-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | etc/ids.config | 1 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 3 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 2 | ||||
-rw-r--r-- | etc/profile-a-l/bleachbit.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/feh.profile | 12 | ||||
-rw-r--r-- | etc/profile-m-z/rssguard.profile | 58 | ||||
-rw-r--r-- | src/firecfg/desktop_files.c | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firecfg/firecfg.h | 2 | ||||
-rw-r--r-- | src/firecfg/main.c | 16 | ||||
-rw-r--r-- | src/jailcheck/main.c | 3 | ||||
-rw-r--r-- | src/jailcheck/utils.c | 5 | ||||
-rw-r--r-- | src/man/firecfg.1.in | 4 | ||||
-rw-r--r-- | src/man/jailcheck.1.in | 5 |
15 files changed, 103 insertions, 16 deletions
@@ -362,7 +362,7 @@ scan-build: clean | |||
362 | 362 | ||
363 | .PHONY: codespell | 363 | .PHONY: codespell |
364 | codespell: clean | 364 | codespell: clean |
365 | codespell --ignore-regex "UE|creat|shotcut|ether" src test | 365 | codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test |
366 | 366 | ||
367 | .PHONY: print-env | 367 | .PHONY: print-env |
368 | print-env: | 368 | print-env: |
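--- a/etc/ids.config
+++ b/etc/ids.config
@@ -139,6 +139,7 @@ ${HOME}/.local/share/autostart
 /etc/security
 /etc/selinux
 /etc/shadow*
+/etc/sudo*.conf
 /etc/sudoers*
 /etc/tripwire
 ${HOME}/.config/firejail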
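Review bot: `/etc/doas.conf` does not appear to be added to the monitored file list, although the same commit blacklists it in etc/inc/disable-common.inc alongside the sudo configuration files. Only lines 139-145 of this file are visible, so it may already be listed earlier. If it is not, adding `/etc/doas.conf` next to the other /etc entries would keep the intrusion-detection list in step with the blacklist, so that a change to the doas rules is reported just like a change to `/etc/sudoers*`.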
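--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -416,6 +416,7 @@ blacklist /tmp/ssh-*
 # top secret
 blacklist /.fscrypt
 blacklist /etc/davfs2/secrets
+blacklist /etc/doas.conf
 blacklist /etc/group+
 blacklist /etc/group-
 blacklist /etc/gshadow
@@ -428,6 +429,8 @@ blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
 blacklist /etc/ssh/*
+blacklist /etc/sudo*.conf
+blacklist /etc/sudoers*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist ${HOME}/*.kdb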
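--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -329,6 +329,7 @@ blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Quotient
+blacklist ${HOME}/.config/RSS Guard 4
 blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
@@ -432,6 +433,7 @@ blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
+blacklist ${HOME}/.config/feh
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flameshot
 blacklist ${HOME}/.config/flaska.net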
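--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -7,6 +7,9 @@ include bleachbit.local
 # Persistent global definitions
 include globals.local
 
+# Necessary for BleachBit to erase Trash contents.
+noblacklist ${HOME}/.local/share/Trash
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc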
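--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -7,23 +7,33 @@ include feh.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/feh
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
 
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
 # Add the next line to your feh.local to enable network access.
 #include feh-network.inc.profile
 
+apparmor
 caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -31,6 +41,8 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
+tracelog
 
 private-bin feh,jpegexiforient,jpegtran
 private-cache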
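--- /dev/null
+++ b/etc/profile-m-z/rssguard.profile
@@ -0,0 +1,58 @@
+# Firejail profile for rssguard
+# Description: Simple (yet powerful) Qt feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rssguard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/RSS Guard 4
+
+include allow-nodejs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/RSS Guard 4
+whitelist ${HOME}/.config/RSS Guard 4
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin node,rssguard
+private-dev
+private-etc @network,@sound,@tls-ca,@x11,mime.types
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+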
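Review bot: `include allow-nodejs.inc` together with `node` in `private-bin` re-enables an interpreter that disable-interpreters.inc would otherwise block, in a profile that also keeps network access (`protocol unix,inet,inet6,netlink`), and the file does not say why. Another profile on this page documents the same kind of exception with `# Allow python (blacklisted by disable-interpreters.inc)`; the matching `# Allow nodejs (blacklisted by disable-interpreters.inc)` above the include would follow that convention. The commented-out `# no3d` and `# nosound` would also benefit from a short reason each, so that someone tightening the profile in rssguard.local knows which feature depends on them.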
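--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -108,7 +108,7 @@ static int have_profile(const char *filename, const char *homedir) {
 return rv;
 }
 
-void fix_desktop_files(char *homedir) {
+void fix_desktop_files(const char *homedir) {
 assert(homedir);
 struct stat sb;
 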
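--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -734,6 +734,7 @@ ripperx
 ristretto
 rocketchat
 rpcs3
+rssguard
 rtorrent
 runenpass.sh
 sayonara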
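--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -49,6 +49,6 @@ int is_link(const char *fname);
 void sound(void);
 
 // desktop_files.c
-void fix_desktop_files(char *homedir);
+void fix_desktop_files(const char *homedir);
 
 #endif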
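--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -288,8 +288,11 @@ static void set_links_homedir(const char *homedir) {
 free(firejail_exec);
 }
 
-static char *get_user(void) {
-char *user = getenv("SUDO_USER");
+static const char *get_sudo_user(void) {
+const char *doas_user = getenv("DOAS_USER");
+const char *sudo_user = getenv("SUDO_USER");
+const char *user = doas_user ? doas_user : sudo_user;
+
 if (!user) {
 user = getpwuid(getuid())->pw_name;
 if (!user) {
@@ -301,13 +304,13 @@ static char *get_user(void) {
 return user;
 }
 
-static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+static const char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
 // find home directory
 struct passwd *pw = getpwnam(user);
 if (!pw)
 goto errexit;
 
-char *home = pw->pw_dir;
+const char *home = pw->pw_dir;
 if (!home)
 goto errexit;
 
@@ -326,12 +329,11 @@ int main(int argc, char **argv) {
 int bindir_set = 0;
 
 // user setup
-char *user = get_user();
+const char *user = get_sudo_user();
 assert(user);
 uid_t uid;
 gid_t gid;
-char *home = get_homedir(user, &uid, &gid);
-
+const char *home = get_homedir(user, &uid, &gid);
 
 // check for --bindir
 for (i = 1; i < argc; i++) {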
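Review bot: In get_sudo_user() the fallback `user = getpwuid(getuid())->pw_name;` dereferences the result of getpwuid() without a NULL check, so a uid with no passwd entry crashes the program before the following `if (!user)` check is reached. The same line is carried over in src/jailcheck/utils.c. Splitting it into `struct passwd *pw = getpwuid(getuid());` and `user = pw ? pw->pw_name : NULL;` would let the existing check handle the failure. The function body continues past the end of the first hunk, so what that error path does is not visible here.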
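--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -86,7 +86,7 @@ int main(int argc, char **argv) {
 
 // user setup
 if (getuid() != 0) {
-fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+fprintf(stderr, "Error: you need to be root (via sudo or doas) to run this program\n");
 exit(1);
 }
 user_name = get_sudo_user();
@@ -120,6 +120,7 @@ int main(int argc, char **argv) {
 // basic sysfiles
 sysfiles_setup("/etc/shadow");
 sysfiles_setup("/etc/gshadow");
+sysfiles_setup("/usr/bin/doas");
 sysfiles_setup("/usr/bin/mount");
 sysfiles_setup("/usr/bin/su");
 sysfiles_setup("/usr/bin/ksu");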
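--- a/src/jailcheck/utils.c
+++ b/src/jailcheck/utils.c
@@ -26,7 +26,10 @@
 #define BUFLEN 4096
 
 char *get_sudo_user(void) {
-char *user = getenv("SUDO_USER");
+char *doas_user = getenv("DOAS_USER");
+char *sudo_user = getenv("SUDO_USER");
+char *user = doas_user ? doas_user : sudo_user;
+
 if (!user) {
 user = getpwuid(getuid())->pw_name;
 if (!user) {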
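Review bot: DOAS_USER and SUDO_USER are read straight from the environment and DOAS_USER wins whenever it is set, so the returned name is only as trustworthy as the environment handed to the root process; src/firecfg/main.c has the same logic. If sudo is configured to preserve the caller's environment, an inherited DOAS_USER would presumably override the SUDO_USER that sudo itself set, and the program would then act on a different account from the one that elevated. A comment above the lookups would make the assumption explicit, for example `// DOAS_USER/SUDO_USER are trusted only because doas/sudo set them; DOAS_USER takes precedence if both are present`. get_sudo_user() continues past the end of the hunk.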
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index 42add6a41..a85fbc5da 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in | |||
@@ -23,7 +23,9 @@ The integration covers: | |||
23 | - programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE | 23 | - programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE |
24 | desktop managers are supported in this moment | 24 | desktop managers are supported in this moment |
25 | .RE | 25 | .RE |
26 | 26 | .PP | |
27 | Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported. | ||
28 | .PP | ||
27 | To set it up, run "sudo firecfg" after installing Firejail software. | 29 | To set it up, run "sudo firecfg" after installing Firejail software. |
28 | The same command should also be run after | 30 | The same command should also be run after |
29 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin | 31 | installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin |
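--- a/src/man/jailcheck.1.in
+++ b/src/man/jailcheck.1.in
@@ -24,9 +24,8 @@ them from inside the sandbox.
 \fB5. Seccomp test
 .TP
 \fB6. Networking test
-.TP
-The program is started as root using sudo.
-
+.PP
+The program should be started using \fBsudo\fR or \fBdoas\fR.
 .SH OPTIONS
 .TP
 \fB\-\-debug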