-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | RELNOTES | 8 | ||||
-rw-r--r-- | test/filters/block-secondary.profile | 1 | ||||
-rwxr-xr-x | test/filters/filters.sh | 8 | ||||
-rwxr-xr-x | test/filters/seccomp-debug.exp | 137 |
6 files changed, 156 insertions, 9 deletions
@@ -245,6 +245,8 @@ Ivan Kozik (https://github.com/ivan) | |||
245 | - speed up sandbox exit | 245 | - speed up sandbox exit |
246 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 246 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
247 | - cpio profile | 247 | - cpio profile |
248 | James Elford (https://github.com/jelford) | ||
249 | - pass password manager support | ||
248 | Jericho (https://github.com/attritionorg) | 250 | Jericho (https://github.com/attritionorg) |
249 | - spelling | 251 | - spelling |
250 | Jesse Smith (https://github.com/slicer69) | 252 | Jesse Smith (https://github.com/slicer69) |
@@ -293,6 +295,9 @@ mahdi1234 (https://github.com/mahdi1234) | |||
293 | Martin Carpenter (https://github.com/mcarpenter) | 295 | Martin Carpenter (https://github.com/mcarpenter) |
294 | - security audit and bug fixes | 296 | - security audit and bug fixes |
295 | - Centos 6.x support | 297 | - Centos 6.x support |
298 | Martin Dosch (spam-debian@mdosch.de) | ||
299 | - support for gnome-shell integration addon in Firefox | ||
300 | (Bug-Debian: https://bugs.debian.org/872720) | ||
296 | Matt Parnell (https://github.com/ilikenwf) | 301 | Matt Parnell (https://github.com/ilikenwf) |
297 | - whitelisting for core firefox related functionality | 302 | - whitelisting for core firefox related functionality |
298 | Mattias Wadman (https://github.com/wader) | 303 | Mattias Wadman (https://github.com/wader) |
@@ -168,6 +168,12 @@ Check the status of the latest build here: https://travis-ci.org/netblue30/firej | |||
168 | 48 pts/0 00:00:00 ps | 168 | 48 pts/0 00:00:00 ps |
169 | $ | 169 | $ |
170 | 170 | ||
171 | --seccomp.block_secondary | ||
172 | Enable seccomp filter and filter system call architectures so | ||
173 | that only the native architecture is allowed. For example, on | ||
174 | amd64, i386 and x32 system calls are blocked as well as changā | ||
175 | ing the execution domain with personality(2) system call. | ||
176 | |||
171 | ````` | 177 | ````` |
172 | 178 | ||
173 | ## /etc/firejail/firejail.config | 179 | ## /etc/firejail/firejail.config |
@@ -3,18 +3,22 @@ firejail (0.9.49) baseline; urgency=low | |||
3 | * modif: --output split in two commands, --output and --output-stderr | 3 | * modif: --output split in two commands, --output and --output-stderr |
4 | * feature: per-profile disable-mnt (--disable-mnt) | 4 | * feature: per-profile disable-mnt (--disable-mnt) |
5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) | 5 | * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen) |
6 | * feature: --memory-deny-write-execute seccomp feature | ||
7 | * feature: private /lib directory (--private-lib) | 6 | * feature: private /lib directory (--private-lib) |
8 | * feature: disable CDROM/DVD drive (--nodvd) | 7 | * feature: disable CDROM/DVD drive (--nodvd) |
9 | * feature: disable DVB devices (--notv) | 8 | * feature: disable DVB devices (--notv) |
10 | * enhancement: print all seccomp filters under --debug | 9 | * enhancement: print all seccomp filters under --debug |
11 | * enhancement: /proc/sys mounting | 10 | * enhancement: /proc/sys mounting |
12 | * enhancement: default seccomp list update | ||
13 | * enhancement: rework IP address assingment for --net options | 11 | * enhancement: rework IP address assingment for --net options |
14 | * enhancement: support for newer Xpra versions (2.1+) - | 12 | * enhancement: support for newer Xpra versions (2.1+) - |
15 | set "xpra-attach yes" in /etc/firejail/firejail.config | 13 | set "xpra-attach yes" in /etc/firejail/firejail.config |
16 | * enhancement: all profiles use a standard layout style | 14 | * enhancement: all profiles use a standard layout style |
17 | * enhancement: create /usr/local for firecfg if the directory doesn't exist | 15 | * enhancement: create /usr/local for firecfg if the directory doesn't exist |
16 | * seccomp feature: --memory-deny-write-execute | ||
17 | * seccomp feature: seccomp post-exec | ||
18 | * seccomp feature: block secondary architecture (--seccomp.block_secondary) | ||
19 | * seccomp feature: seccomp syscall groups | ||
20 | * seccomp enhancement: print all seccomp filters under --debug | ||
21 | * seccomp enhancement: default seccomp list update | ||
18 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 22 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
19 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, | 23 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
20 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, | 24 | * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer, |
diff --git a/test/filters/block-secondary.profile b/test/filters/block-secondary.profile new file mode 100644 index 000000000..e32056c3d --- /dev/null +++ b/test/filters/block-secondary.profile | |||
@@ -0,0 +1 @@ | |||
seccomp.block-secondary | |||
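Review bot: The option is spelled `seccomp.block-secondary` here and in the `--seccomp.block-secondary` invocation in seccomp-debug.exp, while the README.md and RELNOTES additions in this same commit document it as `--seccomp.block_secondary`. Unless the option parser accepts both spellings (it is not shown on this page), a user copying the documented form would either get an error or run without the architecture restriction they expected. I would align the documentation with the form the tests exercise, i.e. `--seccomp.block-secondary`.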
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 611580612..3ebb61419 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -54,8 +54,12 @@ fi | |||
54 | echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" | 54 | echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" |
55 | ./seccomp-bad-empty.exp | 55 | ./seccomp-bad-empty.exp |
56 | 56 | ||
57 | echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" | 57 | if [ "$(uname -m)" = "x86_64" ]; then |
58 | ./seccomp-debug.exp | 58 | echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)" |
59 | ./seccomp-debug.exp | ||
60 | else | ||
61 | echo "TESTING SKIP: protocol, running only on x86_64" | ||
62 | fi | ||
59 | 63 | ||
60 | echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" | 64 | echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" |
61 | ./seccomp-errno.exp | 65 | ./seccomp-errno.exp |
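Review bot: The skip message in the new `else` branch reads `TESTING SKIP: protocol, running only on x86_64`, but the test being skipped is seccomp-debug.exp, so a log from another architecture would suggest the protocol test was skipped and the seccomp filter-installation checks ran. I would change it to `echo "TESTING SKIP: seccomp debug, running only on x86_64"`. The wording looks copied from a protocol test elsewhere in filters.sh, which is outside this hunk.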
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index a95f3bd23..7f03e45e8 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -7,25 +7,152 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --seccomp --debug\r" | 10 | send -- "firejail --debug sleep 1; echo done\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "SECCOMP Filter" | 13 | "SECCOMP Filter" |
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "BLACKLIST" | 17 | "BLACKLIST" |
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "open_by_handle_at" | 21 | "open_by_handle_at" |
22 | } | 22 | } |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | "Child process initialized" | ||
26 | } | ||
27 | expect { | ||
24 | timeout {puts "TESTING ERROR 4\n";exit} | 28 | timeout {puts "TESTING ERROR 4\n";exit} |
29 | "done" | ||
30 | } | ||
31 | after 100 | ||
32 | |||
33 | |||
34 | # amd64 architecture | ||
35 | send -- "firejail --debug sleep 1; echo done\r" | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 5\n";exit} | ||
25 | "Child process initialized" | 38 | "Child process initialized" |
26 | } | 39 | } |
27 | sleep 2 | 40 | expect { |
41 | timeout {puts "TESTING ERROR 6\n";exit} | ||
42 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 7\n";exit} | ||
46 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 8\n";exit} | ||
50 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
51 | } | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 9\n";exit} | ||
54 | "done" | ||
55 | } | ||
56 | after 100 | ||
28 | 57 | ||
29 | send -- "exit\r" | 58 | # amd64 architecture - ignore seccomp |
59 | send -- "firejail --debug --ignore=seccomp sleep 1; echo done\r" | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 10\n";exit} | ||
62 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit} | ||
63 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 12\n";exit} | ||
64 | "Child process initialized" | ||
65 | } | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 13\n";exit} | ||
68 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit} | ||
69 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 15\n";exit} | ||
70 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 16\n";exit} | ||
74 | "done" | ||
75 | } | ||
30 | after 100 | 76 | after 100 |
77 | |||
78 | # amd64 architecture - ignore protocol | ||
79 | send -- "firejail --debug --ignore=protocol sleep 1; echo done\r" | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 17\n";exit} | ||
82 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit} | ||
83 | "Child process initialized" | ||
84 | } | ||
85 | expect { | ||
86 | timeout {puts "TESTING ERROR 19\n";exit} | ||
87 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit} | ||
88 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
89 | } | ||
90 | expect { | ||
91 | timeout {puts "TESTING ERROR 21\n";exit} | ||
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit} | ||
93 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" | ||
94 | } | ||
95 | expect { | ||
96 | timeout {puts "TESTING ERROR 23\n";exit} | ||
97 | "done" | ||
98 | } | ||
99 | after 100 | ||
100 | |||
101 | # memory-deny-write-execute | ||
102 | send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r" | ||
103 | expect { | ||
104 | timeout {puts "TESTING ERROR 24\n";exit} | ||
105 | "Child process initialized" | ||
106 | } | ||
107 | expect { | ||
108 | timeout {puts "TESTING ERROR 25\n";exit} | ||
109 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
110 | } | ||
111 | expect { | ||
112 | timeout {puts "TESTING ERROR 26\n";exit} | ||
113 | "done" | ||
114 | } | ||
115 | |||
116 | |||
117 | # amd64 architecture - seccomp.block-secondary | ||
118 | send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r" | ||
119 | expect { | ||
120 | timeout {puts "TESTING ERROR 27\n";exit} | ||
121 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 28\n";exit} | ||
122 | "Child process initialized" | ||
123 | } | ||
124 | expect { | ||
125 | timeout {puts "TESTING ERROR 29\n";exit} | ||
126 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 30\n";exit} | ||
127 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
128 | } | ||
129 | expect { | ||
130 | timeout {puts "TESTING ERROR 31\n";exit} | ||
131 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 32\n";exit} | ||
132 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
133 | } | ||
134 | expect { | ||
135 | timeout {puts "TESTING ERROR 33\n";exit} | ||
136 | "done" | ||
137 | } | ||
138 | after 100 | ||
139 | |||
140 | # amd64 architecture - seccomp.block-secondary, profile | ||
141 | send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r" | ||
142 | expect { | ||
143 | timeout {puts "TESTING ERROR 33\n";exit} | ||
144 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 34\n";exit} | ||
145 | "Child process initialized" | ||
146 | } | ||
147 | expect { | ||
148 | timeout {puts "TESTING ERROR 35\n";exit} | ||
149 | "Installing /run/firejail/mnt/seccomp.i386 seccomp filter" {puts "TESTING ERROR 35\n";exit} | ||
150 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
151 | } | ||
152 | expect { | ||
153 | timeout {puts "TESTING ERROR 37\n";exit} | ||
154 | "done" | ||
155 | } | ||
156 | after 100 | ||
157 | |||
31 | puts "all done\n" | 158 | puts "all done\n" |
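Review bot: The `--ignore=protocol` block stops looking for the protocol filter too early: its failure pattern is attached only to the expects that end at the `seccomp.i386` line, and the closing `expect` waits for `done` with no failure pattern. Judging from the positive "amd64 architecture" block, where the filters are matched in the order seccomp, seccomp.i386, seccomp.protocol, a protocol filter installed despite the flag would be printed after the i386 line and the test would still pass. The profile variant of the block-secondary test has the same gap, because its negative checks end at the `seccomp` line, before the point where an i386 line would appear. Adding the failure pattern to the closing expect of each block, with its own error number, closes both, e.g. `"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 23a\n";exit}` ahead of `"done"`. Separately, `TESTING ERROR 33` and `TESTING ERROR 35` are each used twice and 36 is never used, so a failure in the last two blocks cannot be traced to a single expect.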