diff options
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/android-studio.profile | 37 | ||||
-rw-r--r-- | etc/arduino.profile | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/exiftool.profile | 1 | ||||
-rw-r--r-- | etc/idea.sh.profile | 37 | ||||
-rw-r--r-- | etc/jd-gui.profile | 1 | ||||
-rw-r--r-- | etc/libreoffice.profile | 1 | ||||
-rw-r--r-- | etc/multimc5.profile | 1 | ||||
-rw-r--r-- | etc/pdfsam.profile | 1 | ||||
-rw-r--r-- | etc/silentarmy.profile | 33 | ||||
-rw-r--r-- | etc/steam.profile | 5 | ||||
-rw-r--r-- | platform/debian/conffiles | 4 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 56 | ||||
-rw-r--r-- | src/firejail/x11.c | 2 |
19 files changed, 175 insertions, 32 deletions
@@ -387,6 +387,8 @@ SpotComms (https://github.com/SpotComms) | |||
387 | - fixed wget profile | 387 | - fixed wget profile |
388 | - fixed firecfg.config file | 388 | - fixed firecfg.config file |
389 | - added novideo and disable-mnt support in all profile files | 389 | - added novideo and disable-mnt support in all profile files |
390 | - added Peek and silent profiles | ||
391 | - added IntelliJ IDEA and Android Studio profiles | ||
390 | SYN-cook (https://github.com/SYN-cook) | 392 | SYN-cook (https://github.com/SYN-cook) |
391 | - keepass/keepassx browser fixes | 393 | - keepass/keepassx browser fixes |
392 | - disable-common.inc fixes | 394 | - disable-common.inc fixes |
@@ -107,5 +107,5 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
107 | 107 | ||
108 | ## New profiles: | 108 | ## New profiles: |
109 | 109 | ||
110 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea | 110 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, silentarmy, IntelliJ IDEA, Android Studio |
111 | 111 | ||
@@ -2,7 +2,8 @@ firejail (0.9.49) baseline; urgency=low | |||
2 | * work in progress! | 2 | * work in progress! |
3 | * feature: per-profile disable-mnt | 3 | * feature: per-profile disable-mnt |
4 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 4 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
5 | * new profiles: Geary, Liferea | 5 | * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA, |
6 | * new profiles: Android Studio | ||
6 | * bugfixes | 7 | * bugfixes |
7 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 | 8 | -- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500 |
8 | 9 | ||
diff --git a/etc/android-studio.profile b/etc/android-studio.profile new file mode 100644 index 000000000..68a3cdc85 --- /dev/null +++ b/etc/android-studio.profile | |||
@@ -0,0 +1,37 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/android-studio.local | ||
7 | |||
8 | # Firejail profile for Android Studio | ||
9 | |||
10 | noblacklist ${HOME}/.AndroidStudio* | ||
11 | noblacklist ${HOME}/.android | ||
12 | noblacklist ${HOME}/.gitconfig | ||
13 | noblacklist ${HOME}/.gradle | ||
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/JetBrains | ||
16 | noblacklist ${HOME}/.ssh | ||
17 | noblacklist ${HOME}/.tooling | ||
18 | |||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-passwdmgr.inc | ||
21 | include /etc/firejail/disable-programs.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | #nosound | ||
29 | novideo | ||
30 | protocol unix,inet,inet6 | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | #private-tmp | ||
36 | |||
37 | noexec /tmp | ||
diff --git a/etc/arduino.profile b/etc/arduino.profile index 60c071c01..ff605501d 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile | |||
@@ -8,6 +8,7 @@ include /etc/firejail/arduino.local | |||
8 | # Firejail profile for arduino | 8 | # Firejail profile for arduino |
9 | noblacklist ${HOME}/.arduino15 | 9 | noblacklist ${HOME}/.arduino15 |
10 | noblacklist ${HOME}/Arduino | 10 | noblacklist ${HOME}/Arduino |
11 | noblacklist ${HOME}/.java | ||
11 | 12 | ||
12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
13 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 655a44a04..3c98b8ac3 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -4,8 +4,10 @@ include /etc/firejail/disable-programs.local | |||
4 | 4 | ||
5 | blacklist ${HOME}/.*coin | 5 | blacklist ${HOME}/.*coin |
6 | blacklist ${HOME}/.8pecxstudios | 6 | blacklist ${HOME}/.8pecxstudios |
7 | blacklist ${HOME}/.AndroidStudio* | ||
7 | blacklist ${HOME}/.Atom | 8 | blacklist ${HOME}/.Atom |
8 | blacklist ${HOME}/.FBReader | 9 | blacklist ${HOME}/.FBReader |
10 | blacklist ${HOME}/.IdeaIC* | ||
9 | blacklist ${HOME}/.LuminanceHDR | 11 | blacklist ${HOME}/.LuminanceHDR |
10 | blacklist ${HOME}/.Mathematica | 12 | blacklist ${HOME}/.Mathematica |
11 | blacklist ${HOME}/.Natron | 13 | blacklist ${HOME}/.Natron |
@@ -16,6 +18,7 @@ blacklist ${HOME}/.Steampid | |||
16 | blacklist ${HOME}/.TelegramDesktop | 18 | blacklist ${HOME}/.TelegramDesktop |
17 | blacklist ${HOME}/.VirtualBox | 19 | blacklist ${HOME}/.VirtualBox |
18 | blacklist ${HOME}/.Wolfram Research | 20 | blacklist ${HOME}/.Wolfram Research |
21 | blacklist ${HOME}/.android | ||
19 | blacklist ${HOME}/.arduino15 | 22 | blacklist ${HOME}/.arduino15 |
20 | blacklist ${HOME}/.atom | 23 | blacklist ${HOME}/.atom |
21 | blacklist ${HOME}/.attic | 24 | blacklist ${HOME}/.attic |
@@ -192,11 +195,13 @@ blacklist ${HOME}/.googleearth/Cache/ | |||
192 | blacklist ${HOME}/.googleearth/Temp/ | 195 | blacklist ${HOME}/.googleearth/Temp/ |
193 | blacklist ${HOME}/.googleearth/myplaces.backup.kml | 196 | blacklist ${HOME}/.googleearth/myplaces.backup.kml |
194 | blacklist ${HOME}/.googleearth/myplaces.kml | 197 | blacklist ${HOME}/.googleearth/myplaces.kml |
198 | blacklist ${HOME}/.gradle | ||
195 | blacklist ${HOME}/.guayadeque | 199 | blacklist ${HOME}/.guayadeque |
196 | blacklist ${HOME}/.hedgewars | 200 | blacklist ${HOME}/.hedgewars |
197 | blacklist ${HOME}/.hugin | 201 | blacklist ${HOME}/.hugin |
198 | blacklist ${HOME}/.icedove | 202 | blacklist ${HOME}/.icedove |
199 | blacklist ${HOME}/.inkscape | 203 | blacklist ${HOME}/.inkscape |
204 | blacklist ${HOME}/.java | ||
200 | blacklist ${HOME}/.jitsi | 205 | blacklist ${HOME}/.jitsi |
201 | blacklist ${HOME}/.kde4/share/apps/gwenview | 206 | blacklist ${HOME}/.kde4/share/apps/gwenview |
202 | blacklist ${HOME}/.kde4/share/apps/kcookiejar | 207 | blacklist ${HOME}/.kde4/share/apps/kcookiejar |
@@ -249,6 +254,7 @@ blacklist ${HOME}/.local/share/0ad | |||
249 | blacklist ${HOME}/.local/share/3909/PapersPlease | 254 | blacklist ${HOME}/.local/share/3909/PapersPlease |
250 | blacklist ${HOME}/.local/share/akregator | 255 | blacklist ${HOME}/.local/share/akregator |
251 | blacklist ${HOME}/.local/share/Empathy | 256 | blacklist ${HOME}/.local/share/Empathy |
257 | blacklist ${HOME}/.local/share/JetBrains | ||
252 | blacklist ${HOME}/.local/share/Mumble | 258 | blacklist ${HOME}/.local/share/Mumble |
253 | blacklist ${HOME}/.local/share/QuiteRss | 259 | blacklist ${HOME}/.local/share/QuiteRss |
254 | blacklist ${HOME}/.local/share/Ricochet | 260 | blacklist ${HOME}/.local/share/Ricochet |
@@ -338,6 +344,7 @@ blacklist ${HOME}/.sylpheed-2.0 | |||
338 | blacklist ${HOME}/.synfig | 344 | blacklist ${HOME}/.synfig |
339 | blacklist ${HOME}/.tconn | 345 | blacklist ${HOME}/.tconn |
340 | blacklist ${HOME}/.thunderbird | 346 | blacklist ${HOME}/.thunderbird |
347 | blacklist ${HOME}/.tooling | ||
341 | blacklist ${HOME}/.ts3client | 348 | blacklist ${HOME}/.ts3client |
342 | blacklist ${HOME}/.viking | 349 | blacklist ${HOME}/.viking |
343 | blacklist ${HOME}/.viking-maps | 350 | blacklist ${HOME}/.viking-maps |
@@ -387,6 +394,7 @@ blacklist ${HOME}/.cache/netsurf | |||
387 | blacklist ${HOME}/.cache/opera | 394 | blacklist ${HOME}/.cache/opera |
388 | blacklist ${HOME}/.cache/opera-beta | 395 | blacklist ${HOME}/.cache/opera-beta |
389 | blacklist ${HOME}/.cache/org.gnome.Books | 396 | blacklist ${HOME}/.cache/org.gnome.Books |
397 | blacklist ${HOME}/.cache/peek | ||
390 | blacklist ${HOME}/.cache/qBittorrent | 398 | blacklist ${HOME}/.cache/qBittorrent |
391 | blacklist ${HOME}/.cache/qutebrowser | 399 | blacklist ${HOME}/.cache/qutebrowser |
392 | blacklist ${HOME}/.cache/simple-scan | 400 | blacklist ${HOME}/.cache/simple-scan |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 729dabeb7..aba484718 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | quiet | ||
1 | # Persistent global definitions go here | 2 | # Persistent global definitions go here |
2 | include /etc/firejail/globals.local | 3 | include /etc/firejail/globals.local |
3 | 4 | ||
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile new file mode 100644 index 000000000..771131262 --- /dev/null +++ b/etc/idea.sh.profile | |||
@@ -0,0 +1,37 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/idea.sh.local | ||
7 | |||
8 | # Firejail profile for IntelliJ IDEA Community Edition | ||
9 | |||
10 | noblacklist ${HOME}/.android | ||
11 | noblacklist ${HOME}/.gitconfig | ||
12 | noblacklist ${HOME}/.gradle | ||
13 | noblacklist ${HOME}/.IdeaIC* | ||
14 | noblacklist ${HOME}/.java | ||
15 | noblacklist ${HOME}/.local/share/JetBrains | ||
16 | noblacklist ${HOME}/.ssh | ||
17 | noblacklist ${HOME}/.tooling | ||
18 | |||
19 | include /etc/firejail/disable-common.inc | ||
20 | include /etc/firejail/disable-passwdmgr.inc | ||
21 | include /etc/firejail/disable-programs.inc | ||
22 | |||
23 | caps.drop all | ||
24 | netfilter | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | #nosound | ||
29 | novideo | ||
30 | protocol unix,inet,inet6 | ||
31 | seccomp | ||
32 | shell none | ||
33 | |||
34 | private-dev | ||
35 | #private-tmp | ||
36 | |||
37 | noexec /tmp | ||
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index a96eedee6..32b43cdf1 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -10,6 +10,7 @@ include /etc/firejail/jd-gui.local | |||
10 | # | 10 | # |
11 | 11 | ||
12 | noblacklist ${HOME}/.config/jd-gui.cfg | 12 | noblacklist ${HOME}/.config/jd-gui.cfg |
13 | noblacklist ${HOME}/.java | ||
13 | 14 | ||
14 | #Blacklist Paths | 15 | #Blacklist Paths |
15 | include /etc/firejail/disable-common.inc | 16 | include /etc/firejail/disable-common.inc |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 90d87df2f..fe5861e4a 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -7,6 +7,7 @@ include /etc/firejail/libreoffice.local | |||
7 | 7 | ||
8 | # Firejail profile for LibreOffice | 8 | # Firejail profile for LibreOffice |
9 | noblacklist ~/.config/libreoffice | 9 | noblacklist ~/.config/libreoffice |
10 | noblacklist ${HOME}/.java | ||
10 | noblacklist /usr/local/sbin | 11 | noblacklist /usr/local/sbin |
11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
12 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index e45ab9cba..6b0696064 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -10,6 +10,7 @@ include /etc/firejail/multimc5.local | |||
10 | # | 10 | # |
11 | 11 | ||
12 | #No Blacklist Paths | 12 | #No Blacklist Paths |
13 | noblacklist ${HOME}/.java | ||
13 | noblacklist ${HOME}/.local/share/multimc5 | 14 | noblacklist ${HOME}/.local/share/multimc5 |
14 | noblacklist ${HOME}/.multimc5 | 15 | noblacklist ${HOME}/.multimc5 |
15 | 16 | ||
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 611ca3775..b46ac9294 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -8,6 +8,7 @@ include /etc/firejail/pdfsam.local | |||
8 | # | 8 | # |
9 | #Profile for pdfsam | 9 | #Profile for pdfsam |
10 | # | 10 | # |
11 | noblacklist ${HOME}/.java | ||
11 | 12 | ||
12 | #Blacklist Paths | 13 | #Blacklist Paths |
13 | include /etc/firejail/disable-common.inc | 14 | include /etc/firejail/disable-common.inc |
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile new file mode 100644 index 000000000..bcad82b5d --- /dev/null +++ b/etc/silentarmy.profile | |||
@@ -0,0 +1,33 @@ | |||
1 | # Persistent global definitions go here | ||
2 | include /etc/firejail/globals.local | ||
3 | |||
4 | # This file is overwritten during software install. | ||
5 | # Persistent customizations should go in a .local file. | ||
6 | include /etc/firejail/silentarmy.local | ||
7 | |||
8 | # Firejail profile for SILENTARMY | ||
9 | |||
10 | include /etc/firejail/disable-common.inc | ||
11 | #include /etc/firejail/disable-devel.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | ||
13 | include /etc/firejail/disable-programs.inc | ||
14 | |||
15 | caps.drop all | ||
16 | netfilter | ||
17 | nogroups | ||
18 | nonewprivs | ||
19 | noroot | ||
20 | nosound | ||
21 | novideo | ||
22 | protocol unix,inet,inet6 | ||
23 | seccomp | ||
24 | shell none | ||
25 | |||
26 | disable-mnt | ||
27 | private | ||
28 | #private-bin silentarmy,sa-solver,python3 | ||
29 | private-dev | ||
30 | private-tmp | ||
31 | |||
32 | noexec ${HOME} | ||
33 | noexec /tmp | ||
diff --git a/etc/steam.profile b/etc/steam.profile index e2dc6216b..9eaa6a83b 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
@@ -6,6 +6,7 @@ include /etc/firejail/globals.local | |||
6 | include /etc/firejail/steam.local | 6 | include /etc/firejail/steam.local |
7 | 7 | ||
8 | # Steam profile (applies to games/apps launched from Steam as well) | 8 | # Steam profile (applies to games/apps launched from Steam as well) |
9 | noblacklist ${HOME}/.java | ||
9 | noblacklist ${HOME}/.Steam | 10 | noblacklist ${HOME}/.Steam |
10 | noblacklist ${HOME}/.steam | 11 | noblacklist ${HOME}/.steam |
11 | noblacklist ${HOME}/.Steampath | 12 | noblacklist ${HOME}/.Steampath |
@@ -29,7 +30,9 @@ noroot | |||
29 | protocol unix,inet,inet6,netlink | 30 | protocol unix,inet,inet6,netlink |
30 | seccomp | 31 | seccomp |
31 | shell none | 32 | shell none |
32 | tracelog | 33 | |
34 | # tracelog disabled as it breaks integrated browser | ||
35 | #tracelog | ||
33 | 36 | ||
34 | private-dev | 37 | private-dev |
35 | private-tmp | 38 | private-tmp |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 214f4f885..852d54c0e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -14,6 +14,7 @@ | |||
14 | /etc/firejail/abrowser.profile | 14 | /etc/firejail/abrowser.profile |
15 | /etc/firejail/akregator.profile | 15 | /etc/firejail/akregator.profile |
16 | /etc/firejail/amarok.profile | 16 | /etc/firejail/amarok.profile |
17 | /etc/firejail/android-studio.profile | ||
17 | /etc/firejail/arduino.profile | 18 | /etc/firejail/arduino.profile |
18 | /etc/firejail/ark.profile | 19 | /etc/firejail/ark.profile |
19 | /etc/firejail/atom-beta.profile | 20 | /etc/firejail/atom-beta.profile |
@@ -136,6 +137,7 @@ | |||
136 | /etc/firejail/icecat.profile | 137 | /etc/firejail/icecat.profile |
137 | /etc/firejail/icedove.profile | 138 | /etc/firejail/icedove.profile |
138 | /etc/firejail/iceweasel.profile | 139 | /etc/firejail/iceweasel.profile |
140 | /etc/firejail/idea.sh.profile | ||
139 | /etc/firejail/img2txt.profile | 141 | /etc/firejail/img2txt.profile |
140 | /etc/firejail/inkscape.profile | 142 | /etc/firejail/inkscape.profile |
141 | /etc/firejail/inox.profile | 143 | /etc/firejail/inox.profile |
@@ -209,6 +211,7 @@ | |||
209 | /etc/firejail/pcmanfm.profile | 211 | /etc/firejail/pcmanfm.profile |
210 | /etc/firejail/pdfsam.profile | 212 | /etc/firejail/pdfsam.profile |
211 | /etc/firejail/pdftotext.profile | 213 | /etc/firejail/pdftotext.profile |
214 | /etc/firejail/peek.profile | ||
212 | /etc/firejail/pidgin.profile | 215 | /etc/firejail/pidgin.profile |
213 | /etc/firejail/pithos.profile | 216 | /etc/firejail/pithos.profile |
214 | /etc/firejail/pix.profile | 217 | /etc/firejail/pix.profile |
@@ -233,6 +236,7 @@ | |||
233 | /etc/firejail/seamonkey-bin.profile | 236 | /etc/firejail/seamonkey-bin.profile |
234 | /etc/firejail/seamonkey.profile | 237 | /etc/firejail/seamonkey.profile |
235 | /etc/firejail/server.profile | 238 | /etc/firejail/server.profile |
239 | /etc/firejail/silentarmy.profile | ||
236 | /etc/firejail/simple-scan.profile | 240 | /etc/firejail/simple-scan.profile |
237 | /etc/firejail/skanlite.profile | 241 | /etc/firejail/skanlite.profile |
238 | /etc/firejail/skype.profile | 242 | /etc/firejail/skype.profile |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c616f040c..025f239ba 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -6,6 +6,7 @@ | |||
6 | abrowser | 6 | abrowser |
7 | akregator | 7 | akregator |
8 | amarok | 8 | amarok |
9 | android-studio | ||
9 | arduino | 10 | arduino |
10 | ark | 11 | ark |
11 | atom | 12 | atom |
@@ -118,6 +119,7 @@ hugin | |||
118 | icecat | 119 | icecat |
119 | icedove | 120 | icedove |
120 | iceweasel | 121 | iceweasel |
122 | idea.sh | ||
121 | img2txt | 123 | img2txt |
122 | inkscape | 124 | inkscape |
123 | inox | 125 | inox |
@@ -188,6 +190,7 @@ palemoon | |||
188 | parole | 190 | parole |
189 | pdfsam | 191 | pdfsam |
190 | pdftotext | 192 | pdftotext |
193 | peek | ||
191 | pidgin | 194 | pidgin |
192 | pithos | 195 | pithos |
193 | pix | 196 | pix |
@@ -212,6 +215,7 @@ scribus | |||
212 | seamonkey | 215 | seamonkey |
213 | seamonkey-bin | 216 | seamonkey-bin |
214 | simple-scan | 217 | simple-scan |
218 | silentarmy | ||
215 | skanlite | 219 | skanlite |
216 | skype | 220 | skype |
217 | skypeforlinux | 221 | skypeforlinux |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index af943581e..88f04f47f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -81,8 +81,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
81 | if (cfg.profile_ignore[i] == NULL) | 81 | if (cfg.profile_ignore[i] == NULL) |
82 | break; | 82 | break; |
83 | 83 | ||
84 | if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0) | 84 | int len = strlen(cfg.profile_ignore[i]); |
85 | return 0; // ignore line | 85 | if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) { |
86 | // full word match | ||
87 | if (*(ptr + len) == '\0' || *(ptr + len) == ' ') | ||
88 | return 0; // ignore line | ||
89 | } | ||
86 | } | 90 | } |
87 | 91 | ||
88 | if (strncmp(ptr, "ignore ", 7) == 0) { | 92 | if (strncmp(ptr, "ignore ", 7) == 0) { |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 15379215c..29f928ee7 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -123,40 +123,47 @@ void seccomp_filter_64(void) { | |||
123 | 123 | ||
124 | // drop filter for seccomp option | 124 | // drop filter for seccomp option |
125 | int seccomp_filter_drop(int enforce_seccomp) { | 125 | int seccomp_filter_drop(int enforce_seccomp) { |
126 | // default seccomp | 126 | // if we have multiple seccomp commands, only one of them is executed |
127 | if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) { | 127 | // in the following order: |
128 | // - seccomp.drop list | ||
129 | // - seccomp list | ||
130 | // - seccomp | ||
131 | if (cfg.seccomp_list_drop == NULL) { | ||
132 | // default seccomp | ||
133 | if (cfg.seccomp_list == NULL) { | ||
128 | #if defined(__x86_64__) | 134 | #if defined(__x86_64__) |
129 | seccomp_filter_32(); | 135 | seccomp_filter_32(); |
130 | #endif | 136 | #endif |
131 | #if defined(__i386__) | 137 | #if defined(__i386__) |
132 | seccomp_filter_64(); | 138 | seccomp_filter_64(); |
133 | #endif | 139 | #endif |
134 | } | 140 | } |
135 | // default seccomp filter with additional drop list | 141 | // default seccomp filter with additional drop list |
136 | else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { | 142 | else { // cfg.seccomp_list != NULL |
137 | #if defined(__x86_64__) | 143 | #if defined(__x86_64__) |
138 | seccomp_filter_32(); | 144 | seccomp_filter_32(); |
139 | #endif | 145 | #endif |
140 | #if defined(__i386__) | 146 | #if defined(__i386__) |
141 | seccomp_filter_64(); | 147 | seccomp_filter_64(); |
142 | #endif | 148 | #endif |
143 | if (arg_debug) | 149 | if (arg_debug) |
144 | printf("Build default+drop seccomp filter\n"); | 150 | printf("Build default+drop seccomp filter\n"); |
145 | 151 | ||
146 | // build the seccomp filter as a regular user | 152 | // build the seccomp filter as a regular user |
147 | int rv; | 153 | int rv; |
148 | if (arg_allow_debuggers) | 154 | if (arg_allow_debuggers) |
149 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, | 155 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, |
150 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); | 156 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); |
151 | else | 157 | else |
152 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, | 158 | rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, |
153 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); | 159 | PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); |
154 | if (rv) | 160 | if (rv) |
155 | exit(rv); | 161 | exit(rv); |
162 | } | ||
156 | } | 163 | } |
157 | 164 | ||
158 | // drop list without defaults - secondary filters are not installed | 165 | // drop list without defaults - secondary filters are not installed |
159 | else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { | 166 | else { // cfg.seccomp_list_drop != NULL |
160 | if (arg_debug) | 167 | if (arg_debug) |
161 | printf("Build drop seccomp filter\n"); | 168 | printf("Build drop seccomp filter\n"); |
162 | 169 | ||
@@ -172,9 +179,6 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
172 | if (rv) | 179 | if (rv) |
173 | exit(rv); | 180 | exit(rv); |
174 | } | 181 | } |
175 | else { | ||
176 | assert(0); | ||
177 | } | ||
178 | 182 | ||
179 | // load the filter | 183 | // load the filter |
180 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { | 184 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 79ebc3b1b..77bf7749f 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
639 | 639 | ||
640 | // build the start command | 640 | // build the start command |
641 | char *server_argv[256] = { // rest initialyzed to NULL | 641 | char *server_argv[256] = { // rest initialyzed to NULL |
642 | "xpra", "start", display_str, "--no-daemon", "--use-display", | 642 | "xpra", "start", display_str, "--no-daemon", |
643 | }; | 643 | }; |
644 | unsigned pos = 0; | 644 | unsigned pos = 0; |
645 | while (server_argv[pos] != NULL) pos++; | 645 | while (server_argv[pos] != NULL) pos++; |