30 files changed, 299 insertions, 130 deletions
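diff --git a/.gitignore b/.gitignore
index 39380446b..70ced1a99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg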
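diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2205c796c..204ebda95 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,7 @@ build_ubuntu_package:
 image: ubuntu:rolling
 script:
 - apt-get update -qq
-- apt-get install -y -qq build-essential lintian pkg-config python3
+- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3
 - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
@@ -20,12 +20,12 @@ build_debian_package:
 - apt-get install -y -qq build-essential lintian pkg-config
 - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
-#build_redhat_package:
-# image: centos:latest
-# script:
-# - yum update -y
-# - yum install -y rpm-build gcc make
-# - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
+build_redhat_package:
+image: centos:latest
+script:
+- dnf update -y
+- dnf install -y rpm-build gcc make
+- ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
 
 build_fedora_package:
 image: fedora:latest
@@ -48,8 +48,8 @@ build_apparmor:
 image: ubuntu:latest
 script:
 - apt-get update -qq
-- apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
-- ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail-apparmor*.deb
+- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
+- ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
 
 cppcheck:
 image: debian:latest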
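Review bot: The re-enabled `build_redhat_package` job installs the built package with `rpm -i firejail*.rpm`, which, unlike the `yum install -y` it replaces, does not resolve dependencies, so the job fails if the RPM requires anything the base image lacks; `dnf install -y ./firejail*.rpm` would keep dependency resolution. The job also runs on `image: centos:latest`, a mutable tag, so the toolchain that builds and installs the package can change between runs with no change in this repository. Pinning a release tag or an image digest would make the packaging result reproducible.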
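diff --git a/Makefile.in b/Makefile.in
index 0da33544c..575c5d614 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -28,13 +28,13 @@ SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary secco
 endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
 
-.PHONY: all_items man filters
+.PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
 $(ALL_ITEMS): $(MYDIRS)
 $(MAKE) -C $(dir $@)
 
 .PHONY: mydirs
-mydirs: $(MYDIRS)
+mydirs: mydirs $(MYDIRS)
 $(MYDIRS):
 $(MAKE) -C $@
 
@@ -183,7 +183,7 @@ uninstall:
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
+DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist:
@@ -202,10 +202,10 @@ dist:
 asc:; ./mkasc.sh $(VERSION)
 
 deb: dist
-./mkdeb.sh $(NAME) $(VERSION)
+./mkdeb.sh
 
 deb-apparmor: dist
-./mkdeb-apparmor.sh $(NAME) $(VERSION)
+./mkdeb.sh -apparmor
 
 test-compile: dist
 cd test/compile; ./compile.sh $(NAME)-$(VERSION)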
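Review bot: In the first hunk, `mydirs: mydirs $(MYDIRS)` makes the target a prerequisite of itself; GNU Make reports a circular dependency and drops it, so the extra word only produces a warning. If the intent was to mark the directory targets phony, as the same hunk does for `$(ALL_ITEMS)`, the change belongs on the line above: `.PHONY: mydirs $(MYDIRS)`, with the rule left as `mydirs: $(MYDIRS)`. The hunk also drops `man` and `filters` from `.PHONY`; if those targets are still defined outside the hunk, they should stay declared phony so a stray file of the same name cannot mask them.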
@@ -511,6 +511,8 @@ Lukáš Krejčí (https://github.com/lskrejci) | |||
511 | - fixed parsing of --keep-var-tmp | 511 | - fixed parsing of --keep-var-tmp |
512 | luzpaz (https://github.com/luzpaz) | 512 | luzpaz (https://github.com/luzpaz) |
513 | - code spelling fixes | 513 | - code spelling fixes |
514 | Mace Muilman (https://github.com/mace015) | ||
515 | - google-chrome{,beta,unstable} flags | ||
514 | maces (https://github.com/maces) | 516 | maces (https://github.com/maces) |
515 | - Franz messenger profile | 517 | - Franz messenger profile |
516 | Madura A (https://github.com/manushanga) | 518 | Madura A (https://github.com/manushanga) |
@@ -33,7 +33,7 @@ firejail (0.9.63) baseline; urgency=low | |||
33 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers | 33 | * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers |
34 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski | 34 | * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski |
35 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop | 35 | * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop |
36 | * new profiles: nicontine | 36 | * new profiles: nicotine, plv, mocp |
37 | -- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500 | 37 | -- netblue30 <netblue30@yahoo.com> Tue, 21 Apr 2020 08:00:00 -0500 |
38 | 38 | ||
39 | firejail (0.9.62) baseline; urgency=low | 39 | firejail (0.9.62) baseline; urgency=low |
@@ -4186,6 +4186,8 @@ if test "$prefix" = /usr; then | |||
4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" | 4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
4187 | fi | 4187 | fi |
4188 | 4188 | ||
4189 | ac_config_files="$ac_config_files mkdeb.sh" | ||
4190 | |||
4189 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" | 4191 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" |
4190 | 4192 | ||
4191 | cat >confcache <<\_ACEOF | 4193 | cat >confcache <<\_ACEOF |
@@ -4895,6 +4897,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4895 | for ac_config_target in $ac_config_targets | 4897 | for ac_config_target in $ac_config_targets |
4896 | do | 4898 | do |
4897 | case $ac_config_target in | 4899 | case $ac_config_target in |
4900 | "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;; | ||
4898 | "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; | 4901 | "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; |
4899 | "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;; | 4902 | "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;; |
4900 | "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; | 4903 | "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; |
@@ -5333,6 +5336,11 @@ which seems to be undefined. Please make sure it is defined" >&2;} | |||
5333 | 5336 | ||
5334 | esac | 5337 | esac |
5335 | 5338 | ||
5339 | |||
5340 | case $ac_file$ac_mode in | ||
5341 | "mkdeb.sh":F) chmod +x mkdeb.sh ;; | ||
5342 | |||
5343 | esac | ||
5336 | done # for ac_tag | 5344 | done # for ac_tag |
5337 | 5345 | ||
5338 | 5346 | ||
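diff --git a/configure.ac b/configure.ac
index 8cf170c80..feb0b38a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -204,6 +204,7 @@ if test "$prefix" = /usr; then
 test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
+AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \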
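diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index e68e51c63..fc6690752 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -19,6 +19,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include <abstractions/dbus-strict>
 #include <abstractions/dbus-session-strict>
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.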
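Review bot: The added rule matches only sockets whose name ends in `-user`, while its comment refers to `dbus-*=filter`. If the system-bus proxy creates its socket in the same directory under a different suffix (not visible in this hunk), `dbus-system filter` would still be denied under this profile and would need its own `owner ... w,` rule. The `[0-9]*` globs also match any name that merely begins with a digit, which is looser than the numeric directory and file names the path suggests. A comment stating the intended layout, for example `# per-user directory, per-sandbox proxy socket`, would let a later reviewer judge whether the pattern can be tightened. The enclosing profile block starts and ends outside the hunk.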
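diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 3fd3cc7b2..ce3b24584 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -144,12 +144,16 @@ blacklist ${RUNUSER}/kdesud_*
 blacklist ${HOME}/.local/share/gnome-shell
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
 
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
 blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
@@ -175,6 +179,13 @@ blacklist /var/cache/libvirt
 blacklist /var/lib/libvirt
 blacklist /var/log/libvirt
 
+# OCI-Containers / Podman
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
+
 # VeraCrypt
 blacklist ${HOME}/.VeraCrypt
 blacklist ${PATH}/veracrypt
@@ -389,6 +400,7 @@ blacklist /usr/sbin
 
 # system management
 blacklist ${PATH}/at
+blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
 blacklist ${PATH}/chsh
@@ -477,6 +489,9 @@ blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 
+# snap
+blacklist ${RUNUSER}/snapd-session-agent.socket
+
 # mail directories used by mutt
 blacklist ${HOME}/.Mail
 blacklist ${HOME}/.mail
@@ -501,3 +516,9 @@ blacklist ${PATH}/dns2tcp
 blacklist ${PATH}/iodine
 blacklist ${PATH}/knsupdate
 blacklist ${PATH}/resolvectl
+
+# rest of ${RUNUSER}
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/pk-debconf-socket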
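Review bot: `blacklist ${PATH}/busybox` in the "system management" hunk is the addition most likely to have side effects. On systems where the core utilities are applets of a single busybox binary, hiding it may take the shell and every other applet away from all profiles that include this file. A comment stating the intent, such as `# multi-call binary; its applets would sidestep the per-tool blacklist entries in this file`, would make the trade-off explicit. It should also be confirmed that affected profiles can opt out with `noblacklist ${PATH}/busybox`. The final `# rest of ${RUNUSER}` group gives no rationale either; one line on why `*.lock` and `inaccessible` are hidden would help later reviewers.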
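diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 89189b533..89bfa540e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -108,6 +108,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -160,6 +161,12 @@ blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.config
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
@@ -553,6 +560,7 @@ blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/five-or-more
@@ -581,6 +589,7 @@ blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/IntoTheBreach
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -621,6 +630,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
@@ -654,12 +664,14 @@ blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
 blacklist ${HOME}/.magicor
 blacklist ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.mbwarband
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
 blacklist ${HOME}/.minetest
 blacklist ${HOME}/.mirrormagic
+blacklist ${HOME}/.moc
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
@@ -686,6 +698,7 @@ blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus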
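diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
new file mode 100644
index 000000000..ae0549d3e
--- /dev/null
+++ b/etc/profile-a-l/dino-im.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dino-im
+# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino-im.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Add Ubuntu specific binary name
+private-bin dino-im
+
+# Redirect
+include dino.profile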
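diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index 73101f509..a62e4cf74 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
 
+whitelist ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.config
+
 # Redirect
 include chromium-common.profile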
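Review bot: `whitelist ${HOME}/.config/chrome-beta-flags.conf` and its `.config` twin expose the launcher's flags files read-write inside the sandbox, so a compromised browser process could change the command-line flags applied on the next start, and that change would outlive the session. Unless the browser is expected to edit these files itself, each whitelist should be followed by `read-only ${HOME}/.config/chrome-beta-flags.conf` and `read-only ${HOME}/.config/chrome-beta-flags.config`. The same applies to the `chrome-unstable-flags.*` entries added in google-chrome-unstable.profile and the `chrome-flags.*` entries added in google-chrome.profile.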
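diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 50e9923aa..14547eab2 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
 
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.config
+
 # Redirect
 include chromium-common.profile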
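diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index c69e98271..66f76caa0 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 
+noblacklist ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.config
+
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
 
+whitelist ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.config
+
 # Redirect
 include chromium-common.profile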
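diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc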
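diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6e18aa401..b1ab81c1e 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,19 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 #private-bin mpg123*
 private-dev
 private-tmp
 
-memory-deny-write-execute
-
 dbus-user none
 dbus-system none
+
+memory-deny-write-execute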
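diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/PacmanLogViewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer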
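Review bot: `writable-var-log` together with `whitelist /var/log/pacman*` hands a log viewer the real pacman log files rather than a private copy, and nothing in the profile says why a read-only tool needs that. If the option is there only so the real logs are visible, record it with a comment such as `# real /var/log is needed to see pacman.log; the viewer never writes it`. Adding `read-only /var/log/pacman*` after the whitelist would then stop the sandboxed process from modifying the files even where file permissions would allow it. This is inferred from the profile alone; plv's actual write behaviour is not visible here.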
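diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/profile-m-z/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions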
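--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -41,7 +46,9 @@ mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
 mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
 mkdir ${HOME}/.local/share/Paradox Interactive
 mkdir ${HOME}/.local/share/Steam
 mkdir ${HOME}/.local/share/SuperHexagon
@@ -58,7 +65,9 @@ whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
 whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
 whitelist ${HOME}/.local/share/Paradox Interactive
 whitelist ${HOME}/.local/share/Steam
 whitelist ${HOME}/.local/share/SuperHexagon
@@ -70,7 +79,6 @@ whitelist ${HOME}/.paradoxinteractive
 whitelist ${HOME}/.steam
 whitelist ${HOME}/.steampath
 whitelist ${HOME}/.steampid
-whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 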
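--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,7 +9,6 @@ include wire-desktop.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
-ignore caps.drop all
 ignore dbus-user none
 ignore dbus-system none
 
@@ -22,8 +21,9 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
 
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 
 disable-mnt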
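Review bot: In the second hunk `ignore seccomp` is immediately followed by `seccomp !chroot`, and it is worth confirming that the ignore entry does not also suppress the new line; if `ignore` matches on the command word, both lines would be dropped and the sandbox would start without any seccomp filter. The filter that is actually installed can be checked on a running sandbox with `firejail --seccomp.print=<name|pid>`. The profile also gives no reason for re-allowing chroot(2) now that `caps.keep sys_admin,sys_chroot` is gone; a comment above the pair such as `# re-allow chroot(2) only; every other default seccomp rule still applies` would record the intent, presumably the application runtime's own sandbox.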
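--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc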
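--- a/mkdeb.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
-# a code archive should already be available
-
-set -e
-
-TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
-INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
-DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
-
-echo "*****************************************"
-echo "code archive: $CODE_ARCHIVE"
-echo "code directory: $CODE_DIR"
-echo "install directory: $INSTALL_DIR"
-echo "debian control directory: $DEBIAN_CTRL_DIR"
-echo "*****************************************"
-
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
-./configure --prefix=/usr
-make -j2
-mkdir debian
-DESTDIR=debian make install-strip
-
-cd ..
-echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
-echo "install size $SIZE"
-echo "*****************************************"
-
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
-
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR -type d | xargs chmod 755
-cd $CODE_DIR
-fakeroot dpkg-deb --build debian
-lintian debian.deb
-mv debian.deb ../firejail_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
-cd ..
-rm -fr $CODE_DIR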
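--- a/mkdeb-apparmor.sh
+++ b/mkdeb.sh.in
@@ -7,10 +7,24 @@
 # a code archive should already be available
 
 set -e
+NAME=@PACKAGE_NAME@
+VERSION=@PACKAGE_VERSION@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_SELINUX=@HAVE_SELINUX@
+EXTRA_VERSION=$1
+
+CONFIG_ARGS="--prefix=/usr"
+if [ -n "$HAVE_APPARMOR" ]; then
+CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
+fi
+if [ -n "$HAVE_SELINUX" ]; then
+CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
+fi
 
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
+CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
-CODE_DIR="$1-$2"
+CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
@@ -24,7 +38,7 @@ echo "*****************************************"
 tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
-./configure --prefix=/usr --enable-apparmor
+./configure $CONFIG_ARGS
 make -j2
 mkdir debian
 DESTDIR=debian make install-strip
@@ -40,7 +54,7 @@ gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
 install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
 install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
@@ -51,6 +65,6 @@ find $INSTALL_DIR -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
 lintian debian.deb
-mv debian.deb ../firejail-apparmor_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 cd ..
 rm -fr $CODE_DIR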
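Review bot: The output file is now named `firejail_${VERSION}${EXTRA_VERSION}_1_<arch>.deb`, but the control file is still generated with `sed "s/FIREJAILVER/$VERSION/g"`, so a build with a non-empty `$1` yields a package whose file name and (presumably) `Version:` field disagree. Either substitute `${VERSION}${EXTRA_VERSION}` into the control file as well, or add a comment at `EXTRA_VERSION=$1` saying the suffix is a file-name tag only. `PACKAGE_TARNAME` is assigned but not used in any visible hunk, and the output name hard-codes `firejail_` where `$NAME` is available. The expansions of `$CODE_ARCHIVE` and `$CODE_DIR`, including the final `rm -fr $CODE_DIR`, stay unquoted although they now come from configure substitutions; `rm -fr "$CODE_DIR"` is the safer form.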
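--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,7 +1,7 @@
 Name: __NAME__
 Version: __VERSION__
 Release: 1
-Summary: Linux namepaces sandbox program
+Summary: Linux namespaces sandbox program
 
 License: GPLv2+
 Group: Development/Tools
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure --disable-userns --disable-contrib-install
+%configure __CONFIG_OPT__
 make %{?_smp_mflags}
 
 %install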
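--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail <version>
+# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
@@ -11,6 +11,7 @@
 name=$1
 # Strip any trailing prefix from the version like -rc1 etc
 version=$(echo "$2" | sed 's/\-.*//g')
+config_opt=$3
 
 if [[ ! -f platform/rpm/${name}.spec ]]; then
 echo error: spec file not found for name \"${name}\"
@@ -22,6 +23,10 @@ if [[ -z "${version}" ]]; then
 exit 1
 fi
 
+if [[ -z "${config_opt}" ]]; then
+config_opt="--disable-userns --disable-contrib-install"
+fi
+
 # Make a temporary directory and arrange to clean up on exit
 tmpdir=$(mktemp -d)
 mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
@@ -32,7 +37,10 @@ trap cleanup EXIT
 
 # Create the spec file
 tmp_spec_file=${tmpdir}/SPECS/${name}.spec
-sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+sed -e "s/__NAME__/${name}/g" \
+-e "s/__VERSION__/${version}/g" \
+-e "s/__CONFIG_OPT__/${config_opt}/g" \
+platform/rpm/${name}.spec >${tmp_spec_file}
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball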
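Review bot: In the last hunk, `-e "s/__CONFIG_OPT__/${config_opt}/g"` pastes the third argument into a sed replacement that uses `/` as its delimiter, so any option carrying a path (for example `--prefix=/usr`) makes the expression invalid, and `&` or `\` in the value are interpreted by sed rather than copied. Escaping the value first avoids both: `config_opt_esc=$(printf '%s' "${config_opt}" | sed 's,[&/\],\\&,g')`, then `-e "s/__CONFIG_OPT__/${config_opt_esc}/g"`. The value lands on the `%configure` line of the generated spec and is run by the build, so the usage comment should state that it is expected to come from the project's own build system and not from untrusted input.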
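--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -156,6 +156,7 @@ dig
 digikam
 dillo
 dino
+dino-im
 discord
 discord-canary
 display
@@ -441,6 +442,7 @@ min
 mindless
 minetest
 mirrormagic
+mocp
 mousepad
 mp3splt
 mp3splt-gtk
@@ -549,6 +551,7 @@ planmaker18
 planmaker18free
 playonlinux
 pluma
+plv
 pngquant
 polari
 ppsspp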
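--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -111,6 +111,13 @@ static void disable_file(OPERATION op, const char *filename) {
 return;
 }
 
+// check for firejail executable
+// we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+// blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+// and expects Firefox to open in the same sandbox
+if (strcmp(BINDIR "/firejail", fname) == 0)
+return;
+
 // modify the file
 if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
 // some distros put all executables under /usr/bin and make /bin a symbolic link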
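Review bot: The new `strcmp(BINDIR "/firejail", fname) == 0` early return sits before the `op` dispatch, so it skips every operation on the firejail binary, not only blacklisting, and it does so silently even when a profile names that path explicitly. If only blacklisting is meant to be exempt, the condition can be narrowed to `if ((op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) && strcmp(BINDIR "/firejail", fname) == 0)`; either way the comment should state that the binary deliberately stays reachable inside every sandbox, since that is a security-relevant default. If `fname` is heap-allocated earlier in `disable_file` (the start of the function is outside the hunk), this return also has to release it. The comment has a typo, `migth` for `might`.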
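--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -22,23 +22,23 @@ expect {
 "_firejail_test_dir"
 }
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "_firejail_test_dir/dir1"
 }
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "_firejail_test_dir/dir1/dir2"
 }
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "_firejail_test_dir/dir1/dir2/dir3"
 }
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "_firejail_test_dir/dir1/dir2/dir3/file1"
 }
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 6\n";exit}
 "_firejail_test_file"
 }
 after 100
@@ -47,8 +47,8 @@ after 100
 
 send -- "firejail --profile=mkfile.profile\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 7\n";exit}
-"only files in user home or /tmp"
+"only files or directories in user home, /tmp"
 }
 after 100
 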
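--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -7,22 +7,21 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "echo testing > ~/firejail-test-file-7699\r"
+after 100
+
 send -- "firejail --build cat ~/firejail-test-file-7699\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"whitelist ~/firejail-test-file-7699"
+"whitelist $\{HOME\}/firejail-test-file-7699"
-}
-expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
-"include /etc/firejail/whitelist-common.inc"
 }
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"private-tmp"
+"include whitelist-common.inc"
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"private-dev"
+"blacklist /usr/share"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
@@ -34,26 +33,40 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-"caps.drop all"
+"private-dev"
 }
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-"nonewprivs"
+"private-etc"
 }
 expect {
 timeout {puts "TESTING ERROR 7\n";exit}
-"seccomp"
+"private-tmp"
 }
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
-"net none"
+"caps.drop all"
 }
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
+"nonewprivs"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"seccomp"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"net none"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
 "shell none"
 }
 after 100
 
+
+
 send -- "firejail --build cat /etc/passwd\r"
 expect {
 timeout {puts "TESTING ERROR 10\n";exit}
@@ -72,21 +85,6 @@ expect {
 }
 after 100
 
-
-#send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r"
-#expect {
-# timeout {puts "TESTING ERROR 11\n";exit}
-# "whitelist /var/tmp/firejail-test-file-7699"
-#}
-#after 100
-
-#send -- "firejail --build man firejail\r"
-#expect {
-# timeout {puts "TESTING ERROR 12\n";exit}
-# "whitelist /usr/share/man"
-#}
-#after 100
-
 send -- "firejail --build wget --output-document=~ debian.org\r"
 expect {
 timeout {puts "TESTING ERROR 13\n";exit}
@@ -98,10 +96,4 @@ expect {
 }
 after 100
 
-
-send -- "firejail --build cat /tmp/firejail-test-file-7699\r"
-#todo - bug: it comes back with private-tmp
-sleep 1
-
-
 puts "all done\n"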
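Review bot: After the renumbering in the second hunk, the label `TESTING ERROR 10` is printed both by the new `seccomp` check and by the unchanged `firejail --build cat /etc/passwd` block that follows it, so a timeout report no longer identifies the failing step. The checks of the later commands should get labels that do not collide with 0–12, e.g. `timeout {puts "TESTING ERROR 20\n";exit}` for the first /etc/passwd check and onward. The test file is now created by `send -- "echo testing > ~/firejail-test-file-7699\r"` followed only by `after 100`; waiting for the shell prompt with an `expect` before the `--build` run would remove the timing dependence.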
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 82ccc82bb..48a8051fa 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -13,14 +13,9 @@ if [ -f /etc/debian_version ]; then | |||
13 | fi | 13 | fi |
14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | 14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" |
15 | 15 | ||
16 | echo "testing" > ~/firejail-test-file-7699 | ||
17 | echo "testing" > /tmp/firejail-test-file-7699 | ||
18 | echo "testing" > /var/tmp/firejail-test-file-7699 | ||
19 | echo "TESTING: build (test/utils/build.exp)" | 16 | echo "TESTING: build (test/utils/build.exp)" |
20 | ./build.exp | 17 | ./build.exp |
21 | rm -f ~/firejail-test-file-7699 | 18 | rm -f ~/firejail-test-file-7699 |
22 | rm -f /tmp/firejail-test-file-7699 | ||
23 | rm -f /var/tmp/firejail-test-file-7699 | ||
24 | rm -f firejail-test-file-4388 | 19 | rm -f firejail-test-file-4388 |
25 | 20 | ||
26 | if [ $(readlink /proc/self) -lt 100 ]; then | 21 | if [ $(readlink /proc/self) -lt 100 ]; then |