-rw-r--r-- | .github/ISSUE_TEMPLATE/bug_report.md | 64
-rw-r--r-- | .github/ISSUE_TEMPLATE/config.yml | 5
-rw-r--r-- | .github/ISSUE_TEMPLATE/feature_request.md | 23
-rw-r--r-- | SECURITY.md | 33
-rw-r--r-- | etc/inc/disable-programs.inc | 1
-rw-r--r-- | etc/inc/whitelist-runuser-common.inc | 4
-rw-r--r-- | etc/inc/whitelist-usr-share-common.inc | 1
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 4
-rw-r--r-- | etc/profile-a-l/evince.profile | 2
-rw-r--r-- | etc/profile-a-l/firefox-common-addons.profile | 1
-rw-r--r-- | etc/profile-a-l/firefox.profile | 6
-rw-r--r-- | etc/profile-a-l/gallery-dl.profile | 3
-rw-r--r-- | etc/profile-a-l/gimp.profile | 5
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 7
-rw-r--r-- | etc/profile-m-z/nextcloud.profile | 3
-rw-r--r-- | etc/profile-m-z/xournalpp.profile | 1
-rw-r--r-- | etc/profile-m-z/yt-dlp.profile | 3
-rw-r--r-- | etc/templates/profile.template | 4
-rw-r--r-- | src/firejail/main.c | 4
-rw-r--r-- | src/firejail/usage.c | 32
-rw-r--r-- | src/man/firejail-profile.txt | 98
-rw-r--r-- | src/man/firejail.txt | 138
-rw-r--r-- | src/zsh_completion/_firejail.in | 2
23 files changed, 238 insertions, 206 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 3700dac20..0f13afc51 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -7,54 +7,70 @@ assignees: '' | |||
7 | 7 | ||
8 | --- | 8 | --- |
9 | 9 | ||
10 | Write clear, concise and in textual form. | 10 | ### Description |
11 | 11 | ||
12 | ### Bug and expected behavior | 12 | _Describe the bug_ |
13 | 13 | ||
14 | - Describe the bug. | 14 | ### Steps to Reproduce |
15 | - What did you expect to happen? | ||
16 | 15 | ||
17 | ### No profile and disabling firejail | 16 | _Steps to reproduce the behavior_ |
18 | 17 | ||
19 | - What changed calling `firejail --noprofile /path/to/program` in a terminal? | 18 | 1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody) |
20 | - What changed calling the program by path (e.g. `/usr/bin/vlc`)? | 19 | 2. Click on '....' |
20 | 3. Scroll down to '....' | ||
21 | 4. See error `ERROR` | ||
21 | 22 | ||
22 | ### Reproduce | 23 | ### Expected behavior |
23 | 24 | ||
24 | Steps to reproduce the behavior: | 25 | _What you expected to happen_ |
25 | 26 | ||
26 | 1. Run in bash `firejail PROGRAM` | 27 | ### Actual behavior |
27 | 2. See error `ERROR` | ||
28 | 3. Click on '....' | ||
29 | 4. Scroll down to '....' | ||
30 | 28 | ||
31 | ### Environment | 29 | _What actually happened_ |
30 | |||
31 | ### Behavior without a profile | ||
32 | 32 | ||
33 | - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) | 33 | _What changed calling `firejail --noprofile /path/to/program` in a terminal?_ |
34 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) | ||
35 | 34 | ||
36 | ### Additional context | 35 | ### Additional context |
37 | 36 | ||
38 | Other context about the problem like related errors to understand the problem. | 37 | _Any other detail that may help to understand/debug the problem_ |
38 | |||
39 | ### Environment | ||
40 | |||
41 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | ||
42 | - Firejail version (`firejail --version`). | ||
43 | - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). | ||
39 | 44 | ||
40 | ### Checklist | 45 | ### Checklist |
41 | 46 | ||
42 | - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). | 47 | - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). |
48 | - [ ] I can reproduce the issue without custom modifications (e.g. globals.local). | ||
43 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) | 49 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) |
50 | - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). | ||
44 | - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). | 51 | - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). |
45 | - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. | 52 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. |
46 | - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. | 53 | - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) |
47 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. | ||
48 | - [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions. | ||
49 | 54 | ||
50 | ### Log | 55 | ### Log |
51 | 56 | ||
52 | <details> | 57 | <details> |
53 | <summary>debug output</summary> | 58 | <summary>Output of <code>firejail /path/to/program</code></summary> |
59 | <p> | ||
60 | |||
61 | ``` | ||
62 | output goes here | ||
63 | ``` | ||
64 | |||
65 | </p> | ||
66 | </details> | ||
67 | |||
68 | <details> | ||
69 | <summary>Output of <code>firejail --debug /path/to/program</code></summary> | ||
54 | <p> | 70 | <p> |
55 | 71 | ||
56 | ``` | 72 | ``` |
57 | OUTPUT OF `firejail --debug PROGRAM` | 73 | output goes here |
58 | ``` | 74 | ``` |
59 | 75 | ||
60 | </p> | 76 | </p> |
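Review bot: step 1 of the new "Steps to Reproduce" section relies on `LANG=C` to force English messages, but `LC_ALL` takes precedence over `LANG`, so a reporter who exports `LC_ALL` will still get localized output; `LC_ALL=C firejail PROGRAM` is the robust instruction (the removed checklist item on old line 46 at least set both variables). Two smaller points in the same hunk: new line 47 reads "The issues is caused by firejail" and should read "The issue is caused by firejail", and the heading "Steps to Reproduce" (new line 14) is capitalised differently from "Expected behavior" and "Actual behavior".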
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..b8fe40acd --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml | |||
@@ -0,0 +1,5 @@ | |||
1 | blank_issues_enabled: true | ||
2 | contact_links: | ||
3 | - name: Question | ||
4 | url: https://github.com/netblue30/firejail/discussions | ||
5 | about: For questions you should use GitHub Discussions. | ||
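Review bot: `blank_issues_enabled: true` lets a reporter skip the bug template altogether, which undercuts moving the "this is not a question" item out of the checklist and into this contact link; unless blank issues are wanted on purpose, `blank_issues_enabled: false` keeps every new issue on one of the templates or on the Discussions link.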
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 000000000..a723cdbde --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md | |||
@@ -0,0 +1,23 @@ | |||
1 | --- | ||
2 | name: Feature request | ||
3 | about: Suggest an idea for this project | ||
4 | title: '' | ||
5 | labels: '' | ||
6 | assignees: '' | ||
7 | --- | ||
8 | |||
9 | ### Is your feature request related to a problem? Please describe. | ||
10 | |||
11 | _A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_ | ||
12 | |||
13 | ### Describe the solution you'd like | ||
14 | |||
15 | _A clear and concise description of what you want to happen._ | ||
16 | |||
17 | ### Describe alternatives you've considered | ||
18 | |||
19 | _A clear and concise description of any alternative solutions or features you've considered._ | ||
20 | |||
21 | ### Additional context | ||
22 | |||
23 | _Add any other context or screenshots about the feature request here._ | ||
diff --git a/SECURITY.md b/SECURITY.md index 92204da0a..7ec2940f6 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -3,22 +3,23 @@ | |||
3 | ## Supported Versions | 3 | ## Supported Versions |
4 | 4 | ||
5 | | Version | Supported by us | EOL | Supported by distribution | | 5 | | Version | Supported by us | EOL | Supported by distribution | |
6 | | ------- | ------------------ | ---- | --------------------------- | 6 | | ------- | ------------------ | ---- | ------------------------- | |
7 | | 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | 7 | | 0.9.66 | :heavy_check_mark: | | | |
8 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | 8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | |
9 | | 0.9.60 | :x: | 29 Dec 2019 | | 9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | |
10 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | 10 | | 0.9.60 | :x: | 29 Dec 2019 | | |
11 | | 0.9.56 | :x: | 27 Jan 2019 | | 11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | |
12 | | 0.9.54 | :x: | 18 Sep 2018 | | 12 | | 0.9.56 | :x: | 27 Jan 2019 | | |
13 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | 13 | | 0.9.54 | :x: | 18 Sep 2018 | | |
14 | | 0.9.50 | :x: | 12 Dec 2017 | | 14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | |
15 | | 0.9.48 | :x: | 09 Sep 2017 | | 15 | | 0.9.50 | :x: | 12 Dec 2017 | | |
16 | | 0.9.46 | :x: | 12 Jun 2017 | | 16 | | 0.9.48 | :x: | 09 Sep 2017 | | |
17 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | 17 | | 0.9.46 | :x: | 12 Jun 2017 | | |
18 | | 0.9.42 | :x: | 22 Oct 2016 | | 18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | |
19 | | 0.9.40 | :x: | 09 Sep 2016 | | 19 | | 0.9.42 | :x: | 22 Oct 2016 | | |
20 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | 20 | | 0.9.40 | :x: | 09 Sep 2016 | | |
21 | | <0.9.38 | :x: | Before 05 Feb 2016 | | 21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | |
22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | | ||
22 | 23 | ||
23 | ## Security vulnerabilities | 24 | ## Security vulnerabilities |
24 | 25 | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 444446156..4941630a2 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/Element | |||
77 | blacklist ${HOME}/.config/Element (Riot) | 77 | blacklist ${HOME}/.config/Element (Riot) |
78 | blacklist ${HOME}/.config/Enox | 78 | blacklist ${HOME}/.config/Enox |
79 | blacklist ${HOME}/.config/Epic | 79 | blacklist ${HOME}/.config/Epic |
80 | blacklist ${HOME}/.config/Exodus | ||
80 | blacklist ${HOME}/.config/Ferdi | 81 | blacklist ${HOME}/.config/Ferdi |
81 | blacklist ${HOME}/.config/Flavio Tordini | 82 | blacklist ${HOME}/.config/Flavio Tordini |
82 | blacklist ${HOME}/.config/Franz | 83 | blacklist ${HOME}/.config/Franz |
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc index 48309ffe3..a8cab8d07 100644 --- a/etc/inc/whitelist-runuser-common.inc +++ b/etc/inc/whitelist-runuser-common.inc | |||
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority | |||
10 | whitelist ${RUNUSER}/ICEauthority | 10 | whitelist ${RUNUSER}/ICEauthority |
11 | whitelist ${RUNUSER}/.mutter-Xwaylandauth.* | 11 | whitelist ${RUNUSER}/.mutter-Xwaylandauth.* |
12 | whitelist ${RUNUSER}/pulse/native | 12 | whitelist ${RUNUSER}/pulse/native |
13 | whitelist ${RUNUSER}/wayland-0 | 13 | whitelist ${RUNUSER}/pipewire-? |
14 | whitelist ${RUNUSER}/wayland-1 | 14 | whitelist ${RUNUSER}/wayland-? |
15 | whitelist ${RUNUSER}/xauth_* | 15 | whitelist ${RUNUSER}/xauth_* |
16 | whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] | 16 | whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] |
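Review bot: adding `pipewire-?` to this shared include changes PipeWire socket access from a per-profile opt-in (the commented `#whitelist ${RUNUSER}/pipewire-0` lines that this commit removes from chromium-common.profile, firefox.profile and librewolf.profile) into the default for every profile that includes whitelist-runuser-common.inc; that widens what each of those sandboxes can reach (audio, and screen-capture streams routed through PipeWire) and deserves a sentence in the commit message or a comment above the rule. Separately, `?` matches exactly one character, so `wayland-10` or any other two-digit socket name is no longer matched, while profile.template (new line 106) uses `wayland-*`; either use `*` here as well or state the single-digit assumption in a comment.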
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index fe0097934..0049ce804 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc | |||
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell | |||
45 | whitelist /usr/share/p11-kit | 45 | whitelist /usr/share/p11-kit |
46 | whitelist /usr/share/perl | 46 | whitelist /usr/share/perl |
47 | whitelist /usr/share/perl5 | 47 | whitelist /usr/share/perl5 |
48 | whitelist /usr/share/pipewire | ||
48 | whitelist /usr/share/pixmaps | 49 | whitelist /usr/share/pixmaps |
49 | whitelist /usr/share/pki | 50 | whitelist /usr/share/pki |
50 | whitelist /usr/share/plasma | 51 | whitelist /usr/share/plasma |
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index b35b6ae80..c42243e02 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -37,10 +37,6 @@ include whitelist-var-common.inc | |||
37 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. | 37 | # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. |
38 | #include chromium-common-hardened.inc.profile | 38 | #include chromium-common-hardened.inc.profile |
39 | 39 | ||
40 | # Add the next two lines to your chromium-common.local to allow screen sharing under wayland. | ||
41 | #whitelist ${RUNUSER}/pipewire-0 | ||
42 | #whitelist /usr/share/pipewire/client.conf | ||
43 | |||
44 | apparmor | 40 | apparmor |
45 | caps.keep sys_admin,sys_chroot | 41 | caps.keep sys_admin,sys_chroot |
46 | netfilter | 42 | netfilter |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 77fb458ca..19ad5799c 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -56,7 +56,7 @@ private-cache | |||
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd | 57 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd |
58 | # private-lib might break two-page-view on some systems | 58 | # private-lib might break two-page-view on some systems |
59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | # dbus-user filtering might break two-page-view on some systems | 62 | # dbus-user filtering might break two-page-view on some systems |
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index d282f9a60..b2b7c362a 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -2,6 +2,7 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include firefox-common-addons.local | 3 | include firefox-common-addons.local |
4 | 4 | ||
5 | ignore whitelist ${RUNUSER}/*firefox* | ||
5 | ignore include whitelist-runuser-common.inc | 6 | ignore include whitelist-runuser-common.inc |
6 | ignore private-cache | 7 | ignore private-cache |
7 | 8 | ||
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 5a123d081..9138fed90 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.* | |||
58 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 58 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
59 | #dbus-user.talk org.kde.JobViewServer | 59 | #dbus-user.talk org.kde.JobViewServer |
60 | #dbus-user.talk org.kde.kuiserver | 60 | #dbus-user.talk org.kde.kuiserver |
61 | # Add the next three lines to your firefox.local to allow screen sharing under wayland. | 61 | # Add the next line to your firefox.local to allow screen sharing under wayland. |
62 | #whitelist ${RUNUSER}/pipewire-0 | 62 | #dbus-user.talk org.freedesktop.portal.Desktop |
63 | #whitelist /usr/share/pipewire/client.conf | ||
64 | #dbus-user.talk org.freedesktop.portal.* | ||
65 | # Add the next line to your firefox.local if screen sharing sharing still does not work | 63 | # Add the next line to your firefox.local if screen sharing sharing still does not work |
66 | # with the above lines (might depend on the portal implementation). | 64 | # with the above lines (might depend on the portal implementation). |
67 | #ignore noroot | 65 | #ignore noroot |
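Review bot: narrowing `org.freedesktop.portal.*` to `org.freedesktop.portal.Desktop` is a good least-privilege change, but the follow-up comment on new lines 63-64 still says "with the above lines" although only one line remains, and it keeps the doubled word "screen sharing sharing". Suggested wording: `# Add the next line to your firefox.local if screen sharing still does not work` / `# with the above line (might depend on the portal implementation).`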
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index b2f482835..9c8200dc4 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -5,7 +5,8 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include gallery-dl.local | 6 | include gallery-dl.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | # added by included profile |
9 | #include globals.local | ||
9 | 10 | ||
10 | noblacklist ${HOME}/.config/gallery-dl | 11 | noblacklist ${HOME}/.config/gallery-dl |
11 | noblacklist ${HOME}/.gallery-dl.conf | 12 | noblacklist ${HOME}/.gallery-dl.conf |
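Review bot: the new comment `# added by included profile` on new line 8 does not say which included profile now supplies `include globals.local`, so a reader of this hunk cannot check that globals.local is still read exactly once; naming that profile in the comment makes the intent verifiable. The same applies to the identical change in yt-dlp.profile.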
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 0786da6df..df9c2ac7a 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -13,7 +13,6 @@ include globals.local | |||
13 | #ignore net | 13 | #ignore net |
14 | #protocol unix,inet,inet6 | 14 | #protocol unix,inet,inet6 |
15 | 15 | ||
16 | |||
17 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory | 16 | # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory |
18 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. | 17 | # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. |
19 | ignore noexec ${HOME} | 18 | ignore noexec ${HOME} |
@@ -26,6 +25,10 @@ noblacklist ${HOME}/.gimp* | |||
26 | noblacklist ${DOCUMENTS} | 25 | noblacklist ${DOCUMENTS} |
27 | noblacklist ${PICTURES} | 26 | noblacklist ${PICTURES} |
28 | 27 | ||
28 | # See issue #4367, gimp 2.10.22-3: gegl:introspect broken | ||
29 | noblacklist /sbin | ||
30 | noblacklist /usr/sbin | ||
31 | |||
29 | include disable-common.inc | 32 | include disable-common.inc |
30 | include disable-exec.inc | 33 | include disable-exec.inc |
31 | include disable-devel.inc | 34 | include disable-devel.inc |
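Review bot: `noblacklist /sbin` and `noblacklist /usr/sbin` on new lines 29-30 re-expose both whole directories to the gimp sandbox in order to fix one GEGL operation (issue #4367); if gegl:introspect needs a specific program, a noblacklist of just that path would keep the rest of the sbin tooling hidden. At minimum the comment should name the required program so the exception can be narrowed, and dropped once the upstream bug is fixed.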
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index da047357a..ebffbbabf 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile | |||
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc | |||
36 | #private-etc librewolf | 36 | #private-etc librewolf |
37 | 37 | ||
38 | dbus-user filter | 38 | dbus-user filter |
39 | dbus-user.own org.mozilla.librewolf.* | ||
39 | # Add the next line to your librewolf.local to enable native notifications. | 40 | # Add the next line to your librewolf.local to enable native notifications. |
40 | #dbus-user.talk org.freedesktop.Notifications | 41 | #dbus-user.talk org.freedesktop.Notifications |
41 | # Add the next line to your librewolf.local to allow inhibiting screensavers. | 42 | # Add the next line to your librewolf.local to allow inhibiting screensavers. |
@@ -44,10 +45,8 @@ dbus-user filter | |||
44 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration | 45 | #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration |
45 | #dbus-user.talk org.kde.JobViewServer | 46 | #dbus-user.talk org.kde.JobViewServer |
46 | #dbus-user.talk org.kde.kuiserver | 47 | #dbus-user.talk org.kde.kuiserver |
47 | # Add the next three lines to your librewolf.local to allow screensharing under Wayland. | 48 | # Add the next line to your librewolf.local to allow screensharing under Wayland. |
48 | #whitelist ${RUNUSER}/pipewire-0 | 49 | #dbus-user.talk org.freedesktop.portal.Desktop |
49 | #whitelist /usr/share/pipewire/client.conf | ||
50 | #dbus-user.talk org.freedesktop.portal.* | ||
51 | # Also add the next line to your librewolf.local if screensharing does not work with | 50 | # Also add the next line to your librewolf.local if screensharing does not work with |
52 | # the above lines (depends on the portal implementation). | 51 | # the above lines (depends on the portal implementation). |
53 | #ignore noroot | 52 | #ignore noroot |
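Review bot: as in the matching firefox.profile change, new lines 50-51 still say "with the above lines" although only `#dbus-user.talk org.freedesktop.portal.Desktop` remains after this hunk; change it to "with the above line".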
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 06e19670a..cb499ba34 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -43,7 +43,6 @@ apparmor | |||
43 | caps.drop all | 43 | caps.drop all |
44 | machine-id | 44 | machine-id |
45 | netfilter | 45 | netfilter |
46 | no3d | ||
47 | nodvd | 46 | nodvd |
48 | nogroups | 47 | nogroups |
49 | noinput | 48 | noinput |
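Review bot: removing `no3d` is not explained anywhere in this hunk, whereas the tray-icon addition in the next hunk does carry a comment; note which part of the client needs 3D acceleration (in the commit message or a comment) so the relaxation can be revisited later.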
@@ -68,4 +67,6 @@ private-tmp | |||
68 | 67 | ||
69 | dbus-user filter | 68 | dbus-user filter |
70 | dbus-user.talk org.freedesktop.secrets | 69 | dbus-user.talk org.freedesktop.secrets |
70 | # Add the next line to your nextcloud.local for tray icon support | ||
71 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
71 | dbus-system none | 72 | dbus-system none |
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile index 1ef789689..a23ad68df 100644 --- a/etc/profile-m-z/xournalpp.profile +++ b/etc/profile-m-z/xournalpp.profile | |||
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp | |||
13 | 13 | ||
14 | include allow-lua.inc | 14 | include allow-lua.inc |
15 | 15 | ||
16 | whitelist /usr/share/pipewire | ||
17 | whitelist /usr/share/texlive | 16 | whitelist /usr/share/texlive |
18 | whitelist /usr/share/xournalpp | 17 | whitelist /usr/share/xournalpp |
19 | whitelist /var/lib/texmf | 18 | whitelist /var/lib/texmf |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index ab90c837e..1c3382a08 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -5,7 +5,8 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include yt-dlp.local | 6 | include yt-dlp.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | # added by included profile |
9 | #include globals.local | ||
9 | 10 | ||
10 | noblacklist ${HOME}/.cache/yt-dlp | 11 | noblacklist ${HOME}/.cache/yt-dlp |
11 | noblacklist ${HOME}/.config/yt-dlp | 12 | noblacklist ${HOME}/.config/yt-dlp |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 02dcefd35..e580a0c0c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -102,8 +102,6 @@ include globals.local | |||
102 | #include allow-ssh.inc | 102 | #include allow-ssh.inc |
103 | 103 | ||
104 | ##blacklist PATH | 104 | ##blacklist PATH |
105 | # Disable X11 (CLI only), see also 'x11 none' below | ||
106 | #blacklist /tmp/.X11-unix | ||
107 | # Disable Wayland | 105 | # Disable Wayland |
108 | #blacklist ${RUNUSER}/wayland-* | 106 | #blacklist ${RUNUSER}/wayland-* |
109 | # Disable RUNUSER (cli only; supersedes Disable Wayland) | 107 | # Disable RUNUSER (cli only; supersedes Disable Wayland) |
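Review bot: the `#blacklist /tmp/.X11-unix` hint is removed here and the comment in the second hunk now points at `disable-X11.inc`, but nothing in this hunk shows template users where the replacement goes; if an `#include disable-X11.inc` hint is not added elsewhere in the template, keep the removed comment line `# Disable X11 (CLI only), see also 'x11 none' below` and follow it with `#include disable-X11.inc` in this spot.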
@@ -174,7 +172,7 @@ include globals.local | |||
174 | ##seccomp-error-action log (only for debugging seccomp issues) | 172 | ##seccomp-error-action log (only for debugging seccomp issues) |
175 | #shell none | 173 | #shell none |
176 | #tracelog | 174 | #tracelog |
177 | # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set | 175 | # Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set |
178 | ##x11 none | 176 | ##x11 none |
179 | 177 | ||
180 | #disable-mnt | 178 | #disable-mnt |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a9cb7c08..81d148257 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1265,9 +1265,9 @@ int main(int argc, char **argv, char **envp) { | |||
1265 | arg_debug = 1; | 1265 | arg_debug = 1; |
1266 | arg_quiet = 0; | 1266 | arg_quiet = 0; |
1267 | } | 1267 | } |
1268 | else if (strcmp(argv[i], "--debug-deny") == 0) | 1268 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
1269 | arg_debug_blacklists = 1; | 1269 | arg_debug_blacklists = 1; |
1270 | else if (strcmp(argv[i], "--debug-allow") == 0) | 1270 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
1271 | arg_debug_whitelists = 1; | 1271 | arg_debug_whitelists = 1; |
1272 | else if (strcmp(argv[i], "--debug-private-lib") == 0) | 1272 | else if (strcmp(argv[i], "--debug-private-lib") == 0) |
1273 | arg_debug_private_lib = 1; | 1273 | arg_debug_private_lib = 1; |
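Review bot: only `--debug-deny` and `--debug-allow` are renamed in this hunk, yet usage.c in the same commit drops `--allow=`, `--deny=`, `--noallow=` and `--nodeny=` from the help text; the parser branches for those options lie outside this hunk, so confirm they were renamed too, otherwise the help text and the parser disagree. Also consider accepting the old spellings as aliases for one release: any script written against `--debug-deny` on the previous tree fails to start after this rename.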
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d843c74ae..43f862b9d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -28,7 +28,6 @@ static char *usage_str = | |||
28 | "\n" | 28 | "\n" |
29 | "Options:\n" | 29 | "Options:\n" |
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | " --allow=filename - allow file system access.\n" | ||
32 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
33 | " --allusers - all user home directories are visible inside the sandbox.\n" | 32 | " --allusers - all user home directories are visible inside the sandbox.\n" |
34 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
@@ -39,12 +38,13 @@ static char *usage_str = | |||
39 | #endif | 38 | #endif |
40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 39 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 40 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
42 | " --build - build a profile for the application.\n" | 41 | " --blacklist=filename - blacklist directory or file.\n" |
43 | " --build=filename - build a profile for the application.\n" | 42 | " --build - build a whitelisted profile for the application.\n" |
43 | " --build=filename - build a whitelisted profile for the application.\n" | ||
44 | " --caps - enable default Linux capabilities filter.\n" | 44 | " --caps - enable default Linux capabilities filter.\n" |
45 | " --caps.drop=all - drop all capabilities.\n" | 45 | " --caps.drop=all - drop all capabilities.\n" |
46 | " --caps.drop=capability,capability - drop capabilities.\n" | 46 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" |
47 | " --caps.keep=capability,capability - allow capabilities.\n" | 47 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" |
48 | " --caps.print=name|pid - print the caps filter.\n" | 48 | " --caps.print=name|pid - print the caps filter.\n" |
49 | #ifdef HAVE_FILE_TRANSFER | 49 | #ifdef HAVE_FILE_TRANSFER |
50 | " --cat=name|pid filename - print content of file from sandbox container.\n" | 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" |
@@ -75,18 +75,17 @@ static char *usage_str = | |||
75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
76 | #endif | 76 | #endif |
77 | " --debug - print sandbox debug messages.\n" | 77 | " --debug - print sandbox debug messages.\n" |
78 | " --debug-allow - debug file system access.\n" | 78 | " --debug-blacklists - debug blacklisting.\n" |
79 | " --debug-deny - debug file system access.\n" | ||
80 | " --debug-caps - print all recognized capabilities.\n" | 79 | " --debug-caps - print all recognized capabilities.\n" |
81 | " --debug-errnos - print all recognized error numbers.\n" | 80 | " --debug-errnos - print all recognized error numbers.\n" |
82 | " --debug-private-lib - debug for --private-lib option.\n" | 81 | " --debug-private-lib - debug for --private-lib option.\n" |
83 | " --debug-protocols - print all recognized protocols.\n" | 82 | " --debug-protocols - print all recognized protocols.\n" |
84 | " --debug-syscalls - print all recognized system calls.\n" | 83 | " --debug-syscalls - print all recognized system calls.\n" |
85 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 84 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
85 | " --debug-whitelists - debug whitelisting.\n" | ||
86 | #ifdef HAVE_NETWORK | 86 | #ifdef HAVE_NETWORK |
87 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
88 | #endif | 88 | #endif |
89 | " --deny=filename - deny access to directory or file.\n" | ||
90 | " --deterministic-exit-code - always exit with first child's status code.\n" | 89 | " --deterministic-exit-code - always exit with first child's status code.\n" |
91 | " --dns=address - set DNS server.\n" | 90 | " --dns=address - set DNS server.\n" |
92 | " --dns.print=name|pid - print DNS configuration.\n" | 91 | " --dns.print=name|pid - print DNS configuration.\n" |
@@ -147,14 +146,13 @@ static char *usage_str = | |||
147 | " --netfilter6=filename - enable IPv6 firewall.\n" | 146 | " --netfilter6=filename - enable IPv6 firewall.\n" |
148 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" | 147 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" |
149 | " --netmask=address - define a network mask when dealing with unconfigured\n" | 148 | " --netmask=address - define a network mask when dealing with unconfigured\n" |
150 | "\tparrent interfaces.\n" | 149 | "\tparent interfaces.\n" |
151 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 150 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
152 | " --netstats - monitor network statistics.\n" | 151 | " --netstats - monitor network statistics.\n" |
153 | #endif | 152 | #endif |
154 | " --nice=value - set nice value.\n" | 153 | " --nice=value - set nice value.\n" |
155 | " --no3d - disable 3D hardware acceleration.\n" | 154 | " --no3d - disable 3D hardware acceleration.\n" |
156 | " --noallow=filename - disable allow command for file or directory.\n" | 155 | " --noblacklist=filename - disable blacklist for file or directory.\n" |
157 | " --nodeny=filename - disable deny command for file or directory.\n" | ||
158 | " --nodbus - disable D-Bus access.\n" | 156 | " --nodbus - disable D-Bus access.\n" |
159 | " --nodvd - disable DVD and audio CD devices.\n" | 157 | " --nodvd - disable DVD and audio CD devices.\n" |
160 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 158 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
@@ -169,6 +167,7 @@ static char *usage_str = | |||
169 | " --noautopulse - disable automatic ~/.config/pulse init.\n" | 167 | " --noautopulse - disable automatic ~/.config/pulse init.\n" |
170 | " --novideo - disable video devices.\n" | 168 | " --novideo - disable video devices.\n" |
171 | " --nou2f - disable U2F devices.\n" | 169 | " --nou2f - disable U2F devices.\n" |
170 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | ||
172 | #ifdef HAVE_OUTPUT | 171 | #ifdef HAVE_OUTPUT |
173 | " --output=logfile - stdout logging and log rotation.\n" | 172 | " --output=logfile - stdout logging and log rotation.\n" |
174 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 173 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
@@ -225,14 +224,14 @@ static char *usage_str = | |||
225 | #ifdef HAVE_NETWORK | 224 | #ifdef HAVE_NETWORK |
226 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 225 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
227 | #endif | 226 | #endif |
228 | " --seccomp - enable seccomp filter and drop the default syscalls.\n" | 227 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" |
229 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" | 228 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" |
230 | "\tdefault syscall list and the syscalls specified by the command.\n" | 229 | "\tdefault syscall list and the syscalls specified by the command.\n" |
231 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 230 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
232 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 231 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
233 | "\tdrop the syscalls specified by the command.\n" | 232 | "\tblacklist the syscalls specified by the command.\n" |
234 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 233 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
235 | "\tallow the syscalls specified by the command.\n" | 234 | "\twhitelist the syscalls specified by the command.\n" |
236 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 235 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
237 | "\tidentified by name or PID.\n" | 236 | "\tidentified by name or PID.\n" |
238 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 237 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
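Review bot: the help text for --seccomp.keep on lines 233-234 ("whitelist the syscalls specified by the command") is easy to read as additive, the mirror image of --seccomp.drop, when the security-relevant consequence is that every system call not in the list is blocked. Suggest making that explicit, e.g. "allow only the syscalls specified by the command; everything else is blocked", so a user does not assume the default blacklist is still applied on top.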
@@ -247,7 +246,7 @@ static char *usage_str = | |||
247 | " --top - monitor the most CPU-intensive sandboxes.\n" | 246 | " --top - monitor the most CPU-intensive sandboxes.\n" |
248 | " --trace - trace open, access and connect system calls.\n" | 247 | " --trace - trace open, access and connect system calls.\n" |
249 | " --tracelog - add a syslog message for every access to files or\n" | 248 | " --tracelog - add a syslog message for every access to files or\n" |
250 | "\tdirectories dropped by the security profile.\n" | 249 | "\tdirectories blacklisted by the security profile.\n" |
251 | " --tree - print a tree of all sandboxed processes.\n" | 250 | " --tree - print a tree of all sandboxed processes.\n" |
252 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" | 251 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" |
253 | "\tfiretunnel utility.\n" | 252 | "\tfiretunnel utility.\n" |
@@ -255,6 +254,7 @@ static char *usage_str = | |||
255 | #ifdef HAVE_NETWORK | 254 | #ifdef HAVE_NETWORK |
256 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 255 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
257 | #endif | 256 | #endif |
257 | " --whitelist=filename - whitelist directory or file.\n" | ||
258 | " --writable-etc - /etc directory is mounted read-write.\n" | 258 | " --writable-etc - /etc directory is mounted read-write.\n" |
259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
260 | "\t/run/user/$UID/gnupg.\n" | 260 | "\t/run/user/$UID/gnupg.\n" |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6280026e6..d0d3c25e8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -156,7 +156,7 @@ Scripting commands: | |||
156 | \fBFile and directory names | 156 | \fBFile and directory names |
157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. | 157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. |
158 | 158 | ||
159 | Example: "deny ~/My Virtual Machines" | 159 | Example: "blacklist ~/My Virtual Machines" |
160 | 160 | ||
161 | .TP | 161 | .TP |
162 | \fB# this is a comment | 162 | \fB# this is a comment |
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace | |||
170 | \fB?CONDITIONAL: profile line | 170 | \fB?CONDITIONAL: profile line |
171 | Conditionally add profile line. | 171 | Conditionally add profile line. |
172 | 172 | ||
173 | Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" | 173 | Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" |
174 | 174 | ||
175 | This example will load the profile line only if the \-\-appimage option has been specified on the command line. | 175 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
176 | 176 | ||
177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
178 | can be enabled or disabled globally in Firejail's configuration file. | 178 | can be enabled or disabled globally in Firejail's configuration file. |
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files | |||
205 | are included at the start of regular profile files. | 205 | are included at the start of regular profile files. |
206 | 206 | ||
207 | .TP | 207 | .TP |
208 | \fBnoallow file_name | 208 | \fBnoblacklist file_name |
209 | If the file name matches file_name, the file will not be allowed in any allow commands that follow. | 209 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
210 | 210 | ||
211 | Example: "nowhitelist ~/.config" | 211 | Example: "noblacklist ${HOME}/.mozilla" |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBnodeny file_name | 214 | \fBnowhitelist file_name |
215 | If the file name matches file_name, the file will not be denied any deny commands that follow. | 215 | If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow. |
216 | 216 | ||
217 | Example: "nodeny ${HOME}/.mozilla" | 217 | Example: "nowhitelist ~/.config" |
218 | 218 | ||
219 | .TP | 219 | .TP |
220 | \fBignore | 220 | \fBignore |
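Review bot: the descriptions on lines 209 and 215 correctly say the exception applies to "commands that follow", but that ordering rule is the whole reason noblacklist/nowhitelist in a .local file works (line 205 states .local files are included at the start of the regular profile) and it is a common mistake to put a noblacklist after the blacklist it is meant to undo, where it has no effect. One sentence pointing this out, next to the ${HOME}/.mozilla example, would save a class of "my override does nothing" reports.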
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect | |||
242 | for more details. | 242 | for more details. |
243 | Examples: | 243 | Examples: |
244 | .TP | 244 | .TP |
245 | \fBallow file_or_directory | 245 | \fBblacklist file_or_directory |
246 | Allow directory or file. A temporary file system is mounted on the top directory, and the | 246 | Blacklist directory or file. Examples: |
247 | allowed files are mount-binded inside. Modifications to allowd files are persistent, | ||
248 | everything else is discarded when the sandbox is closed. The top directory can be | ||
249 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
250 | all directories in /usr. | ||
251 | .br | 247 | .br |
252 | 248 | ||
253 | .br | 249 | .br |
254 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 250 | blacklist /usr/bin |
255 | the same top directory. For user home, both the link and the real file should be owned by the user. | 251 | .br |
252 | blacklist /usr/bin/gcc* | ||
253 | .br | ||
254 | blacklist ${PATH}/ifconfig | ||
255 | .br | ||
256 | blacklist ${HOME}/.ssh | ||
257 | |||
256 | .TP | 258 | .TP |
257 | \fBblacklist-nolog file_or_directory | 259 | \fBblacklist-nolog file_or_directory |
258 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. | 260 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
271 | \fBbind file1,file2 | 273 | \fBbind file1,file2 |
272 | Mount-bind file1 on top of file2. This option is only available when running as root. | 274 | Mount-bind file1 on top of file2. This option is only available when running as root. |
273 | .TP | 275 | .TP |
274 | \fBdeny file_or_directory | ||
275 | Deny access to directory or file. Examples: | ||
276 | .br | ||
277 | |||
278 | .br | ||
279 | deny /usr/bin | ||
280 | .br | ||
281 | deny /usr/bin/gcc* | ||
282 | .br | ||
283 | deny ${PATH}/ifconfig | ||
284 | .br | ||
285 | deny ${HOME}/.ssh | ||
286 | |||
287 | .TP | ||
288 | \fBdisable-mnt | 276 | \fBdisable-mnt |
289 | Disable /mnt, /media, /run/mount and /run/media access. | 277 | Disable /mnt, /media, /run/mount and /run/media access. |
290 | .TP | 278 | .TP |
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist. | |||
304 | .br | 292 | .br |
305 | 293 | ||
306 | .br | 294 | .br |
307 | Use this command for allowed directories you need to preserve | 295 | Use this command for whitelisted directories you need to preserve |
308 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 296 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
309 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | 297 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
310 | firefox profile: | 298 | firefox profile: |
@@ -317,7 +305,7 @@ whitelist ~/.mozilla | |||
317 | .br | 305 | .br |
318 | mkdir ~/.cache/mozilla/firefox | 306 | mkdir ~/.cache/mozilla/firefox |
319 | .br | 307 | .br |
320 | allow ~/.cache/mozilla/firefox | 308 | whitelist ~/.cache/mozilla/firefox |
321 | .br | 309 | .br |
322 | 310 | ||
323 | .br | 311 | .br |
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed). | |||
423 | All modifications are discarded when the sandbox is closed. | 411 | All modifications are discarded when the sandbox is closed. |
424 | .TP | 412 | .TP |
425 | \fBprivate-tmp | 413 | \fBprivate-tmp |
426 | Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. | 414 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
427 | .TP | 415 | .TP |
428 | \fBread-only file_or_directory | 416 | \fBread-only file_or_directory |
429 | Make directory or file read-only. | 417 | Make directory or file read-only. |
@@ -435,13 +423,25 @@ Make directory or file read-write. | |||
435 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. | 423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
436 | .TP | 424 | .TP |
437 | \fBtracelog | 425 | \fBtracelog |
438 | File system deny violations logged to syslog. | 426 | Blacklist violations logged to syslog. |
427 | .TP | ||
428 | \fBwhitelist file_or_directory | ||
429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
431 | everything else is discarded when the sandbox is closed. The top directory can be | ||
432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
433 | all directories in /usr. | ||
434 | .br | ||
435 | |||
436 | .br | ||
437 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
438 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
439 | .TP | 439 | .TP |
440 | \fBwritable-etc | 440 | \fBwritable-etc |
441 | Mount /etc directory read-write. | 441 | Mount /etc directory read-write. |
442 | .TP | 442 | .TP |
443 | \fBwritable-run-user | 443 | \fBwritable-run-user |
444 | Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. | 444 | Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg. |
445 | .TP | 445 | .TP |
446 | \fBwritable-var | 446 | \fBwritable-var |
447 | Mount /var directory read-write. | 447 | Mount /var directory read-write. |
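Review bot: "mount-binded" on line 430 should be "bind-mounted"; since this whole whitelist paragraph is being re-added, it is a cheap moment to fix the wording. The symbolic-link rule on lines 437-438 is the important security caveat here (a link and its target must live under the same top directory, or both be user-owned under $HOME) and would read more clearly as its own sentence stating that a whitelist entry which violates the rule is not mounted.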
@@ -455,7 +455,7 @@ The following security filters are currently implemented: | |||
455 | 455 | ||
456 | .TP | 456 | .TP |
457 | \fBallow-debuggers | 457 | \fBallow-debuggers |
458 | Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. | 458 | Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. |
459 | #ifdef HAVE_APPARMOR | 459 | #ifdef HAVE_APPARMOR |
460 | .TP | 460 | .TP |
461 | \fBapparmor | 461 | \fBapparmor |
@@ -466,13 +466,13 @@ Enable AppArmor confinement. | |||
466 | Enable default Linux capabilities filter. | 466 | Enable default Linux capabilities filter. |
467 | .TP | 467 | .TP |
468 | \fBcaps.drop capability,capability,capability | 468 | \fBcaps.drop capability,capability,capability |
469 | Deny given Linux capabilities. | 469 | Blacklist given Linux capabilities. |
470 | .TP | 470 | .TP |
471 | \fBcaps.drop all | 471 | \fBcaps.drop all |
472 | Deny all Linux capabilities. | 472 | Blacklist all Linux capabilities. |
473 | .TP | 473 | .TP |
474 | \fBcaps.keep capability,capability,capability | 474 | \fBcaps.keep capability,capability,capability |
475 | Allow given Linux capabilities. | 475 | Whitelist given Linux capabilities. |
476 | .TP | 476 | .TP |
477 | \fBmemory-deny-write-execute | 477 | \fBmemory-deny-write-execute |
478 | Install a seccomp filter to block attempts to create memory mappings | 478 | Install a seccomp filter to block attempts to create memory mappings |
@@ -497,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR, | |||
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
499 | \fBseccomp | 499 | \fBseccomp |
500 | Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. | 500 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
501 | .TP | 501 | .TP |
502 | \fBseccomp.32 | 502 | \fBseccomp.32 |
503 | Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | 503 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. |
504 | .TP | 504 | .TP |
505 | \fBseccomp syscall,syscall,syscall | 505 | \fBseccomp syscall,syscall,syscall |
506 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. | 506 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
507 | .TP | 507 | .TP |
508 | \fBseccomp.32 syscall,syscall,syscall | 508 | \fBseccomp.32 syscall,syscall,syscall |
509 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | 509 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. |
510 | .TP | 510 | .TP |
511 | \fBseccomp.block-secondary | 511 | \fBseccomp.block-secondary |
512 | Enable seccomp filter and filter system call architectures | 512 | Enable seccomp filter and filter system call architectures |
513 | so that only the native architecture is allowed. | 513 | so that only the native architecture is allowed. |
514 | .TP | 514 | .TP |
515 | \fBseccomp.drop syscall,syscall,syscall | 515 | \fBseccomp.drop syscall,syscall,syscall |
516 | Enable seccomp filter and deny the system calls in the list. | 516 | Enable seccomp filter and blacklist the system calls in the list. |
517 | .TP | 517 | .TP |
518 | \fBseccomp.32.drop syscall,syscall,syscall | 518 | \fBseccomp.32.drop syscall,syscall,syscall |
519 | Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 519 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
520 | .TP | 520 | .TP |
521 | \fBseccomp.keep syscall,syscall,syscall | 521 | \fBseccomp.keep syscall,syscall,syscall |
522 | Enable seccomp filter and allow the system calls in the list. | 522 | Enable seccomp filter and whitelist the system calls in the list. |
523 | .TP | 523 | .TP |
524 | \fBseccomp.32.keep syscall,syscall,syscall | 524 | \fBseccomp.32.keep syscall,syscall,syscall |
525 | Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 525 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
526 | .TP | 526 | .TP |
527 | \fBseccomp-error-action kill | log | ERRNO | 527 | \fBseccomp-error-action kill | log | ERRNO |
528 | Return a different error instead of EPERM to the process, kill it when | 528 | Return a different error instead of EPERM to the process, kill it when |
@@ -534,7 +534,7 @@ attempt. | |||
534 | Enable X11 sandboxing. | 534 | Enable X11 sandboxing. |
535 | .TP | 535 | .TP |
536 | \fBx11 none | 536 | \fBx11 none |
537 | Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 537 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
538 | Remove DISPLAY and XAUTHORITY environment variables. | 538 | Remove DISPLAY and XAUTHORITY environment variables. |
539 | Stop with error message if X11 abstract socket will be accessible in jail. | 539 | Stop with error message if X11 abstract socket will be accessible in jail. |
540 | .TP | 540 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 498ff9aa9..0462705c0 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
99 | \fB\-\- | 99 | \fB\-\- |
100 | Signal the end of options and disables further option processing. | 100 | Signal the end of options and disables further option processing. |
101 | .TP | 101 | .TP |
102 | \fB\-\-allow=dirname_or_filename | ||
103 | Allow access to a directory or file. A temporary file system is mounted on the top directory, and the | ||
104 | allowed files are mount-binded inside. Modifications to allowed files are persistent, | ||
105 | everything else is discarded when the sandbox is closed. The top directory can be | ||
106 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
107 | all directories in /usr. | ||
108 | .br | ||
109 | |||
110 | .br | ||
111 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
112 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
113 | .br | ||
114 | |||
115 | .br | ||
116 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
117 | .br | ||
118 | |||
119 | .br | ||
120 | Example: | ||
121 | .br | ||
122 | $ firejail \-\-noprofile \-\-allow=~/.mozilla | ||
123 | .br | ||
124 | $ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null | ||
125 | .br | ||
126 | $ firejail "\-\-allow=/home/username/My Virtual Machines" | ||
127 | .br | ||
128 | $ firejail \-\-allow=~/work* \-\-allow=/var/backups* | ||
129 | |||
130 | |||
131 | |||
132 | |||
133 | |||
134 | |||
135 | .TP | ||
136 | \fB\-\-allow-debuggers | 102 | \fB\-\-allow-debuggers |
137 | Allow tools such as strace and gdb inside the sandbox by whitelisting | 103 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
138 | system calls ptrace and process_vm_readv. This option is only | 104 | system calls ptrace and process_vm_readv. This option is only |
@@ -203,6 +169,21 @@ Example: | |||
203 | .br | 169 | .br |
204 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 170 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
205 | .TP | 171 | .TP |
172 | \fB\-\-blacklist=dirname_or_filename | ||
173 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
174 | .br | ||
175 | |||
176 | .br | ||
177 | Example: | ||
178 | .br | ||
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
180 | .br | ||
181 | $ firejail \-\-blacklist=~/.mozilla | ||
182 | .br | ||
183 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | ||
184 | .br | ||
185 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | ||
186 | .TP | ||
206 | \fB\-\-build | 187 | \fB\-\-build |
207 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | 188 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also |
208 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | 189 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, |
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100 | |||
262 | 243 | ||
263 | .TP | 244 | .TP |
264 | \fB\-\-caps.drop=capability,capability,capability | 245 | \fB\-\-caps.drop=capability,capability,capability |
265 | Define a custom Linux capabilities filter. | 246 | Define a custom blacklist Linux capabilities filter. |
266 | .br | 247 | .br |
267 | 248 | ||
268 | .br | 249 | .br |
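Review bot: "Define a custom blacklist Linux capabilities filter" on line 246 reads awkwardly; "Define a custom Linux capabilities filter that blacklists the given capabilities" (or simply "Blacklist the given Linux capabilities", matching the caps.drop wording in firejail-profile) says the same thing and stays parallel with the caps.keep entry.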
@@ -643,14 +624,14 @@ Example: | |||
643 | $ firejail \-\-debug firefox | 624 | $ firejail \-\-debug firefox |
644 | 625 | ||
645 | .TP | 626 | .TP |
646 | \fB\-\-debug-allow\fR | 627 | \fB\-\-debug-blacklists\fR |
647 | Debug file system access. | 628 | Debug blacklisting. |
648 | .br | 629 | .br |
649 | 630 | ||
650 | .br | 631 | .br |
651 | Example: | 632 | Example: |
652 | .br | 633 | .br |
653 | $ firejail \-\-debug-allow firefox | 634 | $ firejail \-\-debug-blacklists firefox |
654 | 635 | ||
655 | .TP | 636 | .TP |
656 | \fB\-\-debug-caps | 637 | \fB\-\-debug-caps |
@@ -663,16 +644,6 @@ Example: | |||
663 | $ firejail \-\-debug-caps | 644 | $ firejail \-\-debug-caps |
664 | 645 | ||
665 | .TP | 646 | .TP |
666 | \fB\-\-debug-deny\fR | ||
667 | Debug file access. | ||
668 | .br | ||
669 | |||
670 | .br | ||
671 | Example: | ||
672 | .br | ||
673 | $ firejail \-\-debug-deny firefox | ||
674 | |||
675 | .TP | ||
676 | \fB\-\-debug-errnos | 647 | \fB\-\-debug-errnos |
677 | Print all recognized error numbers in the current Firejail software build and exit. | 648 | Print all recognized error numbers in the current Firejail software build and exit. |
678 | .br | 649 | .br |
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls | |||
706 | \fB\-\-debug-syscalls32 | 677 | \fB\-\-debug-syscalls32 |
707 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | 678 | Print all recognized 32 bit system calls in the current Firejail software build and exit. |
708 | .br | 679 | .br |
709 | |||
710 | #ifdef HAVE_NETWORK | ||
711 | .TP | 680 | .TP |
712 | \fB\-\-defaultgw=address | 681 | \fB\-\-debug-whitelists\fR |
713 | Use this address as default gateway in the new network namespace. | 682 | Debug whitelisting. |
714 | .br | 683 | .br |
715 | 684 | ||
716 | .br | 685 | .br |
717 | Example: | 686 | Example: |
718 | .br | 687 | .br |
719 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 688 | $ firejail \-\-debug-whitelists firefox |
720 | #endif | 689 | #ifdef HAVE_NETWORK |
721 | |||
722 | .TP | 690 | .TP |
723 | \fB\-\-deny=dirname_or_filename | 691 | \fB\-\-defaultgw=address |
724 | Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 692 | Use this address as default gateway in the new network namespace. |
725 | .br | 693 | .br |
726 | 694 | ||
727 | .br | 695 | .br |
728 | Example: | 696 | Example: |
729 | .br | 697 | .br |
730 | $ firejail \-\-deny=/sbin \-\-deny=/usr/sbin | 698 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
731 | .br | 699 | #endif |
732 | $ firejail \-\-deny=~/.mozilla | ||
733 | .br | ||
734 | $ firejail "\-\-deny=/home/username/My Virtual Machines" | ||
735 | .br | ||
736 | $ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines | ||
737 | |||
738 | |||
739 | |||
740 | .TP | 700 | .TP |
741 | \fB\-\-deterministic-exit-code | 701 | \fB\-\-deterministic-exit-code |
742 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 702 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
743 | .br | 703 | .br |
744 | .TP | 704 | .TP |
745 | \fB\-\-disable-mnt | 705 | \fB\-\-disable-mnt |
746 | Deny access to /mnt, /media, /run/mount and /run/media. | 706 | Blacklist /mnt, /media, /run/mount and /run/media access. |
747 | .br | 707 | .br |
748 | 708 | ||
749 | .br | 709 | .br |
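Review bot: "Blacklist /mnt, /media, /run/mount and /run/media access" on line 706 is inconsistent with the firejail-profile man page, which describes the same disable-mnt command as "Disable /mnt, /media, /run/mount and /run/media access"; pick one wording ("Blacklist /mnt, ..." without "access", or keep "Disable ... access") and use it in both files. Also worth a second look: moving the --debug-whitelists entry in front of the #ifdef HAVE_NETWORK block (lines 680-689) is correct, but the blank line that used to separate the #endif from the next .TP (old line 721) is gone, so check that the rendered page still separates --defaultgw from --deterministic-exit-code.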
@@ -1511,16 +1471,12 @@ Example: | |||
1511 | $ firejail --no3d firefox | 1471 | $ firejail --no3d firefox |
1512 | 1472 | ||
1513 | .TP | 1473 | .TP |
1514 | \fB\-\-noallow=dirname_or_filename | ||
1515 | Disable \-\-allow for this directory or file. | ||
1516 | |||
1517 | .TP | ||
1518 | \fB\-\-noautopulse \fR(deprecated) | 1474 | \fB\-\-noautopulse \fR(deprecated) |
1519 | See --keep-config-pulse. | 1475 | See --keep-config-pulse. |
1520 | 1476 | ||
1521 | .TP | 1477 | .TP |
1522 | \fB\-\-nodeny=dirname_or_filename | 1478 | \fB\-\-noblacklist=dirname_or_filename |
1523 | Disable \-\-deny for this directory or file. | 1479 | Disable blacklist for this directory or file. |
1524 | .br | 1480 | .br |
1525 | 1481 | ||
1526 | .br | 1482 | .br |
@@ -1536,7 +1492,7 @@ $ exit | |||
1536 | .br | 1492 | .br |
1537 | 1493 | ||
1538 | .br | 1494 | .br |
1539 | $ firejail --nodeny=/bin/nc | 1495 | $ firejail --noblacklist=/bin/nc |
1540 | .br | 1496 | .br |
1541 | $ nc dict.org 2628 | 1497 | $ nc dict.org 2628 |
1542 | .br | 1498 | .br |
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f | |||
1710 | Disable video devices. | 1666 | Disable video devices. |
1711 | .br | 1667 | .br |
1712 | 1668 | ||
1669 | .TP | ||
1670 | \fB\-\-nowhitelist=dirname_or_filename | ||
1671 | Disable whitelist for this directory or file. | ||
1672 | |||
1713 | #ifdef HAVE_OUTPUT | 1673 | #ifdef HAVE_OUTPUT |
1714 | .TP | 1674 | .TP |
1715 | \fB\-\-output=logfile | 1675 | \fB\-\-output=logfile |
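Review bot: the new --nowhitelist entry on lines 1669-1671 has no example and no ".br" block, while the --noblacklist entry it mirrors (lines 1478-1496) walks through a full before/after session. Since nowhitelist, like noblacklist, only affects whitelist commands that come later, a one-line example showing it placed before a profile's whitelist would make the ordering requirement visible.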
@@ -2773,6 +2733,34 @@ Example: | |||
2773 | .br | 2733 | .br |
2774 | $ firejail \-\-net=br0 --veth-name=if0 | 2734 | $ firejail \-\-net=br0 --veth-name=if0 |
2775 | #endif | 2735 | #endif |
2736 | .TP | ||
2737 | \fB\-\-whitelist=dirname_or_filename | ||
2738 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
2739 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
2740 | everything else is discarded when the sandbox is closed. The top directory can be | ||
2741 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
2742 | all directories in /usr. | ||
2743 | .br | ||
2744 | |||
2745 | .br | ||
2746 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
2747 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
2748 | .br | ||
2749 | |||
2750 | .br | ||
2751 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
2752 | .br | ||
2753 | |||
2754 | .br | ||
2755 | Example: | ||
2756 | .br | ||
2757 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | ||
2758 | .br | ||
2759 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
2760 | .br | ||
2761 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | ||
2762 | .br | ||
2763 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
2776 | 2764 | ||
2777 | .TP | 2765 | .TP |
2778 | \fB\-\-writable-etc | 2766 | \fB\-\-writable-etc |
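Review bot: line 2759 mixes escaped and unescaped dashes in one example ("\-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null"); in groff, a bare "--" may be rendered as typographic hyphens, so the second option does not survive copy-paste from the formatted page while the first does. Use "\-\-" for both (the same pattern exists on the --noblacklist example at line 1495). As in the firejail-profile hunk, "mount-binded" on line 2739 should read "bind-mounted".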
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 666dfd4c2..c7f6ee3f1 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -218,7 +218,7 @@ _firejail_args=( | |||
218 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' | 218 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' |
219 | '--netfilter6=-[enable IPv6 firewall]: :' | 219 | '--netfilter6=-[enable IPv6 firewall]: :' |
220 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' | 220 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' |
221 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' | 221 | '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :' |
222 | '--netns=-[Run the program in a named, persistent network namespace]: :' | 222 | '--netns=-[Run the program in a named, persistent network namespace]: :' |
223 | '--netstats[monitor network statistics]' | 223 | '--netstats[monitor network statistics]' |
224 | '--interface=-[move interface in sandbox]: :' | 224 | '--interface=-[move interface in sandbox]: :' |