt x11 xorg" | ||
32 | ./transmission-qt.exp | ||
33 | else | ||
34 | echo "TESTING SKIP: transmission-qt not found" | ||
35 | fi | ||
36 | |||
28 | which thunderbird 2>/dev/null | 37 | which thunderbird 2>/dev/null |
29 | if [ "$?" -eq 0 ]; | 38 | if [ "$?" -eq 0 ]; |
30 | then | 39 | then |
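Review bot: The new stanza on lines 28-35 copies the existing `which … 2>/dev/null` followed by `if [ "$?" -eq 0 ]` idiom, which prints the resolved path into the test log and depends on a non-POSIX `which`; the shell conditional is simpler and quieter: `if command -v transmission-qt >/dev/null 2>&1; then`. The result of `./transmission-qt.exp` is not checked here either, so the run presumably relies on the caller grepping the log for `TESTING ERROR` lines rather than on exit codes.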
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 0a43db568..8322e2d0e 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp | |||
@@ -41,7 +41,7 @@ expect { | |||
41 | sleep 2 | 41 | sleep 2 |
42 | 42 | ||
43 | spawn $env(SHELL) | 43 | spawn $env(SHELL) |
44 | send -- "firemon --seccomp --nowrap\r" | 44 | send -- "firemon --seccomp --wrap\r" |
45 | expect { | 45 | expect { |
46 | timeout {puts "TESTING ERROR 5\n";exit} | 46 | timeout {puts "TESTING ERROR 5\n";exit} |
47 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 47 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -61,7 +61,7 @@ expect { | |||
61 | "name=blablabla" | 61 | "name=blablabla" |
62 | } | 62 | } |
63 | sleep 1 | 63 | sleep 1 |
64 | send -- "firemon --caps --nowrap\r" | 64 | send -- "firemon --caps --wrap\r" |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 6\n";exit} | 66 | timeout {puts "TESTING ERROR 6\n";exit} |
67 | " firefox" {puts "firefox detected\n";} | 67 | " firefox" {puts "firefox detected\n";} |
diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp index 8cf0ac244..24549e6c8 100755 --- a/test/apps-x11-xorg/thunderbird.exp +++ b/test/apps-x11-xorg/thunderbird.exp | |||
@@ -38,7 +38,7 @@ expect { | |||
38 | sleep 2 | 38 | sleep 2 |
39 | 39 | ||
40 | spawn $env(SHELL) | 40 | spawn $env(SHELL) |
41 | send -- "firemon --seccomp --nowrap\r" | 41 | send -- "firemon --seccomp --wrap\r" |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 5\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
44 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 44 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -57,7 +57,7 @@ expect { | |||
57 | "name=blablabla" | 57 | "name=blablabla" |
58 | } | 58 | } |
59 | sleep 2 | 59 | sleep 2 |
60 | send -- "firemon --caps --nowrap\r" | 60 | send -- "firemon --caps --wrap\r" |
61 | expect { | 61 | expect { |
62 | timeout {puts "TESTING ERROR 6\n";exit} | 62 | timeout {puts "TESTING ERROR 6\n";exit} |
63 | ":firejail" | 63 | ":firejail" |
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index fdbf388e9..b688bc619 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp | |||
@@ -38,7 +38,7 @@ expect { | |||
38 | sleep 2 | 38 | sleep 2 |
39 | 39 | ||
40 | spawn $env(SHELL) | 40 | spawn $env(SHELL) |
41 | send -- "firemon --seccomp --nowrap\r" | 41 | send -- "firemon --seccomp --wrap\r" |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 5\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
44 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | 44 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} |
@@ -57,7 +57,7 @@ expect { | |||
57 | "name=blablabla" | 57 | "name=blablabla" |
58 | } | 58 | } |
59 | sleep 1 | 59 | sleep 1 |
60 | send -- "firemon --caps --nowrap\r" | 60 | send -- "firemon --caps --wrap\r" |
61 | expect { | 61 | expect { |
62 | timeout {puts "TESTING ERROR 6\n";exit} | 62 | timeout {puts "TESTING ERROR 6\n";exit} |
63 | ":firejail" | 63 | ":firejail" |
diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp new file mode 100755 index 000000000..5864bb845 --- /dev/null +++ b/test/apps-x11-xorg/transmission-qt.exp | |||
@@ -0,0 +1,85 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2020 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-qt\r" | ||
11 | sleep 10 | ||
12 | |||
13 | spawn $env(SHELL) | ||
14 | send -- "firejail --list\r" | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 3\n";exit} | ||
17 | ":firejail" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
21 | "transmission-qt" | ||
22 | } | ||
23 | sleep 1 | ||
24 | |||
25 | # grsecurity exit | ||
26 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
29 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
30 | "cannot open" {puts "grsecurity not present\n"} | ||
31 | } | ||
32 | |||
33 | send -- "firejail --name=blablabla\r" | ||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 4\n";exit} | ||
36 | "Child process initialized" | ||
37 | } | ||
38 | sleep 2 | ||
39 | |||
40 | spawn $env(SHELL) | ||
41 | send -- "firemon --seccomp --wrap\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 5\n";exit} | ||
44 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | ||
45 | ":firejail" | ||
46 | } | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
49 | "transmission-qt" | ||
50 | } | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
53 | "Seccomp: 2" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
57 | "name=blablabla" | ||
58 | } | ||
59 | sleep 1 | ||
60 | send -- "firemon --caps --wrap\r" | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 6\n";exit} | ||
63 | ":firejail" | ||
64 | } | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
67 | "transmission-qt" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
71 | "CapBnd" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
75 | "0000000000000000" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
79 | "name=blablabla" | ||
80 | } | ||
81 | sleep 1 | ||
82 | send -- "firejail --shutdown=test\r" | ||
83 | sleep 3 | ||
84 | |||
85 | puts "\nall done\n" | ||
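Review bot: Every failure branch in the new file (`timeout {puts "TESTING ERROR 5\n";exit}` on line 43 and its siblings) exits with status 0 and skips the `firejail --shutdown=test` on line 82, so a failed run leaves the `test` sandbox and its transmission-qt process behind for the following tests, and, if firejail refuses a duplicate `--name`, for the next run of this script as well. Factoring the cleanup into a helper such as `proc fail {msg} { puts "TESTING ERROR $msg\n"; exec firejail --shutdown=test; exit 1 }` and calling it from each timeout branch would make failures both clean and visible to the caller. The `CapBnd` check on lines 69-76 matches the first `0000000000000000` after the label, which is what a fully dropped bounding set looks like, but a comment saying so (`# all capabilities dropped: CapBnd mask is zero`) would help the next reader, as would one explaining that the `--ignore=net --ignore=netfilter --ignore=iprange` flags on line 10 are presumably there to run the profile without a network namespace on CI.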
diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 2f9e0ece6..91fcfb85d 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh | |||
@@ -4,7 +4,7 @@ | |||
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | arr[1]="TEST 1: standard compilation" | 6 | arr[1]="TEST 1: standard compilation" |
7 | arr[2]="TEST 2: compile seccomp disabled" | 7 | arr[2]="TEST 2: compile dbus proxy disabled" |
8 | arr[3]="TEST 3: compile chroot disabled" | 8 | arr[3]="TEST 3: compile chroot disabled" |
9 | arr[4]="TEST 4: compile firetunnel disabled" | 9 | arr[4]="TEST 4: compile firetunnel disabled" |
10 | arr[5]="TEST 5: compile user namespace disabled" | 10 | arr[5]="TEST 5: compile user namespace disabled" |
@@ -17,13 +17,16 @@ arr[11]="TEST 11: compile disable global config" | |||
17 | arr[12]="TEST 12: compile apparmor" | 17 | arr[12]="TEST 12: compile apparmor" |
18 | arr[13]="TEST 13: compile busybox" | 18 | arr[13]="TEST 13: compile busybox" |
19 | arr[14]="TEST 14: compile overlayfs disabled" | 19 | arr[14]="TEST 14: compile overlayfs disabled" |
20 | arr[14]="TEST 15: compile private-home disabled" | 20 | arr[15]="TEST 15: compile private-home disabled" |
21 | arr[15]="TEST 16: compile disable manpages" | ||
21 | 22 | ||
22 | # remove previous reports and output file | 23 | # remove previous reports and output file |
23 | cleanup() { | 24 | cleanup() { |
24 | rm -f report* | 25 | rm -f report* |
25 | rm -fr firejail | 26 | rm -fr firejail |
26 | rm -f oc* om* | 27 | rm -f oc* om* |
28 | rm -f output-configure | ||
29 | rm -f output-make | ||
27 | } | 30 | } |
28 | 31 | ||
29 | print_title() { | 32 | print_title() { |
@@ -77,13 +80,12 @@ rm output-configure output-make | |||
77 | #***************************************************************** | 80 | #***************************************************************** |
78 | # TEST 2 | 81 | # TEST 2 |
79 | #***************************************************************** | 82 | #***************************************************************** |
80 | # - disable seccomp configuration | 83 | # - disable dbus proxy configuration |
81 | #***************************************************************** | 84 | #***************************************************************** |
82 | print_title "${arr[2]}" | 85 | print_title "${arr[2]}" |
83 | # seccomp | ||
84 | cd firejail | 86 | cd firejail |
85 | make distclean | 87 | make distclean |
86 | ./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure | 88 | ./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure |
87 | make -j4 2>&1 | tee ../output-make | 89 | make -j4 2>&1 | tee ../output-make |
88 | cd .. | 90 | cd .. |
89 | grep Warning output-configure output-make > ./report-test2 | 91 | grep Warning output-configure output-make > ./report-test2 |
@@ -98,7 +100,6 @@ rm output-configure output-make | |||
98 | # - disable chroot configuration | 100 | # - disable chroot configuration |
99 | #***************************************************************** | 101 | #***************************************************************** |
100 | print_title "${arr[3]}" | 102 | print_title "${arr[3]}" |
101 | # seccomp | ||
102 | cd firejail | 103 | cd firejail |
103 | make distclean | 104 | make distclean |
104 | ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure | 105 | ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -116,7 +117,6 @@ rm output-configure output-make | |||
116 | # - disable firetunnel configuration | 117 | # - disable firetunnel configuration |
117 | #***************************************************************** | 118 | #***************************************************************** |
118 | print_title "${arr[4]}" | 119 | print_title "${arr[4]}" |
119 | # seccomp | ||
120 | cd firejail | 120 | cd firejail |
121 | make distclean | 121 | make distclean |
122 | ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure | 122 | ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -134,7 +134,6 @@ rm output-configure output-make | |||
134 | # - disable user namespace configuration | 134 | # - disable user namespace configuration |
135 | #***************************************************************** | 135 | #***************************************************************** |
136 | print_title "${arr[5]}" | 136 | print_title "${arr[5]}" |
137 | # seccomp | ||
138 | cd firejail | 137 | cd firejail |
139 | make distclean | 138 | make distclean |
140 | ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure | 139 | ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -153,7 +152,6 @@ rm output-configure output-make | |||
153 | # - check compilation | 152 | # - check compilation |
154 | #***************************************************************** | 153 | #***************************************************************** |
155 | print_title "${arr[6]}" | 154 | print_title "${arr[6]}" |
156 | # seccomp | ||
157 | cd firejail | 155 | cd firejail |
158 | make distclean | 156 | make distclean |
159 | ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure | 157 | ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -171,7 +169,6 @@ rm output-configure output-make | |||
171 | # - disable X11 support | 169 | # - disable X11 support |
172 | #***************************************************************** | 170 | #***************************************************************** |
173 | print_title "${arr[7]}" | 171 | print_title "${arr[7]}" |
174 | # seccomp | ||
175 | cd firejail | 172 | cd firejail |
176 | make distclean | 173 | make distclean |
177 | ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure | 174 | ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -189,7 +186,6 @@ rm output-configure output-make | |||
189 | # - enable selinux | 186 | # - enable selinux |
190 | #***************************************************************** | 187 | #***************************************************************** |
191 | print_title "${arr[8]}" | 188 | print_title "${arr[8]}" |
192 | # seccomp | ||
193 | cd firejail | 189 | cd firejail |
194 | make distclean | 190 | make distclean |
195 | ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure | 191 | ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -207,7 +203,6 @@ rm output-configure output-make | |||
207 | # - disable file transfer | 203 | # - disable file transfer |
208 | #***************************************************************** | 204 | #***************************************************************** |
209 | print_title "${arr[9]}" | 205 | print_title "${arr[9]}" |
210 | # seccomp | ||
211 | cd firejail | 206 | cd firejail |
212 | make distclean | 207 | make distclean |
213 | ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure | 208 | ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -225,7 +220,6 @@ rm output-configure output-make | |||
225 | # - disable whitelist | 220 | # - disable whitelist |
226 | #***************************************************************** | 221 | #***************************************************************** |
227 | print_title "${arr[10]}" | 222 | print_title "${arr[10]}" |
228 | # seccomp | ||
229 | cd firejail | 223 | cd firejail |
230 | make distclean | 224 | make distclean |
231 | ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure | 225 | ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -243,7 +237,6 @@ rm output-configure output-make | |||
243 | # - disable global config | 237 | # - disable global config |
244 | #***************************************************************** | 238 | #***************************************************************** |
245 | print_title "${arr[11]}" | 239 | print_title "${arr[11]}" |
246 | # seccomp | ||
247 | cd firejail | 240 | cd firejail |
248 | make distclean | 241 | make distclean |
249 | ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure | 242 | ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -261,7 +254,6 @@ rm output-configure output-make | |||
261 | # - enable apparmor | 254 | # - enable apparmor |
262 | #***************************************************************** | 255 | #***************************************************************** |
263 | print_title "${arr[12]}" | 256 | print_title "${arr[12]}" |
264 | # seccomp | ||
265 | cd firejail | 257 | cd firejail |
266 | make distclean | 258 | make distclean |
267 | ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure | 259 | ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -279,7 +271,6 @@ rm output-configure output-make | |||
279 | # - enable busybox workaround | 271 | # - enable busybox workaround |
280 | #***************************************************************** | 272 | #***************************************************************** |
281 | print_title "${arr[13]}" | 273 | print_title "${arr[13]}" |
282 | # seccomp | ||
283 | cd firejail | 274 | cd firejail |
284 | make distclean | 275 | make distclean |
285 | ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure | 276 | ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -297,7 +288,6 @@ rm output-configure output-make | |||
297 | # - disable overlayfs | 288 | # - disable overlayfs |
298 | #***************************************************************** | 289 | #***************************************************************** |
299 | print_title "${arr[14]}" | 290 | print_title "${arr[14]}" |
300 | # seccomp | ||
301 | cd firejail | 291 | cd firejail |
302 | make distclean | 292 | make distclean |
303 | ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure | 293 | ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -315,7 +305,6 @@ rm output-configure output-make | |||
315 | # - disable private home | 305 | # - disable private home |
316 | #***************************************************************** | 306 | #***************************************************************** |
317 | print_title "${arr[15]}" | 307 | print_title "${arr[15]}" |
318 | # seccomp | ||
319 | cd firejail | 308 | cd firejail |
320 | make distclean | 309 | make distclean |
321 | ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure | 310 | ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure |
@@ -328,6 +317,23 @@ cp output-make om15 | |||
328 | rm output-configure output-make | 317 | rm output-configure output-make |
329 | 318 | ||
330 | #***************************************************************** | 319 | #***************************************************************** |
320 | # TEST 16 | ||
321 | #***************************************************************** | ||
322 | # - disable manpages | ||
323 | #***************************************************************** | ||
324 | print_title "${arr[16]}" | ||
325 | cd firejail | ||
326 | make distclean | ||
327 | ./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure | ||
328 | make -j4 2>&1 | tee ../output-make | ||
329 | cd .. | ||
330 | grep Warning output-configure output-make > ./report-test16 | ||
331 | grep Error output-configure output-make >> ./report-test16 | ||
332 | cp output-configure oc16 | ||
333 | cp output-make om16 | ||
334 | rm output-configure output-make | ||
335 | |||
336 | #***************************************************************** | ||
331 | # PRINT REPORTS | 337 | # PRINT REPORTS |
332 | #***************************************************************** | 338 | #***************************************************************** |
333 | echo | 339 | echo |
@@ -356,3 +362,4 @@ echo ${arr[12]} | |||
356 | echo ${arr[13]} | 362 | echo ${arr[13]} |
357 | echo ${arr[14]} | 363 | echo ${arr[14]} |
358 | echo ${arr[15]} | 364 | echo ${arr[15]} |
365 | echo ${arr[16]} | ||
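Review bot: TEST 2 on lines 83-88 now builds with `--disable-dbusproxy` in place of `--disable-seccomp`, so the seccomp-disabled configuration is no longer compile-tested anywhere in this script; unless it is covered elsewhere (or the configure switch has been dropped), that is arguably the build most likely to bit-rot, because the seccomp code paths are the ones every normal build exercises. Rather than replacing the case, add an `arr[17]="TEST 17: compile seccomp disabled"` entry, a TEST 17 stanza identical to the new TEST 16 one but with `./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings`, and `echo ${arr[17]}` in the report list. The `arr[14]`/`arr[15]` index fix on lines 19-21 is welcome; a comment at the top, `# the arr index must equal the TEST number used by print_title and the report`, would keep the same slip from recurring.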
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 9b61397ca..22392f882 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp | |||
@@ -41,7 +41,7 @@ expect { | |||
41 | send -- "chmod +x testfile; echo done\r" | 41 | send -- "chmod +x testfile; echo done\r" |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 5\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
44 | "Bad system call" | 44 | "Operation not permitted" |
45 | } | 45 | } |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 6\n";exit} | 47 | timeout {puts "TESTING ERROR 6\n";exit} |
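Review bot: The expected string on line 44 changes from `Bad system call` to `Operation not permitted`, so the test now passes when the filtered `chmod` returns EPERM and no longer proves that the sandbox kills a process on a blocked syscall. If this reflects a change of the default seccomp error action from kill to an errno return (which the new string suggests, but the code under test is not in this diff), the kill path is now untested; a second run of the same expect sequence with the option that selects the kill action (`--seccomp-error-action=kill`, if that is the spelling), keeping the `Bad system call` expectation, would retain that coverage. The same applies to the sibling change in seccomp-chmod.exp. A comment above the expect, `# default seccomp error action now returns EPERM instead of killing the process`, would record why the expectation moved.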
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index 01b9cbaac..c72a68c82 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp | |||
@@ -41,7 +41,7 @@ expect { | |||
41 | send -- "chmod +x testfile; echo done\r" | 41 | send -- "chmod +x testfile; echo done\r" |
42 | expect { | 42 | expect { |
43 | timeout {puts "TESTING ERROR 5\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
44 | "Bad system call" | 44 | "Operation not permitted" |
45 | } | 45 | } |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 6\n";exit} | 47 | timeout {puts "TESTING ERROR 6\n";exit} |
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp index fd3033a69..5f468cf24 100755 --- a/test/filters/seccomp-run-files.exp +++ b/test/filters/seccomp-run-files.exp | |||
@@ -24,7 +24,7 @@ after 100 | |||
24 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" | 24 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
25 | expect { | 25 | expect { |
26 | timeout {puts "TESTING ERROR 3\n";exit} | 26 | timeout {puts "TESTING ERROR 3\n";exit} |
27 | "5" | 27 | "6" |
28 | } | 28 | } |
29 | send -- "exit\r" | 29 | send -- "exit\r" |
30 | sleep 1 | 30 | sleep 1 |
@@ -90,7 +90,7 @@ after 100 | |||
90 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" | 90 | send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" |
91 | expect { | 91 | expect { |
92 | timeout {puts "TESTING ERROR 18\n";exit} | 92 | timeout {puts "TESTING ERROR 18\n";exit} |
93 | "6" | 93 | "8" |
94 | } | 94 | } |
95 | send -- "exit\r" | 95 | send -- "exit\r" |
96 | sleep 1 | 96 | sleep 1 |
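Review bot: The expected counts on lines 27 and 93 (`"6"` and `"8"`) are bare magic numbers: nothing says which files under /run/firejail/mnt/seccomp make up each count, so the next filter file that is added will break the test with no hint of why, and the reviewer of this bump cannot tell whether 6 and 8 are the right numbers. A comment above each expect listing the files that are expected for that configuration would make both this change and the next one reviewable. Separately, `expect "6"` matches any output containing a 6, including a count of 16 or 26; anchoring the pattern, e.g. `-re "\r\n6\r"`, makes the check exact.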
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp index ebd3eeb9c..818549fe2 100755 --- a/test/fs/fscheck-tmpfs.exp +++ b/test/fs/fscheck-tmpfs.exp | |||
@@ -7,12 +7,49 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | # .. | 10 | send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" |
11 | send -- "firejail --tmpfs=fscheck-dir\r" | 11 | after 100 |
12 | send -- "mkdir /tmp/fjtest-dir\r" | ||
13 | after 100 | ||
14 | |||
15 | if { ! [file exists ~/fjtest-dir/fjtest-dir] } { | ||
16 | puts "TESTING ERROR 1\n" | ||
17 | exit | ||
18 | } | ||
19 | if { ! [file exists /tmp/fjtest-dir] } { | ||
20 | puts "TESTING ERROR 2\n" | ||
21 | exit | ||
22 | } | ||
23 | |||
24 | send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 3\n";exit} | ||
27 | "Child process initialized" | ||
28 | } | ||
29 | after 500 | ||
30 | |||
31 | send -- "ls ~/fjtest-dir/fjtest-dir\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 4\n";exit} | ||
34 | "No such file or directory" | ||
35 | } | ||
36 | after 500 | ||
37 | |||
38 | send -- "exit\r" | ||
39 | after 500 | ||
40 | |||
41 | send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r" | ||
12 | expect { | 42 | expect { |
13 | timeout {puts "TESTING ERROR 0.1\n";exit} | 43 | timeout {puts "TESTING ERROR 5\n";exit} |
14 | "Error" | 44 | "Error" |
15 | } | 45 | } |
46 | after 500 | ||
47 | |||
48 | # cleanup | ||
49 | send -- "rm -fr ~/fjtest-dir\r" | ||
16 | after 100 | 50 | after 100 |
51 | send -- "rm -fr /tmp/fjtest-dir\r" | ||
52 | after 100 | ||
53 | |||
17 | 54 | ||
18 | puts "\nall done\n" | 55 | puts "\nall done\n" |
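Review bot: The second case on lines 41-45 encodes a security boundary — an unprivileged `--tmpfs` target outside the home directory is expected to be refused — but it only expects the word `Error`, so any unrelated failure (a mistyped option, a missing directory) also satisfies it; matching the specific refusal message firejail prints would pin the behaviour, and a comment such as `# tmpfs outside the home directory must be refused for a regular user - presumably so that system paths cannot be masked; confirm the exact message` would state why. If that refusal ever regresses, the sandbox starts, the `expect` times out and the test exits leaving that sandbox shell running; a `"Child process initialized" {puts "TESTING ERROR 5.1\n"; send -- "exit\r"; exit}` branch would catch the regression explicitly instead of as a timeout. The `file exists` checks on lines 15-22 also run 100 ms after the `mkdir` commands are sent, without waiting for a prompt, so a slow shell start would report a spurious ERROR 1.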
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp index 59005e1a2..61029ec18 100755 --- a/test/fs/mkdir.exp +++ b/test/fs/mkdir.exp | |||
@@ -7,11 +7,12 @@ set timeout 3 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "rm -fr ~/.firejail_test\r" | ||
11 | after 100 | ||
12 | |||
10 | send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" | 13 | send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" |
11 | expect { | 14 | expect { |
12 | timeout {puts "TESTING ERROR 1.1\n";exit} | 15 | timeout {puts "TESTING ERROR 1.1\n";exit} |
13 | "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit} | ||
14 | "No such file or directory" { puts "TESTING ERROR 1.3\n";exit} | ||
15 | ".firejail_test/a/b/c/d.txt" | 16 | ".firejail_test/a/b/c/d.txt" |
16 | } | 17 | } |
17 | send -- "rm -rf ~/.firejail_test\r" | 18 | send -- "rm -rf ~/.firejail_test\r" |
@@ -20,30 +21,29 @@ after 100 | |||
20 | send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" | 21 | send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" |
21 | expect { | 22 | expect { |
22 | timeout {puts "TESTING ERROR 2.1\n";exit} | 23 | timeout {puts "TESTING ERROR 2.1\n";exit} |
23 | "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit} | ||
24 | "No such file or directory" { puts "TESTING ERROR 2.3\n";exit} | ||
25 | "/tmp/.firejail_test/a/b/c/d.txt" | 24 | "/tmp/.firejail_test/a/b/c/d.txt" |
26 | } | 25 | } |
27 | send -- "rm -rf /tmp/.firejail_test\r" | 26 | send -- "rm -rf /tmp/.firejail_test\r" |
28 | after 100 | 27 | after 100 |
29 | 28 | ||
30 | set UID [exec id -u] | 29 | set UID [exec id -u] |
31 | send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" | 30 | set fexist [file exist /run/user/$UID] |
32 | expect { | 31 | if { $fexist } { |
33 | timeout {puts "TESTING ERROR 3.1\n";exit} | 32 | send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" |
34 | "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit} | 33 | expect { |
35 | "No such file or directory" { puts "TESTING ERROR 3.3\n";exit} | 34 | timeout {puts "TESTING ERROR 3.1\n";exit} |
36 | "/run/user/$UID/.firejail_test/a/b/c/d.txt" | 35 | "/run/user/$UID/.firejail_test/a/b/c/d.txt" |
37 | } | 36 | } |
38 | send -- "rm -rf /run/user/$UID/.firejail_test\r" | 37 | send -- "rm -rf /run/user/$UID/.firejail_test\r" |
39 | after 100 | 38 | after 100 |
40 | 39 | ||
41 | 40 | ||
42 | send -- "firejail --profile=mkdir2.profile\r" | 41 | send -- "firejail --profile=mkdir2.profile\r" |
43 | expect { | 42 | expect { |
44 | timeout {puts "TESTING ERROR 4\n";exit} | 43 | timeout {puts "TESTING ERROR 4\n";exit} |
45 | "only files or directories in user home, /tmp, or /run/user/<UID>" | 44 | "only files or directories in user home, /tmp, or /run/user/<UID>" |
45 | } | ||
46 | after 100 | ||
46 | } | 47 | } |
47 | after 100 | ||
48 | 48 | ||
49 | puts "\nall done\n" | 49 | puts "\nall done\n" |
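Review bot: The `mkdir2.profile` check (new lines 41-46) has been moved inside the `if { $fexist }` block that opens on line 31 and now closes on line 47, so on a host without /run/user/$UID — the CI case the guard was added for — the test that `mkdir` refuses paths outside the user home, /tmp and /run/user/<UID> is silently skipped, even though that refusal does not depend on /run/user existing. Close the `if` right after the `after 100` on line 38 and keep the mkdir2 block at top level. Dropping the `"Warning: cannot create"` and `"No such file or directory"` branches (old lines 13-14, 23-24 and 34-35) also means those failures now surface only as a timeout; if they were removed because of a spurious match, a comment saying so would help, otherwise restoring them keeps the failure labelled.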
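--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -34,11 +34,16 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
 echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
 ./profile_noperm.exp
 
+# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles.
+UID=`id -u`
+if [ -d "/run/user/$UID" ]; then
+PROFILES=`ls /etc/firejail/*.profile`
+echo "TESTING: default profiles installed in /etc"
+else
+PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
+echo "TESTING: small number of default profiles installed in /etc"
+fi
 
-
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
 for PROFILE in $PROFILES
 do
 echo "TESTING: $PROFILE"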
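Review bot: The assignment `UID=`id -u`` on new line 38 fails under bash, where UID is a read-only shell variable ("UID: readonly variable"); the interpreter line of profiles.sh is not visible here, and under bash $UID is pre-set so the directory test still works, but under dash or another sh the assignment is the only thing supplying the value, and with `set -e` the bash error would abort the run. Testing the substitution directly avoids both cases: `if [ -d "/run/user/$(id -u)" ]; then`. The `ls` in backticks on lines 40 and 43 also prints an error when one of the patterns matches nothing and splits names on whitespace; since `$PROFILES` is expanded unquoted by the `for` loop below, plain globs such as `PROFILES=/etc/firejail/*.profile` give the same iteration without those issues.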
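--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -10,6 +10,7 @@ match_max 100000
 send -- "firejail less sysutils.sh\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
+"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
 "MALLOC_CHECK"
 }
 expect {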
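--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 60
 spawn $env(SHELL)
 match_max 100000
 
@@ -13,6 +13,9 @@ sleep 1
 send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
 sleep 1
 
+send -- "md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2\r"
+sleep 1
+
 send -- "diff -s firejail_t1 firejail_t2\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}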
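Review bot: The `md5sum ...; ls -l ...` command added at new line 16 is sent but never matched by an `expect`, so it is paced only by the `sleep 1` that follows and its output is still arriving in the buffer when the `diff -s` check below starts; on a slow runner the diagnostic and the check can interleave. Waiting for something that appears only in that output, not in the echoed command line, keeps them in order: `expect { timeout {puts "TESTING ERROR 0\n";exit} "-rw-" }` in place of the sleep, which presumes the two redirect-created files show up as regular files in `ls -l` (confirm against the umask used in CI). The `expect` block for the diff result continues outside the hunk.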
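--- /dev/null
+++ b/test/utils/join5.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test123 --profile=join5.profile\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --join=test123\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"/bin/bash"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"/bin/bash"
+}
+
+send -- "exit\r"
+after 100
+
+send -- "firejail --protocol.print=test123\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Switching to pid"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"unix"
+}
+
+puts "\nall done\n"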
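Review bot: The label `TESTING ERROR 5` is used both for the sandbox start on line 12 and for the final `unix` check on line 42, so a timeout report cannot say which step failed; renumbering the first to `timeout {puts "TESTING ERROR 0\n";exit}` keeps the labels unique like the other join tests' sequence. The two `/bin/bash` matches on lines 26 and 30 also hard-code the shell name even though both shells are spawned from `$env(SHELL)`, so the test presumably times out on a system whose login shell is not bash; matching on `$env(SHELL)` would follow the spawn. Finally, the named sandbox `test123` started on line 10 is never shut down at the end of the script, which could leave it running into later tests that reuse that name — verify whether the harness cleans this up elsewhere.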
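--- /dev/null
+++ b/test/utils/join5.profile
@@ -0,0 +1,4 @@
+dbus-user filter
+dbus-system none
+seccomp
+protocol unix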
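--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -10,6 +10,7 @@ match_max 100000
 send -- "man firejail\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
+"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
 "Linux namespaces sandbox program"
 }
 after 100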
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 48a8051fa..7e8426f35 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -99,9 +99,12 @@ echo "TESTING: join2 (test/utils/join2.exp)" | |||
99 | echo "TESTING: join3 (test/utils/join3.exp)" | 99 | echo "TESTING: join3 (test/utils/join3.exp)" |
100 | ./join3.exp | 100 | ./join3.exp |
101 | 101 | ||
102 | echo "TESTING: join3 (test/utils/join4.exp)" | 102 | echo "TESTING: join4 (test/utils/join4.exp)" |
103 | ./join4.exp | 103 | ./join4.exp |
104 | 104 | ||
105 | echo "TESTING: join5 (test/utils/join5.exp)" | ||
106 | ./join5.exp | ||
107 | |||
105 | echo "TESTING: join profile (test/utils/join-profile.exp)" | 108 | echo "TESTING: join profile (test/utils/join-profile.exp)" |
106 | ./join-profile.exp | 109 | ./join-profile.exp |
107 | 110 | ||