diff options
58 files changed, 1159 insertions, 592 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 71791c000..57ac2e9c4 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,10 +1,10 @@ | |||
1 | 1 | ||
2 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 2 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. |
3 | 3 | ||
4 | If you make a PR for new profiles or changeing profiles please do the following: | 4 | If you submit a PR for new profiles or changing profiles, please do the following: |
5 | - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 5 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). |
6 | > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository. | 6 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. |
7 | - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | 7 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). |
8 | The path to it depends on your distro: | 8 | The path to it depends on your distro: |
9 | 9 | ||
10 | | Distro | Path | | 10 | | Distro | Path | |
@@ -330,5 +330,6 @@ Stats: | |||
330 | 330 | ||
331 | ### New profiles: | 331 | ### New profiles: |
332 | 332 | ||
333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop. | 333 | vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget \ No newline at end of file | 334 | avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop, |
335 | pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2 | ||
@@ -15,7 +15,8 @@ firejail (0.9.65) baseline; urgency=low | |||
15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng | 15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng |
16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
17 | * avidemux, calligragemini, vmware-player, vmware-workstation | 17 | * avidemux, calligragemini, vmware-player, vmware-workstation |
18 | * gget | 18 | * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr |
19 | * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2 | ||
19 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 20 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
20 | 21 | ||
21 | firejail (0.9.64.4) baseline; urgency=low | 22 | firejail (0.9.64.4) baseline; urgency=low |
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index d724e3b52..52534a9e9 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -442,6 +442,7 @@ blacklist ${PATH}/mount | |||
442 | blacklist ${PATH}/mount.ecryptfs_private | 442 | blacklist ${PATH}/mount.ecryptfs_private |
443 | blacklist ${PATH}/nc | 443 | blacklist ${PATH}/nc |
444 | blacklist ${PATH}/ncat | 444 | blacklist ${PATH}/ncat |
445 | blacklist ${PATH}/nmap | ||
445 | blacklist ${PATH}/newgidmap | 446 | blacklist ${PATH}/newgidmap |
446 | blacklist ${PATH}/newgrp | 447 | blacklist ${PATH}/newgrp |
447 | blacklist ${PATH}/newuidmap | 448 | blacklist ${PATH}/newuidmap |
@@ -452,6 +453,7 @@ blacklist ${PATH}/sg | |||
452 | blacklist ${PATH}/strace | 453 | blacklist ${PATH}/strace |
453 | blacklist ${PATH}/su | 454 | blacklist ${PATH}/su |
454 | blacklist ${PATH}/sudo | 455 | blacklist ${PATH}/sudo |
456 | blacklist ${PATH}/tcpdump | ||
455 | blacklist ${PATH}/umount | 457 | blacklist ${PATH}/umount |
456 | blacklist ${PATH}/unix_chkpwd | 458 | blacklist ${PATH}/unix_chkpwd |
457 | blacklist ${PATH}/xev | 459 | blacklist ${PATH}/xev |
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index d74d21a9b..ca3fcd216 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -5,6 +5,7 @@ include disable-programs.local | |||
5 | blacklist ${HOME}/Arduino | 5 | blacklist ${HOME}/Arduino |
6 | blacklist ${HOME}/i2p | 6 | blacklist ${HOME}/i2p |
7 | blacklist ${HOME}/Monero/wallets | 7 | blacklist ${HOME}/Monero/wallets |
8 | blacklist ${HOME}/Nextcloud | ||
8 | blacklist ${HOME}/Nextcloud/Notes | 9 | blacklist ${HOME}/Nextcloud/Notes |
9 | blacklist ${HOME}/SoftMaker | 10 | blacklist ${HOME}/SoftMaker |
10 | blacklist ${HOME}/Standard Notes Backups | 11 | blacklist ${HOME}/Standard Notes Backups |
@@ -117,6 +118,7 @@ blacklist ${HOME}/.config/MusE | |||
117 | blacklist ${HOME}/.config/MuseScore | 118 | blacklist ${HOME}/.config/MuseScore |
118 | blacklist ${HOME}/.config/MusicBrainz | 119 | blacklist ${HOME}/.config/MusicBrainz |
119 | blacklist ${HOME}/.config/Nathan Osman | 120 | blacklist ${HOME}/.config/Nathan Osman |
121 | blacklist ${HOME}/.config/Nextcloud | ||
120 | blacklist ${HOME}/.config/Nylas Mail | 122 | blacklist ${HOME}/.config/Nylas Mail |
121 | blacklist ${HOME}/.config/PacmanLogViewer | 123 | blacklist ${HOME}/.config/PacmanLogViewer |
122 | blacklist ${HOME}/.config/PBE | 124 | blacklist ${HOME}/.config/PBE |
@@ -266,6 +268,7 @@ blacklist ${HOME}/.config/inkscape | |||
266 | blacklist ${HOME}/.config/inox | 268 | blacklist ${HOME}/.config/inox |
267 | blacklist ${HOME}/.config/iridium | 269 | blacklist ${HOME}/.config/iridium |
268 | blacklist ${HOME}/.config/itch | 270 | blacklist ${HOME}/.config/itch |
271 | blacklist ${HOME}/.config/jami | ||
269 | blacklist ${HOME}/.config/jd-gui.cfg | 272 | blacklist ${HOME}/.config/jd-gui.cfg |
270 | blacklist ${HOME}/.config/k3brc | 273 | blacklist ${HOME}/.config/k3brc |
271 | blacklist ${HOME}/.config/kaffeinerc | 274 | blacklist ${HOME}/.config/kaffeinerc |
@@ -305,7 +308,6 @@ blacklist ${HOME}/.config/lugaru | |||
305 | blacklist ${HOME}/.config/lutris | 308 | blacklist ${HOME}/.config/lutris |
306 | blacklist ${HOME}/.config/lximage-qt | 309 | blacklist ${HOME}/.config/lximage-qt |
307 | blacklist ${HOME}/.config/mailtransports | 310 | blacklist ${HOME}/.config/mailtransports |
308 | blacklist ${HOME}/.local/share/man | ||
309 | blacklist ${HOME}/.config/mana | 311 | blacklist ${HOME}/.config/mana |
310 | blacklist ${HOME}/.config/mate-calc | 312 | blacklist ${HOME}/.config/mate-calc |
311 | blacklist ${HOME}/.config/mate/eom | 313 | blacklist ${HOME}/.config/mate/eom |
@@ -334,6 +336,7 @@ blacklist ${HOME}/.config/nemo | |||
334 | blacklist ${HOME}/.config/neomutt | 336 | blacklist ${HOME}/.config/neomutt |
335 | blacklist ${HOME}/.config/netsurf | 337 | blacklist ${HOME}/.config/netsurf |
336 | blacklist ${HOME}/.config/newsbeuter | 338 | blacklist ${HOME}/.config/newsbeuter |
339 | blacklist ${HOME}/.config/newsboat | ||
337 | blacklist ${HOME}/.config/newsflash | 340 | blacklist ${HOME}/.config/newsflash |
338 | blacklist ${HOME}/.config/nheko | 341 | blacklist ${HOME}/.config/nheko |
339 | blacklist ${HOME}/.config/NitroShare | 342 | blacklist ${HOME}/.config/NitroShare |
@@ -345,6 +348,7 @@ blacklist ${HOME}/.config/okularrc | |||
345 | blacklist ${HOME}/.config/onboard | 348 | blacklist ${HOME}/.config/onboard |
346 | blacklist ${HOME}/.config/onionshare | 349 | blacklist ${HOME}/.config/onionshare |
347 | blacklist ${HOME}/.config/onlyoffice | 350 | blacklist ${HOME}/.config/onlyoffice |
351 | blacklist ${HOME}/.config/openmw | ||
348 | blacklist ${HOME}/.config/opera | 352 | blacklist ${HOME}/.config/opera |
349 | blacklist ${HOME}/.config/opera-beta | 353 | blacklist ${HOME}/.config/opera-beta |
350 | blacklist ${HOME}/.config/orage | 354 | blacklist ${HOME}/.config/orage |
@@ -437,6 +441,7 @@ blacklist ${HOME}/.config/yandex-browser | |||
437 | blacklist ${HOME}/.config/yandex-browser-beta | 441 | blacklist ${HOME}/.config/yandex-browser-beta |
438 | blacklist ${HOME}/.config/yelp | 442 | blacklist ${HOME}/.config/yelp |
439 | blacklist ${HOME}/.config/youtube-dl | 443 | blacklist ${HOME}/.config/youtube-dl |
444 | blacklist ${HOME}/.config/youtube-dlg | ||
440 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 | 445 | blacklist ${HOME}/.config/youtubemusic-nativefier-040164 |
441 | blacklist ${HOME}/.config/youtube-music-desktop-app | 446 | blacklist ${HOME}/.config/youtube-music-desktop-app |
442 | blacklist ${HOME}/.config/youtube-viewer | 447 | blacklist ${HOME}/.config/youtube-viewer |
@@ -583,6 +588,7 @@ blacklist ${HOME}/.local/share/JetBrains | |||
583 | blacklist ${HOME}/.local/share/Kingsoft | 588 | blacklist ${HOME}/.local/share/Kingsoft |
584 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 589 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
585 | blacklist ${HOME}/.local/share/Mumble | 590 | blacklist ${HOME}/.local/share/Mumble |
591 | blacklist ${HOME}/.local/share/Nextcloud | ||
586 | blacklist ${HOME}/.local/share/PBE | 592 | blacklist ${HOME}/.local/share/PBE |
587 | blacklist ${HOME}/.local/share/Psi | 593 | blacklist ${HOME}/.local/share/Psi |
588 | blacklist ${HOME}/.local/share/QGIS | 594 | blacklist ${HOME}/.local/share/QGIS |
@@ -659,6 +665,7 @@ blacklist ${HOME}/.local/share/gradio | |||
659 | blacklist ${HOME}/.local/share/gwenview | 665 | blacklist ${HOME}/.local/share/gwenview |
660 | blacklist ${HOME}/.local/share/i2p | 666 | blacklist ${HOME}/.local/share/i2p |
661 | blacklist ${HOME}/.local/share/IntoTheBreach | 667 | blacklist ${HOME}/.local/share/IntoTheBreach |
668 | blacklist ${HOME}/.local/share/jami | ||
662 | blacklist ${HOME}/.local/share/kaffeine | 669 | blacklist ${HOME}/.local/share/kaffeine |
663 | blacklist ${HOME}/.local/share/kalgebra | 670 | blacklist ${HOME}/.local/share/kalgebra |
664 | blacklist ${HOME}/.local/share/kate | 671 | blacklist ${HOME}/.local/share/kate |
@@ -684,11 +691,13 @@ blacklist ${HOME}/.local/share/lollypop | |||
684 | blacklist ${HOME}/.local/share/love | 691 | blacklist ${HOME}/.local/share/love |
685 | blacklist ${HOME}/.local/share/lugaru | 692 | blacklist ${HOME}/.local/share/lugaru |
686 | blacklist ${HOME}/.local/share/lutris | 693 | blacklist ${HOME}/.local/share/lutris |
694 | blacklist ${HOME}/.local/share/man | ||
687 | blacklist ${HOME}/.local/share/mana | 695 | blacklist ${HOME}/.local/share/mana |
688 | blacklist ${HOME}/.local/share/maps-places.json | 696 | blacklist ${HOME}/.local/share/maps-places.json |
689 | blacklist ${HOME}/.local/share/matrix-mirage | 697 | blacklist ${HOME}/.local/share/matrix-mirage |
690 | blacklist ${HOME}/.local/share/meld | 698 | blacklist ${HOME}/.local/share/meld |
691 | blacklist ${HOME}/.local/share/midori | 699 | blacklist ${HOME}/.local/share/midori |
700 | blacklist ${HOME}/.local/share/minder | ||
692 | blacklist ${HOME}/.local/share/mirage | 701 | blacklist ${HOME}/.local/share/mirage |
693 | blacklist ${HOME}/.local/share/multimc | 702 | blacklist ${HOME}/.local/share/multimc |
694 | blacklist ${HOME}/.local/share/multimc5 | 703 | blacklist ${HOME}/.local/share/multimc5 |
@@ -699,11 +708,14 @@ blacklist ${HOME}/.local/share/nautilus-python | |||
699 | blacklist ${HOME}/.local/share/nemo | 708 | blacklist ${HOME}/.local/share/nemo |
700 | blacklist ${HOME}/.local/share/nemo-python | 709 | blacklist ${HOME}/.local/share/nemo-python |
701 | blacklist ${HOME}/.local/share/news-flash | 710 | blacklist ${HOME}/.local/share/news-flash |
711 | blacklist ${HOME}/.local/share/newsbeuter | ||
712 | blacklist ${HOME}/.local/share/newsboat | ||
702 | blacklist ${HOME}/.local/share/nomacs | 713 | blacklist ${HOME}/.local/share/nomacs |
703 | blacklist ${HOME}/.local/share/notes | 714 | blacklist ${HOME}/.local/share/notes |
704 | blacklist ${HOME}/.local/share/ocenaudio | 715 | blacklist ${HOME}/.local/share/ocenaudio |
705 | blacklist ${HOME}/.local/share/okular | 716 | blacklist ${HOME}/.local/share/okular |
706 | blacklist ${HOME}/.local/share/onlyoffice | 717 | blacklist ${HOME}/.local/share/onlyoffice |
718 | blacklist ${HOME}/.local/share/openmw | ||
707 | blacklist ${HOME}/.local/share/orage | 719 | blacklist ${HOME}/.local/share/orage |
708 | blacklist ${HOME}/.local/share/org.kde.gwenview | 720 | blacklist ${HOME}/.local/share/org.kde.gwenview |
709 | blacklist ${HOME}/.local/share/Paradox Interactive | 721 | blacklist ${HOME}/.local/share/Paradox Interactive |
@@ -787,6 +799,7 @@ blacklist ${HOME}/.opera-beta | |||
787 | blacklist ${HOME}/.ostrichriders | 799 | blacklist ${HOME}/.ostrichriders |
788 | blacklist ${HOME}/.paradoxinteractive | 800 | blacklist ${HOME}/.paradoxinteractive |
789 | blacklist ${HOME}/.parallelrealities/blobwars | 801 | blacklist ${HOME}/.parallelrealities/blobwars |
802 | blacklist ${HOME}/.pcsxr | ||
790 | blacklist ${HOME}/.penguin-command | 803 | blacklist ${HOME}/.penguin-command |
791 | blacklist ${HOME}/.pingus | 804 | blacklist ${HOME}/.pingus |
792 | blacklist ${HOME}/.pioneer | 805 | blacklist ${HOME}/.pioneer |
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index adca38cb5..2b032e977 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile | |||
@@ -40,7 +40,7 @@ seccomp | |||
40 | shell none | 40 | shell none |
41 | tracelog | 41 | tracelog |
42 | 42 | ||
43 | private-bin atril,atril-previewer,atril-thumbnailer | 43 | private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,ld.so.cache | 45 | private-etc alternatives,fonts,ld.so.cache |
46 | # atril uses webkit gtk to display epub files | 46 | # atril uses webkit gtk to display epub files |
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile new file mode 100644 index 000000000..8be06a4b3 --- /dev/null +++ b/etc/profile-a-l/com.github.phase1geo.minder.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for com.github.phase1geo.minder | ||
2 | # Description: Mind-mapping application | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include com.github.phase1geo.minder.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.local/share/minder | ||
10 | noblacklist ${DOCUMENTS} | ||
11 | noblacklist ${PICTURES} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.local/share/minder | ||
23 | whitelist ${HOME}/.local/share/minder | ||
24 | whitelist ${DOCUMENTS} | ||
25 | whitelist ${DOWNLOADS} | ||
26 | whitelist ${PICTURES} | ||
27 | include whitelist-common.inc | ||
28 | include whitelist-runuser-common.inc | ||
29 | include whitelist-usr-share-common.inc | ||
30 | include whitelist-var-common.inc | ||
31 | |||
32 | apparmor | ||
33 | caps.drop all | ||
34 | machine-id | ||
35 | net none | ||
36 | no3d | ||
37 | nodvd | ||
38 | nogroups | ||
39 | nonewprivs | ||
40 | noroot | ||
41 | nosound | ||
42 | notv | ||
43 | nou2f | ||
44 | novideo | ||
45 | protocol unix | ||
46 | seccomp | ||
47 | seccomp.block-secondary | ||
48 | shell none | ||
49 | tracelog | ||
50 | |||
51 | disable-mnt | ||
52 | private-bin com.github.phase1geo.minder | ||
53 | private-cache | ||
54 | private-dev | ||
55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg | ||
56 | private-tmp | ||
57 | |||
58 | dbus-user filter | ||
59 | dbus-user.own com.github.phase1geo.minder | ||
60 | dbus-user.talk ca.desrt.dconf | ||
61 | dbus-system none | ||
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index 13d830b55..fc920a065 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile | |||
@@ -18,6 +18,7 @@ include disable-exec.inc | |||
18 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-write-mnt.inc | ||
21 | include disable-xdg.inc | 22 | include disable-xdg.inc |
22 | 23 | ||
23 | mkdir ${HOME}/.cache/dolphin-emu | 24 | mkdir ${HOME}/.cache/dolphin-emu |
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 6c0892c56..54fe6a0f9 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile | |||
@@ -17,7 +17,6 @@ include whitelist-var-common.inc | |||
17 | 17 | ||
18 | apparmor | 18 | apparmor |
19 | caps.drop all | 19 | caps.drop all |
20 | net none | ||
21 | no3d | 20 | no3d |
22 | nodvd | 21 | nodvd |
23 | nogroups | 22 | nogroups |
@@ -36,7 +35,4 @@ tracelog | |||
36 | private-dev | 35 | private-dev |
37 | # private-tmp | 36 | # private-tmp |
38 | 37 | ||
39 | dbus-user none | ||
40 | dbus-system none | 38 | dbus-system none |
41 | |||
42 | memory-deny-write-execute | ||
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index ca7731442..4da087f7f 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile | |||
@@ -3,11 +3,15 @@ | |||
3 | include firefox-common-addons.local | 3 | include firefox-common-addons.local |
4 | 4 | ||
5 | ignore include whitelist-runuser-common.inc | 5 | ignore include whitelist-runuser-common.inc |
6 | ignore private-cache | ||
6 | 7 | ||
8 | noblacklist ${HOME}/.cache/youtube-dl | ||
7 | noblacklist ${HOME}/.config/kgetrc | 9 | noblacklist ${HOME}/.config/kgetrc |
10 | noblacklist ${HOME}/.config/mpv | ||
8 | noblacklist ${HOME}/.config/okularpartrc | 11 | noblacklist ${HOME}/.config/okularpartrc |
9 | noblacklist ${HOME}/.config/okularrc | 12 | noblacklist ${HOME}/.config/okularrc |
10 | noblacklist ${HOME}/.config/qpdfview | 13 | noblacklist ${HOME}/.config/qpdfview |
14 | noblacklist ${HOME}/.config/youtube-dl | ||
11 | noblacklist ${HOME}/.kde/share/apps/kget | 15 | noblacklist ${HOME}/.kde/share/apps/kget |
12 | noblacklist ${HOME}/.kde/share/apps/okular | 16 | noblacklist ${HOME}/.kde/share/apps/okular |
13 | noblacklist ${HOME}/.kde/share/config/kgetrc | 17 | noblacklist ${HOME}/.kde/share/config/kgetrc |
@@ -22,15 +26,19 @@ noblacklist ${HOME}/.local/share/kget | |||
22 | noblacklist ${HOME}/.local/share/kxmlgui5/okular | 26 | noblacklist ${HOME}/.local/share/kxmlgui5/okular |
23 | noblacklist ${HOME}/.local/share/okular | 27 | noblacklist ${HOME}/.local/share/okular |
24 | noblacklist ${HOME}/.local/share/qpdfview | 28 | noblacklist ${HOME}/.local/share/qpdfview |
29 | noblacklist ${HOME}/.netrc | ||
25 | 30 | ||
26 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | 31 | whitelist ${HOME}/.cache/gnome-mplayer/plugin |
32 | whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs | ||
27 | whitelist ${HOME}/.config/gnome-mplayer | 33 | whitelist ${HOME}/.config/gnome-mplayer |
28 | whitelist ${HOME}/.config/kgetrc | 34 | whitelist ${HOME}/.config/kgetrc |
35 | whitelist ${HOME}/.config/mpv | ||
29 | whitelist ${HOME}/.config/okularpartrc | 36 | whitelist ${HOME}/.config/okularpartrc |
30 | whitelist ${HOME}/.config/okularrc | 37 | whitelist ${HOME}/.config/okularrc |
31 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | 38 | whitelist ${HOME}/.config/pipelight-silverlight5.1 |
32 | whitelist ${HOME}/.config/pipelight-widevine | 39 | whitelist ${HOME}/.config/pipelight-widevine |
33 | whitelist ${HOME}/.config/qpdfview | 40 | whitelist ${HOME}/.config/qpdfview |
41 | whitelist ${HOME}/.config/youtube-dl | ||
34 | whitelist ${HOME}/.kde/share/apps/kget | 42 | whitelist ${HOME}/.kde/share/apps/kget |
35 | whitelist ${HOME}/.kde/share/apps/okular | 43 | whitelist ${HOME}/.kde/share/apps/okular |
36 | whitelist ${HOME}/.kde/share/config/kgetrc | 44 | whitelist ${HOME}/.kde/share/config/kgetrc |
@@ -48,6 +56,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular | |||
48 | whitelist ${HOME}/.local/share/okular | 56 | whitelist ${HOME}/.local/share/okular |
49 | whitelist ${HOME}/.local/share/qpdfview | 57 | whitelist ${HOME}/.local/share/qpdfview |
50 | whitelist ${HOME}/.local/share/tridactyl | 58 | whitelist ${HOME}/.local/share/tridactyl |
59 | whitelist ${HOME}/.netrc | ||
51 | whitelist ${HOME}/.pentadactyl | 60 | whitelist ${HOME}/.pentadactyl |
52 | whitelist ${HOME}/.pentadactylrc | 61 | whitelist ${HOME}/.pentadactylrc |
53 | whitelist ${HOME}/.tridactylrc | 62 | whitelist ${HOME}/.tridactylrc |
@@ -57,6 +66,9 @@ whitelist ${HOME}/.wine-pipelight | |||
57 | whitelist ${HOME}/.wine-pipelight64 | 66 | whitelist ${HOME}/.wine-pipelight64 |
58 | whitelist ${HOME}/.zotero | 67 | whitelist ${HOME}/.zotero |
59 | whitelist ${HOME}/dwhelper | 68 | whitelist ${HOME}/dwhelper |
69 | whitelist /usr/share/lua | ||
70 | whitelist /usr/share/lua* | ||
71 | whitelist /usr/share/vulkan | ||
60 | 72 | ||
61 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python | 73 | # GNOME Shell integration (chrome-gnome-shell) needs dbus and python |
62 | noblacklist ${HOME}/.local/share/gnome-shell | 74 | noblacklist ${HOME}/.local/share/gnome-shell |
@@ -75,17 +87,5 @@ include allow-python3.inc | |||
75 | 87 | ||
76 | # ff2mpv | 88 | # ff2mpv |
77 | #ignore noexec ${HOME} | 89 | #ignore noexec ${HOME} |
78 | #noblacklist ${HOME}/.config/mpv | ||
79 | #noblacklist ${HOME}/.config/youtube-dl | ||
80 | #noblacklist ${HOME}/.netrc | ||
81 | #include allow-lua.inc | 90 | #include allow-lua.inc |
82 | #include allow-python3.inc | ||
83 | #mkdir ${HOME}/.config/mpv | ||
84 | #mkdir ${HOME}/.config/youtube-dl | ||
85 | #whitelist ${HOME}/.config/mpv | ||
86 | #whitelist ${HOME}/.config/youtube-dl | ||
87 | #whitelist ${HOME}/.netrc | ||
88 | #whitelist /usr/share/lua | ||
89 | #whitelist /usr/share/lua* | ||
90 | #whitelist /usr/share/vulkan | ||
91 | #private-bin env,mpv,python3*,waf,youtube-dl | 91 | #private-bin env,mpv,python3*,waf,youtube-dl |
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index d56d6714e..820d5e694 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile | |||
@@ -55,5 +55,5 @@ private-dev | |||
55 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg | 55 | private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user filter |
59 | dbus-system none | 59 | dbus-system none |
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile new file mode 100644 index 000000000..226bb0008 --- /dev/null +++ b/etc/profile-a-l/jami-gnome.profile | |||
@@ -0,0 +1,42 @@ | |||
1 | # Firejail profile for jami-gnome | ||
2 | # Description: An encrypted peer-to-peer messenger | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include jami-gnome.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/jami | ||
10 | noblacklist ${HOME}/.local/share/jami | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | #include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/jami | ||
20 | mkdir ${HOME}/.local/share/jami | ||
21 | whitelist ${HOME}/.config/jami | ||
22 | whitelist ${HOME}/.local/share/jami | ||
23 | include whitelist-common.inc | ||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | caps.drop all | ||
27 | ipc-namespace | ||
28 | netfilter | ||
29 | nodvd | ||
30 | nogroups | ||
31 | nonewprivs | ||
32 | noroot | ||
33 | notv | ||
34 | protocol unix,inet,inet6,netlink | ||
35 | seccomp | ||
36 | shell none | ||
37 | |||
38 | disable-mnt | ||
39 | private-dev | ||
40 | private-tmp | ||
41 | |||
42 | env QT_QPA_PLATFORM=xcb | ||
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile new file mode 100644 index 000000000..b2687ba3c --- /dev/null +++ b/etc/profile-m-z/PCSX2.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for PCSX2 | ||
2 | # Description: A PlayStation 2 emulator | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include PCSX2.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Note: you must whitelist your games folder in a PCSX2.local | ||
10 | |||
11 | noblacklist ${HOME}/.config/PCSX2 | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-write-mnt.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.config/PCSX2 | ||
24 | whitelist ${HOME}/.config/PCSX2 | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | ipc-namespace | ||
33 | net none | ||
34 | netfilter | ||
35 | # Uncomment the following line if not loading games from disc | ||
36 | #nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,netlink | ||
44 | #seccomp - breaks loading with no logs | ||
45 | shell none | ||
46 | #tracelog - 32/64 bit incompatibility | ||
47 | |||
48 | private-bin PCSX2 | ||
49 | private-cache | ||
50 | # uncomment the following line if you do not need controller support | ||
51 | #private-dev | ||
52 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | ||
53 | private-opt none | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
diff --git a/etc/profile-m-z/PPSSPPSDL.profile b/etc/profile-m-z/PPSSPPSDL.profile new file mode 100644 index 000000000..deb00a436 --- /dev/null +++ b/etc/profile-m-z/PPSSPPSDL.profile | |||
@@ -0,0 +1,9 @@ | |||
1 | # Firejail profile for PPSSPPSDL | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include PPSSPPSDL.local | ||
5 | # added by included profile | ||
6 | #include globals.local | ||
7 | |||
8 | # Redirect | ||
9 | include ppsspp.profile | ||
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index c6c50cf47..965750bf0 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -57,7 +57,7 @@ disable-mnt | |||
57 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 57 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
58 | private-cache | 58 | private-cache |
59 | private-dev | 59 | private-dev |
60 | private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 60 | private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg |
61 | private-tmp | 61 | private-tmp |
62 | 62 | ||
63 | dbus-user none | 63 | dbus-user none |
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 029d0183d..70e5c72cf 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile | |||
@@ -14,6 +14,8 @@ include globals.local | |||
14 | noblacklist ${HOME}/.cache/marker | 14 | noblacklist ${HOME}/.cache/marker |
15 | noblacklist ${DOCUMENTS} | 15 | noblacklist ${DOCUMENTS} |
16 | 16 | ||
17 | include allow-python3.inc | ||
18 | |||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
19 | include disable-exec.inc | 21 | include disable-exec.inc |
@@ -48,7 +50,7 @@ seccomp.block-secondary | |||
48 | shell none | 50 | shell none |
49 | tracelog | 51 | tracelog |
50 | 52 | ||
51 | private-bin marker | 53 | private-bin marker,python3* |
52 | private-cache | 54 | private-cache |
53 | private-dev | 55 | private-dev |
54 | private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 | 56 | private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 |
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile index 85581a2f0..6efb19502 100644 --- a/etc/profile-m-z/newsbeuter.profile +++ b/etc/profile-m-z/newsbeuter.profile | |||
@@ -7,13 +7,23 @@ include newsbeuter.local | |||
7 | # added by included profile | 7 | # added by included profile |
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | noblacklist ${HOME}/.config/newsbeuter | 10 | ignore include newsboat.local |
11 | noblacklist ${HOME}/.newsbeuter | 11 | ignore mkdir ${HOME}/.config/newsboat |
12 | ignore mkdir ${HOME}/.local/share/newsboat | ||
13 | ignore mkdir ${HOME}/.newsboat | ||
14 | blacklist ${PATH}/newsboat | ||
15 | |||
16 | blacklist ${HOME}/.config/newsboat | ||
17 | blacklist ${HOME}/.local/share/newsboat | ||
18 | blacklist ${HOME}/.newsboat | ||
19 | |||
20 | nowhitelist ${HOME}/.config/newsboat | ||
21 | nowhitelist ${HOME}/.local/share/newsboat | ||
22 | nowhitelist ${HOME}/.newsboat | ||
12 | 23 | ||
13 | mkdir ${HOME}/.config/newsbeuter | 24 | mkdir ${HOME}/.config/newsbeuter |
25 | mkdir ${HOME}/.local/share/newsbeuter | ||
14 | mkdir ${HOME}/.newsbeuter | 26 | mkdir ${HOME}/.newsbeuter |
15 | whitelist ${HOME}/.config/newsbeuter | ||
16 | whitelist ${HOME}/.newsbeuter | ||
17 | 27 | ||
18 | private-bin newsbeuter | 28 | private-bin newsbeuter |
19 | 29 | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index 85b780ced..23c2de43c 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -6,6 +6,11 @@ include newsboat.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.config/newsbeuter | ||
10 | noblacklist ${HOME}/.config/newsboat | ||
11 | noblacklist ${HOME}/.local/share/newsbeuter | ||
12 | noblacklist ${HOME}/.local/share/newsboat | ||
13 | noblacklist ${HOME}/.newsbeuter | ||
9 | noblacklist ${HOME}/.newsboat | 14 | noblacklist ${HOME}/.newsboat |
10 | 15 | ||
11 | include disable-common.inc | 16 | include disable-common.inc |
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc | |||
16 | include disable-programs.inc | 21 | include disable-programs.inc |
17 | include disable-xdg.inc | 22 | include disable-xdg.inc |
18 | 23 | ||
24 | mkdir ${HOME}/.config/newsboat | ||
25 | mkdir ${HOME}/.local/share/newsboat | ||
19 | mkdir ${HOME}/.newsboat | 26 | mkdir ${HOME}/.newsboat |
27 | whitelist ${HOME}/.config/newsbeuter | ||
28 | whitelist ${HOME}/.config/newsboat | ||
29 | whitelist ${HOME}/.local/share/newsbeuter | ||
30 | whitelist ${HOME}/.local/share/newsboat | ||
31 | whitelist ${HOME}/.newsbeuter | ||
20 | whitelist ${HOME}/.newsboat | 32 | whitelist ${HOME}/.newsboat |
21 | include whitelist-common.inc | 33 | include whitelist-common.inc |
22 | include whitelist-runuser-common.inc | 34 | include whitelist-runuser-common.inc |
@@ -38,7 +50,7 @@ seccomp | |||
38 | shell none | 50 | shell none |
39 | 51 | ||
40 | disable-mnt | 52 | disable-mnt |
41 | private-bin gzip,lynx,newsboat,sh | 53 | private-bin gzip,lynx,newsboat,sh,w3m |
42 | private-cache | 54 | private-cache |
43 | private-dev | 55 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo | 56 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
diff --git a/etc/profile-m-z/nextcloud-desktop.profile b/etc/profile-m-z/nextcloud-desktop.profile new file mode 100644 index 000000000..e74f9c03f --- /dev/null +++ b/etc/profile-m-z/nextcloud-desktop.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for nextcloud | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include nextcloud-desktop.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include nextcloud.profile | ||
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile new file mode 100644 index 000000000..4e7c902d9 --- /dev/null +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -0,0 +1,71 @@ | |||
1 | # Firejail profile for nextcloud | ||
2 | # Description: Nextcloud desktop synchronization client | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include nextcloud.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/Nextcloud | ||
10 | noblacklist ${HOME}/.config/Nextcloud | ||
11 | noblacklist ${HOME}/.local/share/Nextcloud | ||
12 | # Uncomment or put in your nextcloud.local to allow sync with more directories. | ||
13 | #noblacklist ${DOCUMENTS} | ||
14 | #noblacklist ${MUSIC} | ||
15 | #noblacklist ${PICTURES} | ||
16 | #noblacklist ${VIDEOS} | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | include disable-passwdmgr.inc | ||
23 | include disable-programs.inc | ||
24 | include disable-shell.inc | ||
25 | include disable-xdg.inc | ||
26 | |||
27 | mkdir ${HOME}/Nextcloud | ||
28 | mkdir ${HOME}/.config/Nextcloud | ||
29 | mkdir ${HOME}/.local/share/Nextcloud | ||
30 | whitelist ${HOME}/Nextcloud | ||
31 | whitelist ${HOME}/.config/Nextcloud | ||
32 | whitelist ${HOME}/.local/share/Nextcloud | ||
33 | # Uncomment or put in your nextcloud.local to allow sync with more directories. | ||
34 | #whitelist ${DOCUMENTS} | ||
35 | #whitelist ${MUSIC} | ||
36 | #whitelist ${PICTURES} | ||
37 | #whitelist ${VIDEOS} | ||
38 | include whitelist-common.inc | ||
39 | include whitelist-runuser-common.inc | ||
40 | include whitelist-usr-share-common.inc | ||
41 | include whitelist-var-common.inc | ||
42 | |||
43 | apparmor | ||
44 | caps.drop all | ||
45 | machine-id | ||
46 | netfilter | ||
47 | no3d | ||
48 | nodvd | ||
49 | nogroups | ||
50 | nonewprivs | ||
51 | noroot | ||
52 | nosound | ||
53 | notv | ||
54 | nou2f | ||
55 | novideo | ||
56 | protocol unix,inet,inet6,netlink | ||
57 | seccomp | ||
58 | seccomp.block-secondary | ||
59 | shell none | ||
60 | tracelog | ||
61 | |||
62 | disable-mnt | ||
63 | private-bin nextcloud,nextcloud-desktop | ||
64 | private-cache | ||
65 | private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | ||
66 | private-dev | ||
67 | private-tmp | ||
68 | |||
69 | dbus-user filter | ||
70 | dbus-user.talk org.freedesktop.secrets | ||
71 | dbus-system none | ||
diff --git a/etc/profile-m-z/openmw-launcher.profile b/etc/profile-m-z/openmw-launcher.profile new file mode 100644 index 000000000..c9cc144e4 --- /dev/null +++ b/etc/profile-m-z/openmw-launcher.profile | |||
@@ -0,0 +1,7 @@ | |||
1 | # Firejail profile for openmw-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include openmw-launcher.local | ||
5 | |||
6 | # Redirect | ||
7 | include openmw.profile | ||
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile new file mode 100644 index 000000000..270d64c1e --- /dev/null +++ b/etc/profile-m-z/openmw.profile | |||
@@ -0,0 +1,61 @@ | |||
1 | # Firejail profile for openmw | ||
2 | # Description: Open source engine re-implementation for Morrowind | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include openmw.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/openmw | ||
10 | noblacklist ${HOME}/.local/share/openmw | ||
11 | |||
12 | include disable-common.inc | ||
13 | include disable-devel.inc | ||
14 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | ||
16 | include disable-passwdmgr.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-write-mnt.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.config/openmw | ||
23 | mkdir ${HOME}/.local/share/openmw | ||
24 | whitelist ${HOME}/.config/openmw | ||
25 | # Copy Morrowind data files into the following directory or load it from /mnt | ||
26 | # or whitelist it in a openmw.local | ||
27 | whitelist ${HOME}/.local/share/openmw | ||
28 | whitelist /usr/share/openmw | ||
29 | include whitelist-common.inc | ||
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
32 | include whitelist-var-common.inc | ||
33 | |||
34 | apparmor | ||
35 | caps.drop all | ||
36 | ipc-namespace | ||
37 | net none | ||
38 | netfilter | ||
39 | # Uncomment the following line if installing from disc | ||
40 | nodvd | ||
41 | nogroups | ||
42 | nonewprivs | ||
43 | noroot | ||
44 | notv | ||
45 | nou2f | ||
46 | novideo | ||
47 | protocol unix,netlink | ||
48 | seccomp | ||
49 | seccomp.block-secondary | ||
50 | shell none | ||
51 | tracelog | ||
52 | |||
53 | private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard | ||
54 | private-cache | ||
55 | private-dev | ||
56 | private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg | ||
57 | private-opt none | ||
58 | private-tmp | ||
59 | |||
60 | dbus-user none | ||
61 | dbus-system none | ||
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile new file mode 100644 index 000000000..c25c4ae66 --- /dev/null +++ b/etc/profile-m-z/pcsxr.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for pcsxr | ||
2 | # Description: A PlayStation emulator | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include pcsxr.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | # Note: you must whitelist your games folder in a pcsxr.local | ||
10 | |||
11 | noblacklist ${HOME}/.pcsxr | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-write-mnt.inc | ||
21 | include disable-xdg.inc | ||
22 | |||
23 | mkdir ${HOME}/.pcsxr | ||
24 | whitelist ${HOME}/.pcsxr | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | ipc-namespace | ||
33 | net none | ||
34 | netfilter | ||
35 | # Uncomment the following line if not loading games from disc | ||
36 | #nodvd | ||
37 | nogroups | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,netlink | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | private-bin pcsxr | ||
49 | private-cache | ||
50 | # uncomment the following line if you do not need controller support | ||
51 | #private-dev | ||
52 | private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg | ||
53 | private-opt none | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index c71553bcd..263d99c83 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile | |||
@@ -1,13 +1,14 @@ | |||
1 | # Firejail profile for ppsspp | 1 | # Firejail profile for ppsspp |
2 | # Description: A PSP emulator written in C++ | 2 | # Description: A PSP emulator |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include ppsspp.local | 5 | include ppsspp.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Note: you must whitelist your games folder in a ppsspp.local | ||
10 | |||
9 | noblacklist ${HOME}/.config/ppsspp | 11 | noblacklist ${HOME}/.config/ppsspp |
10 | noblacklist ${DOCUMENTS} | ||
11 | 12 | ||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
@@ -15,8 +16,15 @@ include disable-exec.inc | |||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-write-mnt.inc | ||
18 | include disable-xdg.inc | 20 | include disable-xdg.inc |
19 | 21 | ||
22 | mkdir ${HOME}/.config/ppsspp | ||
23 | whitelist ${HOME}/.config/ppsspp | ||
24 | whitelist /usr/share/ppsspp | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
20 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
21 | 29 | ||
22 | caps.drop all | 30 | caps.drop all |
@@ -27,11 +35,13 @@ nogroups | |||
27 | nonewprivs | 35 | nonewprivs |
28 | noroot | 36 | noroot |
29 | notv | 37 | notv |
38 | nou2f | ||
30 | novideo | 39 | novideo |
31 | protocol unix,netlink | 40 | protocol unix,netlink |
32 | seccomp | 41 | seccomp |
33 | shell none | 42 | shell none |
34 | 43 | ||
44 | private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL | ||
35 | # uncomment the following line if you do not need controller support | 45 | # uncomment the following line if you do not need controller support |
36 | #private-dev | 46 | #private-dev |
37 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl | 47 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl |
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile index 7984702f3..6f863d7a1 100644 --- a/etc/profile-m-z/tcpdump.profile +++ b/etc/profile-m-z/tcpdump.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist /sbin | 9 | noblacklist /sbin |
10 | noblacklist /usr/sbin | 10 | noblacklist /usr/sbin |
11 | noblacklist ${PATH}/tcpdump | ||
11 | 12 | ||
12 | include disable-common.inc | 13 | include disable-common.inc |
13 | include disable-devel.inc | 14 | include disable-devel.inc |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index fce7dc461..38d291324 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -36,10 +36,20 @@ noroot | |||
36 | notv | 36 | notv |
37 | protocol unix,inet,inet6,netlink | 37 | protocol unix,inet,inet6,netlink |
38 | seccomp | 38 | seccomp |
39 | seccomp.block-secondary | ||
39 | shell none | 40 | shell none |
41 | tracelog | ||
40 | 42 | ||
41 | disable-mnt | 43 | disable-mnt |
44 | #private-bin telegram,Telegram,telegram-desktop | ||
42 | private-cache | 45 | private-cache |
43 | private-dev | 46 | private-dev |
44 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | 47 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg |
45 | private-tmp | 48 | private-tmp |
49 | |||
50 | dbus-user filter | ||
51 | dbus-user.talk org.freedesktop.Notifications | ||
52 | dbus-user.talk org.kde.StatusNotifierWatcher | ||
53 | dbus-user.talk org.gnome.Mutter.IdleMonitor | ||
54 | dbus-user.talk org.freedesktop.ScreenSaver | ||
55 | dbus-system none | ||
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 232ff8ae4..64d787bfb 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -44,6 +44,7 @@ shell none | |||
44 | tracelog | 44 | tracelog |
45 | 45 | ||
46 | #disable-mnt | 46 | #disable-mnt |
47 | #private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | ||
47 | private-cache | 48 | private-cache |
48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 49 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl |
49 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile new file mode 100644 index 000000000..c072d6267 --- /dev/null +++ b/etc/profile-m-z/youtube-dl-gui.profile | |||
@@ -0,0 +1,56 @@ | |||
1 | # Firejail profile for youtube-dl-gui | ||
2 | # Description: A cross platform front-end GUI of the popular youtube-dl media downloader | ||
3 | include youtube-dl-gui.local | ||
4 | # This file is overwritten after every install/update | ||
5 | include globals.local | ||
6 | |||
7 | #These are blacklisted by disable-interpreters.inc | ||
8 | include allow-python2.inc | ||
9 | include allow-python3.inc | ||
10 | |||
11 | noblacklist ${HOME}/.config/youtube-dlg | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-shell.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.config/youtube-dlg | ||
23 | whitelist ${HOME}/.config/youtube-dlg | ||
24 | whitelist ${DOWNLOADS} | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | machine-id | ||
33 | netfilter | ||
34 | nodvd | ||
35 | nogroups | ||
36 | nonewprivs | ||
37 | noroot | ||
38 | nosound | ||
39 | notv | ||
40 | nou2f | ||
41 | novideo | ||
42 | protocol unix,inet,inet6 | ||
43 | seccomp | ||
44 | seccomp.block-secondary | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl | ||
53 | private-tmp | ||
54 | |||
55 | dbus-user none | ||
56 | dbus-system none | ||
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 17d7f55b2..065245a63 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for PROGRAM_NAME | 1 | # Firejail profile for PROGRAM_NAME |
2 | # Description: DESCRIPTION | 2 | # Description: DESCRIPTION OF THE PROGRAM |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # --- CUT HERE --- | 4 | # --- CUT HERE --- |
5 | # This is a generic template to help you create profiles. | 5 | # This is a generic template to help you create profiles. |
@@ -10,8 +10,8 @@ | |||
10 | # - lines with two ## are only needed in special situations | 10 | # - lines with two ## are only needed in special situations |
11 | # - make the profile as restrictive as possible while still keeping the program useful | 11 | # - make the profile as restrictive as possible while still keeping the program useful |
12 | # (e.g. a program that is unable to save user's work is considered bad practice) | 12 | # (e.g. a program that is unable to save user's work is considered bad practice) |
13 | # - dedicate ample time (based on the complexity of the application) to profile testing before raising | 13 | # - dedicate ample time (based on the complexity of the application) to profile testing before |
14 | # a pull request | 14 | # submitting a pull request |
15 | # - keep the sections structure, use a single empty line as separator | 15 | # - keep the sections structure, use a single empty line as separator |
16 | # - entries within sections are alphabetically sorted | 16 | # - entries within sections are alphabetically sorted |
17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware | 17 | # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware |
@@ -203,7 +203,7 @@ include globals.local | |||
203 | # - Some features like native notifications are implemented as portal too. | 203 | # - Some features like native notifications are implemented as portal too. |
204 | # - In order to make dconf work (when used by the app) you need to allow | 204 | # - In order to make dconf work (when used by the app) you need to allow |
205 | # 'ca.desrt.dconf' even when not allowed by flatpak. | 205 | # 'ca.desrt.dconf' even when not allowed by flatpak. |
206 | # Notes and Policiy about addresses can be found at | 206 | # Notes and policies about addresses can be found at |
207 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | 207 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> |
208 | #dbus-user filter | 208 | #dbus-user filter |
209 | #dbus-user.own com.github.netblue30.firejail | 209 | #dbus-user.own com.github.netblue30.firejail |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index a9ede3217..6cef32249 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -20,7 +20,9 @@ Maelstrom | |||
20 | Maps | 20 | Maps |
21 | Mathematica | 21 | Mathematica |
22 | Natron | 22 | Natron |
23 | PCSX2 | ||
23 | PPSSPPQt | 24 | PPSSPPQt |
25 | PPSSPPSDL | ||
24 | QMediathekView | 26 | QMediathekView |
25 | QOwnNotes | 27 | QOwnNotes |
26 | Screenshot | 28 | Screenshot |
@@ -147,6 +149,7 @@ cola | |||
147 | com.github.bleakgrey.tootle | 149 | com.github.bleakgrey.tootle |
148 | com.github.dahenson.agenda | 150 | com.github.dahenson.agenda |
149 | com.github.johnfactotum.Foliate | 151 | com.github.johnfactotum.Foliate |
152 | com.github.phase1geo.minder | ||
150 | com.gitlab.newsflash | 153 | com.gitlab.newsflash |
151 | conkeror | 154 | conkeror |
152 | conky | 155 | conky |
@@ -554,6 +557,8 @@ neverputt | |||
554 | newsbeuter | 557 | newsbeuter |
555 | newsboat | 558 | newsboat |
556 | newsflash | 559 | newsflash |
560 | nextcloud | ||
561 | nextcloud-desktop | ||
557 | nheko | 562 | nheko |
558 | nicotine | 563 | nicotine |
559 | nitroshare | 564 | nitroshare |
@@ -580,6 +585,8 @@ openarena | |||
580 | openarena_ded | 585 | openarena_ded |
581 | opencity | 586 | opencity |
582 | openclonk | 587 | openclonk |
588 | openmw | ||
589 | openmw-launcher | ||
583 | openoffice.org | 590 | openoffice.org |
584 | openshot | 591 | openshot |
585 | openshot-qt | 592 | openshot-qt |
@@ -596,6 +603,7 @@ parole | |||
596 | patch | 603 | patch |
597 | pavucontrol | 604 | pavucontrol |
598 | pavucontrol-qt | 605 | pavucontrol-qt |
606 | pcsxr | ||
599 | pdfchain | 607 | pdfchain |
600 | pdfmod | 608 | pdfmod |
601 | pdfsam | 609 | pdfsam |
@@ -873,6 +881,7 @@ yandex-browser | |||
873 | yelp | 881 | yelp |
874 | youtube | 882 | youtube |
875 | youtube-dl | 883 | youtube-dl |
884 | youtube-dl-gui | ||
876 | youtube-viewer | 885 | youtube-viewer |
877 | youtubemusic-nativefier | 886 | youtubemusic-nativefier |
878 | ytmdesktop | 887 | ytmdesktop |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 40e53f44d..59758bf2d 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -29,7 +29,7 @@ | |||
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | 30 | ||
31 | static char *devloop = NULL; // device file | 31 | static char *devloop = NULL; // device file |
32 | static char *mntdir = NULL; // mount point in /tmp directory | 32 | static long unsigned size = 0; // offset into appimage file |
33 | 33 | ||
34 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 34 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
35 | static void err_loop(void) { | 35 | static void err_loop(void) { |
@@ -44,27 +44,27 @@ void appimage_set(const char *appimage) { | |||
44 | EUID_ASSERT(); | 44 | EUID_ASSERT(); |
45 | 45 | ||
46 | #ifdef LOOP_CTL_GET_FREE | 46 | #ifdef LOOP_CTL_GET_FREE |
47 | // check appimage file | 47 | // open appimage file |
48 | invalid_filename(appimage, 0); // no globbing | 48 | invalid_filename(appimage, 0); // no globbing |
49 | if (access(appimage, R_OK) == -1) { | 49 | int ffd = open(appimage, O_RDONLY|O_CLOEXEC); |
50 | fprintf(stderr, "Error: cannot access AppImage file\n"); | 50 | if (ffd == -1) { |
51 | fprintf(stderr, "Error: cannot read AppImage file\n"); | ||
52 | exit(1); | ||
53 | } | ||
54 | struct stat s; | ||
55 | if (fstat(ffd, &s) == -1) | ||
56 | errExit("fstat"); | ||
57 | if (!S_ISREG(s.st_mode)) { | ||
58 | fprintf(stderr, "Error: invalid AppImage file\n"); | ||
51 | exit(1); | 59 | exit(1); |
52 | } | 60 | } |
53 | 61 | ||
54 | // get appimage type and ELF size | 62 | // get appimage type and ELF size |
55 | // a value of 0 means we are dealing with a type1 appimage | 63 | // a value of 0 means we are dealing with a type1 appimage |
56 | long unsigned int size = appimage2_size(appimage); | 64 | size = appimage2_size(ffd); |
57 | if (arg_debug) | 65 | if (arg_debug) |
58 | printf("AppImage ELF size %lu\n", size); | 66 | printf("AppImage ELF size %lu\n", size); |
59 | 67 | ||
60 | // open appimage file | ||
61 | /* coverity[toctou] */ | ||
62 | int ffd = open(appimage, O_RDONLY|O_CLOEXEC); | ||
63 | if (ffd == -1) { | ||
64 | fprintf(stderr, "Error: cannot open AppImage file\n"); | ||
65 | exit(1); | ||
66 | } | ||
67 | |||
68 | // find or allocate a free loop device to use | 68 | // find or allocate a free loop device to use |
69 | EUID_ROOT(); | 69 | EUID_ROOT(); |
70 | int cfd = open("/dev/loop-control", O_RDWR); | 70 | int cfd = open("/dev/loop-control", O_RDWR); |
@@ -77,6 +77,7 @@ void appimage_set(const char *appimage) { | |||
77 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) | 77 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) |
78 | errExit("asprintf"); | 78 | errExit("asprintf"); |
79 | 79 | ||
80 | // associate loop device with appimage | ||
80 | int lfd = open(devloop, O_RDONLY); | 81 | int lfd = open(devloop, O_RDONLY); |
81 | if (lfd == -1) | 82 | if (lfd == -1) |
82 | err_loop(); | 83 | err_loop(); |
@@ -90,64 +91,24 @@ void appimage_set(const char *appimage) { | |||
90 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) | 91 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) |
91 | err_loop(); | 92 | err_loop(); |
92 | } | 93 | } |
93 | |||
94 | close(lfd); | 94 | close(lfd); |
95 | close(ffd); | 95 | close(ffd); |
96 | EUID_USER(); | 96 | EUID_USER(); |
97 | 97 | ||
98 | // creates appimage mount point perms 0700 | 98 | // set environment |
99 | if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) | ||
100 | errExit("asprintf"); | ||
101 | EUID_ROOT(); | ||
102 | mkdir_attr(mntdir, 0700, getuid(), getgid()); | ||
103 | EUID_USER(); | ||
104 | |||
105 | // mount | ||
106 | char *mode; | ||
107 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) | ||
108 | errExit("asprintf"); | ||
109 | unsigned long flags = MS_MGC_VAL|MS_RDONLY; | ||
110 | if (getuid()) | ||
111 | flags |= MS_NODEV|MS_NOSUID; | ||
112 | |||
113 | EUID_ROOT(); | ||
114 | if (size == 0) { | ||
115 | fmessage("Mounting appimage type 1\n"); | ||
116 | if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) | ||
117 | errExit("mounting appimage"); | ||
118 | } | ||
119 | else { | ||
120 | fmessage("Mounting appimage type 2\n"); | ||
121 | if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) | ||
122 | errExit("mounting appimage"); | ||
123 | } | ||
124 | |||
125 | if (arg_debug) | ||
126 | printf("appimage mounted on %s\n", mntdir); | ||
127 | EUID_USER(); | ||
128 | |||
129 | char* abspath = realpath(appimage, NULL); | 99 | char* abspath = realpath(appimage, NULL); |
130 | if (abspath == NULL) | 100 | if (abspath == NULL) |
131 | errExit("Failed to obtain absolute path"); | 101 | errExit("Failed to obtain absolute path"); |
132 | |||
133 | // set environment | ||
134 | env_store_name_val("APPIMAGE", abspath, SETENV); | 102 | env_store_name_val("APPIMAGE", abspath, SETENV); |
103 | free(abspath); | ||
135 | 104 | ||
136 | if (mntdir) | 105 | env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV); |
137 | env_store_name_val("APPDIR", mntdir, SETENV); | ||
138 | 106 | ||
139 | if (size != 0) | 107 | if (size != 0) |
140 | env_store_name_val("ARGV0", appimage, SETENV); | 108 | env_store_name_val("ARGV0", appimage, SETENV); |
141 | 109 | ||
142 | if (cfg.cwd) | 110 | if (cfg.cwd) |
143 | env_store_name_val("OWD", cfg.cwd, SETENV); | 111 | env_store_name_val("OWD", cfg.cwd, SETENV); |
144 | |||
145 | // build new command line | ||
146 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) | ||
147 | errExit("asprintf"); | ||
148 | |||
149 | free(abspath); | ||
150 | free(mode); | ||
151 | #ifdef HAVE_GCOV | 112 | #ifdef HAVE_GCOV |
152 | __gcov_flush(); | 113 | __gcov_flush(); |
153 | #endif | 114 | #endif |
@@ -157,44 +118,38 @@ void appimage_set(const char *appimage) { | |||
157 | #endif | 118 | #endif |
158 | } | 119 | } |
159 | 120 | ||
160 | void appimage_clear(void) { | 121 | // mount appimage into sandbox file system |
161 | int rv; | 122 | void appimage_mount(void) { |
123 | if (!devloop) | ||
124 | return; | ||
162 | 125 | ||
163 | EUID_ROOT(); | 126 | unsigned long flags = MS_MGC_VAL|MS_RDONLY; |
164 | if (mntdir) { | 127 | if (getuid()) |
165 | int i; | 128 | flags |= MS_NODEV|MS_NOSUID; |
166 | int rv = 0; | ||
167 | for (i = 0; i < 5; i++) { | ||
168 | rv = umount2(mntdir, MNT_FORCE); | ||
169 | if (rv == 0) { | ||
170 | fmessage("AppImage unmounted\n"); | ||
171 | |||
172 | break; | ||
173 | } | ||
174 | if (rv == -1 && errno == EBUSY) { | ||
175 | fwarning("EBUSY error trying to unmount %s\n", mntdir); | ||
176 | sleep(2); | ||
177 | continue; | ||
178 | } | ||
179 | |||
180 | // rv = -1 | ||
181 | if (!arg_quiet) { | ||
182 | fwarning("error trying to unmount %s\n", mntdir); | ||
183 | perror("umount"); | ||
184 | } | ||
185 | } | ||
186 | 129 | ||
187 | if (rv == 0) { | 130 | if (size == 0) { |
188 | rmdir(mntdir); | 131 | fmessage("Mounting appimage type 1\n"); |
189 | free(mntdir); | 132 | char *mode; |
190 | } | 133 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) |
134 | errExit("asprintf"); | ||
135 | if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0) | ||
136 | errExit("mounting appimage"); | ||
137 | free(mode); | ||
191 | } | 138 | } |
139 | else { | ||
140 | fmessage("Mounting appimage type 2\n"); | ||
141 | if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0) | ||
142 | errExit("mounting appimage"); | ||
143 | } | ||
144 | } | ||
192 | 145 | ||
146 | void appimage_clear(void) { | ||
147 | EUID_ROOT(); | ||
193 | if (devloop) { | 148 | if (devloop) { |
194 | int lfd = open(devloop, O_RDONLY); | 149 | int lfd = open(devloop, O_RDONLY); |
195 | if (lfd != -1) { | 150 | if (lfd != -1) { |
196 | rv = ioctl(lfd, LOOP_CLR_FD, 0); | 151 | if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) |
197 | (void) rv; | 152 | fmessage("AppImage detached\n"); |
198 | close(lfd); | 153 | close(lfd); |
199 | } | 154 | } |
200 | } | 155 | } |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 4640cb8a5..43ca501da 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -132,22 +132,20 @@ static long unsigned int read_elf64(int fd) { | |||
132 | 132 | ||
133 | // return 0 if error | 133 | // return 0 if error |
134 | // return 0 if this is not an appimgage2 file | 134 | // return 0 if this is not an appimgage2 file |
135 | long unsigned int appimage2_size(const char *fname) { | 135 | long unsigned int appimage2_size(int fd) { |
136 | ssize_t ret; | 136 | ssize_t ret; |
137 | int fd; | ||
138 | long unsigned int size = 0; | 137 | long unsigned int size = 0; |
139 | 138 | ||
140 | fd = open(fname, O_RDONLY); | ||
141 | if (fd < 0) | 139 | if (fd < 0) |
142 | return 0; | 140 | return 0; |
143 | 141 | ||
144 | ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); | 142 | ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); |
145 | if (ret != EI_NIDENT) | 143 | if (ret != EI_NIDENT) |
146 | goto getout; | 144 | return 0; |
147 | 145 | ||
148 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | 146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && |
149 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | 147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) |
150 | goto getout; | 148 | return 0; |
151 | 149 | ||
152 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | 150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { |
153 | size = read_elf32(fd); | 151 | size = read_elf32(fd); |
@@ -156,23 +154,19 @@ long unsigned int appimage2_size(const char *fname) { | |||
156 | size = read_elf64(fd); | 154 | size = read_elf64(fd); |
157 | } | 155 | } |
158 | else { | 156 | else { |
159 | goto getout; | 157 | return 0; |
160 | } | 158 | } |
161 | if (size == 0) | 159 | if (size == 0) |
162 | goto getout; | 160 | return 0; |
163 | 161 | ||
164 | 162 | ||
165 | // look for a LZMA header at this location | 163 | // look for a LZMA header at this location |
166 | unsigned char buf[4]; | 164 | unsigned char buf[4]; |
167 | ret = pread(fd, buf, 4, size); | 165 | ret = pread(fd, buf, 4, size); |
168 | if (ret != 4) { | 166 | if (ret != 4) |
169 | size = 0; | 167 | return 0; |
170 | goto getout; | ||
171 | } | ||
172 | if (memcmp(buf, "hsqs", 4) != 0) | 168 | if (memcmp(buf, "hsqs", 4) != 0) |
173 | size = 0; | 169 | return 0; |
174 | 170 | ||
175 | getout: | ||
176 | close(fd); | ||
177 | return size; | 171 | return size; |
178 | } | 172 | } |
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 0cdcb32bf..f902c4e1c 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c | |||
@@ -161,18 +161,16 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar | |||
161 | assert(*window_title); | 161 | assert(*window_title); |
162 | } | 162 | } |
163 | 163 | ||
164 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) { | 164 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { |
165 | // index == -1 could happen if we have --shell=none and no program was specified | 165 | // index == -1 could happen if we have --shell=none and no program was specified |
166 | // the program should exit with an error before entering this function | 166 | // the program should exit with an error before entering this function |
167 | assert(index != -1); | 167 | assert(index != -1); |
168 | 168 | ||
169 | if (arg_debug) | 169 | char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun"; |
170 | printf("Building AppImage command line: %s\n", *command_line); | ||
171 | |||
172 | 170 | ||
173 | int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes | 171 | int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes |
174 | int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage | 172 | int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage |
175 | int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun | 173 | int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun |
176 | int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun | 174 | int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun |
177 | 175 | ||
178 | if (len4 > ARG_MAX) { | 176 | if (len4 > ARG_MAX) { |
@@ -180,11 +178,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
180 | errExit("cmdline_length"); | 178 | errExit("cmdline_length"); |
181 | } | 179 | } |
182 | 180 | ||
183 | // save created apprun in cfg.command_line | ||
184 | char *tmp1 = strdup(*command_line); | ||
185 | if (!tmp1) | ||
186 | errExit("strdup"); | ||
187 | |||
188 | // TODO: deal with extra allocated memory. | 181 | // TODO: deal with extra allocated memory. |
189 | char *command_line_tmp = malloc(len1 + len3 + 1); | 182 | char *command_line_tmp = malloc(len1 + len3 + 1); |
190 | if (!command_line_tmp) | 183 | if (!command_line_tmp) |
@@ -200,13 +193,12 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
200 | assert(*window_title); | 193 | assert(*window_title); |
201 | 194 | ||
202 | // 'fix' command_line now | 195 | // 'fix' command_line now |
203 | if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1) | 196 | if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1) |
204 | errExit("asprintf"); | 197 | errExit("asprintf"); |
205 | 198 | ||
206 | if (arg_debug) | 199 | if (arg_debug) |
207 | printf("AppImage quoted command line: %s\n", *command_line); | 200 | printf("AppImage quoted command line: %s\n", *command_line); |
208 | 201 | ||
209 | // free strdup | 202 | // free strdup |
210 | free(tmp1); | ||
211 | free(command_line_tmp); | 203 | free(command_line_tmp); |
212 | } | 204 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b21b5bef6..ca4c988fa 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -798,15 +798,15 @@ void print_compiletime_support(void); | |||
798 | 798 | ||
799 | // appimage.c | 799 | // appimage.c |
800 | void appimage_set(const char *appimage_path); | 800 | void appimage_set(const char *appimage_path); |
801 | void appimage_mount(void); | ||
801 | void appimage_clear(void); | 802 | void appimage_clear(void); |
802 | const char *appimage_getdir(void); | ||
803 | 803 | ||
804 | // appimage_size.c | 804 | // appimage_size.c |
805 | long unsigned int appimage2_size(const char *fname); | 805 | long unsigned int appimage2_size(int fd); |
806 | 806 | ||
807 | // cmdline.c | 807 | // cmdline.c |
808 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); | 808 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
809 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); | 809 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
810 | 810 | ||
811 | // sbox.c | 811 | // sbox.c |
812 | // programs | 812 | // programs |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index fe79daa70..fc67a15f3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
170 | } | 170 | } |
171 | } | 171 | } |
172 | fs_tmpfs(fname, getuid()); | 172 | fs_tmpfs(fname, getuid()); |
173 | selinux_relabel_path(fname, fname); | ||
173 | last_disable = SUCCESSFUL; | 174 | last_disable = SUCCESSFUL; |
174 | } | 175 | } |
175 | else | 176 | else |
@@ -800,8 +801,6 @@ void disable_config(void) { | |||
800 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); | 801 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); |
801 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) | 802 | if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) |
802 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); | 803 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); |
803 | if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0) | ||
804 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR); | ||
805 | } | 804 | } |
806 | 805 | ||
807 | 806 | ||
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 2c5ea8be0..46f32d7ad 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -31,7 +31,7 @@ | |||
31 | 31 | ||
32 | #include <fcntl.h> | 32 | #include <fcntl.h> |
33 | #ifndef O_PATH | 33 | #ifndef O_PATH |
34 | # define O_PATH 010000000 | 34 | #define O_PATH 010000000 |
35 | #endif | 35 | #endif |
36 | 36 | ||
37 | static void skel(const char *homedir, uid_t u, gid_t g) { | 37 | static void skel(const char *homedir, uid_t u, gid_t g) { |
@@ -384,7 +384,6 @@ void fs_private(void) { | |||
384 | if (chown(homedir, u, g) < 0) | 384 | if (chown(homedir, u, g) < 0) |
385 | errExit("chown"); | 385 | errExit("chown"); |
386 | 386 | ||
387 | selinux_relabel_path(homedir, homedir); | ||
388 | fs_logger2("mkdir", homedir); | 387 | fs_logger2("mkdir", homedir); |
389 | fs_logger2("tmpfs", homedir); | 388 | fs_logger2("tmpfs", homedir); |
390 | } | 389 | } |
@@ -392,6 +391,8 @@ void fs_private(void) { | |||
392 | // mask user home directory | 391 | // mask user home directory |
393 | // the directory should be owned by the current user | 392 | // the directory should be owned by the current user |
394 | fs_tmpfs(homedir, 1); | 393 | fs_tmpfs(homedir, 1); |
394 | |||
395 | selinux_relabel_path(homedir, homedir); | ||
395 | } | 396 | } |
396 | 397 | ||
397 | skel(homedir, u, g); | 398 | skel(homedir, u, g); |
@@ -549,7 +550,7 @@ void fs_private_home_list(void) { | |||
549 | 550 | ||
550 | // create /run/firejail/mnt/home directory | 551 | // create /run/firejail/mnt/home directory |
551 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); | 552 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); |
552 | selinux_relabel_path(RUN_HOME_DIR, "/home"); | 553 | selinux_relabel_path(RUN_HOME_DIR, homedir); |
553 | fs_logger_print(); // save the current log | 554 | fs_logger_print(); // save the current log |
554 | 555 | ||
555 | if (arg_debug) | 556 | if (arg_debug) |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 7e9666fc0..0491fd9b1 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -23,7 +23,8 @@ | |||
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <sys/types.h> | 24 | #include <sys/types.h> |
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | #include <dirent.h> | 26 | #include <fcntl.h> |
27 | #include <errno.h> | ||
27 | #include <glob.h> | 28 | #include <glob.h> |
28 | #define MAXBUF 4096 | 29 | #define MAXBUF 4096 |
29 | 30 | ||
@@ -34,6 +35,31 @@ extern void fslib_install_system(void); | |||
34 | static int lib_cnt = 0; | 35 | static int lib_cnt = 0; |
35 | static int dir_cnt = 0; | 36 | static int dir_cnt = 0; |
36 | 37 | ||
38 | static const char *masked_lib_dirs[] = { | ||
39 | "/usr/lib64", | ||
40 | "/lib64", | ||
41 | "/usr/lib", | ||
42 | "/lib", | ||
43 | "/usr/local/lib64", | ||
44 | "/usr/local/lib", | ||
45 | NULL, | ||
46 | }; | ||
47 | |||
48 | // return 1 if the file is in masked_lib_dirs[] | ||
49 | static int valid_full_path(const char *full_path) { | ||
50 | if (strstr(full_path, "..")) | ||
51 | return 0; | ||
52 | |||
53 | int i = 0; | ||
54 | while (masked_lib_dirs[i]) { | ||
55 | if (strncmp(full_path, masked_lib_dirs[i], strlen(masked_lib_dirs[i])) == 0 && | ||
56 | full_path[strlen(masked_lib_dirs[i])] == '/') | ||
57 | return 1; | ||
58 | i++; | ||
59 | } | ||
60 | return 0; | ||
61 | } | ||
62 | |||
37 | char *find_in_path(const char *program) { | 63 | char *find_in_path(const char *program) { |
38 | EUID_ASSERT(); | 64 | EUID_ASSERT(); |
39 | if (arg_debug) | 65 | if (arg_debug) |
@@ -45,9 +71,10 @@ char *find_in_path(const char *program) { | |||
45 | errExit("readlink"); | 71 | errExit("readlink"); |
46 | self[len] = '\0'; | 72 | self[len] = '\0'; |
47 | 73 | ||
48 | char *path = getenv("PATH"); | 74 | const char *path = env_get("PATH"); |
49 | if (!path) | 75 | if (!path) |
50 | return NULL; | 76 | return NULL; |
77 | |||
51 | char *dup = strdup(path); | 78 | char *dup = strdup(path); |
52 | if (!dup) | 79 | if (!dup) |
53 | errExit("strdup"); | 80 | errExit("strdup"); |
@@ -80,22 +107,6 @@ char *find_in_path(const char *program) { | |||
80 | return NULL; | 107 | return NULL; |
81 | } | 108 | } |
82 | 109 | ||
83 | static void report_duplication(const char *full_path) { | ||
84 | char *fname = strrchr(full_path, '/'); | ||
85 | if (fname && *(++fname) != '\0') { | ||
86 | // report the file on all bin paths | ||
87 | int i = 0; | ||
88 | while (default_lib_paths[i]) { | ||
89 | char *p; | ||
90 | if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1) | ||
91 | errExit("asprintf"); | ||
92 | fs_logger2("clone", p); | ||
93 | free(p); | ||
94 | i++; | ||
95 | } | ||
96 | } | ||
97 | } | ||
98 | |||
99 | static char *build_dest_dir(const char *full_path) { | 110 | static char *build_dest_dir(const char *full_path) { |
100 | assert(full_path); | 111 | assert(full_path); |
101 | if (strstr(full_path, "/x86_64-linux-gnu/")) | 112 | if (strstr(full_path, "/x86_64-linux-gnu/")) |
@@ -103,56 +114,107 @@ static char *build_dest_dir(const char *full_path) { | |||
103 | return RUN_LIB_DIR; | 114 | return RUN_LIB_DIR; |
104 | } | 115 | } |
105 | 116 | ||
106 | // copy fname in private_run_dir | 117 | // return name of mount target in allocated memory |
107 | void fslib_duplicate(const char *full_path) { | 118 | static char *build_dest_name(const char *full_path) { |
108 | assert(full_path); | 119 | assert(full_path); |
120 | char *fname = strrchr(full_path, '/'); | ||
121 | assert(fname); | ||
122 | fname++; | ||
123 | assert(*fname != '\0'); | ||
109 | 124 | ||
110 | struct stat s; | 125 | char *dest; |
111 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) | 126 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1) |
112 | return; | 127 | errExit("asprintf"); |
128 | return dest; | ||
129 | } | ||
113 | 130 | ||
114 | char *dest_dir = build_dest_dir(full_path); | 131 | static void fslib_mount_dir(const char *full_path) { |
132 | // create new directory and mount the original on top of it | ||
133 | char *dest = build_dest_name(full_path); | ||
134 | if (mkdir(dest, 0755) == -1) { | ||
135 | if (errno == EEXIST) { // directory has been mounted already, nothing to do | ||
136 | free(dest); | ||
137 | return; | ||
138 | } | ||
139 | errExit("mkdir"); | ||
140 | } | ||
115 | 141 | ||
116 | // don't copy it if the file is already there | 142 | if (arg_debug || arg_debug_private_lib) |
117 | char *ptr = strrchr(full_path, '/'); | 143 | printf(" mounting %s on %s\n", full_path, dest); |
118 | if (!ptr) | 144 | // if full_path is a symbolic link, mount will follow it |
119 | return; | 145 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0) |
120 | ptr++; | 146 | errExit("mount bind"); |
121 | if (*ptr == '\0') | 147 | free(dest); |
122 | return; | 148 | dir_cnt++; |
149 | } | ||
123 | 150 | ||
124 | char *name; | 151 | static void fslib_mount_file(const char *full_path) { |
125 | if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1) | 152 | // create new file and mount the original on top of it |
126 | errExit("asprintf"); | 153 | char *dest = build_dest_name(full_path); |
127 | if (stat(name, &s) == 0) { | 154 | int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); |
128 | free(name); | 155 | if (fd == -1) { |
129 | return; | 156 | if (errno == EEXIST) { // file has been mounted already, nothing to do |
157 | free(dest); | ||
158 | return; | ||
159 | } | ||
160 | errExit("open"); | ||
130 | } | 161 | } |
131 | free(name); | 162 | close(fd); |
132 | 163 | ||
133 | if (arg_debug || arg_debug_private_lib) | 164 | if (arg_debug || arg_debug_private_lib) |
134 | printf(" copying %s to private %s\n", full_path, dest_dir); | 165 | printf(" mounting %s on %s\n", full_path, dest); |
135 | 166 | // if full_path is a symbolic link, mount will follow it | |
136 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); | 167 | if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0) |
137 | report_duplication(full_path); | 168 | errExit("mount bind"); |
169 | free(dest); | ||
138 | lib_cnt++; | 170 | lib_cnt++; |
139 | } | 171 | } |
140 | 172 | ||
173 | void fslib_mount(const char *full_path) { | ||
174 | assert(full_path); | ||
175 | struct stat s; | ||
176 | |||
177 | if (!valid_full_path(full_path) || | ||
178 | access(full_path, F_OK) != 0 || | ||
179 | stat(full_path, &s) != 0 || | ||
180 | s.st_uid != 0) | ||
181 | return; | ||
182 | |||
183 | if (S_ISDIR(s.st_mode)) | ||
184 | fslib_mount_dir(full_path); | ||
185 | else if (S_ISREG(s.st_mode) && is_lib_64(full_path)) | ||
186 | fslib_mount_file(full_path); | ||
187 | } | ||
188 | |||
141 | // requires full path for lib | 189 | // requires full path for lib |
142 | // it could be a library or an executable | 190 | // it could be a library or an executable |
143 | // lib is not copied, only libraries used by it | 191 | // lib is not copied, only libraries used by it |
144 | static void fslib_copy_libs(const char *full_path, unsigned mask) { | 192 | void fslib_mount_libs(const char *full_path, unsigned user) { |
193 | assert(full_path); | ||
194 | // if library/executable does not exist or the user does not have read access to it | ||
195 | // print a warning and exit the function. | ||
196 | if (user && access(full_path, R_OK)) { | ||
197 | if (arg_debug || arg_debug_private_lib) | ||
198 | printf("Cannot read %s, skipping...\n", full_path); | ||
199 | return; | ||
200 | } | ||
201 | |||
202 | if (arg_debug || arg_debug_private_lib) | ||
203 | printf(" fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root"); | ||
145 | // create an empty RUN_LIB_FILE and allow the user to write to it | 204 | // create an empty RUN_LIB_FILE and allow the user to write to it |
146 | unlink(RUN_LIB_FILE); // in case is there | 205 | unlink(RUN_LIB_FILE); // in case is there |
147 | create_empty_file_as_root(RUN_LIB_FILE, 0644); | 206 | create_empty_file_as_root(RUN_LIB_FILE, 0644); |
148 | if (mask & SBOX_USER) { | 207 | if (user && chown(RUN_LIB_FILE, getuid(), getgid())) |
149 | if (chown(RUN_LIB_FILE, getuid(), getgid())) | 208 | errExit("chown"); |
150 | errExit("chown"); | ||
151 | } | ||
152 | 209 | ||
153 | // run fldd to extract the list of files | 210 | // run fldd to extract the list of files |
154 | if (arg_debug || arg_debug_private_lib) | 211 | if (arg_debug || arg_debug_private_lib) |
155 | printf(" running fldd %s\n", full_path); | 212 | printf(" running fldd %s\n", full_path); |
213 | unsigned mask; | ||
214 | if (user) | ||
215 | mask = SBOX_USER; | ||
216 | else | ||
217 | mask = SBOX_ROOT; | ||
156 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); | 218 | sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); |
157 | 219 | ||
158 | // open the list of libraries and install them on by one | 220 | // open the list of libraries and install them on by one |
@@ -166,96 +228,30 @@ static void fslib_copy_libs(const char *full_path, unsigned mask) { | |||
166 | char *ptr = strchr(buf, '\n'); | 228 | char *ptr = strchr(buf, '\n'); |
167 | if (ptr) | 229 | if (ptr) |
168 | *ptr = '\0'; | 230 | *ptr = '\0'; |
169 | fslib_duplicate(buf); | 231 | |
232 | fslib_mount(buf); | ||
170 | } | 233 | } |
171 | fclose(fp); | 234 | fclose(fp); |
172 | unlink(RUN_LIB_FILE); | 235 | unlink(RUN_LIB_FILE); |
173 | } | 236 | } |
174 | 237 | ||
175 | void fslib_copy_libs_parse_as_root(const char *full_path) { | 238 | // fname should be a valid full path at this point |
176 | assert(full_path); | ||
177 | if (arg_debug || arg_debug_private_lib) | ||
178 | printf(" fslib_copy_libs_parse_as_root %s\n", full_path); | ||
179 | |||
180 | struct stat s; | ||
181 | if (stat(full_path, &s)) { | ||
182 | if (arg_debug || arg_debug_private_lib) | ||
183 | printf("cannot find %s for private-lib, skipping...\n", full_path); | ||
184 | return; | ||
185 | } | ||
186 | fslib_copy_libs(full_path, SBOX_ROOT); | ||
187 | } | ||
188 | |||
189 | // if library/executable does not exist or the user does not have read access to it | ||
190 | // print a warning and exit the function. | ||
191 | void fslib_copy_libs_parse_as_user(const char *full_path) { | ||
192 | assert(full_path); | ||
193 | if (arg_debug || arg_debug_private_lib) | ||
194 | printf(" fslib_copy_libs_parse_as_user %s\n", full_path); | ||
195 | |||
196 | if (access(full_path, R_OK)) { | ||
197 | if (arg_debug || arg_debug_private_lib) | ||
198 | printf("cannot find %s for private-lib, skipping...\n", full_path); | ||
199 | return; | ||
200 | } | ||
201 | fslib_copy_libs(full_path, SBOX_USER); | ||
202 | } | ||
203 | |||
204 | void fslib_copy_dir(const char *full_path) { | ||
205 | assert(full_path); | ||
206 | if (arg_debug || arg_debug_private_lib) | ||
207 | printf(" fslib_copy_dir %s\n", full_path); | ||
208 | |||
209 | // do nothing if the directory does not exist or is not owned by root | ||
210 | struct stat s; | ||
211 | if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) | ||
212 | return; | ||
213 | |||
214 | char *dir_name = strrchr(full_path, '/'); | ||
215 | assert(dir_name); | ||
216 | dir_name++; | ||
217 | assert(*dir_name != '\0'); | ||
218 | |||
219 | // do nothing if the directory is already there | ||
220 | char *dest; | ||
221 | if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) | ||
222 | errExit("asprintf"); | ||
223 | if (stat(dest, &s) == 0) { | ||
224 | free(dest); | ||
225 | return; | ||
226 | } | ||
227 | |||
228 | // create new directory and mount the original on top of it | ||
229 | mkdir_attr(dest, 0755, 0, 0); | ||
230 | |||
231 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
232 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | ||
233 | errExit("mount bind"); | ||
234 | fs_logger2("clone", full_path); | ||
235 | fs_logger2("mount", full_path); | ||
236 | dir_cnt++; | ||
237 | free(dest); | ||
238 | } | ||
239 | |||
240 | // fname should be a vallid full path at this point | ||
241 | static void load_library(const char *fname) { | 239 | static void load_library(const char *fname) { |
242 | assert(fname); | 240 | assert(fname); |
243 | assert(*fname == '/'); | 241 | assert(*fname == '/'); |
244 | 242 | ||
245 | // existing file owned by root, read access | 243 | // existing file owned by root |
246 | struct stat s; | 244 | struct stat s; |
247 | if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { | 245 | if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) { |
248 | // load directories, regular 64 bit libraries, and 64 bit executables | 246 | // load directories, regular 64 bit libraries, and 64 bit executables |
249 | if (is_dir(fname) || is_lib_64(fname)) { | 247 | if (S_ISDIR(s.st_mode)) |
250 | if (is_dir(fname)) | 248 | fslib_mount(fname); |
251 | fslib_copy_dir(fname); | 249 | else if (S_ISREG(s.st_mode) && is_lib_64(fname)) { |
252 | else { | 250 | if (strstr(fname, ".so") || |
253 | if (strstr(fname, ".so") || | 251 | access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries |
254 | access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries | 252 | fslib_mount(fname); |
255 | fslib_duplicate(fname); | 253 | |
256 | 254 | fslib_mount_libs(fname, 1); // parse as user | |
257 | fslib_copy_libs_parse_as_user(fname); | ||
258 | } | ||
259 | } | 255 | } |
260 | } | 256 | } |
261 | } | 257 | } |
@@ -311,7 +307,6 @@ static void install_list_entry(const char *lib) { | |||
311 | return; | 307 | return; |
312 | } | 308 | } |
313 | 309 | ||
314 | |||
315 | void fslib_install_list(const char *lib_list) { | 310 | void fslib_install_list(const char *lib_list) { |
316 | assert(lib_list); | 311 | assert(lib_list); |
317 | if (arg_debug || arg_debug_private_lib) | 312 | if (arg_debug || arg_debug_private_lib) |
@@ -334,34 +329,20 @@ void fslib_install_list(const char *lib_list) { | |||
334 | fs_logger_print(); | 329 | fs_logger_print(); |
335 | } | 330 | } |
336 | 331 | ||
337 | |||
338 | |||
339 | static void mount_directories(void) { | 332 | static void mount_directories(void) { |
340 | if (arg_debug || arg_debug_private_lib) | 333 | fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself |
341 | printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); | 334 | |
342 | 335 | int i = 0; | |
343 | if (is_dir("/lib")) { | 336 | while (masked_lib_dirs[i]) { |
344 | if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | 337 | if (is_dir(masked_lib_dirs[i])) { |
345 | mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 338 | if (arg_debug || arg_debug_private_lib) |
346 | errExit("mount bind"); | 339 | printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]); |
347 | fs_logger2("tmpfs", "/lib"); | 340 | if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
348 | fs_logger("mount /lib"); | 341 | errExit("mount bind"); |
349 | } | 342 | fs_logger2("tmpfs", masked_lib_dirs[i]); |
350 | 343 | fs_logger2("mount", masked_lib_dirs[i]); | |
351 | if (is_dir("/lib64")) { | 344 | } |
352 | if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || | 345 | i++; |
353 | mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | ||
354 | errExit("mount bind"); | ||
355 | fs_logger2("tmpfs", "/lib64"); | ||
356 | fs_logger("mount /lib64"); | ||
357 | } | ||
358 | |||
359 | if (is_dir("/usr/lib")) { | ||
360 | if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
361 | mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | ||
362 | errExit("mount bind"); | ||
363 | fs_logger2("tmpfs", "/usr/lib"); | ||
364 | fs_logger("mount /usr/lib"); | ||
365 | } | 346 | } |
366 | 347 | ||
367 | // for amd64 only - we'll deal with i386 later | 348 | // for amd64 only - we'll deal with i386 later |
@@ -431,7 +412,6 @@ void fs_private_lib(void) { | |||
431 | fslib_install_list(cfg.shell); | 412 | fslib_install_list(cfg.shell); |
432 | // a shell is useless without some basic commands | 413 | // a shell is useless without some basic commands |
433 | fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); | 414 | fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); |
434 | |||
435 | } | 415 | } |
436 | 416 | ||
437 | // for the listed libs and directories | 417 | // for the listed libs and directories |
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index d46cfed86..c69bf7c98 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -21,10 +21,8 @@ | |||
21 | #include <dirent.h> | 21 | #include <dirent.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | 23 | ||
24 | extern void fslib_duplicate(const char *full_path); | 24 | extern void fslib_mount_libs(const char *full_path, unsigned user); |
25 | extern void fslib_copy_libs_parse_as_user(const char *full_path); | 25 | extern void fslib_mount(const char *full_path); |
26 | extern void fslib_copy_libs_parse_as_root(const char *full_path); | ||
27 | extern void fslib_copy_dir(const char *full_path); | ||
28 | 26 | ||
29 | //*************************************************************** | 27 | //*************************************************************** |
30 | // Standard C library | 28 | // Standard C library |
@@ -98,7 +96,8 @@ static void stdc(const char *dirname) { | |||
98 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) | 96 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) |
99 | errExit("asprintf"); | 97 | errExit("asprintf"); |
100 | 98 | ||
101 | fslib_duplicate(fname); | 99 | fslib_mount(fname); |
100 | free(fname); | ||
102 | } | 101 | } |
103 | } | 102 | } |
104 | closedir(dir); | 103 | closedir(dir); |
@@ -119,7 +118,7 @@ void fslib_install_stdc(void) { | |||
119 | 118 | ||
120 | // install locale | 119 | // install locale |
121 | if (stat("/usr/lib/locale", &s) == 0) | 120 | if (stat("/usr/lib/locale", &s) == 0) |
122 | fslib_copy_dir("/usr/lib/locale"); | 121 | fslib_mount("/usr/lib/locale"); |
123 | 122 | ||
124 | fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); | 123 | fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); |
125 | } | 124 | } |
@@ -129,7 +128,8 @@ void fslib_install_stdc(void) { | |||
129 | //*************************************************************** | 128 | //*************************************************************** |
130 | 129 | ||
131 | static void fdir(void) { | 130 | static void fdir(void) { |
132 | fslib_copy_dir(LIBDIR "/firejail"); | 131 | // firejail directory itself |
132 | fslib_mount(LIBDIR "/firejail"); | ||
133 | 133 | ||
134 | // executables and libraries from firejail directory | 134 | // executables and libraries from firejail directory |
135 | static const char * const fbin[] = { | 135 | static const char * const fbin[] = { |
@@ -143,30 +143,28 @@ static void fdir(void) { | |||
143 | NULL, | 143 | NULL, |
144 | }; | 144 | }; |
145 | 145 | ||
146 | // need to run fldd as root user, unprivileged users have no read permission on executables | 146 | // need to parse as root user, unprivileged users have no read permission on executables |
147 | int i; | 147 | int i; |
148 | for (i = 0; fbin[i]; i++) | 148 | for (i = 0; fbin[i]; i++) |
149 | fslib_copy_libs_parse_as_root(fbin[i]); | 149 | fslib_mount_libs(fbin[i], 0); |
150 | } | 150 | } |
151 | 151 | ||
152 | void fslib_install_firejail(void) { | 152 | void fslib_install_firejail(void) { |
153 | timetrace_start(); | 153 | timetrace_start(); |
154 | // bring in firejail executable libraries, in case we are redirected here | 154 | // bring in firejail executable libraries, in case we are redirected here |
155 | // by a firejail symlink from /usr/local/bin/firejail | 155 | // by a firejail symlink from /usr/local/bin/firejail |
156 | fslib_copy_libs_parse_as_user(PATH_FIREJAIL); | 156 | fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user |
157 | 157 | ||
158 | // bring in firejail directory | 158 | // bring in firejail directory |
159 | fdir(); | 159 | fdir(); |
160 | 160 | ||
161 | // bring in dhclient libraries | 161 | // bring in dhclient libraries |
162 | if (any_dhcp()) | 162 | if (any_dhcp()) |
163 | fslib_copy_libs_parse_as_user(RUN_MNT_DIR "/dhclient"); | 163 | fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user |
164 | 164 | ||
165 | #ifdef HAVE_X11 | ||
166 | // bring in xauth libraries | 165 | // bring in xauth libraries |
167 | if (arg_x11_xorg) | 166 | if (arg_x11_xorg) |
168 | fslib_copy_libs_parse_as_user("/usr/bin/xauth"); | 167 | fslib_mount_libs("/usr/bin/xauth", 1); // parse as user |
169 | #endif | ||
170 | 168 | ||
171 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); | 169 | fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); |
172 | } | 170 | } |
@@ -315,8 +313,8 @@ void fslib_install_system(void) { | |||
315 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) | 313 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) |
316 | errExit("asprintf"); | 314 | errExit("asprintf"); |
317 | if (access(name, R_OK) == 0) { | 315 | if (access(name, R_OK) == 0) { |
318 | fslib_copy_libs_parse_as_user(name); | 316 | fslib_mount_libs(name, 1); // parse as user |
319 | fslib_copy_dir(name); | 317 | fslib_mount(name); |
320 | } | 318 | } |
321 | else { | 319 | else { |
322 | free(name); | 320 | free(name); |
@@ -324,8 +322,8 @@ void fslib_install_system(void) { | |||
324 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) | 322 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) |
325 | errExit("asprintf"); | 323 | errExit("asprintf"); |
326 | if (access(name, R_OK) == 0) { | 324 | if (access(name, R_OK) == 0) { |
327 | fslib_copy_libs_parse_as_user(name); | 325 | fslib_mount_libs(name, 1); // parse as user |
328 | fslib_copy_dir(name); | 326 | fslib_mount(name); |
329 | } | 327 | } |
330 | } | 328 | } |
331 | free(name); | 329 | free(name); |
@@ -335,8 +333,8 @@ void fslib_install_system(void) { | |||
335 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) | 333 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) |
336 | errExit("asprintf"); | 334 | errExit("asprintf"); |
337 | if (access(name, R_OK) == 0) { | 335 | if (access(name, R_OK) == 0) { |
338 | fslib_copy_libs_parse_as_user(name); | 336 | fslib_mount_libs(name, 1); // parse as user |
339 | fslib_copy_dir(name); | 337 | fslib_mount(name); |
340 | } | 338 | } |
341 | else { | 339 | else { |
342 | free(name); | 340 | free(name); |
@@ -344,8 +342,8 @@ void fslib_install_system(void) { | |||
344 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) | 342 | if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) |
345 | errExit("asprintf"); | 343 | errExit("asprintf"); |
346 | if (access(name, R_OK) == 0) { | 344 | if (access(name, R_OK) == 0) { |
347 | fslib_copy_libs_parse_as_user(name); | 345 | fslib_mount_libs(name, 1); // parse as user |
348 | fslib_copy_dir(name); | 346 | fslib_mount(name); |
349 | } | 347 | } |
350 | } | 348 | } |
351 | free(name); | 349 | free(name); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 9705c2436..b3524fcf5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2790,7 +2790,7 @@ int main(int argc, char **argv, char **envp) { | |||
2790 | if (arg_debug) | 2790 | if (arg_debug) |
2791 | printf("Configuring appimage environment\n"); | 2791 | printf("Configuring appimage environment\n"); |
2792 | appimage_set(cfg.command_name); | 2792 | appimage_set(cfg.command_name); |
2793 | build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line); | 2793 | build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
2794 | } | 2794 | } |
2795 | else { | 2795 | else { |
2796 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | 2796 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f3266c23e..351b760df 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -157,6 +157,10 @@ static int check_nosound(void) { | |||
157 | return arg_nosound != 0; | 157 | return arg_nosound != 0; |
158 | } | 158 | } |
159 | 159 | ||
160 | static int check_private(void) { | ||
161 | return arg_private; | ||
162 | } | ||
163 | |||
160 | static int check_x11(void) { | 164 | static int check_x11(void) { |
161 | return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); | 165 | return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); |
162 | } | 166 | } |
@@ -174,6 +178,7 @@ Cond conditionals[] = { | |||
174 | {"HAS_NET", check_netoptions}, | 178 | {"HAS_NET", check_netoptions}, |
175 | {"HAS_NODBUS", check_nodbus}, | 179 | {"HAS_NODBUS", check_nodbus}, |
176 | {"HAS_NOSOUND", check_nosound}, | 180 | {"HAS_NOSOUND", check_nosound}, |
181 | {"HAS_PRIVATE", check_private}, | ||
177 | {"HAS_X11", check_x11}, | 182 | {"HAS_X11", check_x11}, |
178 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, | 183 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, |
179 | {"BROWSER_ALLOW_DRM", check_allow_drm}, | 184 | {"BROWSER_ALLOW_DRM", check_allow_drm}, |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 0dfd9ca1c..a0ca4c02c 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -72,7 +72,7 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | // keep a copy of the user home directory | 75 | // open user home directory in order to keep it around |
76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
77 | if (fd == -1) | 77 | if (fd == -1) |
78 | goto errout; | 78 | goto errout; |
@@ -82,47 +82,38 @@ static void sanitize_home(void) { | |||
82 | close(fd); | 82 | close(fd); |
83 | goto errout; | 83 | goto errout; |
84 | } | 84 | } |
85 | char *proc; | ||
86 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
87 | errExit("asprintf"); | ||
88 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
89 | errExit("mkdir"); | ||
90 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
91 | errExit("mount bind"); | ||
92 | free(proc); | ||
93 | close(fd); | ||
94 | 85 | ||
95 | // mount tmpfs in the new home | 86 | // mount tmpfs on /home |
96 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 87 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
97 | errExit("mount tmpfs"); | 88 | errExit("mount tmpfs"); |
98 | selinux_relabel_path("/home", "/home"); | 89 | selinux_relabel_path("/home", "/home"); |
99 | fs_logger("tmpfs /home"); | 90 | fs_logger("tmpfs /home"); |
100 | 91 | ||
101 | // create user home directory | 92 | // create new user home directory |
102 | if (mkdir(cfg.homedir, 0755) == -1) { | 93 | if (mkdir(cfg.homedir, 0755) == -1) { |
103 | if (mkpath_as_root(cfg.homedir)) | 94 | if (mkpath_as_root(cfg.homedir) == -1) |
104 | errExit("mkpath"); | 95 | errExit("mkpath"); |
105 | if (mkdir(cfg.homedir, 0755) == -1) | 96 | if (mkdir(cfg.homedir, 0755) == -1) |
106 | errExit("mkdir"); | 97 | errExit("mkdir"); |
107 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
108 | } | 98 | } |
109 | fs_logger2("mkdir", cfg.homedir); | 99 | fs_logger2("mkdir", cfg.homedir); |
110 | 100 | ||
111 | // set mode and ownership | 101 | // set mode and ownership |
112 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) | 102 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
113 | errExit("set_perms"); | 103 | errExit("set_perms"); |
104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
114 | 105 | ||
115 | // mount user home directory | 106 | // bring back real user home directory |
116 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 107 | char *proc; |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
117 | errExit("mount bind"); | 111 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | ||
118 | 114 | ||
119 | // mask home dir under /run | ||
120 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
121 | errExit("mount tmpfs"); | ||
122 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
123 | if (!arg_private) | 115 | if (!arg_private) |
124 | fs_logger2("whitelist", cfg.homedir); | 116 | fs_logger2("whitelist", cfg.homedir); |
125 | |||
126 | return; | 117 | return; |
127 | 118 | ||
128 | errout: | 119 | errout: |
@@ -137,22 +128,15 @@ static void sanitize_run(void) { | |||
137 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) | 128 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) |
138 | errExit("asprintf"); | 129 | errExit("asprintf"); |
139 | 130 | ||
140 | struct stat s; | 131 | // open /run/user/$UID directory in order to keep it around |
141 | if (stat(runuser, &s) == -1) { | 132 | int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
142 | // cannot find /user/run/$UID directory, just return | 133 | if (fd == -1) { |
143 | if (arg_debug) | 134 | if (arg_debug) |
144 | printf("Cannot find %s directory\n", runuser); | 135 | printf("Cannot open %s directory\n", runuser); |
145 | free(runuser); | 136 | free(runuser); |
146 | return; | 137 | return; |
147 | } | 138 | } |
148 | 139 | ||
149 | if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) | ||
150 | errExit("mkdir"); | ||
151 | |||
152 | // keep a copy of the /run/user/$UID directory | ||
153 | if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mount bind"); | ||
155 | |||
156 | // mount tmpfs on /run/user | 140 | // mount tmpfs on /run/user |
157 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 141 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
158 | errExit("mount tmpfs"); | 142 | errExit("mount tmpfs"); |
@@ -162,22 +146,23 @@ static void sanitize_run(void) { | |||
162 | // create new user directory | 146 | // create new user directory |
163 | if (mkdir(runuser, 0700) == -1) | 147 | if (mkdir(runuser, 0700) == -1) |
164 | errExit("mkdir"); | 148 | errExit("mkdir"); |
165 | selinux_relabel_path(runuser, runuser); | ||
166 | fs_logger2("mkdir", runuser); | 149 | fs_logger2("mkdir", runuser); |
167 | 150 | ||
168 | // set mode and ownership | 151 | // set mode and ownership |
169 | if (set_perms(runuser, getuid(), getgid(), 0700)) | 152 | if (set_perms(runuser, getuid(), getgid(), 0700)) |
170 | errExit("set_perms"); | 153 | errExit("set_perms"); |
154 | selinux_relabel_path(runuser, runuser); | ||
171 | 155 | ||
172 | // mount /run/user/$UID directory | 156 | // bring back real run/user/$UID directory |
173 | if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | 157 | char *proc; |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
174 | errExit("mount bind"); | 161 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | ||
175 | 164 | ||
176 | // mask mirrored /run/user/$UID directory | 165 | fs_logger2("whitelist", runuser); |
177 | if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
178 | errExit("mount tmpfs"); | ||
179 | fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); | ||
180 | |||
181 | free(runuser); | 166 | free(runuser); |
182 | } | 167 | } |
183 | 168 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b6e0468c6..743d84b43 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -825,6 +825,11 @@ int sandbox(void* sandbox_arg) { | |||
825 | fs_basic_fs(); | 825 | fs_basic_fs(); |
826 | 826 | ||
827 | //**************************** | 827 | //**************************** |
828 | // appimage | ||
829 | //**************************** | ||
830 | appimage_mount(); | ||
831 | |||
832 | //**************************** | ||
828 | // private mode | 833 | // private mode |
829 | //**************************** | 834 | //**************************** |
830 | if (arg_private) { | 835 | if (arg_private) { |
@@ -1029,23 +1034,11 @@ int sandbox(void* sandbox_arg) { | |||
1029 | fs_dev_disable_video(); | 1034 | fs_dev_disable_video(); |
1030 | 1035 | ||
1031 | //**************************** | 1036 | //**************************** |
1032 | // install trace | ||
1033 | //**************************** | ||
1034 | if (need_preload) | ||
1035 | fs_trace(); | ||
1036 | |||
1037 | //**************************** | ||
1038 | // set dns | 1037 | // set dns |
1039 | //**************************** | 1038 | //**************************** |
1040 | fs_resolvconf(); | 1039 | fs_resolvconf(); |
1041 | 1040 | ||
1042 | //**************************** | 1041 | //**************************** |
1043 | // fs post-processing | ||
1044 | //**************************** | ||
1045 | fs_logger_print(); | ||
1046 | fs_logger_change_owner(); | ||
1047 | |||
1048 | //**************************** | ||
1049 | // start dhcp client | 1042 | // start dhcp client |
1050 | //**************************** | 1043 | //**************************** |
1051 | dhcp_start(); | 1044 | dhcp_start(); |
@@ -1094,6 +1087,12 @@ int sandbox(void* sandbox_arg) { | |||
1094 | save_umask(); | 1087 | save_umask(); |
1095 | 1088 | ||
1096 | //**************************** | 1089 | //**************************** |
1090 | // fs post-processing | ||
1091 | //**************************** | ||
1092 | fs_logger_print(); | ||
1093 | fs_logger_change_owner(); | ||
1094 | |||
1095 | //**************************** | ||
1097 | // set security filters | 1096 | // set security filters |
1098 | //**************************** | 1097 | //**************************** |
1099 | // save state of nonewprivs | 1098 | // save state of nonewprivs |
@@ -1150,13 +1149,21 @@ int sandbox(void* sandbox_arg) { | |||
1150 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); | 1149 | fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); |
1151 | seccomp_debug(); | 1150 | seccomp_debug(); |
1152 | 1151 | ||
1152 | //**************************** | ||
1153 | // install trace - still need capabilities | ||
1154 | //**************************** | ||
1155 | if (need_preload) | ||
1156 | fs_trace(); | ||
1157 | |||
1158 | //**************************** | ||
1159 | // continue security filters | ||
1160 | //**************************** | ||
1153 | // set capabilities | 1161 | // set capabilities |
1154 | set_caps(); | 1162 | set_caps(); |
1155 | 1163 | ||
1156 | //**************************************** | 1164 | //**************************************** |
1157 | // relay status information to join option | 1165 | // relay status information to join option |
1158 | //**************************************** | 1166 | //**************************************** |
1159 | |||
1160 | char *set_sandbox_status = create_join_file(); | 1167 | char *set_sandbox_status = create_join_file(); |
1161 | 1168 | ||
1162 | //**************************************** | 1169 | //**************************************** |
@@ -1217,7 +1224,6 @@ int sandbox(void* sandbox_arg) { | |||
1217 | //**************************************** | 1224 | //**************************************** |
1218 | // set cpu affinity | 1225 | // set cpu affinity |
1219 | //**************************************** | 1226 | //**************************************** |
1220 | |||
1221 | if (cfg.cpus) | 1227 | if (cfg.cpus) |
1222 | set_cpu_affinity(); | 1228 | set_cpu_affinity(); |
1223 | 1229 | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index 53c671794..2ad85acd6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -441,35 +441,22 @@ int is_dir(const char *fname) { | |||
441 | return 0; | 441 | return 0; |
442 | } | 442 | } |
443 | 443 | ||
444 | |||
445 | // return 1 if the file is a link | 444 | // return 1 if the file is a link |
446 | int is_link(const char *fname) { | 445 | int is_link(const char *fname) { |
447 | assert(fname); | 446 | assert(fname); |
448 | if (*fname == '\0') | 447 | if (*fname == '\0') |
449 | return 0; | 448 | return 0; |
450 | 449 | ||
451 | char *dup = NULL; | 450 | char *dup = strdup(fname); |
452 | struct stat s; | 451 | if (!dup) |
453 | if (lstat(fname, &s) == 0) { | 452 | errExit("strdup"); |
454 | if (S_ISLNK(s.st_mode)) | 453 | trim_trailing_slash_or_dot(dup); |
455 | return 1; | 454 | |
456 | if (S_ISDIR(s.st_mode)) { | 455 | char c; |
457 | // remove trailing slashes and single dots and try again | 456 | ssize_t rv = readlink(dup, &c, 1); |
458 | dup = strdup(fname); | ||
459 | if (!dup) | ||
460 | errExit("strdup"); | ||
461 | trim_trailing_slash_or_dot(dup); | ||
462 | if (lstat(dup, &s) == 0) { | ||
463 | if (S_ISLNK(s.st_mode)) { | ||
464 | free(dup); | ||
465 | return 1; | ||
466 | } | ||
467 | } | ||
468 | } | ||
469 | } | ||
470 | 457 | ||
471 | free(dup); | 458 | free(dup); |
472 | return 0; | 459 | return (rv != -1); |
473 | } | 460 | } |
474 | 461 | ||
475 | // remove all slashes and single dots from the end of a path | 462 | // remove all slashes and single dots from the end of a path |
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 5749c66e4..d14f6782f 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -84,8 +84,6 @@ | |||
84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" | 84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" |
85 | 85 | ||
86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" | 86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" |
87 | #define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking | ||
88 | #define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking | ||
89 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting | 87 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting |
90 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting | 88 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting |
91 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" | 89 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" |
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h index 10174cc9a..0c4883061 100644 --- a/src/jailtest/jailtest.h +++ b/src/jailtest/jailtest.h | |||
@@ -38,6 +38,10 @@ void access_destroy(void); | |||
38 | void noexec_setup(void); | 38 | void noexec_setup(void); |
39 | void noexec_test(const char *msg); | 39 | void noexec_test(const char *msg); |
40 | 40 | ||
41 | // sysfiles.c | ||
42 | void sysfiles_setup(const char *file); | ||
43 | void sysfiles_test(void); | ||
44 | |||
41 | // virtual.c | 45 | // virtual.c |
42 | void virtual_setup(const char *directory); | 46 | void virtual_setup(const char *directory); |
43 | void virtual_destroy(void); | 47 | void virtual_destroy(void); |
diff --git a/src/jailtest/main.c b/src/jailtest/main.c index 850277bc5..3369dca39 100644 --- a/src/jailtest/main.c +++ b/src/jailtest/main.c | |||
@@ -114,8 +114,32 @@ int main(int argc, char **argv) { | |||
114 | virtual_setup("/bin"); | 114 | virtual_setup("/bin"); |
115 | virtual_setup("/usr/share"); | 115 | virtual_setup("/usr/share"); |
116 | virtual_setup(user_run_dir); | 116 | virtual_setup(user_run_dir); |
117 | 117 | // basic sysfiles | |
118 | 118 | sysfiles_setup("/etc/shadow"); | |
119 | sysfiles_setup("/etc/gshadow"); | ||
120 | sysfiles_setup("/usr/bin/mount"); | ||
121 | sysfiles_setup("/usr/bin/su"); | ||
122 | sysfiles_setup("/usr/bin/ksu"); | ||
123 | sysfiles_setup("/usr/bin/sudo"); | ||
124 | sysfiles_setup("/usr/bin/strace"); | ||
125 | // X11 | ||
126 | sysfiles_setup("/usr/bin/xev"); | ||
127 | sysfiles_setup("/usr/bin/xinput"); | ||
128 | // compilers | ||
129 | sysfiles_setup("/usr/bin/gcc"); | ||
130 | sysfiles_setup("/usr/bin/clang"); | ||
131 | // networking | ||
132 | sysfiles_setup("/usr/bin/dig"); | ||
133 | sysfiles_setup("/usr/bin/nslookup"); | ||
134 | sysfiles_setup("/usr/bin/resolvectl"); | ||
135 | sysfiles_setup("/usr/bin/nc"); | ||
136 | sysfiles_setup("/usr/bin/ncat"); | ||
137 | sysfiles_setup("/usr/bin/nmap"); | ||
138 | sysfiles_setup("/usr/sbin/tcpdump"); | ||
139 | // terminals | ||
140 | sysfiles_setup("/usr/bin/gnome-terminal"); | ||
141 | sysfiles_setup("/usr/bin/xfce4-terminal"); | ||
142 | sysfiles_setup("/usr/bin/lxterminal"); | ||
119 | 143 | ||
120 | // print processes | 144 | // print processes |
121 | pid_read(0); | 145 | pid_read(0); |
@@ -145,6 +169,7 @@ int main(int argc, char **argv) { | |||
145 | noexec_test("/var/tmp"); | 169 | noexec_test("/var/tmp"); |
146 | noexec_test(user_run_dir); | 170 | noexec_test(user_run_dir); |
147 | access_test(); | 171 | access_test(); |
172 | sysfiles_test(); | ||
148 | } | 173 | } |
149 | else { | 174 | else { |
150 | printf(" Error: I cannot join the process mount space\n"); | 175 | printf(" Error: I cannot join the process mount space\n"); |
diff --git a/src/jailtest/sysfiles.c b/src/jailtest/sysfiles.c new file mode 100644 index 000000000..7e4709453 --- /dev/null +++ b/src/jailtest/sysfiles.c | |||
@@ -0,0 +1,88 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2021 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "jailtest.h" | ||
21 | #include <dirent.h> | ||
22 | #include <sys/wait.h> | ||
23 | |||
24 | typedef struct { | ||
25 | char *tfile; | ||
26 | } TestFile; | ||
27 | |||
28 | #define MAX_TEST_FILES 32 | ||
29 | TestFile tf[MAX_TEST_FILES]; | ||
30 | static int files_cnt = 0; | ||
31 | |||
32 | void sysfiles_setup(const char *file) { | ||
33 | // I am root! | ||
34 | assert(file); | ||
35 | |||
36 | if (files_cnt >= MAX_TEST_FILES) { | ||
37 | fprintf(stderr, "Error: maximum number of system test files exceded\n"); | ||
38 | exit(1); | ||
39 | } | ||
40 | |||
41 | if (access(file, F_OK)) { | ||
42 | // no such file | ||
43 | return; | ||
44 | } | ||
45 | |||
46 | |||
47 | char *fname = strdup(file); | ||
48 | if (!fname) | ||
49 | errExit("strdup"); | ||
50 | |||
51 | tf[files_cnt].tfile = fname; | ||
52 | files_cnt++; | ||
53 | } | ||
54 | |||
55 | void sysfiles_test(void) { | ||
56 | // I am root in sandbox mount namespace | ||
57 | assert(user_uid); | ||
58 | int i; | ||
59 | |||
60 | pid_t child = fork(); | ||
61 | if (child == -1) | ||
62 | errExit("fork"); | ||
63 | |||
64 | if (child == 0) { // child | ||
65 | // drop privileges | ||
66 | if (setgid(user_gid) != 0) | ||
67 | errExit("setgid"); | ||
68 | if (setuid(user_uid) != 0) | ||
69 | errExit("setuid"); | ||
70 | |||
71 | for (i = 0; i < files_cnt; i++) { | ||
72 | assert(tf[i].tfile); | ||
73 | |||
74 | // try to open the file for reading | ||
75 | FILE *fp = fopen(tf[i].tfile, "r"); | ||
76 | if (fp) { | ||
77 | |||
78 | printf(" Warning: I can access %s\n", tf[i].tfile); | ||
79 | fclose(fp); | ||
80 | } | ||
81 | } | ||
82 | exit(0); | ||
83 | } | ||
84 | |||
85 | // wait for the child to finish | ||
86 | int status; | ||
87 | wait(&status); | ||
88 | } | ||
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index adde4a9b9..cd60d74e4 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c | |||
@@ -23,13 +23,16 @@ | |||
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | 25 | ||
26 | // todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c | ||
26 | const char * const default_lib_paths[] = { | 27 | const char * const default_lib_paths[] = { |
27 | "/usr/lib/x86_64-linux-gnu", // Debian & friends | 28 | "/usr/lib/x86_64-linux-gnu", // Debian & friends |
28 | "/lib/x86_64-linux-gnu", // CentOS, Fedora | 29 | "/lib/x86_64-linux-gnu", // CentOS, Fedora |
30 | "/usr/lib64", | ||
31 | "/lib64", | ||
29 | "/usr/lib", | 32 | "/usr/lib", |
30 | "/lib", | 33 | "/lib", |
31 | "/lib64", | ||
32 | LIBDIR, | 34 | LIBDIR, |
35 | "/usr/local/lib64", | ||
33 | "/usr/local/lib", | 36 | "/usr/local/lib", |
34 | "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory | 37 | "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory |
35 | "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory | 38 | "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory |
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index ce27729b7..1b8a4931c 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -3,7 +3,7 @@ | |||
3 | login.users \- Login file syntax for Firejail | 3 | login.users \- Login file syntax for Firejail |
4 | 4 | ||
5 | .SH DESCRIPTION | 5 | .SH DESCRIPTION |
6 | /etc/firejail/login.users file describes additional arguments passed to firejail executable | 6 | /etc/firejail/login.users file describes additional arguments passed to the firejail executable |
7 | upon user logging into a Firejail restricted shell. Each user entry in the file consists of | 7 | upon user logging into a Firejail restricted shell. Each user entry in the file consists of |
8 | a user name followed by the arguments passed to firejail. The format is as follows: | 8 | a user name followed by the arguments passed to firejail. The format is as follows: |
9 | 9 | ||
@@ -19,8 +19,8 @@ Wildcard patterns are accepted in the user name field: | |||
19 | 19 | ||
20 | .SH RESTRICTED SHELL | 20 | .SH RESTRICTED SHELL |
21 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 21 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
22 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 22 | the /etc/passwd file for each user that needs to be restricted. Alternatively, |
23 | you can specify /usr/bin/firejail using adduser or usermod commands: | 23 | you can specify /usr/bin/firejail using the `adduser` or `usermod` commands: |
24 | 24 | ||
25 | adduser \-\-shell /usr/bin/firejail username | 25 | adduser \-\-shell /usr/bin/firejail username |
26 | .br | 26 | .br |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b25fc9181..b0b390507 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" | |||
103 | 103 | ||
104 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. | 104 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
105 | 105 | ||
106 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 106 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
107 | can be enabled or disabled globally in Firejail's configuration file. | 107 | can be enabled or disabled globally in Firejail's configuration file. |
108 | 108 | ||
109 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 109 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 68deb85ec..0b9b403f8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -433,7 +433,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications | |||
433 | 433 | ||
434 | .TP | 434 | .TP |
435 | \fB\-\-dbus-system.log | 435 | \fB\-\-dbus-system.log |
436 | Turn on DBus logging for the system DBus. This option requires --dbus-system=log. | 436 | Turn on DBus logging for the system DBus. This option requires --dbus-system=filter. |
437 | 437 | ||
438 | .br | 438 | .br |
439 | Example: | 439 | Example: |
@@ -560,7 +560,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications | |||
560 | 560 | ||
561 | .TP | 561 | .TP |
562 | \fB\-\-dbus-user.log | 562 | \fB\-\-dbus-user.log |
563 | Turn on DBus logging for the session DBus. This option requires --dbus-user=log. | 563 | Turn on DBus logging for the session DBus. This option requires --dbus-user=filter. |
564 | 564 | ||
565 | .br | 565 | .br |
566 | Example: | 566 | Example: |
@@ -821,6 +821,16 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox | |||
821 | $ firejail \-\-ignore="net eth0" firefox | 821 | $ firejail \-\-ignore="net eth0" firefox |
822 | #endif | 822 | #endif |
823 | 823 | ||
824 | .TP | ||
825 | \fB\-\-\include=file.profile | ||
826 | Include a profile file before the regular profiles are used. | ||
827 | .br | ||
828 | |||
829 | .br | ||
830 | Example: | ||
831 | .br | ||
832 | $ firejail --include=/etc/firejail/disable-devel.inc gedit | ||
833 | |||
824 | #ifdef HAVE_NETWORK | 834 | #ifdef HAVE_NETWORK |
825 | .TP | 835 | .TP |
826 | \fB\-\-interface=interface | 836 | \fB\-\-interface=interface |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index f58f0d4b9..fd27bb35f 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -1,5 +1,8 @@ | |||
1 | #compdef firejail | 1 | #compdef firejail |
2 | 2 | ||
3 | # Documentation: man 1 zshcompsys | ||
4 | # HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org | ||
5 | |||
3 | _all_firejails() { | 6 | _all_firejails() { |
4 | local -a _all_firejails_list | 7 | local -a _all_firejails_list |
5 | for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do | 8 | for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do |
@@ -16,7 +19,7 @@ _all_cpus() { | |||
16 | } | 19 | } |
17 | 20 | ||
18 | _profiles() { | 21 | _profiles() { |
19 | print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;" | 22 | print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" |
20 | } | 23 | } |
21 | _profiles_with_ext() { | 24 | _profiles_with_ext() { |
22 | print $1/*.profile | 25 | print $1/*.profile |
@@ -26,15 +29,40 @@ _all_profiles() { | |||
26 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) | 29 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) |
27 | } | 30 | } |
28 | 31 | ||
32 | _session_bus_names() { | ||
33 | _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) | ||
34 | # Alternatives to hack on for non-systemd systems: | ||
35 | # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames | ||
36 | # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service | ||
37 | } | ||
38 | |||
39 | _system_bus_names() { | ||
40 | _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) | ||
41 | } | ||
42 | |||
43 | _caps() { | ||
44 | _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') | ||
45 | } | ||
46 | |||
29 | _firejail_args=( | 47 | _firejail_args=( |
30 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
31 | '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles' | 49 | |
32 | '--caps[enable default Linux capabilities filter]' | 50 | '--appimage[sandbox an AppImage application]' |
33 | '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop' | 51 | '--build[build a whitelisted profile for the application and print it on stdout]' |
34 | '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep' | 52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' |
35 | '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails' | 53 | # Ignore that you can do -? too as it's the only short option |
36 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' | 54 | '--help[this help screen]' |
37 | '(--debug)'{--debug,--debug}'[print sandbox debug messages]' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
56 | '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' | ||
57 | '--list[list all sandboxes]' | ||
58 | '(--profile)--noprofile[do not use a security profile]' | ||
59 | '(--noprofile)--profile=-[use a custom profile]: :_all_profiles' | ||
60 | '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' | ||
61 | '--top[monitor the most CPU-intensive sandboxes]' | ||
62 | '--tree[print a tree of all sandboxed processes]' | ||
63 | '--version[print program version and exit]' | ||
64 | |||
65 | '--debug[print sandbox debug messages]' | ||
38 | '--debug-blacklists[debug blacklisting]' | 66 | '--debug-blacklists[debug blacklisting]' |
39 | '--debug-caps[print all recognized capabilities]' | 67 | '--debug-caps[print all recognized capabilities]' |
40 | '--debug-errnos[print all recognized error numbers]' | 68 | '--debug-errnos[print all recognized error numbers]' |
@@ -43,197 +71,200 @@ _firejail_args=( | |||
43 | '--debug-syscalls[print all recognized system calls]' | 71 | '--debug-syscalls[print all recognized system calls]' |
44 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 72 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
45 | '--debug-whitelists[debug whitelisting]' | 73 | '--debug-whitelists[debug whitelisting]' |
46 | # Ignore that you can do -? too as it's the only short option | 74 | |
47 | '(--help)'{--help,--help}'[this help screen]' | 75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | ||
77 | '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' | ||
78 | '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' | ||
79 | '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' | ||
80 | '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' | ||
81 | |||
82 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' | ||
48 | '--allusers[all user home directories are visible inside the sandbox]' | 83 | '--allusers[all user home directories are visible inside the sandbox]' |
49 | '--appimage[sandbox an AppImage application]' | 84 | # Should be _files, a comma and files or files -/ |
50 | '--private[temporary home directory]' | 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
51 | '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/' | 86 | '*--blacklist=-[blacklist directory or file]: :_files' |
52 | '--seccomp[enable seccomp filter and apply the default blacklist]' | 87 | '--caps[enable default Linux capabilities filter]' |
53 | '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' | 88 | '--caps.drop=all[drop all capabilities]' |
54 | '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails' | 89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
55 | '--seccomp.block-secondary[build only the native architecture filters]' | 90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
56 | '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :' | 91 | '--cgroup=-[place the sandbox in the specified control group]: :' |
57 | '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :' | 92 | '--cpu=-[set cpu affinity]: :->cpus' |
58 | '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | 93 | "--deterministic-exit-code[always exit with first child's status code]" |
59 | '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | 94 | '*--dns=-[set DNS server]: :' |
60 | '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: :(ERRNO kill log)' | 95 | '*--env=-[set environment variable]: :' |
96 | '--hostname=-[set sandbox hostname]: :' | ||
97 | '--hosts-file=-[use file as /etc/hosts]: :_files' | ||
98 | '*--ignore=-[ignore command in profile files]: :' | ||
99 | '--ipc-namespace[enable a new IPC namespace]' | ||
100 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' | ||
101 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | ||
102 | '--keep-var-tmp[/var/tmp directory is untouched]' | ||
103 | '--machine-id[preserve /etc/machine-id]' | ||
61 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 104 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |
62 | '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files' | ||
63 | '--writable-etc[/etc directory is mounted read-write]' | ||
64 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
65 | '--writable-var[/var directory is mounted read-write]' | ||
66 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
67 | '--build[build a whitelisted profile for the application and print it on stdout]' | ||
68 | '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files' | ||
69 | '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails' | ||
70 | '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails' | ||
71 | '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails' | ||
72 | '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails' | ||
73 | '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails' | ||
74 | '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails' | ||
75 | '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails' | ||
76 | '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails' | ||
77 | '--list[list all sandboxes]' | ||
78 | '(--dns)'{--dns=,--dns=}'[set DNS server]: :' | ||
79 | '*--mkdir=-[create a directory]:' | 105 | '*--mkdir=-[create a directory]:' |
80 | '*--mkfile=-[create a file]:' | 106 | '*--mkfile=-[create a file]:' |
81 | '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :' | 107 | '--name=-[set sandbox name]: :' |
82 | '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails' | 108 | '--net=none[enable a new, unconnected network namespace]' |
83 | '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files' | 109 | # Sample values as I don't think |
84 | '--shell=none[run the program directly without a user shell]' | 110 | # many would enjoy getting a list from -20..20 |
85 | '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"' | 111 | '--nice=-[set nice value]: :(1 10 15 20)' |
86 | '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files' | ||
87 | '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files' | ||
88 | '--no3d[disable 3D hardware acceleration]' | 112 | '--no3d[disable 3D hardware acceleration]' |
113 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
114 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | ||
115 | '--nodbus[disable D-Bus access]' | ||
89 | '--nodvd[disable DVD and audio CD devices]' | 116 | '--nodvd[disable DVD and audio CD devices]' |
117 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | ||
90 | '--nogroups[disable supplementary groups]' | 118 | '--nogroups[disable supplementary groups]' |
91 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' | 119 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' |
92 | '--noprofile[do not use a security profile]' | 120 | '--nosound[disable sound system]' |
93 | '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files' | 121 | '--nou2f[disable U2F devices]' |
94 | '--ipc-namespace[enable a new IPC namespace]' | 122 | '--novideo[disable video devices]' |
95 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 123 | '--private[temporary home directory]' |
96 | '--keep-var-tmp[/var/tmp directory is untouched]' | 124 | '--private=-[use directory as user home]: :_files -/' |
97 | '--top[monitor the most CPU-intensive sandboxes]' | 125 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' |
98 | '--trace[trace open, access and connect system calls]' | 126 | '--private-cwd[do not inherit working directory inside jail]' |
99 | '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | 127 | '--private-cwd=-[set working directory inside jail]: :_files -/' |
100 | '--tree[print a tree of all sandboxed processes]' | ||
101 | '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus' | ||
102 | '--private-dev[create a new /dev directory with a small number of common device files]' | 128 | '--private-dev[create a new /dev directory with a small number of common device files]' |
129 | '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' | ||
130 | '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' | ||
131 | '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' | ||
103 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | 132 | '--private-tmp[mount a tmpfs on top of /tmp directory]' |
104 | '--private-cwd[do not inherit working directory inside jail]' | 133 | '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' |
105 | '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/' | ||
106 | '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files' | ||
107 | '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files' | ||
108 | '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/' | ||
109 | '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files' | ||
110 | "--deterministic-exit-code[always exit with first child's status code]" | ||
111 | '--machine-id[preserve /etc/machine-id]' | ||
112 | # Sample values as I don't think | ||
113 | # many would enjoy getting a list from -20..20 | ||
114 | '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)' | ||
115 | # Should be _files, a comma and files or files -/ | ||
116 | '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | ||
117 | '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :' | ||
118 | '*'{--env=,--env=}'[set environment variable]: :' | ||
119 | '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :' | ||
120 | '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :' | ||
121 | '(--name)'{--name=,--name=}'[set sandbox name]: :' | ||
122 | '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :" | ||
123 | '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :' | ||
124 | '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :' | ||
125 | '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :' | ||
126 | '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | ||
127 | '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :' | ||
128 | '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :' | ||
129 | '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' | ||
130 | "--quiet[turn off Firejail's output.]" | 134 | "--quiet[turn off Firejail's output.]" |
131 | '--version[print program version and exit]' | 135 | '*--read-only=-[set directory or file read-only]: :_files' |
136 | '*--read-write=-[set directory or file read-write]: :_files' | ||
137 | "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" | ||
138 | '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' | ||
139 | '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' | ||
140 | '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' | ||
141 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | ||
142 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | ||
143 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | ||
144 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | ||
145 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' | ||
146 | '--seccomp.block-secondary[build only the native architecture filters]' | ||
147 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' | ||
148 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' | ||
149 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | ||
150 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | ||
151 | # FIXME: Add errnos | ||
152 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | ||
153 | '--shell=none[run the program directly without a user shell]' | ||
154 | '--shell=-[set default user shell]: :_values $(cat /etc/shells)' | ||
155 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | ||
156 | #'(--tracelog)--trace[trace open, access and connect system calls]' | ||
157 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | ||
158 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | ||
159 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | ||
160 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
161 | '--writable-var[/var directory is mounted read-write]' | ||
162 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
163 | |||
132 | #ifdef HAVE_APPARMOR | 164 | #ifdef HAVE_APPARMOR |
133 | '--apparmor[enable AppArmor confinement]' | 165 | '--apparmor[enable AppArmor confinement]' |
134 | '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails' | 166 | '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' |
135 | #endif | 167 | #endif |
168 | |||
136 | #ifdef HAVE_CHROOT | 169 | #ifdef HAVE_CHROOT |
137 | '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/' | 170 | '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/' |
138 | #endif | 171 | #endif |
172 | |||
173 | #ifdef HAVE_DBUSPROXY | ||
174 | # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. | ||
175 | # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl | ||
176 | '--dbus-log=-[set DBus log file location]: :_files' | ||
177 | '--dbus-system=-[set system DBus access policy]: :(filter none)' | ||
178 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' | ||
179 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' | ||
180 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' | ||
181 | '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' | ||
182 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' | ||
183 | '--dbus-user=-[set session DBus access policy or none]: :(filter none)' | ||
184 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' | ||
185 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' | ||
186 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' | ||
187 | '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' | ||
188 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' | ||
189 | #endif | ||
190 | |||
139 | #ifdef HAVE_FILE_TRANSFER | 191 | #ifdef HAVE_FILE_TRANSFER |
140 | '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails' | 192 | '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' |
193 | '--get=-[get a file from sandbox container name|pid]: :_all_firejails' | ||
141 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. | 194 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. |
142 | '(--put)'{--put=,--put=}'[put a file in sandbox container]: :' | 195 | '--put=-[put a file in sandbox container]: :' |
143 | '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails' | 196 | '--ls=-[list files in sandbox container name|pid]: :_all_firejails' |
197 | #endif | ||
198 | |||
199 | #ifdef HAVE_FIRETUNNEL | ||
200 | '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' | ||
144 | #endif | 201 | #endif |
202 | |||
145 | #ifdef HAVE_NETWORK | 203 | #ifdef HAVE_NETWORK |
146 | # '--net=none[enable a new, unconnected network namespace]' | 204 | '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' |
147 | '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | 205 | '--defaultgw=[configure default gateway]: :' |
148 | '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails' | 206 | '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' |
149 | '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails' | 207 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' |
150 | '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails' | 208 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' |
209 | '--mtu=-[set interface MTU]: :' | ||
210 | '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | ||
211 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' | ||
212 | '--netfilter=-[enable firewall]: :' | ||
213 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' | ||
214 | '--netfilter6=-[enable IPv6 firewall]: :' | ||
215 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' | ||
216 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' | ||
217 | '--netns=-[Run the program in a named, persistent network namespace]: :' | ||
151 | '--netstats[monitor network statistics]' | 218 | '--netstats[monitor network statistics]' |
152 | '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :' | 219 | '--interface=-[move interface in sandbox]: :' |
153 | '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :' | 220 | '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' |
154 | '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :' | 221 | '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' |
155 | '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :' | 222 | '--iprange=-[configure an IP address in this range]: :' |
156 | '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the interface connected to the bridge]: :' | ||
157 | '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails' | ||
158 | '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :' | ||
159 | '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' | ||
160 | '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails' | ||
161 | '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :' | ||
162 | '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' | ||
163 | '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :' | ||
164 | '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | ||
165 | '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :' | ||
166 | '--scan[ARP-scan all the networks from inside a network namespace]' | 223 | '--scan[ARP-scan all the networks from inside a network namespace]' |
167 | '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails' | 224 | '--veth-name=-[use this name for the interface connected to the bridge]: :' |
168 | #endif | ||
169 | #ifdef HAVE_X11 | ||
170 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
171 | '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
172 | '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
173 | #endif | 225 | #endif |
174 | #ifdef HAVE_USERNS | 226 | |
175 | '--noroot[install a user namespace with only the current user]' | 227 | #ifdef HAVE_OUTPUT |
228 | '--output=-[stdout logging and log rotation]: :_files' | ||
229 | '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' | ||
176 | #endif | 230 | #endif |
177 | '--nosound[disable sound system]' | 231 | |
178 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
179 | '--novideo[disable video devices]' | ||
180 | '--nou2f[disable U2F devices]' | ||
181 | #ifdef HAVE_OVERLAYFS | 232 | #ifdef HAVE_OVERLAYFS |
182 | '--overlay[mount a filesystem overlay on top of the current filesystem]' | 233 | '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]' |
183 | '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/' | ||
184 | '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' | ||
185 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' | 234 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' |
235 | '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' | ||
236 | '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' | ||
186 | #endif | 237 | #endif |
187 | #ifdef HAVE_WHITELIST | 238 | |
188 | '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files' | ||
189 | '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files' | ||
190 | #endif | ||
191 | '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files' | ||
192 | #ifdef HAVE_DBUSPROXY | ||
193 | '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :' | ||
194 | '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :' | ||
195 | '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :' | ||
196 | '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :' | ||
197 | '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :' | ||
198 | '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :' | ||
199 | '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :' | ||
200 | '(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :' | ||
201 | '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :' | ||
202 | '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :' | ||
203 | '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :' | ||
204 | '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files' | ||
205 | '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)' | ||
206 | '--dbus-user.log[turn on logging for the user DBus]' | ||
207 | '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :' | ||
208 | '--dbus-system.log[turn on logging for the system DBus]' | ||
209 | '--nodbus[disable D-Bus access]' | ||
210 | #endif | ||
211 | #ifdef HAVE_PRIVATE_HOME | 239 | #ifdef HAVE_PRIVATE_HOME |
212 | '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :' | 240 | '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' |
241 | #endif | ||
242 | |||
243 | #ifdef HAVE_USERNS | ||
244 | '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]' | ||
213 | #endif | 245 | #endif |
214 | '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' | 246 | |
215 | '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :' | ||
216 | '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :' | ||
217 | #ifdef HAVE_USERTMPFS | 247 | #ifdef HAVE_USERTMPFS |
218 | '--private-cache[temporary ~/.cache directory]' | 248 | '--private-cache[temporary ~/.cache directory]' |
249 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | ||
219 | #endif | 250 | #endif |
220 | #ifdef HAVE_FIRETUNNEL | 251 | |
221 | '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :' | 252 | #ifdef HAVE_WHITELIST |
253 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | ||
254 | '*--whitelist=-[whitelist directory or file]: :_files' | ||
222 | #endif | 255 | #endif |
223 | ) | 256 | |
257 | #ifdef HAVE_X11 | ||
258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
259 | '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
260 | '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
261 | #endif | ||
262 | ) | ||
224 | 263 | ||
225 | 264 | ||
226 | _firejail() { | 265 | _firejail() { |
227 | _arguments -S $_firejail_args | 266 | _arguments -S $_firejail_args |
228 | case "$state" in | 267 | case "$state" in |
229 | caps_drop) | ||
230 | local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
231 | _values -s "," 'caps_drop' $caps_and_all | ||
232 | ;; | ||
233 | caps_keep) | ||
234 | local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
235 | _values -s "," 'caps_keep' $caps | ||
236 | ;; | ||
237 | cpus) | 268 | cpus) |
238 | _values -s "," 'cpus' $(_all_cpus) | 269 | _values -s "," 'cpus' $(_all_cpus) |
239 | ;; | 270 | ;; |
@@ -242,5 +273,11 @@ _firejail() { | |||
242 | local net_and_none=(none $netdevs) | 273 | local net_and_none=(none $netdevs) |
243 | _values 'net' $net_and_none | 274 | _values 'net' $net_and_none |
244 | ;; | 275 | ;; |
276 | seccomp) | ||
277 | # TODO: syscall groups | ||
278 | _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) | ||
279 | ;; | ||
245 | esac | 280 | esac |
246 | } | 281 | } |
282 | |||
283 | # vim: ft=zsh sw=4 ts=4 et sts=4 ai | ||
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index 16ab7f54d..eecb9bf82 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp | |||
@@ -96,7 +96,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
96 | set spawn_id $appimage_id | 96 | set spawn_id $appimage_id |
97 | expect { | 97 | expect { |
98 | timeout {puts "shutdown\n";exit} | 98 | timeout {puts "shutdown\n";exit} |
99 | "AppImage unmounted" | 99 | "AppImage detached" |
100 | } | 100 | } |
101 | 101 | ||
102 | after 100 | 102 | after 100 |
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp index 5f05e2846..2f67eb531 100755 --- a/test/appimage/appimage-trace.exp +++ b/test/appimage/appimage-trace.exp | |||
@@ -31,7 +31,7 @@ expect { | |||
31 | } | 31 | } |
32 | expect { | 32 | expect { |
33 | timeout {puts "shutdown\n"} | 33 | timeout {puts "shutdown\n"} |
34 | "AppImage unmounted" | 34 | "AppImage detached" |
35 | } | 35 | } |
36 | sleep 1 | 36 | sleep 1 |
37 | 37 | ||
@@ -58,7 +58,7 @@ expect { | |||
58 | } | 58 | } |
59 | expect { | 59 | expect { |
60 | timeout {puts "shutdown\n"} | 60 | timeout {puts "shutdown\n"} |
61 | "AppImage unmounted" | 61 | "AppImage detached" |
62 | } | 62 | } |
63 | sleep 1 | 63 | sleep 1 |
64 | 64 | ||
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index d90793bb3..b8b6e0c96 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -84,7 +84,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
84 | set spawn_id $appimage_id | 84 | set spawn_id $appimage_id |
85 | expect { | 85 | expect { |
86 | timeout {puts "shutdown\n"} | 86 | timeout {puts "shutdown\n"} |
87 | "AppImage unmounted" | 87 | "AppImage detached" |
88 | } | 88 | } |
89 | 89 | ||
90 | after 100 | 90 | after 100 |
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index b606c7a77..243824f75 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp | |||
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r" | |||
83 | set spawn_id $appimage_id | 83 | set spawn_id $appimage_id |
84 | expect { | 84 | expect { |
85 | timeout {puts "shutdown\n"} | 85 | timeout {puts "shutdown\n"} |
86 | "AppImage unmounted" | 86 | "AppImage detached" |
87 | } | 87 | } |
88 | 88 | ||
89 | after 100 | 89 | after 100 |
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index 548cd7fdf..e766b1acd 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -20,4 +20,4 @@ echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" | |||
20 | ./appimage-args.exp | 20 | ./appimage-args.exp |
21 | 21 | ||
22 | echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" | 22 | echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" |
23 | ./appimage-args.exp | 23 | ./appimage-trace.exp |
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp index 7b64129b7..54d8d722d 100755 --- a/test/appimage/filename.exp +++ b/test/appimage/filename.exp | |||
@@ -17,7 +17,7 @@ after 100 | |||
17 | send -- "firejail --appimage /etc/shadow\r" | 17 | send -- "firejail --appimage /etc/shadow\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 2\n";exit} | 19 | timeout {puts "TESTING ERROR 2\n";exit} |
20 | "cannot access" | 20 | "cannot read" |
21 | } | 21 | } |
22 | after 100 | 22 | after 100 |
23 | 23 | ||