diff options
93 files changed, 1207 insertions, 331 deletions
diff --git a/Makefile.in b/Makefile.in index 9574c74bc..dbf53e2cb 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -141,7 +141,7 @@ uninstall: | |||
141 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | 141 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
142 | 142 | ||
143 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" | 143 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" |
144 | DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" | 144 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" |
145 | 145 | ||
146 | dist: | 146 | dist: |
147 | mv config.status config.status.old | 147 | mv config.status config.status.old |
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich) | |||
47 | - added --join-or-start command | 47 | - added --join-or-start command |
48 | - CVE-2016-7545 | 48 | - CVE-2016-7545 |
49 | Fred-Barclay (https://github.com/Fred-Barclay) | 49 | Fred-Barclay (https://github.com/Fred-Barclay) |
50 | - lots of profile fixes | ||
50 | - added Vivaldi, Atril profiles | 51 | - added Vivaldi, Atril profiles |
51 | - added PaleMoon profile | 52 | - added PaleMoon profile |
52 | - split Icedove and Thunderbird profiles | 53 | - split Icedove and Thunderbird profiles |
@@ -69,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
69 | - added audacity profile | 70 | - added audacity profile |
70 | - fixed Telegram and qtox profiles | 71 | - fixed Telegram and qtox profiles |
71 | - added Atom Beta and Atom profiles | 72 | - added Atom Beta and Atom profiles |
72 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. | 73 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles |
73 | - several private-bin conversions | 74 | - several private-bin conversions |
74 | - added jitsi profile | 75 | - added jitsi profile |
75 | - pidgin private-bin conversion | 76 | - pidgin private-bin conversion |
@@ -77,6 +78,16 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
77 | - added gnome-chess profile | 78 | - added gnome-chess profile |
78 | - added DOSBox profile | 79 | - added DOSBox profile |
79 | - evince profile enhancement | 80 | - evince profile enhancement |
81 | - tightened Spotify profile | ||
82 | - added xiphos and Tor Browser Bundle profiles | ||
83 | valoq (https://github.com/valoq) | ||
84 | - LibreOffice profile fixes | ||
85 | - cherrytree profile fixes | ||
86 | - added support for /srv in --whitelist feature | ||
87 | - Eye of GNOME and Evolution profiles | ||
88 | - blacklist suid binaries in disable-common.inc | ||
89 | Rafael Cavalcanti (https://github.com/rccavalcanti) | ||
90 | - chromium profile fixes for Arch Linux | ||
80 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 91 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
81 | - added xpdf profile | 92 | - added xpdf profile |
82 | vismir2 (https://github.com/vismir2) | 93 | vismir2 (https://github.com/vismir2) |
@@ -84,9 +95,6 @@ vismir2 (https://github.com/vismir2) | |||
84 | Dara Adib (https://github.com/daradib) | 95 | Dara Adib (https://github.com/daradib) |
85 | - ssh profile fix | 96 | - ssh profile fix |
86 | - evince profile fix | 97 | - evince profile fix |
87 | valoq (https://github.com/valoq) | ||
88 | - LibreOffice profile fixes | ||
89 | - cherrytree profile fixes | ||
90 | vismir2 (https://github.com/vismir2) | 98 | vismir2 (https://github.com/vismir2) |
91 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 99 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
92 | - lots of profile fixes | 100 | - lots of profile fixes |
@@ -42,76 +42,15 @@ If you keep your Firejail profiles in a public repository, please give us a link | |||
42 | * https://github.com/chiraag-nataraj/firejail-profiles | 42 | * https://github.com/chiraag-nataraj/firejail-profiles |
43 | 43 | ||
44 | * https://github.com/triceratops1/fe | 44 | * https://github.com/triceratops1/fe |
45 | ````` | ||
46 | 45 | ||
46 | Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825 | ||
47 | ````` | 47 | ````` |
48 | # Current development version: 0.9.43 | ||
49 | 48 | ||
50 | ## X11 development | ||
51 | ````` | ||
52 | --x11=none | ||
53 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the | ||
54 | file specified in ${XAUTHORITY} environment variable. Remove | ||
55 | DISPLAY and XAUTHORITY environment variables. Stop with error | ||
56 | message if X11 abstract socket will be accessible in jail. | ||
57 | |||
58 | --x11=xorg | ||
59 | Sandbox the application using the untrusted mode implemented by | ||
60 | X11 security extension. The extension is available in Xorg | ||
61 | package and it is installed by default on most Linux distribu‐ | ||
62 | tions. It provides support for a simple trusted/untrusted con‐ | ||
63 | nection model. Untrusted clients are restricted in certain ways | ||
64 | to prevent them from reading window contents of other clients, | ||
65 | stealing input events, etc. | ||
66 | |||
67 | The untrusted mode has several limitations. A lot of regular | ||
68 | programs assume they are a trusted X11 clients and will crash | ||
69 | or lock up when run in untrusted mode. Chromium browser and | ||
70 | xterm are two examples. Firefox and transmission-gtk seem to be | ||
71 | working fine. A network namespace is not required for this | ||
72 | option. | ||
73 | |||
74 | Example: | ||
75 | $ firejail --x11=xorg firefox | ||
76 | ````` | 49 | ````` |
77 | 50 | # Current development version: 0.9.45 | |
78 | ## Other command line options | ||
79 | ````` | 51 | ````` |
80 | --put=name|pid src-filename dest-filename | ||
81 | Put src-filename in sandbox container. The container is specified by name or PID. | ||
82 | |||
83 | --allusers | ||
84 | All user home directories are visible inside the sandbox. By default, only current user home | ||
85 | directory is visible. | ||
86 | |||
87 | Example: | ||
88 | $ firejail --allusers | ||
89 | |||
90 | --join-or-start=name | ||
91 | Join the sandbox identified by name or start a new one. Same as "firejail --join=name" if | ||
92 | sandbox with specified name exists, otherwise same as "firejail --name=name ..." | ||
93 | Note that in contrary to other join options there is respective profile option. | ||
94 | |||
95 | --no3d Disable 3D hardware acceleration. | ||
96 | |||
97 | Example: | ||
98 | $ firejail --no3d firefox | ||
99 | |||
100 | --veth-name=name | ||
101 | Use this name for the interface connected to the bridge for | ||
102 | --net=bridge_interface commands, instead of the default one. | ||
103 | |||
104 | Example: | ||
105 | $ firejail --net=br0 --veth-name=if0 | ||
106 | 52 | ||
107 | ````` | 53 | ````` |
108 | 54 | ## New Profiles | |
109 | ## New profile commands | 55 | xiphos, Tor Browser Bundle |
110 | |||
111 | x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start | ||
112 | |||
113 | ## New profiles | ||
114 | |||
115 | qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, | ||
116 | claws-mail, mutt, git, emacs, vim, xpdf | ||
117 | 56 | ||
@@ -1,9 +1,15 @@ | |||
1 | firejail (0.9.43) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | ||
3 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | ||
4 | * new profiles: xiphos, Tor Browser Bundle | ||
5 | |||
6 | firejail (0.9.44) baseline; urgency=low | ||
2 | * CVE-2016-7545 submitted by Aleksey Manevich | 7 | * CVE-2016-7545 submitted by Aleksey Manevich |
3 | * development version | ||
4 | * modifs: removed man firejail-config | 8 | * modifs: removed man firejail-config |
5 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 9 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
6 | * modifs: Nvidia drivers added to --private-dev | 10 | * modifs: Nvidia drivers added to --private-dev |
11 | * modifs: /srv supported by --whitelist | ||
12 | * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | ||
7 | * feature: support starting/joining sandbox is a single command | 13 | * feature: support starting/joining sandbox is a single command |
8 | (--join-or-start) | 14 | (--join-or-start) |
9 | * feature: X11 detection support for --audit | 15 | * feature: X11 detection support for --audit |
@@ -15,11 +21,15 @@ firejail (0.9.43) baseline; urgency=low | |||
15 | * feature: X11 security extension (--x11=xorg) | 21 | * feature: X11 security extension (--x11=xorg) |
16 | * feature: disable 3D hardware acceleration (--no3d) | 22 | * feature: disable 3D hardware acceleration (--no3d) |
17 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | 23 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands |
24 | * feature: move files in sandbox (--put) | ||
25 | * feature: accept wildcard patterns in user name field of restricted | ||
26 | shell login feature | ||
18 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | 27 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape |
19 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | 28 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, |
20 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf | 29 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot |
30 | * new profiles: Flowblade, Eye of GNOME (eog), Evolution | ||
21 | * bugfixes | 31 | * bugfixes |
22 | -- netblue30 <netblue30@yahoo.com> Fri, 9 Sept 2016 08:00:00 -0500 | 32 | -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500 |
23 | 33 | ||
24 | firejail (0.9.42) baseline; urgency=low | 34 | firejail (0.9.42) baseline; urgency=low |
25 | * security: --whitelist deleted files, submitted by Vasya Novikov | 35 | * security: --whitelist deleted files, submitted by Vasya Novikov |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.45. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.44~rc1' | 583 | PACKAGE_VERSION='0.9.45' |
584 | PACKAGE_STRING='firejail 0.9.44~rc1' | 584 | PACKAGE_STRING='firejail 0.9.45' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then | |||
1259 | # Omit some internal or obsolete options to make the list less imposing. | 1259 | # Omit some internal or obsolete options to make the list less imposing. |
1260 | # This message is too long to be a string in the A/UX 3.1 sh. | 1260 | # This message is too long to be a string in the A/UX 3.1 sh. |
1261 | cat <<_ACEOF | 1261 | cat <<_ACEOF |
1262 | \`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. | 1262 | \`configure' configures firejail 0.9.45 to adapt to many kinds of systems. |
1263 | 1263 | ||
1264 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1264 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1265 | 1265 | ||
@@ -1320,7 +1320,7 @@ fi | |||
1320 | 1320 | ||
1321 | if test -n "$ac_init_help"; then | 1321 | if test -n "$ac_init_help"; then |
1322 | case $ac_init_help in | 1322 | case $ac_init_help in |
1323 | short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; | 1323 | short | recursive ) echo "Configuration of firejail 0.9.45:";; |
1324 | esac | 1324 | esac |
1325 | cat <<\_ACEOF | 1325 | cat <<\_ACEOF |
1326 | 1326 | ||
@@ -1424,7 +1424,7 @@ fi | |||
1424 | test -n "$ac_init_help" && exit $ac_status | 1424 | test -n "$ac_init_help" && exit $ac_status |
1425 | if $ac_init_version; then | 1425 | if $ac_init_version; then |
1426 | cat <<\_ACEOF | 1426 | cat <<\_ACEOF |
1427 | firejail configure 0.9.44~rc1 | 1427 | firejail configure 0.9.45 |
1428 | generated by GNU Autoconf 2.69 | 1428 | generated by GNU Autoconf 2.69 |
1429 | 1429 | ||
1430 | Copyright (C) 2012 Free Software Foundation, Inc. | 1430 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF | |||
1726 | This file contains any messages produced by compilers while | 1726 | This file contains any messages produced by compilers while |
1727 | running configure, to aid debugging if configure makes a mistake. | 1727 | running configure, to aid debugging if configure makes a mistake. |
1728 | 1728 | ||
1729 | It was created by firejail $as_me 0.9.44~rc1, which was | 1729 | It was created by firejail $as_me 0.9.45, which was |
1730 | generated by GNU Autoconf 2.69. Invocation command line was | 1730 | generated by GNU Autoconf 2.69. Invocation command line was |
1731 | 1731 | ||
1732 | $ $0 $@ | 1732 | $ $0 $@ |
@@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4303 | # report actual input values of CONFIG_FILES etc. instead of their | 4303 | # report actual input values of CONFIG_FILES etc. instead of their |
4304 | # values after options handling. | 4304 | # values after options handling. |
4305 | ac_log=" | 4305 | ac_log=" |
4306 | This file was extended by firejail $as_me 0.9.44~rc1, which was | 4306 | This file was extended by firejail $as_me 0.9.45, which was |
4307 | generated by GNU Autoconf 2.69. Invocation command line was | 4307 | generated by GNU Autoconf 2.69. Invocation command line was |
4308 | 4308 | ||
4309 | CONFIG_FILES = $CONFIG_FILES | 4309 | CONFIG_FILES = $CONFIG_FILES |
@@ -4357,7 +4357,7 @@ _ACEOF | |||
4357 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4357 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4358 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4358 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4359 | ac_cs_version="\\ | 4359 | ac_cs_version="\\ |
4360 | firejail config.status 0.9.44~rc1 | 4360 | firejail config.status 0.9.45 |
4361 | configured by $0, generated by GNU Autoconf 2.69, | 4361 | configured by $0, generated by GNU Autoconf 2.69, |
4362 | with options \\"\$ac_cs_config\\" | 4362 | with options \\"\$ac_cs_config\\" |
4363 | 4363 | ||
diff --git a/configure.ac b/configure.ac index 108b558d4..95947a8e3 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 9a8d93875..fa0b316bb 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6,netlink | 15 | protocol unix,inet,inet6,netlink |
diff --git a/etc/atom.profile b/etc/atom.profile index 3cb86847e..61930d5c1 100644 --- a/etc/atom.profile +++ b/etc/atom.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6,netlink | 15 | protocol unix,inet,inet6,netlink |
diff --git a/etc/atril.profile b/etc/atril.profile index d9e10b072..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nonewprivs | ||
11 | nogroups | 10 | nogroups |
11 | nonewprivs | ||
12 | noroot | 12 | noroot |
13 | nosound | 13 | nosound |
14 | protocol unix | 14 | protocol unix |
diff --git a/etc/audacity.profile b/etc/audacity.profile index be3fac9be..827fa4301 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix | 14 | protocol unix |
15 | seccomp | 15 | seccomp |
diff --git a/etc/aweather.profile b/etc/aweather.profile index 4e5c36f50..fa8654f1e 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile | |||
@@ -11,8 +11,8 @@ whitelist ~/.config/aweather | |||
11 | 11 | ||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 14 | nogroups |
15 | nonewprivs | ||
16 | noroot | 16 | noroot |
17 | nosound | 17 | nosound |
18 | protocol unix,inet,inet6 | 18 | protocol unix,inet,inet6 |
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index ec6d0d69d..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nogroups | ||
12 | nonewprivs | 13 | nonewprivs |
13 | noroot | 14 | noroot |
14 | nosound | 15 | nosound |
15 | seccomp | 16 | seccomp |
16 | protocol unix,inet,inet6,netlink | 17 | protocol unix,inet,inet6,netlink |
17 | tracelog | 18 | tracelog |
18 | |||
19 | |||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 0d383aebf..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx | |||
25 | whitelist ~/.lastpass | 25 | whitelist ~/.lastpass |
26 | whitelist ~/.config/lastpass | 26 | whitelist ~/.config/lastpass |
27 | 27 | ||
28 | # specific to Arch | ||
29 | whitelist ~/.config/chromium-flags.conf | ||
30 | |||
28 | include /etc/firejail/whitelist-common.inc | 31 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 19a23d764..82398473d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+ | |||
137 | blacklist /etc/ssh | 137 | blacklist /etc/ssh |
138 | blacklist /var/backup | 138 | blacklist /var/backup |
139 | 139 | ||
140 | # system directories | ||
141 | blacklist /sbin | ||
142 | blacklist /usr/sbin | ||
143 | blacklist /usr/local/sbin | ||
144 | |||
140 | # system management | 145 | # system management |
141 | # blacklist ${PATH}/umount | 146 | # blacklist ${PATH}/umount |
142 | # blacklist ${PATH}/mount | 147 | # blacklist ${PATH}/mount |
@@ -149,11 +154,22 @@ blacklist ${PATH}/xev | |||
149 | blacklist ${PATH}/strace | 154 | blacklist ${PATH}/strace |
150 | blacklist ${PATH}/nc | 155 | blacklist ${PATH}/nc |
151 | blacklist ${PATH}/ncat | 156 | blacklist ${PATH}/ncat |
152 | 157 | blacklist ${PATH}/gpasswd | |
153 | # system directories | 158 | blacklist ${PATH}/newgidmap |
154 | blacklist /sbin | 159 | blacklist ${PATH}/newgrp |
155 | blacklist /usr/sbin | 160 | blacklist ${PATH}/newuidmap |
156 | blacklist /usr/local/sbin | 161 | blacklist ${PATH}/pkexec |
162 | blacklist ${PATH}/sg | ||
163 | blacklist ${PATH}/rsh | ||
164 | blacklist ${PATH}/rlogin | ||
165 | blacklist ${PATH}/rcp | ||
166 | blacklist ${PATH}/crontab | ||
167 | blacklist ${PATH}/ksu | ||
168 | blacklist ${PATH}/chsh | ||
169 | blacklist ${PATH}/chfn | ||
170 | blacklist ${PATH}/chage | ||
171 | blacklist ${PATH}/expiry | ||
172 | blacklist ${PATH}/unix_chkpwd | ||
157 | 173 | ||
158 | # prevent lxterminal connecting to an existing lxterminal session | 174 | # prevent lxterminal connecting to an existing lxterminal session |
159 | blacklist /tmp/.lxterminal-socket* | 175 | blacklist /tmp/.lxterminal-socket* |
@@ -173,28 +189,6 @@ blacklist ${PATH}/terminix | |||
173 | blacklist ${PATH}/urxvtc | 189 | blacklist ${PATH}/urxvtc |
174 | blacklist ${PATH}/urxvtcd | 190 | blacklist ${PATH}/urxvtcd |
175 | 191 | ||
176 | # disable common suid programms | 192 | # kernel files |
177 | blacklist ${PATH}/firejail | 193 | blacklist /vmlinuz* |
178 | blacklist ${PATH}/sudo | 194 | blacklist /initrd* |
179 | blacklist ${PATH}/su | ||
180 | blacklist ${PATH}/mount | ||
181 | blacklist ${PATH}/umount | ||
182 | blacklist ${PATH}/fusermount | ||
183 | blacklist ${PATH}/passwd | ||
184 | blacklist ${PATH}/gpasswd | ||
185 | blacklist ${PATH}/newgidmap | ||
186 | blacklist ${PATH}/newgrp | ||
187 | blacklist ${PATH}/newuidmap | ||
188 | blacklist ${PATH}/pkexec | ||
189 | blacklist ${PATH}/sg | ||
190 | blacklist ${PATH}/rsh | ||
191 | blacklist ${PATH}/rlogin | ||
192 | blacklist ${PATH}/rcp | ||
193 | blacklist ${PATH}/crontab | ||
194 | blacklist ${PATH}/ksu | ||
195 | blacklist ${PATH}/chsh | ||
196 | blacklist ${PATH}/chfn | ||
197 | blacklist ${PATH}/chage | ||
198 | blacklist ${PATH}/expiry | ||
199 | blacklist ${PATH}/ping | ||
200 | blacklist ${PATH}/unix_chkpwd | ||
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 971857710..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* | |||
20 | # clang/llvm | 20 | # clang/llvm |
21 | blacklist /usr/bin/clang* | 21 | blacklist /usr/bin/clang* |
22 | blacklist /usr/bin/llvm* | 22 | blacklist /usr/bin/llvm* |
23 | blacklist /usb/bin/lldb* | 23 | blacklist /usr/bin/lldb* |
24 | blacklist /usr/lib/llvm* | 24 | blacklist /usr/lib/llvm* |
25 | 25 | ||
26 | # tcc - Tiny C Compiler | 26 | # tcc - Tiny C Compiler |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 369e4813c..6e22fe04d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -7,6 +7,8 @@ blacklist ${HOME}/.wine | |||
7 | blacklist ${HOME}/.Mathematica | 7 | blacklist ${HOME}/.Mathematica |
8 | blacklist ${HOME}/.Wolfram Research | 8 | blacklist ${HOME}/.Wolfram Research |
9 | blacklist ${HOME}/.stellarium | 9 | blacklist ${HOME}/.stellarium |
10 | blacklist ${HOME}/.sword | ||
11 | blacklist ${HOME}/.xiphos | ||
10 | blacklist ${HOME}/.config/Atom | 12 | blacklist ${HOME}/.config/Atom |
11 | blacklist ${HOME}/.config/gthumb | 13 | blacklist ${HOME}/.config/gthumb |
12 | blacklist ${HOME}/.config/mupen64plus | 14 | blacklist ${HOME}/.config/mupen64plus |
@@ -35,6 +37,11 @@ blacklist ${HOME}/.gimp* | |||
35 | blacklist ${HOME}/.config/zathura | 37 | blacklist ${HOME}/.config/zathura |
36 | blacklist ${HOME}/.config/cherrytree | 38 | blacklist ${HOME}/.config/cherrytree |
37 | blacklist ${HOME}/.xpdfrc | 39 | blacklist ${HOME}/.xpdfrc |
40 | blacklist ${HOME}/.openshot | ||
41 | blacklist ${HOME}/.openshot_qt | ||
42 | blacklist ${HOME}/.flowblade | ||
43 | blacklist ${HOME}/.config/flowblade | ||
44 | blacklist ${HOME}/.config/eog | ||
38 | 45 | ||
39 | 46 | ||
40 | # Media players | 47 | # Media players |
@@ -72,8 +79,12 @@ blacklist ${HOME}/.8pecxstudios | |||
72 | blacklist ${HOME}/.config/brave | 79 | blacklist ${HOME}/.config/brave |
73 | blacklist ${HOME}/.config/inox | 80 | blacklist ${HOME}/.config/inox |
74 | blacklist ${HOME}/.muttrc | 81 | blacklist ${HOME}/.muttrc |
82 | blacklist ${HOME}/.mutt | ||
75 | blacklist ${HOME}/.mutt/muttrc | 83 | blacklist ${HOME}/.mutt/muttrc |
76 | blacklist ${HOME}/.msmtprc | 84 | blacklist ${HOME}/.msmtprc |
85 | blacklist ${HOME}/.config/evolution | ||
86 | blacklist ${HOME}/.local/share/evolution | ||
87 | blacklist ${HOME}/.cache/evolution | ||
77 | 88 | ||
78 | # Instant Messaging | 89 | # Instant Messaging |
79 | blacklist ${HOME}/.config/hexchat | 90 | blacklist ${HOME}/.config/hexchat |
diff --git a/etc/eog.profile b/etc/eog.profile index 32b54a042..7eb7fd127 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nogroups | ||
12 | nonewprivs | 13 | nonewprivs |
13 | noroot | 14 | noroot |
14 | nogroups | ||
15 | protocol unix | 15 | protocol unix |
16 | seccomp | 16 | seccomp |
17 | shell none | 17 | shell none |
@@ -20,4 +20,3 @@ private-bin eog | |||
20 | private-dev | 20 | private-dev |
21 | private-etc fonts | 21 | private-etc fonts |
22 | private-tmp | 22 | private-tmp |
23 | |||
diff --git a/etc/evolution.profile b/etc/evolution.profile index cf581643d..d097c0f34 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
@@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc | |||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | nogroups | ||
17 | nonewprivs | 18 | nonewprivs |
18 | noroot | 19 | noroot |
19 | nogroups | ||
20 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
21 | seccomp | 21 | seccomp |
22 | shell none | 22 | shell none |
diff --git a/etc/feh.profile b/etc/feh.profile index 5fcb6bf25..e3b1ec528 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | seccomp | ||
9 | protocol unix | ||
10 | netfilter | 8 | netfilter |
11 | net none | 9 | net none |
10 | nogroups | ||
12 | nonewprivs | 11 | nonewprivs |
13 | noroot | 12 | noroot |
14 | nogroups | ||
15 | nosound | 13 | nosound |
14 | protocol unix | ||
15 | seccomp | ||
16 | shell none | 16 | shell none |
17 | 17 | ||
18 | private-bin feh | 18 | private-bin feh |
diff --git a/etc/file.profile b/etc/file.profile index 2e54030b1..199a97fad 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,16 +1,17 @@ | |||
1 | # file profile | 1 | # file profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname file | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
14 | |||
15 | private-dev | ||
9 | private-bin file | 16 | private-bin file |
10 | private-etc magic.mgc,magic,localtime | 17 | private-etc magic.mgc,magic,localtime |
11 | hostname file | ||
12 | private-dev | ||
13 | nosound | ||
14 | no3d | ||
15 | blacklist /tmp/.X11-unix | ||
16 | |||
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 551c17a78..fe1d9d20d 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -13,10 +13,9 @@ noroot | |||
13 | nosound | 13 | nosound |
14 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
15 | seccomp | 15 | seccomp |
16 | |||
17 | shell none | 16 | shell none |
17 | |||
18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp | 18 | private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp |
19 | whitelist /tmp/.X11-unix | ||
20 | private-dev | 19 | private-dev |
21 | nosound | ||
22 | 20 | ||
21 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/flowblade.profile b/etc/flowblade.profile new file mode 100644 index 000000000..12afdb0aa --- /dev/null +++ b/etc/flowblade.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # FlowBlade profile | ||
2 | noblacklist ${HOME}/.flowblade | ||
3 | noblacklist ${HOME}/.config/flowblade | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | |||
8 | caps.drop all | ||
9 | netfilter | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
diff --git a/etc/franz.profile b/etc/franz.profile index 3cb7942ab..0b3be551b 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | seccomp | ||
10 | protocol unix,inet,inet6,netlink | ||
11 | netfilter | 9 | netfilter |
12 | #tracelog | ||
13 | nonewprivs | 10 | nonewprivs |
14 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
14 | #tracelog | ||
15 | 15 | ||
16 | whitelist ${DOWNLOADS} | 16 | whitelist ${DOWNLOADS} |
17 | mkdir ~/.config/Franz | 17 | mkdir ~/.config/Franz |
diff --git a/etc/gajim.profile b/etc/gajim.profile index 04902a734..809378ef9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc | |||
22 | 22 | ||
23 | caps.drop all | 23 | caps.drop all |
24 | netfilter | 24 | netfilter |
25 | nonewprivs | ||
26 | nogroups | 25 | nogroups |
26 | nonewprivs | ||
27 | noroot | 27 | noroot |
28 | protocol unix,inet,inet6 | 28 | protocol unix,inet,inet6 |
29 | seccomp | 29 | seccomp |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 23361b771..cb441fc9d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | netfilter | 8 | netfilter |
9 | nogroups | ||
9 | nonewprivs | 10 | nonewprivs |
10 | noroot | 11 | noroot |
12 | nosound | ||
11 | protocol unix | 13 | protocol unix |
12 | seccomp | 14 | seccomp |
13 | private-dev | 15 | |
14 | private-tmp | ||
15 | noexec ${HOME} | 16 | noexec ${HOME} |
16 | noexec /tmp | 17 | noexec /tmp |
17 | nogroups | 18 | |
18 | nosound | 19 | private-dev |
20 | private-tmp | ||
diff --git a/etc/git.profile b/etc/git.profile index 2fb55377d..73122d347 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc | |||
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | 14 | ||
15 | quiet | ||
16 | 15 | ||
17 | caps.drop all | 16 | caps.drop all |
18 | netfilter | 17 | netfilter |
18 | nogroups | ||
19 | nonewprivs | 19 | nonewprivs |
20 | noroot | 20 | noroot |
21 | nogroups | ||
22 | nosound | 21 | nosound |
23 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
23 | quiet | ||
24 | seccomp | 24 | seccomp |
25 | shell none | 25 | shell none |
26 | 26 | ||
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 353ecceae..801304c18 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -6,13 +6,12 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | # Whitelist | 8 | # Whitelist |
9 | mkdir ~/.config/Gpredict | ||
10 | whitelist ~/.config/Gpredict | 9 | whitelist ~/.config/Gpredict |
11 | 10 | ||
12 | caps.drop all | 11 | caps.drop all |
13 | netfilter | 12 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 13 | nogroups |
14 | nonewprivs | ||
16 | noroot | 15 | noroot |
17 | nosound | 16 | nosound |
18 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
@@ -21,5 +20,6 @@ shell none | |||
21 | tracelog | 20 | tracelog |
22 | 21 | ||
23 | private-bin gpredict | 22 | private-bin gpredict |
23 | private-etc fonts,resolv.conf | ||
24 | private-dev | 24 | private-dev |
25 | private-tmp | 25 | private-tmp |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 67f10c4e1..c866c9e63 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | nogroups | ||
10 | nonewprivs | 11 | nonewprivs |
11 | noroot | 12 | noroot |
12 | nogroups | ||
13 | private-dev | ||
14 | protocol unix | 13 | protocol unix |
15 | seccomp | 14 | seccomp |
16 | nosound | 15 | nosound |
17 | 16 | ||
17 | private-dev | ||
18 | |||
18 | #Experimental: | 19 | #Experimental: |
19 | #shell none | 20 | #shell none |
20 | #private-bin gwenview | 21 | #private-bin gwenview |
diff --git a/etc/gzip.profile b/etc/gzip.profile index 5e73969c4..d51b9a951 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # gzip profile | 1 | # gzip profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | ||
7 | shell none | ||
8 | blacklist /tmp/.X11-unix | 5 | blacklist /tmp/.X11-unix |
9 | private-dev | 6 | |
10 | nosound | 7 | net none |
11 | no3d | 8 | no3d |
9 | nosound | ||
10 | quiet | ||
11 | shell none | ||
12 | tracelog | ||
12 | 13 | ||
14 | private-dev | ||
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cf885fba2..a0e86b6c9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | netfilter | 8 | netfilter |
9 | nogroups | ||
9 | nonewprivs | 10 | nonewprivs |
10 | noroot | 11 | noroot |
12 | nosound | ||
11 | protocol unix | 13 | protocol unix |
12 | seccomp | 14 | seccomp |
13 | private-dev | 15 | |
14 | private-tmp | ||
15 | noexec ${HOME} | 16 | noexec ${HOME} |
16 | noexec /tmp | 17 | noexec /tmp |
17 | nogroups | 18 | |
18 | nosound | 19 | private-dev |
20 | private-tmp | ||
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index c61158f8b..046499abe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | 7 | ||
8 | caps.drop all | 8 | caps.drop all |
9 | nonewprivs | ||
10 | nogroups | 9 | nogroups |
10 | nonewprivs | ||
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | 12 | protocol unix,inet,inet6 |
13 | seccomp | 13 | seccomp |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 8c8fd18c4..bc21ba604 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6,netlink | 14 | protocol unix,inet,inet6,netlink |
15 | seccomp | 15 | seccomp |
diff --git a/etc/less.profile b/etc/less.profile index 6dfae027e..08758aead 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -2,8 +2,10 @@ | |||
2 | quiet | 2 | quiet |
3 | ignore noroot | 3 | ignore noroot |
4 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
5 | tracelog | 5 | |
6 | net none | 6 | net none |
7 | nosound | ||
7 | shell none | 8 | shell none |
9 | tracelog | ||
10 | |||
8 | private-dev | 11 | private-dev |
9 | nosound | ||
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6e059ea52..76e864e0c 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | ipc-namespace | ||
8 | netfilter | 9 | netfilter |
9 | protocol unix | 10 | nogroups |
10 | nonewprivs | 11 | nonewprivs |
11 | noroot | 12 | noroot |
13 | nosound | ||
14 | protocol unix | ||
12 | seccomp | 15 | seccomp |
13 | shell none | 16 | shell none |
14 | tracelog | 17 | tracelog |
15 | private-tmp | 18 | |
16 | private-dev | ||
17 | noexec ${HOME} | 19 | noexec ${HOME} |
18 | noexec /tmp | 20 | noexec /tmp |
19 | nogroups | 21 | |
20 | nosound | 22 | private-tmp |
21 | ipc-namespace | 23 | private-dev |
diff --git a/etc/mutt.profile b/etc/mutt.profile index cda7fc4bf..b532ded67 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -2,6 +2,7 @@ | |||
2 | 2 | ||
3 | noblacklist ~/.muttrc | 3 | noblacklist ~/.muttrc |
4 | noblacklist ~/.mutt | 4 | noblacklist ~/.mutt |
5 | noblacklist ~/.mutt/muttrc | ||
5 | noblacklist ~/.mailcap | 6 | noblacklist ~/.mailcap |
6 | noblacklist ~/.gnupg | 7 | noblacklist ~/.gnupg |
7 | noblacklist ~/.mail | 8 | noblacklist ~/.mail |
diff --git a/etc/okular.profile b/etc/okular.profile index df142ccfc..b43a5fbea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc | |||
9 | include /etc/firejail/disable-passwdmgr.inc | 9 | include /etc/firejail/disable-passwdmgr.inc |
10 | 10 | ||
11 | caps.drop all | 11 | caps.drop all |
12 | nonewprivs | ||
13 | nogroups | 12 | nogroups |
13 | nonewprivs | ||
14 | noroot | 14 | noroot |
15 | private-dev | ||
16 | protocol unix | 15 | protocol unix |
17 | seccomp | 16 | seccomp |
18 | nosound | 17 | nosound |
19 | 18 | ||
19 | private-dev | ||
20 | |||
20 | #Experimental: | 21 | #Experimental: |
21 | #net none | 22 | #net none |
22 | #shell none | 23 | #shell none |
diff --git a/etc/openshot.profile b/etc/openshot.profile new file mode 100644 index 000000000..f12bd7d11 --- /dev/null +++ b/etc/openshot.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # OpenShot profile | ||
2 | noblacklist ${HOME}/.openshot | ||
3 | noblacklist ${HOME}/.openshot_qt | ||
4 | include /etc/firejail/disable-common.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | include /etc/firejail/disable-passwdmgr.inc | ||
7 | |||
8 | caps.drop all | ||
9 | netfilter | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6,netlink | ||
13 | seccomp | ||
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 47be2b6ea..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc | |||
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | netfilter | 10 | netfilter |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
15 | seccomp | 15 | seccomp |
diff --git a/etc/pix.profile b/etc/pix.profile index 80c05fd09..e21ddadc6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc | |||
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | nonewprivs | ||
12 | nogroups | 11 | nogroups |
12 | nonewprivs | ||
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | protocol unix | 15 | protocol unix |
@@ -20,4 +20,3 @@ tracelog | |||
20 | private-bin pix | 20 | private-bin pix |
21 | whitelist /tmp/.X11-unix | 21 | whitelist /tmp/.X11-unix |
22 | private-dev | 22 | private-dev |
23 | |||
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 22c5bafc5..a9323448b 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+ | |||
14 | mkdir ~/.cache/psi+ | 14 | mkdir ~/.cache/psi+ |
15 | whitelist ~/.cache/psi+ | 15 | whitelist ~/.cache/psi+ |
16 | 16 | ||
17 | include /etc/firejail/whitelist-common.inc | ||
18 | |||
19 | caps.drop all | 17 | caps.drop all |
20 | netfilter | 18 | netfilter |
21 | noroot | 19 | noroot |
22 | protocol unix,inet,inet6 | 20 | protocol unix,inet,inet6 |
23 | seccomp | 21 | seccomp |
22 | |||
23 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 138b6db55..67829c9ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
@@ -15,6 +15,6 @@ seccomp | |||
15 | # there are some problems with "Open destination folder", see bug #536 | 15 | # there are some problems with "Open destination folder", see bug #536 |
16 | #shell none | 16 | #shell none |
17 | #private-bin qbittorrent | 17 | #private-bin qbittorrent |
18 | whitelist /tmp/.X11-unix | ||
19 | private-dev | 18 | private-dev |
20 | nosound | 19 | |
20 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 07ea173e6..06c0db206 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile | |||
@@ -18,5 +18,5 @@ shell none | |||
18 | tracelog | 18 | tracelog |
19 | 19 | ||
20 | private-bin qpdfview | 20 | private-bin qpdfview |
21 | private-tmp | ||
22 | private-dev | 21 | private-dev |
22 | private-tmp | ||
diff --git a/etc/qtox.profile b/etc/qtox.profile index 927487037..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
@@ -11,8 +11,8 @@ whitelist ${DOWNLOADS} | |||
11 | 11 | ||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | nonewprivs | ||
15 | nogroups | 14 | nogroups |
15 | nonewprivs | ||
16 | noroot | 16 | noroot |
17 | protocol unix,inet,inet6 | 17 | protocol unix,inet,inet6 |
18 | seccomp | 18 | seccomp |
diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2ab5d8a8e..2b28fce73 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile | |||
@@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss | |||
14 | 14 | ||
15 | caps.drop all | 15 | caps.drop all |
16 | netfilter | 16 | netfilter |
17 | nonewprivs | ||
18 | nogroups | 17 | nogroups |
18 | nonewprivs | ||
19 | noroot | 19 | noroot |
20 | private-bin quiterss | ||
21 | private-dev | ||
22 | nosound | 20 | nosound |
23 | #private-etc X11,ssl | ||
24 | protocol unix,inet,inet6 | 21 | protocol unix,inet,inet6 |
25 | seccomp | 22 | seccomp |
26 | shell none | 23 | shell none |
27 | tracelog | 24 | tracelog |
28 | 25 | ||
26 | private-bin quiterss | ||
27 | private-dev | ||
28 | #private-etc X11,ssl | ||
29 | |||
29 | include /etc/firejail/whitelist-common.inc | 30 | include /etc/firejail/whitelist-common.inc |
diff --git a/etc/ranger.profile b/etc/ranger.profile index a040cd6bc..323e64dee 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile | |||
@@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc | |||
12 | caps.drop all | 12 | caps.drop all |
13 | netfilter | 13 | netfilter |
14 | net none | 14 | net none |
15 | nogroups | ||
15 | nonewprivs | 16 | nonewprivs |
16 | noroot | 17 | noroot |
17 | nogroups | ||
18 | protocol unix | 18 | protocol unix |
19 | seccomp | 19 | seccomp |
20 | nosound | 20 | nosound |
21 | 21 | ||
22 | private-tmp | 22 | private-tmp |
23 | private-dev | 23 | private-dev |
24 | |||
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0e8527ae7..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc | |||
5 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
6 | 6 | ||
7 | caps.drop all | 7 | caps.drop all |
8 | nogroups | ||
9 | netfilter | 8 | netfilter |
9 | nogroups | ||
10 | nonewprivs | 10 | nonewprivs |
11 | noroot | 11 | noroot |
12 | protocol unix,inet,inet6 | 12 | protocol unix,inet,inet6 |
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 15df2c374..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile | |||
@@ -16,4 +16,3 @@ shell none | |||
16 | private-bin rtorrent | 16 | private-bin rtorrent |
17 | whitelist /tmp/.X11-unix | 17 | whitelist /tmp/.X11-unix |
18 | private-dev | 18 | private-dev |
19 | nosound | ||
diff --git a/etc/server.profile b/etc/server.profile index 22cef0a3c..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
@@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc | |||
6 | include /etc/firejail/disable-programs.inc | 6 | include /etc/firejail/disable-programs.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | private | ||
10 | private-dev | ||
11 | nosound | ||
12 | no3d | ||
13 | private-tmp | ||
14 | blacklist /tmp/.X11-unix | 9 | blacklist /tmp/.X11-unix |
10 | |||
11 | no3d | ||
12 | nosound | ||
15 | seccomp | 13 | seccomp |
16 | 14 | ||
15 | private | ||
16 | private-dev | ||
17 | private-tmp | ||
diff --git a/etc/slack.profile b/etc/slack.profile index 1009f7ee0..a85a28f03 100644 --- a/etc/slack.profile +++ b/etc/slack.profile | |||
@@ -1,3 +1,4 @@ | |||
1 | # Firejail profile for Slack | ||
1 | noblacklist ${HOME}/.config/Slack | 2 | noblacklist ${HOME}/.config/Slack |
2 | noblacklist ${HOME}/Downloads | 3 | noblacklist ${HOME}/Downloads |
3 | 4 | ||
@@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc | |||
6 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
8 | 9 | ||
9 | mkdir ${HOME}/.config | ||
10 | mkdir ${HOME}/.config/Slack | ||
11 | whitelist ${HOME}/.config/Slack | ||
12 | whitelist ${HOME}/Downloads | ||
13 | |||
14 | protocol unix,inet,inet6,netlink | ||
15 | private-dev | ||
16 | private-tmp | ||
17 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | ||
18 | name slack | ||
19 | blacklist /var | 10 | blacklist /var |
20 | 11 | ||
21 | include /etc/firejail/whitelist-common.inc | ||
22 | |||
23 | caps.drop all | 12 | caps.drop all |
24 | seccomp | 13 | name slack |
25 | netfilter | 14 | netfilter |
26 | nonewprivs | ||
27 | nogroups | 15 | nogroups |
16 | nonewprivs | ||
28 | noroot | 17 | noroot |
18 | protocol unix,inet,inet6,netlink | ||
19 | seccomp | ||
29 | shell none | 20 | shell none |
21 | |||
30 | private-bin slack | 22 | private-bin slack |
23 | private-dev | ||
24 | private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime | ||
25 | private-tmp | ||
26 | |||
27 | mkdir ${HOME}/.config | ||
28 | mkdir ${HOME}/.config/Slack | ||
29 | whitelist ${HOME}/.config/Slack | ||
30 | whitelist ${HOME}/Downloads | ||
31 | include /etc/firejail/whitelist-common.inc | ||
diff --git a/etc/spotify.profile b/etc/spotify.profile index 73d427db3..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-devel.inc | 7 | include /etc/firejail/disable-devel.inc |
8 | include /etc/firejail/disable-passwdmgr.inc | 8 | include /etc/firejail/disable-passwdmgr.inc |
9 | 9 | ||
10 | # Whitelist the folders needed by Spotify - This is more restrictive | 10 | # Whitelist the folders needed by Spotify |
11 | # than a blacklist though, but this is all spotify requires for | ||
12 | # streaming audio | ||
13 | mkdir ${HOME}/.config/spotify | 11 | mkdir ${HOME}/.config/spotify |
14 | whitelist ${HOME}/.config/spotify | 12 | whitelist ${HOME}/.config/spotify |
15 | mkdir ${HOME}/.local/share/spotify | 13 | mkdir ${HOME}/.local/share/spotify |
16 | whitelist ${HOME}/.local/share/spotify | 14 | whitelist ${HOME}/.local/share/spotify |
17 | mkdir ${HOME}/.cache/spotify | 15 | mkdir ${HOME}/.cache/spotify |
18 | whitelist ${HOME}/.cache/spotify | 16 | whitelist ${HOME}/.cache/spotify |
19 | include /etc/firejail/whitelist-common.inc | ||
20 | 17 | ||
21 | caps.drop all | 18 | caps.drop all |
22 | netfilter | 19 | netfilter |
@@ -27,5 +24,20 @@ protocol unix,inet,inet6,netlink | |||
27 | seccomp | 24 | seccomp |
28 | shell none | 25 | shell none |
29 | 26 | ||
30 | #private-bin spotify | 27 | private-bin spotify |
28 | private-etc fonts,machine-id,pulse,resolv.conf | ||
31 | private-dev | 29 | private-dev |
30 | private-tmp | ||
31 | |||
32 | blacklist ${HOME}/.Xauthority | ||
33 | blacklist ${HOME}/.bashrc | ||
34 | blacklist /boot | ||
35 | blacklist /lost+found | ||
36 | blacklist /media | ||
37 | blacklist /mnt | ||
38 | blacklist /opt | ||
39 | blacklist /root | ||
40 | blacklist /sbin | ||
41 | blacklist /srv | ||
42 | blacklist /sys | ||
43 | blacklist /var | ||
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile new file mode 100644 index 000000000..ee19cee25 --- /dev/null +++ b/etc/start-tor-browser.profile | |||
@@ -0,0 +1,20 @@ | |||
1 | # Firejail profile for the Tor Brower Bundle | ||
2 | include /etc/firejail/disable-common.inc | ||
3 | include /etc/firejail/disable-devel.inc | ||
4 | include /etc/firejail/disable-passwdmgr.inc | ||
5 | include /etc/firejail/disable-programs.inc | ||
6 | |||
7 | caps.drop all | ||
8 | netfilter | ||
9 | nogroups | ||
10 | nonewprivs | ||
11 | noroot | ||
12 | protocol unix,inet,inet6 | ||
13 | seccomp | ||
14 | shell none | ||
15 | tracelog | ||
16 | |||
17 | private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf | ||
18 | private-etc fonts | ||
19 | private-dev | ||
20 | private-tmp | ||
diff --git a/etc/strings.profile b/etc/strings.profile index f99a65009..7c464bf88 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -1,10 +1,11 @@ | |||
1 | # strings profile | 1 | # strings profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | 5 | net none |
7 | shell none | ||
8 | private-dev | ||
9 | nosound | 6 | nosound |
7 | quiet | ||
8 | shell none | ||
9 | tracelog | ||
10 | 10 | ||
11 | private-dev | ||
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index d46467b99..69b2a0db2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile | |||
@@ -11,7 +11,9 @@ nonewprivs | |||
11 | noroot | 11 | noroot |
12 | protocol unix | 12 | protocol unix |
13 | seccomp | 13 | seccomp |
14 | private-dev | 14 | |
15 | private-tmp | ||
16 | noexec ${HOME} | 15 | noexec ${HOME} |
17 | noexec /tmp | 16 | noexec /tmp |
17 | |||
18 | private-dev | ||
19 | private-tmp | ||
diff --git a/etc/tar.profile b/etc/tar.profile index 663ac3805..91fdaf48d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -1,18 +1,18 @@ | |||
1 | # tar profile | 1 | # tar profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname tar | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
9 | 14 | ||
10 | # support compressed archives | 15 | # support compressed archives |
11 | private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop | 16 | private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop |
12 | private-dev | 17 | private-dev |
13 | nosound | ||
14 | no3d | ||
15 | private-etc passwd,group,localtime | 18 | private-etc passwd,group,localtime |
16 | hostname tar | ||
17 | blacklist /tmp/.X11-unix | ||
18 | |||
diff --git a/etc/telegram.profile b/etc/telegram.profile index 8e91e426b..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile | |||
@@ -10,4 +10,3 @@ nonewprivs | |||
10 | noroot | 10 | noroot |
11 | protocol unix,inet,inet6 | 11 | protocol unix,inet,inet6 |
12 | seccomp | 12 | seccomp |
13 | |||
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0cfa4fcfc..316cdfec6 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile | |||
@@ -18,6 +18,6 @@ shell none | |||
18 | tracelog | 18 | tracelog |
19 | 19 | ||
20 | private-bin transmission-gtk | 20 | private-bin transmission-gtk |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | 21 | private-dev |
23 | 22 | ||
23 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 754211a63..51c58e224 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile | |||
@@ -14,9 +14,10 @@ noroot | |||
14 | nosound | 14 | nosound |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | shell none | ||
17 | tracelog | 18 | tracelog |
18 | 19 | ||
19 | shell none | ||
20 | private-bin transmission-qt | 20 | private-bin transmission-qt |
21 | whitelist /tmp/.X11-unix | ||
22 | private-dev | 21 | private-dev |
22 | |||
23 | whitelist /tmp/.X11-unix | ||
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 522b4bd1e..f42e6c69a 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile | |||
@@ -9,17 +9,16 @@ caps.drop all | |||
9 | netfilter | 9 | netfilter |
10 | nonewprivs | 10 | nonewprivs |
11 | noroot | 11 | noroot |
12 | nosound | ||
12 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
13 | seccomp | 14 | seccomp |
15 | shell none | ||
14 | 16 | ||
17 | private-bin uget-gtk | ||
18 | private-dev | ||
19 | |||
20 | whitelist /tmp/.X11-unix | ||
15 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
16 | mkdir ~/.config/uGet | 22 | mkdir ~/.config/uGet |
17 | whitelist ~/.config/uGet | 23 | whitelist ~/.config/uGet |
18 | include /etc/firejail/whitelist-common.inc | 24 | include /etc/firejail/whitelist-common.inc |
19 | |||
20 | shell none | ||
21 | private-bin uget-gtk | ||
22 | whitelist /tmp/.X11-unix | ||
23 | private-dev | ||
24 | nosound | ||
25 | |||
diff --git a/etc/unrar.profile b/etc/unrar.profile index f29d1b51b..0700cafe9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -1,17 +1,18 @@ | |||
1 | # unrar profile | 1 | # unrar profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /tmp/.X11-unix |
6 | |||
7 | hostname unrar | ||
7 | net none | 8 | net none |
9 | no3d | ||
10 | nosound | ||
11 | quiet | ||
8 | shell none | 12 | shell none |
13 | tracelog | ||
14 | |||
9 | private-bin unrar | 15 | private-bin unrar |
10 | private-dev | 16 | private-dev |
11 | nosound | ||
12 | no3d | ||
13 | private-etc passwd,group,localtime | 17 | private-etc passwd,group,localtime |
14 | hostname unrar | ||
15 | private-tmp | 18 | private-tmp |
16 | blacklist /tmp/.X11-unix | ||
17 | |||
diff --git a/etc/unzip.profile b/etc/unzip.profile index 07224855f..a43785795 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -1,16 +1,16 @@ | |||
1 | # unzip profile | 1 | # unzip profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
4 | blacklist /tmp/.X11-unix | ||
5 | 5 | ||
6 | tracelog | 6 | hostname unzip |
7 | net none | 7 | net none |
8 | no3d | ||
9 | nosound | ||
10 | quiet | ||
8 | shell none | 11 | shell none |
12 | tracelog | ||
13 | |||
9 | private-bin unzip | 14 | private-bin unzip |
10 | private-etc passwd,group,localtime | ||
11 | hostname unzip | ||
12 | private-dev | 15 | private-dev |
13 | nosound | 16 | private-etc passwd,group,localtime |
14 | no3d | ||
15 | blacklist /tmp/.X11-unix | ||
16 | |||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8ea9d5163..5ba0896ab 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -1,15 +1,15 @@ | |||
1 | # uudeview profile | 1 | # uudeview profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | 4 | ||
6 | tracelog | 5 | blacklist /etc |
6 | |||
7 | hostname uudeview | ||
7 | net none | 8 | net none |
9 | nosound | ||
10 | quiet | ||
8 | shell none | 11 | shell none |
12 | tracelog | ||
13 | |||
9 | private-bin uudeview | 14 | private-bin uudeview |
10 | private-dev | 15 | private-dev |
11 | private-etc nonexisting_fakefile_for_empty_etc | ||
12 | hostname uudeview | ||
13 | nosound | ||
14 | uudeview | ||
15 | |||
diff --git a/etc/vim.profile b/etc/vim.profile index 3c1fefe41..b161fcbb0 100644 --- a/etc/vim.profile +++ b/etc/vim.profile | |||
@@ -1,5 +1,4 @@ | |||
1 | # vim profile | 1 | # vim profile |
2 | |||
3 | noblacklist ~/.vim | 2 | noblacklist ~/.vim |
4 | noblacklist ~/.vimrc | 3 | noblacklist ~/.vimrc |
5 | noblacklist ~/.viminfo | 4 | noblacklist ~/.viminfo |
@@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
10 | 9 | ||
11 | caps.drop all | 10 | caps.drop all |
12 | netfilter | 11 | netfilter |
12 | nogroups | ||
13 | nonewprivs | 13 | nonewprivs |
14 | noroot | 14 | noroot |
15 | nogroups | ||
16 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
17 | seccomp | 16 | seccomp |
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile new file mode 100644 index 000000000..148b7efc8 --- /dev/null +++ b/etc/virtualbox.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # VirtualBox profile | ||
2 | |||
3 | noblacklist ${HOME}/.VirtualBox | ||
4 | noblacklist ${HOME}/VirtualBox VMs | ||
5 | noblacklist ${HOME}/.config/VirtualBox | ||
6 | include /etc/firejail/disable-common.inc | ||
7 | include /etc/firejail/disable-programs.inc | ||
8 | include /etc/firejail/disable-passwdmgr.inc | ||
9 | |||
10 | caps.drop all | ||
11 | |||
12 | |||
diff --git a/etc/xiphos.profile b/etc/xiphos.profile new file mode 100644 index 000000000..b7fb6ecf3 --- /dev/null +++ b/etc/xiphos.profile | |||
@@ -0,0 +1,30 @@ | |||
1 | # Firejail profile for xiphos | ||
2 | noblacklist ~/.sword | ||
3 | noblacklist ~/.xiphos | ||
4 | |||
5 | include /etc/firejail/disable-common.inc | ||
6 | include /etc/firejail/disable-devel.inc | ||
7 | include /etc/firejail/disable-passwdmgr.inc | ||
8 | include /etc/firejail/disable-programs.inc | ||
9 | |||
10 | blacklist ~/.bashrc | ||
11 | blacklist ~/.Xauthority | ||
12 | |||
13 | caps.drop all | ||
14 | netfilter | ||
15 | nogroups | ||
16 | nonewprivs | ||
17 | noroot | ||
18 | nosound | ||
19 | protocol unix,inet,inet6 | ||
20 | seccomp | ||
21 | shell none | ||
22 | tracelog | ||
23 | |||
24 | private-bin xiphos | ||
25 | private-etc fonts,resolv.conf,sword | ||
26 | private-dev | ||
27 | private-tmp | ||
28 | |||
29 | whitelist ${HOME}/.sword | ||
30 | whitelist ${HOME}/.xiphos | ||
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e036fba21..7ea368bbe 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile | |||
@@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | shell none | 10 | net none |
11 | nonewprivs | 11 | nonewprivs |
12 | noroot | 12 | noroot |
13 | protocol unix | 13 | protocol unix |
14 | shell none | ||
14 | seccomp | 15 | seccomp |
16 | |||
15 | private-dev | 17 | private-dev |
16 | private-tmp | 18 | private-tmp |
17 | net none | ||
18 | |||
19 | |||
20 | |||
21 | |||
diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 54d5ed89b..191d2f67f 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile | |||
@@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc | |||
9 | 9 | ||
10 | caps.drop all | 10 | caps.drop all |
11 | netfilter | 11 | netfilter |
12 | nonewprivs | ||
13 | nogroups | 12 | nogroups |
13 | nonewprivs | ||
14 | noroot | 14 | noroot |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a9d027c38..04f98cef6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -1,12 +1,14 @@ | |||
1 | # xzdec profile | 1 | # xzdec profile |
2 | quiet | ||
3 | ignore noroot | 2 | ignore noroot |
4 | include /etc/firejail/default.profile | 3 | include /etc/firejail/default.profile |
5 | tracelog | 4 | |
6 | net none | ||
7 | shell none | ||
8 | blacklist /tmp/.X11-unix | 5 | blacklist /tmp/.X11-unix |
9 | private-dev | 6 | |
10 | nosound | 7 | net none |
11 | no3d | 8 | no3d |
9 | nosound | ||
10 | quiet | ||
11 | shell none | ||
12 | tracelog | ||
12 | 13 | ||
14 | private-dev | ||
diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..ab2e99dbc 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile | |||
@@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc | |||
7 | include /etc/firejail/disable-passwdmgr.inc | 7 | include /etc/firejail/disable-passwdmgr.inc |
8 | 8 | ||
9 | caps.drop all | 9 | caps.drop all |
10 | seccomp | ||
11 | protocol unix | ||
12 | netfilter | 10 | netfilter |
11 | nogroups | ||
13 | nonewprivs | 12 | nonewprivs |
14 | noroot | 13 | noroot |
15 | nogroups | ||
16 | nosound | 14 | nosound |
17 | shell none | 15 | shell none |
16 | seccomp | ||
17 | protocol unix | ||
18 | 18 | ||
19 | private-bin zathura | 19 | private-bin zathura |
20 | private-dev | 20 | private-dev |
@@ -1,4 +1,4 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/sh |
2 | 2 | ||
3 | echo "extracting UID_MIN and GID_MIN" | 3 | echo "extracting UID_MIN and GID_MIN" |
4 | echo "#ifndef FIREJAIL_UIDS_H" > uids.h | 4 | echo "#ifndef FIREJAIL_UIDS_H" > uids.h |
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a8ed6f691..0c2e85904 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles | |||
@@ -161,3 +161,10 @@ | |||
161 | /etc/firejail/emacs.profile | 161 | /etc/firejail/emacs.profile |
162 | /etc/firejail/vim.profile | 162 | /etc/firejail/vim.profile |
163 | /etc/firejail/xpdf.profile | 163 | /etc/firejail/xpdf.profile |
164 | /etc/firejail/virtualbox.profile | ||
165 | /etc/firejail/openshot.profile | ||
166 | /etc/firejail/flowblade.profile | ||
167 | /etc/firejail/eog.profile | ||
168 | /etc/firejail/evolution.profile | ||
169 | /etc/firejail/start-tor-browser.profile | ||
170 | /etc/firejail/xiphos.profile | ||
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh new file mode 100755 index 000000000..017d5e1c3 --- /dev/null +++ b/platform/rpm/old-mkrpm.sh | |||
@@ -0,0 +1,542 @@ | |||
1 | #!/bin/bash | ||
2 | VERSION="0.9.44" | ||
3 | rm -fr ~/rpmbuild | ||
4 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
5 | |||
6 | mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} | ||
7 | cat <<EOF >~/.rpmmacros | ||
8 | %_topdir %(echo $HOME)/rpmbuild | ||
9 | %_tmppath %{_topdir}/tmp | ||
10 | EOF | ||
11 | |||
12 | cd ~/rpmbuild | ||
13 | echo "building directory tree" | ||
14 | |||
15 | mkdir -p firejail-$VERSION/usr/bin | ||
16 | install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. | ||
17 | install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. | ||
18 | install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/. | ||
19 | |||
20 | mkdir -p firejail-$VERSION/usr/lib/firejail | ||
21 | install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/. | ||
22 | install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/. | ||
23 | install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. | ||
24 | install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. | ||
25 | install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. | ||
26 | install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. | ||
27 | install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. | ||
28 | |||
29 | mkdir -p firejail-$VERSION/usr/share/man/man1 | ||
30 | install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
31 | install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
32 | install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/. | ||
33 | |||
34 | mkdir -p firejail-$VERSION/usr/share/man/man5 | ||
35 | install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
36 | install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. | ||
37 | |||
38 | mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail | ||
39 | install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
40 | install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
41 | install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. | ||
42 | |||
43 | mkdir -p firejail-$VERSION/etc/firejail | ||
44 | install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/. | ||
45 | install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/. | ||
46 | install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/. | ||
47 | install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/. | ||
48 | install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/. | ||
49 | install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/. | ||
50 | install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/. | ||
51 | install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/. | ||
52 | install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/. | ||
53 | install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/. | ||
54 | install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/. | ||
55 | install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/. | ||
56 | install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/. | ||
57 | install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/. | ||
58 | install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/. | ||
59 | install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/. | ||
60 | install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/. | ||
61 | install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/. | ||
62 | install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/. | ||
63 | install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/. | ||
64 | install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/. | ||
65 | install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/. | ||
66 | install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/. | ||
67 | install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/. | ||
68 | install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/. | ||
69 | install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/. | ||
70 | install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/. | ||
71 | install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/. | ||
72 | install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/. | ||
73 | install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/. | ||
74 | install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/. | ||
75 | install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/. | ||
76 | install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/. | ||
77 | install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/. | ||
78 | install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/. | ||
79 | install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/. | ||
80 | install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/. | ||
81 | install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/. | ||
82 | install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/. | ||
83 | install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/. | ||
84 | install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/. | ||
85 | install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/. | ||
86 | install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/. | ||
87 | install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/. | ||
88 | install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/. | ||
89 | install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/. | ||
90 | install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/. | ||
91 | install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/. | ||
92 | install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/. | ||
93 | install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/. | ||
94 | install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/. | ||
95 | install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/. | ||
96 | install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/. | ||
97 | install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/. | ||
98 | install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/. | ||
99 | install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/. | ||
100 | install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/. | ||
101 | install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/. | ||
102 | install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/. | ||
103 | install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/. | ||
104 | install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/. | ||
105 | install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/. | ||
106 | install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/. | ||
107 | install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/. | ||
108 | install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/. | ||
109 | install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/. | ||
110 | install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/. | ||
111 | install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/. | ||
112 | install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/. | ||
113 | install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/. | ||
114 | install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/. | ||
115 | install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/. | ||
116 | install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/. | ||
117 | install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/. | ||
118 | install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/. | ||
119 | install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/. | ||
120 | install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/. | ||
121 | install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/. | ||
122 | install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/. | ||
123 | install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/. | ||
124 | install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/. | ||
125 | install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/. | ||
126 | install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/. | ||
127 | install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/. | ||
128 | install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/. | ||
129 | install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/. | ||
130 | install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/. | ||
131 | install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/. | ||
132 | install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/. | ||
133 | install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/. | ||
134 | install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/. | ||
135 | install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/. | ||
136 | install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/. | ||
137 | install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/. | ||
138 | install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/. | ||
139 | install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/. | ||
140 | install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/. | ||
141 | install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/. | ||
142 | install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/. | ||
143 | install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/. | ||
144 | install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/. | ||
145 | install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/. | ||
146 | install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/. | ||
147 | install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/. | ||
148 | install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/. | ||
149 | install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/. | ||
150 | install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/. | ||
151 | install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/. | ||
152 | install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/. | ||
153 | install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/. | ||
154 | install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/. | ||
155 | install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/. | ||
156 | install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/. | ||
157 | install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/. | ||
158 | install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/. | ||
159 | install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/. | ||
160 | install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/. | ||
161 | install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/. | ||
162 | install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/. | ||
163 | install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/. | ||
164 | install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/. | ||
165 | install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/. | ||
166 | install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/. | ||
167 | install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/. | ||
168 | install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/. | ||
169 | install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/. | ||
170 | install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/. | ||
171 | install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/. | ||
172 | install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/. | ||
173 | install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/. | ||
174 | install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/. | ||
175 | install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/. | ||
176 | install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/. | ||
177 | install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/. | ||
178 | install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/. | ||
179 | install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/. | ||
180 | install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/. | ||
181 | install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/. | ||
182 | install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/. | ||
183 | install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/. | ||
184 | install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/. | ||
185 | install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/. | ||
186 | install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/. | ||
187 | install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/. | ||
188 | install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/. | ||
189 | install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/. | ||
190 | install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/. | ||
191 | install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/. | ||
192 | install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/. | ||
193 | install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/. | ||
194 | install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/. | ||
195 | install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/. | ||
196 | install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/. | ||
197 | install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/. | ||
198 | install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/. | ||
199 | install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/. | ||
200 | install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/. | ||
201 | install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/. | ||
202 | install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/. | ||
203 | install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/. | ||
204 | install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/. | ||
205 | install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/. | ||
206 | install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/. | ||
207 | install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/. | ||
208 | install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/. | ||
209 | install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/. | ||
210 | install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/. | ||
211 | install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/. | ||
212 | |||
213 | |||
214 | mkdir -p firejail-$VERSION/usr/share/bash-completion/completions | ||
215 | install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. | ||
216 | install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. | ||
217 | install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/. | ||
218 | |||
219 | echo "building tar.gz archive" | ||
220 | tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION | ||
221 | |||
222 | cp firejail-$VERSION.tar.gz SOURCES/. | ||
223 | |||
224 | echo "building config spec" | ||
225 | cat <<EOF > SPECS/firejail.spec | ||
226 | %define __spec_install_post %{nil} | ||
227 | %define debug_package %{nil} | ||
228 | %define __os_install_post %{_dbpath}/brp-compress | ||
229 | |||
230 | Summary: Linux namepaces sandbox program | ||
231 | Name: firejail | ||
232 | Version: $VERSION | ||
233 | Release: 1 | ||
234 | License: GPL+ | ||
235 | Group: Development/Tools | ||
236 | SOURCE0 : %{name}-%{version}.tar.gz | ||
237 | URL: http://firejail.wordpress.com | ||
238 | |||
239 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root | ||
240 | |||
241 | %description | ||
242 | Firejail is a SUID sandbox program that reduces the risk of security | ||
243 | breaches by restricting the running environment of untrusted applications | ||
244 | using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. | ||
245 | |||
246 | %prep | ||
247 | %setup -q | ||
248 | |||
249 | %build | ||
250 | |||
251 | %install | ||
252 | rm -rf %{buildroot} | ||
253 | mkdir -p %{buildroot} | ||
254 | |||
255 | cp -a * %{buildroot} | ||
256 | |||
257 | |||
258 | %clean | ||
259 | rm -rf %{buildroot} | ||
260 | |||
261 | |||
262 | %files | ||
263 | %defattr(-,root,root,-) | ||
264 | %config(noreplace) %{_sysconfdir}/%{name}/0ad.profile | ||
265 | %config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile | ||
266 | %config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile | ||
267 | %config(noreplace) %{_sysconfdir}/%{name}/atom.profile | ||
268 | %config(noreplace) %{_sysconfdir}/%{name}/atril.profile | ||
269 | %config(noreplace) %{_sysconfdir}/%{name}/audacious.profile | ||
270 | %config(noreplace) %{_sysconfdir}/%{name}/audacity.profile | ||
271 | %config(noreplace) %{_sysconfdir}/%{name}/aweather.profile | ||
272 | %config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile | ||
273 | %config(noreplace) %{_sysconfdir}/%{name}/brave.profile | ||
274 | %config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile | ||
275 | %config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile | ||
276 | %config(noreplace) %{_sysconfdir}/%{name}/chromium.profile | ||
277 | %config(noreplace) %{_sysconfdir}/%{name}/clementine.profile | ||
278 | %config(noreplace) %{_sysconfdir}/%{name}/cmus.profile | ||
279 | %config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile | ||
280 | %config(noreplace) %{_sysconfdir}/%{name}/corebird.profile | ||
281 | %config(noreplace) %{_sysconfdir}/%{name}/cpio.profile | ||
282 | %config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile | ||
283 | %config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile | ||
284 | %config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile | ||
285 | %config(noreplace) %{_sysconfdir}/%{name}/default.profile | ||
286 | %config(noreplace) %{_sysconfdir}/%{name}/deluge.profile | ||
287 | %config(noreplace) %{_sysconfdir}/%{name}/dillo.profile | ||
288 | %config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc | ||
289 | %config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc | ||
290 | %config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc | ||
291 | %config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc | ||
292 | %config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile | ||
293 | %config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile | ||
294 | %config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile | ||
295 | %config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile | ||
296 | %config(noreplace) %{_sysconfdir}/%{name}/empathy.profile | ||
297 | %config(noreplace) %{_sysconfdir}/%{name}/eom.profile | ||
298 | %config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile | ||
299 | %config(noreplace) %{_sysconfdir}/%{name}/evince.profile | ||
300 | %config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile | ||
301 | %config(noreplace) %{_sysconfdir}/%{name}/file.profile | ||
302 | %config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile | ||
303 | %config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile | ||
304 | %config(noreplace) %{_sysconfdir}/%{name}/firefox.profile | ||
305 | %config(noreplace) %{_sysconfdir}/%{name}/firejail.config | ||
306 | %config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile | ||
307 | %config(noreplace) %{_sysconfdir}/%{name}/franz.profile | ||
308 | %config(noreplace) %{_sysconfdir}/%{name}/gajim.profile | ||
309 | %config(noreplace) %{_sysconfdir}/%{name}/gitter.profile | ||
310 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile | ||
311 | %config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile | ||
312 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile | ||
313 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile | ||
314 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile | ||
315 | %config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile | ||
316 | %config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile | ||
317 | %config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile | ||
318 | %config(noreplace) %{_sysconfdir}/%{name}/gtar.profile | ||
319 | %config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile | ||
320 | %config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile | ||
321 | %config(noreplace) %{_sysconfdir}/%{name}/gzip.profile | ||
322 | %config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile | ||
323 | %config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile | ||
324 | %config(noreplace) %{_sysconfdir}/%{name}/icecat.profile | ||
325 | %config(noreplace) %{_sysconfdir}/%{name}/icedove.profile | ||
326 | %config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile | ||
327 | %config(noreplace) %{_sysconfdir}/%{name}/inox.profile | ||
328 | %config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile | ||
329 | %config(noreplace) %{_sysconfdir}/%{name}/kmail.profile | ||
330 | %config(noreplace) %{_sysconfdir}/%{name}/konversation.profile | ||
331 | %config(noreplace) %{_sysconfdir}/%{name}/less.profile | ||
332 | %config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile | ||
333 | %config(noreplace) %{_sysconfdir}/%{name}/localc.profile | ||
334 | %config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile | ||
335 | %config(noreplace) %{_sysconfdir}/%{name}/loffice.profile | ||
336 | %config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile | ||
337 | %config(noreplace) %{_sysconfdir}/%{name}/login.users | ||
338 | %config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile | ||
339 | %config(noreplace) %{_sysconfdir}/%{name}/lomath.profile | ||
340 | %config(noreplace) %{_sysconfdir}/%{name}/loweb.profile | ||
341 | %config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile | ||
342 | %config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile | ||
343 | %config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile | ||
344 | %config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile | ||
345 | %config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile | ||
346 | %config(noreplace) %{_sysconfdir}/%{name}/midori.profile | ||
347 | %config(noreplace) %{_sysconfdir}/%{name}/mpv.profile | ||
348 | %config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile | ||
349 | %config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile | ||
350 | %config(noreplace) %{_sysconfdir}/%{name}/nolocal.net | ||
351 | %config(noreplace) %{_sysconfdir}/%{name}/okular.profile | ||
352 | %config(noreplace) %{_sysconfdir}/%{name}/openbox.profile | ||
353 | %config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile | ||
354 | %config(noreplace) %{_sysconfdir}/%{name}/opera.profile | ||
355 | %config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile | ||
356 | %config(noreplace) %{_sysconfdir}/%{name}/parole.profile | ||
357 | %config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile | ||
358 | %config(noreplace) %{_sysconfdir}/%{name}/pix.profile | ||
359 | %config(noreplace) %{_sysconfdir}/%{name}/polari.profile | ||
360 | %config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile | ||
361 | %config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile | ||
362 | %config(noreplace) %{_sysconfdir}/%{name}/qtox.profile | ||
363 | %config(noreplace) %{_sysconfdir}/%{name}/quassel.profile | ||
364 | %config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile | ||
365 | %config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile | ||
366 | %config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile | ||
367 | %config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile | ||
368 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile | ||
369 | %config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile | ||
370 | %config(noreplace) %{_sysconfdir}/%{name}/server.profile | ||
371 | %config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile | ||
372 | %config(noreplace) %{_sysconfdir}/%{name}/skype.profile | ||
373 | %config(noreplace) %{_sysconfdir}/%{name}/slack.profile | ||
374 | %config(noreplace) %{_sysconfdir}/%{name}/snap.profile | ||
375 | %config(noreplace) %{_sysconfdir}/%{name}/soffice.profile | ||
376 | %config(noreplace) %{_sysconfdir}/%{name}/spotify.profile | ||
377 | %config(noreplace) %{_sysconfdir}/%{name}/ssh.profile | ||
378 | %config(noreplace) %{_sysconfdir}/%{name}/steam.profile | ||
379 | %config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile | ||
380 | %config(noreplace) %{_sysconfdir}/%{name}/strings.profile | ||
381 | %config(noreplace) %{_sysconfdir}/%{name}/tar.profile | ||
382 | %config(noreplace) %{_sysconfdir}/%{name}/telegram.profile | ||
383 | %config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile | ||
384 | %config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile | ||
385 | %config(noreplace) %{_sysconfdir}/%{name}/totem.profile | ||
386 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile | ||
387 | %config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile | ||
388 | %config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile | ||
389 | %config(noreplace) %{_sysconfdir}/%{name}/unbound.profile | ||
390 | %config(noreplace) %{_sysconfdir}/%{name}/unrar.profile | ||
391 | %config(noreplace) %{_sysconfdir}/%{name}/unzip.profile | ||
392 | %config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile | ||
393 | %config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile | ||
394 | %config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile | ||
395 | %config(noreplace) %{_sysconfdir}/%{name}/vlc.profile | ||
396 | %config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile | ||
397 | %config(noreplace) %{_sysconfdir}/%{name}/webserver.net | ||
398 | %config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile | ||
399 | %config(noreplace) %{_sysconfdir}/%{name}/weechat.profile | ||
400 | %config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile | ||
401 | %config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc | ||
402 | %config(noreplace) %{_sysconfdir}/%{name}/wine.profile | ||
403 | %config(noreplace) %{_sysconfdir}/%{name}/xchat.profile | ||
404 | %config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile | ||
405 | %config(noreplace) %{_sysconfdir}/%{name}/xreader.profile | ||
406 | %config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile | ||
407 | %config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile | ||
408 | %config(noreplace) %{_sysconfdir}/%{name}/xz.profile | ||
409 | %config(noreplace) %{_sysconfdir}/%{name}/zathura.profile | ||
410 | %config(noreplace) %{_sysconfdir}/%{name}/7z.profile | ||
411 | %config(noreplace) %{_sysconfdir}/%{name}/keepass.profile | ||
412 | %config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile | ||
413 | %config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile | ||
414 | %config(noreplace) %{_sysconfdir}/%{name}/mutt.profile | ||
415 | %config(noreplace) %{_sysconfdir}/%{name}/git.profile | ||
416 | %config(noreplace) %{_sysconfdir}/%{name}/emacs.profile | ||
417 | %config(noreplace) %{_sysconfdir}/%{name}/vim.profile | ||
418 | %config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile | ||
419 | %config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile | ||
420 | %config(noreplace) %{_sysconfdir}/%{name}/openshot.profile | ||
421 | %config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile | ||
422 | %config(noreplace) %{_sysconfdir}/%{name}/eog.profile | ||
423 | %config(noreplace) %{_sysconfdir}/%{name}/evolution.profile | ||
424 | %config(noreplace) %{_sysconfdir}/%{name}/feh.profile | ||
425 | %config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile | ||
426 | %config(noreplace) %{_sysconfdir}/%{name}/gimp.profile | ||
427 | %config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile | ||
428 | %config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile | ||
429 | %config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile | ||
430 | %config(noreplace) %{_sysconfdir}/%{name}/ranger.profile | ||
431 | %config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile | ||
432 | |||
433 | /usr/bin/firejail | ||
434 | /usr/bin/firemon | ||
435 | /usr/bin/firecfg | ||
436 | |||
437 | /usr/lib/firejail/libtrace.so | ||
438 | /usr/lib/firejail/libtracelog.so | ||
439 | /usr/lib/firejail/libconnect.so | ||
440 | /usr/lib/firejail/faudit | ||
441 | /usr/lib/firejail/ftee | ||
442 | /usr/lib/firejail/firecfg.config | ||
443 | /usr/lib/firejail/fshaper.sh | ||
444 | |||
445 | /usr/share/doc/packages/firejail/COPYING | ||
446 | /usr/share/doc/packages/firejail/README | ||
447 | /usr/share/doc/packages/firejail/RELNOTES | ||
448 | /usr/share/man/man1/firejail.1.gz | ||
449 | /usr/share/man/man1/firemon.1.gz | ||
450 | /usr/share/man/man1/firecfg.1.gz | ||
451 | /usr/share/man/man5/firejail-profile.5.gz | ||
452 | /usr/share/man/man5/firejail-login.5.gz | ||
453 | /usr/share/bash-completion/completions/firejail | ||
454 | /usr/share/bash-completion/completions/firemon | ||
455 | /usr/share/bash-completion/completions/firecfg | ||
456 | |||
457 | %post | ||
458 | chmod u+s /usr/bin/firejail | ||
459 | |||
460 | %changelog | ||
461 | * Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1 | ||
462 | - CVE-2016-7545 submitted by Aleksey Manevich | ||
463 | - modifs: removed man firejail-config | ||
464 | - modifs: --private-tmp whitelists /tmp/.X11-unix directory | ||
465 | - modifs: Nvidia drivers added to --private-dev | ||
466 | - modifs: /srv supported by --whitelist | ||
467 | - feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | ||
468 | - feature: support starting/joining sandbox is a single command | ||
469 | (--join-or-start) | ||
470 | - feature: X11 detection support for --audit | ||
471 | - feature: assign a name to the interface connected to the bridge | ||
472 | (--veth-name) | ||
473 | - feature: all user home directories are visible (--allusers) | ||
474 | - feature: add files to sandbox container (--put) | ||
475 | - feature: blocking x11 (--x11=block) | ||
476 | - feature: X11 security extension (--x11=xorg) | ||
477 | - feature: disable 3D hardware acceleration (--no3d) | ||
478 | - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | ||
479 | - feature: move files in sandbox (--put) | ||
480 | - feature: accept wildcard patterns in user name field of restricted | ||
481 | shell login feature | ||
482 | - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | ||
483 | - new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | ||
484 | - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | ||
485 | - new profiles: Flowblade, Eye of GNOME (eog), Evolution | ||
486 | - bugfixes | ||
487 | |||
488 | * Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1 | ||
489 | - security: --whitelist deleted files, submitted by Vasya Novikov | ||
490 | - security: disable x32 ABI in seccomp, submitted by Jann Horn | ||
491 | - security: tighten --chroot, submitted by Jann Horn | ||
492 | - security: terminal sandbox escape, submitted by Stephan Sokolow | ||
493 | - security: several TOCTOU fixes submitted by Aleksey Manevich | ||
494 | - modifs: bringing back --private-home option | ||
495 | - modifs: deprecated --user option, please use "sudo -u username firejail" | ||
496 | - modifs: allow symlinks in home directory for --whitelist option | ||
497 | - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" | ||
498 | - modifs: recursive mkdir | ||
499 | - modifs: include /dev/snd in --private-dev | ||
500 | - modifs: seccomp filter update | ||
501 | - modifs: release archives moved to .xz format | ||
502 | - feature: AppImage support (--appimage) | ||
503 | - feature: AppArmor support (--apparmor) | ||
504 | - feature: Ubuntu snap support (/etc/firejail/snap.profile) | ||
505 | - feature: Sandbox auditing support (--audit) | ||
506 | - feature: remove environment variable (--rmenv) | ||
507 | - feature: noexec support (--noexec) | ||
508 | - feature: clean local overlay storage directory (--overlay-clean) | ||
509 | - feature: store and reuse overlay (--overlay-named) | ||
510 | - feature: allow debugging inside the sandbox with gdb and strace | ||
511 | (--allow-debuggers) | ||
512 | - feature: mkfile profile command | ||
513 | - feature: quiet profile command | ||
514 | - feature: x11 profile command | ||
515 | - feature: option to fix desktop files (firecfg --fix) | ||
516 | - compile time: Busybox support (--enable-busybox-workaround) | ||
517 | - compile time: disable overlayfs (--disable-overlayfs) | ||
518 | - compile time: disable whitlisting (--disable-whitelist) | ||
519 | - compile time: disable global config (--disable-globalcfg) | ||
520 | - run time: enable/disable overlayfs (overlayfs yes/no) | ||
521 | - run time: enable/disable quiet as default (quiet-by-default yes/no) | ||
522 | - run time: user-defined network filter (netfilter-default) | ||
523 | - run time: enable/disable whitelisting (whitelist yes/no) | ||
524 | - run time: enable/disable remounting of /proc and /sys | ||
525 | (remount-proc-sys yes/no) | ||
526 | - run time: enable/disable chroot desktop features (chroot-desktop yes/no) | ||
527 | - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | ||
528 | - profiles: pix, audacity, xz, xzdec, gzip, cpio, less | ||
529 | - profiles: Atom Beta, Atom, jitsi, eom, uudeview | ||
530 | - profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | ||
531 | - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox | ||
532 | - bugfixes | ||
533 | |||
534 | EOF | ||
535 | |||
536 | echo "building rpm" | ||
537 | rpmbuild -ba SPECS/firejail.spec | ||
538 | rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm | ||
539 | cd .. | ||
540 | rm -f firejail-$VERSION-1.x86_64.rpm | ||
541 | cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . | ||
542 | |||
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 9924be00f..3c87305df 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c | |||
@@ -92,7 +92,8 @@ void syscall_run(const char *name) { | |||
92 | errExit("fork"); | 92 | errExit("fork"); |
93 | if (child == 0) { | 93 | if (child == 0) { |
94 | execl(prog, prog, "syscall", name, NULL); | 94 | execl(prog, prog, "syscall", name, NULL); |
95 | exit(1); | 95 | perror("execl"); |
96 | _exit(1); | ||
96 | } | 97 | } |
97 | 98 | ||
98 | // wait for the child to finish | 99 | // wait for the child to finish |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 31f6b2fd5..e3e333497 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -42,11 +42,13 @@ opera-beta | |||
42 | opera | 42 | opera |
43 | palemoon | 43 | palemoon |
44 | qutebrowser | 44 | qutebrowser |
45 | start-tor-browser | ||
45 | seamonkey | 46 | seamonkey |
46 | seamonkey-bin | 47 | seamonkey-bin |
47 | thunderbird | 48 | thunderbird |
48 | vivaldi-beta | 49 | vivaldi-beta |
49 | vivaldi | 50 | vivaldi |
51 | evolution | ||
50 | 52 | ||
51 | # chat/messaging | 53 | # chat/messaging |
52 | bitlbee | 54 | bitlbee |
@@ -76,6 +78,7 @@ unbound | |||
76 | mupen64plus | 78 | mupen64plus |
77 | wine | 79 | wine |
78 | dosbox | 80 | dosbox |
81 | virtualbox | ||
79 | 82 | ||
80 | # games | 83 | # games |
81 | 0ad | 84 | 0ad |
@@ -137,6 +140,9 @@ pix | |||
137 | xpdf | 140 | xpdf |
138 | xreader | 141 | xreader |
139 | zathura | 142 | zathura |
143 | openshot | ||
144 | flowblade | ||
145 | eog | ||
140 | 146 | ||
141 | # other | 147 | # other |
142 | ssh | 148 | ssh |
@@ -145,6 +151,7 @@ atom | |||
145 | ranger | 151 | ranger |
146 | keepass | 152 | keepass |
147 | keepassx | 153 | keepassx |
154 | xiphos | ||
148 | 155 | ||
149 | # weather/climate | 156 | # weather/climate |
150 | aweather | 157 | aweather |
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 375d6be24..09b242964 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -39,7 +39,7 @@ void appimage_set(const char *appimage_path) { | |||
39 | assert(appimage_path); | 39 | assert(appimage_path); |
40 | assert(devloop == NULL); // don't call this twice! | 40 | assert(devloop == NULL); // don't call this twice! |
41 | EUID_ASSERT(); | 41 | EUID_ASSERT(); |
42 | 42 | ||
43 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 43 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
44 | // check appimage_path | 44 | // check appimage_path |
45 | if (access(appimage_path, R_OK) == -1) { | 45 | if (access(appimage_path, R_OK) == -1) { |
@@ -47,6 +47,12 @@ void appimage_set(const char *appimage_path) { | |||
47 | exit(1); | 47 | exit(1); |
48 | } | 48 | } |
49 | 49 | ||
50 | // get appimage type and ELF size | ||
51 | // a value of 0 means we are dealing with a type1 appimage | ||
52 | long unsigned int size = appimage2_size(appimage_path); | ||
53 | if (arg_debug) | ||
54 | printf("AppImage ELF size %lu\n", size); | ||
55 | |||
50 | // open as user to prevent race condition | 56 | // open as user to prevent race condition |
51 | int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); | 57 | int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); |
52 | if (ffd == -1) { | 58 | if (ffd == -1) { |
@@ -76,12 +82,21 @@ void appimage_set(const char *appimage_path) { | |||
76 | fprintf(stderr, "Error: cannot configure the loopback device\n"); | 82 | fprintf(stderr, "Error: cannot configure the loopback device\n"); |
77 | exit(1); | 83 | exit(1); |
78 | } | 84 | } |
85 | |||
86 | if (size) { | ||
87 | struct loop_info64 info; | ||
88 | memset(&info, 0, sizeof(struct loop_info64)); | ||
89 | info.lo_offset = size; | ||
90 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) | ||
91 | errExit("configure appimage offset"); | ||
92 | } | ||
93 | |||
79 | close(lfd); | 94 | close(lfd); |
80 | close(ffd); | 95 | close(ffd); |
81 | EUID_USER(); | 96 | EUID_USER(); |
82 | 97 | ||
83 | // creates appimage mount point perms 0700 | 98 | // creates appimage mount point perms 0700 |
84 | if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) | 99 | if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) |
85 | errExit("asprintf"); | 100 | errExit("asprintf"); |
86 | EUID_ROOT(); | 101 | EUID_ROOT(); |
87 | if (mkdir(mntdir, 0700) == -1) { | 102 | if (mkdir(mntdir, 0700) == -1) { |
@@ -100,8 +115,16 @@ void appimage_set(const char *appimage_path) { | |||
100 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) | 115 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) |
101 | errExit("asprintf"); | 116 | errExit("asprintf"); |
102 | EUID_ROOT(); | 117 | EUID_ROOT(); |
103 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) | 118 | |
104 | errExit("mounting appimage"); | 119 | if (size == 0) { |
120 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) | ||
121 | errExit("mounting appimage"); | ||
122 | } | ||
123 | else { | ||
124 | if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0) | ||
125 | errExit("mounting appimage"); | ||
126 | } | ||
127 | |||
105 | if (arg_debug) | 128 | if (arg_debug) |
106 | printf("appimage mounted on %s\n", mntdir); | 129 | printf("appimage mounted on %s\n", mntdir); |
107 | EUID_USER(); | 130 | EUID_USER(); |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c new file mode 100644 index 000000000..c8b3d28c5 --- /dev/null +++ b/src/firejail/appimage_size.c | |||
@@ -0,0 +1,143 @@ | |||
1 | /* | ||
2 | Compile with: | ||
3 | gcc elfsize.c -o elfsize | ||
4 | Example: | ||
5 | ls -l 126584 | ||
6 | Calculation using the values also reported by readelf -h: | ||
7 | Start of section headers e_shoff 124728 | ||
8 | Size of section headers e_shentsize 64 | ||
9 | Number of section headers e_shnum 29 | ||
10 | e_shoff + ( e_shentsize * e_shnum ) = 126584 | ||
11 | */ | ||
12 | |||
13 | #include <elf.h> | ||
14 | #include <byteswap.h> | ||
15 | #include <stdio.h> | ||
16 | #include <stdint.h> | ||
17 | #include <errno.h> | ||
18 | #include <stdlib.h> | ||
19 | #include <unistd.h> | ||
20 | #include <string.h> | ||
21 | #include <fcntl.h> | ||
22 | |||
23 | typedef Elf32_Nhdr Elf_Nhdr; | ||
24 | |||
25 | static Elf64_Ehdr ehdr; | ||
26 | static Elf64_Phdr *phdr; | ||
27 | |||
28 | #if __BYTE_ORDER == __LITTLE_ENDIAN | ||
29 | #define ELFDATANATIVE ELFDATA2LSB | ||
30 | #elif __BYTE_ORDER == __BIG_ENDIAN | ||
31 | #define ELFDATANATIVE ELFDATA2MSB | ||
32 | #else | ||
33 | #error "Unknown machine endian" | ||
34 | #endif | ||
35 | |||
36 | static uint16_t file16_to_cpu(uint16_t val) { | ||
37 | if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) | ||
38 | val = bswap_16(val); | ||
39 | return val; | ||
40 | } | ||
41 | |||
42 | |||
43 | static uint32_t file32_to_cpu(uint32_t val) { | ||
44 | if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) | ||
45 | val = bswap_32(val); | ||
46 | return val; | ||
47 | } | ||
48 | |||
49 | |||
50 | static uint64_t file64_to_cpu(uint64_t val) { | ||
51 | if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) | ||
52 | val = bswap_64(val); | ||
53 | return val; | ||
54 | } | ||
55 | |||
56 | |||
57 | // return 0 if error | ||
58 | static long unsigned int read_elf32(int fd) { | ||
59 | Elf32_Ehdr ehdr32; | ||
60 | ssize_t ret, i; | ||
61 | |||
62 | ret = pread(fd, &ehdr32, sizeof(ehdr32), 0); | ||
63 | if (ret < 0 || (size_t)ret != sizeof(ehdr)) | ||
64 | return 0; | ||
65 | |||
66 | ehdr.e_shoff = file32_to_cpu(ehdr32.e_shoff); | ||
67 | ehdr.e_shentsize = file16_to_cpu(ehdr32.e_shentsize); | ||
68 | ehdr.e_shnum = file16_to_cpu(ehdr32.e_shnum); | ||
69 | |||
70 | return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); | ||
71 | } | ||
72 | |||
73 | |||
74 | // return 0 if error | ||
75 | static long unsigned int read_elf64(int fd) { | ||
76 | Elf64_Ehdr ehdr64; | ||
77 | ssize_t ret, i; | ||
78 | |||
79 | ret = pread(fd, &ehdr64, sizeof(ehdr64), 0); | ||
80 | if (ret < 0 || (size_t)ret != sizeof(ehdr)) | ||
81 | return 0; | ||
82 | |||
83 | ehdr.e_shoff = file64_to_cpu(ehdr64.e_shoff); | ||
84 | ehdr.e_shentsize = file16_to_cpu(ehdr64.e_shentsize); | ||
85 | ehdr.e_shnum = file16_to_cpu(ehdr64.e_shnum); | ||
86 | |||
87 | return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); | ||
88 | } | ||
89 | |||
90 | |||
91 | // return 0 if error | ||
92 | // return 0 if this is not an appimgage2 file | ||
93 | long unsigned int appimage2_size(const char *fname) { | ||
94 | /* TODO, FIXME: This assumes that the section header table (SHT) is | ||
95 | the last part of the ELF. This is usually the case but | ||
96 | it could also be that the last section is the last part | ||
97 | of the ELF. This should be checked for. | ||
98 | */ | ||
99 | ssize_t ret; | ||
100 | int fd; | ||
101 | long unsigned int size = 0; | ||
102 | |||
103 | fd = open(fname, O_RDONLY); | ||
104 | if (fd < 0) | ||
105 | return 0; | ||
106 | |||
107 | ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); | ||
108 | if (ret != EI_NIDENT) | ||
109 | goto getout; | ||
110 | |||
111 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | ||
112 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | ||
113 | goto getout; | ||
114 | |||
115 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | ||
116 | size = read_elf32(fd); | ||
117 | } | ||
118 | else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) { | ||
119 | size = read_elf64(fd); | ||
120 | } | ||
121 | else { | ||
122 | goto getout; | ||
123 | } | ||
124 | if (size == 0) | ||
125 | goto getout; | ||
126 | |||
127 | |||
128 | // look for a LZMA header at this location | ||
129 | unsigned char buf[4]; | ||
130 | ret = pread(fd, buf, 4, size); | ||
131 | if (ret != 4) { | ||
132 | size = 0; | ||
133 | goto getout; | ||
134 | } | ||
135 | if (memcmp(buf, "hsqs", 4) != 0) | ||
136 | size = 0; | ||
137 | |||
138 | getout: | ||
139 | close(fd); | ||
140 | return size; | ||
141 | } | ||
142 | |||
143 | |||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index dafa5919c..9a9bb1ae7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -681,8 +681,12 @@ void appimage_set(const char *appimage_path); | |||
681 | void appimage_clear(void); | 681 | void appimage_clear(void); |
682 | const char *appimage_getdir(void); | 682 | const char *appimage_getdir(void); |
683 | 683 | ||
684 | // appimage_size.c | ||
685 | long unsigned int appimage2_size(const char *fname); | ||
686 | |||
684 | // cmdline.c | 687 | // cmdline.c |
685 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); | 688 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
686 | 689 | ||
690 | |||
687 | #endif | 691 | #endif |
688 | 692 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a5f12c7df..6c566bd90 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) { | |||
649 | 649 | ||
650 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 650 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
651 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 651 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
652 | disable_file(BLACKLIST_FILE, "/sys/fs"); | 652 | { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line |
653 | EUID_USER(); | ||
654 | profile_add("blacklist /sys/fs"); | ||
655 | EUID_ROOT(); | ||
656 | } | ||
653 | disable_file(BLACKLIST_FILE, "/sys/module"); | 657 | disable_file(BLACKLIST_FILE, "/sys/module"); |
654 | disable_file(BLACKLIST_FILE, "/sys/power"); | 658 | disable_file(BLACKLIST_FILE, "/sys/power"); |
655 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); | 659 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index e65474f44..ba0633649 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -192,6 +192,8 @@ static void duplicate(char *fname) { | |||
192 | if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) | 192 | if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) |
193 | errExit("asprintf"); | 193 | errExit("asprintf"); |
194 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); | 194 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); |
195 | perror("execlp"); | ||
196 | _exit(1); | ||
195 | } | 197 | } |
196 | // wait for the child to finish | 198 | // wait for the child to finish |
197 | waitpid(child, NULL, 0); | 199 | waitpid(child, NULL, 0); |
@@ -245,7 +247,7 @@ void fs_private_bin_list(void) { | |||
245 | duplicate(ptr); | 247 | duplicate(ptr); |
246 | free(dlist); | 248 | free(dlist); |
247 | fs_logger_print(); | 249 | fs_logger_print(); |
248 | exit(0); | 250 | _exit(0); |
249 | } | 251 | } |
250 | // wait for the child to finish | 252 | // wait for the child to finish |
251 | waitpid(child, NULL, 0); | 253 | waitpid(child, NULL, 0); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index fc9e40ca0..de29c312e 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -106,6 +106,8 @@ static void duplicate(char *fname) { | |||
106 | if (asprintf(&f, "/etc/%s", fname) == -1) | 106 | if (asprintf(&f, "/etc/%s", fname) == -1) |
107 | errExit("asprintf"); | 107 | errExit("asprintf"); |
108 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); | 108 | execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); |
109 | perror("execlp"); | ||
110 | _exit(1); | ||
109 | } | 111 | } |
110 | // wait for the child to finish | 112 | // wait for the child to finish |
111 | waitpid(child, NULL, 0); | 113 | waitpid(child, NULL, 0); |
@@ -169,7 +171,7 @@ void fs_private_etc_list(void) { | |||
169 | duplicate(ptr); | 171 | duplicate(ptr); |
170 | free(dlist); | 172 | free(dlist); |
171 | fs_logger_print(); | 173 | fs_logger_print(); |
172 | exit(0); | 174 | _exit(0); |
173 | } | 175 | } |
174 | // wait for the child to finish | 176 | // wait for the child to finish |
175 | waitpid(child, NULL, 0); | 177 | waitpid(child, NULL, 0); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index bd3c404e9..75cc3e732 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -641,7 +641,7 @@ void fs_private_home_list(void) { | |||
641 | 641 | ||
642 | fs_logger_print(); // save the current log | 642 | fs_logger_print(); // save the current log |
643 | free(dlist); | 643 | free(dlist); |
644 | exit(0); | 644 | _exit(0); |
645 | } | 645 | } |
646 | // wait for the child to finish | 646 | // wait for the child to finish |
647 | waitpid(child, NULL, 0); | 647 | waitpid(child, NULL, 0); |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index b2a5927e6..cffe32a7a 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -81,7 +81,7 @@ void fs_mkdir(const char *name) { | |||
81 | 81 | ||
82 | // create directory | 82 | // create directory |
83 | mkdir_recursive(expanded); | 83 | mkdir_recursive(expanded); |
84 | exit(0); | 84 | _exit(0); |
85 | } | 85 | } |
86 | // wait for the child to finish | 86 | // wait for the child to finish |
87 | waitpid(child, NULL, 0); | 87 | waitpid(child, NULL, 0); |
@@ -126,7 +126,7 @@ void fs_mkfile(const char *name) { | |||
126 | (void) rv; | 126 | (void) rv; |
127 | fclose(fp); | 127 | fclose(fp); |
128 | } | 128 | } |
129 | exit(0); | 129 | _exit(0); |
130 | } | 130 | } |
131 | // wait for the child to finish | 131 | // wait for the child to finish |
132 | waitpid(child, NULL, 0); | 132 | waitpid(child, NULL, 0); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b1c2774e2..8bbdbe5d3 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -822,6 +822,7 @@ void fs_whitelist(void) { | |||
822 | if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 822 | if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
823 | errExit("mount tmpfs"); | 823 | errExit("mount tmpfs"); |
824 | fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); | 824 | fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); |
825 | } | ||
825 | 826 | ||
826 | if (new_name) | 827 | if (new_name) |
827 | free(new_name); | 828 | free(new_name); |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 39efaa0a6..dba82be0b 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -358,7 +358,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
358 | fprintf(stderr, "Error: Cannot read %s\n", fname1); | 358 | fprintf(stderr, "Error: Cannot read %s\n", fname1); |
359 | exit(1); | 359 | exit(1); |
360 | } | 360 | } |
361 | exit(0); | 361 | _exit(0); |
362 | } | 362 | } |
363 | 363 | ||
364 | // wait for the child to finish | 364 | // wait for the child to finish |
@@ -391,7 +391,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
391 | exit(1); | 391 | exit(1); |
392 | } | 392 | } |
393 | fclose(fp); | 393 | fclose(fp); |
394 | exit(0); | 394 | _exit(0); |
395 | } | 395 | } |
396 | 396 | ||
397 | // wait for the child to finish | 397 | // wait for the child to finish |
@@ -445,7 +445,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
445 | fprintf(stderr, "Error: Cannot read %s\n", src_fname); | 445 | fprintf(stderr, "Error: Cannot read %s\n", src_fname); |
446 | exit(1); | 446 | exit(1); |
447 | } | 447 | } |
448 | exit(0); | 448 | _exit(0); |
449 | } | 449 | } |
450 | 450 | ||
451 | // wait for the child to finish | 451 | // wait for the child to finish |
@@ -494,7 +494,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
494 | } | 494 | } |
495 | } | 495 | } |
496 | 496 | ||
497 | exit(0); | 497 | _exit(0); |
498 | } | 498 | } |
499 | 499 | ||
500 | // wait for the child to finish | 500 | // wait for the child to finish |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 987a79d1c..b5a97c71e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2506,7 +2506,7 @@ int main(int argc, char **argv) { | |||
2506 | network_main(child); | 2506 | network_main(child); |
2507 | if (arg_debug) | 2507 | if (arg_debug) |
2508 | printf("Host network configured\n"); | 2508 | printf("Host network configured\n"); |
2509 | exit(0); | 2509 | _exit(0); |
2510 | } | 2510 | } |
2511 | 2511 | ||
2512 | // wait for the child to finish | 2512 | // wait for the child to finish |
@@ -2579,7 +2579,6 @@ int main(int argc, char **argv) { | |||
2579 | g = get_group_id("games"); | 2579 | g = get_group_id("games"); |
2580 | if (g) { | 2580 | if (g) { |
2581 | sprintf(ptr, "%d %d 1\n", g, g); | 2581 | sprintf(ptr, "%d %d 1\n", g, g); |
2582 | ptr += strlen(ptr); | ||
2583 | } | 2582 | } |
2584 | 2583 | ||
2585 | EUID_ROOT(); | 2584 | EUID_ROOT(); |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index b50d61039..c1f9a2c37 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -145,7 +145,8 @@ void netfilter(const char *fname) { | |||
145 | // wipe out environment variables | 145 | // wipe out environment variables |
146 | environ = NULL; | 146 | environ = NULL; |
147 | execl(iptables_restore, iptables_restore, NULL); | 147 | execl(iptables_restore, iptables_restore, NULL); |
148 | // it will never get here!!! | 148 | perror("execl"); |
149 | _exit(1); | ||
149 | } | 150 | } |
150 | // wait for the child to finish | 151 | // wait for the child to finish |
151 | waitpid(child, NULL, 0); | 152 | waitpid(child, NULL, 0); |
@@ -163,7 +164,8 @@ void netfilter(const char *fname) { | |||
163 | errExit("setregid"); | 164 | errExit("setregid"); |
164 | environ = NULL; | 165 | environ = NULL; |
165 | execl(iptables, iptables, "-vL", NULL); | 166 | execl(iptables, iptables, "-vL", NULL); |
166 | // it will never get here!!! | 167 | perror("execl"); |
168 | _exit(1); | ||
167 | } | 169 | } |
168 | // wait for the child to finish | 170 | // wait for the child to finish |
169 | waitpid(child, NULL, 0); | 171 | waitpid(child, NULL, 0); |
@@ -256,7 +258,8 @@ void netfilter6(const char *fname) { | |||
256 | // wipe out environment variables | 258 | // wipe out environment variables |
257 | environ = NULL; | 259 | environ = NULL; |
258 | execl(ip6tables_restore, ip6tables_restore, NULL); | 260 | execl(ip6tables_restore, ip6tables_restore, NULL); |
259 | // it will never get here!!! | 261 | perror("execl"); |
262 | _exit(1); | ||
260 | } | 263 | } |
261 | // wait for the child to finish | 264 | // wait for the child to finish |
262 | waitpid(child, NULL, 0); | 265 | waitpid(child, NULL, 0); |
@@ -269,7 +272,8 @@ void netfilter6(const char *fname) { | |||
269 | if (child == 0) { | 272 | if (child == 0) { |
270 | environ = NULL; | 273 | environ = NULL; |
271 | execl(ip6tables, ip6tables, "-vL", NULL); | 274 | execl(ip6tables, ip6tables, "-vL", NULL); |
272 | // it will never get here!!! | 275 | perror("execl"); |
276 | _exit(1); | ||
273 | } | 277 | } |
274 | // wait for the child to finish | 278 | // wait for the child to finish |
275 | waitpid(child, NULL, 0); | 279 | waitpid(child, NULL, 0); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8021ce9a3..f5cca7494 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -488,6 +488,13 @@ int sandbox(void* sandbox_arg) { | |||
488 | #ifdef HAVE_SECCOMP | 488 | #ifdef HAVE_SECCOMP |
489 | int enforce_seccomp = 0; | 489 | int enforce_seccomp = 0; |
490 | #endif | 490 | #endif |
491 | if (arg_appimage) { | ||
492 | enforce_filters(); | ||
493 | #ifdef HAVE_SECCOMP | ||
494 | enforce_seccomp = 1; | ||
495 | #endif | ||
496 | } | ||
497 | |||
491 | #ifdef HAVE_CHROOT | 498 | #ifdef HAVE_CHROOT |
492 | if (cfg.chrootdir) { | 499 | if (cfg.chrootdir) { |
493 | fs_chroot(cfg.chrootdir); | 500 | fs_chroot(cfg.chrootdir); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d40d349e1..c79f1a74e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -314,7 +314,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
314 | 314 | ||
315 | execvp(server_argv[0], server_argv); | 315 | execvp(server_argv[0], server_argv); |
316 | perror("execvp"); | 316 | perror("execvp"); |
317 | exit(1); | 317 | _exit(1); |
318 | } | 318 | } |
319 | 319 | ||
320 | if (arg_debug) | 320 | if (arg_debug) |
@@ -355,7 +355,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
355 | 355 | ||
356 | execvp(jail_argv[0], jail_argv); | 356 | execvp(jail_argv[0], jail_argv); |
357 | perror("execvp"); | 357 | perror("execvp"); |
358 | exit(1); | 358 | _exit(1); |
359 | } | 359 | } |
360 | 360 | ||
361 | // cleanup | 361 | // cleanup |
@@ -434,7 +434,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
434 | 434 | ||
435 | execvp(server_argv[0], server_argv); | 435 | execvp(server_argv[0], server_argv); |
436 | perror("execvp"); | 436 | perror("execvp"); |
437 | exit(1); | 437 | _exit(1); |
438 | } | 438 | } |
439 | 439 | ||
440 | // check X11 socket | 440 | // check X11 socket |
@@ -480,7 +480,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
480 | 480 | ||
481 | execvp(attach_argv[0], attach_argv); | 481 | execvp(attach_argv[0], attach_argv); |
482 | perror("execvp"); | 482 | perror("execvp"); |
483 | exit(1); | 483 | _exit(1); |
484 | } | 484 | } |
485 | 485 | ||
486 | setenv("DISPLAY", display_str, 1); | 486 | setenv("DISPLAY", display_str, 1); |
@@ -536,7 +536,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
536 | } | 536 | } |
537 | execvp(stop_argv[0], stop_argv); | 537 | execvp(stop_argv[0], stop_argv); |
538 | perror("execvp"); | 538 | perror("execvp"); |
539 | exit(1); | 539 | _exit(1); |
540 | } | 540 | } |
541 | 541 | ||
542 | // wait for xpra server to stop, 10 seconds limit | 542 | // wait for xpra server to stop, 10 seconds limit |
@@ -672,7 +672,7 @@ void x11_xorg(void) { | |||
672 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, | 672 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, |
673 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); | 673 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); |
674 | 674 | ||
675 | exit(0); | 675 | _exit(0); |
676 | } | 676 | } |
677 | // wait for the child to finish | 677 | // wait for the child to finish |
678 | waitpid(child, NULL, 0); | 678 | waitpid(child, NULL, 0); |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 5a89e1491..bceed93d3 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -146,7 +146,7 @@ static void print_sandbox(pid_t pid) { | |||
146 | return; | 146 | return; |
147 | net_ifprint(); | 147 | net_ifprint(); |
148 | printf("\n"); | 148 | printf("\n"); |
149 | exit(0); | 149 | _exit(0); |
150 | } | 150 | } |
151 | 151 | ||
152 | // wait for the child to finish | 152 | // wait for the child to finish |
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 188c10183..78a3a4fb2 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -28,6 +28,8 @@ | |||
28 | #include <arpa/inet.h> | 28 | #include <arpa/inet.h> |
29 | #include <time.h> | 29 | #include <time.h> |
30 | #include <fcntl.h> | 30 | #include <fcntl.h> |
31 | #include <sys/uio.h> | ||
32 | |||
31 | #define PIDS_BUFLEN 4096 | 33 | #define PIDS_BUFLEN 4096 |
32 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA | 34 | #define SERVER_PORT 889 // 889-899 is left unassigned by IANA |
33 | 35 | ||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 691217253..796179d0b 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -13,6 +13,10 @@ Example: | |||
13 | 13 | ||
14 | netblue:--net=none --protocol=unix | 14 | netblue:--net=none --protocol=unix |
15 | 15 | ||
16 | Wildcard patterns are accepted in the user name field: | ||
17 | |||
18 | user*: --private | ||
19 | |||
16 | .SH RESTRICTED SHELL | 20 | .SH RESTRICTED SHELL |
17 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 21 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
18 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 22 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 2a7cb7975..b011f2bf9 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp | |||
@@ -46,20 +46,20 @@ expect { | |||
46 | } | 46 | } |
47 | send -- "sudo -s\r" | 47 | send -- "sudo -s\r" |
48 | expect { | 48 | expect { |
49 | timeout {puts "TESTING ERROR 8\n";exit} | 49 | timeout {puts "TESTING ERROR 7\n";exit} |
50 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} | 50 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
51 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} | 51 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
52 | "Bad system call" { puts "OK\n";} | 52 | "Bad system call" { puts "OK\n";} |
53 | } | 53 | } |
54 | send -- "cat /proc/self/uid_map | wc -l\r" | 54 | send -- "cat /proc/self/uid_map | wc -l\r" |
55 | expect { | 55 | expect { |
56 | timeout {puts "TESTING ERROR 7\n";exit} | 56 | timeout {puts "TESTING ERROR 8\n";exit} |
57 | "1" | 57 | "1" |
58 | } | 58 | } |
59 | send -- "cat /proc/self/gid_map | wc -l\r" | 59 | send -- "cat /proc/self/gid_map | wc -l\r" |
60 | expect { | 60 | expect { |
61 | timeout {puts "TESTING ERROR 8\n";exit} | 61 | timeout {puts "TESTING ERROR 9\n";exit} |
62 | "3" | 62 | "5" |
63 | } | 63 | } |
64 | 64 | ||
65 | puts "\n" | 65 | puts "\n" |
@@ -70,59 +70,59 @@ sleep 2 | |||
70 | 70 | ||
71 | send -- "firejail --name=test --noroot --noprofile\r" | 71 | send -- "firejail --name=test --noroot --noprofile\r" |
72 | expect { | 72 | expect { |
73 | timeout {puts "TESTING ERROR 9\n";exit} | 73 | timeout {puts "TESTING ERROR 10\n";exit} |
74 | "Child process initialized" | 74 | "Child process initialized" |
75 | } | 75 | } |
76 | sleep 1 | 76 | sleep 1 |
77 | 77 | ||
78 | send -- "cat /proc/self/status\r" | 78 | send -- "cat /proc/self/status\r" |
79 | expect { | 79 | expect { |
80 | timeout {puts "TESTING ERROR 10\n";exit} | 80 | timeout {puts "TESTING ERROR 11\n";exit} |
81 | "CapBnd:" | 81 | "CapBnd:" |
82 | } | 82 | } |
83 | expect { | 83 | expect { |
84 | timeout {puts "TESTING ERROR 11\n";exit} | 84 | timeout {puts "TESTING ERROR 12\n";exit} |
85 | "ffffffff" | 85 | "ffffffff" |
86 | } | 86 | } |
87 | expect { | 87 | expect { |
88 | timeout {puts "TESTING ERROR 12\n";exit} | 88 | timeout {puts "TESTING ERROR 13\n";exit} |
89 | "Seccomp:" | 89 | "Seccomp:" |
90 | } | 90 | } |
91 | expect { | 91 | expect { |
92 | timeout {puts "TESTING ERROR 13\n";exit} | 92 | timeout {puts "TESTING ERROR 14\n";exit} |
93 | "0" | 93 | "0" |
94 | } | 94 | } |
95 | expect { | 95 | expect { |
96 | timeout {puts "TESTING ERROR 14\n";exit} | 96 | timeout {puts "TESTING ERROR 15\n";exit} |
97 | "Cpus_allowed:" | 97 | "Cpus_allowed:" |
98 | } | 98 | } |
99 | puts "\n" | 99 | puts "\n" |
100 | 100 | ||
101 | send -- "whoami\r" | 101 | send -- "whoami\r" |
102 | expect { | 102 | expect { |
103 | timeout {puts "TESTING ERROR 15\n";exit} | 103 | timeout {puts "TESTING ERROR 16\n";exit} |
104 | $env(USER) | 104 | $env(USER) |
105 | } | 105 | } |
106 | send -- "sudo -s\r" | 106 | send -- "sudo -s\r" |
107 | expect { | 107 | expect { |
108 | timeout {puts "TESTING ERROR 16\n";exit} | 108 | timeout {puts "TESTING ERROR 17\n";exit} |
109 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} | 109 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
110 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} | 110 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
111 | } | 111 | } |
112 | send -- "ping 0\r" | 112 | send -- "ping 0\r" |
113 | expect { | 113 | expect { |
114 | timeout {puts "TESTING ERROR 17\n";exit} | 114 | timeout {puts "TESTING ERROR 18\n";exit} |
115 | "Operation not permitted" | 115 | "Operation not permitted" |
116 | } | 116 | } |
117 | send -- "cat /proc/self/uid_map | wc -l\r" | 117 | send -- "cat /proc/self/uid_map | wc -l\r" |
118 | expect { | 118 | expect { |
119 | timeout {puts "TESTING ERROR 18\n";exit} | 119 | timeout {puts "TESTING ERROR 19\n";exit} |
120 | "1" | 120 | "1" |
121 | } | 121 | } |
122 | send -- "cat /proc/self/gid_map | wc -l\r" | 122 | send -- "cat /proc/self/gid_map | wc -l\r" |
123 | expect { | 123 | expect { |
124 | timeout {puts "TESTING ERROR 19\n";exit} | 124 | timeout {puts "TESTING ERROR 20\n";exit} |
125 | "3" | 125 | "5" |
126 | } | 126 | } |
127 | 127 | ||
128 | 128 | ||
@@ -130,31 +130,31 @@ expect { | |||
130 | spawn $env(SHELL) | 130 | spawn $env(SHELL) |
131 | send -- "firejail --debug --join=test\r" | 131 | send -- "firejail --debug --join=test\r" |
132 | expect { | 132 | expect { |
133 | timeout {puts "TESTING ERROR 20\n";exit} | 133 | timeout {puts "TESTING ERROR 21\n";exit} |
134 | "User namespace detected" | 134 | "User namespace detected" |
135 | } | 135 | } |
136 | expect { | 136 | expect { |
137 | timeout {puts "TESTING ERROR 21\n";exit} | 137 | timeout {puts "TESTING ERROR 22\n";exit} |
138 | "Joining user namespace" | 138 | "Joining user namespace" |
139 | } | 139 | } |
140 | sleep 1 | 140 | sleep 1 |
141 | 141 | ||
142 | send -- "sudo -s\r" | 142 | send -- "sudo -s\r" |
143 | expect { | 143 | expect { |
144 | timeout {puts "TESTING ERROR 22\n";exit} | 144 | timeout {puts "TESTING ERROR 23\n";exit} |
145 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} | 145 | "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} |
146 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} | 146 | "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} |
147 | "Permission denied" { puts "OK\n";} | 147 | "Permission denied" { puts "OK\n";} |
148 | } | 148 | } |
149 | send -- "cat /proc/self/uid_map | wc -l\r" | 149 | send -- "cat /proc/self/uid_map | wc -l\r" |
150 | expect { | 150 | expect { |
151 | timeout {puts "TESTING ERROR 23\n";exit} | 151 | timeout {puts "TESTING ERROR 24\n";exit} |
152 | "1" | 152 | "1" |
153 | } | 153 | } |
154 | send -- "cat /proc/self/gid_map | wc -l\r" | 154 | send -- "cat /proc/self/gid_map | wc -l\r" |
155 | expect { | 155 | expect { |
156 | timeout {puts "TESTING ERROR 24\n";exit} | 156 | timeout {puts "TESTING ERROR 25\n";exit} |
157 | "3" | 157 | "5" |
158 | } | 158 | } |
159 | after 100 | 159 | after 100 |
160 | puts "\nall done\n" | 160 | puts "\nall done\n" |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d45ef48bd..3139b8eae 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -6,6 +6,9 @@ | |||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | 8 | ||
9 | echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" | ||
10 | ./sys_fs.exp | ||
11 | |||
9 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" | 12 | echo "TESTING: kmsg access (test/fs/kmsg.exp)" |
10 | ./kmsg.exp | 13 | ./kmsg.exp |
11 | 14 | ||
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp new file mode 100755 index 000000000..f512776d9 --- /dev/null +++ b/test/fs/sys_fs.exp | |||
@@ -0,0 +1,44 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "ls /sys/fs\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 2\n";exit} | ||
20 | "Permission denied" | ||
21 | } | ||
22 | after 100 | ||
23 | |||
24 | send -- "exit\r" | ||
25 | sleep 1 | ||
26 | |||
27 | send -- "firejail --noblacklist=/sys/fs\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1\n";exit} | ||
30 | "Child process initialized" | ||
31 | } | ||
32 | sleep 1 | ||
33 | |||
34 | send -- "ls /sys/fs\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 2\n";exit} | ||
37 | "cgroup" | ||
38 | } | ||
39 | after 100 | ||
40 | send -- "exit\r" | ||
41 | after 100 | ||
42 | |||
43 | puts "\nall done\n" | ||
44 | |||