-rw-r--r-- | .gitignore | 1 | ||||
-rwxr-xr-x | contrib/jail_prober.py | 360 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/flameshot.profile | 5 |
5 files changed, 194 insertions, 175 deletions
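--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@
 *.DS_Store
 .directory
 *.man
+.vscode
 Makefile
 autom4te.cache/
 config.log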
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py index dad790b57..67e851282 100755 --- a/contrib/jail_prober.py +++ b/contrib/jail_prober.py | |||
@@ -1,174 +1,186 @@ | |||
1 | #!/usr/bin/env python3 | 1 | #!/usr/bin/env python3 |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2020 Firejail Authors | 3 | # Copyright (C) 2014-2020 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | """ | 5 | """ |
6 | Figure out which profile options may be causing a particular program to break | 6 | Figure out which profile options may be causing a particular program to break |
7 | when run in firejail. | 7 | when run in firejail. |
8 | 8 | ||
9 | Instead of having to comment out each line in a profile by hand, and then | 9 | Instead of having to comment out each line in a profile by hand, and then |
10 | enable each line individually until the bad line or lines are found, this | 10 | enable each line individually until the bad line or lines are found, this |
11 | largely automates the process. Users only have to provide the path to the | 11 | largely automates the process. Users only have to provide the path to the |
12 | profile, program name, and answer 'y' for yes or 'n' for no when prompted. | 12 | profile, program name, and answer 'y' for yes or 'n' for no when prompted. |
13 | 13 | ||
14 | After completion, you'll be provided with some information to copy and then | 14 | After completion, you'll be provided with some information to copy and then |
15 | paste into a GitHub issue in the Firejail project repository: | 15 | paste into a GitHub issue in the Firejail project repository: |
16 | https://github.com/netblue30/firejail/issues | 16 | https://github.com/netblue30/firejail/issues |
17 | 17 | ||
18 | Paths to the profile should be absolute. If the program is in your path, then | 18 | Paths to the profile should be absolute. If the program is in your path, then |
19 | you only have to type the profile name. Else, you'll need to provide the | 19 | you only have to type the profile name. Else, you'll need to provide the |
20 | absolute path to the profile. | 20 | absolute path to the profile. |
21 | 21 | ||
22 | Examples: | 22 | Examples: |
23 | python jail_prober.py /etc/firejail/spotify.profile spotify | 23 | python jail_prober.py /etc/firejail/spotify.profile spotify |
24 | python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox | 24 | python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox |
25 | """ | 25 | """ |
26 | 26 | ||
27 | import sys | 27 | import sys |
28 | import os | 28 | import os |
29 | import subprocess | 29 | import subprocess |
30 | 30 | ||
31 | 31 | ||
32 | def check_params(profilePath): | 32 | def check_params(profile_path): |
33 | """ | 33 | """ |
34 | Ensure the path to the profile is valid and that an actual profile has been | 34 | Ensure the path to the profile is valid and that an actual profile has been |
35 | passed (as opposed to a config or .local file). | 35 | passed (as opposed to a config or .local file). |
36 | 36 | ||
37 | :params profilePath: The absolute path to the problematic profile. | 37 | Args: |
38 | """ | 38 | profile_path: The absolute path to the problematic profile |
39 | if not os.path.isfile(profilePath): | 39 | |
40 | raise FileNotFoundError( | 40 | Raises: |
41 | 'The path %s is not a valid system path.' % profilePath) | 41 | FileNotFoundError: If the provided path isn't real |
42 | if not profilePath.endswith('.profile'): | 42 | |
43 | raise ValueError('%s is not a valid Firejail profile.' % profilePath) | 43 | ValueError: If the provided path is real but doesn't point to |
44 | 44 | a Firejail profile | |
45 | 45 | """ | |
46 | def get_args(profilePath): | 46 | if not os.path.isfile(profile_path): |
47 | """ | 47 | raise FileNotFoundError('The path %s is not a valid system path.' % |
48 | Read the profile, stripping out comments and newlines | 48 | profile_path) |
49 | 49 | if not profile_path.endswith('.profile'): | |
50 | :params profilePath: The absolute path to the problematic profile. | 50 | raise ValueError('%s is not a valid Firejail profile.' % profile_path) |
51 | 51 | ||
52 | :returns profile: A list containing all active profile arguments | 52 | |
53 | """ | 53 | def get_args(profile_path): |
54 | with open(profilePath, 'r') as f: | 54 | """ |
55 | profile = f.readlines() | 55 | Read the profile, stripping out comments and newlines |
56 | profile = [ | 56 | |
57 | arg.strip() for arg in profile | 57 | Args: |
58 | if not arg.startswith('#') and arg.strip() != '' | 58 | profile_path: The absolute path to the problematic profile. |
59 | ] | 59 | |
60 | 60 | Returns: | |
61 | return profile | 61 | A list containing all active profile arguments |
62 | 62 | """ | |
63 | 63 | with open(profile_path, 'r') as f: | |
64 | def arg_converter(argList, style): | 64 | profile = f.readlines() |
65 | """ | 65 | profile = [ |
66 | Convert between firejail command-line arguments (--example=something) and | 66 | arg.strip() for arg in profile |
67 | profile arguments (example something) | 67 | if not arg.startswith('#') and arg.strip() != '' |
68 | 68 | ] | |
69 | :params argList: A list of firejail arguments | 69 | |
70 | 70 | return profile | |
71 | :params style: Whether to convert arguments to command-line form or profile | 71 | |
72 | form | 72 | |
73 | """ | 73 | def arg_converter(arg_list, style): |
74 | if style == 'to_profile': | 74 | """ |
75 | oldSep = '=' | 75 | Convert between firejail command-line arguments (--example=something) and |
76 | newSep = ' ' | 76 | profile arguments (example something) |
77 | prefix = '' | 77 | |
78 | elif style == 'to_commandline': | 78 | Args: |
79 | oldSep = ' ' | 79 | arg_list: A list of firejail arguments |
80 | newSep = '=' | 80 | |
81 | prefix = '--' | 81 | style: String, one of {'to_profile', 'to_commandline'}. Whether to |
82 | newArgs = [prefix + word.replace(oldSep, newSep) for word in argList] | 82 | convert arguments to command-line form or profile form |
83 | # Additional strip of '--' if converting to profile form | 83 | """ |
84 | if style == 'to_profile': | 84 | if style == 'to_profile': |
85 | newArgs = [word[2:] for word in newArgs] | 85 | old_sep = '=' |
86 | 86 | new_sep = ' ' | |
87 | # Remove invalid '--include' args if converting to command-line form | 87 | prefix = '' |
88 | elif style == 'to_commandline': | 88 | elif style == 'to_commandline': |
89 | newArgs = [word for word in newArgs if 'include' not in word] | 89 | old_sep = ' ' |
90 | 90 | new_sep = '=' | |
91 | return newArgs | 91 | prefix = '--' |
92 | 92 | new_args = [prefix + word.replace(old_sep, new_sep) for word in arg_list] | |
93 | 93 | # Additional strip of '--' if converting to profile form | |
94 | def run_firejail(program, allArgs): | 94 | if style == 'to_profile': |
95 | """ | 95 | new_args = [word[2:] for word in new_args] |
96 | Attempt to run the program in firejail, incrementally adding to the number | 96 | |
97 | of firejail arguments. Initial run has no additional params besides | 97 | # Remove invalid '--include' args if converting to command-line form |
98 | noprofile. | 98 | elif style == 'to_commandline': |
99 | 99 | new_args = [word for word in new_args if 'include' not in word] | |
100 | :params program: The program name. If it doesn't exist in the user's path | 100 | |
101 | then the full path should be provided. | 101 | return new_args |
102 | 102 | ||
103 | :params allArgs: A list of all Firejail arguments to try, in command-line | 103 | |
104 | format. | 104 | def run_firejail(program, all_args): |
105 | 105 | """ | |
106 | :returns goodArgs: A list of arguments that the user has reported to not | 106 | Attempt to run the program in firejail, incrementally adding to the number |
107 | affect the program | 107 | of firejail arguments. Initial run has no additional params besides |
108 | 108 | noprofile. | |
109 | :returns badArgs: A list of arguments that the user has reported to break | 109 | |
110 | the program when sandboxing with Firejail | 110 | Args: |
111 | """ | 111 | program: String, the program name. If it doesn't exist in $PATH then |
112 | goodArgs = ['firejail', '--noprofile', program] | 112 | the full path to the program should be provided |
113 | badArgs = [] | 113 | |
114 | allArgs.insert(0,"") | 114 | all_args: List, all Firejail arguments to try, in command-line format |
115 | print('Attempting to run %s in Firejail' % program) | 115 | (i.e. prefixed by '--') |
116 | for arg in allArgs: | 116 | |
117 | if arg: | 117 | Returns: |
118 | print('Running with', arg) | 118 | good_args: List, all Firejail arguments that the user has reported to |
119 | else: | 119 | not adversely affect the program |
120 | print('Running without profile') | 120 | |
121 | #We are adding the argument in a copy of the actual list to avoid modify it now. | 121 | bad_args: List, all Firejail arguments that the user has reported to |
122 | myargs=goodArgs.copy() | 122 | break the program |
123 | if arg: | 123 | """ |
124 | myargs.insert(-1,arg) | 124 | good_args = ['firejail', '--noprofile', program] |
125 | subprocess.call(myargs) | 125 | bad_args = [] |
126 | ans = input('Did %s run correctly? [y]/n ' % program) | 126 | all_args.insert(0, "") |
127 | if ans in ['n', 'N']: | 127 | print('Attempting to run %s in Firejail' % program) |
128 | badArgs.append(arg) | 128 | for arg in all_args: |
129 | elif arg: | 129 | if arg: |
130 | goodArgs.insert(-1, arg) | 130 | print('Running with', arg) |
131 | print('\n') | 131 | else: |
132 | # Don't include 'firejail', '--noprofile', or program name in arguments | 132 | print('Running without profile') |
133 | goodArgs = goodArgs[2:-1] | 133 | #We are adding the argument in a copy of the actual list to avoid modify it now. |
134 | 134 | myargs = good_args.copy() | |
135 | return goodArgs, badArgs | 135 | if arg: |
136 | 136 | myargs.insert(-1, arg) | |
137 | 137 | subprocess.call(myargs) | |
138 | def main(): | 138 | ans = input('Did %s run correctly? [y]/n ' % program) |
139 | profilePath = sys.argv[1] | 139 | if ans in ['n', 'N']: |
140 | program = sys.argv[2] | 140 | bad_args.append(arg) |
141 | # Quick error check and extract arguments | 141 | elif arg: |
142 | check_params(profilePath) | 142 | good_args.insert(-1, arg) |
143 | profile = get_args(profilePath) | 143 | print('\n') |
144 | allArgs = arg_converter(profile, 'to_commandline') | 144 | # Don't include 'firejail', '--noprofile', or program name in arguments |
145 | # Find out which profile options break the program when running in firejail | 145 | good_args = good_args[2:-1] |
146 | goodArgs, badArgs = run_firejail(program, allArgs) | 146 | |
147 | 147 | return good_args, bad_args | |
148 | goodArgs = arg_converter(goodArgs, 'to_profile') | 148 | |
149 | badArgs = arg_converter(badArgs, 'to_profile') | 149 | |
150 | 150 | def main(): | |
151 | print('\n###########################') | 151 | profile_path = sys.argv[1] |
152 | print('Debugging completed.') | 152 | program = sys.argv[2] |
153 | print( | 153 | # Quick error check and extract arguments |
154 | 'Please copy the following and report it to the Firejail development', | 154 | check_params(profile_path) |
155 | 'team on GitHub at %s \n\n' % | 155 | profile = get_args(profile_path) |
156 | 'https://github.com/netblue30/firejail/issues') | 156 | all_args = arg_converter(profile, 'to_commandline') |
157 | 157 | # Find out which profile options break the program when running in firejail | |
158 | subprocess.call(['firejail', '--version']) | 158 | good_args, bad_args = run_firejail(program, all_args) |
159 | 159 | ||
160 | print('These profile options break the program.') | 160 | good_args = arg_converter(good_args, 'to_profile') |
161 | print('```') | 161 | bad_args = arg_converter(bad_args, 'to_profile') |
162 | for item in badArgs: | 162 | |
163 | print(item) | 163 | print('\n###########################') |
164 | print('```\n\n\n') | 164 | print('Debugging completed.') |
165 | 165 | print( | |
166 | print('This is a minimal working profile:') | 166 | 'Please copy the following and report it to the Firejail development', |
167 | print('```') | 167 | 'team on GitHub at %s \n\n' % |
168 | for item in goodArgs: | 168 | 'https://github.com/netblue30/firejail/issues') |
169 | print(item) | 169 | |
170 | print('```') | 170 | subprocess.call(['firejail', '--version']) |
171 | 171 | ||
172 | 172 | print('These profile options break the program.') | |
173 | if __name__ == '__main__': | 173 | print('```') |
174 | main() | 174 | for item in bad_args: |
175 | print(item) | ||
176 | print('```\n\n\n') | ||
177 | |||
178 | print('This is a minimal working profile:') | ||
179 | print('```') | ||
180 | for item in good_args: | ||
181 | print(item) | ||
182 | print('```') | ||
183 | |||
184 | |||
185 | if __name__ == '__main__': | ||
186 | main() | ||
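Review bot: In `arg_converter` (new line 92) `word.replace(old_sep, new_sep)` rewrites every occurrence of the separator, so a profile option whose value itself contains `=` or a space — `env FOO=bar` becomes `--env=FOO=bar` and round-trips back as `env FOO bar` — is silently mangled in the report the user is asked to paste into an issue; only the first separator is the option/value boundary, so use `word.replace(old_sep, new_sep, 1)` in both directions. The same function leaves `old_sep`/`new_sep`/`prefix` unbound for any `style` other than the two documented values, surfacing as an UnboundLocalError rather than a clear error; an `else: raise ValueError('unknown style %r' % style)` would match the docstring. `main()` (new lines 151-152) indexes `sys.argv[1]` and `sys.argv[2]` without checking the count, so running the script with missing arguments dies with an IndexError instead of the usage text; a guard such as `if len(sys.argv) != 3: sys.exit(__doc__)` before the assignments would fix that. Since the hunk spans the whole file, all three points are about pre-existing behaviour that the rename-only rewrite carried over.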
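--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -214,6 +214,7 @@ blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/flameshot
 blacklist ${HOME}/.config/flaska.net
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager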
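--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 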
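--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${PICTURES}
 noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
 whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -53,4 +57,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
 dbus-system none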