-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | src/firejail/Makefile.in | 2 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 7 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 32 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 3 | ||||
-rw-r--r-- | src/firemon/usage.c | 1 | ||||
-rw-r--r-- | src/lib/firejail_user.c | 6 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 31 | ||||
-rwxr-xr-x | test/appimage/appimage-args.exp | 4 | ||||
-rwxr-xr-x | test/appimage/appimage-v1.exp | 4 | ||||
-rwxr-xr-x | test/environment/csh.exp | 34 | ||||
-rwxr-xr-x | test/environment/zsh.exp | 30 | ||||
-rwxr-xr-x | test/root/private.exp | 37 |
18 files changed, 61 insertions, 152 deletions
@@ -1,6 +1,8 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: --force depercated | 3 | * modif: --force depercated |
4 | * modif: --csg, --zsh deprecated | ||
5 | * modif: --debug-check-filename deprecated | ||
4 | * modif: --git-install and --git-uninstall deprecated | 6 | * modif: --git-install and --git-uninstall deprecated |
5 | * modif: support for private-bin, private-lib and shell none has been | 7 | * modif: support for private-bin, private-lib and shell none has been |
6 | disabled while running AppImage archives in order to be able to use | 8 | disabled while running AppImage archives in order to be able to use |
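--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,7 +2,7 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o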
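--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -166,10 +166,6 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-// follow symlink in private-bin command
-else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-fwarning("follow-symlink-private-bin from firejail.config was deprecated\n");
-}
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
@@ -311,9 +307,6 @@ int checkcfg(int val) {
 else
 goto errout;
 }
-else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-fwarning("remount-proc-sys from firejail.config was deprecated\n");
-}
 else if (strncmp(ptr, "overlayfs ", 10) == 0) {
 if (strcmp(ptr + 10, "yes") == 0)
 cfg_val[CFG_OVERLAYFS] = 1;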
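Review bot: Removing the `follow-symlink-private-bin` and `remount-proc-sys` branches changes how an already-installed firejail.config that still carries those keys is treated: instead of the warning, such a line now falls through to the tail of the else-if chain, which is outside the hunk, and if that tail is the `goto errout` the neighbouring branches use, a config that was accepted before this commit becomes a startup error after it. The profile.c hunk at line 257 does the same for the `allow-private-blacklist` profile keyword, where the removed branch returned 0 rather than an error. Either keep the warning branches for one more release or record in RELNOTES that these keys are now rejected, so packagers shipping a firejail.config know to strip them. checkcfg's body continues outside the hunk.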
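--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) {
 extern int arg_private; // mount private /home
 extern int arg_private_template; // private /home template
 extern int arg_debug; // print debug messages
-extern int arg_debug_check_filename; // print debug messages for filename checking
 extern int arg_debug_blacklists; // print debug messages for blacklists
 extern int arg_debug_whitelists; // print debug messages for whitelists
 extern int arg_debug_private_lib; // print debug messages for private-lib
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
 void fs_trace(void);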
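--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -47,7 +47,6 @@ Config cfg; // configuration
 int arg_private = 0; // mount private /home and /tmp directoryu
 int arg_private_template = 0; // mount private /home using a template
 int arg_debug = 0; // print debug messages
-int arg_debug_check_filename = 0; // print debug messages for filename checking
 int arg_debug_blacklists = 0; // print debug messages for blacklists
 int arg_debug_whitelists = 0; // print debug messages for whitelists
 int arg_debug_private_lib = 0; // print debug messages for private-lib
@@ -1051,8 +1050,6 @@ int main(int argc, char **argv) {
 
 if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
 arg_debug = 1;
-else if (strcmp(argv[i], "--debug-check-filename") == 0)
-arg_debug_check_filename = 1;
 else if (strcmp(argv[i], "--debug-blacklists") == 0)
 arg_debug_blacklists = 1;
 else if (strcmp(argv[i], "--debug-whitelists") == 0)
@@ -1439,9 +1436,6 @@ int main(int argc, char **argv) {
 custom_profile = 1;
 free(ppath);
 }
-else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-fwarning("--profile-path has been deprecated\n");
-}
 else if (strcmp(argv[i], "--noprofile") == 0) {
 if (custom_profile) {
 fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1541,9 +1535,6 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
-else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-fwarning("--allow-private-blacklist was deprecated\n");
-}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }
@@ -2117,29 +2108,6 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--appimage") == 0)
 arg_appimage = 1;
-else if (strcmp(argv[i], "--csh") == 0) {
-if (arg_shell_none) {
-
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-return 1;
-}
-cfg.shell = "/bin/csh";
-}
-else if (strcmp(argv[i], "--zsh") == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-if (cfg.shell) {
-fprintf(stderr, "Error: only one default user shell can be specified\n");
-return 1;
-}
-cfg.shell = "/bin/zsh";
-}
 else if (strcmp(argv[i], "--shell=none") == 0) {
 arg_shell_none = 1;
 if (cfg.shell) {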
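Review bot: `--csh` and `--zsh` are deleted outright in the hunk at 2117 while RELNOTES calls them deprecated; once the branches are gone, an invocation that still passes them takes whatever path the end of this option chain provides (outside the hunk), presumably the unknown-option error, with no hint that `--shell=/bin/csh` is the replacement. The `--profile-path` and `--allow-private-blacklist` branches this same commit removes at 1442 and 1544 show the project's usual one-release warning step; a branch like `else if (strcmp(argv[i], "--csh") == 0) fwarning("--csh is deprecated, use --shell=/bin/csh\n");` would give existing scripts an actionable message before the option disappears. The hunk at 1051 drops `--debug-check-filename` the same way. main's body continues outside the hunk.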
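--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
 for (i = 0; i < argc; i++) {
 if (strcmp(argv[i], "--debug") == 0)
 arg_debug = 1;
-else if (strcmp(argv[i], "--csh") == 0 ||
-strcmp(argv[i], "--zsh") == 0 ||
-strcmp(argv[i], "--shell=none") == 0 ||
+else if (strcmp(argv[i], "--shell=none") == 0 ||
 strncmp(argv[i], "--shell=", 8) == 0)
 fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
 }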
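Review bot: In the rewritten condition at new line 170 the `strcmp(argv[i], "--shell=none") == 0` test is redundant: the `strncmp(argv[i], "--shell=", 8) == 0` test on the following line already matches `--shell=none`, so the whole condition reduces to `else if (strncmp(argv[i], "--shell=", 8) == 0)`. Leaving the dead comparison in place suggests the two spellings are handled differently when they are not. run_no_sandbox's body continues outside the hunk.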
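--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nodbus = 1;
 return 0;
 }
-else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-fmessage("--allow-private-blacklist was deprecated\n");
-return 0;
-}
 else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK))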
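--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
 "Options:\n"
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-" --allow-private-blacklist - allow blacklisting files in private\n"
-"\thome directories.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
 " --apparmor - enable AppArmor confinement.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
 " --cpu=cpu-number,cpu-number - set cpu affinity.\n"
 " --cpu.print=name|pid - print the cpus in use.\n"
-" --csh - use /bin/csh as default shell.\n"
 " --debug - print sandbox debug messages.\n"
 " --debug-blacklists - debug blacklisting.\n"
 " --debug-caps - print all recognized capabilities.\n"
-" --debug-check-filename - debug filename checking.\n"
 " --debug-errnos - print all recognized error numbers.\n"
 " --debug-private-lib - debug for --private-lib option.\n"
 " --debug-protocols - print all recognized protocols.\n"
@@ -163,6 +159,7 @@ static char *usage_str =
 "\tfilesystem, and copy the files and directories in the list.\n"
 " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
 " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+" --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
 " --profile=filename - use a custom profile.\n"
 " --profile.print=name|pid - print the name of profile file.\n"
 " --profile-path=directory - use this directory to look for profile files.\n"
@@ -236,7 +233,6 @@ static char *usage_str =
 " --x11=xvfb - enable Xvfb X11 server.\n"
 " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-" --zsh - use /usr/bin/zsh as default shell.\n"
 "\n"
 "Examples:\n"
 " $ firejail firefox\n"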
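Review bot: The context at new line 165 still advertises `" --profile-path=directory - use this directory to look for profile files.\n"`, but the main.c hunk at 1439 removes the `--profile-path=` branch (which by then only printed a deprecation warning), so unless a handler exists elsewhere the help text now documents an option the parser rejects; it should go the same way as the `--csh`, `--zsh`, `--debug-check-filename` and `--allow-private-blacklist` entries this section removes. The man page touched by this commit should be checked for the same entry. The `usage_str` initializer continues outside the hunk.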
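--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
 assert(fname);
 const char *ptr = fname;
 
-if (arg_debug_check_filename)
-printf("Checking filename %s\n", fname);
-
 if (strncmp(ptr, "${HOME}", 7) == 0)
 ptr = fname + 7;
 else if (strncmp(ptr, "${PATH}", 7) == 0)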
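--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
 "\t--tree - print a tree of all sandboxed processes.\n\n"
 "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
 "\t--version - print program version and exit.\n\n"
+"\t--x11 - print X11 display number.\n\n"
 
 "Without any options, firemon monitors all fork, exec, id change, and exit\n"
 "events in the sandbox. Monitoring a specific PID is also supported.\n\n"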
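--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -45,6 +45,12 @@ int firejail_user_check(const char *name) {
 if (strcmp(name, "root") == 0)
 return 1;
 
+// user nobody disabled by default
+if (strcmp(name, "nobody") == 0) {
+fprintf(stderr, "Error: user nobody is not allowed to run the sandbox\n");
+exit(1);
+}
+
 // check file existence
 char *fname = get_fname();
 if (access(fname, F_OK)) {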
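Review bot: The new `nobody` check in `firejail_user_check` terminates the process with `exit(1)` from a src/lib function, while the `root` case three lines above reports its verdict with `return 1`; a predicate that sometimes returns and sometimes exits is hard for callers to reason about, and returning 0 with the message left to the caller would keep the contract uniform (the remaining return paths are outside the hunk). The comment `// user nobody disabled by default` implies the denial can be overridden, yet the exit happens before the firejail.users file is consulted, so either the comment should read `// user nobody is always denied` or the check should move after the file lookup. Matching on the login name also leaves a differently named uid-65534 account uncovered; resolving the name with getpwnam() and comparing the uid would be more robust if that is the intent. firejail_user_check continues outside the hunk.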
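--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,7 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default, user nobody is denied access by default.
 
 Example:
 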
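--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -1949,8 +1931,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default Bash shell (/bin/bash) is used.
 .br
 
 .br
@@ -2324,16 +2305,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-zsh
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place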
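--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
 "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
 "appimage Leafpad"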
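--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
 "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "appimage Leafpad"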
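--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-".cshrc"
-}
-
-send -- "env | grep SHELL\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"SHELL"
+"SHELL"
 }
 expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --csh\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"shell=none was already specified"
-}
-after 100
-
-send -- "firejail --csh --shell=none\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"a shell was already specified"
+timeout {puts "TESTING ERROR 3\n";exit}
+"home"
 }
+send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"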
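Review bot: The rewrite drops the two negative cases the old file covered, `firejail --shell=none --csh` and `firejail --csh --shell=none`, so the mutual-exclusion error path that survives in main.c under `--shell=none` (`if (cfg.shell)`) is no longer exercised by any test in this commit; re-adding them as `firejail --shell=none --shell=/bin/csh` and `firejail --shell=/bin/csh --shell=none`, expecting the same "already specified" messages, would restore that coverage. The new file also loses the three-line project/copyright/license header from old lines 2-4, which the rest of the tree presumably keeps. The final `expect "home"` after `pwd` is a loose substring that other output could satisfy; expecting `"/home"` matches what `cd /home` set up and is no harder to meet legitimately. zsh.exp has all three points as well.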
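--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-".zshrc"
-}
-
 send -- "env | grep SHELL;pwd\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 1\n";exit}
 "SHELL"
 }
 expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --zsh\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"shell=none was already specified"
-}
-after 100
-
-send -- "firejail --zsh --shell=none\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"a shell was already specified"
+"home"
 }
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"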
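--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 4.1\n";exit}
+"4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"Child process initialized"
+}
+sleep 1
 
-
-
-
-
-
-
-
-
+send -- "find /srv | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 puts "\nall done\n"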
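Review bot: Both new blocks match the `find ... | wc -l` result with a bare `"4"`, which expect accepts as soon as any pending output contains that digit; because the spawned command passes `--debug`, firejail's own diagnostics can plausibly supply one before `wc` prints, so the count may never actually be checked. Anchoring the match to a whole output line, e.g. `-re "\r\n4\r\n"`, pins the real count, and dropping `--debug` unless its output is needed makes the expectation easier to reason about. A short comment stating which four entries are expected under /opt and /srv would also help the next person who changes the fixture.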