-rw-r--r-- | README.md | 98 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/Thunar.profile | 10 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/pcmanfm.profile | 30 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
7 files changed, 104 insertions, 41 deletions
@@ -66,12 +66,69 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
66 | ````` | 66 | ````` |
67 | 67 | ||
68 | ````` | 68 | ````` |
69 | ## Desktop integration | ||
70 | |||
71 | All --fix functionality is done by default in firecfg, --fix option was removed. Clicking on a program | ||
72 | in desktop manager menu should start the program automatically in a sandbox, if a profile | ||
73 | is available in /etc/firejail. We cover about 270 different applications in this moment on all major desktop managers. | ||
74 | |||
75 | Thunar (XFCE) and PCManFM (LXDE) file managers symlinks are installed in /usr/local/bin by firecfg. | ||
76 | File managers are usually started by default at login time, and will be sandboxed. | ||
77 | Clicking on a file in the file manager will start the corresponding program in the same sandbox as the file manager. | ||
78 | For example, clicking on a video file will start a sandboxed VLC running the video. | ||
79 | We support in this moment XFCE and LXDE, MATE will come next, followed by KDE and Gnome. | ||
80 | |||
69 | ## AppImage | 81 | ## AppImage |
70 | 82 | ||
71 | Added AppImage type 2 support, and support for passing command line arguments to appimages. | 83 | Added AppImage type 2 support, and support for passing command line arguments to appimages. |
72 | ````` | 84 | ````` |
73 | 85 | ||
74 | ````` | 86 | ````` |
87 | ## X11 sandboxing support | ||
88 | In this release we add support for Xvfb (X virtual framebuffer), an in-memory X display server. | ||
89 | Xvfb allows the user to run graphical applications without a display (e.g., browser tests on a CI server) | ||
90 | while also having the ability to take screenshots. | ||
91 | |||
92 | |||
93 | --x11=xvfb | ||
94 | Start Xvfb X11 server and attach the sandbox to this server. | ||
95 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
96 | operations in memory without showing any screen output. Xvfb is | ||
97 | mainly used for remote access and software testing on headless | ||
98 | servers. | ||
99 | |||
100 | On Debian platforms Xvfb is installed with the command sudo apt- | ||
101 | get install xvfb. This feature is not available when running as | ||
102 | root. | ||
103 | |||
104 | Example: remote VNC access | ||
105 | |||
106 | On the server we start a sandbox using Xvfb and openbox window | ||
107 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
108 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
109 | sort of networking (--net) is required in order to isolate the | ||
110 | abstract sockets used by other X servers. | ||
111 | |||
112 | $ firejail --net=none --x11=xvfb openbox | ||
113 | |||
114 | *** Attaching to Xvfb display 792 *** | ||
115 | |||
116 | Reading profile /etc/firejail/openbox.profile | ||
117 | Reading profile /etc/firejail/disable-common.inc | ||
118 | Reading profile /etc/firejail/disable-common.local | ||
119 | Parent pid 5400, child pid 5401 | ||
120 | |||
121 | On the server we also start a VNC server and attach it to the | ||
122 | display handled by our Xvfb server (792). | ||
123 | |||
124 | $ x11vnc -display :792 | ||
125 | |||
126 | On the client machine we start a VNC viewer and use it to con‐ | ||
127 | nect to our server: | ||
128 | |||
129 | $ vncviewer | ||
130 | |||
131 | |||
75 | ## New command line options | 132 | ## New command line options |
76 | ````` | 133 | ````` |
77 | --private-opt=file,directory | 134 | --private-opt=file,directory |
@@ -145,43 +202,6 @@ Added AppImage type 2 support, and support for passing command line arguments to | |||
145 | 202 | ||
146 | $ firejail --git-uninstall | 203 | $ firejail --git-uninstall |
147 | 204 | ||
148 | --x11=xvfb | ||
149 | Start Xvfb X11 server and attach the sandbox to this server. | ||
150 | Xvfb, short for X virtual framebuffer, performs all graphical | ||
151 | operations in memory without showing any screen output. Xvfb is | ||
152 | mainly used for remote access and software testing on headless | ||
153 | servers. | ||
154 | |||
155 | On Debian platforms Xvfb is installed with the command sudo apt- | ||
156 | get install xvfb. This feature is not available when running as | ||
157 | root. | ||
158 | |||
159 | Example: remote VNC access | ||
160 | |||
161 | On the server we start a sandbox using Xvfb and openbox window | ||
162 | manager. The default size of Xvfb screen is 800x600 - it can be | ||
163 | changed in /etc/firejail/firejail.config (xvfb-screen). Some | ||
164 | sort of networking (--net) is required in order to isolate the | ||
165 | abstract sockets used by other X servers. | ||
166 | |||
167 | $ firejail --net=none --x11=xvfb openbox | ||
168 | |||
169 | *** Attaching to Xvfb display 792 *** | ||
170 | |||
171 | Reading profile /etc/firejail/openbox.profile | ||
172 | Reading profile /etc/firejail/disable-common.inc | ||
173 | Reading profile /etc/firejail/disable-common.local | ||
174 | Parent pid 5400, child pid 5401 | ||
175 | |||
176 | On the server we also start a VNC server and attach it to the | ||
177 | display handled by our Xvfb server (792). | ||
178 | |||
179 | $ x11vnc -display :792 | ||
180 | |||
181 | On the client machine we start a VNC viewer and use it to con‐ | ||
182 | nect to our server: | ||
183 | |||
184 | $ vncviewer | ||
185 | 205 | ||
186 | --nowhitelist=dirname_or_filename | 206 | --nowhitelist=dirname_or_filename |
187 | Disable whitelist for this directory or file. | 207 | Disable whitelist for this directory or file. |
@@ -196,5 +216,5 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, | |||
196 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | 216 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, |
197 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, | 217 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, |
198 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, | 218 | Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, |
199 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent, | 219 | Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, |
200 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto | 220 | Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, Ristretto, PCManFM |
@@ -37,7 +37,9 @@ firejail (0.9.46-rc1) baseline; urgency=low | |||
37 | * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa, | 37 | * new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa, |
38 | * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, | 38 | * new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, |
39 | * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking, | 39 | * new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking, |
40 | * new profiles: youtube-dl, meld, Arduino | 40 | * new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent, |
41 | * new profiles: Orage Globaltime, Orage Clendar, xfce4-notes, xfce4-dict, | ||
42 | * new profiles: Ristretto, PCManFM | ||
41 | * bugfixes | 43 | * bugfixes |
42 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500 | 44 | -- netblue30 <netblue30@yahoo.com> Fri, 7 Apr 2017 08:00:00 -0500 |
43 | 45 | ||
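--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -7,7 +7,7 @@ noblacklist ~/.config/Thunar
 noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
@@ -21,3 +21,11 @@ protocol unix
 seccomp
 shell none
 tracelog
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp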
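Review bot: Commenting out `include /etc/firejail/disable-programs.inc` at line 10 drops the blacklist of every other application's configuration directory, so the Thunar sandbox — and, per the README hunk above, any program it launches into that same sandbox — can now read browser profiles, mail stores and similar data it previously could not, and nothing in the profile records that this is deliberate. A comment above the line would stop the next maintainer from "fixing" it back, e.g. `# disable-programs.inc is intentionally skipped: programs opened from Thunar run inside this sandbox and need their own ~/.config dirs; re-enable it in Thunar.local if you never launch other apps from the file manager`. Whether re-enabling from the .local file actually works depends on where that include sits relative to the noblacklist lines, which is outside this hunk, so that part should be checked before it is promised. The new trailing comment also reads `depending on you usage`; it should be `depending on your usage`.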
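--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -107,6 +107,7 @@ blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+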
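--- /dev/null
+++ b/etc/pcmanfm.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pcmanfm.local
+
+noblacklist ~/.config/pcmanfm
+noblacklist ~/.config/libfm
+include /etc/firejail/disable-common.inc
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+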
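Review bot: Line 8 ships `include /etc/firejail/disable-programs.inc` commented out with no explanation, so this new profile lets the file manager — and anything launched from it into the same sandbox, as the README hunk describes — read every other application's ~/.config directory, a noticeably weaker confinement than the other profiles in this tree. A comment should state the reason, e.g. `# disable-programs.inc is intentionally not included: programs opened from PCManFM share this sandbox and need their own config dirs`. Users who do not launch other applications from PCManFM may want to re-enable it, but `pcmanfm.local` is included at line 3 before the `noblacklist` lines at 5-6, so a blacklist added there would presumably be processed before the noblacklist of ~/.config/pcmanfm — worth confirming the ordering semantics before recommending that route. Also, `depending on you usage` at line 24 should read `depending on your usage`.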
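--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -276,3 +276,4 @@
 /etc/firejail/ristretto.profile
 /etc/firejail/xfce4-dict.profile
 /etc/firejail/xfce4-notes.profile
+/etc/firejail/pcmanfm.profile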
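--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -148,6 +148,7 @@ opera-beta
 orage
 palemoon
 parole
+pcmanfm
 pdfsam
 pdftotext
 pidgin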