559 files changed, 3684 insertions, 1326 deletions
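--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.gcda
 *.gcno
 Makefile
+autom4te.cache/
 config.log
 config.status
 firejail-login.5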
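--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64
 
@@ -79,9 +79,10 @@ realinstall:
 	install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
 	install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
-	install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
@@ -91,6 +92,10 @@ realinstall:
 	install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/.
 	install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
+	install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
 	# documents
 	install -m 0755 -d $(DESTDIR)/$(DOCDIR)
 	install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -136,7 +141,6 @@ install-strip: all
 	strip src/firecfg/firecfg
 	strip src/libtrace/libtrace.so
 	strip src/libtracelog/libtracelog.so
-	strip src/libconnect/libconnect.so
 	strip src/ftee/ftee
 	strip src/faudit/faudit
 	strip src/fnet/fnet
@@ -158,7 +162,7 @@ uninstall:
 	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
 	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 
-DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
+DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 
 dist: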
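Review bot: The realinstall hunk installs `src/fgit/fgit-install.sh` and `src/fgit/fgit-uninstall.sh` unconditionally, while configure.ac in the same commit makes the feature opt-in via --enable-git-install, so a build configured without it still ships the scripts that fetch and build from GitHub into /usr/local. If Makefile.in receives the substitution (it is not visible here), the two lines should be wrapped in `ifneq ($(HAVE_GIT_INSTALL),)` … `endif`, with a comment `# fgit scripts back --git-install/--git-uninstall; only shipped when configured with --enable-git-install`. The same hunk and the seccomp hunk below it add the contrib Python scripts to $(libdir)/firejail, and the uninstall hunk shown only removes bash completions; whether uninstall is extended for the new files falls outside the shown lines and is worth checking. The realinstall, install-strip and uninstall recipes all start outside their hunks.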
@@ -15,6 +15,17 @@ Documentation and support: https://firejail.wordpress.com/ | |||
15 | Development: https://github.com/netblue30/firejail | 15 | Development: https://github.com/netblue30/firejail |
16 | License: GPL v2 | 16 | License: GPL v2 |
17 | 17 | ||
18 | Compile and install | ||
19 | |||
20 | $ git clone https://github.com/netblue30/firejail.git | ||
21 | $ cd firejail | ||
22 | $ ./configure && make && sudo make install-strip | ||
23 | |||
24 | On Debian/Ubuntu you will need to install git and a compiler: | ||
25 | |||
26 | $ sudo apt-get install build-essential | ||
27 | |||
28 | |||
18 | Firejail Authors: | 29 | Firejail Authors: |
19 | 30 | ||
20 | netblue30 (netblue30@yahoo.com) | 31 | netblue30 (netblue30@yahoo.com) |
@@ -83,6 +94,11 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
83 | - added xed and pluma profiles | 94 | - added xed and pluma profiles |
84 | - added Cryptocat profile | 95 | - added Cryptocat profile |
85 | - added wireshark profile | 96 | - added wireshark profile |
97 | - uudeview profile fix | ||
98 | - fixed palemoon and qbittorrent profiles | ||
99 | - compile/install scripts for --git-install/--git-uninstall commands | ||
100 | - tighten keepassx | ||
101 | - added Thunar profile | ||
86 | valoq (https://github.com/valoq) | 102 | valoq (https://github.com/valoq) |
87 | - lots of profile fixes | 103 | - lots of profile fixes |
88 | - added support for /srv in --whitelist feature | 104 | - added support for /srv in --whitelist feature |
@@ -97,6 +113,37 @@ valoq (https://github.com/valoq) | |||
97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 113 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
98 | - added wget profile | 114 | - added wget profile |
99 | - disable gnupg and systemd directories under /run/user | 115 | - disable gnupg and systemd directories under /run/user |
116 | - added iridium browser profile | ||
117 | Zack Weinberg (https://github.com/zackw) | ||
118 | - removed libconnect | ||
119 | - fixed memory corruption in noblacklist processing | ||
120 | - rework DISPLAY environment parsing | ||
121 | - rework masking X11 sockets in /tmp/.X11-unix directory | ||
122 | - rework xpra and xephyr detection | ||
123 | - rework abstract X11 socket detection | ||
124 | - rework X11 display number assignment | ||
125 | - rework X11 xorg processing | ||
126 | - rework fcopy, --follow-link support in fcopy | ||
127 | - follow link support in --private-bin | ||
128 | - wait_for_other function rewrite | ||
129 | Austin S. Hemmelgarn (https://github.com/Ferroin) | ||
130 | - unbound profile update | ||
131 | Igor Bukanov (https://github.com/ibukanov) | ||
132 | - found/fiixed privilege escalation in --hosts-file option | ||
133 | Cat (https://github.com/ecat3) | ||
134 | - prevent tmux connecting to an existing session | ||
135 | Zack Weinberg (https://github.com/zackw) | ||
136 | - sdded support for joining a persistent, named network namespace | ||
137 | GSI (https://github.com/GSI) | ||
138 | - added Uzbl browser profile | ||
139 | Mike Frysinger (vapier@gentoo.org) | ||
140 | - Gentoo compile patch | ||
141 | Jericho (https://github.com/attritionorg) | ||
142 | - spelling | ||
143 | Pixel Fairy (https://github.com/xahare) | ||
144 | - added fjclip.py, fjdisplay.py and fjresize.py in contrib section | ||
145 | pshpsh (https://github.com/pshpsh) | ||
146 | - added FossaMail profile | ||
100 | eventyrer (https://github.com/eventyrer) | 147 | eventyrer (https://github.com/eventyrer) |
101 | - update gnome-mplayer.profile | 148 | - update gnome-mplayer.profile |
102 | thewisenerd (https://github.com/thewisenerd) | 149 | thewisenerd (https://github.com/thewisenerd) |
@@ -104,10 +151,13 @@ thewisenerd (https://github.com/thewisenerd) | |||
104 | - use $SHELL variable if the shell is not specified | 151 | - use $SHELL variable if the shell is not specified |
105 | SYN-cook (https://github.com/SYN-cook) | 152 | SYN-cook (https://github.com/SYN-cook) |
106 | - keepass/keepassx browser fixes | 153 | - keepass/keepassx browser fixes |
154 | - disable-common.inc fixes | ||
155 | - blacklist GNOME keyring and Konqueror | ||
156 | - fixed Keepass(x) profiles | ||
107 | thewisenerd (https://github.com/thewisenerd) | 157 | thewisenerd (https://github.com/thewisenerd) |
108 | - appimage: pass commandline arguments | 158 | - appimage: pass commandline arguments |
109 | KOLANICH (https://github.com/KOLANICH) | 159 | KOLANICH (https://github.com/KOLANICH) |
110 | - added symlink fixer | 160 | - added symlink fixer fix_private-bin.py in contrib section |
111 | Jesse Smith (https://github.com/slicer69) | 161 | Jesse Smith (https://github.com/slicer69) |
112 | - added QupZilla profile | 162 | - added QupZilla profile |
113 | Lari Rauno (https://github.com/tuutti) | 163 | Lari Rauno (https://github.com/tuutti) |
@@ -213,6 +263,10 @@ KellerFuchs (https://github.com/KellerFuchs) | |||
213 | - nonewpriv support, extended profiles for this feature | 263 | - nonewpriv support, extended profiles for this feature |
214 | - make `restricted-network` prevent use of netfilter | 264 | - make `restricted-network` prevent use of netfilter |
215 | - disable-common.inc additions | 265 | - disable-common.inc additions |
266 | - make mutt and msmtp's rc files read-only | ||
267 | - added support for .local profile files in /etc/firejail | ||
268 | - fixed Cryptocat profile | ||
269 | - make ~/.local read-only | ||
216 | ValdikSS (https://github.com/ValdikSS) | 270 | ValdikSS (https://github.com/ValdikSS) |
217 | - Psi+, Corebird, Konversation profiles | 271 | - Psi+, Corebird, Konversation profiles |
218 | - various profile fixes | 272 | - various profile fixes |
@@ -292,6 +346,7 @@ Ivan Kozik (https://github.com/ivan) | |||
292 | - speed up sandbox exit | 346 | - speed up sandbox exit |
293 | Christian Stadelmann (https://github.com/genodeftest) | 347 | Christian Stadelmann (https://github.com/genodeftest) |
294 | - profile fixes | 348 | - profile fixes |
349 | - evolution profile fix | ||
295 | pirate486743186 (https://github.com/pirate486743186) | 350 | pirate486743186 (https://github.com/pirate486743186) |
296 | - KMail profile | 351 | - KMail profile |
297 | Kaan Genç (https://github.com/SeriousBug) | 352 | Kaan Genç (https://github.com/SeriousBug) |
@@ -355,4 +410,4 @@ pstn (https://github.com/pstn) | |||
355 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) | 410 | Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) |
356 | - src/lib/libnetlink.c extracted from iproute2 software package | 411 | - src/lib/libnetlink.c extracted from iproute2 software package |
357 | 412 | ||
358 | Copyright (C) 2014-2016 Firejail Authors | 413 | Copyright (C) 2014-2017 Firejail Authors |
@@ -22,6 +22,10 @@ $ firejail transmission-gtk # starting Transmission BitTorrent | |||
22 | $ firejail vlc # starting VideoLAN Client | 22 | $ firejail vlc # starting VideoLAN Client |
23 | $ sudo firejail /etc/init.d/nginx start | 23 | $ sudo firejail /etc/init.d/nginx start |
24 | ````` | 24 | ````` |
25 | |||
26 | [![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc) | ||
27 | |||
28 | |||
25 | Project webpage: https://firejail.wordpress.com/ | 29 | Project webpage: https://firejail.wordpress.com/ |
26 | 30 | ||
27 | Download and Installation: https://firejail.wordpress.com/download-2/ | 31 | Download and Installation: https://firejail.wordpress.com/download-2/ |
@@ -35,6 +39,17 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
35 | ````` | 39 | ````` |
36 | 40 | ||
37 | ````` | 41 | ````` |
42 | ## Compile and install | ||
43 | ````` | ||
44 | $ git clone https://github.com/netblue30/firejail.git | ||
45 | $ cd firejail | ||
46 | $ ./configure && make && sudo make install-strip | ||
47 | ````` | ||
48 | On Debian/Ubuntu you will need to install git and a compiler: | ||
49 | ````` | ||
50 | $ sudo apt-get install git build-essential | ||
51 | ````` | ||
52 | |||
38 | ## User submitted profile repositories | 53 | ## User submitted profile repositories |
39 | 54 | ||
40 | If you keep your Firejail profiles in a public repository, please give us a link: | 55 | If you keep your Firejail profiles in a public repository, please give us a link: |
@@ -51,7 +66,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
51 | ````` | 66 | ````` |
52 | 67 | ||
53 | ````` | 68 | ````` |
54 | ## AppImage type 2 support | 69 | ## AppImage |
70 | |||
71 | Added AppImage type 2 support, and support for passing command line arguments to appimages. | ||
55 | ````` | 72 | ````` |
56 | 73 | ||
57 | ````` | 74 | ````` |
@@ -75,9 +92,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
75 | Example: | 92 | Example: |
76 | # firejail --private-srv=www /etc/init.d/apache2 start | 93 | # firejail --private-srv=www /etc/init.d/apache2 start |
77 | 94 | ||
78 | --machine-id | 95 | --machine-id |
79 | Preserve id number in /etc/machine-id file. By default a new | 96 | Spoof id number in /etc/machine-id file - a new random id is |
80 | random id is generated inside the sandbox. | 97 | generated inside the sandbox. |
81 | 98 | ||
82 | Example: | 99 | Example: |
83 | $ firejail --machine-id | 100 | $ firejail --machine-id |
@@ -89,7 +106,46 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
89 | Example: | 106 | Example: |
90 | $ firejail --allow-private-blacklist --private=~/priv-dir | 107 | $ firejail --allow-private-blacklist --private=~/priv-dir |
91 | --blacklist=~/.mozilla | 108 | --blacklist=~/.mozilla |
109 | |||
110 | --hosts-file=file | ||
111 | Use file as /etc/hosts. | ||
112 | |||
113 | Example: | ||
114 | $ firejail --hosts-file=~/myhosts firefox | ||
92 | 115 | ||
116 | --writable-var-log | ||
117 | Use the real /var/log directory, not a clone. By default, a | ||
118 | tmpfs is mounted on top of /var/log directory, and a skeleton | ||
119 | filesystem is created based on the original /var/log. | ||
120 | |||
121 | Example: | ||
122 | $ sudo firejail --writable-var-log | ||
123 | |||
124 | --git-install | ||
125 | Download, compile and install mainline git version of Firejail | ||
126 | from the official repository on GitHub. The software is | ||
127 | installed in /usr/local/bin, and takes precedence over the (old) | ||
128 | version installed in /usr/bin. If for any reason the new version | ||
129 | doesn't work, the user can uninstall it using --git-uninstall | ||
130 | command and revert to the old version. | ||
131 | |||
132 | Prerequisites: git and compile support are required for this com‐ | ||
133 | mand to work. On Debian/Ubuntu systems this support is installed | ||
134 | using "sudo apt-get install build-essential git". | ||
135 | |||
136 | Example: | ||
137 | |||
138 | $ firejail --git-install | ||
139 | |||
140 | --git-uninstall | ||
141 | Remove the Firejail version previously installed in | ||
142 | /usr/local/bin using --git-install command. | ||
143 | |||
144 | Example: | ||
145 | |||
146 | $ firejail --git-uninstall | ||
147 | |||
148 | |||
93 | ````` | 149 | ````` |
94 | ## New Profiles | 150 | ## New Profiles |
95 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | 151 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, |
@@ -98,5 +154,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome- | |||
98 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, | 154 | goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, |
99 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, | 155 | simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, |
100 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, | 156 | xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, |
101 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla | 157 | PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, |
102 | 158 | Kino, Thunar | |
@@ -1,31 +1,47 @@ | |||
1 | firejail (0.9.45) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | 2 | * development version, work in progress |
3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | 3 | * Gentoo compile patch |
4 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 4 | * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) |
5 | * security: invalid environment exploit found by Martin Carpenter | 5 | * security: disabled --allow-debuggers when running on kernel |
6 | versions prior to 4.8; a kernel bug in ptrace system call | ||
7 | allows a full bypass of seccomp filter; problem reported by Lizzie Dixon | ||
8 | (CVE-2017-5206) | ||
9 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) | ||
10 | * security: TOCTOU exploit for --get and --put found by Daniel Hodson | ||
11 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) | ||
6 | * security: split most of networking code in a separate executable | 12 | * security: split most of networking code in a separate executable |
7 | * security: split seccomp filter code configuration in a separate executable | 13 | * security: split seccomp filter code configuration in a separate executable |
8 | * security: split file copying in private option in a separate executable | 14 | * security: split file copying in private option in a separate executable |
15 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) | ||
16 | * security: ~/.pki directory whitelisted and later blacklisted. This affects | ||
17 | most browsers, and disables the custom certificates installed by the user. | ||
9 | * feature: disable gnupg and systemd directories under /run/user | 18 | * feature: disable gnupg and systemd directories under /run/user |
10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
11 | * feature: AppImage type 2 support | ||
12 | * feature: test coverage (gcov) support | 19 | * feature: test coverage (gcov) support |
20 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
13 | * feature: private /opt directory (--private-opt, profile support) | 21 | * feature: private /opt directory (--private-opt, profile support) |
14 | * feature: private /srv directory (--private-srv, profile support) | 22 | * feature: private /srv directory (--private-srv, profile support) |
15 | * feature: spoof machine-id | 23 | * feature: spoof machine-id (--machine-id, profile support) |
24 | * feature: allow blacklists under --private (--allow-private-blacklist, profile support) | ||
25 | * feature: user-defined /etc/hosts file (--hosts-file, profile support) | ||
26 | * feature: support for the real /var/log directory (--writable-var-log, profile support) | ||
16 | * feature: config support for firejail prompt in terminals | 27 | * feature: config support for firejail prompt in terminals |
28 | * feature: AppImage type 2 support | ||
17 | * feature: pass command line arguments to appimages | 29 | * feature: pass command line arguments to appimages |
18 | * feature: --allow-private-blacklist option | 30 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come |
31 | * feature: added a number o Python scripts for handling sandboxes | ||
32 | * feature: allow local customization using .local files under /etc/firejail | ||
33 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | ||
19 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 34 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
20 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 35 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
21 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 36 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
22 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | 37 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, |
23 | * new profies: Xonotic, wireshark, keepassx2, QupZilla | 38 | * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, |
39 | * new profiles: Uzbl browser, iridium browser, Thunar | ||
24 | * bugfixes | 40 | * bugfixes |
25 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 41 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
26 | 42 | ||
27 | firejail (0.9.44) baseline; urgency=low | 43 | firejail (0.9.44) baseline; urgency=low |
28 | * CVE-2016-7545 submitted by Aleksey Manevich | 44 | * CVE-2016-9016 submitted by Aleksey Manevich |
29 | * modifs: removed man firejail-config | 45 | * modifs: removed man firejail-config |
30 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 46 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
31 | * modifs: Nvidia drivers added to --private-dev | 47 | * modifs: Nvidia drivers added to --private-dev |
@@ -142,11 +158,12 @@ firejail (0.9.38) baseline; urgency=low | |||
142 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, | 158 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, |
143 | * and mupen64plus profiles | 159 | * and mupen64plus profiles |
144 | * --chroot in user mode allowed only if seccomp support is available | 160 | * --chroot in user mode allowed only if seccomp support is available |
145 | * in current Linux kernel | 161 | * in current Linux kernel (CVE-2016-10123) |
146 | * deprecated --private-home feature | 162 | * deprecated --private-home feature |
147 | * the first protocol list installed takes precedence | 163 | * the first protocol list installed takes precedence |
148 | * --tmpfs option allowed only running as root | 164 | * --tmpfs option allowed only running as root (CVE-2016-10117) |
149 | * added --private-tmp option | 165 | * added --private-tmp option |
166 | * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) | ||
150 | * bugfixes | 167 | * bugfixes |
151 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 168 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
152 | 169 | ||
@@ -625,6 +625,7 @@ ac_includes_default="\ | |||
625 | ac_subst_vars='LTLIBOBJS | 625 | ac_subst_vars='LTLIBOBJS |
626 | LIBOBJS | 626 | LIBOBJS |
627 | HAVE_SECCOMP_H | 627 | HAVE_SECCOMP_H |
628 | HAVE_GIT_INSTALL | ||
628 | HAVE_GCOV | 629 | HAVE_GCOV |
629 | BUSYBOX_WORKAROUND | 630 | BUSYBOX_WORKAROUND |
630 | HAVE_FATAL_WARNINGS | 631 | HAVE_FATAL_WARNINGS |
@@ -711,6 +712,7 @@ enable_whitelist | |||
711 | enable_fatal_warnings | 712 | enable_fatal_warnings |
712 | enable_busybox_workaround | 713 | enable_busybox_workaround |
713 | enable_gcov | 714 | enable_gcov |
715 | enable_git_install | ||
714 | ' | 716 | ' |
715 | ac_precious_vars='build_alias | 717 | ac_precious_vars='build_alias |
716 | host_alias | 718 | host_alias |
@@ -1349,6 +1351,7 @@ Optional Features: | |||
1349 | --enable-busybox-workaround | 1351 | --enable-busybox-workaround |
1350 | enable busybox workaround | 1352 | enable busybox workaround |
1351 | --enable-gcov Gcov instrumentation | 1353 | --enable-gcov Gcov instrumentation |
1354 | --enable-git-install enable git install feature | ||
1352 | 1355 | ||
1353 | Some influential environment variables: | 1356 | Some influential environment variables: |
1354 | CC C compiler command | 1357 | CC C compiler command |
@@ -3100,6 +3103,7 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3100 | fi | 3103 | fi |
3101 | 3104 | ||
3102 | 3105 | ||
3106 | |||
3103 | ac_ext=c | 3107 | ac_ext=c |
3104 | ac_cpp='$CPP $CPPFLAGS' | 3108 | ac_cpp='$CPP $CPPFLAGS' |
3105 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | 3109 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' |
@@ -3711,6 +3715,18 @@ if test "x$enable_gcov" = "xyes"; then : | |||
3711 | fi | 3715 | fi |
3712 | 3716 | ||
3713 | 3717 | ||
3718 | HAVE_GIT_INSTALL="" | ||
3719 | # Check whether --enable-git-install was given. | ||
3720 | if test "${enable_git_install+set}" = set; then : | ||
3721 | enableval=$enable_git_install; | ||
3722 | fi | ||
3723 | |||
3724 | if test "x$enable_git_install" = "xyes"; then : | ||
3725 | |||
3726 | HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" | ||
3727 | |||
3728 | |||
3729 | fi | ||
3714 | 3730 | ||
3715 | # checking pthread library | 3731 | # checking pthread library |
3716 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 | 3732 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 |
@@ -3777,7 +3793,7 @@ if test "$prefix" = /usr; then | |||
3777 | sysconfdir="/etc" | 3793 | sysconfdir="/etc" |
3778 | fi | 3794 | fi |
3779 | 3795 | ||
3780 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" | 3796 | ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile" |
3781 | 3797 | ||
3782 | cat >confcache <<\_ACEOF | 3798 | cat >confcache <<\_ACEOF |
3783 | # This file is a shell script that caches the results of configure | 3799 | # This file is a shell script that caches the results of configure |
@@ -4497,7 +4513,6 @@ do | |||
4497 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; | 4513 | "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; |
4498 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; | 4514 | "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; |
4499 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; | 4515 | "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; |
4500 | "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; | ||
4501 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; | 4516 | "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; |
4502 | 4517 | ||
4503 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4518 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
@@ -4971,6 +4986,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
4971 | echo " private home support: $HAVE_PRIVATE_HOME" | 4986 | echo " private home support: $HAVE_PRIVATE_HOME" |
4972 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4987 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4973 | echo " overlayfs support: $HAVE_OVERLAYFS" | 4988 | echo " overlayfs support: $HAVE_OVERLAYFS" |
4989 | echo " git install support: $HAVE_GIT_INSTALL" | ||
4974 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 4990 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
4975 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4991 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
4976 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 4992 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
diff --git a/configure.ac b/configure.ac index f3076f2f8..c04bfed89 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -17,6 +17,7 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ | |||
17 | AC_SUBST(HAVE_APPARMOR) | 17 | AC_SUBST(HAVE_APPARMOR) |
18 | ]) | 18 | ]) |
19 | 19 | ||
20 | |||
20 | AS_IF([test "x$enable_apparmor" = "xyes"], [ | 21 | AS_IF([test "x$enable_apparmor" = "xyes"], [ |
21 | AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( | 22 | AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( |
22 | [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) | 23 | [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) |
@@ -146,6 +147,13 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ | |||
146 | ]) | 147 | ]) |
147 | 148 | ||
148 | 149 | ||
150 | HAVE_GIT_INSTALL="" | ||
151 | AC_ARG_ENABLE([git-install], | ||
152 | AS_HELP_STRING([--enable-git-install], [enable git install feature])) | ||
153 | AS_IF([test "x$enable_git_install" = "xyes"], [ | ||
154 | HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL" | ||
155 | AC_SUBST(HAVE_GIT_INSTALL) | ||
156 | ]) | ||
149 | 157 | ||
150 | # checking pthread library | 158 | # checking pthread library |
151 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) | 159 | AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) |
@@ -160,7 +168,7 @@ fi | |||
160 | 168 | ||
161 | AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ | 169 | AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ |
162 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ | 170 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ |
163 | src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) | 171 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile) |
164 | 172 | ||
165 | echo | 173 | echo |
166 | echo "Configuration options:" | 174 | echo "Configuration options:" |
@@ -179,6 +187,7 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
179 | echo " private home support: $HAVE_PRIVATE_HOME" | 187 | echo " private home support: $HAVE_PRIVATE_HOME" |
180 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 188 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
181 | echo " overlayfs support: $HAVE_OVERLAYFS" | 189 | echo " overlayfs support: $HAVE_OVERLAYFS" |
190 | echo " git install support: $HAVE_GIT_INSTALL" | ||
182 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 191 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
183 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 192 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
184 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | 193 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" |
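Review bot: The help string added in the second hunk, `[enable git install feature]`, does not tell a packager what they are switching on, which matters because the feature (per the RELNOTES in this commit) downloads, compiles and installs a Firejail tree into /usr/local/bin. Suggest `AS_HELP_STRING([--enable-git-install], [build --git-install/--git-uninstall support (fetches and compiles Firejail from GitHub into /usr/local)])`. The blank line inserted after the AC_SUBST(HAVE_APPARMOR) block in the first hunk is a stray whitespace change unrelated to this feature.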
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py new file mode 100755 index 000000000..270c758a2 --- /dev/null +++ b/contrib/fix_private-bin.py | |||
@@ -0,0 +1,157 @@ | |||
1 | #!/usr/bin/python3 | ||
2 | |||
3 | __author__ = "KOLANICH" | ||
4 | __copyright__ = """This is free and unencumbered software released into the public domain. | ||
5 | |||
6 | Anyone is free to copy, modify, publish, use, compile, sell, or | ||
7 | distribute this software, either in source code form or as a compiled | ||
8 | binary, for any purpose, commercial or non-commercial, and by any | ||
9 | means. | ||
10 | |||
11 | In jurisdictions that recognize copyright laws, the author or authors | ||
12 | of this software dedicate any and all copyright interest in the | ||
13 | software to the public domain. We make this dedication for the benefit | ||
14 | of the public at large and to the detriment of our heirs and | ||
15 | successors. We intend this dedication to be an overt act of | ||
16 | relinquishment in perpetuity of all present and future rights to this | ||
17 | software under copyright law. | ||
18 | |||
19 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | ||
20 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | ||
21 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | ||
22 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR | ||
23 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | ||
24 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR | ||
25 | OTHER DEALINGS IN THE SOFTWARE. | ||
26 | |||
27 | For more information, please refer to <http://unlicense.org/>""" | ||
28 | __license__ = "Unlicense" | ||
29 | |||
30 | import sys, os, glob, re | ||
31 | |||
32 | privRx=re.compile("^(?:#\s*)?private-bin") | ||
33 | |||
34 | def fixSymlinkedBins(files, replMap): | ||
35 | """ | ||
36 | Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap | ||
37 | replMap is a dict where key is the marker filename and value is the filename to add | ||
38 | """ | ||
39 | |||
40 | rxs=dict() | ||
41 | for (old,new) in replMap.items(): | ||
42 | rxs[old]=re.compile("\\b"+old+"\\b") | ||
43 | rxs[new]=re.compile("\\b"+new+"\\b") | ||
44 | #print(rxs) | ||
45 | |||
46 | for filename in files: | ||
47 | lines=None | ||
48 | with open(filename,"r") as file: | ||
49 | lines=file.readlines() | ||
50 | |||
51 | shouldUpdate=False | ||
52 | for (i,line) in enumerate(lines): | ||
53 | if privRx.search(line): | ||
54 | for (old,new) in replMap.items(): | ||
55 | if rxs[old].search(line) and not rxs[new].search(line): | ||
56 | lines[i]=rxs[old].sub(old+","+new, line) | ||
57 | shouldUpdate=True | ||
58 | print(lines[i]) | ||
59 | |||
60 | if shouldUpdate: | ||
61 | with open(filename,"w") as file: | ||
62 | file.writelines(lines) | ||
63 | pass | ||
64 | |||
65 | def createSetOfBinaries(files): | ||
66 | """ | ||
67 | Creates a set of binaries mentioned in private-bin directives of files. | ||
68 | """ | ||
69 | s=set() | ||
70 | for filename in files: | ||
71 | lines=None | ||
72 | with open(filename,"r") as file: | ||
73 | for line in file: | ||
74 | if privRx.search(line): | ||
75 | bins=line.split(",") | ||
76 | bins[0]=bins[0].split(" ")[-1] | ||
77 | bins = [n.strip() for n in bins] | ||
78 | s=s|set(bins) | ||
79 | return s | ||
80 | |||
81 | def createSymlinkTable(binDirs, binariesSet): | ||
82 | """ | ||
83 | creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary. | ||
84 | binDirs are folders to look into for binaries symlinks | ||
85 | binariesSet is a set of binaries to be checked if they are actually a symlinks | ||
86 | """ | ||
87 | m=dict() | ||
88 | toProcess=binariesSet | ||
89 | while len(toProcess)!=0: | ||
90 | additional=set() | ||
91 | for sh in toProcess: | ||
92 | for bD in binDirs: | ||
93 | p=bD+os.path.sep+sh | ||
94 | if os.path.exists(p): | ||
95 | if os.path.islink(p): | ||
96 | m[sh]=os.readlink(p) | ||
97 | additional.add(m[sh].split(" ")[0]) | ||
98 | else: | ||
99 | pass | ||
100 | break | ||
101 | toProcess=additional | ||
102 | return m | ||
103 | |||
104 | def doTheFixes(profilesPath, binDirs): | ||
105 | """ | ||
106 | Fixes private-bin in .profiles for firejail. The pipeline is as follows: | ||
107 | discover files -> discover mentioned binaries -> | ||
108 | discover the ones which are symlinks -> | ||
109 | make a look-up table for fix -> | ||
110 | filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) -> | ||
111 | apply fix | ||
112 | """ | ||
113 | files=glob.glob(profilesPath+os.path.sep+"*.profile") | ||
114 | bins=createSetOfBinaries(files) | ||
115 | #print("The binaries used are:") | ||
116 | #print(bins) | ||
117 | stbl=createSymlinkTable(binDirs,bins) | ||
118 | print("The replacement table is:") | ||
119 | print(stbl) | ||
120 | stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0} | ||
121 | print("Filtered replacement table is:") | ||
122 | print(stbl) | ||
123 | fixSymlinkedBins(files,stbl) | ||
124 | |||
125 | def printHelp(): | ||
126 | print("python3 "+os.path.basename(__file__)+" <dir with .profile files>\nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__) | ||
127 | |||
128 | def main(): | ||
129 | """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" | ||
130 | print(repr(sys.argv)) | ||
131 | defaultProfilesPath="../etc" | ||
132 | if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ): | ||
133 | printHelp() | ||
134 | exit(1) | ||
135 | |||
136 | profilesPath=None | ||
137 | if len(sys.argv)==2: | ||
138 | if os.path.isdir(sys.argv[1]): | ||
139 | profilesPath=os.path.abspath(sys.argv[1]) | ||
140 | else: | ||
141 | if os.path.exists(sys.argv[1]): | ||
142 | print(sys.argv[1]+" is not a dir") | ||
143 | else: | ||
144 | print(sys.argv[1]+" does not exist") | ||
145 | printHelp() | ||
146 | exit(1) | ||
147 | else: | ||
148 | print("Using default profiles dir: " + defaultProfilesPath) | ||
149 | profilesPath=defaultProfilesPath | ||
150 | |||
151 | binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] | ||
152 | print("Binaries dirs are:") | ||
153 | print(binDirs) | ||
154 | doTheFixes(profilesPath, binDirs) | ||
155 | |||
156 | if __name__ == "__main__": | ||
157 | main() | ||
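Review bot: `printHelp()` reads `defaultProfilesPath`, but that name is only assigned as a local inside `main()`, so every help and usage-error path raises `NameError` instead of printing the usage text; moving the assignment to module level, `defaultProfilesPath = "../etc"` next to `privRx`, fixes it. Separately, `fixSymlinkedBins` builds `re.compile("\\b"+old+"\\b")` from binary names without escaping, so a name containing a regex metacharacter (a dot, a `+`) matches more than the literal name; `re.compile(r"\b" + re.escape(old) + r"\b")` keeps the match literal. The non-raw pattern `"^(?:#\s*)?private-bin"` also triggers an invalid-escape warning on newer Python; `r"^(?:#\s*)?private-bin"` avoids it.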
diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py deleted file mode 100644 index 705e46e46..000000000 --- a/contrib/fix_private-bin_for_symlinked_sh.py +++ /dev/null | |||
@@ -1,68 +0,0 @@ | |||
1 | #!/usr/bin/python3 | ||
2 | |||
3 | import sys, os, glob, re | ||
4 | |||
5 | privRx=re.compile("^(?:#\s*)?private-bin") | ||
6 | |||
7 | def fixSymlinkedBins(files, replMap): | ||
8 | rxs=dict() | ||
9 | for (old,new) in replMap.items(): | ||
10 | rxs[old]=re.compile("\\b"+old+"\\b") | ||
11 | rxs[new]=re.compile("\\b"+new+"\\b") | ||
12 | print(rxs) | ||
13 | |||
14 | for filename in files: | ||
15 | lines=None | ||
16 | with open(filename,"r") as file: | ||
17 | lines=file.readlines() | ||
18 | |||
19 | shouldUpdate=False | ||
20 | for (i,line) in enumerate(lines): | ||
21 | if privRx.search(line): | ||
22 | for (old,new) in replMap.items(): | ||
23 | if rxs[old].search(line) and not rxs[new].search(line): | ||
24 | lines[i]=rxs[old].sub(old+","+new, line) | ||
25 | shouldUpdate=True | ||
26 | print(lines[i]) | ||
27 | |||
28 | if shouldUpdate: | ||
29 | with open(filename,"w") as file: | ||
30 | file.writelines(lines) | ||
31 | pass | ||
32 | |||
33 | def createListOfBinaries(files): | ||
34 | s=set() | ||
35 | for filename in files: | ||
36 | lines=None | ||
37 | with open(filename,"r") as file: | ||
38 | for line in file: | ||
39 | if privRx.search(line): | ||
40 | bins=line.split(",") | ||
41 | bins[0]=bins[0].split(" ")[-1] | ||
42 | bins = [n.strip() for n in bins] | ||
43 | s=s|set(bins) | ||
44 | return s | ||
45 | |||
46 | def createSymlinkTable(binDirs, binariesSet): | ||
47 | m=dict() | ||
48 | for sh in binariesSet: | ||
49 | for bD in binDirs: | ||
50 | p=bD+os.path.sep+sh | ||
51 | if os.path.exists(p): | ||
52 | if os.path.islink(p): | ||
53 | m[sh]=os.readlink(p) | ||
54 | else: | ||
55 | pass | ||
56 | break | ||
57 | return m | ||
58 | |||
59 | |||
60 | sh="sh" | ||
61 | binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] | ||
62 | profilesPath="." | ||
63 | files=glob.glob(profilesPath+os.path.sep+"*.profile") | ||
64 | |||
65 | bins=createListOfBinaries(files) | ||
66 | stbl=createSymlinkTable(binDirs,bins) | ||
67 | print(stbl) | ||
68 | fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0}) | ||
diff --git a/contrib/fjclip.py b/contrib/fjclip.py new file mode 100755 index 000000000..cd12cd289 --- /dev/null +++ b/contrib/fjclip.py | |||
@@ -0,0 +1,35 @@ | |||
1 | #!/usr/bin/env python | ||
2 | |||
3 | import re | ||
4 | import sys | ||
5 | import subprocess | ||
6 | import fjdisplay | ||
7 | |||
8 | usage = """fjclip.py src dest. src or dest can be named firejails or - for stdin or stdout. | ||
9 | firemon --x11 to see available running x11 firejails. firejail names can be shortened | ||
10 | to least ambiguous. for example 'work-libreoffice' can be shortened to 'work' if no | ||
11 | other firejails name starts with 'work'. | ||
12 | warning: browsers are dangerous. clipboards from browsers are dangerous. see | ||
13 | https://github.com/dxa4481/Pastejacking | ||
14 | fjclip.py strips whitespace from both | ||
15 | ends, but does nothing else to protect you. use a simple gui text editor like | ||
16 | gedit if you want to see what your pasting.""" | ||
17 | |||
18 | if len(sys.argv) != 3 or sys.argv == '-h' or sys.argv == '--help': | ||
19 | print(usage) | ||
20 | exit(1) | ||
21 | |||
22 | if sys.argv[1] == '-': | ||
23 | clipin_raw = sys.stdin.read() | ||
24 | else: | ||
25 | display = fjdisplay.getdisplay(sys.argv[1]) | ||
26 | clipin_raw = subprocess.check_output(['xsel','-b','--display',display]) | ||
27 | |||
28 | clipin = clipin_raw.strip() | ||
29 | |||
30 | if sys.argv[2] == '-': | ||
31 | print(clipin) | ||
32 | else: | ||
33 | display = fjdisplay.getdisplay(sys.argv[2]) | ||
34 | clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE) | ||
35 | clipout.communicate(clipin) \ No newline at end of file | ||
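Review bot: `sys.argv == '-h' or sys.argv == '--help'` compares the whole argument list with a string and is always false, so the help flags are never recognised; the intended test is `sys.argv[1] in ('-h', '--help')`, evaluated only after the length check. Under Python 3 `subprocess.check_output` returns bytes while the `-` branch reads str from stdin, so `clipin_raw.strip()` and `print(clipin)` behave differently depending on the source; decoding the xsel output with a known encoding (or `universal_newlines=True`) would make both branches consistent, and the `#!/usr/bin/env python` shebang leaves the interpreter version ambiguous.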
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py new file mode 100755 index 000000000..0e0ef01ec --- /dev/null +++ b/contrib/fjdisplay.py | |||
@@ -0,0 +1,43 @@ | |||
1 | #!/usr/bin/env python | ||
2 | |||
3 | import re | ||
4 | import sys | ||
5 | import subprocess | ||
6 | |||
7 | usage = """fjdisplay.py name-of-firejail | ||
8 | returns the display in the form of ':NNN' | ||
9 | """ | ||
10 | |||
11 | def getfirejails(): | ||
12 | output = subprocess.check_output(['firemon','--x11']) | ||
13 | firejails = {} | ||
14 | name = '' | ||
15 | for line in output.split('\n'): | ||
16 | namematch = re.search('--name=(\w+\S*)',line) | ||
17 | if namematch: | ||
18 | name = namematch.group(1) | ||
19 | displaymatch = re.search('DISPLAY (:\d+)',line) | ||
20 | if displaymatch: | ||
21 | firejails[name] = displaymatch.group(1) | ||
22 | return firejails | ||
23 | |||
24 | def getdisplay(name): | ||
25 | firejails = getfirejails() | ||
26 | fjlist = '\n'.join(firejails.keys()) | ||
27 | namere = re.compile('^'+name+'.*', re.MULTILINE) | ||
28 | matchingjails = namere.findall(fjlist) | ||
29 | if len(matchingjails) == 1: | ||
30 | return firejails[matchingjails[0]] | ||
31 | if len(matchingjails) == 0: | ||
32 | raise NameError("firejail {} does not exist".format(name)) | ||
33 | else: | ||
34 | raise NameError("ambiguous firejail name") | ||
35 | |||
36 | if __name__ == '__main__': | ||
37 | if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2: | ||
38 | print(usage) | ||
39 | exit() | ||
40 | if len(sys.argv) == 1: | ||
41 | print(getfirejails()) | ||
42 | if len(sys.argv) == 2: | ||
43 | print (getdisplay(sys.argv[1])) \ No newline at end of file | ||
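Review bot: `getdisplay` interpolates the user-supplied `name` into a regular expression without `re.escape`, so a name containing a dot or `+` matches jails it should not; prefix matching does not need a regex at all, and `matchingjails = [n for n in firejails if n.startswith(name)]` replaces the `fjlist`, `namere` and `findall` lines. `getfirejails` splits `output` on `'\n'`, which fails under Python 3 where `check_output` returns bytes; `output.decode().split('\n')` (or `universal_newlines=True`) handles both interpreters. The `--name=(\w+\S*)` and `DISPLAY (:\d+)` patterns should be raw strings to avoid invalid-escape warnings.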
diff --git a/contrib/fjresize.py b/contrib/fjresize.py new file mode 100755 index 000000000..52b289159 --- /dev/null +++ b/contrib/fjresize.py | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/usr/bin/env python | ||
2 | |||
3 | import sys | ||
4 | import fjdisplay | ||
5 | import subprocess | ||
6 | |||
7 | usage = """usage: fjresize.py firejail-name displaysize | ||
8 | resize firejail xephyr windows. | ||
9 | fjdisplay.py with no other arguments will list running named firejails with displays. | ||
10 | fjresize.py with only a firejail name will list valid resolutions. | ||
11 | names can be shortend as long its unambiguous. | ||
12 | note: you may need to move the xephyr window for the resize to take effect | ||
13 | example: | ||
14 | fjresize.py browser 1280x800 | ||
15 | """ | ||
16 | |||
17 | |||
18 | if len(sys.argv) == 2: | ||
19 | out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])]) | ||
20 | print(out) | ||
21 | elif len(sys.argv) == 3: | ||
22 | out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]]) | ||
23 | print(out) | ||
24 | else: | ||
25 | print(usage) \ No newline at end of file | ||
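Review bot: A jail name that `fjdisplay.getdisplay` cannot resolve raises `NameError` (see fjdisplay.py in this commit), which here escapes as a traceback rather than the usage text, and `-h`/`--help` is not recognised at all — it is handed to `getdisplay` as a jail name. Checking the help flags before the length dispatch, and wrapping the two `check_output` calls in `try: ... except NameError as e: print(e); print(usage); sys.exit(1)`, would give the same behaviour as fjclip.py and fjdisplay.py.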
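--- /dev/null
+++ b/contrib/update_deb.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. For
+# Debian-based distros only (Ubuntu, Mint, etc).
+set -e
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --prefix=/usr
+make deb
+sudo dpkg -i firejail*.deb
+echo "Firejail was updated!"
+cd ..
+rm -rf firejail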
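Review bot: The script builds and installs as root whatever the default branch currently points at: the clone is unpinned (no `--branch <release-tag>`, placeholder) and nothing checks a tag signature or checksum before `sudo dpkg -i`, so an in-progress or tampered upstream tree is installed unreviewed; cloning a release tag narrows this to a known revision. Because of `set -e`, a failing `configure`, `make deb` or `dpkg` also leaves the `firejail` checkout behind and the next run fails at `git clone`; setting `trap 'rm -rf firejail' EXIT` before the clone, and running the build in a subshell `(cd firejail && ./configure --prefix=/usr && make deb && sudo dpkg -i firejail*.deb)`, performs the cleanup on every exit path.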
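--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/0ad.local
+
 # Firejail profile for 0ad.
 noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad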
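Review bot: The new `include /etc/firejail/0ad.local` is unconditional, yet the header says nothing about whether the `.local` file must exist; if the profile parser rejects a missing include target, every installation that has not created a customization file would fail to load this profile, so either the parser tolerates an absent `.local` (worth confirming against the parser change, which is not in this chunk) or the install step must ship an empty one. Once confirmed, a line such as `# The .local file is optional and is read only when present.` records the contract for the next reader. The same header block is added to every other `etc/*.profile` section in this commit.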
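--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/7z.local
+
 # 7zip crompression tool profile
 quiet
 ignore noroot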
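--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,8 @@
-# Firejail profile for
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cryptocat.local
+
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc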
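--- a/etc/Cyberfox.profile
+++ b/etc/Cyberfox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cyberfox.local
+
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 
 include /etc/firejail/cyberfox.profile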
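--- /dev/null
+++ b/etc/FossaMail.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/FossaMail.local
+
+# Firejail profile for FossaMail
+include /etc/firejail/fossamail.profile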
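--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Mathematica.local
+
 # Mathematica profile
 noblacklist ${HOME}/.Mathematica
 noblacklist ${HOME}/.Wolfram Research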
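--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Telegram.local
+
 # Telegram IRC profile
 include /etc/firejail/telegram.profile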
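--- /dev/null
+++ b/etc/Thunar.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Thunar.local
+
+# Firejail profile for thunar
+noblacklist ~/.config/Thunar
+noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog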
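Review bot: Thunar.profile carries a full profile, whereas every other capitalised profile in this commit (Cyberfox, FossaMail, Telegram, VirtualBox, Wire) is a thin wrapper that includes the lowercase `*.profile`; if a `thunar.profile` exists or is meant to exist, this file should follow the same pattern so there is a single place to maintain the rules. If this file is intentionally the canonical profile, a comment such as `# Canonical profile; there is no separate thunar.profile.` would stop the next contributor from adding a duplicate.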
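--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -1 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/VirtualBox.local
+
 include /etc/firejail/virtualbox.profile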
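--- a/etc/Wire.profile
+++ b/etc/Wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Wire.local
+
 # wire messenger profile
 
 include /etc/firejail/wire.profile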
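--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/abrowser.local
+
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc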
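Review bot: `noblacklist ~/.pki` widens what the sandboxed browser can read and write — presumably the NSS shared certificate and key database under `~/.pki/nssdb`, which can hold client certificates and their private keys — but the hunk gives no reason, so a reader tuning the profile cannot tell whether the line is required (client-certificate authentication) or incidental. A comment such as `# ~/.pki: NSS shared cert/key store; needed for client certificates` makes the exposure deliberate and reviewable. The same line is added to etc/chromium.profile in this commit.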
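--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/amarok.local
+
 # amarok profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc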
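--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ark.local
+
 # ark profile
 noblacklist ~/.config/arkrc
 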
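--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom-beta.local
+
 # Firejail profile for Atom Beta.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom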
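--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom.local
+
 # Firejail profile for Atom.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom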
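--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atool.local
+
 # atool profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc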
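--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atril.local
+
 # Atril profile
 noblacklist ~/.config/atril
 noblacklist ~/.local/share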
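--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,4 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacious.local
+
 # Audacious media player profile
+noblacklist ~/.config/audacious
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc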
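--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacity.local
+
 # Audacity profile
 noblacklist ~/.audacity-data
 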
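--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/aweather.local
+
 # Firejail profile for aweather.
 noblacklist ~/.config/aweather
 include /etc/firejail/disable-common.inc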
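--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bitlbee.local
+
 # BitlBee instant messaging profile
 noblacklist /sbin
 noblacklist /usr/sbin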
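--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bleachbit.local
+
 # bleachbit profile
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-programs.inc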
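--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bless.local
+
 #
 #Profile for bless
 #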
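--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brasero.local
+
 # brasero profile
 noblacklist ~/.config/brasero
 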
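--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brave.local
+
 # Profile for Brave browser
 noblacklist ~/.config/brave
 include /etc/firejail/disable-common.inc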
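--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cherrytree.local
+
 # cherrytree note taking application
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*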
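--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium-browser.local
+
 # Chromium browser profile
 include /etc/firejail/chromium.profile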
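--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium.local
+
 # Chromium browser profile
 noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 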
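--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/claws-mail.local
+
 # claws-mail profile
 noblacklist ~/.claws-mail
 noblacklist ~/.signature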
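--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/clementine.local
+
 # Clementine media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc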
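--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cmus.local
+
 # cmus profile
 noblacklist ${HOME}/.config/cmus
 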
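--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/conkeror.local
+
 # Firejail profile for Conkeror web browser profile
 noblacklist ${HOME}/.conkeror.mozdev.org
 include /etc/firejail/disable-common.inc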
diff --git a/etc/corebird.profile b/etc/corebird.profile index 6fb8219e8..a6514af5a 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/corebird.local | ||
4 | |||
1 | # Firejail corebird profile | 5 | # Firejail corebird profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/cpio.profile b/etc/cpio.profile index cf89acdac..d4b0e6d2d 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/cpio.local | ||
4 | |||
1 | # cpio profile | 5 | # cpio profile |
2 | # /sbin and /usr/sbin are visible inside the sandbox | 6 | # /sbin and /usr/sbin are visible inside the sandbox |
3 | # /boot is not visible and /var is heavily modified | 7 | # /boot is not visible and /var is heavily modified |
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile index 0d392b272..ea5c5c69b 100644 --- a/etc/cryptocat.profile +++ b/etc/cryptocat.profile | |||
@@ -1 +1,5 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/cryptocat.local | ||
4 | |||
1 | include /etc/Cryptocat.profile | 5 | include /etc/Cryptocat.profile |
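Review bot: The only directive in this profile, `include /etc/Cryptocat.profile` (kept unchanged at new line 5), points at /etc rather than /etc/firejail, unlike every other include in this series; unless Cryptocat.profile really is installed there, the include either aborts or contributes nothing, depending on how the parser treats a missing file, and the sandbox is not what the profile name promises. It should read `include /etc/firejail/Cryptocat.profile`. Note also that `cryptocat.local` is included before that line, so anything a user sets there is subject to whatever Cryptocat.profile applies afterwards.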
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index f722915f0..3dffe187c 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/cyberfox.local | ||
4 | |||
1 | # Firejail profile for Cyberfox (based on Mozilla Firefox) | 5 | # Firejail profile for Cyberfox (based on Mozilla Firefox) |
2 | noblacklist ~/.8pecxstudios | 6 | noblacklist ~/.8pecxstudios |
3 | noblacklist ~/.cache/8pecxstudios | 7 | noblacklist ~/.cache/8pecxstudios |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 04abd0a92..603d6345c 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/deadbeef.local | ||
4 | |||
1 | # DeaDBeeF media player profile | 5 | # DeaDBeeF media player profile |
2 | noblacklist ${HOME}/.config/deadbeef | 6 | noblacklist ${HOME}/.config/deadbeef |
3 | 7 | ||
diff --git a/etc/default.profile b/etc/default.profile index 603321316..66b04896f 100644 --- a/etc/default.profile +++ b/etc/default.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/default.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # Generic GUI application profile | 6 | # Generic GUI application profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/deluge.profile b/etc/deluge.profile index c6ddec3ec..7b4a49db5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/deluge.local | ||
4 | |||
1 | # deluge bittorrernt client profile | 5 | # deluge bittorrernt client profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/dillo.profile b/etc/dillo.profile index 108787920..f8a3e5252 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dillo.local | ||
4 | |||
1 | # Firejail profile for Dillo web browser | 5 | # Firejail profile for Dillo web browser |
2 | noblacklist ~/.dillo | 6 | noblacklist ~/.dillo |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 22f54604a..79732b197 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/disable-common.local | ||
4 | |||
1 | # History files in $HOME | 5 | # History files in $HOME |
2 | blacklist-nolog ${HOME}/.history | 6 | blacklist-nolog ${HOME}/.history |
3 | blacklist-nolog ${HOME}/.*_history | 7 | blacklist-nolog ${HOME}/.*_history |
@@ -72,12 +76,9 @@ blacklist /etc/profile.d | |||
72 | blacklist /etc/rc.local | 76 | blacklist /etc/rc.local |
73 | blacklist /etc/anacrontab | 77 | blacklist /etc/anacrontab |
74 | 78 | ||
75 | # General startup files | 79 | # Startup files |
76 | read-only ${HOME}/.xinitrc | 80 | read-only ${HOME}/.xinitrc |
77 | read-only ${HOME}/.xserverrc | 81 | read-only ${HOME}/.xserverrc |
78 | read-only ${HOME}/.profile | ||
79 | |||
80 | # Shell startup files | ||
81 | read-only ${HOME}/.antigen | 82 | read-only ${HOME}/.antigen |
82 | read-only ${HOME}/.bash_login | 83 | read-only ${HOME}/.bash_login |
83 | read-only ${HOME}/.bashrc | 84 | read-only ${HOME}/.bashrc |
@@ -96,12 +97,21 @@ read-only ${HOME}/.tcshrc | |||
96 | read-only ${HOME}/.cshrc | 97 | read-only ${HOME}/.cshrc |
97 | read-only ${HOME}/.csh_files | 98 | read-only ${HOME}/.csh_files |
98 | read-only ${HOME}/.profile | 99 | read-only ${HOME}/.profile |
100 | read-only ${HOME}/.forward | ||
101 | read-only ${HOME}/.login | ||
102 | read-only ${HOME}/.logout | ||
103 | read-only ${HOME}/.pgpkey | ||
104 | read-only ${HOME}/.plan | ||
105 | read-only ${HOME}/.project | ||
99 | 106 | ||
100 | # Initialization files that allow arbitrary command execution | 107 | # Initialization files that allow arbitrary command execution |
101 | read-only ${HOME}/.caffrc | 108 | read-only ${HOME}/.caffrc |
102 | read-only ${HOME}/.dotfiles | 109 | read-only ${HOME}/.dotfiles |
103 | read-only ${HOME}/dotfiles | 110 | read-only ${HOME}/dotfiles |
104 | read-only ${HOME}/.mailcap | 111 | read-only ${HOME}/.mailcap |
112 | read-only ${HOME}/.muttrc | ||
113 | read-only ${HOME}/.mutt/muttrc | ||
114 | read-only ${HOME}/.msmtprc | ||
105 | read-only ${HOME}/.exrc | 115 | read-only ${HOME}/.exrc |
106 | read-only ${HOME}/_exrc | 116 | read-only ${HOME}/_exrc |
107 | read-only ${HOME}/.vimrc | 117 | read-only ${HOME}/.vimrc |
@@ -118,8 +128,16 @@ read-only ${HOME}/.reportbugrc | |||
118 | read-only ${HOME}/.xmonad | 128 | read-only ${HOME}/.xmonad |
119 | read-only ${HOME}/.xscreensaver | 129 | read-only ${HOME}/.xscreensaver |
120 | 130 | ||
121 | # The user ~/bin directory can override commands such as ls | 131 | # Make directories commonly found in $PATH read-only |
122 | read-only ${HOME}/bin | 132 | read-only ${HOME}/bin |
133 | read-only ${HOME}/.gem | ||
134 | read-only ${HOME}/.luarocks | ||
135 | read-only ${HOME}/.npm-packages | ||
136 | |||
137 | # Make the contents of ~/.local read-only, | ||
138 | # except the commonly-used ~/.local/share | ||
139 | read-only ${HOME}/.local | ||
140 | read-write ${HOME}/.local/share | ||
123 | 141 | ||
124 | # top secret | 142 | # top secret |
125 | blacklist ${HOME}/.ecryptfs | 143 | blacklist ${HOME}/.ecryptfs |
@@ -197,6 +215,8 @@ blacklist /usr/lib64/virtualbox | |||
197 | 215 | ||
198 | # prevent lxterminal connecting to an existing lxterminal session | 216 | # prevent lxterminal connecting to an existing lxterminal session |
199 | blacklist /tmp/.lxterminal-socket* | 217 | blacklist /tmp/.lxterminal-socket* |
218 | # prevent tmux connecting to an existing session | ||
219 | blacklist /tmp/tmux-* | ||
200 | 220 | ||
201 | # disable terminals running as server resulting in sandbox escape | 221 | # disable terminals running as server resulting in sandbox escape |
202 | blacklist ${PATH}/gnome-terminal | 222 | blacklist ${PATH}/gnome-terminal |
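Review bot: `read-write ${HOME}/.local/share` (new line 140) hands back write access to launcher directories that the surrounding block is trying to pin down: `~/.local/share/applications` holds `.desktop` files whose `Exec=` line runs on the next launch from the desktop menu, and paths such as `~/.local/share/nautilus/scripts` are similar code-loading locations. Unless they are already covered elsewhere in this file, follow the read-write line with `read-only ${HOME}/.local/share/applications` (and the other launcher paths as appropriate) so the exception re-opens data only. Separately, `blacklist /tmp/tmux-*` (new line 219) only closes the default socket directory; tmux honours `TMUX_TMPDIR` and `-S`, and GNU screen keeps its sockets under `/run/screen/S-*`, so the comment should state that limit, and a companion `blacklist /run/screen` is worth considering. The `.forward` entry added at new line 100 is also a command-execution vector (a `"|command"` line is piped by the MDA), so it belongs with the "Initialization files that allow arbitrary command execution" group rather than under "Startup files".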
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 2ac367f37..24c739b5b 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/disable-devel.local | ||
4 | |||
1 | # development tools | 5 | # development tools |
2 | 6 | ||
3 | # GCC | 7 | # GCC |
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 8f8aa1c2c..c4112d4d5 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/disable-passwdmgr.local | ||
4 | |||
1 | blacklist ${HOME}/.pki/nssdb | 5 | blacklist ${HOME}/.pki/nssdb |
2 | blacklist ${HOME}/.lastpass | 6 | blacklist ${HOME}/.lastpass |
3 | blacklist ${HOME}/.keepassx | 7 | blacklist ${HOME}/.keepassx |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 69f0a2e1b..c59285e85 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/disable-programs.local | ||
4 | |||
1 | blacklist ${HOME}/.*coin | 5 | blacklist ${HOME}/.*coin |
2 | blacklist ${HOME}/.8pecxstudios | 6 | blacklist ${HOME}/.8pecxstudios |
3 | blacklist ${HOME}/.Atom | 7 | blacklist ${HOME}/.Atom |
@@ -66,12 +70,14 @@ blacklist ${HOME}/.config/Mumble | |||
66 | blacklist ${HOME}/.config/QuiteRss | 70 | blacklist ${HOME}/.config/QuiteRss |
67 | blacklist ${HOME}/.config/QuiteRssrc | 71 | blacklist ${HOME}/.config/QuiteRssrc |
68 | blacklist ${HOME}/.config/Slack | 72 | blacklist ${HOME}/.config/Slack |
73 | blacklist ${HOME}/.config/Thunar | ||
69 | blacklist ${HOME}/.config/VirtualBox | 74 | blacklist ${HOME}/.config/VirtualBox |
70 | blacklist ${HOME}/.config/Wire | 75 | blacklist ${HOME}/.config/Wire |
71 | blacklist ${HOME}/.config/ardour4 | 76 | blacklist ${HOME}/.config/ardour4 |
72 | blacklist ${HOME}/.config/ardour5 | 77 | blacklist ${HOME}/.config/ardour5 |
73 | blacklist ${HOME}/.config/arkrc | 78 | blacklist ${HOME}/.config/arkrc |
74 | blacklist ${HOME}/.config/atril | 79 | blacklist ${HOME}/.config/atril |
80 | blacklist ${HOME}/.config/audacious | ||
75 | blacklist ${HOME}/.config/autostart | 81 | blacklist ${HOME}/.config/autostart |
76 | blacklist ${HOME}/.config/autostart/dropbox.desktop | 82 | blacklist ${HOME}/.config/autostart/dropbox.desktop |
77 | blacklist ${HOME}/.config/aweather | 83 | blacklist ${HOME}/.config/aweather |
@@ -145,6 +151,7 @@ blacklist ${HOME}/.config/wireshark | |||
145 | blacklist ${HOME}/.config/xchat | 151 | blacklist ${HOME}/.config/xchat |
146 | blacklist ${HOME}/.config/xed | 152 | blacklist ${HOME}/.config/xed |
147 | blacklist ${HOME}/.config/xfburn | 153 | blacklist ${HOME}/.config/xfburn |
154 | blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | ||
148 | blacklist ${HOME}/.config/xplayer | 155 | blacklist ${HOME}/.config/xplayer |
149 | blacklist ${HOME}/.config/xreader | 156 | blacklist ${HOME}/.config/xreader |
150 | blacklist ${HOME}/.config/xviewer | 157 | blacklist ${HOME}/.config/xviewer |
@@ -278,3 +285,5 @@ blacklist ${HOME}/.xpdfrc | |||
278 | blacklist ${HOME}/.zoom | 285 | blacklist ${HOME}/.zoom |
279 | blacklist ${HOME}/wallet.dat | 286 | blacklist ${HOME}/wallet.dat |
280 | blacklist /tmp/ssh-* | 287 | blacklist /tmp/ssh-* |
288 | blacklist ${HOME}/.kinorc | ||
289 | blacklist ${HOME}/.kino-history | ||
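Review bot: The two kino entries (new lines 288-289) are appended after `blacklist /tmp/ssh-*` at the very end, whereas the rest of this list is kept in path order and the Thunar and audacious additions in the earlier hunks were slotted in alphabetically. Move `blacklist ${HOME}/.kinorc` and `blacklist ${HOME}/.kino-history` up next to the other `${HOME}/.k*` entries so that duplicates are spotted on the next addition. The `/tmp/ssh-*` line they now follow is the only non-$HOME entry visible, so keeping it last preserves the existing grouping.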
diff --git a/etc/display.profile b/etc/display.profile index ec041bff7..83fbc965a 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/display.local | ||
4 | |||
1 | # display (ImageMagick tool) image viewer profile | 5 | # display (ImageMagick tool) image viewer profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 926b8bfcc..c69707181 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dnscrypt-proxy.local | ||
4 | |||
1 | # security profile for dnscrypt-proxy | 5 | # security profile for dnscrypt-proxy |
2 | noblacklist /sbin | 6 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 7 | noblacklist /usr/sbin |
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 3bd43f144..0af4a3f62 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dnsmasq.local | ||
4 | |||
1 | # dnsmasq profile | 5 | # dnsmasq profile |
2 | noblacklist /sbin | 6 | noblacklist /sbin |
3 | noblacklist /usr/sbin | 7 | noblacklist /usr/sbin |
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 09a86f811..2b7919083 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dolphin.local | ||
4 | |||
1 | # dolphin profile | 5 | # dolphin profile |
2 | 6 | ||
3 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | 7 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 |
diff --git a/etc/dosbox.profile b/etc/dosbox.profile index 45fbb712a..3ef6931fc 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dosbox.local | ||
4 | |||
1 | # Firejail profile for dosbox | 5 | # Firejail profile for dosbox |
2 | noblacklist ~/.dosbox | 6 | noblacklist ~/.dosbox |
3 | 7 | ||
diff --git a/etc/dragon.profile b/etc/dragon.profile index 09cb73802..b6228fd41 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dragon.local | ||
4 | |||
1 | # dragon player profile | 5 | # dragon player profile |
2 | noblacklist ~/.config/dragonplayerrc | 6 | noblacklist ~/.config/dragonplayerrc |
3 | 7 | ||
diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 40efd62b2..b58fa0ed1 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/dropbox.local | ||
4 | |||
1 | # dropbox profile | 5 | # dropbox profile |
2 | noblacklist ~/.config/autostart | 6 | noblacklist ~/.config/autostart |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/elinks.profile b/etc/elinks.profile index ade15f203..1fad33d54 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/elinks.local | ||
4 | |||
1 | # elinks profile | 5 | # elinks profile |
2 | noblacklist ~/.elinks | 6 | noblacklist ~/.elinks |
3 | 7 | ||
diff --git a/etc/emacs.profile b/etc/emacs.profile index 2b9c5805c..21767402f 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/emacs.local | ||
4 | |||
1 | # emacs profile | 5 | # emacs profile |
2 | noblacklist ~/.emacs | 6 | noblacklist ~/.emacs |
3 | noblacklist ~/.emacs.d | 7 | noblacklist ~/.emacs.d |
diff --git a/etc/empathy.profile b/etc/empathy.profile index 2a0a6389c..4cf90908f 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/empathy.local | ||
4 | |||
1 | # Empathy instant messaging profile | 5 | # Empathy instant messaging profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/enchant.profile b/etc/enchant.profile index cf8288919..8b1995a95 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/enchant.local | ||
4 | |||
1 | # enchant profile | 5 | # enchant profile |
2 | noblacklist ~/.config/enchant | 6 | noblacklist ~/.config/enchant |
3 | 7 | ||
diff --git a/etc/eog.profile b/etc/eog.profile index d463f3a97..c5afec7fa 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/eog.local | ||
4 | |||
1 | # eog (gnome image viewer) profile | 5 | # eog (gnome image viewer) profile |
2 | noblacklist ~/.config/eog | 6 | noblacklist ~/.config/eog |
3 | 7 | ||
diff --git a/etc/eom.profile b/etc/eom.profile index dfcea82c1..a7e10ba9e 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/eom.local | ||
4 | |||
1 | # Firejail profile for Eye of Mate (eom) | 5 | # Firejail profile for Eye of Mate (eom) |
2 | noblacklist ~/.config/mate/eom | 6 | noblacklist ~/.config/mate/eom |
3 | 7 | ||
diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 0e898f02b..1bf259440 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/epiphany.local | ||
4 | |||
1 | # Epiphany browser profile | 5 | # Epiphany browser profile |
2 | noblacklist ${HOME}/.config/epiphany | 6 | noblacklist ${HOME}/.config/epiphany |
3 | noblacklist ${HOME}/.cache/epiphany | 7 | noblacklist ${HOME}/.cache/epiphany |
diff --git a/etc/evince.profile b/etc/evince.profile index 1ec384947..94cefdd8b 100644 --- a/etc/evince.profile +++ b/etc/evince.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/evince.local | ||
4 | |||
1 | # evince pdf reader profile | 5 | # evince pdf reader profile |
2 | noblacklist ~/.config/evince | 6 | noblacklist ~/.config/evince |
3 | 7 | ||
diff --git a/etc/evolution.profile b/etc/evolution.profile index ab6dd7a4a..cb6615716 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/evolution.local | ||
4 | |||
1 | # evolution profile | 5 | # evolution profile |
2 | noblacklist ~/.config/evolution | 6 | noblacklist ~/.config/evolution |
3 | noblacklist ~/.local/share/evolution | 7 | noblacklist ~/.local/share/evolution |
@@ -6,6 +10,9 @@ noblacklist ~/.pki | |||
6 | noblacklist ~/.pki/nssdb | 10 | noblacklist ~/.pki/nssdb |
7 | noblacklist ~/.gnupg | 11 | noblacklist ~/.gnupg |
8 | 12 | ||
13 | noblacklist /var/spool/mail | ||
14 | noblacklist /var/mail | ||
15 | |||
9 | include /etc/firejail/disable-common.inc | 16 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-programs.inc | 17 | include /etc/firejail/disable-programs.inc |
11 | include /etc/firejail/disable-devel.inc | 18 | include /etc/firejail/disable-devel.inc |
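Review bot: The two new `noblacklist` lines for the mail spool (new lines 13-14) carry no comment on why both paths are listed; on most distributions one of `/var/mail` and `/var/spool/mail` is a symlink to the other, and the blacklist/noblacklist matching works on the path as written, so both spellings have to be lifted. Add `# mbox spool; /var/mail is usually a symlink to /var/spool/mail (or vice versa), so lift both` above them. This only removes a blacklist presumably set by one of the includes below; it grants nothing beyond the normal file permissions on the spool, which is worth saying since the profile otherwise exposes only per-user data.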
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 1cae8c093..356735421 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/exiftool.local | ||
4 | |||
1 | # exiftool profile | 5 | # exiftool profile |
2 | noblacklist /usr/bin/perl | 6 | noblacklist /usr/bin/perl |
3 | noblacklist /usr/share/perl* | 7 | noblacklist /usr/share/perl* |
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index ec098d5fe..77bf89f35 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/fbreader.local | ||
4 | |||
1 | # fbreader ebook reader profile | 5 | # fbreader ebook reader profile |
2 | noblacklist ${HOME}/.FBReader | 6 | noblacklist ${HOME}/.FBReader |
3 | 7 | ||
diff --git a/etc/feh.profile b/etc/feh.profile index 2812effc9..e00b6a821 100644 --- a/etc/feh.profile +++ b/etc/feh.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/feh.local | ||
4 | |||
1 | # feh image viewer profile | 5 | # feh image viewer profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 6116389db..804d20ce1 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/file-roller.local | ||
4 | |||
1 | # file-roller profile | 5 | # file-roller profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/file.profile b/etc/file.profile index d145fe12a..2f972212e 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/file.local | ||
4 | |||
1 | # file profile | 5 | # file profile |
2 | quiet | 6 | quiet |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index a40fceec1..5f2636bf5 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/filezilla.local | ||
4 | |||
1 | # FileZilla ftp profile | 5 | # FileZilla ftp profile |
2 | noblacklist ${HOME}/.filezilla | 6 | noblacklist ${HOME}/.filezilla |
3 | noblacklist ${HOME}/.config/filezilla | 7 | noblacklist ${HOME}/.config/filezilla |
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index d2fde9a3f..753f64526 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/firefox-esr.local | ||
4 | |||
1 | # Firejail profile for Mozilla Firefox ESR | 5 | # Firejail profile for Mozilla Firefox ESR |
2 | include /etc/firejail/firefox.profile | 6 | include /etc/firejail/firefox.profile |
diff --git a/etc/firefox.profile b/etc/firefox.profile index c3a9b2a62..5f891ea3c 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -1,9 +1,14 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/firefox.local | ||
4 | |||
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 5 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
2 | noblacklist ~/.mozilla | 6 | noblacklist ~/.mozilla |
3 | noblacklist ~/.cache/mozilla | 7 | noblacklist ~/.cache/mozilla |
4 | noblacklist ~/.config/qpdfview | 8 | noblacklist ~/.config/qpdfview |
5 | noblacklist ~/.local/share/qpdfview | 9 | noblacklist ~/.local/share/qpdfview |
6 | noblacklist ~/.kde/share/apps/okular | 10 | noblacklist ~/.kde/share/apps/okular |
11 | noblacklist ~/.pki | ||
7 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
8 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
9 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
@@ -30,6 +35,7 @@ whitelist ~/.pentadactyl | |||
30 | whitelist ~/.keysnail.js | 35 | whitelist ~/.keysnail.js |
31 | whitelist ~/.config/gnome-mplayer | 36 | whitelist ~/.config/gnome-mplayer |
32 | whitelist ~/.cache/gnome-mplayer/plugin | 37 | whitelist ~/.cache/gnome-mplayer/plugin |
38 | mkdir ~/.pki | ||
33 | whitelist ~/.pki | 39 | whitelist ~/.pki |
34 | whitelist ~/.config/qpdfview | 40 | whitelist ~/.config/qpdfview |
35 | whitelist ~/.local/share/qpdfview | 41 | whitelist ~/.local/share/qpdfview |
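Review bot: `mkdir ~/.pki` (new line 38) creates a directory in the real home that NSS populates with `nssdb`, i.e. client certificates and key material, so the mode firejail uses for a profile `mkdir` matters; confirm it is 0700 and record it, e.g. `# created by firejail (confirm 0700); NSS keeps client certs/keys in ~/.pki/nssdb`. Because `noblacklist ~/.pki` (new line 11) now precedes the includes, the `blacklist ${HOME}/.pki/nssdb` from disable-passwdmgr.inc no longer applies if that file is included further down (the include list runs past this hunk), so a comment stating that the exposure is deliberate would stop the next reader from re-adding the blacklist. The same `noblacklist ~/.pki` was added to cyberfox, franz and flashpeak-slimjet in this commit without a visible matching `mkdir`/`whitelist`, so as far as this view shows those profiles rely on `~/.pki` not being subject to home whitelisting.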
diff --git a/etc/firejail.config b/etc/firejail.config index 824e3f503..766802a7d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -20,6 +20,12 @@ | |||
20 | # Enable Firejail green prompt in terminal, default disabled | 20 | # Enable Firejail green prompt in terminal, default disabled |
21 | # firejail-prompt no | 21 | # firejail-prompt no |
22 | 22 | ||
23 | # Follow symlink as user. While using --whitelist feature, | ||
24 | # symlinks pointing outside home directory are followed only | ||
25 | # if both the link and the real file are owned by the user. | ||
26 | # Enabled by default | ||
27 | # follow-symlink-as-user yes | ||
28 | |||
23 | # Force use of nonewprivs. This mitigates the possibility of | 29 | # Force use of nonewprivs. This mitigates the possibility of |
24 | # a user abusing firejail's features to trick a privileged (suid | 30 | # a user abusing firejail's features to trick a privileged (suid |
25 | # or file capabilities) process into loading code or configuration | 31 | # or file capabilities) process into loading code or configuration |
@@ -79,6 +85,6 @@ | |||
79 | # Firejail window title in Xephyr, default enabled. | 85 | # Firejail window title in Xephyr, default enabled. |
80 | # xephyr-window-title yes | 86 | # xephyr-window-title yes |
81 | 87 | ||
82 | # Xephyr command extra parameters. None by default, and the declaration is commented out. | 88 | # Xephyr command extra parameters. None by default; these are examples. |
83 | # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev | 89 | # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev |
84 | # xephyr-extra-params -grayscale | 90 | # xephyr-extra-params -grayscale |
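Review bot: The new `follow-symlink-as-user` block (new lines 23-27) documents only the enabled behaviour and never says what `no` does, so an administrator cannot tell whether it is the stricter or the looser setting. If `no` means symlinks leaving the home directory are never followed during `--whitelist`, say so: `# Set to no to refuse to follow any symlink that points outside the home directory.` The ownership check described here is presumably what stops a user-created link from steering the privileged whitelist mount at a file the user does not own, and the comment should name that as the reason the option exists rather than leaving it implicit.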
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 3c23ff6f6..56437ba06 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/flashpeak-slimjet.local | ||
4 | |||
1 | # SlimJet browser profile | 5 | # SlimJet browser profile |
2 | # This is a whitelisted profile, the internal browser sandbox | 6 | # This is a whitelisted profile, the internal browser sandbox |
3 | # is disabled because it requires sudo password. The command | 7 | # is disabled because it requires sudo password. The command |
@@ -7,6 +11,7 @@ | |||
7 | # | 11 | # |
8 | noblacklist ~/.config/slimjet | 12 | noblacklist ~/.config/slimjet |
9 | noblacklist ~/.cache/slimjet | 13 | noblacklist ~/.cache/slimjet |
14 | noblacklist ~/.pki | ||
10 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
11 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
12 | 17 | ||
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index 12afdb0aa..e60417081 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/flowblade.local | ||
4 | |||
1 | # FlowBlade profile | 5 | # FlowBlade profile |
2 | noblacklist ${HOME}/.flowblade | 6 | noblacklist ${HOME}/.flowblade |
3 | noblacklist ${HOME}/.config/flowblade | 7 | noblacklist ${HOME}/.config/flowblade |
diff --git a/etc/fossamail.profile b/etc/fossamail.profile new file mode 100644 index 000000000..3caaad71c --- /dev/null +++ b/etc/fossamail.profile | |||
@@ -0,0 +1,19 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/fossamail.local | ||
4 | |||
5 | # Firejail profile for FossaMail | ||
6 | |||
7 | noblacklist ~/.gnupg | ||
8 | mkdir ~/.gnupg | ||
9 | whitelist ~/.gnupg | ||
10 | |||
11 | noblacklist ~/.fossamail | ||
12 | mkdir ~/.fossamail | ||
13 | whitelist ~/.fossamail | ||
14 | |||
15 | noblacklist ~/.cache/fossamail | ||
16 | mkdir ~/.cache/fossamail | ||
17 | whitelist ~/.cache/fossamail | ||
18 | |||
19 | include /etc/firejail/firefox.profile | ||
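Review bot: `whitelist ~/.gnupg` (line 9) exposes the user's entire GnuPG home, secret keys included, to a sandbox that inherits Firefox's network and browser surface through the trailing include, and nothing in the file says so; add `# full keyring, including private keys, is visible for PGP mail` above it, and confirm that the profile `mkdir` on line 8 creates `~/.gnupg` with mode 0700, since gpg warns or refuses on a more permissive directory. The trailing `include /etc/firejail/firefox.profile` also pulls in `/etc/firejail/firefox.local`, so any customization a user makes for Firefox silently applies to FossaMail; a one-line comment next to the include should state that. Because the profile ends with the include, everything in fossamail.local is evaluated before firefox.profile's own directives, which is the right order for the `noblacklist` lines but means firefox.profile has the last word on anything else.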
diff --git a/etc/franz.profile b/etc/franz.profile index 0b3be551b..05ff72a47 100644 --- a/etc/franz.profile +++ b/etc/franz.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/franz.local | ||
4 | |||
1 | # Franz profile | 5 | # Franz profile |
2 | noblacklist ~/.config/Franz | 6 | noblacklist ~/.config/Franz |
3 | noblacklist ~/.cache/Franz | 7 | noblacklist ~/.cache/Franz |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/gajim.profile b/etc/gajim.profile index eb60f858b..bac6cc466 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gajim.local | ||
4 | |||
1 | # Firejail profile for Gajim | 5 | # Firejail profile for Gajim |
2 | noblacklist ${HOME}/.cache/gajim | 6 | noblacklist ${HOME}/.cache/gajim |
3 | noblacklist ${HOME}/.local/share/gajim | 7 | noblacklist ${HOME}/.local/share/gajim |
diff --git a/etc/gedit.profile b/etc/gedit.profile index a25286bfa..9f4eee9b3 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gedit.local | ||
4 | |||
1 | # gedit profile | 5 | # gedit profile |
2 | 6 | ||
3 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it | 7 | # when gedit is started via gnome-shell, firejail is not applied because systemd will start it |
diff --git a/etc/gimp.profile b/etc/gimp.profile index cb441fc9d..d07398a41 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gimp.local | ||
4 | |||
1 | # gimp | 5 | # gimp |
2 | noblacklist ${HOME}/.gimp* | 6 | noblacklist ${HOME}/.gimp* |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/git.profile b/etc/git.profile index 80e534e20..5fbacd7fa 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/git.local | ||
4 | |||
1 | # git profile | 5 | # git profile |
2 | quiet | 6 | quiet |
3 | noblacklist ~/.gitconfig | 7 | noblacklist ~/.gitconfig |
diff --git a/etc/gitter.profile b/etc/gitter.profile index f43f5f199..054d859f8 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gitter.local | ||
4 | |||
1 | # Firejail profile for Gitter | 5 | # Firejail profile for Gitter |
2 | noblacklist ~/.config/Gitter | 6 | noblacklist ~/.config/Gitter |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/gjs.profile b/etc/gjs.profile index 8d71728a2..24ec70e86 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gjs.local | ||
4 | |||
1 | # gjs (gnome javascript bindings) profile | 5 | # gjs (gnome javascript bindings) profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index f9982da61..95c0daccd 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-2048.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for gnome-2048 | 6 | #Profile for gnome-2048 |
3 | # | 7 | # |
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 10b06e173..692e32896 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-books.local | ||
4 | |||
1 | # gnome-books profile | 5 | # gnome-books profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 49e068171..714a97650 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-calculator.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for gnome-calculator | 6 | #Profile for gnome-calculator |
3 | # | 7 | # |
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 4db485ea7..3dcc98b72 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-chess.local | ||
4 | |||
1 | # Firejail profile for gnome-chess | 5 | # Firejail profile for gnome-chess |
2 | noblacklist ~/.local/share/gnome-chess | 6 | noblacklist ~/.local/share/gnome-chess |
3 | 7 | ||
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 6cccf9d32..30598f348 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-clocks.local | ||
4 | |||
1 | # gnome-clocks profile | 5 | # gnome-clocks profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile index 9dc25b26c..b61cd3c74 100644 --- a/etc/gnome-contacts.profile +++ b/etc/gnome-contacts.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-contacts.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for gnome-contacts | 6 | #Profile for gnome-contacts |
3 | # | 7 | # |
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index c5def7aff..9d3b8172b 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-documents.local | ||
4 | |||
1 | # gnome-documents profile | 5 | # gnome-documents profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index f1451506e..54c0eb99c 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-maps.local | ||
4 | |||
1 | # gnome-maps profile | 5 | # gnome-maps profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
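--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-mplayer.local
+
 # GNOME MPlayer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -12,6 +16,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin gnome-mplayer,mplayer
+# private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp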
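Review bot: `# private-bin gnome-mplayer,mplayer` on new line 19 is a commented-out directive with no reason recorded, so a reader cannot tell whether the binary list was incomplete or the restriction broke playback, and will be tempted to re-enable it. Either delete the line or keep it with the cause attached, e.g. `# private-bin gnome-mplayer,mplayer -- disabled: <reason placeholder>`. The second hunk here is the only change of substance in the section; the rest is the standard .local header.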
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 4a8adeb22..9136015e9 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-music.local | ||
4 | |||
1 | # gnome-music profile | 5 | # gnome-music profile |
2 | noblacklist ~/.local/share/gnome-music | 6 | noblacklist ~/.local/share/gnome-music |
3 | 7 | ||
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 8f9d60cb5..d1636e02e 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-photos.local | ||
4 | |||
1 | # gnome-photos profile | 5 | # gnome-photos profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 9f93b8f15..925420a5a 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gnome-weather.local | ||
4 | |||
1 | # gnome-weather profile | 5 | # gnome-weather profile |
2 | 6 | ||
3 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them | 7 | # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them |
diff --git a/etc/goobox.profile b/etc/goobox.profile index 8990943fc..6aaec1354 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/goobox.local | ||
4 | |||
1 | # goobox profile | 5 | # goobox profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3d483967c..2f09edb7a 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/google-chrome-beta.local | ||
4 | |||
1 | # Google Chrome beta browser profile | 5 | # Google Chrome beta browser profile |
2 | noblacklist ~/.config/google-chrome-beta | 6 | noblacklist ~/.config/google-chrome-beta |
3 | noblacklist ~/.cache/google-chrome-beta | 7 | noblacklist ~/.cache/google-chrome-beta |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | 11 | ||
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile index 78c8ca6e5..b8d9d6917 100644 --- a/etc/google-chrome-stable.profile +++ b/etc/google-chrome-stable.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/google-chrome-stable.local | ||
4 | |||
1 | # Google Chrome browser profile | 5 | # Google Chrome browser profile |
2 | include /etc/firejail/google-chrome.profile | 6 | include /etc/firejail/google-chrome.profile |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 0189ce40b..e0dc37034 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/google-chrome-unstable.local | ||
4 | |||
1 | # Google Chrome unstable browser profile | 5 | # Google Chrome unstable browser profile |
2 | noblacklist ~/.config/google-chrome-unstable | 6 | noblacklist ~/.config/google-chrome-unstable |
3 | noblacklist ~/.cache/google-chrome-unstable | 7 | noblacklist ~/.cache/google-chrome-unstable |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | 11 | ||
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 3083c2afd..dfb30dc7e 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/google-chrome.local | ||
4 | |||
1 | # Google Chrome browser profile | 5 | # Google Chrome browser profile |
2 | noblacklist ~/.config/google-chrome | 6 | noblacklist ~/.config/google-chrome |
3 | noblacklist ~/.cache/google-chrome | 7 | noblacklist ~/.cache/google-chrome |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | 11 | ||
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index b4cf8d9ac..dbe07cfee 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/google-play-music-desktop-player.local | ||
4 | |||
1 | # Google Play Music desktop player profile | 5 | # Google Play Music desktop player profile |
2 | noblacklist ~/.config/Google Play Music Desktop Player | 6 | noblacklist ~/.config/Google Play Music Desktop Player |
3 | 7 | ||
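--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpa.local
+
 # gpa profile
 noblacklist ~/.gnupg
 
@@ -18,6 +22,4 @@ shell none
 tracelog
 
 # private-bin gpa,gpg
-private-tmp
 private-dev
-# private-etc none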
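Review bot: `private-tmp` is dropped on old line 21 without a replacement or a comment, so gpa now shares the host /tmp with everything else on the system; the same removal appears in gpg-agent.profile and gpg.profile in this commit. If the motive is a socket or file under /tmp that the sandbox needs, naming it in a comment lets a reviewer check whether a narrower `whitelist` on that path would serve instead, e.g. `# private-tmp removed: <path placeholder> must be reachable`. Removing the dead `# private-etc none` line is fine.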
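--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg-agent.local
+
 # gpg-agent profile
 noblacklist ~/.gnupg
 
@@ -11,7 +15,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 no3d
@@ -21,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg-agent,gpg
-private-tmp
 private-dev
-# private-etc none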
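Review bot: `protocol unix,inet,inet6` on new line 18 widens gpg-agent from local sockets to IP networking, and gpg.profile in the same commit goes further by also deleting `net none`; neither change carries a comment. If the intent is keyserver access (dirmngr lookups for `--recv-keys` and similar), say so where the directive lives, e.g. `# inet/inet6 for keyserver lookups; add 'net none' to gpg-agent.local if not needed`. As far as I recall, `netfilter` (line 20) only takes effect when the sandbox gets its own network namespace, so on its own it should not be read as constraining these new connections — worth confirming before relying on it.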
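--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg.local
+
 # gpg profile
 noblacklist ~/.gnupg
 
@@ -11,10 +15,9 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
-net none
 no3d
 shell none
 tracelog
@@ -22,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg,gpg-agent
-private-tmp
 private-dev
-# private-etc none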
diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 801304c18..9e8af2016 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gpredict.local | ||
4 | |||
1 | # Firejail profile for gpredict. | 5 | # Firejail profile for gpredict. |
2 | noblacklist ~/.config/Gpredict | 6 | noblacklist ~/.config/Gpredict |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/gtar.profile b/etc/gtar.profile index 2f675cd9d..2fcdbaa83 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gtar.local | ||
4 | |||
1 | # gtar profile | 5 | # gtar profile |
2 | quiet | 6 | quiet |
3 | include /etc/firejail/tar.profile | 7 | include /etc/firejail/tar.profile |
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 055d78935..d8c438181 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gthumb.local | ||
4 | |||
1 | # gthumb profile | 5 | # gthumb profile |
2 | noblacklist ${HOME}/.config/gthumb | 6 | noblacklist ${HOME}/.config/gthumb |
3 | 7 | ||
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 0c6ad00be..3c8da9e46 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/guayadeque.local | ||
4 | |||
1 | noblacklist ${HOME}/.guayadeque | 5 | noblacklist ${HOME}/.guayadeque |
2 | 6 | ||
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index c866c9e63..f636792f0 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gwenview.local | ||
4 | |||
1 | # KDE gwenview profile | 5 | # KDE gwenview profile |
2 | noblacklist ~/.kde/share/apps/gwenview | 6 | noblacklist ~/.kde/share/apps/gwenview |
3 | noblacklist ~/.kde/share/config/gwenviewrc | 7 | noblacklist ~/.kde/share/config/gwenviewrc |
diff --git a/etc/gzip.profile b/etc/gzip.profile index feb27c150..2eca4d8b6 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/gzip.local | ||
4 | |||
1 | # gzip profile | 5 | # gzip profile |
2 | quiet | 6 | quiet |
3 | ignore noroot | 7 | ignore noroot |
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 7910b7eb0..4e469bd42 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/hedgewars.local | ||
4 | |||
1 | # whitelist profile for Hedgewars (game) | 5 | # whitelist profile for Hedgewars (game) |
2 | noblacklist ${HOME}/.hedgewars | 6 | noblacklist ${HOME}/.hedgewars |
3 | 7 | ||
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 5cefe45b5..53f447f7e 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/hexchat.local | ||
4 | |||
1 | # HexChat instant messaging profile | 5 | # HexChat instant messaging profile |
2 | # Currently in testing (may not work for all users) | 6 | # Currently in testing (may not work for all users) |
3 | noblacklist ${HOME}/.config/hexchat | 7 | noblacklist ${HOME}/.config/hexchat |
diff --git a/etc/highlight.profile b/etc/highlight.profile index 4bab18349..446a3fbb7 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/highlight.local | ||
4 | |||
1 | # highlight profile | 5 | # highlight profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/icecat.profile b/etc/icecat.profile index 038afc876..144f5c4eb 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/icecat.local | ||
4 | |||
1 | # Firejail profile for GNU Icecat | 5 | # Firejail profile for GNU Icecat |
2 | noblacklist ~/.mozilla | 6 | noblacklist ~/.mozilla |
3 | noblacklist ~/.cache/mozilla | 7 | noblacklist ~/.cache/mozilla |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | include /etc/firejail/disable-devel.inc | 11 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/icedove.profile b/etc/icedove.profile index 310684bdb..b5265e992 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/icedove.local | ||
4 | |||
1 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) | 5 | # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) |
2 | # Users have icedove set to open a browser by clicking a link in an email | 6 | # Users have icedove set to open a browser by clicking a link in an email |
3 | # We are not allowed to blacklist browser-specific directories | 7 | # We are not allowed to blacklist browser-specific directories |
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index e9b32846a..d5c29a5ce 100644 --- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/iceweasel.local | ||
4 | |||
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 5 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
2 | include /etc/firejail/firefox.profile | 6 | include /etc/firejail/firefox.profile |
diff --git a/etc/img2txt.profile b/etc/img2txt.profile index d55a31cd0..15692b2b0 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/img2txt.local | ||
4 | |||
1 | # img2txt profile | 5 | # img2txt profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index a0e86b6c9..000a35fd9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/inkscape.local | ||
4 | |||
1 | # inkscape | 5 | # inkscape |
2 | noblacklist ${HOME}/.inkscape | 6 | noblacklist ${HOME}/.inkscape |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/inox.profile b/etc/inox.profile index 6f6d140e2..8e95208ab 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
@@ -1,6 +1,11 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/inox.local | ||
4 | |||
1 | # Inox browser profile | 5 | # Inox browser profile |
2 | noblacklist ~/.config/inox | 6 | noblacklist ~/.config/inox |
3 | noblacklist ~/.cache/inox | 7 | noblacklist ~/.cache/inox |
8 | noblacklist ~/.pki | ||
4 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
5 | include /etc/firejail/disable-programs.inc | 10 | include /etc/firejail/disable-programs.inc |
6 | 11 | ||
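--- /dev/null
+++ b/etc/iridium-browser.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium-browser.local
+
+include /etc/firejail/iridium.profile
+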
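--- /dev/null
+++ b/etc/iridium.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium.local
+
+# Iridium browser profile
+noblacklist ~/.config/iridium
+noblacklist ~/.cache/iridium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium/iridium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/iridium
+whitelist ~/.config/iridium
+mkdir ~/.cache/iridium
+whitelist ~/.cache/iridium
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc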
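Review bot: The new 33-line profile contains no `caps.drop all`, `seccomp`, `noroot` or `nonewprivs`, and no `private-dev`/`private-tmp`, so its hardening consists of `netfilter` plus the home whitelist; if that is deliberate because the browser's own sandbox conflicts with those options, a comment saying so after line 15 would stop the next maintainer from "fixing" it, and if it is an oversight the sibling chromium-style profiles are the reference. Lines 27–31 also pull the password-manager directories (`~/.keepass`, `~/.config/keepass`, `~/.config/KeePass`, `~/.lastpass`, `~/.config/lastpass`) into the browser's view, which exposes the database files themselves to the browser process; the comment on lines 25–26 should state that these are opt-in for users of the browser extensions, e.g. `# opt-in: only needed for the KeePass/LastPass browser integrations`. iridium-browser.profile is a two-line wrapper around this file, so both names inherit whatever is decided here.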
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 1d6eb41f8..2ba1a4380 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/jd-gui.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for jd-gui | 6 | #Profile for jd-gui |
3 | # | 7 | # |
diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 046499abe..5d502fffe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/jitsi.local | ||
4 | |||
1 | # Firejail profile for jitsi | 5 | # Firejail profile for jitsi |
2 | noblacklist ~/.jitsi | 6 | noblacklist ~/.jitsi |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/k3b.profile b/etc/k3b.profile index 8a5fff0c6..68b825c5e 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/k3b.local | ||
4 | |||
1 | # k3b profile | 5 | # k3b profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/kate.profile b/etc/kate.profile index 4b07ea6cb..466786e61 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/kate.local | ||
4 | |||
1 | # kate profile | 5 | # kate profile |
2 | noblacklist ~/.local/share/kate | 6 | noblacklist ~/.local/share/kate |
3 | noblacklist ~/.config/katerc | 7 | noblacklist ~/.config/katerc |
diff --git a/etc/keepass.profile b/etc/keepass.profile index eb7d92a7c..d269c3e8a 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/keepass.local | ||
4 | |||
1 | # keepass password manager profile | 5 | # keepass password manager profile |
2 | noblacklist ${HOME}/.keepass | 6 | noblacklist ${HOME}/.keepass |
3 | noblacklist ${HOME}/.config/keepass | 7 | noblacklist ${HOME}/.config/keepass |
diff --git a/etc/keepass2.profile b/etc/keepass2.profile index 1ee2644d5..dbf7a4180 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/keepass2.local | ||
4 | |||
1 | # keepass password manager profile | 5 | # keepass password manager profile |
2 | include /etc/firejail/keepass.profile | 6 | include /etc/firejail/keepass.profile |
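Review bot: keepass2.profile now reads two override files, keepass2.local from the new line 3 and keepass.local through the included keepass.profile, which this same commit also gives a `.local` include, and nothing in the file says so. A one-line comment would stop users from wondering why settings in keepass.local also apply to keepass2, e.g. `# keepass.profile below also includes keepass.local; put keepass2-only changes in keepass2.local`. Since keepass2.local is read before keepass.profile, `ignore` and `noblacklist` directives placed there presumably take effect for the whole inherited profile, which looks like the intended ordering and is worth stating.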
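--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
+tracelog
 
+private-bin keepassx
+private-etc fonts
+private-dev
 private-tmp
-private-dev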
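Review bot: `private-etc fonts` in the second hunk is a very short allow-list for a Qt application; if KeePassX needs anything else from /etc at runtime (Qt or X11 configuration, ld.so.cache, localtime) the sandbox fails in a way that looks unrelated to the profile, so a short comment recording that this list was tested on a real install is worth adding. Replacing `netfilter` with `net none` is the right default for a password manager, but it also blocks any network-backed feature a build might offer, such as browser integration; note it next to the line, e.g. `# net none also disables any network-based integration; override in keepassx.local if needed`. keepassx2.profile in the same commit is otherwise identical but does not get `tracelog`, so the two profiles now diverge without a stated reason.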
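--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx2.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 
+private-bin keepassx2
+private-etc fonts
+private-dev
 private-tmp
-private-dev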
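Review bot: `private-bin keepassx2` in the second hunk assumes the executable is literally named keepassx2; on distributions where KeePassX 2.x installs as `keepassx` and only the profile name carries the 2, private-bin leaves the real binary out and the sandbox cannot start. If both names exist in the wild, `private-bin keepassx,keepassx2` covers them at no cost. Unlike keepassx.profile in this commit, this profile does not enable `tracelog`; either add it for consistency or document why it is omitted here.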
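--- /dev/null
+++ b/etc/kino.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kino.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ~/.kinorc
+noblacklist ~/.kino-history
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+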
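Review bot: The `# Generic GUI application profile` banner and the commented-out block at the end (`# nogroups` … `# private-tmp`, with the typo `you usage`) are template leftovers in a file that otherwise already knows the application's config paths (`~/.kinorc`, `~/.kino-history`); either decide which of those restrictions Kino tolerates or drop the template text so the profile does not read as unfinished. Kino is a DV video editor and, as far as I can tell, has no networking feature of its own, so `net none` would be a tighter default than `netfilter` plus `protocol unix,inet,inet6`. If FireWire/V4L capture is the reason `private-dev` stays disabled, say so: `# private-dev would hide /dev/raw1394 and /dev/video*, which DV capture needs`. `disable-devel.inc`, which keepassx.profile in this commit includes, is also absent here without comment.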
diff --git a/etc/kmail.profile b/etc/kmail.profile index 410ff36c6..b930f6e48 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/kmail.local | ||
4 | |||
1 | # kmail profile | 5 | # kmail profile |
2 | noblacklist ${HOME}/.gnupg | 6 | noblacklist ${HOME}/.gnupg |
3 | 7 | ||
diff --git a/etc/konversation.profile b/etc/konversation.profile index c00b91c18..0b920bd6a 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/konversation.local | ||
4 | |||
1 | # Firejail konversation profile | 5 | # Firejail konversation profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/less.profile b/etc/less.profile index c01dfc466..23fbc4ba2 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/less.local | ||
4 | |||
1 | # less profile | 5 | # less profile |
2 | quiet | 6 | quiet |
3 | ignore noroot | 7 | ignore noroot |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index d6aceb7a8..685073e7c 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/libreoffice.local | ||
4 | |||
1 | # Firejail profile for LibreOffice | 5 | # Firejail profile for LibreOffice |
2 | noblacklist ~/.config/libreoffice | 6 | noblacklist ~/.config/libreoffice |
3 | noblacklist /usr/local/sbin | 7 | noblacklist /usr/local/sbin |
diff --git a/etc/localc.profile b/etc/localc.profile index fecd08822..14c34c722 100644 --- a/etc/localc.profile +++ b/etc/localc.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/localc.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/lodraw.profile b/etc/lodraw.profile index fecd08822..5be66c5de 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lodraw.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/loffice.profile b/etc/loffice.profile index fecd08822..5f931502c 100644 --- a/etc/loffice.profile +++ b/etc/loffice.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/loffice.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile index fecd08822..9899ddf58 100644 --- a/etc/lofromtemplate.profile +++ b/etc/lofromtemplate.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lofromtemplate.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
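--- a/etc/login.users
+++ b/etc/login.users
@@ -9,6 +9,12 @@
 #
 # netblue:--net=none --protocol=unix
 #
+# Wildcard patterns are accepted in the user name field:
+#
+# user*: --private
+#
+# The example will do --private for user1, user2, and so on.
+#
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.
 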
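Review bot: The new comment documents wildcards but not what happens when more than one line matches a user (e.g. `netblue:` and `net*:`), nor whether a bare `*:` catch-all is honoured; since this file decides which sandbox options a login shell gets, the resolution rule should be written down, e.g. `# The first matching line wins; list specific users before wildcard patterns.` — adjusted to whatever the parser actually does. The two examples also differ in whitespace after the colon (`netblue:--net=none` versus `user*: --private`), so state whether leading spaces in the argument field are stripped, otherwise one of the examples is misleading.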
diff --git a/etc/loimpress.profile b/etc/loimpress.profile index fecd08822..4de330d67 100644 --- a/etc/loimpress.profile +++ b/etc/loimpress.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/loimpress.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 41a662bca..06ed415d6 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lollypop.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for lollypop | 6 | #Profile for lollypop |
3 | # | 7 | # |
diff --git a/etc/lomath.profile b/etc/lomath.profile index fecd08822..cbe13f474 100644 --- a/etc/lomath.profile +++ b/etc/lomath.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lomath.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/loweb.profile b/etc/loweb.profile index fecd08822..f5e13db02 100644 --- a/etc/loweb.profile +++ b/etc/loweb.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/loweb.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/lowriter.profile b/etc/lowriter.profile index fecd08822..b6c6ed407 100644 --- a/etc/lowriter.profile +++ b/etc/lowriter.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lowriter.local | ||
4 | |||
1 | ################################ | 5 | ################################ |
2 | # LibreOffice profile | 6 | # LibreOffice profile |
3 | ################################ | 7 | ################################ |
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 76e864e0c..1b06b27c3 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/luminance-hdr.local | ||
4 | |||
1 | # luminance-hdr | 5 | # luminance-hdr |
2 | noblacklist ${HOME}/.config/Luminance | 6 | noblacklist ${HOME}/.config/Luminance |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 12765c299..5d76adf4c 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lxterminal.local | ||
4 | |||
1 | # lxterminal (LXDE) profile | 5 | # lxterminal (LXDE) profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/lynx.profile b/etc/lynx.profile index 3e8d72103..de428c214 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/lynx.local | ||
4 | |||
1 | # lynx profile | 5 | # lynx profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/mathematica.profile b/etc/mathematica.profile index 9410054ae..c880b1daa 100644 --- a/etc/mathematica.profile +++ b/etc/mathematica.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mathematica.local | ||
4 | |||
1 | # Mathematica profile | 5 | # Mathematica profile |
2 | include /etc/firejail/Mathematica.profile | 6 | include /etc/firejail/Mathematica.profile |
diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 48b46dba0..87e672501 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mcabber.local | ||
4 | |||
1 | # mcabber profile | 5 | # mcabber profile |
2 | noblacklist ${HOME}/.mcabber | 6 | noblacklist ${HOME}/.mcabber |
3 | noblacklist ${HOME}/.mcabberrc | 7 | noblacklist ${HOME}/.mcabberrc |
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 65d12c49e..9b4adc26f 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mediainfo.local | ||
4 | |||
1 | # mediainfo profile | 5 | # mediainfo profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/midori.profile b/etc/midori.profile index 046c45d94..44e5e7417 100644 --- a/etc/midori.profile +++ b/etc/midori.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/midori.local | ||
4 | |||
1 | # Midori browser profile | 5 | # Midori browser profile |
2 | noblacklist ${HOME}/.config/midori | 6 | noblacklist ${HOME}/.config/midori |
3 | include /etc/firejail/disable-common.inc | 7 | include /etc/firejail/disable-common.inc |
diff --git a/etc/mpv.profile b/etc/mpv.profile index 80f8de54a..d7a8d37e8 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mpv.local | ||
4 | |||
1 | # mpv media player profile | 5 | # mpv media player profile |
2 | noblacklist ${HOME}/.config/mpv | 6 | noblacklist ${HOME}/.config/mpv |
3 | 7 | ||
diff --git a/etc/multimc5.profile b/etc/multimc5.profile index cc310f294..6b8946be3 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/multimc5.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for multimc5 | 6 | #Profile for multimc5 |
3 | # | 7 | # |
diff --git a/etc/mumble.profile b/etc/mumble.profile index ddd70822d..d5405a6ae 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mumble.local | ||
4 | |||
1 | # mumble profile | 5 | # mumble profile |
2 | noblacklist ${HOME}/.config/Mumble | 6 | noblacklist ${HOME}/.config/Mumble |
3 | noblacklist ${HOME}/.local/share/data/Mumble | 7 | noblacklist ${HOME}/.local/share/data/Mumble |
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 7f9261d8b..712552965 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mupdf.local | ||
4 | |||
1 | # mupdf reader profile | 5 | # mupdf reader profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index acb13e6b9..80e75e836 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mupen64plus.local | ||
4 | |||
1 | # mupen64plus profile | 5 | # mupen64plus profile |
2 | # manually whitelist ROM files | 6 | # manually whitelist ROM files |
3 | noblacklist ${HOME}/.config/mupen64plus | 7 | noblacklist ${HOME}/.config/mupen64plus |
diff --git a/etc/mutt.profile b/etc/mutt.profile index 5a714de4a..2f0809f02 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/mutt.local | ||
4 | |||
1 | # mutt email client profile | 5 | # mutt email client profile |
2 | noblacklist ~/.muttrc | 6 | noblacklist ~/.muttrc |
3 | noblacklist ~/.mutt | 7 | noblacklist ~/.mutt |
diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 264ee0b9d..85f9ab7d7 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/nautilus.local | ||
4 | |||
1 | # nautilus profile | 5 | # nautilus profile |
2 | 6 | ||
3 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. | 7 | # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. |
diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 644a1605b..4c10a3e98 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/netsurf.local | ||
4 | |||
1 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) | 5 | # Firejail profile for Mozilla Firefox (Iceweasel in Debian) |
2 | noblacklist ~/.config/netsurf | 6 | noblacklist ~/.config/netsurf |
3 | noblacklist ~/.cache/netsurf | 7 | noblacklist ~/.cache/netsurf |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index c4e28f70e..3880895f3 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/odt2txt.local | ||
4 | |||
1 | # odt2txt profile | 5 | # odt2txt profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/okular.profile b/etc/okular.profile index 22e223cea..2875d2ef5 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/okular.local | ||
4 | |||
1 | # KDE okular profile | 5 | # KDE okular profile |
2 | noblacklist ~/.kde/share/apps/okular | 6 | noblacklist ~/.kde/share/apps/okular |
3 | noblacklist ~/.kde/share/config/okularrc | 7 | noblacklist ~/.kde/share/config/okularrc |
diff --git a/etc/openbox.profile b/etc/openbox.profile index f812768a1..7e074f5b5 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/openbox.local | ||
4 | |||
1 | ####################################### | 5 | ####################################### |
2 | # OpenBox window manager profile | 6 | # OpenBox window manager profile |
3 | # - all applications started in OpenBox will run in this profile | 7 | # - all applications started in OpenBox will run in this profile |
diff --git a/etc/openshot.profile b/etc/openshot.profile index f12bd7d11..25e9a4066 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/openshot.local | ||
4 | |||
1 | # OpenShot profile | 5 | # OpenShot profile |
2 | noblacklist ${HOME}/.openshot | 6 | noblacklist ${HOME}/.openshot |
3 | noblacklist ${HOME}/.openshot_qt | 7 | noblacklist ${HOME}/.openshot_qt |
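--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera-beta.local
+
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
 noblacklist ~/.cache/opera-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc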
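Review bot: `noblacklist ~/.pki` re-exposes the whole NSS directory, which holds the user's certificate database and any client-authentication private keys, with no comment saying why the browser needs it. Add the rationale next to the line, e.g. `# ~/.pki/nssdb is the NSS certificate/key store Chromium-based browsers use for TLS client auth`, so a later cleanup neither removes it nor widens it further. If Opera only needs to read the store, `read-only ~/.pki` would limit what a compromised renderer can do with it; that needs checking first, since I believe Chromium-based browsers also write to nssdb when importing certificates.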
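--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,7 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera.local
+
 # Opera browser profile
 noblacklist ~/.config/opera
 noblacklist ~/.cache/opera
 noblacklist ~/.opera
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc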
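Review bot: The new `noblacklist ~/.pki` line sits among ordinary config and cache exceptions, but it exposes a directory that can contain the user's private keys, so it deserves its own comment: `# NSS cert/key store (~/.pki/nssdb) used by Opera for TLS client certificates`. It is also worth telling users who never use client certificates how to take it back, e.g. `# users without client certs can add 'blacklist ~/.pki' to opera.local`. The same remark applies to opera-beta.profile in this commit; keeping both comments identical would make the two profiles easier to diff.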
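--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/palemoon.local
+
 # Firejail profile for Pale Moon
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
@@ -23,6 +27,7 @@ shell none
 tracelog
 
 private-bin palemoon
+private-opt palemoon
 private-tmp
 
 # These are uncommented in the Firefox profile. If you run into trouble you may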
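Review bot: `private-opt palemoon` in the second hunk hard-codes the upstream tarball layout (/opt/palemoon) without a comment; on systems where Pale Moon is packaged elsewhere and /opt/palemoon does not exist, what happens depends on how firejail treats a missing private-opt entry, so record the assumption: `# upstream Pale Moon tarball installs to /opt/palemoon; adjust in palemoon.local for distro packages`. If the `palemoon` command in PATH is a shell wrapper that execs into /opt, `private-bin palemoon` alone leaves it without an interpreter, which is worth confirming on a stock install before shipping both directives together. The rest of the profile, including the `# These are uncommented in the Firefox profile` section, continues outside the hunk.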
diff --git a/etc/parole.profile b/etc/parole.profile index 1440a9ef7..58a9f2c6c 100644 --- a/etc/parole.profile +++ b/etc/parole.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/parole.local | ||
4 | |||
1 | # Profile for Parole, the default XFCE4 media player | 5 | # Profile for Parole, the default XFCE4 media player |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 6e50f37cf..37adabb39 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pdfsam.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for pdfsam | 6 | #Profile for pdfsam |
3 | # | 7 | # |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index fe9e9e3cd..ce19f1760 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pdftotext.local | ||
4 | |||
1 | # pdftotext profile | 5 | # pdftotext profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 850706145..5c5cb0a5b 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pidgin.local | ||
4 | |||
1 | # Pidgin profile | 5 | # Pidgin profile |
2 | noblacklist ${HOME}/.purple | 6 | noblacklist ${HOME}/.purple |
3 | 7 | ||
diff --git a/etc/pithos.profile b/etc/pithos.profile index 8270b8bee..500e35989 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pithos.local | ||
4 | |||
1 | # | 5 | # |
2 | #Profile for pithos | 6 | #Profile for pithos |
3 | # | 7 | # |
diff --git a/etc/pix.profile b/etc/pix.profile index dc8192b01..c36a5f96e 100644 --- a/etc/pix.profile +++ b/etc/pix.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pix.local | ||
4 | |||
1 | # Firejail profile for pix | 5 | # Firejail profile for pix |
2 | noblacklist ${HOME}/.config/pix | 6 | noblacklist ${HOME}/.config/pix |
3 | noblacklist ${HOME}/.local/share/pix | 7 | noblacklist ${HOME}/.local/share/pix |
diff --git a/etc/pluma.profile b/etc/pluma.profile index 895cc2369..719a26928 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/pluma.local | ||
4 | |||
1 | # Firejail profile for Xed | 5 | # Firejail profile for Xed |
2 | noblacklist ${HOME}/.config/pluma | 6 | noblacklist ${HOME}/.config/pluma |
3 | 7 | ||
diff --git a/etc/polari.profile b/etc/polari.profile index ac9530c40..834a8b3d6 100644 --- a/etc/polari.profile +++ b/etc/polari.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/polari.local | ||
4 | |||
1 | # Polari IRC profile | 5 | # Polari IRC profile |
2 | include /etc/firejail/disable-common.inc | 6 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 7 | include /etc/firejail/disable-programs.inc |
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e4e69b9f6..45cb22ee4 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/psi-plus.local | ||
4 | |||
1 | # Firejail profile for Psi+ | 5 | # Firejail profile for Psi+ |
2 | noblacklist ${HOME}/.config/psi+ | 6 | noblacklist ${HOME}/.config/psi+ |
3 | noblacklist ${HOME}/.local/share/psi+ | 7 | noblacklist ${HOME}/.local/share/psi+ |
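--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qbittorrent.local
+
 # qbittorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -6,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 nosound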
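Review bot: `nogroups` in the second hunk drops supplementary groups, so a download directory that is writable only through a group such as `media` or a shared network group becomes unwritable inside the sandbox and qBittorrent will fail to write its downloads; that is the right default for a program fed untrusted peer data, but it needs a comment. Suggested: `# nogroups: the download directory must be writable by the user alone; use 'ignore nogroups' in qbittorrent.local otherwise`. The `.local` include added in the first hunk is what makes that override possible, so the comment should point at it rather than at editing this file.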
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index f9c8e6345..328f1a30d 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include /etc/firejail/qemu-launcher.local | ||
4 | |||
1 | # qemu-launcher profile | 5 | # qemu-launcher profile |
2 | noblacklist ~/.qemu-launcher | 6 | noblacklist ~/.qemu-launcher |
3 | 7 | ||
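--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qemu-system-x86_64.local
+
 # qemu profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc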
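--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qpdfview.local
+
 # qpdfview profile
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview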
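--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qtox.local
+
 # qTox instant messaging profile
 noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc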
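--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quassel.local
+
 # Quassel IRC profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc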
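--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quiterss.local
+
 noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc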
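--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qupzilla.local
+
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
 noblacklist ${HOME}/.cache/qupzilla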
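--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qutebrowser.local
+
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser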
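--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ranger.local
+
 # ranger file manager profile
 noblacklist /usr/bin/perl
 #noblacklist /usr/bin/cpan*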
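--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rhythmbox.local
+
 # Rhythmbox media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc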
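--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rtorrent.local
+
 # rtorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc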
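--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey-bin.local
+
 # Firejail profile for Seamonkey based off Mozilla Firefox
 include /etc/firejail/seamonkey.profile
 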
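--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey.local
+
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc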
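Review bot: `noblacklist ~/.pki` on new line 8 re-exposes the NSS certificate database to the browser without recording why; that directory typically also holds client-certificate private keys, so the relaxation deserves a comment such as `# ~/.pki: NSS database, needed for client certificates`. Whether the directory ends up visible inside the sandbox also depends on the whitelist section further down the profile, which is outside this hunk, so the effective exposure should be checked there too.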
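--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/server.local
+
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 noblacklist /sbin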
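--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/simple-scan.local
+
 # simple-scan profile
 noblacklist ~/.cache/simple-scan
 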
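--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skanlite.local
+
 # skanlite profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc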
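--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skype.local
+
 # Skype profile
 noblacklist ${HOME}/.Skype
 include /etc/firejail/disable-common.inc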
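--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skypeforlinux.local
+
 # skypeforlinux profile
 noblacklist ${HOME}/.config/skypeforlinux
 include /etc/firejail/disable-common.inc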
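--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/slack.local
+
 # Firejail profile for Slack
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads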
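--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/snap.local
+
 ################################
 # Generic Ubuntu snap application profile
 ################################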
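--- a/etc/soffice.profile
+++ b/etc/soffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/soffice.local
+
 ################################
 # LibreOffice profile
 ################################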
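--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/spotify.local
+
 # Spotify media player profile
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.cache/spotify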
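--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh-agent.local
+
 # ssh-agent
 quiet
 noblacklist ~/.ssh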
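--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh.local
+
 # ssh client
 quiet
 noblacklist ~/.ssh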
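--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/start-tor-browser.local
+
 # Firejail profile for the Tor Brower Bundle
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +18,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp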
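--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/steam.local
+
 # Steam profile (applies to games/apps launched from Steam as well)
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam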
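--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/stellarium.local
+
 # Firejail profile for Stellarium.
 noblacklist ~/.stellarium
 noblacklist ~/.config/stellarium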
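--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/strings.local
+
 # strings profile
 quiet
 ignore noroot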
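--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/synfigstudio.local
+
 # synfigstudio
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig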
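--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tar.local
+
 # tar profile
 quiet
 ignore noroot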
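--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/telegram.local
+
 # Telegram IRC profile
 noblacklist ${HOME}/.TelegramDesktop
 include /etc/firejail/disable-common.inc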
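--- /dev/null
+++ b/etc/thunar.profile
@@ -0,0 +1 @@
+include /etc/firejail/Thunar.profile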
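Review bot: The new alias profile omits the overwrite warning and `.local` include that this commit adds to the other alias profiles (seamonkey-bin, vivaldi-beta, weechat-curses), so a user who creates thunar.local following the pattern of every other profile would find it silently ignored. For consistency, prefix the file with the same two comment lines and `include /etc/firejail/thunar.local`, or add a comment stating that customizations belong in Thunar.local (assuming the included Thunar.profile carries that include; it is not visible here).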
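--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunderbird.local
+
 # Firejail profile for Mozilla Thunderbird
 # Users have thunderbird set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories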
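--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/totem.local
+
 # Totem media player profile
 noblacklist ~/.config/totem
 noblacklist ~/.local/share/totem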
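--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tracker.local
+
 # tracker profile
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default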
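--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-cli.local
+
 # transmission-cli bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission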
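--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-gtk.local
+
 # transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission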
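--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-qt.local
+
 # transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission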
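--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-show.local
+
 # transmission-show profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission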
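--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uget-gtk.local
+
 # uGet profile
 noblacklist ${HOME}/.config/uGet
 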
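--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unbound.local
+
 # security profile for unbound (https://unbound.net)
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -9,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
 nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 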
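Review bot: The `seccomp.drop` list on new line 17, directly under the added `no3d`, names `perf_event_open` twice (once mid-list and again as the last entry); the duplicate is harmless but makes the list harder to audit, so drop the trailing `,perf_event_open`. The surrounding profile lines outside this hunk are not visible here.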
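--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unrar.local
+
 # unrar profile
 quiet
 ignore noroot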
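--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unzip.local
+
 # unzip profile
 quiet
 ignore noroot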
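--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,9 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uudeview.local
+
 # uudeview profile
 quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-blacklist /etc
 
 hostname uudeview
 net none
@@ -13,3 +16,4 @@ tracelog
 
 private-bin uudeview
 private-dev
+private-etc ld.so.preload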
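Review bot: `private-etc ld.so.preload` on new line 19 replaces the dropped `blacklist /etc` with a minimal /etc, which is a tightening, but nothing records why exactly that one file must stay visible; presumably `tracelog` (named in the hunk header) relies on /etc/ld.so.preload to load its library into the sandboxed process. A comment such as `# keep only ld.so.preload in /etc: tracelog depends on it` would stop a later edit from removing it or from quietly growing the list. The two blank lines left around the removed `blacklist /etc` could also be collapsed to one.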
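--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uzbl-browser.local
+
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+mkdir ~/.password-store
+whitelist ~/.password-store
+
+include /etc/firejail/whitelist-common.inc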
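Review bot: Lines 8 and 28–31 give the browser read/write access to `~/.gnupg` and `~/.password-store` — the GnuPG keyring and the pass password store — which is an unusually broad exposure for a process that renders untrusted web content, and the profile does not say why. If this exists for a password-manager integration, record it (`# ~/.gnupg and ~/.password-store: needed for pass integration`) and consider leaving those four `mkdir`/`whitelist` lines out of the shipped profile so that users who want the integration opt in through the uzbl-browser.local include this file introduces. The `mkdir ~/.gnupg` and `mkdir ~/.password-store` lines also appear to create both directories in every user's home even when the integration is unused, which is another reason to make them opt-in.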
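--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vim.local
+
 # vim profile
 noblacklist ~/.vim
 noblacklist ~/.vimrc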
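--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/virtualbox.local
+
 # virtualbox profile
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs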
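--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi-beta.local
+
 # Vivaldi Beta browser profile
 include /etc/firejail/vivaldi.profile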
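--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi.local
+
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
 noblacklist ~/.cache/vivaldi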
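--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vlc.local
+
 # VLC media player profile
 noblacklist ${HOME}/.config/vlc
 
@@ -8,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink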
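Review bot: `nogroups` on new line 15 is commented out rather than removed, and no reason is given, so the next maintainer cannot tell whether it broke something (supplementary groups such as audio/video are a common cause) or was disabled by accident. Either delete the line or keep it with the reason attached, e.g. `# nogroups disabled: <reason, placeholder> — see <issue, placeholder>`, so the relaxation is auditable. Note this is a weakening of the profile: the sandboxed player keeps its supplementary groups again.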
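--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/w3m.local
+
 # w3m profile
 noblacklist ~/.w3m
 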
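--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/warzone2100.local
+
 # Firejail profile for warzone2100
 # Currently supports warzone2100-3.1
 noblacklist ~/.warzone2100-3.1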
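--- a/etc/weechat-curses.profile
+++ b/etc/weechat-curses.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat-curses.local
+
 # Weechat IRC profile (Debian)
 include /etc/firejail/weechat.profile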
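--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat.local
+
 # Weechat IRC profile
 noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-common.inc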
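--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wesnoth.local
+
 # Whitelist-based profile for "Battle for Wesnoth" (game).
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.cache/wesnoth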
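--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wget.local
+
 # wget profile
 quiet
 include /etc/firejail/disable-common.inc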
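--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
 # common whitelist for all profiles
 
 whitelist ~/.XCompose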
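--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wine.local
+
 # wine profile
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam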
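--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wire.local
+
 # wire messenger profile
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire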
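--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wireshark.local
+
 # Firejail profile for
 noblacklist ${HOME}/.config/wireshark
 
@@ -6,17 +10,21 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-caps.drop all
+#
+# The profile allows users to run wireshark as root
+#
+#caps.drop all
+#noroot
+#protocol unix,inet,inet6,netlink
+
 netfilter
 nogroups
 nonewprivs
-noroot
 nosound
-protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
-private-bin wireshark
+#private-bin wireshark
 private-dev
 private-tmp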
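Review bot: The new comment block (new lines 13–15) explains why `caps.drop all` and `noroot` are disabled, but the same hunk also comments out `protocol unix,inet,inet6,netlink` and `private-bin wireshark` with no reason given; presumably capture needs socket families and helper binaries outside those lists, but that is an inference, and a later hardening pass will not know which of the four disabled lines are deliberate. Suggest extending the comment, e.g. `# protocol and private-bin are disabled as well: <reason - confirm>`. It would also help to state that `nonewprivs`, `seccomp`, `nogroups`, `private-dev` and `private-tmp` remain in force for the root case, since that is the boundary a user running wireshark as root is now relying on.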
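--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xchat.local
+
 # XChat IRC profile
 noblacklist ${HOME}/.config/xchat
 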
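--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xed.local
+
 # Firejail profile for Xed
 noblacklist ${HOME}/.config/xed
 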
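--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xfburn.local
+
 # xfburn profile
 noblacklist ~/.config/xfburn
 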
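--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xiphos.local
+
 # Firejail profile for xiphos
 noblacklist ~/.sword
 noblacklist ~/.xiphos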
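--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xmms.local
+
+# Firejail profile for XMMS
+noblacklist ${HOME}/.xmms
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+no3d
+
+private-bin xmms
+private-dev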
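Review bot: The new xmms.profile omits `nogroups` and `private-tmp`, both of which etc/wireshark.profile in this same commit keeps (its new lines 21 and 30), and nothing in the file says the omission is deliberate. Unless XMMS is known to need supplementary groups or a shared /tmp, adding `nogroups` after `netfilter` and `private-tmp` after `private-dev` would match the baseline the other profiles use; if they are left out on purpose, a one-line comment saying so would stop the next cleanup pass from adding them. `no3d` after `shell none` also breaks the alphabetical order the rest of that block follows, which is a style point only.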
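--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-glx.local
+
 #
 #Profile for xonotic:xonotic-glx
 #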
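--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-sdl.local
+
 #
 #Profile for xonotic:xonotic-sdl
 #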
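--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic.local
+
 #
 #Profile for xonotic
 #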
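--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpdf.local
+
 ################################
 # xpdf application profile
 ################################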
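--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xplayer.local
+
 # Xplayer profile
 noblacklist ~/.config/xplayer
 noblacklist ~/.local/share/xplayer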
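--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpra.local
+
 # xpra profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc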
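--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xreader.local
+
 # Xreader profile
 noblacklist ~/.config/xreader
 noblacklist ~/.cache/xreader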
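--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xviewer.local
+
 # xviewer profile
 noblacklist ~/.config/xviewer
 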
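--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xz.local
+
 # xz profile
 quiet
 include /etc/firejail/cpio.profile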
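--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xzdec.local
+
 # xzdec profile
 quiet
 ignore noroot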
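--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zathura.local
+
 # zathura document viewer profile
 noblacklist ~/.config/zathura
 noblacklist ~/.local/share/zathura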
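--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zoom.local
+
 # Firejail profile for zoom.us
 noblacklist ~/.config/zoomus.conf
 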
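--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -240,3 +240,12 @@
 /etc/firejail/xonotic.profile
 /etc/firejail/VirtualBox.profile
 /etc/firejail/qupzilla.profile
+/etc/firejail/FossaMail.profile
+/etc/firejail/fossamail.profile
+/etc/firejail/uzbl-browser.profile
+/etc/firejail/xmms.profile
+/etc/firejail/iridium-browser.profile
+/etc/firejail/iridium.profile
+/etc/firejail/kino.profile
+/etc/firejail/Thunar.profile
+/etc/firejail/thunar.profile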
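--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -24,7 +24,6 @@ install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/
 install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/.
 
 mkdir -p firejail-$VERSION/usr/share/man/man1
 install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
@@ -436,7 +435,6 @@ rm -rf %{buildroot}
 
 /usr/lib/firejail/libtrace.so
 /usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/libconnect.so
 /usr/lib/firejail/faudit
 /usr/lib/firejail/ftee
 /usr/lib/firejail/firecfg.config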
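--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -23,6 +23,10 @@ _firejail()
 _filedir
 return 0
 ;;
+--hosts-file)
+_filedir
+return 0
+;;
 --chroot)
 _filedir -d
 return 0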
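--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *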
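--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *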
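--- a/src/faudit/dev.c
+++ b/src/faudit/dev.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *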
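--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *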
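--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *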
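--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *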
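--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *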
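--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *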
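--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *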
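--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *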
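--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *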
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index b1e2813db..9f19b6dd8 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -21,6 +21,9 @@ | |||
21 | #include "../include/common.h" | 21 | #include "../include/common.h" |
22 | #include <fcntl.h> | 22 | #include <fcntl.h> |
23 | #include <ftw.h> | 23 | #include <ftw.h> |
24 | #include <errno.h> | ||
25 | |||
26 | static int arg_follow_link = 0; | ||
24 | 27 | ||
25 | 28 | ||
26 | #define COPY_LIMIT (500 * 1024 *1024) | 29 | #define COPY_LIMIT (500 * 1024 *1024) |
@@ -34,245 +37,244 @@ static char *inpath = NULL; | |||
34 | 37 | ||
35 | // modified version of the function from util.c | 38 | // modified version of the function from util.c |
36 | static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) { | 39 | static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) { |
37 | assert(srcname); | 40 | assert(srcname); |
38 | assert(destname); | 41 | assert(destname); |
39 | mode &= 07777; | 42 | mode &= 07777; |
40 | 43 | ||
41 | // open source | 44 | // open source |
42 | int src = open(srcname, O_RDONLY); | 45 | int src = open(srcname, O_RDONLY); |
43 | if (src < 0) { | 46 | if (src < 0) { |
44 | fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname); | 47 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", srcname); |
45 | return; | 48 | return; |
46 | } | 49 | } |
47 | 50 | ||
48 | // open destination | 51 | // open destination |
49 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); | 52 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); |
50 | if (dst < 0) { | 53 | if (dst < 0) { |
51 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); | 54 | fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); |
52 | close(src); | 55 | close(src); |
53 | return; | 56 | return; |
54 | } | 57 | } |
55 | 58 | ||
56 | // copy | 59 | // copy |
57 | ssize_t len; | 60 | ssize_t len; |
58 | static const int BUFLEN = 1024; | 61 | static const int BUFLEN = 1024; |
59 | unsigned char buf[BUFLEN]; | 62 | unsigned char buf[BUFLEN]; |
60 | while ((len = read(src, buf, BUFLEN)) > 0) { | 63 | while ((len = read(src, buf, BUFLEN)) > 0) { |
61 | int done = 0; | 64 | int done = 0; |
62 | while (done != len) { | 65 | while (done != len) { |
63 | int rv = write(dst, buf + done, len - done); | 66 | int rv = write(dst, buf + done, len - done); |
64 | if (rv == -1) | 67 | if (rv == -1) |
65 | goto errexit; | 68 | goto errexit; |
66 | done += rv; | 69 | done += rv; |
67 | } | 70 | } |
68 | } | 71 | } |
69 | fflush(0); | 72 | fflush(0); |
70 | 73 | ||
71 | if (fchown(dst, uid, gid) == -1) | 74 | if (fchown(dst, uid, gid) == -1) |
72 | goto errexit; | 75 | goto errexit; |
73 | if (fchmod(dst, mode) == -1) | 76 | if (fchmod(dst, mode) == -1) |
74 | goto errexit; | 77 | goto errexit; |
75 | 78 | ||
76 | close(src); | 79 | close(src); |
77 | close(dst); | 80 | close(dst); |
78 | 81 | ||
79 | return; | 82 | return; |
80 | 83 | ||
81 | errexit: | 84 | errexit: |
82 | close(src); | 85 | close(src); |
83 | close(dst); | 86 | close(dst); |
84 | unlink(destname); | 87 | unlink(destname); |
85 | fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname); | 88 | fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname); |
86 | } | 89 | } |
87 | 90 | ||
88 | 91 | ||
89 | 92 | ||
90 | // modified version of the function in firejail/util.c | 93 | // modified version of the function in firejail/util.c |
91 | static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | 94 | static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { |
92 | assert(fname); | 95 | assert(fname); |
93 | mode &= 07777; | 96 | mode &= 07777; |
94 | 97 | ||
95 | if (mkdir(fname, mode) == -1 || | 98 | if (mkdir(fname, mode) == -1 || |
96 | chmod(fname, mode) == -1) { | 99 | chmod(fname, mode) == -1) { |
97 | fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname); | 100 | fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname); |
98 | errExit("mkdir/chmod"); | 101 | errExit("mkdir/chmod"); |
99 | } | 102 | } |
100 | if (chown(fname, uid, gid)) | 103 | if (chown(fname, uid, gid)) |
101 | fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname); | 104 | fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname); |
102 | } | 105 | } |
103 | 106 | ||
104 | void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { | 107 | void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { |
105 | (void) mode; | 108 | (void) mode; |
106 | (void) uid; | 109 | (void) uid; |
107 | (void) gid; | 110 | (void) gid; |
108 | char *rp = realpath(target, NULL); | 111 | char *rp = realpath(target, NULL); |
109 | if (rp) { | 112 | if (rp) { |
110 | if (symlink(rp, linkpath) == -1) | 113 | if (symlink(rp, linkpath) == -1) |
111 | goto errout; | 114 | goto errout; |
112 | free(rp); | 115 | free(rp); |
113 | } | 116 | } |
114 | else | 117 | else |
115 | goto errout; | 118 | goto errout; |
116 | 119 | ||
117 | return; | 120 | return; |
118 | errout: | 121 | errout: |
119 | fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); | 122 | fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); |
120 | } | 123 | } |
121 | 124 | ||
122 | static int first = 1; | 125 | static int first = 1; |
123 | static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) { | 126 | static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) { |
124 | (void) st; | 127 | (void) st; |
125 | (void) sftw; | 128 | (void) sftw; |
126 | assert(infname); | 129 | assert(infname); |
127 | assert(*infname != '\0'); | 130 | assert(*infname != '\0'); |
128 | assert(outpath); | 131 | assert(outpath); |
129 | assert(*outpath != '\0'); | 132 | assert(*outpath != '\0'); |
130 | assert(inpath); | 133 | assert(inpath); |
131 | 134 | ||
132 | // check size limit | 135 | // check size limit |
133 | if (size_limit_reached) | 136 | if (size_limit_reached) |
134 | return 0; | 137 | return 0; |
135 | 138 | ||
136 | 139 | ||
137 | char *outfname; | 140 | char *outfname; |
138 | if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1) | 141 | if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1) |
139 | errExit("asprintf"); | 142 | errExit("asprintf"); |
140 | 143 | ||
141 | //printf("outpaht %s\n", outpath); | 144 | // don't copy it if we already have the file |
142 | //printf("inpath %s\n", inpath); | 145 | struct stat s; |
143 | //printf("infname %s\n", infname); | 146 | if (stat(outfname, &s) == 0) { |
144 | //printf("outfname %s\n\n", outfname); | 147 | if (first) |
145 | 148 | first = 0; | |
146 | // don't copy it if we already have the file | 149 | else |
147 | struct stat s; | 150 | fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); |
148 | if (stat(outfname, &s) == 0) { | 151 | free(outfname); |
149 | if (first) | 152 | return 0; |
150 | first = 0; | 153 | } |
151 | else | 154 | |
152 | fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); | 155 | // extract mode and ownership |
153 | free(outfname); | 156 | if (stat(infname, &s) != 0) { |
154 | return 0; | 157 | fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); |
155 | } | 158 | free(outfname); |
156 | 159 | return 0; | |
157 | // extract mode and ownership | 160 | } |
158 | if (stat(infname, &s) != 0) { | 161 | uid_t uid = s.st_uid; |
159 | fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); | 162 | gid_t gid = s.st_gid; |
160 | free(outfname); | 163 | mode_t mode = s.st_mode; |
161 | return 0; | 164 | |
162 | } | 165 | // recalculate size |
163 | uid_t uid = s.st_uid; | 166 | if ((s.st_size + size_cnt) > COPY_LIMIT) { |
164 | gid_t gid = s.st_gid; | 167 | fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024); |
165 | mode_t mode = s.st_mode; | 168 | size_limit_reached = 1; |
166 | 169 | free(outfname); | |
167 | // recalculate size | 170 | return 0; |
168 | if ((s.st_size + size_cnt) > COPY_LIMIT) { | 171 | } |
169 | fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024); | 172 | |
170 | size_limit_reached = 1; | 173 | file_cnt++; |
171 | free(outfname); | 174 | size_cnt += s.st_size; |
172 | return 0; | 175 | |
173 | } | 176 | if(ftype == FTW_F) { |
174 | 177 | copy_file(infname, outfname, mode, uid, gid); | |
175 | file_cnt++; | 178 | } |
176 | size_cnt += s.st_size; | 179 | else if (ftype == FTW_D) { |
177 | 180 | mkdir_attr(outfname, mode, uid, gid); | |
178 | if(ftype == FTW_F) { | 181 | } |
179 | copy_file(infname, outfname, mode, uid, gid); | 182 | else if (ftype == FTW_SL) { |
180 | } | 183 | copy_link(infname, outfname, mode, uid, gid); |
181 | else if (ftype == FTW_D) { | 184 | } |
182 | mkdir_attr(outfname, mode, uid, gid); | 185 | |
183 | } | 186 | return(0); |
184 | else if (ftype == FTW_SL) { | ||
185 | copy_link(infname, outfname, mode, uid, gid); | ||
186 | } | ||
187 | |||
188 | return(0); | ||
189 | } | 187 | } |
190 | 188 | ||
191 | static char *check(const char *src) { | 189 | static char *check(const char *src) { |
192 | struct stat s; | 190 | struct stat s; |
193 | char *rsrc = realpath(src, NULL); | 191 | char *rsrc = realpath(src, NULL); |
194 | if (!rsrc || stat(rsrc, &s) == -1) | 192 | if (!rsrc || stat(rsrc, &s) == -1) |
195 | goto errexit; | 193 | goto errexit; |
196 | 194 | ||
197 | // check uid | 195 | // check uid |
198 | if (s.st_uid != getuid() || s.st_gid != getgid()) | 196 | if (s.st_uid != getuid() || s.st_gid != getgid()) |
199 | goto errexit; | 197 | goto errexit; |
200 | 198 | ||
201 | // dir, link, regular file | 199 | // dir, link, regular file |
202 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | 200 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) |
203 | return rsrc; // normal exit from the function | 201 | return rsrc; // normal exit from the function |
204 | 202 | ||
205 | errexit: | 203 | errexit: |
206 | fprintf(stderr, "Error fcopy: invalid file %s\n", src); | 204 | fprintf(stderr, "Error fcopy: invalid file %s\n", src); |
207 | exit(1); | 205 | exit(1); |
208 | } | 206 | } |
209 | 207 | ||
210 | static void duplicate_dir(const char *src, const char *dest, struct stat *s) { | 208 | static void duplicate_dir(const char *src, const char *dest, struct stat *s) { |
211 | (void) s; | 209 | (void) s; |
212 | char *rsrc = check(src); | 210 | char *rsrc = check(src); |
213 | char *rdest = check(dest); | 211 | char *rdest = check(dest); |
214 | inpath = rsrc; | 212 | inpath = rsrc; |
215 | outpath = rdest; | 213 | outpath = rdest; |
216 | 214 | ||
217 | // walk | 215 | // walk |
218 | if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { | 216 | if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { |
219 | fprintf(stderr, "Error: unable to copy file\n"); | 217 | fprintf(stderr, "Error: unable to copy file\n"); |
220 | exit(1); | 218 | exit(1); |
221 | } | 219 | } |
222 | 220 | ||
223 | free(rsrc); | 221 | free(rsrc); |
224 | free(rdest); | 222 | free(rdest); |
225 | } | 223 | } |
226 | 224 | ||
227 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { | 225 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { |
228 | char *rsrc = check(src); | 226 | char *rsrc = check(src); |
229 | char *rdest = check(dest); | 227 | char *rdest = check(dest); |
230 | uid_t uid = s->st_uid; | 228 | uid_t uid = s->st_uid; |
231 | gid_t gid = s->st_gid; | 229 | gid_t gid = s->st_gid; |
232 | mode_t mode = s->st_mode; | 230 | mode_t mode = s->st_mode; |
233 | 231 | ||
234 | // build destination file name | 232 | // build destination file name |
235 | char *name; | 233 | char *name; |
236 | char *ptr = strrchr(rsrc, '/'); | 234 | char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/'); |
237 | ptr++; | 235 | ptr++; |
238 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 236 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
239 | errExit("asprintf"); | 237 | errExit("asprintf"); |
240 | 238 | ||
241 | // copy | 239 | // copy |
242 | copy_file(rsrc, name, mode, uid, gid); | 240 | copy_file(rsrc, name, mode, uid, gid); |
243 | 241 | ||
244 | free(name); | 242 | free(name); |
245 | free(rsrc); | 243 | free(rsrc); |
246 | free(rdest); | 244 | free(rdest); |
247 | } | 245 | } |
248 | 246 | ||
249 | static void duplicate_link(const char *src, const char *dest, struct stat *s) { | 247 | static void duplicate_link(const char *src, const char *dest, struct stat *s) { |
250 | char *rsrc = check(src); // we drop the result and use the original name | 248 | char *rsrc = check(src); // we drop the result and use the original name |
251 | char *rdest = check(dest); | 249 | char *rdest = check(dest); |
252 | uid_t uid = s->st_uid; | 250 | uid_t uid = s->st_uid; |
253 | gid_t gid = s->st_gid; | 251 | gid_t gid = s->st_gid; |
254 | mode_t mode = s->st_mode; | 252 | mode_t mode = s->st_mode; |
255 | 253 | ||
256 | // build destination file name | 254 | // build destination file name |
257 | char *name; | 255 | char *name; |
258 | // char *ptr = strrchr(rsrc, '/'); | 256 | // char *ptr = strrchr(rsrc, '/'); |
259 | char *ptr = strrchr(src, '/'); | 257 | char *ptr = strrchr(src, '/'); |
260 | ptr++; | 258 | ptr++; |
261 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 259 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
262 | errExit("asprintf"); | 260 | errExit("asprintf"); |
263 | 261 | ||
264 | // copy | 262 | // copy |
265 | copy_link(rsrc, name, mode, uid, gid); | 263 | copy_link(rsrc, name, mode, uid, gid); |
266 | 264 | ||
267 | free(name); | 265 | free(name); |
268 | free(rsrc); | 266 | free(rsrc); |
269 | free(rdest); | 267 | free(rdest); |
270 | } | 268 | } |
271 | 269 | ||
272 | static void usage(void) { | 270 | static void usage(void) { |
273 | printf("Usage: fcopy src dest\n"); | 271 | fputs("Usage: fcopy [--follow-link] src dest\n" |
274 | printf("Copy src file in dest directory. If src is a directory, copy all the files in\n"); | 272 | "\n" |
275 | printf("src recoursively. If the destination directory does not exist, it will be created.\n"); | 273 | "Copy SRC to DEST/SRC. SRC may be a file, directory, or symbolic link.\n" |
274 | "If SRC is a directory it is copied recursively. If it is a symlink,\n" | ||
275 | "the link itself is duplicated, unless --follow-link is given,\n" | ||
276 | "in which case the destination of the link is copied.\n" | ||
277 | "DEST must already exist and must be a directory.\n", stderr); | ||
276 | } | 278 | } |
277 | 279 | ||
278 | int main(int argc, char **argv) { | 280 | int main(int argc, char **argv) { |
@@ -285,56 +287,70 @@ for (i = 0; i < argc; i++) | |||
285 | printf("\n"); | 287 | printf("\n"); |
286 | } | 288 | } |
287 | #endif | 289 | #endif |
288 | if (argc != 3) { | 290 | char *src; |
289 | fprintf(stderr, "Error fcopy: files missing\n"); | 291 | char *dest; |
290 | usage(); | 292 | |
291 | exit(1); | 293 | if (argc == 3) { |
292 | } | 294 | src = argv[1]; |
293 | 295 | dest = argv[2]; | |
294 | // check the two files; remove ending / | 296 | arg_follow_link = 0; |
295 | char *src = argv[1]; | 297 | } |
296 | int len = strlen(src); | 298 | else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { |
297 | if (src[len - 1] == '/') | 299 | src = argv[2]; |
298 | src[len - 1] = '\0'; | 300 | dest = argv[3]; |
299 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { | 301 | arg_follow_link = 1; |
300 | fprintf(stderr, "Error fcopy: invalid file name %s\n", src); | 302 | } |
301 | exit(1); | 303 | else { |
302 | } | 304 | fprintf(stderr, "Error: arguments missing\n"); |
303 | 305 | usage(); | |
304 | char *dest = argv[2]; | 306 | exit(1); |
305 | len = strlen(dest); | 307 | } |
306 | if (dest[len - 1] == '/') | 308 | |
307 | dest[len - 1] = '\0'; | 309 | // check the two files; remove ending / |
308 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { | 310 | int len = strlen(src); |
309 | fprintf(stderr, "Error fcopy: invalid file name %s\n", dest); | 311 | if (src[len - 1] == '/') |
310 | exit(1); | 312 | src[len - 1] = '\0'; |
311 | } | 313 | if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { |
312 | 314 | fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); | |
313 | 315 | exit(1); | |
314 | // the destination should be a directory; | 316 | } |
315 | struct stat s; | 317 | |
316 | if (stat(dest, &s) == -1 || | 318 | len = strlen(dest); |
317 | !S_ISDIR(s.st_mode)) { | 319 | if (dest[len - 1] == '/') |
318 | fprintf(stderr, "Error fcopy: invalid destination directory\n"); | 320 | dest[len - 1] = '\0'; |
319 | exit(1); | 321 | if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { |
320 | } | 322 | fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); |
321 | 323 | exit(1); | |
322 | // copy files | 324 | } |
323 | if (lstat(src, &s) == -1) { | 325 | |
324 | fprintf(stderr, "Error fcopy: cannot find source file\n"); | 326 | |
325 | exit(1); | 327 | // the destination should be a directory; |
326 | } | 328 | struct stat s; |
327 | 329 | if (stat(dest, &s) == -1) { | |
328 | if (S_ISDIR(s.st_mode)) | 330 | fprintf(stderr, "Error fcopy: dest dir %s: %s\n", dest, strerror(errno)); |
329 | duplicate_dir(src, dest, &s); | 331 | exit(1); |
330 | else if (S_ISREG(s.st_mode)) | 332 | } |
331 | duplicate_file(src, dest, &s); | 333 | if (!S_ISDIR(s.st_mode)) { |
332 | else if (S_ISLNK(s.st_mode)) | 334 | fprintf(stderr, "Error fcopy: dest %s is not a directory\n", dest); |
333 | duplicate_link(src, dest, &s); | 335 | exit(1); |
334 | else { | 336 | } |
335 | fprintf(stderr, "Error fcopy: source file unsupported\n"); | 337 | |
336 | exit(1); | 338 | // copy files |
337 | } | 339 | if ((arg_follow_link ? stat : lstat)(src, &s) == -1) { |
338 | 340 | fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); | |
339 | return 0; | 341 | exit(1); |
342 | } | ||
343 | |||
344 | if (S_ISDIR(s.st_mode)) | ||
345 | duplicate_dir(src, dest, &s); | ||
346 | else if (S_ISREG(s.st_mode)) | ||
347 | duplicate_file(src, dest, &s); | ||
348 | else if (S_ISLNK(s.st_mode)) | ||
349 | duplicate_link(src, dest, &s); | ||
350 | else { | ||
351 | fprintf(stderr, "Error fcopy: src %s is an unsupported type of file\n", src); | ||
352 | exit(1); | ||
353 | } | ||
354 | |||
355 | return 0; | ||
340 | } | 356 | } |
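--- /dev/null
+++ b/src/fgit/fgit-install.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --enable-git-install
+make
+sudo make install-strip
+echo "**********************************************************************"
+echo "Mainline git Firejail version was installed in /usr/local."
+echo "If you want to remove it, run"
+echo
+echo " firejail --git-uninstall"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail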
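Review bot: The clone lands in the fixed path /tmp/firejail and `sudo make install-strip` then builds and installs from that directory; the comment on the `cd /tmp` line expects a private tmpfs there but nothing verifies it, and on a shared /tmp a pre-existing or swapped-in /tmp/firejail is indistinguishable from the fresh clone, so the privileged install step trusts whatever is in it. Cloning into a private directory removes that ambiguity: replace `cd /tmp` with `dir=$(mktemp -d) && cd "$dir"` and clean up that same path at the end. The closing `cd ..` / `rm -rf firejail` is also skipped whenever an earlier command fails under `set -e`, leaving the clone behind, so a `trap 'rm -rf "$dir"' EXIT` right after the mktemp line keeps the cleanup on every exit path. fgit-uninstall.sh uses the same fixed path and the same tail and would take the same change.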
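--- /dev/null
+++ b/src/fgit/fgit-uninstall.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
+#
+
+set -e # exit immediately if one of the commands fails
+cd /tmp # by the time we start this, we should have a tmpfs mounted on top of /tmp
+git clone --depth=1 https://www.github.com/netblue30/firejail.git
+cd firejail
+./configure --enable-git-install
+sudo make uninstall
+echo "**********************************************************************"
+echo "Firejail mainline git version uninstalled from /usr/local"
+echo
+echo "**********************************************************************"
+cd ..
+rm -rf firejail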
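Review bot: The header comment on line 2 is copied verbatim from fgit-install.sh and says the script fetches, compiles and installs, whereas this script only configures the clone and runs `sudo make uninstall`. Suggested wording: `# Purpose: Fetch and configure firejail from GitHub source, then run "make uninstall" to remove the installed copy. Package-manager agnostic.`. The fixed /tmp/firejail clone path and the cleanup that is skipped on failure, raised on fgit-install.sh, apply to this file unchanged.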
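--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -80,7 +80,7 @@ xchat
 
 # dns
 dnscrypt-proxy
-dnsmaq
+dnsmasq
 unbound
 
 # emulators/compatibility layers
@@ -135,6 +135,7 @@ spotify
 totem
 vlc
 xfburn
+xmms
 xplayer
 xviewer
 eom
@@ -184,14 +185,14 @@ eog
 # other
 atom
 atom-beta
-gpa
-gpg
 ranger
 keepass
 keepass2
 keepassx
 keepassx2
 pluma
+Thunar
+thunar
 tracker
 wireshark
 xiphos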
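--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+* Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com)
 *
 * This file is part of firejail project
 *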
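--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -22,13 +22,14 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h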
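--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *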
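--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *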
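--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *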
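--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -435,15 +435,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 if (setregid(0, 0))
 errExit("setregid");
 
-if (!cfg.shell)
-cfg.shell = guess_shell();
-if (!cfg.shell) {
-fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n");
-exit(1);
-}
-
 char *arg[4];
-arg[0] = cfg.shell;
+arg[0] = "/bin/sh";
 arg[1] = "-c";
 arg[2] = cmd;
 arg[3] = NULL;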
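Review bot: The new `arg[0] = "/bin/sh";` replaces the user-selectable `cfg.shell` on a path that runs right after `setregid(0, 0)`, i.e. presumably with root privileges, and nothing in the hunk records why the configurable shell is no longer honoured here; without a comment the next maintainer may reinstate it. Suggested line above the assignment: `// fixed interpreter: this runs with root privileges, so the user-chosen --shell is deliberately not used here`. If the same literal is hard-coded in other privileged paths, a single `#define` would keep it in one place, though no other use is visible in this hunk. bandwidth_pid begins outside the hunk and the exec call that consumes `arg[]` is not visible, so how `cmd` is built cannot be checked from here.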
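--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016Firejail Authors
+* Copyright (C) 2014-2017Firejail Authors
 *
 * This file is part of firejail project
 *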
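--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *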
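--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -124,12 +124,21 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// follow symlink as user
+else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
+if (strcmp(ptr + 23, "yes") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
+else if (strcmp(ptr + 23, "no") == 0)
+cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
+else
+goto errout;
+}
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
-cfg_val[CFG_SECCOMP] = 1;
+cfg_val[CFG_FORCE_NONEWPRIVS] = 1;
 else if (strcmp(ptr + 17, "no") == 0)
-cfg_val[CFG_SECCOMP] = 0;
+cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
 else
 goto errout;
 }
@@ -351,6 +360,13 @@ void print_compiletime_support(void) {
 #endif
 );
 
+printf("\t- git install support is %s\n",
+#ifdef HAVE_GIT_INSTALL
+"enabled"
+#else
+"disabled"
+#endif
+);
 
 #ifdef HAVE_NETWORK_RESTRICTED
 printf("\t- networking features are available only to root user\n");
@@ -395,4 +411,5 @@ void print_compiletime_support(void) {
 "disabled"
 #endif
 );
+
 }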
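Review bot: The new follow-symlink-as-user branch hand-counts the key length as the literal 23 in three places (the `strncmp` length and both `ptr + 23` offsets), copying the pattern of the neighbouring branches; a miscounted literal would make the value be read from the wrong offset and fall through to `errout` or match the wrong text, and the only check on the count is the reader's. Deriving the offset from the key removes that class of slip: `static const char key[] = "follow-symlink-as-user ";`, then `else if (strncmp(ptr, key, sizeof key - 1) == 0) {` and `ptr + sizeof key - 1` for the value. The compile-time support hunk further down adds the git-install printf in the same shape as its neighbours and needs nothing. checkcfg starts outside the hunk, so the default assigned to CFG_FOLLOW_SYMLINK_AS_USER when the key is absent cannot be seen here.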
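--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *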
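--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *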
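--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *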
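--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2014-2016 Firejail Authors
+* Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -105,7 +105,7 @@
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
 do { \
 struct stat s;\
-if (stat(fd, &s) == -1) errExit("stat");\
+if (fstat(fd, &s) == -1) errExit("fstat");\
 assert(s.st_uid == uid);\
 assert(s.st_gid == gid);\
 assert((s.st_mode & 07777) == (mode));\
@@ -213,6 +213,7 @@ typedef struct config_t {
 // networking
 char *name; // sandbox name
 char *hostname; // host name
+char *hosts_file; // hosts file to be installed in the sandbox
 uint32_t defaultgw; // default gateway
 Bridge bridge0;
 Bridge bridge1;
@@ -317,6 +318,7 @@ extern int arg_netfilter; // enable netfilter
 extern int arg_netfilter6; // enable netfilter6
 extern char *arg_netfilter_file; // netfilter file
 extern char *arg_netfilter6_file; // netfilter file
+extern char *arg_netns; // "ip netns"-created network namespace to use
 extern int arg_doubledash; // double dash
 extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
@@ -336,6 +338,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_writable_var; // writable var
+extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_audit; // audit
 extern char *arg_audit_prog; // audit
@@ -403,7 +406,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
 void fs_chroot(const char *rootdir);
-int fs_check_chroot_dir(const char *rootdir);
+void fs_check_chroot_dir(const char *rootdir);
 
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -450,6 +453,9 @@ void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *line_remove_spaces(const char *buf);
@@ -534,6 +540,9 @@ void fs_trace(void);
 // fs_hostname.c
 void fs_hostname(const char *hostname);
 void fs_resolvconf(void);
+char *fs_check_hosts_fiile(const char *fname);
+void fs_store_hosts_file(void);
+void fs_mount_hosts_file(void);
 
 // rlimit.c
 void set_rlimits(void);
@@ -558,6 +567,11 @@ void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
 
+// netns.c
+void check_netns(const char *nsname);
+void netns(const char *nsname);
+void netns_mounts(const char *nsname);
+
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
@@ -622,6 +636,8 @@ void run_symlink(int argc, char **argv);
 
 // paths.c
 char **build_paths(void);
+unsigned int count_paths(void);
+int program_in_path(const char *program);
 
 // fs_mkdir.c
 void fs_mkdir(const char *name);
@@ -664,6 +680,7 @@ enum {
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_FIREJAIL_PROMPT,
+CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -706,5 +723,9 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 int sbox_run(unsigned filter, int num, ...);
 
 
+// git.c
+void git_install();
+void git_uninstall();
+
 #endif
 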
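Review bot: The new prototype `char *fs_check_hosts_fiile(const char *fname);` in the fs_hostname.c hunk misspells the function name, and because every caller compiles against this declaration the typo will be cemented into the definition and call sites unless fixed now; it should read `char *fs_check_hosts_file(const char *fname);`. In the last hunk `void git_install();` and `void git_uninstall();` are declared with empty parentheses, which in C leaves the argument list unchecked; the rest of this header writes `(void)`, so `void git_install(void);` and `void git_uninstall(void);` would be consistent and let the compiler reject a stray argument. The three new copy_file_as_user / copy_file_from_user_to_root / touch_file_as_user declarations in the util hunk carry no comment, unlike `fs_chroot` above them; a one-line note on which identity each runs under would help, since their behaviour cannot be read from the header.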
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e2fc09533..c386f70cf 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -20,6 +20,7 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/wait.h> | ||
23 | #include <linux/limits.h> | 24 | #include <linux/limits.h> |
24 | #include <fnmatch.h> | 25 | #include <fnmatch.h> |
25 | #include <glob.h> | 26 | #include <glob.h> |
@@ -288,26 +289,35 @@ void fs_blacklist(void) { | |||
288 | 289 | ||
289 | // Process noblacklist command | 290 | // Process noblacklist command |
290 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { | 291 | if (strncmp(entry->data, "noblacklist ", 12) == 0) { |
291 | char **paths = build_paths(); | 292 | char **enames; |
292 | 293 | int i; | |
293 | char *enames[sizeof(paths)+1] = {0}; | ||
294 | int i = 0; | ||
295 | 294 | ||
296 | if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { | 295 | if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { |
297 | // expand ${PATH} macro | 296 | // expand ${PATH} macro |
298 | while (paths[i] != NULL) { | 297 | char **paths = build_paths(); |
299 | if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1) | 298 | unsigned int npaths = count_paths(); |
299 | enames = calloc(npaths, sizeof(char *)); | ||
300 | if (!enames) | ||
301 | errExit("calloc"); | ||
302 | |||
303 | for (i = 0; paths[i]; i++) { | ||
304 | if (asprintf(&enames[i], "%s%s", paths[i], | ||
305 | entry->data + 19) == -1) | ||
300 | errExit("asprintf"); | 306 | errExit("asprintf"); |
301 | i++; | ||
302 | } | 307 | } |
303 | } else { | 308 | assert(enames[npaths-1] == 0); |
309 | |||
310 | } | ||
311 | else { | ||
304 | // expand ${HOME} macro if found or pass as is | 312 | // expand ${HOME} macro if found or pass as is |
313 | enames = calloc(2, sizeof(char *)); | ||
314 | if (!enames) | ||
315 | errExit("calloc"); | ||
305 | enames[0] = expand_home(entry->data + 12, homedir); | 316 | enames[0] = expand_home(entry->data + 12, homedir); |
306 | enames[1] = NULL; | 317 | assert(enames[1] == 0); |
307 | } | 318 | } |
308 | 319 | ||
309 | i = 0; | 320 | for (i = 0; enames[i]; i++) { |
310 | while (enames[i] != NULL) { | ||
311 | if (noblacklist_c >= noblacklist_m) { | 321 | if (noblacklist_c >= noblacklist_m) { |
312 | noblacklist_m *= 2; | 322 | noblacklist_m *= 2; |
313 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); | 323 | noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); |
@@ -315,12 +325,9 @@ void fs_blacklist(void) { | |||
315 | errExit("failed increasing memory for noblacklist entries"); | 325 | errExit("failed increasing memory for noblacklist entries"); |
316 | } | 326 | } |
317 | noblacklist[noblacklist_c++] = enames[i]; | 327 | noblacklist[noblacklist_c++] = enames[i]; |
318 | i++; | ||
319 | } | 328 | } |
320 | 329 | ||
321 | while (enames[i] != NULL) { | 330 | free(enames); |
322 | free(enames[i]); | ||
323 | } | ||
324 | 331 | ||
325 | entry = entry->next; | 332 | entry = entry->next; |
326 | continue; | 333 | continue; |
@@ -571,58 +578,6 @@ void fs_proc_sys_dev_boot(void) { | |||
571 | } | 578 | } |
572 | free(fname); | 579 | free(fname); |
573 | 580 | ||
574 | // todo: investigate | ||
575 | #if 0 | ||
576 | // breaks too many applications, option needed | ||
577 | /* // disable /run/user/{uid}/bus */ | ||
578 | /* char *fnamebus; */ | ||
579 | /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ | ||
580 | /* errExit("asprintf"); */ | ||
581 | /* if (stat(fnamebus, &s) == 0) */ | ||
582 | /* disable_file(BLACKLIST_FILE, fnamebus); */ | ||
583 | /* free(fnamebus); */ | ||
584 | |||
585 | // WARNING: not working | ||
586 | // disable /run/user/{uid}/kdeinit* | ||
587 | //char *fnamekde; | ||
588 | //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1) | ||
589 | // errExit("asprintf"); | ||
590 | //if (stat(fnamekde, &s) == 0) | ||
591 | // disable_file(BLACKLIST_FILE, fnamekde); | ||
592 | //free(fnamekde); | ||
593 | |||
594 | |||
595 | // disable /run/user/{uid}/pulse | ||
596 | /* char *fnamepulse; */ | ||
597 | /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */ | ||
598 | /* errExit("asprintf"); */ | ||
599 | /* if (stat(fnamepulse, &s) == 0) */ | ||
600 | /* disable_file(BLACKLIST_FILE, fnamepulse); */ | ||
601 | /* free(fnamepulse); */ | ||
602 | |||
603 | // disable /run/user/{uid}/dconf | ||
604 | /* char *fnamedconf; */ | ||
605 | /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */ | ||
606 | /* errExit("asprintf"); */ | ||
607 | /* if (stat(fnamedconf, &s) == 0) */ | ||
608 | /* disable_file(BLACKLIST_FILE, fnamedconf); */ | ||
609 | /* free(fnamedconf); */ | ||
610 | |||
611 | |||
612 | // dirs in /run/user/{uid}/ | ||
613 | // using gnome: | ||
614 | // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd | ||
615 | |||
616 | // using kde: | ||
617 | // kdeinit__0, ... | ||
618 | |||
619 | // more files with sockets to be blacklisted | ||
620 | // /run/dbus /run/systemd /run/udev /run/lvm | ||
621 | |||
622 | // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications | ||
623 | |||
624 | #endif | ||
625 | |||
626 | if (getuid() != 0) { | 581 | if (getuid() != 0) { |
627 | // disable /dev/kmsg and /proc/kmsg | 582 | // disable /dev/kmsg and /proc/kmsg |
628 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); | 583 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); |
@@ -681,11 +636,13 @@ void fs_basic_fs(void) { | |||
681 | fs_rdonly("/usr"); | 636 | fs_rdonly("/usr"); |
682 | 637 | ||
683 | // update /var directory in order to support multiple sandboxes running on the same root directory | 638 | // update /var directory in order to support multiple sandboxes running on the same root directory |
684 | // if (!arg_private_dev) | ||
685 | // fs_dev_shm(); | ||
686 | fs_var_lock(); | 639 | fs_var_lock(); |
687 | fs_var_tmp(); | 640 | fs_var_tmp(); |
688 | fs_var_log(); | 641 | if (!arg_writable_var_log) |
642 | fs_var_log(); | ||
643 | else | ||
644 | fs_rdwr("/var/log"); | ||
645 | |||
689 | fs_var_lib(); | 646 | fs_var_lib(); |
690 | fs_var_cache(); | 647 | fs_var_cache(); |
691 | fs_var_utmp(); | 648 | fs_var_utmp(); |
@@ -711,10 +668,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
711 | // create ~/.firejail directory | 668 | // create ~/.firejail directory |
712 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 669 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
713 | errExit("asprintf"); | 670 | errExit("asprintf"); |
671 | |||
672 | if (is_link(dirname)) { | ||
673 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | ||
674 | exit(1); | ||
675 | } | ||
714 | if (stat(dirname, &s) == -1) { | 676 | if (stat(dirname, &s) == -1) { |
715 | mkdir_attr(dirname, 0700, 0, 0); | 677 | // create directory |
678 | pid_t child = fork(); | ||
679 | if (child < 0) | ||
680 | errExit("fork"); | ||
681 | if (child == 0) { | ||
682 | // drop privileges | ||
683 | drop_privs(0); | ||
684 | |||
685 | // create directory | ||
686 | if (mkdir(dirname, 0700)) | ||
687 | errExit("mkdir"); | ||
688 | if (chmod(dirname, 0700) == -1) | ||
689 | errExit("chmod"); | ||
690 | ASSERT_PERMS(dirname, getuid(), getgid(), 0700); | ||
691 | _exit(0); | ||
692 | } | ||
693 | // wait for the child to finish | ||
694 | waitpid(child, NULL, 0); | ||
695 | if (stat(dirname, &s) == -1) { | ||
696 | fprintf(stderr, "Error: cannot create ~/.firejail directory\n"); | ||
697 | exit(1); | ||
698 | } | ||
716 | } | 699 | } |
717 | else if (is_link(dirname)) { | 700 | else if (s.st_uid != getuid()) { |
718 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | 701 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); |
719 | exit(1); | 702 | exit(1); |
720 | } | 703 | } |
@@ -969,7 +952,11 @@ void fs_overlayfs(void) { | |||
969 | // fs_dev_shm(); | 952 | // fs_dev_shm(); |
970 | fs_var_lock(); | 953 | fs_var_lock(); |
971 | fs_var_tmp(); | 954 | fs_var_tmp(); |
972 | fs_var_log(); | 955 | if (!arg_writable_var_log) |
956 | fs_var_log(); | ||
957 | else | ||
958 | fs_rdwr("/var/log"); | ||
959 | |||
973 | fs_var_lib(); | 960 | fs_var_lib(); |
974 | fs_var_cache(); | 961 | fs_var_cache(); |
975 | fs_var_utmp(); | 962 | fs_var_utmp(); |
@@ -994,20 +981,25 @@ void fs_overlayfs(void) { | |||
994 | 981 | ||
995 | #ifdef HAVE_CHROOT | 982 | #ifdef HAVE_CHROOT |
996 | // return 1 if error | 983 | // return 1 if error |
997 | int fs_check_chroot_dir(const char *rootdir) { | 984 | void fs_check_chroot_dir(const char *rootdir) { |
998 | EUID_ASSERT(); | 985 | EUID_ASSERT(); |
999 | assert(rootdir); | 986 | assert(rootdir); |
1000 | struct stat s; | 987 | struct stat s; |
1001 | char *name; | 988 | char *name; |
1002 | 989 | ||
990 | if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) { | ||
991 | fprintf(stderr, "Error: invalid chroot directory\n"); | ||
992 | exit(1); | ||
993 | } | ||
994 | |||
1003 | // rootdir has to be owned by root | 995 | // rootdir has to be owned by root |
1004 | if (stat(rootdir, &s) != 0) { | 996 | if (stat(rootdir, &s) != 0) { |
1005 | fprintf(stderr, "Error: cannot find chroot directory\n"); | 997 | fprintf(stderr, "Error: cannot find chroot directory\n"); |
1006 | return 1; | 998 | exit(1); |
1007 | } | 999 | } |
1008 | if (s.st_uid != 0) { | 1000 | if (s.st_uid != 0) { |
1009 | fprintf(stderr, "Error: chroot directory should be owned by root\n"); | 1001 | fprintf(stderr, "Error: chroot directory should be owned by root\n"); |
1010 | return 1; | 1002 | exit(1); |
1011 | } | 1003 | } |
1012 | 1004 | ||
1013 | // check /dev | 1005 | // check /dev |
@@ -1015,7 +1007,11 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1015 | errExit("asprintf"); | 1007 | errExit("asprintf"); |
1016 | if (stat(name, &s) == -1) { | 1008 | if (stat(name, &s) == -1) { |
1017 | fprintf(stderr, "Error: cannot find /dev in chroot directory\n"); | 1009 | fprintf(stderr, "Error: cannot find /dev in chroot directory\n"); |
1018 | return 1; | 1010 | exit(1); |
1011 | } | ||
1012 | if (s.st_uid != 0) { | ||
1013 | fprintf(stderr, "Error: chroot /dev directory should be owned by root\n"); | ||
1014 | exit(1); | ||
1019 | } | 1015 | } |
1020 | free(name); | 1016 | free(name); |
1021 | 1017 | ||
@@ -1024,7 +1020,11 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1024 | errExit("asprintf"); | 1020 | errExit("asprintf"); |
1025 | if (stat(name, &s) == -1) { | 1021 | if (stat(name, &s) == -1) { |
1026 | fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n"); | 1022 | fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n"); |
1027 | return 1; | 1023 | exit(1); |
1024 | } | ||
1025 | if (s.st_uid != 0) { | ||
1026 | fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n"); | ||
1027 | exit(1); | ||
1028 | } | 1028 | } |
1029 | free(name); | 1029 | free(name); |
1030 | 1030 | ||
@@ -1033,7 +1033,11 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1033 | errExit("asprintf"); | 1033 | errExit("asprintf"); |
1034 | if (stat(name, &s) == -1) { | 1034 | if (stat(name, &s) == -1) { |
1035 | fprintf(stderr, "Error: cannot find /proc in chroot directory\n"); | 1035 | fprintf(stderr, "Error: cannot find /proc in chroot directory\n"); |
1036 | return 1; | 1036 | exit(1); |
1037 | } | ||
1038 | if (s.st_uid != 0) { | ||
1039 | fprintf(stderr, "Error: chroot /proc directory should be owned by root\n"); | ||
1040 | exit(1); | ||
1037 | } | 1041 | } |
1038 | free(name); | 1042 | free(name); |
1039 | 1043 | ||
@@ -1042,18 +1046,41 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1042 | errExit("asprintf"); | 1046 | errExit("asprintf"); |
1043 | if (stat(name, &s) == -1) { | 1047 | if (stat(name, &s) == -1) { |
1044 | fprintf(stderr, "Error: cannot find /tmp in chroot directory\n"); | 1048 | fprintf(stderr, "Error: cannot find /tmp in chroot directory\n"); |
1045 | return 1; | 1049 | exit(1); |
1050 | } | ||
1051 | if (s.st_uid != 0) { | ||
1052 | fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n"); | ||
1053 | exit(1); | ||
1054 | } | ||
1055 | free(name); | ||
1056 | |||
1057 | // check /etc | ||
1058 | if (asprintf(&name, "%s/etc", rootdir) == -1) | ||
1059 | errExit("asprintf"); | ||
1060 | if (stat(name, &s) == -1) { | ||
1061 | fprintf(stderr, "Error: cannot find /etc in chroot directory\n"); | ||
1062 | exit(1); | ||
1063 | } | ||
1064 | if (s.st_uid != 0) { | ||
1065 | fprintf(stderr, "Error: chroot /etc directory should be owned by root\n"); | ||
1066 | exit(1); | ||
1046 | } | 1067 | } |
1047 | free(name); | 1068 | free(name); |
1048 | 1069 | ||
1049 | // check /bin/bash | 1070 | // check /etc/resolv.conf |
1050 | // if (asprintf(&name, "%s/bin/bash", rootdir) == -1) | 1071 | if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1) |
1051 | // errExit("asprintf"); | 1072 | errExit("asprintf"); |
1052 | // if (stat(name, &s) == -1) { | 1073 | if (stat(name, &s) == 0) { |
1053 | // fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); | 1074 | if (s.st_uid != 0) { |
1054 | // return 1; | 1075 | fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n"); |
1055 | // } | 1076 | exit(1); |
1056 | // free(name); | 1077 | } |
1078 | } | ||
1079 | if (is_link(name)) { | ||
1080 | fprintf(stderr, "Error: invalid %s file\n", name); | ||
1081 | exit(1); | ||
1082 | } | ||
1083 | free(name); | ||
1057 | 1084 | ||
1058 | // check x11 socket directory | 1085 | // check x11 socket directory |
1059 | if (getenv("FIREJAIL_X11")) { | 1086 | if (getenv("FIREJAIL_X11")) { |
@@ -1063,12 +1090,14 @@ int fs_check_chroot_dir(const char *rootdir) { | |||
1063 | errExit("asprintf"); | 1090 | errExit("asprintf"); |
1064 | if (stat(name, &s) == -1) { | 1091 | if (stat(name, &s) == -1) { |
1065 | fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); | 1092 | fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); |
1066 | return 1; | 1093 | exit(1); |
1094 | } | ||
1095 | if (s.st_uid != 0) { | ||
1096 | fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n"); | ||
1097 | exit(1); | ||
1067 | } | 1098 | } |
1068 | free(name); | 1099 | free(name); |
1069 | } | 1100 | } |
1070 | |||
1071 | return 0; | ||
1072 | } | 1101 | } |
1073 | 1102 | ||
1074 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf | 1103 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf |
@@ -1099,10 +1128,16 @@ void fs_chroot(const char *rootdir) { | |||
1099 | free(newx11); | 1128 | free(newx11); |
1100 | } | 1129 | } |
1101 | 1130 | ||
1131 | // some older distros don't have a /run directory | ||
1132 | // create one by default | ||
1102 | // create /run/firejail directory in chroot | 1133 | // create /run/firejail directory in chroot |
1103 | char *rundir; | 1134 | char *rundir; |
1104 | if (asprintf(&rundir, "%s/run", rootdir) == -1) | 1135 | if (asprintf(&rundir, "%s/run", rootdir) == -1) |
1105 | errExit("asprintf"); | 1136 | errExit("asprintf"); |
1137 | if (is_link(rundir)) { | ||
1138 | fprintf(stderr, "Error: invalid run directory inside chroot\n"); | ||
1139 | exit(1); | ||
1140 | } | ||
1106 | create_empty_dir_as_root(rundir, 0755); | 1141 | create_empty_dir_as_root(rundir, 0755); |
1107 | free(rundir); | 1142 | free(rundir); |
1108 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) | 1143 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) |
@@ -1129,7 +1164,7 @@ void fs_chroot(const char *rootdir) { | |||
1129 | fprintf(stderr, "Error: invalid %s file\n", fname); | 1164 | fprintf(stderr, "Error: invalid %s file\n", fname); |
1130 | exit(1); | 1165 | exit(1); |
1131 | } | 1166 | } |
1132 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) | 1167 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed |
1133 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); | 1168 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); |
1134 | } | 1169 | } |
1135 | 1170 | ||
@@ -1151,7 +1186,11 @@ void fs_chroot(const char *rootdir) { | |||
1151 | // fs_dev_shm(); | 1186 | // fs_dev_shm(); |
1152 | fs_var_lock(); | 1187 | fs_var_lock(); |
1153 | fs_var_tmp(); | 1188 | fs_var_tmp(); |
1154 | fs_var_log(); | 1189 | if (!arg_writable_var_log) |
1190 | fs_var_log(); | ||
1191 | else | ||
1192 | fs_rdwr("/var/log"); | ||
1193 | |||
1155 | fs_var_lib(); | 1194 | fs_var_lib(); |
1156 | fs_var_cache(); | 1195 | fs_var_cache(); |
1157 | fs_var_utmp(); | 1196 | fs_var_utmp(); |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 7c56d524e..3473fca4c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -111,7 +111,7 @@ static void duplicate(char *fname) { | |||
111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
112 | 112 | ||
113 | // copy the file | 113 | // copy the file |
114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); |
115 | fs_logger2("clone", fname); | 115 | fs_logger2("clone", fname); |
116 | free(full_path); | 116 | free(full_path); |
117 | } | 117 | } |
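Review bot: The literal argument count `4` on new line 114 has to be kept in step with the argv entries that follow it, and nothing records why `--follow-link` is now passed; a comment above the call such as `// follow symlinks (many /bin entries are links); fcopy runs as root (SBOX_ROOT), so full_path must come from a trusted, root-owned PATH directory` would document both. Because fcopy resolves the link with root privileges, the safety of this call rests on how full_path is derived, which is outside this hunk and I cannot confirm here. duplicate()'s body starts outside the hunk.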
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index d710e98f2..fd21e7515 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -28,6 +28,7 @@ | |||
28 | #ifndef _BSD_SOURCE | 28 | #ifndef _BSD_SOURCE |
29 | #define _BSD_SOURCE | 29 | #define _BSD_SOURCE |
30 | #endif | 30 | #endif |
31 | #include <sys/sysmacros.h> | ||
31 | #include <sys/types.h> | 32 | #include <sys/types.h> |
32 | 33 | ||
33 | typedef struct { | 34 | typedef struct { |
@@ -51,7 +52,7 @@ static DevEntry dev[] = { | |||
51 | {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1}, | 52 | {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1}, |
52 | {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1}, | 53 | {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1}, |
53 | {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1}, | 54 | {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1}, |
54 | {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1}, | 55 | {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1}, |
55 | {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1}, | 56 | {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1}, |
56 | {NULL, NULL, 0, 0} | 57 | {NULL, NULL, 0, 0} |
57 | }; | 58 | }; |
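Review bot: The new `#include <sys/sysmacros.h>` on line 31 carries no explanation; newer glibc no longer exposes makedev()/major()/minor() through `<sys/types.h>`, so a comment such as `#include <sys/sysmacros.h> // makedev(): not provided via <sys/types.h> on newer glibc` would record the motivation (I assume that is why it was added; the call site is outside this hunk). The `nvidia-modset` → `nvidia-modeset` rename on line 55 also changes which device node is actually matched, so it is a behaviour change for users of --private-dev rather than a cosmetic fix and deserves a mention in the changelog.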
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 479383af2..19c2210b3 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -31,8 +31,8 @@ void fs_machineid(void) { | |||
31 | uint32_t u32[4]; | 31 | uint32_t u32[4]; |
32 | } mid; | 32 | } mid; |
33 | 33 | ||
34 | // if --machine-id flag is active, do nothing | 34 | // if --machine-id flag is inactive, do nothing |
35 | if (arg_machineid) | 35 | if (arg_machineid == 0) |
36 | return; | 36 | return; |
37 | 37 | ||
38 | // init random number generator | 38 | // init random number generator |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 0872bf0d0..3364ef797 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -42,19 +42,17 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
42 | // don't copy it if we already have the file | 42 | // don't copy it if we already have the file |
43 | if (stat(fname, &s) == 0) | 43 | if (stat(fname, &s) == 0) |
44 | return; | 44 | return; |
45 | if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat | ||
46 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
47 | exit(1); | ||
48 | } | ||
45 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 49 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
46 | if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) { | 50 | copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user |
47 | fs_logger("clone /etc/skel/.zshrc"); | 51 | fs_logger("clone /etc/skel/.zshrc"); |
48 | } | ||
49 | } | 52 | } |
50 | else { // | 53 | else { |
51 | FILE *fp = fopen(fname, "w"); | 54 | touch_file_as_user(fname, u, g, 0644); |
52 | if (fp) { | 55 | fs_logger2("touch", fname); |
53 | fprintf(fp, "\n"); | ||
54 | SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); | ||
55 | fclose(fp); | ||
56 | fs_logger2("touch", fname); | ||
57 | } | ||
58 | } | 56 | } |
59 | free(fname); | 57 | free(fname); |
60 | } | 58 | } |
@@ -64,23 +62,21 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
64 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) | 62 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) |
65 | errExit("asprintf"); | 63 | errExit("asprintf"); |
66 | struct stat s; | 64 | struct stat s; |
65 | |||
67 | // don't copy it if we already have the file | 66 | // don't copy it if we already have the file |
68 | if (stat(fname, &s) == 0) | 67 | if (stat(fname, &s) == 0) |
69 | return; | 68 | return; |
69 | if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat | ||
70 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
71 | exit(1); | ||
72 | } | ||
70 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 73 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
71 | if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) { | 74 | copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user |
72 | fs_logger("clone /etc/skel/.cshrc"); | 75 | fs_logger("clone /etc/skel/.cshrc"); |
73 | } | ||
74 | } | 76 | } |
75 | else { // | 77 | else { |
76 | /* coverity[toctou] */ | 78 | touch_file_as_user(fname, u, g, 0644); |
77 | FILE *fp = fopen(fname, "w"); | 79 | fs_logger2("touch", fname); |
78 | if (fp) { | ||
79 | fprintf(fp, "\n"); | ||
80 | SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); | ||
81 | fclose(fp); | ||
82 | fs_logger2("touch", fname); | ||
83 | } | ||
84 | } | 80 | } |
85 | free(fname); | 81 | free(fname); |
86 | } | 82 | } |
@@ -93,10 +89,13 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
93 | // don't copy it if we already have the file | 89 | // don't copy it if we already have the file |
94 | if (stat(fname, &s) == 0) | 90 | if (stat(fname, &s) == 0) |
95 | return; | 91 | return; |
92 | if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat | ||
93 | fprintf(stderr, "Error: invalid %s file\n", fname); | ||
94 | exit(1); | ||
95 | } | ||
96 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 96 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
97 | if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) { | 97 | copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user |
98 | fs_logger("clone /etc/skel/.bashrc"); | 98 | fs_logger("clone /etc/skel/.bashrc"); |
99 | } | ||
100 | } | 99 | } |
101 | free(fname); | 100 | free(fname); |
102 | } | 101 | } |
@@ -106,6 +105,14 @@ static int store_xauthority(void) { | |||
106 | // put a copy of .Xauthority in XAUTHORITY_FILE | 105 | // put a copy of .Xauthority in XAUTHORITY_FILE |
107 | char *src; | 106 | char *src; |
108 | char *dest = RUN_XAUTHORITY_FILE; | 107 | char *dest = RUN_XAUTHORITY_FILE; |
108 | // create an empty file as root, and change ownership to user | ||
109 | FILE *fp = fopen(dest, "w"); | ||
110 | if (fp) { | ||
111 | fprintf(fp, "\n"); | ||
112 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | ||
113 | fclose(fp); | ||
114 | } | ||
115 | |||
109 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) | 116 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) |
110 | errExit("asprintf"); | 117 | errExit("asprintf"); |
111 | 118 | ||
@@ -115,12 +122,9 @@ static int store_xauthority(void) { | |||
115 | fprintf(stderr, "Warning: invalid .Xauthority file\n"); | 122 | fprintf(stderr, "Warning: invalid .Xauthority file\n"); |
116 | return 0; | 123 | return 0; |
117 | } | 124 | } |
118 | 125 | ||
119 | int rv = copy_file(src, dest, -1, -1, 0600); | 126 | copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user |
120 | if (rv) { | 127 | fs_logger2("clone", dest); |
121 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | ||
122 | return 0; | ||
123 | } | ||
124 | return 1; // file copied | 128 | return 1; // file copied |
125 | } | 129 | } |
126 | 130 | ||
@@ -128,8 +132,17 @@ static int store_xauthority(void) { | |||
128 | } | 132 | } |
129 | 133 | ||
130 | static int store_asoundrc(void) { | 134 | static int store_asoundrc(void) { |
135 | // put a copy of .Xauthority in XAUTHORITY_FILE | ||
131 | char *src; | 136 | char *src; |
132 | char *dest = RUN_ASOUNDRC_FILE; | 137 | char *dest = RUN_ASOUNDRC_FILE; |
138 | // create an empty file as root, and change ownership to user | ||
139 | FILE *fp = fopen(dest, "w"); | ||
140 | if (fp) { | ||
141 | fprintf(fp, "\n"); | ||
142 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); | ||
143 | fclose(fp); | ||
144 | } | ||
145 | |||
133 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) | 146 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) |
134 | errExit("asprintf"); | 147 | errExit("asprintf"); |
135 | 148 | ||
@@ -150,11 +163,8 @@ static int store_asoundrc(void) { | |||
150 | free(rp); | 163 | free(rp); |
151 | } | 164 | } |
152 | 165 | ||
153 | int rv = copy_file(src, dest, -1, -1, -0644); | 166 | copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user |
154 | if (rv) { | 167 | fs_logger2("clone", dest); |
155 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | ||
156 | return 0; | ||
157 | } | ||
158 | return 1; // file copied | 168 | return 1; // file copied |
159 | } | 169 | } |
160 | 170 | ||
@@ -167,13 +177,15 @@ static void copy_xauthority(void) { | |||
167 | char *dest; | 177 | char *dest; |
168 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) | 178 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) |
169 | errExit("asprintf"); | 179 | errExit("asprintf"); |
170 | // copy, set permissions and ownership | 180 | |
171 | int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); | 181 | // if destination is a symbolic link, exit the sandbox!!! |
172 | if (rv) | 182 | if (is_link(dest)) { |
173 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 183 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); |
174 | else { | 184 | exit(1); |
175 | fs_logger2("clone", dest); | ||
176 | } | 185 | } |
186 | |||
187 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | ||
188 | fs_logger2("clone", dest); | ||
177 | 189 | ||
178 | // delete the temporary file | 190 | // delete the temporary file |
179 | unlink(src); | 191 | unlink(src); |
@@ -185,14 +197,16 @@ static void copy_asoundrc(void) { | |||
185 | char *dest; | 197 | char *dest; |
186 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) | 198 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) |
187 | errExit("asprintf"); | 199 | errExit("asprintf"); |
188 | // copy, set permissions and ownership | 200 | |
189 | int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); | 201 | // if destination is a symbolic link, exit the sandbox!!! |
190 | if (rv) | 202 | if (is_link(dest)) { |
191 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | 203 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); |
192 | else { | 204 | exit(1); |
193 | fs_logger2("clone", dest); | ||
194 | } | 205 | } |
195 | 206 | ||
207 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | ||
208 | fs_logger2("clone", dest); | ||
209 | |||
196 | // delete the temporary file | 210 | // delete the temporary file |
197 | unlink(src); | 211 | unlink(src); |
198 | } | 212 | } |
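Review bot: The comment added at the top of store_asoundrc (new line 135, `// put a copy of .Xauthority in XAUTHORITY_FILE`) was copied from store_xauthority and is wrong for this function; it should read `// put a copy of .asoundrc in RUN_ASOUNDRC_FILE`. In both store_xauthority and store_asoundrc the root-side `fopen(dest, "w")` failure is silently skipped by `if (fp)`, after which copy_file_as_user is still invoked on a destination that may not exist or may not yet be user-owned; unless copy_file_as_user reports that itself (its body is not on this page), an `else errExit("fopen")` before the copy would keep the failure visible. The `fprintf(fp, "\n")` also leaves a newline in the run-dir file that the subsequent copy must overwrite, so a one-line comment stating that copy_file_as_user is expected to truncate the destination would make that assumption explicit.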
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index b2e1b4a99..535526409 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -42,7 +42,7 @@ void fs_hostname(const char *hostname) { | |||
42 | } | 42 | } |
43 | 43 | ||
44 | // create a new /etc/hosts | 44 | // create a new /etc/hosts |
45 | if (stat("/etc/hosts", &s) == 0) { | 45 | if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) { |
46 | if (arg_debug) | 46 | if (arg_debug) |
47 | printf("Creating a new /etc/hosts file\n"); | 47 | printf("Creating a new /etc/hosts file\n"); |
48 | // copy /etc/host into our new file, and modify it on the fly | 48 | // copy /etc/host into our new file, and modify it on the fly |
@@ -79,9 +79,7 @@ void fs_hostname(const char *hostname) { | |||
79 | fclose(fp2); | 79 | fclose(fp2); |
80 | 80 | ||
81 | // bind-mount the file on top of /etc/hostname | 81 | // bind-mount the file on top of /etc/hostname |
82 | if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) | 82 | fs_mount_hosts_file(); |
83 | errExit("mount bind /etc/hosts"); | ||
84 | fs_logger("create /etc/hosts"); | ||
85 | } | 83 | } |
86 | return; | 84 | return; |
87 | 85 | ||
@@ -129,4 +127,49 @@ void fs_resolvconf(void) { | |||
129 | } | 127 | } |
130 | } | 128 | } |
131 | 129 | ||
130 | char *fs_check_hosts_fiile(const char *fname) { | ||
131 | assert(fname); | ||
132 | invalid_filename(fname); | ||
133 | char *rv = expand_home(fname, cfg.homedir); | ||
134 | |||
135 | // no a link | ||
136 | if (is_link(rv)) | ||
137 | goto errexit; | ||
132 | 138 | ||
139 | // the user has read access to the file | ||
140 | if (access(rv, R_OK)) | ||
141 | goto errexit; | ||
142 | |||
143 | return rv; | ||
144 | errexit: | ||
145 | fprintf(stderr, "Error: invalid file %s\n", fname); | ||
146 | exit(1); | ||
147 | } | ||
148 | |||
149 | void fs_store_hosts_file(void) { | ||
150 | copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed | ||
151 | } | ||
152 | |||
153 | void fs_mount_hosts_file(void) { | ||
154 | // check /etc/hosts file | ||
155 | struct stat s; | ||
156 | if (stat("/etc/hosts", &s) == -1) | ||
157 | goto errexit; | ||
158 | // not a link | ||
159 | if (is_link("/etc/hosts")) | ||
160 | goto errexit; | ||
161 | // owned by root | ||
162 | if (s.st_uid != 0) | ||
163 | goto errexit; | ||
164 | |||
165 | // bind-mount the file on top of /etc/hostname | ||
166 | if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
167 | errExit("mount bind /etc/hosts"); | ||
168 | fs_logger("create /etc/hosts"); | ||
169 | return; | ||
170 | |||
171 | errexit: | ||
172 | fprintf(stderr, "Error: invalid /etc/hosts file\n"); | ||
173 | exit(1); | ||
174 | } | ||
175 | |||
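Review bot: The new function on line 130 is named `fs_check_hosts_fiile` (double i); since it is a freshly added symbol, renaming it to `fs_check_hosts_file` now is cheap and avoids carrying the typo into every caller. Two comments in the new code are also off: `// no a link` on line 135 should be `// not a link`, and `// bind-mount the file on top of /etc/hostname` on line 165 names the wrong target, since the mount below it covers `/etc/hosts`. fs_check_hosts_fiile validates the path (not a link, readable by the user) at one point in time, while fs_store_hosts_file later copies it with `copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644)`; if that helper opens the source as root (its body is not on this page), the source should be re-checked, or opened with the user's privileges, at copy time so the earlier check is not the only thing between a user-supplied path and a root read.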
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 052a41457..a2b6b317e 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 5b6ceae90..a0bda7443 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) { | |||
112 | } | 112 | } |
113 | 113 | ||
114 | // create file | 114 | // create file |
115 | pid_t child = fork(); | 115 | touch_file_as_user(expanded, getuid(), getgid(), 0600); |
116 | if (child < 0) | 116 | |
117 | errExit("fork"); | ||
118 | if (child == 0) { | ||
119 | // drop privileges | ||
120 | drop_privs(0); | ||
121 | |||
122 | /* coverity[toctou] */ | ||
123 | FILE *fp = fopen(expanded, "w"); | ||
124 | if (!fp) | ||
125 | fprintf(stderr, "Warning: cannot create %s file\n", expanded); | ||
126 | else { | ||
127 | int fd = fileno(fp); | ||
128 | if (fd == -1) | ||
129 | errExit("fileno"); | ||
130 | int rv = fchmod(fd, 0600); | ||
131 | (void) rv; | ||
132 | fclose(fp); | ||
133 | } | ||
134 | #ifdef HAVE_GCOV | ||
135 | __gcov_flush(); | ||
136 | #endif | ||
137 | _exit(0); | ||
138 | } | ||
139 | // wait for the child to finish | ||
140 | waitpid(child, NULL, 0); | ||
141 | |||
142 | doexit: | 117 | doexit: |
143 | free(expanded); | 118 | free(expanded); |
144 | } | 119 | } |
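Review bot: The replacement `touch_file_as_user(expanded, getuid(), getgid(), 0600)` on new line 115 drops the `Warning: cannot create %s file` message the removed child printed on fopen failure; unless touch_file_as_user reports failures itself (its body is not on this page), a mistyped mkfile path now produces no feedback. A comment stating the helper's contract would help, e.g. `// creates the file with the caller's uid/gid in a forked, privilege-dropped child — confirm against touch_file_as_user`. The `#ifdef HAVE_GCOV __gcov_flush()` call that lived in the removed child must now happen inside the helper, otherwise coverage data from the forked child is lost. fs_mkfile begins outside this hunk.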
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 719b55048..2a58d1eb2 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -60,9 +60,6 @@ void fs_trace(void) { | |||
60 | printf("Blacklist violations are logged to syslog\n"); | 60 | printf("Blacklist violations are logged to syslog\n"); |
61 | } | 61 | } |
62 | 62 | ||
63 | if (mask_x11_abstract_socket) | ||
64 | fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR); | ||
65 | |||
66 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 63 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
67 | fclose(fp); | 64 | fclose(fp); |
68 | 65 | ||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index f742e7e22..bbea3b392 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 0970642db..1794e4b35 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -406,10 +406,12 @@ void fs_whitelist(void) { | |||
406 | 406 | ||
407 | // both path and absolute path are under /home | 407 | // both path and absolute path are under /home |
408 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 408 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
409 | // check if the file is owned by the user | 409 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { |
410 | struct stat s; | 410 | // check if the file is owned by the user |
411 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | 411 | struct stat s; |
412 | goto errexit; | 412 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) |
413 | goto errexit; | ||
414 | } | ||
413 | } | 415 | } |
414 | } | 416 | } |
415 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 417 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
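Review bot: With the ownership test now gated on `checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)`, a `stat()` failure inside that branch still falls through to acceptance: `if (stat(fname, &s) == 0 && s.st_uid != getuid())` only rejects when the call succeeds, so an unreadable or vanished target (EACCES, ENOENT) is treated as user-owned. If that is not intended, the guard should be `if (stat(fname, &s) != 0 || s.st_uid != getuid()) goto errexit;`, and the config-disabled path deserves a one-line comment such as `// follow-symlink-as-user disabled in firejail.config: no ownership check on targets outside $HOME`, since this is the only place the weakening is visible. Note that `stat()` follows the symlink, so the check is on the target and not the link itself, which appears to be the intent here. The enclosing fs_whitelist() starts and ends outside this hunk.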
diff --git a/src/firejail/git.c b/src/firejail/git.c new file mode 100644 index 000000000..c4dd54a1b --- /dev/null +++ b/src/firejail/git.c | |||
@@ -0,0 +1,90 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | |||
21 | #ifdef HAVE_GIT_INSTALL | ||
22 | |||
23 | #include "firejail.h" | ||
24 | #include <sys/utsname.h> | ||
25 | #include <sched.h> | ||
26 | #include <sys/mount.h> | ||
27 | |||
28 | // install a very simple mount namespace sandbox with a tmpfs on top of /tmp | ||
29 | // and drop privileges | ||
30 | static void sbox_ns(void) { | ||
31 | if (unshare(CLONE_NEWNS) < 0) | ||
32 | errExit("unshare"); | ||
33 | |||
34 | // mount events are not forwarded between the host the sandbox | ||
35 | if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { | ||
36 | errExit("mount"); | ||
37 | } | ||
38 | |||
39 | // mount a tmpfs on top of /tmp | ||
40 | if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0) | ||
41 | errExit("mount"); | ||
42 | |||
43 | |||
44 | // drop privileges | ||
45 | if (setgid(getgid()) < 0) | ||
46 | errExit("setgid/getgid"); | ||
47 | if (setuid(getuid()) < 0) | ||
48 | errExit("setuid/getuid"); | ||
49 | assert(getenv("LD_PRELOAD") == NULL); | ||
50 | |||
51 | printf("Running as "); fflush(0); | ||
52 | int rv = system("whoami"); | ||
53 | (void) rv; | ||
54 | printf("/tmp directory: "); fflush(0); | ||
55 | rv = system("ls -l /tmp"); | ||
56 | (void) rv; | ||
57 | } | ||
58 | |||
59 | |||
60 | void git_install(void) { | ||
61 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
62 | EUID_ASSERT(); | ||
63 | EUID_ROOT(); | ||
64 | |||
65 | // install a mount namespace with a tmpfs on top of /tmp | ||
66 | sbox_ns(); | ||
67 | |||
68 | // run command | ||
69 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; | ||
70 | int rv = system(cmd); | ||
71 | (void) rv; | ||
72 | exit(0); | ||
73 | } | ||
74 | |||
75 | void git_uninstall(void) { | ||
76 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | ||
77 | EUID_ASSERT(); | ||
78 | EUID_ROOT(); | ||
79 | |||
80 | // install a mount namespace with a tmpfs on top of /tmp | ||
81 | sbox_ns(); | ||
82 | |||
83 | // run command | ||
84 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; | ||
85 | int rv = system(cmd); | ||
86 | (void) rv; | ||
87 | exit(0); | ||
88 | } | ||
89 | |||
90 | #endif // HAVE_GIT_INSTALL | ||
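Review bot: The tmpfs mounted over /tmp in sbox_ns() is created with mount flags 0 (`mount(NULL, "/tmp", "tmpfs", 0, NULL)`), so files written by the install script could be setuid or device nodes inside the new namespace; `mount(NULL, "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, NULL)` costs nothing and matches the least-privilege intent of the helper. The LD_PRELOAD guard is an `assert()`, which disappears under NDEBUG; if the check matters it should be an explicit `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD is set\n"); exit(1); }` (or an unsetenv before the system() calls). The setgid()/setuid() drop happens after the mounts and before any system() call, so the shell and the two diagnostic commands run as the invoking user, which looks correct. The comment above git_uninstall() still names fgit-install.sh; it should read `// redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-uninstall.sh"`.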
diff --git a/src/firejail/join.c b/src/firejail/join.c index bcf951f33..fa19243b8 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 77eb35f97..7b51ee697 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -336,7 +336,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
336 | drop_privs(0); | 336 | drop_privs(0); |
337 | 337 | ||
338 | // copy the file | 338 | // copy the file |
339 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) | 339 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user |
340 | _exit(1); | 340 | _exit(1); |
341 | #ifdef HAVE_GCOV | 341 | #ifdef HAVE_GCOV |
342 | __gcov_flush(); | 342 | __gcov_flush(); |
@@ -362,7 +362,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
362 | drop_privs(0); | 362 | drop_privs(0); |
363 | 363 | ||
364 | // copy the file | 364 | // copy the file |
365 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) | 365 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user |
366 | _exit(1); | 366 | _exit(1); |
367 | #ifdef HAVE_GCOV | 367 | #ifdef HAVE_GCOV |
368 | __gcov_flush(); | 368 | __gcov_flush(); |
@@ -411,7 +411,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
411 | drop_privs(0); | 411 | drop_privs(0); |
412 | 412 | ||
413 | // copy the file | 413 | // copy the file |
414 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) | 414 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user |
415 | _exit(1); | 415 | _exit(1); |
416 | #ifdef HAVE_GCOV | 416 | #ifdef HAVE_GCOV |
417 | __gcov_flush(); | 417 | __gcov_flush(); |
@@ -443,7 +443,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
443 | drop_privs(0); | 443 | drop_privs(0); |
444 | 444 | ||
445 | // copy the file | 445 | // copy the file |
446 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) | 446 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user |
447 | _exit(1); | 447 | _exit(1); |
448 | #ifdef HAVE_GCOV | 448 | #ifdef HAVE_GCOV |
449 | __gcov_flush(); | 449 | __gcov_flush(); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index e70e20eec..310795abf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -35,6 +35,7 @@ | |||
35 | #include <signal.h> | 35 | #include <signal.h> |
36 | #include <time.h> | 36 | #include <time.h> |
37 | #include <net/if.h> | 37 | #include <net/if.h> |
38 | #include <sys/utsname.h> | ||
38 | 39 | ||
39 | #if 0 | 40 | #if 0 |
40 | #include <sys/times.h> | 41 | #include <sys/times.h> |
@@ -84,6 +85,7 @@ int arg_netfilter; // enable netfilter | |||
84 | int arg_netfilter6; // enable netfilter6 | 85 | int arg_netfilter6; // enable netfilter6 |
85 | char *arg_netfilter_file = NULL; // netfilter file | 86 | char *arg_netfilter_file = NULL; // netfilter file |
86 | char *arg_netfilter6_file = NULL; // netfilter6 file | 87 | char *arg_netfilter6_file = NULL; // netfilter6 file |
88 | char *arg_netns = NULL; // "ip netns"-created network namespace to use | ||
87 | int arg_doubledash = 0; // double dash | 89 | int arg_doubledash = 0; // double dash |
88 | int arg_shell_none = 0; // run the program directly without a shell | 90 | int arg_shell_none = 0; // run the program directly without a shell |
89 | int arg_private_dev = 0; // private dev directory | 91 | int arg_private_dev = 0; // private dev directory |
@@ -112,7 +114,8 @@ int arg_x11_block = 0; // block X11 | |||
112 | int arg_x11_xorg = 0; // use X11 security extention | 114 | int arg_x11_xorg = 0; // use X11 security extention |
113 | int arg_allusers = 0; // all user home directories visible | 115 | int arg_allusers = 0; // all user home directories visible |
114 | int arg_machineid = 0; // preserve /etc/machine-id | 116 | int arg_machineid = 0; // preserve /etc/machine-id |
115 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 117 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
118 | int arg_writable_var_log; // writable /var/log | ||
116 | 119 | ||
117 | int login_shell = 0; | 120 | int login_shell = 0; |
118 | 121 | ||
@@ -817,17 +820,43 @@ int main(int argc, char **argv) { | |||
817 | 820 | ||
818 | if (check_arg(argc, argv, "--quiet")) | 821 | if (check_arg(argc, argv, "--quiet")) |
819 | arg_quiet = 1; | 822 | arg_quiet = 1; |
820 | if (check_arg(argc, argv, "--allow-debuggers")) | 823 | if (check_arg(argc, argv, "--allow-debuggers")) { |
824 | // check kernel version | ||
825 | struct utsname u; | ||
826 | int rv = uname(&u); | ||
827 | if (rv != 0) | ||
828 | errExit("uname"); | ||
829 | int major; | ||
830 | int minor; | ||
831 | if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { | ||
832 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); | ||
833 | exit(1); | ||
834 | } | ||
835 | if (major < 4 || (major == 4 && minor < 8)) { | ||
836 | fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " | ||
837 | "A bug in ptrace call allows a full bypass of the seccomp filter. " | ||
838 | "Your current kernel version is %d.%d.\n", major, minor); | ||
839 | exit(1); | ||
840 | } | ||
841 | |||
821 | arg_allow_debuggers = 1; | 842 | arg_allow_debuggers = 1; |
843 | } | ||
822 | 844 | ||
823 | // drop permissions by default and rise them when required | 845 | // drop permissions by default and rise them when required |
824 | EUID_INIT(); | 846 | EUID_INIT(); |
825 | EUID_USER(); | 847 | EUID_USER(); |
826 | 848 | ||
849 | #ifdef HAVE_GIT_INSTALL | ||
850 | // process git-install and git-uninstall | ||
851 | if (check_arg(argc, argv, "--git-install")) | ||
852 | git_install(); // this function will not return | ||
853 | if (check_arg(argc, argv, "--git-uninstall")) | ||
854 | git_uninstall(); // this function will not return | ||
855 | #endif | ||
827 | 856 | ||
828 | // check argv[0] symlink wrapper if this is not a login shell | 857 | // check argv[0] symlink wrapper if this is not a login shell |
829 | if (*argv[0] != '-') | 858 | if (*argv[0] != '-') |
830 | run_symlink(argc, argv); | 859 | run_symlink(argc, argv); // this function will not return |
831 | 860 | ||
832 | // check if we already have a sandbox running | 861 | // check if we already have a sandbox running |
833 | // If LXC is detected, start firejail sandbox | 862 | // If LXC is detected, start firejail sandbox |
@@ -1333,6 +1362,8 @@ int main(int argc, char **argv) { | |||
1333 | } | 1362 | } |
1334 | #endif | 1363 | #endif |
1335 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1364 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
1365 | // multiple profile files are allowed! | ||
1366 | |||
1336 | if (arg_noprofile) { | 1367 | if (arg_noprofile) { |
1337 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | 1368 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); |
1338 | exit(1); | 1369 | exit(1); |
@@ -1341,19 +1372,6 @@ int main(int argc, char **argv) { | |||
1341 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); | 1372 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); |
1342 | if (!ppath) | 1373 | if (!ppath) |
1343 | errExit("strdup"); | 1374 | errExit("strdup"); |
1344 | invalid_filename(ppath); | ||
1345 | |||
1346 | // multiple profile files are allowed! | ||
1347 | if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { | ||
1348 | fprintf(stderr, "Error: invalid profile file\n"); | ||
1349 | exit(1); | ||
1350 | } | ||
1351 | |||
1352 | // access call checks as real UID/GID, not as effective UID/GID | ||
1353 | if (access(ppath, R_OK)) { | ||
1354 | fprintf(stderr, "Error: cannot access profile file\n"); | ||
1355 | return 1; | ||
1356 | } | ||
1357 | 1375 | ||
1358 | profile_read(ppath); | 1376 | profile_read(ppath); |
1359 | custom_profile = 1; | 1377 | custom_profile = 1; |
@@ -1448,13 +1466,10 @@ int main(int argc, char **argv) { | |||
1448 | fprintf(stderr, "Error: invalid chroot directory\n"); | 1466 | fprintf(stderr, "Error: invalid chroot directory\n"); |
1449 | exit(1); | 1467 | exit(1); |
1450 | } | 1468 | } |
1451 | free(rpath); | 1469 | cfg.chrootdir = rpath; |
1452 | 1470 | ||
1453 | // check chroot directory structure | 1471 | // check chroot directory structure |
1454 | if (fs_check_chroot_dir(cfg.chrootdir)) { | 1472 | fs_check_chroot_dir(cfg.chrootdir); |
1455 | fprintf(stderr, "Error: invalid chroot\n"); | ||
1456 | exit(1); | ||
1457 | } | ||
1458 | } | 1473 | } |
1459 | else | 1474 | else |
1460 | exit_err_feature("chroot"); | 1475 | exit_err_feature("chroot"); |
@@ -1470,6 +1485,9 @@ int main(int argc, char **argv) { | |||
1470 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1485 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1471 | arg_writable_var = 1; | 1486 | arg_writable_var = 1; |
1472 | } | 1487 | } |
1488 | else if (strcmp(argv[i], "--writable-var-log") == 0) { | ||
1489 | arg_writable_var_log = 1; | ||
1490 | } | ||
1473 | else if (strcmp(argv[i], "--machine-id") == 0) { | 1491 | else if (strcmp(argv[i], "--machine-id") == 0) { |
1474 | arg_machineid = 1; | 1492 | arg_machineid = 1; |
1475 | } | 1493 | } |
@@ -1929,6 +1947,9 @@ int main(int argc, char **argv) { | |||
1929 | return 1; | 1947 | return 1; |
1930 | } | 1948 | } |
1931 | } | 1949 | } |
1950 | |||
1951 | else if (strncmp(argv[i], "--hosts-file=", 13) == 0) | ||
1952 | cfg.hosts_file = fs_check_hosts_fiile(argv[i] + 13); | ||
1932 | 1953 | ||
1933 | #ifdef HAVE_NETWORK | 1954 | #ifdef HAVE_NETWORK |
1934 | else if (strcmp(argv[i], "--netfilter") == 0) { | 1955 | else if (strcmp(argv[i], "--netfilter") == 0) { |
@@ -1982,6 +2003,15 @@ int main(int argc, char **argv) { | |||
1982 | else | 2003 | else |
1983 | exit_err_feature("networking"); | 2004 | exit_err_feature("networking"); |
1984 | } | 2005 | } |
2006 | |||
2007 | else if (strncmp(argv[i], "--netns=", 8) == 0) { | ||
2008 | if (checkcfg(CFG_NETWORK)) { | ||
2009 | arg_netns = argv[i] + 8; | ||
2010 | check_netns(arg_netns); | ||
2011 | } | ||
2012 | else | ||
2013 | exit_err_feature("networking"); | ||
2014 | } | ||
1985 | #endif | 2015 | #endif |
1986 | //************************************* | 2016 | //************************************* |
1987 | // command | 2017 | // command |
@@ -2102,6 +2132,12 @@ int main(int argc, char **argv) { | |||
2102 | return 1; | 2132 | return 1; |
2103 | } | 2133 | } |
2104 | } | 2134 | } |
2135 | else if (strcmp(argv[i], "--git-install") == 0 || | ||
2136 | strcmp(argv[i], "--git-uninstall") == 0) { | ||
2137 | fprintf(stderr, "This feature is not enabled in the current build\n"); | ||
2138 | exit(1); | ||
2139 | } | ||
2140 | |||
2105 | else if (strcmp(argv[i], "--") == 0) { | 2141 | else if (strcmp(argv[i], "--") == 0) { |
2106 | // double dash - positional params to follow | 2142 | // double dash - positional params to follow |
2107 | arg_doubledash = 1; | 2143 | arg_doubledash = 1; |
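Review bot: The `--profile=` hunk drops the `is_dir()/is_link()/".."` rejection and the `access(ppath, R_OK)` check whose comment explicitly relied on real-UID semantics, leaving only `expand_home()` before `profile_read(ppath)`; the profile.c side of this commit re-adds `invalid_filename()` but the rest of that hunk is not visible here, so it needs confirming that the readability and symlink checks moved with it. Since `EUID_USER()` at the top of main() precedes option parsing, a plain fopen in profile_read() should fail on files the user cannot read, but if profile_read() ever raises to root that guard is what prevented a setuid firejail from parsing a root-only file named by the user. If they were not carried over, reinstating `if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK))` with the existing "Error: invalid profile file" exit in profile_read() keeps the old contract in one place. A short comment at the call site, `// path validation now lives in profile_read()`, would make the relocation visible to the next reader.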
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 9e759ec70..ea1d45dd7 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/netns.c b/src/firejail/netns.c new file mode 100644 index 000000000..477d56b3d --- /dev/null +++ b/src/firejail/netns.c | |||
@@ -0,0 +1,114 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2017 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <stdio.h> | ||
22 | #include <string.h> | ||
23 | #include <errno.h> | ||
24 | #include <sys/types.h> | ||
25 | #include <sys/mount.h> | ||
26 | #include <sys/stat.h> | ||
27 | #include <sys/syscall.h> | ||
28 | #include <dirent.h> | ||
29 | #include <fcntl.h> | ||
30 | #include <sched.h> | ||
31 | #include <unistd.h> | ||
32 | |||
33 | static char *netns_control_file(const char *nsname) { | ||
34 | char *rv = 0; | ||
35 | if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0) | ||
36 | errExit("asprintf"); | ||
37 | return rv; | ||
38 | } | ||
39 | |||
40 | static char *netns_etc_dir(const char *nsname) { | ||
41 | char *rv = 0; | ||
42 | if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0) | ||
43 | errExit("asprintf"); | ||
44 | return rv; | ||
45 | } | ||
46 | |||
47 | void check_netns(const char *nsname) { | ||
48 | if (strchr(nsname, '/') || strstr(nsname, "..")) { | ||
49 | fprintf(stderr, "Error: invalid netns name %s\n", nsname); | ||
50 | exit(1); | ||
51 | } | ||
52 | invalid_filename(nsname); | ||
53 | char *control_file = netns_control_file(nsname); | ||
54 | |||
55 | EUID_ASSERT(); | ||
56 | |||
57 | struct stat st; | ||
58 | if (lstat(control_file, &st)) { | ||
59 | fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n", | ||
60 | nsname, control_file, strerror(errno)); | ||
61 | exit(1); | ||
62 | } | ||
63 | if (!S_ISREG(st.st_mode)) { | ||
64 | fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n", | ||
65 | nsname, control_file); | ||
66 | exit(1); | ||
67 | } | ||
68 | free(control_file); | ||
69 | } | ||
70 | |||
71 | void netns(const char *nsname) { | ||
72 | char *control_file = netns_control_file(nsname); | ||
73 | int nsfd = open(control_file, O_RDONLY|O_CLOEXEC); | ||
74 | if (nsfd < 0) { | ||
75 | fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n", | ||
76 | nsname, control_file, strerror(errno)); | ||
77 | exit(1); | ||
78 | } | ||
79 | if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) { | ||
80 | fprintf(stderr, "Error: cannot join netns '%s': %s\n", | ||
81 | nsname, strerror(errno)); | ||
82 | exit(1); | ||
83 | } | ||
84 | close(nsfd); | ||
85 | free(control_file); | ||
86 | } | ||
87 | |||
88 | void netns_mounts(const char *nsname) { | ||
89 | char *etcdir = netns_etc_dir(nsname); | ||
90 | char *netns_name, *etc_name; | ||
91 | struct dirent *entry; | ||
92 | DIR *dir; | ||
93 | |||
94 | dir = opendir(etcdir); | ||
95 | if (!dir) { | ||
96 | free(etcdir); | ||
97 | return; | ||
98 | } | ||
99 | while ((entry = readdir(dir))) { | ||
100 | if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, "..")) | ||
101 | continue; | ||
102 | if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 || | ||
103 | asprintf(&etc_name, "/etc/%s", entry->d_name) < 0) | ||
104 | errExit("asprintf"); | ||
105 | if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) { | ||
106 | fprintf(stderr, "Warning: bind %s -> %s failed: %s\n", | ||
107 | netns_name, etc_name, strerror(errno)); | ||
108 | } | ||
109 | free(netns_name); | ||
110 | free(etc_name); | ||
111 | } | ||
112 | closedir(dir); | ||
113 | free(etcdir); | ||
114 | } | ||
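Review bot: netns_mounts() bind-mounts every directory entry of /etc/netns/<name> onto /etc/<entry> without checking what the entry is, and `mount()` follows symlinks on the source path, so the only filtering is the `.`/`..` skip; whether this is safe depends on /etc/netns/<name> being root-owned, which `ip netns` normally guarantees but the code does not verify. A cheap hardening is to `lstat()` each source and skip anything that is not a regular file, e.g. `struct stat st; if (lstat(netns_name, &st) != 0 || !S_ISREG(st.st_mode)) { free(netns_name); free(etc_name); continue; }`, freeing both strings before the `continue` so the existing cleanup pattern is preserved. Separately, check_netns() validates the control file with `lstat()`+`S_ISREG` at user privilege while netns() later reopens it by path, presumably as root; the two are not atomic, so a comment noting that /var/run/netns is expected to be root-writable only would document the assumption. The `asprintf(...) <= 0` tests also reject a zero-length result, which cannot occur for these formats; `< 0` is the conventional check.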
diff --git a/src/firejail/network.c b/src/firejail/network.c index 6d09d770f..673c607ca 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 9fbc09d2b..924a94091 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index c56d90994..1828405db 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/output.c b/src/firejail/output.c index 91fe7f164..4872c57ba 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index 97a1d5a98..454255717 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -18,83 +18,134 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/stat.h> | ||
21 | 22 | ||
22 | static char **paths = NULL; | 23 | static char **paths = 0; |
23 | static int path_cnt = 0; | 24 | static unsigned int path_cnt = 0; |
24 | static char initialized = 0; | 25 | static unsigned int longest_path_elt = 0; |
25 | 26 | ||
26 | static void add_path(const char *path) { | 27 | static void init_paths(void) { |
27 | assert(paths); | 28 | char *path = getenv("PATH"); |
28 | assert(path_cnt); | 29 | char *p; |
29 | 30 | if (!path) { | |
30 | // filter out duplicates | 31 | path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; |
31 | int i; | 32 | setenv("PATH", path, 1); |
32 | int empty = 0; | ||
33 | for (i = 0; i < path_cnt; i++) { | ||
34 | if (paths[i] && strcmp(path, paths[i]) == 0) { | ||
35 | return; | ||
36 | } | ||
37 | if (!paths[i]) { | ||
38 | empty = i; | ||
39 | break; | ||
40 | } | ||
41 | } | 33 | } |
42 | 34 | path = strdup(path); | |
43 | paths[empty] = strdup(path); | 35 | if (!path) |
44 | if (!paths[empty]) | ||
45 | errExit("strdup"); | 36 | errExit("strdup"); |
37 | |||
38 | // size the paths array | ||
39 | for (p = path; *p; p++) | ||
40 | if (*p == ':') | ||
41 | path_cnt++; | ||
42 | path_cnt += 2; // one because we were counting fenceposts, one for the NULL at the end | ||
43 | |||
44 | paths = calloc(path_cnt, sizeof(char *)); | ||
45 | if (!paths) | ||
46 | errExit("calloc"); | ||
47 | |||
48 | // fill in 'paths' with pointers to elements of 'path' | ||
49 | char *elt; | ||
50 | unsigned int i = 0, j; | ||
51 | unsigned int len; | ||
52 | while ((elt = strsep(&path, ":")) != 0) { | ||
53 | // skip any entry that is not absolute | ||
54 | if (elt[0] != '/') | ||
55 | goto skip; | ||
56 | |||
57 | // strip trailing slashes (this also prevents '/' from being a path entry). | ||
58 | len = strlen(elt); | ||
59 | while (len > 0 && elt[len-1] == '/') | ||
60 | elt[--len] = '\0'; | ||
61 | if (len == 0) | ||
62 | goto skip; | ||
63 | |||
64 | // filter out duplicate entries | ||
65 | for (j = 0; j < i; j++) | ||
66 | if (strcmp(elt, paths[j]) == 0) | ||
67 | goto skip; | ||
68 | |||
69 | paths[i++] = elt; | ||
70 | if (len > longest_path_elt) | ||
71 | longest_path_elt = len; | ||
72 | |||
73 | skip:; | ||
74 | } | ||
75 | |||
76 | assert(paths[i] == 0); | ||
77 | // path_cnt may be too big now, if entries were skipped above | ||
78 | path_cnt = i+1; | ||
46 | } | 79 | } |
47 | 80 | ||
81 | |||
48 | char **build_paths(void) { | 82 | char **build_paths(void) { |
49 | if (initialized) { | 83 | if (!paths) |
50 | assert(paths); | 84 | init_paths(); |
51 | return paths; | 85 | assert(paths); |
52 | } | 86 | return paths; |
53 | initialized = 1; | 87 | } |
54 | 88 | ||
55 | int cnt = 5; // 4 default paths + 1 NULL to end the array | 89 | // Note: the NULL element at the end of 'paths' is included in this count. |
56 | char *path1 = getenv("PATH"); | 90 | unsigned int count_paths(void) { |
57 | if (path1) { | 91 | if (!path_cnt) |
58 | char *path2 = strdup(path1); | 92 | init_paths(); |
59 | if (!path2) | 93 | assert(path_cnt); |
60 | errExit("strdup"); | 94 | return path_cnt; |
61 | 95 | } | |
62 | // use path2 to count the entries | 96 | |
63 | char *ptr = strtok(path2, ":"); | 97 | // Return 1 if PROGRAM exists in $PATH and is runnable by the |
64 | while (ptr) { | 98 | // invoking user (not root). |
65 | cnt++; | 99 | // In other words, tests "will execvp(PROGRAM, ...) succeed?" |
66 | ptr = strtok(NULL, ":"); | 100 | int program_in_path(const char *program) { |
67 | } | 101 | assert(program && *program); |
68 | free(path2); | 102 | assert(strchr(program, '/') == 0); |
69 | path_cnt = cnt; | 103 | assert(strcmp(program, ".") != 0); |
70 | 104 | assert(strcmp(program, "..") != 0); | |
71 | // allocate paths array | 105 | |
72 | paths = malloc(sizeof(char *) * cnt); | 106 | if (!paths) |
73 | if (!paths) | 107 | init_paths(); |
74 | errExit("malloc"); | 108 | assert(paths); |
75 | memset(paths, 0, sizeof(char *) * cnt); | 109 | |
76 | 110 | size_t proglen = strlen(program); | |
77 | // add default paths | 111 | char *scratch = malloc(longest_path_elt + proglen + 2); |
78 | add_path("/usr/local/bin"); | 112 | if (!scratch) |
79 | add_path("/usr/bin"); | 113 | errExit("malloc"); |
80 | add_path("/bin"); | 114 | |
81 | add_path("/usr/local/sbin"); | 115 | int found = 0; |
82 | add_path("/usr/sbin"); | 116 | size_t dlen; |
83 | add_path("/sbin"); | 117 | char **p; |
84 | 118 | for (p = paths; *p; p++) { | |
85 | path2 = strdup(path1); | 119 | char *dir = *p; |
86 | if (!path2) | 120 | dlen = strlen(dir); |
87 | errExit("strdup"); | 121 | |
88 | 122 | // init_paths should ensure that this is true; as long | |
89 | // use path2 to count the entries | 123 | // as it is true, 'scratch' has enough space for "$p/$program". |
90 | ptr = strtok(path2, ":"); | 124 | assert(dlen <= longest_path_elt); |
91 | while (ptr) { | 125 | |
92 | cnt++; | 126 | memcpy(scratch, dir, dlen); |
93 | add_path(ptr); | 127 | scratch[dlen++] = '/'; |
94 | ptr = strtok(NULL, ":"); | 128 | |
129 | // copy proglen+1 bytes to copy the nul terminator at | ||
130 | // the end of 'program'. | ||
131 | memcpy(scratch + dlen, program, proglen+1); | ||
132 | |||
133 | if (access(scratch, X_OK) == 0) { | ||
134 | // must also verify that this is a regular file | ||
135 | // ('x' permission means something different for directories). | ||
136 | // exec follows symlinks, so use stat, not lstat. | ||
137 | struct stat st; | ||
138 | if (stat(scratch, &st)) { | ||
139 | perror(scratch); | ||
140 | exit(1); | ||
141 | } | ||
142 | if (S_ISREG(st.st_mode)) { | ||
143 | found = 1; | ||
144 | break; | ||
145 | } | ||
95 | } | 146 | } |
96 | free(path2); | ||
97 | } | 147 | } |
98 | 148 | ||
99 | return paths; | 149 | free(scratch); |
150 | return found; | ||
100 | } | 151 | } |
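Review bot: program_in_path() enforces its preconditions with `assert()` (no `/`, not `.` or `..`, non-empty), and those vanish under NDEBUG, after which a name containing `/` is appended to each PATH entry unchecked; since the result decides whether an execvp will be attempted, the checks should be real code, e.g. `if (!program || !*program || strchr(program, '/') || !strcmp(program, ".") || !strcmp(program, "..")) return 0;`. The `stat()` failure after a successful `access(scratch, X_OK)` is turned into `perror(); exit(1)`, so a PATH entry removed between the two calls aborts the whole program; treating that as "not found" (`continue`) seems the more robust choice, unless a hard failure is intended. init_paths() silently drops relative entries and a bare `/`, which is a good default for a setuid binary and is documented inline; the `setenv("PATH", ...)` fallback would benefit from a comment that it exists so child processes inherit the same sanitized search path, if that is the intent.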
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index d2db7d3dd..b834e6275 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -76,12 +76,12 @@ void preproc_mount_mnt_dir(void) { | |||
76 | fs_logger2("tmpfs", RUN_MNT_DIR); | 76 | fs_logger2("tmpfs", RUN_MNT_DIR); |
77 | 77 | ||
78 | //copy defaultl seccomp files | 78 | //copy defaultl seccomp files |
79 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); | 79 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed |
80 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); | 80 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed |
81 | if (arg_allow_debuggers) | 81 | if (arg_allow_debuggers) |
82 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); | 82 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
83 | else | 83 | else |
84 | copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); | 84 | copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
85 | 85 | ||
86 | // as root, create an empty RUN_SECCOMP_PROTOCOL file | 86 | // as root, create an empty RUN_SECCOMP_PROTOCOL file |
87 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); | 87 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); |
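--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -215,6 +215,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_no3d = 1;
 return 0;
 }
+else if (strcmp(ptr, "allow-private-blacklist") == 0) {
+arg_allow_private_blacklist = 1;
+return 0;
+}
 else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK))
@@ -602,6 +606,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+// hosts-file
+if (strncmp(ptr, "hosts-file ", 11) == 0) {
+cfg.hosts_file = fs_check_hosts_fiile(ptr + 11);
+return 0;
+}
+
 // dns
 if (strncmp(ptr, "dns ", 4) == 0) {
 uint32_t dns;
@@ -663,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_writable_var = 1;
 return 0;
 }
+if (strcmp(ptr, "writable-var-log") == 0) {
+arg_writable_var_log = 1;
+return 0;
+}
 
 // private directory
 if (strncmp(ptr, "private ", 8) == 0) {
@@ -999,10 +1013,25 @@ void profile_read(const char *fname) {
 exit(1);
 }
 
+// check file
 if (strlen(fname) == 0) {
 fprintf(stderr, "Error: invalid profile file\n");
 exit(1);
 }
+invalid_filename(fname);
+if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+fprintf(stderr, "Error: invalid profile file\n");
+exit(1);
+}
+if (access(fname, R_OK)) {
+// if the file ends in ".local", do not exit
+char *ptr = strstr(fname, ".local");
+if (ptr && strlen(ptr) == 6)
+return;
+
+fprintf(stderr, "Error: cannot access profile file\n");
+exit(1);
+}
 
 // allow debuggers
 if (arg_allow_debuggers) {
@@ -1013,7 +1042,7 @@ void profile_read(const char *fname) {
 return;
 }
 }
 
 // open profile file:
 FILE *fp = fopen(fname, "r");
 if (fp == NULL) {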
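Review bot: The `.local` exemption in profile_read matches the first occurrence of `.local` anywhere in the name, so a name ending in `.local` that also contains it earlier is still rejected; compare the suffix instead: `size_t n = strlen(fname); if (n >= 6 && strcmp(fname + n - 6, ".local") == 0) return;`. The new `access(fname, R_OK)`, `is_link` and `is_dir` checks operate on the path, while the `fopen` at the end of this section opens it a second time, so they cannot guarantee that the file later parsed is the one that was checked; if they are meant as a security control rather than an early error message, `fstat` on the opened descriptor is the place for them, and a comment should say which of the two they are. `fs_check_hosts_fiile` in the hosts-file branch looks misspelled; if that is indeed the declared name, renaming it to `fs_check_hosts_file` now avoids the typo spreading to further callers. profile_read continues outside the hunk.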
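--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *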
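--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <sys/wait.h>
 
 static void disable_file(const char *path, const char *file) {
 assert(file);
@@ -113,7 +114,7 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
-if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644))
+if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");
 if (!fp)
@@ -127,21 +128,63 @@ void pulseaudio_init(void) {
 if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
-int rv = mkdir(dir1, 0755);
+pid_t child = fork();
-if (rv == 0) {
+if (child < 0)
-if (set_perms(dir1, getuid(), getgid(), 0755))
+errExit("fork");
-{;} // do nothing
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+int rv = mkdir(dir1, 0755);
+if (rv == 0) {
+if (set_perms(dir1, getuid(), getgid(), 0755))
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+}
+else {
+// make sure the directory is owned by the user
+if (s.st_uid != getuid()) {
+fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
+exit(1);
 }
 }
 free(dir1);
+
 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
-/* coverity[toctou] */
+pid_t child = fork();
-int rv = mkdir(dir1, 0700);
+if (child < 0)
-if (rv == 0) {
+errExit("fork");
-if (set_perms(dir1, getuid(), getgid(), 0700))
+if (child == 0) {
-{;} // do nothing
+// drop privileges
+drop_privs(0);
+
+int rv = mkdir(dir1, 0700);
+if (rv == 0) {
+if (set_perms(dir1, getuid(), getgid(), 0700))
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+}
+else {
+// make sure the directory is owned by the user
+if (s.st_uid != getuid()) {
+fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
+exit(1);
 }
 }
 free(dir1);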
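Review bot: The forked child in both new blocks always `_exit(0)`s and the parent calls `waitpid(child, NULL, 0)`, so an `mkdir` failure after `drop_privs` is invisible and pulseaudio_init continues as if the directory existed; the fork/mkdir/wait sequence is also duplicated verbatim for `.config` and `.config/pulse`. Folding it into one helper that returns the child's status lets the caller warn when the directory could not be created, and keeps the newly added stat-then-mkdir logic in one place next to the ownership check. The old `/* coverity[toctou] */` annotation was dropped although the stat/mkdir pair is still two separate calls; a comment on the helper stating that the child runs unprivileged, which is what bounds the window, would explain why the annotation is no longer needed. pulseaudio_init continues outside the hunk.
```c
// Create `path` with `mode` in a forked child that has dropped privileges.
// Returns 0 when the child created the directory, -1 otherwise (the child's
// own warning goes to stderr).
static int mkdir_as_user(const char *path, mode_t mode) {
	pid_t child = fork();
	if (child < 0)
		errExit("fork");
	if (child == 0) {
		drop_privs(0);
		int rv = mkdir(path, mode);
		if (rv == 0 && set_perms(path, getuid(), getgid(), mode))
			rv = -1;
#ifdef HAVE_GCOV
		__gcov_flush();
#endif
		_exit(rv == 0 ? 0 : 1);
	}
	int status = 0;
	if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return -1;
	return 0;
}

// … in pulseaudio_init, replacing each of the two fork blocks …
	if (stat(dir1, &s) == -1) {
		if (mkdir_as_user(dir1, 0755))
			fprintf(stderr, "Warning: cannot create %s\n", dir1);
	}
	// … unchanged: else branch ownership check, free(dir1) …
```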
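--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *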
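--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *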
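--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *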
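--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *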
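--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -386,7 +386,7 @@ static void enforce_filters(void) {
 }
 
 // disable all capabilities
-if (arg_caps_default_filter || arg_caps_list)
+if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet)
 fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
 arg_caps_drop_all = 1;
 
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
 if (arg_debug)
 printf("Network namespace enabled, only loopback interface available\n");
 }
+else if (arg_netns) {
+netns(arg_netns);
+if (arg_debug)
+printf("Network namespace '%s' activated\n", arg_netns);
+}
 else if (any_bridge_configured() || any_interface_configured()) {
 // configure lo and eth0...eth3
 net_if_up("lo");
@@ -515,7 +520,8 @@ int sandbox(void* sandbox_arg) {
 if (cfg.defaultgw) {
 // set the default route
 if (net_add_route(0, 0, cfg.defaultgw)) {
-fprintf(stderr, "Warning: cannot configure default route\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot configure default route\n");
 gw_cfg_failed = 1;
 }
 }
@@ -579,9 +585,13 @@ int sandbox(void* sandbox_arg) {
 #endif
 
 // trace pre-install
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 
+// store hosts file
+if (cfg.hosts_file)
+fs_store_hosts_file();
+
 //****************************
 // configure filesystem
 //****************************
@@ -612,11 +622,11 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // trace pre-install, this time inside chroot
 //****************************
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 }
 else
 #endif
 #ifdef HAVE_OVERLAYFS
 if (arg_overlay) {
 fs_overlayfs();
@@ -635,13 +645,6 @@ int sandbox(void* sandbox_arg) {
 fs_basic_fs();
 
 //****************************
-// set hostname in /etc/hostname
-//****************************
-if (cfg.hostname) {
-fs_hostname(cfg.hostname);
-}
-
-//****************************
 // private mode
 //****************************
 if (arg_private) {
@@ -682,7 +685,7 @@ int sandbox(void* sandbox_arg) {
 else {
 fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
 // create /etc/ld.so.preload file again
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace_preload();
 }
 }
@@ -738,6 +741,22 @@ int sandbox(void* sandbox_arg) {
 EUID_ROOT();
 }
 }
+
+
+//****************************
+// hosts and hostname
+//****************************
+if (cfg.hostname)
+fs_hostname(cfg.hostname);
+
+if (cfg.hosts_file)
+fs_mount_hosts_file();
+
+//****************************
+// /etc overrides from the network namespace
+//****************************
+if (arg_netns)
+netns_mounts(arg_netns);
 
 //****************************
 // update /proc, /sys, /dev, /boot directorymy
@@ -762,7 +781,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // install trace
 //****************************
-if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
+if (arg_trace || arg_tracelog)
 fs_trace();
 
 //****************************
@@ -821,7 +840,8 @@ int sandbox(void* sandbox_arg) {
 int rv = nice(cfg.nice);
 (void) rv;
 if (errno) {
-fprintf(stderr, "Warning: cannot set nice value\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot set nice value\n");
 errno = 0;
 }
 }
@@ -877,7 +897,8 @@ int sandbox(void* sandbox_arg) {
 if (arg_noroot) {
 int rv = unshare(CLONE_NEWUSER);
 if (rv == -1) {
-fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
+if (!arg_quiet)
+fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
 drop_privs(arg_nogroups);
 arg_noroot = 0;
 }
@@ -908,7 +929,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_nonewprivs) {
 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-if(no_new_privs != 0)
+if(no_new_privs != 0 && !arg_quiet)
 fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
 else if (arg_debug)
 printf("NO_NEW_PRIVS set\n");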
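Review bot: The `!arg_quiet` guard is hand-written in front of each warning in five hunks of this section (capabilities, default route, nice value, user namespace, NO_NEW_PRIVS), which makes it easy for the next warning to miss it; a small helper such as `static void fwarning(const char *msg) { if (!arg_quiet) fputs(msg, stderr); }` would make the gating uniform, and the user-namespace and NO_NEW_PRIVS warnings in particular are security-relevant enough that the decision to silence them deserves a comment. `netns(arg_netns)` and `netns_mounts(arg_netns)` pass a user-supplied namespace name through; neither callee is in this section, so whether the name is restricted to a plain filename before it is joined to a path cannot be confirmed here and is worth a one-line comment at the first call site. Dropping `mask_x11_abstract_socket` from the four `fs_trace_preload()` conditions means the X11 abstract-socket mask presumably no longer relies on the ld.so.preload mechanism; a comment at the first of these conditions saying where it is handled now would keep someone from re-adding the term. sandbox() begins and ends outside this section.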
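--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *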
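--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *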
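--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *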
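--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -76,8 +76,14 @@ void usage(void) {
 printf(" --env=name=value - set environment variable.\n");
 printf(" --fs.print=name|pid - print the filesystem log.\n");
 printf(" --get=name|pid filename - get a file from sandbox container.\n");
+#ifdef HAVE_GIT_INSTALL
+printf(" --git-install - download, compile and install mainline git version\n");
+printf("\tof Firejail.\n");
+printf(" --git-uninstall - uninstall mainline git version of Firejail\n");
+#endif
 printf(" --help, -? - this help screen.\n");
 printf(" --hostname=name - set sandbox hostname.\n");
+printf(" --hosts-file=file - use file as /etc/hosts.\n");
 printf(" --ignore=command - ignore command in profile files.\n");
 #ifdef HAVE_NETWORK
 printf(" --interface=name - move interface in sandbox.\n");
@@ -191,6 +197,7 @@ void usage(void) {
 #endif
 printf(" --writable-etc - /etc directory is mounted read-write.\n");
 printf(" --writable-var - /var directory is mounted read-write.\n");
+printf(" --writable-var-log - use the real /var/log directory, not a clone.\n");
 printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
 printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
 printf("\tattempt to use X11 security extension.\n");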
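--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Firejail Authors
+ * Copyright (C) 2014-2017 Firejail Authors
 *
 * This file is part of firejail project
 *
@@ -28,6 +28,7 @@
 #include <grp.h>
 #include <sys/ioctl.h>
 #include <termios.h>
+#include <sys/wait.h>
 
 #define MAX_GROUPS 1024
 // drop privileges
@@ -168,6 +169,25 @@ void logerr(const char *msg) {
 closelog();
 }
 
+static int copy_file_by_fd(int src, int dst) {
+assert(src >= 0);
+assert(dst >= 0);
+
+ssize_t len;
+static const int BUFLEN = 1024;
+unsigned char buf[BUFLEN];
+while ((len = read(src, buf, BUFLEN)) > 0) {
+int done = 0;
+while (done != len) {
+int rv = write(dst, buf + done, len - done);
+if (rv == -1)
+return -1;
+done += rv;
+}
+}
+fflush(0);
+return 0;
+}
 
 // return -1 if error, 0 if no error; if destname already exists, return error
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
@@ -177,47 +197,114 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 // open source
 int src = open(srcname, O_RDONLY);
 if (src < 0) {
-fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
+fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
 return -1;
 }
 
 // open destination
 int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (dst < 0) {
-fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
+fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
 close(src);
 return -1;
 }
 
-// copy
+int errors = copy_file_by_fd(src, dst);
-ssize_t len;
+if (!errors) {
-static const int BUFLEN = 1024;
+if (fchown(dst, uid, gid) == -1)
-unsigned char buf[BUFLEN];
+errExit("fchown");
-while ((len = read(src, buf, BUFLEN)) > 0) {
+if (fchmod(dst, mode) == -1)
-int done = 0;
+errExit("fchmod");
-while (done != len) {
+}
-int rv = write(dst, buf + done, len - done);
+close(src);
-if (rv == -1) {
+close(dst);
-close(src);
+return errors;
-close(dst);
+}
-return -1;
-}
 
-done += rv;
+// return -1 if error, 0 if no error
-}
+void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+// copy, set permissions and ownership
+int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+if (rv)
+fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+}
+
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+// open destination
+int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+if (dst < 0) {
+fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
+return;
 }
-fflush(0);
 
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+int src = open(srcname, O_RDONLY);
+if (src < 0) {
+fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
+} else {
+if (copy_file_by_fd(src, dst)) {
+fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+}
+close(src);
+}
+close(dst);
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
 if (fchown(dst, uid, gid) == -1)
 errExit("fchown");
 if (fchmod(dst, mode) == -1)
 errExit("fchmod");
-
-close(src);
 close(dst);
-return 0;
 }
 
+// return -1 if error, 0 if no error
+void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+FILE *fp = fopen(fname, "w");
+if (fp) {
+fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, uid, gid, mode);
+fclose(fp);
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+}
 
 // return 1 if the file is a directory
 int is_dir(const char *fname) {
@@ -518,16 +605,37 @@ void wait_for_other(int fd) {
 *ptr = '\0';
 }
 else {
-fprintf(stderr, "Error: cannot establish communication with the parent, exiting...\n");
+fprintf(stderr, "Error: proc %d cannot sync with peer: %s\n",
+getpid(), ferror(stream) ? strerror(errno) : "unexpected EOF");
+
+int status = 0;
+pid_t pid = wait(&status);
+if (pid != -1) {
+if (WIFEXITED(status))
+fprintf(stderr, "Peer %d unexpectedly exited with status %d\n",
+pid, WEXITSTATUS(status));
+else if (WIFSIGNALED(status))
+fprintf(stderr, "Peer %d unexpectedly killed (%s)\n",
+pid, strsignal(WTERMSIG(status)));
+else
+fprintf(stderr, "Peer %d unexpectedly exited "
+"(un-decodable wait status %04x)\n", pid, status);
+}
 exit(1);
 }
+
 if (strcmp(childstr, "arg_noroot=0") == 0)
 arg_noroot = 0;
+else if (strcmp(childstr, "arg_noroot=1") == 0)
+arg_noroot = 1;
+else {
+fprintf(stderr, "Error: unexpected message from peer: %s\n", childstr);
+exit(1);
+}
 
 fclose(stream);
 }
 
-
 void notify_other(int fd) {
 FILE* stream;
 int newfd = dup(fd);
@@ -561,6 +669,11 @@ char *expand_home(const char *path, const char* homedir) {
 errExit("asprintf");
 return new_name;
 }
+else if (strncmp(path, "${CFG}", 6) == 0) {
+if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
+errExit("asprintf");
+return new_name;
+}
 
 char *rv = strdup(path);
 if (!rv)
@@ -818,4 +931,4 @@ errexit:
 close(fd);
 fprintf(stderr, "Error: cannot read %s\n", fname);
 exit(1);
-}
\ No newline at end of file
+}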
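Review bot: `copy_file_from_user_to_root` truncates the destination as the privileged parent and then ignores the unprivileged child's outcome: the child `_exit(0)`s even when `open` or `copy_file_by_fd` failed, and the parent goes on to `fchown`/`fchmod` the empty file, so the caller receives an owned, mode-set but content-less `destname` with only a warning on stderr; `copy_file_as_user` and `touch_file_as_user` have the same `waitpid(child, NULL, 0)` shape. `copy_file_by_fd` also treats a `read` error like end of file (`while ((len = read(...)) > 0)` followed by `return 0`), so add `if (len < 0) return -1;` after the loop, and the `fflush(0)` can go — it flushes stdio streams and does nothing for these descriptors. The headers `// return -1 if error, 0 if no error` on `copy_file_as_user` and `touch_file_as_user` are stale, as both return void; they should say that failures are only reported on stderr, or describe the status once it is propagated. The sketch below propagates the child's exit status in `copy_file_from_user_to_root`; the same pattern applies to the other two wrappers.
```c
	// … unchanged: open destination, fork, errExit("fork") …
	if (child == 0) {
		// drop privileges
		drop_privs(0);

		int rv = 1;	// child exit status: 0 only when the copy completed
		int src = open(srcname, O_RDONLY);
		if (src < 0) {
			fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
		} else {
			if (copy_file_by_fd(src, dst))
				fprintf(stderr, "Warning: cannot copy %s\n", srcname);
			else
				rv = 0;
			close(src);
		}
		close(dst);
#ifdef HAVE_GCOV
		__gcov_flush();
#endif
		_exit(rv);
	}
	// wait for the child; only set ownership and mode when the copy completed
	int status = 0;
	if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		close(dst);
		return;
	}
	// … unchanged: fchown, fchmod, close(dst) …
```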
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 91017237d..5bbc327a6 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -20,6 +20,8 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/socket.h> | ||
24 | #include <sys/un.h> | ||
23 | #include <fcntl.h> | 25 | #include <fcntl.h> |
24 | #include <unistd.h> | 26 | #include <unistd.h> |
25 | #include <signal.h> | 27 | #include <signal.h> |
@@ -27,157 +29,176 @@ | |||
27 | #include <dirent.h> | 29 | #include <dirent.h> |
28 | #include <sys/mount.h> | 30 | #include <sys/mount.h> |
29 | #include <sys/wait.h> | 31 | #include <sys/wait.h> |
32 | #include <errno.h> | ||
33 | #include <limits.h> | ||
30 | int mask_x11_abstract_socket = 0; | 34 | int mask_x11_abstract_socket = 0; |
31 | 35 | ||
32 | #ifdef HAVE_X11 | ||
33 | // return 1 if xpra is installed on the system | ||
34 | static int x11_check_xpra(void) { | ||
35 | struct stat s; | ||
36 | |||
37 | // check xpra | ||
38 | if (stat("/usr/bin/xpra", &s) == -1) | ||
39 | return 0; | ||
40 | 36 | ||
41 | return 1; | 37 | // Parse the DISPLAY environment variable and return a display number. |
42 | } | 38 | // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. |
39 | int x11_display(void) { | ||
40 | const char *display_str = getenv("DISPLAY"); | ||
41 | char *endp; | ||
42 | unsigned long display; | ||
43 | |||
44 | if (!display_str) { | ||
45 | if (arg_debug) | ||
46 | fputs("DISPLAY is not set\n", stderr); | ||
47 | return -1; | ||
48 | } | ||
43 | 49 | ||
44 | // return 1 if xephyr is installed on the system | 50 | if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') { |
45 | static int x11_check_xephyr(void) { | 51 | if (arg_debug) |
46 | struct stat s; | 52 | fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); |
47 | 53 | return -1; | |
48 | // check xephyr | 54 | } |
49 | if (stat("/usr/bin/Xephyr", &s) == -1) | ||
50 | return 0; | ||
51 | 55 | ||
52 | return 1; | 56 | errno = 0; |
57 | display = strtoul(display_str+1, &endp, 10); | ||
58 | if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { // handling DISPLAY=:0 and also :0.0 | ||
59 | if (arg_debug) | ||
60 | fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); | ||
61 | return -1; | ||
62 | } | ||
63 | if (errno || display > (unsigned long)INT_MAX) { | ||
64 | if (arg_debug) | ||
65 | fprintf(stderr, "display number %s is outside the valid range\n", | ||
66 | display_str+1); | ||
67 | return -1; | ||
68 | } | ||
69 | |||
70 | if (arg_debug) | ||
71 | fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display); | ||
72 | |||
73 | return (int)display; | ||
53 | } | 74 | } |
54 | 75 | ||
76 | |||
77 | #ifdef HAVE_X11 | ||
55 | // check for X11 abstract sockets | 78 | // check for X11 abstract sockets |
56 | static int x11_abstract_sockets_present(void) { | 79 | static int x11_abstract_sockets_present(void) { |
57 | char *path; | ||
58 | 80 | ||
59 | EUID_ROOT(); // grsecurity fix | 81 | EUID_ROOT(); // grsecurity fix |
60 | FILE *fp = fopen("/proc/net/unix", "r"); | 82 | FILE *fp = fopen("/proc/net/unix", "r"); |
61 | EUID_USER(); | ||
62 | |||
63 | if (!fp) | 83 | if (!fp) |
64 | errExit("fopen"); | 84 | errExit("fopen"); |
85 | EUID_USER(); | ||
65 | 86 | ||
66 | while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) { | 87 | char *linebuf = 0; |
67 | if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) { | 88 | size_t bufsz = 0; |
68 | free(path); | 89 | int found = 0; |
69 | fclose(fp); | 90 | errno = 0; |
70 | return 1; | 91 | |
92 | for (;;) { | ||
93 | if (getline(&linebuf, &bufsz, fp) == -1) { | ||
94 | if (errno) | ||
95 | errExit("getline"); | ||
96 | break; | ||
97 | } | ||
98 | // The last space-separated field in 'linebuf' is the | ||
99 | // pathname of the socket. Abstract sockets' pathnames | ||
100 | // all begin with '@/', normal ones begin with '/'. | ||
101 | char *p = strrchr(linebuf, ' '); | ||
102 | if (!p) { | ||
103 | fputs("error parsing /proc/net/unix\n", stderr); | ||
104 | exit(1); | ||
105 | } | ||
106 | if (strncmp(p+1, "@/tmp/.X11-unix/", 16) == 0) { | ||
107 | found = 1; | ||
108 | break; | ||
71 | } | 109 | } |
72 | } | 110 | } |
73 | 111 | ||
74 | free(path); | 112 | free(linebuf); |
75 | fclose(fp); | 113 | fclose(fp); |
76 | 114 | return found; | |
77 | return 0; | ||
78 | } | 115 | } |
79 | 116 | ||
117 | // Choose a random, unallocated display number. This has an inherent | ||
118 | // and unavoidable TOCTOU race, since we cannot create either the | ||
119 | // socket or a lockfile ourselves. | ||
80 | static int random_display_number(void) { | 120 | static int random_display_number(void) { |
121 | int display; | ||
122 | int found = 0; | ||
81 | int i; | 123 | int i; |
82 | int found = 1; | 124 | |
83 | int display; | 125 | struct sockaddr_un sa; |
126 | // The -1 here is because we need space to inject a | ||
127 | // leading nul byte. | ||
128 | int sun_pathmax = (int)(sizeof sa.sun_path - 1); | ||
129 | assert((size_t)sun_pathmax == sizeof sa.sun_path - 1); | ||
130 | int sun_pathlen; | ||
131 | |||
132 | int sockfd = socket(AF_UNIX, SOCK_STREAM, 0); | ||
133 | if (sockfd == -1) | ||
134 | errExit("socket"); | ||
135 | |||
84 | for (i = 0; i < 100; i++) { | 136 | for (i = 0; i < 100; i++) { |
85 | display = rand() % 1024; | 137 | // We try display numbers in the range 21 through 1000. |
86 | if (display < 10) | 138 | // Normal X servers typically use displays in the 0-10 range; |
87 | continue; | 139 | // ssh's X11 forwarding uses 10-20, and login screens |
88 | char *fname; | 140 | // (e.g. gdm3) may use displays above 1000. |
89 | if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) | 141 | display = rand() % 979 + 21; |
90 | errExit("asprintf"); | 142 | |
91 | struct stat s; | 143 | // The display number might be claimed by a server listening |
92 | if (stat(fname, &s) == -1) { | 144 | // in _either_ the normal or the abstract namespace; they |
93 | found = 1; | 145 | // don't necessarily do both. The easiest way to check is |
94 | break; | 146 | // to try to connect, both ways. |
95 | } | 147 | memset(&sa, 0, sizeof sa); |
96 | } | 148 | sa.sun_family = AF_UNIX; |
149 | sun_pathlen = snprintf(sa.sun_path, sun_pathmax, | ||
150 | "/tmp/.X11-unix/X%d", display); | ||
151 | if (sun_pathlen >= sun_pathmax) { | ||
152 | fprintf(stderr, "sun_path too small for display :%d" | ||
153 | " (only %d bytes usable)\n", display, sun_pathmax); | ||
154 | exit(1); | ||
155 | } | ||
156 | |||
157 | if (connect(sockfd, (struct sockaddr *)&sa, | ||
158 | offsetof(struct sockaddr_un, sun_path) + sun_pathlen + 1) == 0) { | ||
159 | close(sockfd); | ||
160 | sockfd = socket(AF_UNIX, SOCK_STREAM, 0); | ||
161 | if (sockfd == -1) | ||
162 | errExit("socket"); | ||
163 | continue; | ||
164 | } | ||
165 | if (errno != ECONNREFUSED && errno != ENOENT) | ||
166 | errExit("connect"); | ||
167 | |||
168 | // Name not claimed in the normal namespace; now try it | ||
169 | // in the abstract namespace. Note that abstract-namespace | ||
170 | // names are NOT nul-terminated; they extend to the length | ||
171 | // specified as the third argument to 'connect'. | ||
172 | memmove(sa.sun_path + 1, sa.sun_path, sun_pathlen + 1); | ||
173 | sa.sun_path[0] = '\0'; | ||
174 | if (connect(sockfd, (struct sockaddr *)&sa, | ||
175 | offsetof(struct sockaddr_un, sun_path) + 1 + sun_pathlen) == 0) { | ||
176 | close(sockfd); | ||
177 | sockfd = socket(AF_UNIX, SOCK_STREAM, 0); | ||
178 | if (sockfd == -1) | ||
179 | errExit("socket"); | ||
180 | continue; | ||
181 | } | ||
182 | if (errno != ECONNREFUSED && errno != ENOENT) | ||
183 | errExit("connect"); | ||
184 | |||
185 | // This display number is unclaimed. Of course, it could | ||
186 | // be claimed before we get around to doing it... | ||
187 | found = 1; | ||
188 | break; | ||
189 | } | ||
190 | close(sockfd); | ||
191 | |||
97 | if (!found) { | 192 | if (!found) { |
98 | fprintf(stderr, "Error: cannot pick up a random X11 display number, exiting...\n"); | 193 | fputs("Error: cannot find an unallocated X11 display number, " |
194 | "exiting...\n", stderr); | ||
99 | exit(1); | 195 | exit(1); |
100 | } | 196 | } |
101 | |||
102 | return display; | 197 | return display; |
103 | } | 198 | } |
104 | #endif | 199 | #endif |
105 | 200 | ||
106 | // return display number, -1 if not configured | ||
107 | int x11_display(void) { | ||
108 | // extract display | ||
109 | char *d = getenv("DISPLAY"); | ||
110 | if (!d) | ||
111 | return - 1; | ||
112 | |||
113 | int display; | ||
114 | int rv = sscanf(d, ":%d", &display); | ||
115 | if (rv != 1) | ||
116 | return -1; | ||
117 | if (arg_debug) | ||
118 | printf("DISPLAY %s, %d\n", d, display); | ||
119 | |||
120 | return display; | ||
121 | } | ||
122 | |||
123 | void fs_x11(void) { | ||
124 | #ifdef HAVE_X11 | ||
125 | int display = x11_display(); | ||
126 | if (display <= 0) | ||
127 | return; | ||
128 | 201 | ||
129 | char *x11file; | ||
130 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) | ||
131 | errExit("asprintf"); | ||
132 | struct stat s; | ||
133 | if (stat(x11file, &s) == -1) | ||
134 | return; | ||
135 | |||
136 | // keep a copy of real /tmp/.X11-unix directory in WHITELIST_TMP_DIR | ||
137 | int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); | ||
138 | if (rv == -1) | ||
139 | errExit("mkdir"); | ||
140 | if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777)) | ||
141 | errExit("set_perms"); | ||
142 | |||
143 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
144 | errExit("mount bind"); | ||
145 | |||
146 | // mount tmpfs on /tmp/.X11-unix | ||
147 | if (arg_debug || arg_debug_whitelists) | ||
148 | printf("Mounting tmpfs on /tmp/.X11-unix directory\n"); | ||
149 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | ||
150 | errExit("mounting tmpfs on /tmp"); | ||
151 | fs_logger("tmpfs /tmp/.X11-unix"); | ||
152 | |||
153 | // create an empty file | ||
154 | /* coverity[toctou] */ | ||
155 | FILE *fp = fopen(x11file, "w"); | ||
156 | if (!fp) { | ||
157 | fprintf(stderr, "Error: cannot create empty file in x11 directory\n"); | ||
158 | exit(1); | ||
159 | } | ||
160 | // set file properties | ||
161 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); | ||
162 | fclose(fp); | ||
163 | |||
164 | // mount | ||
165 | char *wx11file; | ||
166 | if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) | ||
167 | errExit("asprintf"); | ||
168 | if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
169 | errExit("mount bind"); | ||
170 | fs_logger2("whitelist", x11file); | ||
171 | |||
172 | free(x11file); | ||
173 | free(wx11file); | ||
174 | |||
175 | // block access to RUN_WHITELIST_X11_DIR | ||
176 | if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, "none", MS_BIND, "mode=400,gid=0") == -1) | ||
177 | errExit("mount"); | ||
178 | fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); | ||
179 | #endif | ||
180 | } | ||
181 | 202 | ||
182 | 203 | ||
183 | #ifdef HAVE_X11 | 204 | #ifdef HAVE_X11 |
@@ -200,7 +221,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
200 | drop_privs(0); | 221 | drop_privs(0); |
201 | 222 | ||
202 | // check xephyr | 223 | // check xephyr |
203 | if (x11_check_xephyr() == 0) { | 224 | if (!program_in_path("Xephyr")) { |
204 | fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); | 225 | fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); |
205 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); | 226 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); |
206 | fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); | 227 | fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); |
@@ -400,7 +421,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
400 | drop_privs(0); | 421 | drop_privs(0); |
401 | 422 | ||
402 | // check xpra | 423 | // check xpra |
403 | if (x11_check_xpra() == 0) { | 424 | if (!program_in_path("xpra")) { |
404 | fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); | 425 | fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); |
405 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); | 426 | fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); |
406 | exit(0); | 427 | exit(0); |
@@ -593,9 +614,9 @@ void x11_start(int argc, char **argv) { | |||
593 | } | 614 | } |
594 | 615 | ||
595 | // check xpra | 616 | // check xpra |
596 | if (x11_check_xpra() == 1) | 617 | if (program_in_path("xpra")) |
597 | x11_start_xpra(argc, argv); | 618 | x11_start_xpra(argc, argv); |
598 | else if (x11_check_xephyr() == 1) | 619 | else if (program_in_path("Xephyr")) |
599 | x11_start_xephyr(argc, argv); | 620 | x11_start_xephyr(argc, argv); |
600 | else { | 621 | else { |
601 | fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); | 622 | fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); |
@@ -604,116 +625,113 @@ void x11_start(int argc, char **argv) { | |||
604 | exit(0); | 625 | exit(0); |
605 | } | 626 | } |
606 | } | 627 | } |
607 | |||
608 | #endif | 628 | #endif |
609 | 629 | ||
610 | void x11_block(void) { | 630 | // Porting notes: |
631 | // | ||
632 | // 1. merge #1100 from zackw: | ||
633 | // Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8 | ||
634 | // with this message: | ||
635 | // xauth: timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4 | ||
636 | // Failed to create untrusted X cookie: xauth: exit 1 | ||
637 | // For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was | ||
638 | // a partial merge. | ||
639 | // | ||
640 | // 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home | ||
641 | // directory, we need to make sure /usr/bin/xauth executable is the real thing, and not | ||
642 | // something picked up on $PATH. | ||
643 | // | ||
644 | // 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens | ||
645 | // when using a network namespace. Somehow, xauth tries to connect to the abstract socket, | ||
646 | // and it fails because of the network namespace - it should try to connect to the regular | ||
647 | // Unix socket! If we ignore the fail condition, the program will be started on X server without | ||
648 | // the security extension loaded. | ||
649 | void x11_xorg(void) { | ||
611 | #ifdef HAVE_X11 | 650 | #ifdef HAVE_X11 |
612 | mask_x11_abstract_socket = 1; | ||
613 | 651 | ||
614 | // check abstract socket presence and network namespace options | 652 | // check xauth utility is present in the system |
615 | if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) | 653 | struct stat s; |
616 | && x11_abstract_sockets_present()) { | 654 | if (stat("/usr/bin/xauth", &s) == -1) { |
617 | fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" | 655 | fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n" |
618 | "Additional setup required. To block abstract X11 socket you can either:\n" | 656 | " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); |
619 | " * use network namespace in firejail (--net=none, --net=...)\n" | ||
620 | " * add \"-nolisten local\" to xserver options\n" | ||
621 | " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); | ||
622 | exit(1); | 657 | exit(1); |
623 | } | 658 | } |
624 | 659 | if (s.st_uid != 0 && s.st_gid != 0) { | |
625 | // blacklist sockets | 660 | fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); |
626 | profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); | 661 | exit(1); |
627 | profile_add(strdup("blacklist /tmp/.X11-unix")); | ||
628 | |||
629 | // blacklist .Xauthority | ||
630 | profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); | ||
631 | profile_add(strdup("blacklist ${HOME}/.Xauthority")); | ||
632 | char *xauthority = getenv("XAUTHORITY"); | ||
633 | if (xauthority) { | ||
634 | char *line; | ||
635 | if (asprintf(&line, "blacklist %s", xauthority) == -1) | ||
636 | errExit("asprintf"); | ||
637 | profile_check_line(line, 0, NULL); | ||
638 | profile_add(line); | ||
639 | } | ||
640 | |||
641 | // clear environment | ||
642 | env_store("DISPLAY", RMENV); | ||
643 | env_store("XAUTHORITY", RMENV); | ||
644 | #endif | ||
645 | } | ||
646 | |||
647 | void x11_xorg(void) { | ||
648 | #ifdef HAVE_X11 | ||
649 | // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point | ||
650 | char *dest; | ||
651 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) | ||
652 | errExit("asprintf"); | ||
653 | struct stat s; | ||
654 | if (stat(dest, &s) == -1) { | ||
655 | // create an .Xauthority file | ||
656 | FILE *fp = fopen(dest, "w"); | ||
657 | if (!fp) | ||
658 | errExit("fopen"); | ||
659 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | ||
660 | fclose(fp); | ||
661 | } | 662 | } |
662 | 663 | ||
663 | // check xauth utility is present in the system | 664 | // get DISPLAY env |
664 | if (stat("/usr/bin/xauth", &s) == -1) { | 665 | char *display = getenv("DISPLAY"); |
665 | fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n"); | 666 | if (!display) { |
667 | fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); | ||
666 | exit(1); | 668 | exit(1); |
667 | } | 669 | } |
668 | 670 | ||
669 | // create a temporary .Xauthority file | 671 | // temporarily mount a tempfs on top of /tmp directory |
672 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0) | ||
673 | errExit("mounting /tmp"); | ||
674 | |||
675 | // create the temporary .Xauthority file | ||
676 | if (arg_debug) | ||
677 | printf("Generating a new .Xauthority file\n"); | ||
670 | char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; | 678 | char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; |
671 | int fd = mkstemp(tmpfname); | 679 | int fd = mkstemp(tmpfname); |
672 | if (fd == -1) { | 680 | if (fd == -1) { |
673 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); | 681 | fprintf(stderr, "Error: cannot create .Xauthority file\n"); |
674 | exit(1); | 682 | exit(1); |
675 | } | 683 | } |
676 | close(fd); | 684 | if (fchown(fd, getuid(), getgid()) == -1) |
677 | if (chown(tmpfname, getuid(), getgid()) == -1) | ||
678 | errExit("chown"); | 685 | errExit("chown"); |
686 | close(fd); | ||
679 | 687 | ||
680 | pid_t child = fork(); | 688 | pid_t child = fork(); |
681 | if (child < 0) | 689 | if (child < 0) |
682 | errExit("fork"); | 690 | errExit("fork"); |
683 | if (child == 0) { | 691 | if (child == 0) { |
684 | // generate the new .Xauthority file using xauth utility | ||
685 | if (arg_debug) | ||
686 | printf("Generating a new .Xauthority file\n"); | ||
687 | drop_privs(1); | 692 | drop_privs(1); |
688 | |||
689 | char *display = getenv("DISPLAY"); | ||
690 | if (!display) | ||
691 | display = ":0.0"; | ||
692 | |||
693 | clearenv(); | 693 | clearenv(); |
694 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, | ||
695 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); | ||
696 | |||
697 | #ifdef HAVE_GCOV | 694 | #ifdef HAVE_GCOV |
698 | __gcov_flush(); | 695 | __gcov_flush(); |
699 | #endif | 696 | #endif |
700 | _exit(0); | 697 | execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, |
698 | "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); | ||
699 | |||
700 | _exit(127); | ||
701 | } | ||
702 | |||
703 | // wait for the xauth process to finish | ||
704 | int status; | ||
705 | if (waitpid(child, &status, 0) != child) | ||
706 | errExit("waitpid"); | ||
707 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | ||
708 | /* success */ | ||
709 | } else if (WIFEXITED(status)) { | ||
710 | fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n", | ||
711 | WEXITSTATUS(status)); | ||
712 | exit(1); | ||
713 | } else if (WIFSIGNALED(status)) { | ||
714 | fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n", | ||
715 | strsignal(WTERMSIG(status))); | ||
716 | exit(1); | ||
717 | } else { | ||
718 | fprintf(stderr, "Failed to create untrusted X cookie: " | ||
719 | "xauth: un-decodable exit status %04x\n", status); | ||
720 | exit(1); | ||
701 | } | 721 | } |
702 | 722 | ||
703 | // wait for the child to finish | 723 | // ensure the file has the correct permissions and move it |
704 | waitpid(child, NULL, 0); | 724 | // into the correct location. |
705 | |||
706 | // check the file was created and set mode and ownership | ||
707 | if (stat(tmpfname, &s) == -1) { | 725 | if (stat(tmpfname, &s) == -1) { |
708 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 726 | fprintf(stderr, "Error: .Xauthority file was not created\n"); |
709 | exit(1); | 727 | exit(1); |
710 | } | 728 | } |
711 | if (set_perms(tmpfname, getuid(), getgid(), 0600)) | 729 | if (set_perms(tmpfname, getuid(), getgid(), 0600)) |
712 | errExit("set_perms"); | 730 | errExit("set_perms"); |
713 | 731 | ||
714 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted | 732 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted |
715 | // automatically when the sandbox is closed | 733 | // automatically when the sandbox is closed (rename doesn't work) |
716 | if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { | 734 | if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { // root needed |
717 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 735 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); |
718 | exit(1); | 736 | exit(1); |
719 | } | 737 | } |
@@ -721,14 +739,132 @@ void x11_xorg(void) { | |||
721 | errExit("set_perms"); | 739 | errExit("set_perms"); |
722 | /* coverity[toctou] */ | 740 | /* coverity[toctou] */ |
723 | unlink(tmpfname); | 741 | unlink(tmpfname); |
742 | umount("/tmp"); | ||
724 | 743 | ||
744 | |||
745 | // Ensure there is already a file in the usual location, so that bind-mount below will work. | ||
746 | // todo: fix TOCTOU races, currently managed by imposing /usr/bin/xauth as executable | ||
747 | char *dest; | ||
748 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) | ||
749 | errExit("asprintf"); | ||
750 | if (stat(dest, &s) == -1) { | ||
751 | // create an .Xauthority file | ||
752 | touch_file_as_user(dest, getuid(), getgid(), 0600); | ||
753 | } | ||
754 | if (is_link(dest)) { | ||
755 | fprintf(stderr, "Error: .Xauthority is a symbolic link\n"); | ||
756 | exit(1); | ||
757 | } | ||
758 | |||
725 | // mount | 759 | // mount |
726 | if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) { | 760 | if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) { |
727 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); | 761 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); |
728 | exit(1); | 762 | exit(1); |
729 | } | 763 | } |
764 | // just in case... | ||
730 | if (set_perms(dest, getuid(), getgid(), 0600)) | 765 | if (set_perms(dest, getuid(), getgid(), 0600)) |
731 | errExit("set_perms"); | 766 | errExit("set_perms"); |
732 | free(dest); | 767 | free(dest); |
733 | #endif | 768 | #endif |
734 | } | 769 | } |
770 | |||
771 | void fs_x11(void) { | ||
772 | #ifdef HAVE_X11 | ||
773 | int display = x11_display(); | ||
774 | if (display <= 0) | ||
775 | return; | ||
776 | |||
777 | char *x11file; | ||
778 | if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) | ||
779 | errExit("asprintf"); | ||
780 | struct stat x11stat; | ||
781 | if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { | ||
782 | free(x11file); | ||
783 | return; | ||
784 | } | ||
785 | |||
786 | if (arg_debug || arg_debug_whitelists) | ||
787 | fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); | ||
788 | |||
789 | // Move the real /tmp/.X11-unix to a scratch location | ||
790 | // so we can still access x11file after we mount a | ||
791 | // tmpfs over /tmp/.X11-unix. | ||
792 | int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); | ||
793 | if (rv == -1) | ||
794 | errExit("mkdir"); | ||
795 | if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) | ||
796 | errExit("set_perms"); | ||
797 | |||
798 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) | ||
799 | errExit("mount bind"); | ||
800 | |||
801 | // This directory must be mode 1777, or Xlib will barf. | ||
802 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", | ||
803 | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, | ||
804 | "mode=1777,uid=0,gid=0") < 0) | ||
805 | errExit("mounting tmpfs on /tmp/.X11-unix"); | ||
806 | fs_logger("tmpfs /tmp/.X11-unix"); | ||
807 | |||
808 | // create an empty file which will have the desired socket bind-mounted over it | ||
809 | int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); | ||
810 | if (fd < 0) | ||
811 | errExit(x11file); | ||
812 | if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) | ||
813 | errExit("fchown"); | ||
814 | close(fd); | ||
815 | |||
816 | // do the mount | ||
817 | char *wx11file; | ||
818 | if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) | ||
819 | errExit("asprintf"); | ||
820 | if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
821 | errExit("mount bind"); | ||
822 | fs_logger2("whitelist", x11file); | ||
823 | |||
824 | free(x11file); | ||
825 | free(wx11file); | ||
826 | |||
827 | // block access to RUN_WHITELIST_X11_DIR | ||
828 | if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) | ||
829 | errExit("mount"); | ||
830 | fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); | ||
831 | #endif | ||
832 | } | ||
833 | |||
834 | void x11_block(void) { | ||
835 | #ifdef HAVE_X11 | ||
836 | mask_x11_abstract_socket = 1; | ||
837 | |||
838 | // check abstract socket presence and network namespace options | ||
839 | if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) | ||
840 | && x11_abstract_sockets_present()) { | ||
841 | fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" | ||
842 | "Additional setup required. To block abstract X11 socket you can either:\n" | ||
843 | " * use network namespace in firejail (--net=none, --net=...)\n" | ||
844 | " * add \"-nolisten local\" to xserver options\n" | ||
845 | " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); | ||
846 | exit(1); | ||
847 | } | ||
848 | |||
849 | // blacklist sockets | ||
850 | profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); | ||
851 | profile_add(strdup("blacklist /tmp/.X11-unix")); | ||
852 | |||
853 | // blacklist .Xauthority | ||
854 | profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); | ||
855 | profile_add(strdup("blacklist ${HOME}/.Xauthority")); | ||
856 | char *xauthority = getenv("XAUTHORITY"); | ||
857 | if (xauthority) { | ||
858 | char *line; | ||
859 | if (asprintf(&line, "blacklist %s", xauthority) == -1) | ||
860 | errExit("asprintf"); | ||
861 | profile_check_line(line, 0, NULL); | ||
862 | profile_add(line); | ||
863 | } | ||
864 | |||
865 | // clear environment | ||
866 | env_store("DISPLAY", RMENV); | ||
867 | env_store("XAUTHORITY", RMENV); | ||
868 | #endif | ||
869 | } | ||
870 | |||
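Review bot: The ownership check added at new line 659 of x11_xorg, `if (s.st_uid != 0 && s.st_gid != 0)`, only rejects xauth when both the uid and the gid are non-root, so a binary owned by root:somegroup or by someuser:root passes even though porting note 2 says the intent is to make sure /usr/bin/xauth is the real thing; the condition should be `if (s.st_uid != 0 || s.st_gid != 0) {`. The message on the preceding branch, "xauth utility not found in PATH", is also misleading: the code stats the fixed path /usr/bin/xauth and execlp() with an absolute path never consults PATH, so `Error: /usr/bin/xauth not found. Please install it:` describes what was actually checked. The stat-then-execlp sequence still leaves a window between the check and the exec, which is acceptable only on the assumption that /usr/bin is not writable by the sandboxed user; adding `|| (s.st_mode & S_IWOTH)` to the same condition would make that assumption explicit and fail closed if it does not hold.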
diff --git a/src/firemon/arp.c b/src/firemon/arp.c index 014f6a904..cef48fb0d 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 3f8a139ae..8837c9ee7 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index e20e1d449..bbb28f619 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index b63e37444..da5cc2d97 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index c78023888..caf6b50c2 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index def9cd5ac..ba3c9fceb 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/list.c b/src/firemon/list.c index acff13a28..1df737e8c 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 534d783cb..8d78b094b 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index edae21951..ebcb7a72c 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -70,7 +70,9 @@ static int pid_is_firejail(pid_t pid) { | |||
70 | errExit("asprintf"); | 70 | errExit("asprintf"); |
71 | if ((fd = open(fname, O_RDONLY)) < 0) { | 71 | if ((fd = open(fname, O_RDONLY)) < 0) { |
72 | free(fname); | 72 | free(fname); |
73 | rv = 0; | 73 | #ifdef DEBUG_PRCTL |
74 | printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); | ||
75 | #endif | ||
74 | goto doexit; | 76 | goto doexit; |
75 | } | 77 | } |
76 | free(fname); | 78 | free(fname); |
@@ -81,7 +83,9 @@ static int pid_is_firejail(pid_t pid) { | |||
81 | ssize_t len; | 83 | ssize_t len; |
82 | if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) { | 84 | if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) { |
83 | close(fd); | 85 | close(fd); |
84 | rv = 0; | 86 | #ifdef DEBUG_PRCTL |
87 | printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); | ||
88 | #endif | ||
85 | goto doexit; | 89 | goto doexit; |
86 | } | 90 | } |
87 | buffer[len] = '\0'; | 91 | buffer[len] = '\0'; |
@@ -89,8 +93,12 @@ static int pid_is_firejail(pid_t pid) { | |||
89 | 93 | ||
90 | // list of firejail arguments that don't trigger sandbox creation | 94 | // list of firejail arguments that don't trigger sandbox creation |
91 | // the initial -- is not included | 95 | // the initial -- is not included |
92 | char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols " | 96 | char *exclude_args[] = { |
93 | "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean "; | 97 | "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", |
98 | "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", | ||
99 | "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", | ||
100 | "fs.print", "get", "overlay-clean", NULL | ||
101 | }; | ||
94 | 102 | ||
95 | int i; | 103 | int i; |
96 | char *start; | 104 | char *start; |
@@ -105,16 +113,26 @@ static int pid_is_firejail(pid_t pid) { | |||
105 | } | 113 | } |
106 | if (strncmp(start, "--", 2) != 0) | 114 | if (strncmp(start, "--", 2) != 0) |
107 | break; | 115 | break; |
116 | start += 2; | ||
108 | 117 | ||
109 | // clan starting with = | 118 | // clan starting with = |
110 | char *ptr = strchr(start + 2, '='); | 119 | char *ptr = strchr(start, '='); |
111 | if (ptr) | 120 | if (ptr) |
112 | *ptr = '\0'; | 121 | *ptr = '\0'; |
113 | 122 | ||
114 | if (strstr(firejail_args, start + 2)) { | 123 | // look into exclude list |
115 | rv = 0; | 124 | int j = 0; |
116 | break; | 125 | while (exclude_args[j] != NULL) { |
126 | if (strcmp(start, exclude_args[j]) == 0) { | ||
127 | rv = 0; | ||
128 | #ifdef DEBUG_PRCTL | ||
129 | printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv); | ||
130 | #endif | ||
131 | break; | ||
132 | } | ||
133 | j++; | ||
117 | } | 134 | } |
135 | |||
118 | start = (char *) buffer + i + 1; | 136 | start = (char *) buffer + i + 1; |
119 | } | 137 | } |
120 | } | 138 | } |
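Review bot: The debug print at new line 129 passes `ptr` to a `%s` conversion, but `ptr` is NULL whenever the argument carried no `=` (the `if (ptr)` guard two lines earlier shows that case is expected), and NULL for `%s` is undefined behaviour in printf; `printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr ? ptr : "(null)", rv);` keeps the diagnostic without that hazard. The first two hunks of this file also drop `rv = 0;` on the open() and read() failure paths, so what `goto doexit` returns there now depends on how `rv` is initialised at the top of pid_is_firejail, which lies outside these hunks; it is worth confirming it starts at 0, because a non-zero return would make firemon treat a process whose comm file cannot be read as a firejail sandbox. As a point of style, `exclude_args` is an array of pointers to string literals rebuilt on the stack at every call; `static const char *const exclude_args[] = { … };` documents that the entries are immutable and avoids the per-call initialisation. The exact-match loop is a clear improvement over the old strstr() test, which matched any substring of the concatenated list.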
diff --git a/src/firemon/route.c b/src/firemon/route.c index fb58b169d..dff594431 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index f11c624ea..d50692b37 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/top.c b/src/firemon/top.c index 94271523c..3ed976af1 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/tree.c b/src/firemon/tree.c index 6d8b37ecb..3fdcc4d37 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 74a2a61f0..1768237b3 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firemon/x11.c b/src/firemon/x11.c index 73dc310d3..97cfffe64 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 96684fdf9..a7f0a603a 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index 0c5e5baef..d6080e283 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 3958efddd..5813db337 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/main.c b/src/fnet/main.c index 4e7807d07..6ec8e5f84 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 546fafcec..86d9d5190 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c | |||
@@ -26,7 +26,7 @@ | |||
26 | * | 26 | * |
27 | */ | 27 | */ |
28 | /* | 28 | /* |
29 | * Copyright (C) 2014-2016 Firejail Authors | 29 | * Copyright (C) 2014-2017 Firejail Authors |
30 | * | 30 | * |
31 | * This file is part of firejail project | 31 | * This file is part of firejail project |
32 | * | 32 | * |
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c index dbee916d4..3e92a1f9d 100644 --- a/src/fseccomp/errno.c +++ b/src/fseccomp/errno.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index 504f1c23f..e0d423b4a 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 2f85a786b..134b840f2 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 7bf560fe1..e9f65e7e8 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index cc6edc8ca..f252e36b6 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 10ef9dd31..d706b3359 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index e22c682dc..d18f2efa5 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index a856e5aef..79c85eb75 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 7c2c4cbb2..398a49578 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h index 15d1a090e..b663f1f38 100644 --- a/src/ftee/ftee.h +++ b/src/ftee/ftee.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/ftee/main.c b/src/ftee/main.c index 2b27baa5a..d425be07c 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/common.h b/src/include/common.h index 108820290..fc4059334 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/euid_common.h b/src/include/euid_common.h index 752df5fff..29a3bdf4b 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/pid.h b/src/include/pid.h index b7878ddb5..e8e20d575 100644 --- a/src/include/pid.h +++ b/src/include/pid.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 7d646dd9e..ced1ed2e3 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/include/syscall.h b/src/include/syscall.h index 9a29779c9..c49760703 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/lib/common.c b/src/lib/common.c index 3f66fa72a..6f2cebf12 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/lib/pid.c b/src/lib/pid.c index 42687274e..7ae5a8d3e 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in deleted file mode 100644 index 5b7a8d0f1..000000000 --- a/src/libconnect/Makefile.in +++ /dev/null | |||
@@ -1,25 +0,0 @@ | |||
1 | PREFIX=@prefix@ | ||
2 | VERSION=@PACKAGE_VERSION@ | ||
3 | NAME=@PACKAGE_NAME@ | ||
4 | HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ | ||
5 | |||
6 | H_FILE_LIST = $(sort $(wildcard *.[h])) | ||
7 | C_FILE_LIST = $(sort $(wildcard *.c)) | ||
8 | OBJS = $(C_FILE_LIST:.c=.o) | ||
9 | BINOBJS = $(foreach file, $(OBJS), $file) | ||
10 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | ||
11 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | ||
12 | |||
13 | all: libconnect.so | ||
14 | |||
15 | %.o : %.c $(H_FILE_LIST) | ||
16 | $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ | ||
17 | |||
18 | libconnect.so: $(OBJS) | ||
19 | $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl | ||
20 | |||
21 | |||
22 | clean:; rm -f $(OBJS) libconnect.so | ||
23 | |||
24 | distclean: clean | ||
25 | rm -fr Makefile | ||
diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c deleted file mode 100644 index 18c4d81f5..000000000 --- a/src/libconnect/libconnect.c +++ /dev/null | |||
@@ -1,66 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #define _GNU_SOURCE | ||
21 | #include <stdio.h> | ||
22 | #include <stdlib.h> | ||
23 | #include <string.h> | ||
24 | #include <dlfcn.h> | ||
25 | #include <sys/types.h> | ||
26 | #include <unistd.h> | ||
27 | #include <sys/socket.h> | ||
28 | #include <netinet/in.h> | ||
29 | #include <arpa/inet.h> | ||
30 | #include <sys/un.h> | ||
31 | #include <sys/stat.h> | ||
32 | #include <dirent.h> | ||
33 | #include <errno.h> | ||
34 | |||
35 | //#define DEBUG | ||
36 | |||
37 | //static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { | ||
38 | static int check_sockaddr(const struct sockaddr *addr) { | ||
39 | if (addr->sa_family == AF_UNIX) { | ||
40 | struct sockaddr_un *a = (struct sockaddr_un *) addr; | ||
41 | if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) { | ||
42 | // printf("@%s\n", a->sun_path + 1); | ||
43 | errno = ENOENT; | ||
44 | return -1; | ||
45 | } | ||
46 | } | ||
47 | |||
48 | return 0; | ||
49 | } | ||
50 | |||
51 | // | ||
52 | // syscalls | ||
53 | // | ||
54 | |||
55 | // connect | ||
56 | typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); | ||
57 | static orig_connect_t orig_connect = NULL; | ||
58 | int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | ||
59 | if (!orig_connect) | ||
60 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | ||
61 | |||
62 | if (check_sockaddr(addr) == -1) | ||
63 | return -1; | ||
64 | |||
65 | return orig_connect(sockfd, addr, addrlen); | ||
66 | } | ||
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index dde3df2ea..1be89052c 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 90fe726de..abacb7115 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 Firejail Authors | 2 | * Copyright (C) 2014-2017 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index fa522c154..aa1aec567 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -81,11 +81,21 @@ Include other.profile file. | |||
81 | 81 | ||
82 | Example: "include /etc/firejail/disable-common.inc" | 82 | Example: "include /etc/firejail/disable-common.inc" |
83 | 83 | ||
84 | other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the | 84 | The file name can be prefixed with a macro such as ${HOME} or ${CFG}. |
85 | file in user home directory. | 85 | ${HOME} is expanded as user home directory, and ${CFG} is expanded as |
86 | Firejail system configuration directory - in most cases /etc/firejail or | ||
87 | /usr/local/etc/firejail. | ||
86 | 88 | ||
87 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. | 89 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. |
88 | 90 | ||
91 | Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file. | ||
92 | |||
93 | System configuration files in ${CFG} are overwritten during software installation. | ||
94 | Persistent configuration at system level is handled in ".local" files. For every | ||
95 | profile file in ${CFG} directory, the user can create a corresponding .local file | ||
96 | storing modifications to the persistent configuration. Persistent .local files | ||
97 | are included at the start of regular profile files. | ||
98 | |||
89 | .TP | 99 | .TP |
90 | \fBnoblacklist file_name | 100 | \fBnoblacklist file_name |
91 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. | 101 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
@@ -240,6 +250,11 @@ Mount /etc directory read-write. | |||
240 | .TP | 250 | .TP |
241 | \fBwritable-var | 251 | \fBwritable-var |
242 | Mount /var directory read-write. | 252 | Mount /var directory read-write. |
253 | .TP | ||
254 | \fBwritable-var-log | ||
255 | Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log | ||
256 | directory, and a skeleton filesystem is created based on the original /var/log. | ||
257 | |||
243 | .SH Security filters | 258 | .SH Security filters |
244 | The following security filters are currently implemented: | 259 | The following security filters are currently implemented: |
245 | 260 | ||
@@ -388,6 +403,10 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
388 | Set a hostname for the sandbox. | 403 | Set a hostname for the sandbox. |
389 | 404 | ||
390 | .TP | 405 | .TP |
406 | \fBhosts-file file | ||
407 | Use file as /etc/hosts. | ||
408 | |||
409 | .TP | ||
391 | \fBip address | 410 | \fBip address |
392 | Assign IP addresses to the last network interface defined by a net command. A | 411 | Assign IP addresses to the last network interface defined by a net command. A |
393 | default gateway is assigned by default. | 412 | default gateway is assigned by default. |
@@ -448,7 +467,7 @@ Assign MAC addresses to the last network interface defined by a net command. | |||
448 | 467 | ||
449 | .TP | 468 | .TP |
450 | \fBmachine-id | 469 | \fBmachine-id |
451 | Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. | 470 | Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. |
452 | 471 | ||
453 | .TP | 472 | .TP |
454 | \fBmtu number | 473 | \fBmtu number |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 60c21cbc1..f978661dc 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -76,7 +76,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
76 | Signal the end of options and disables further option processing. | 76 | Signal the end of options and disables further option processing. |
77 | .TP | 77 | .TP |
78 | \fB\-\-allow-debuggers | 78 | \fB\-\-allow-debuggers |
79 | Allow tools such as strace and gdb inside the sandbox. | 79 | Allow tools such as strace and gdb inside the sandbox. This option is only available |
80 | when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full | ||
81 | bypass of the seccomp filter. | ||
80 | .br | 82 | .br |
81 | 83 | ||
82 | .br | 84 | .br |
@@ -190,7 +192,7 @@ Define a custom blacklist Linux capabilities filter. | |||
190 | .br | 192 | .br |
191 | Example: | 193 | Example: |
192 | .br | 194 | .br |
193 | $ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw | 195 | $ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw |
194 | 196 | ||
195 | .TP | 197 | .TP |
196 | \fB\-\-caps.keep=capability,capability,capability | 198 | \fB\-\-caps.keep=capability,capability,capability |
@@ -451,6 +453,39 @@ $ firejail \-\-fs.print=3272 | |||
451 | \fB\-\-get=name|pid filename | 453 | \fB\-\-get=name|pid filename |
452 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. | 454 | Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. |
453 | 455 | ||
456 | |||
457 | .TP | ||
458 | \fB\-\-git-install | ||
459 | Download, compile and install mainline git version of Firejail from the official repository on GitHub. | ||
460 | The software is installed in /usr/local/bin, and takes precedence over the (old) version | ||
461 | installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it | ||
462 | using \-\-git-uninstall command and revert to the old version. | ||
463 | .br | ||
464 | |||
465 | .br | ||
466 | Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu | ||
467 | systems this support is installed using "sudo apt-get install build-essential git". | ||
468 | .br | ||
469 | |||
470 | .br | ||
471 | Example: | ||
472 | .br | ||
473 | |||
474 | .br | ||
475 | $ firejail \-\-git-install | ||
476 | |||
477 | .TP | ||
478 | \fB\-\-git-uninstall | ||
479 | Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command. | ||
480 | .br | ||
481 | |||
482 | .br | ||
483 | Example: | ||
484 | .br | ||
485 | |||
486 | .br | ||
487 | $ firejail \-\-git-uninstall | ||
488 | |||
454 | .TP | 489 | .TP |
455 | \fB\-?\fR, \fB\-\-help\fR | 490 | \fB\-?\fR, \fB\-\-help\fR |
456 | Print options end exit. | 491 | Print options end exit. |
@@ -467,6 +502,16 @@ Example: | |||
467 | $ firejail \-\-hostname=officepc firefox | 502 | $ firejail \-\-hostname=officepc firefox |
468 | 503 | ||
469 | .TP | 504 | .TP |
505 | \fB\-\-hosts-file=file | ||
506 | Use file as /etc/hosts. | ||
507 | .br | ||
508 | |||
509 | .br | ||
510 | Example: | ||
511 | .br | ||
512 | $ firejail \-\-hosts-file=~/myhosts firefox | ||
513 | |||
514 | .TP | ||
470 | \fB\-\-ignore=command | 515 | \fB\-\-ignore=command |
471 | Ignore command in profile file. | 516 | Ignore command in profile file. |
472 | .br | 517 | .br |
@@ -676,7 +721,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox | |||
676 | 721 | ||
677 | .TP | 722 | .TP |
678 | \fB\-\-machine-id | 723 | \fB\-\-machine-id |
679 | Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. | 724 | Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. |
680 | .br | 725 | .br |
681 | 726 | ||
682 | .br | 727 | .br |
@@ -759,6 +804,11 @@ Example: | |||
759 | $ firejail \-\-net=none vlc | 804 | $ firejail \-\-net=none vlc |
760 | 805 | ||
761 | .TP | 806 | .TP |
807 | \fB\-\-netns=name | ||
808 | Run the program in a named, persistent network namespace. These can | ||
809 | be created and configured using "ip netns". | ||
810 | |||
811 | .TP | ||
762 | \fB\-\-netfilter | 812 | \fB\-\-netfilter |
763 | Enable a default client network filter in the new network namespace. | 813 | Enable a default client network filter in the new network namespace. |
764 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | 814 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, |
@@ -1708,6 +1758,17 @@ Example: | |||
1708 | .br | 1758 | .br |
1709 | $ sudo firejail --writable-var | 1759 | $ sudo firejail --writable-var |
1710 | 1760 | ||
1761 | .TP | ||
1762 | \fB\-\-writable-var-log | ||
1763 | Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log | ||
1764 | directory, and a skeleton filesystem is created based on the original /var/log. | ||
1765 | .br | ||
1766 | |||
1767 | .br | ||
1768 | Example: | ||
1769 | .br | ||
1770 | $ sudo firejail --writable-var-log | ||
1771 | |||
1711 | 1772 | ||
1712 | .TP | 1773 | .TP |
1713 | \fB\-\-x11 | 1774 | \fB\-\-x11 |
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c index ed6319be5..66d86e1a6 100644 --- a/src/tools/extract_caps.c +++ b/src/tools/extract_caps.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c index 3ab4d66e0..9af24b8cd 100644 --- a/src/tools/extract_syscalls.c +++ b/src/tools/extract_syscalls.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c index 4dbeb7ffc..d108672d2 100644 --- a/src/tools/rvtest.c +++ b/src/tools/rvtest.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com) | 2 | * Copyright (C) 2014-2017 netblue30 (netblue30@yahoo.com) |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index 93dba69ad..f304f5b94 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index f1c1c10f5..d9b64af1d 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index 5cb9d0849..10443a1c7 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index bb646e189..6d0fcf081 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp index ce8d70464..5038ab21c 100755 --- a/test/appimage/filename.exp +++ b/test/appimage/filename.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index b05914b52..d39d8390e 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 66b82fe92..4da9e5a16 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp | |||
@@ -1,13 +1,13 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" | 10 | send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r" |
11 | sleep 10 | 11 | sleep 10 |
12 | 12 | ||
13 | spawn $env(SHELL) | 13 | spawn $env(SHELL) |
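Review bot: The new `--ignore=net --ignore=netfilter --ignore=iprange` on line 10 switches off the profile's network restrictions for this run without recording why; the same addition appears in test/apps-x11-xorg/icedove.exp and test/apps-x11-xorg/transmission-gtk.exp. Presumably the `--x11=xorg` case needs the host network (this test points Firefox at www.gentoo.org), but a reader cannot tell that from the script, and it also means these three tests no longer exercise the network isolation their profiles declare. A one-line comment above the send would capture the intent: `# --ignore=net/netfilter/iprange: run on the host network; the profile's network isolation is not under test here`. The expect block that checks the outcome lies beyond this hunk.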
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp index 667c2259f..ce1d38222 100755 --- a/test/apps-x11-xorg/icedove.exp +++ b/test/apps-x11-xorg/icedove.exp | |||
@@ -1,13 +1,13 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test --x11=xorg icedove\r" | 10 | send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange icedove\r" |
11 | sleep 10 | 11 | sleep 10 |
12 | 12 | ||
13 | spawn $env(SHELL) | 13 | spawn $env(SHELL) |
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index c52cb5b3a..c6d9ba13a 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp | |||
@@ -1,13 +1,13 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --name=test --x11=xorg transmission-gtk\r" | 10 | send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r" |
11 | sleep 10 | 11 | sleep 10 |
12 | 12 | ||
13 | spawn $env(SHELL) | 13 | spawn $env(SHELL) |
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 4a8671dbd..739a94f2e 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 2505c0c37..eeedd99c4 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index 6a50c8884..5464e39cd 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp index e306e33ce..f81d814a7 100755 --- a/test/apps-x11/icedove.exp +++ b/test/apps-x11/icedove.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp index 4083a121f..8dae20e31 100755 --- a/test/apps-x11/transmission-gtk.exp +++ b/test/apps-x11/transmission-gtk.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp index e9908839b..1f3e1439a 100755 --- a/test/apps-x11/x11-none.exp +++ b/test/apps-x11/x11-none.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp index 41a413890..31a434103 100755 --- a/test/apps-x11/x11-xephyr.exp +++ b/test/apps-x11/x11-xephyr.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp index 5b4299478..c36121a75 100755 --- a/test/apps-x11/xterm-xephyr.exp +++ b/test/apps-x11/xterm-xephyr.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp index fbc88f196..04fc4b960 100755 --- a/test/apps-x11/xterm-xorg.exp +++ b/test/apps-x11/xterm-xorg.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp index 1fb5df486..e769e5e20 100755 --- a/test/apps-x11/xterm-xpra.exp +++ b/test/apps-x11/xterm-xpra.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 38307b284..4b7afe1a9 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index d43f70f8e..635c07afa 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index 0bf1baae2..3f83a1e01 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/evince.exp b/test/apps/evince.exp index 71f760a9c..dbad46068 100755 --- a/test/apps/evince.exp +++ b/test/apps/evince.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index 99c48d87c..b5c58c909 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp index 2f7038184..7bef9dc27 100755 --- a/test/apps/filezilla.exp +++ b/test/apps/filezilla.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 5745d9270..06b5a3bc3 100755 --- a/test/apps/firefox.exp +++ b/test/apps/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 6f0e5a312..0e879d33b 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp index 13132cef6..ae2976910 100755 --- a/test/apps/gthumb.exp +++ b/test/apps/gthumb.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index 5d0bc1093..74f0a9fb6 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp index c0fbd9fc8..1acb59112 100755 --- a/test/apps/icedove.exp +++ b/test/apps/icedove.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/midori.exp b/test/apps/midori.exp index 45d70eda1..764f3e4a4 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/opera.exp b/test/apps/opera.exp index 036fc2e21..8a8885afa 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp index 8bc6d8564..bf23390a1 100755 --- a/test/apps/qbittorrent.exp +++ b/test/apps/qbittorrent.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 70700d523..d9e5869c8 100755 --- a/test/apps/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 3773b1dc2..189919720 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp index 22c2a0831..10a14e11a 100755 --- a/test/apps/uget-gtk.exp +++ b/test/apps/uget-gtk.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index b94ef8e12..a1d4cc6b2 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/wine.exp b/test/apps/wine.exp index a2f465acb..fc181c0cc 100755 --- a/test/apps/wine.exp +++ b/test/apps/wine.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index f3284caf7..8df9f8925 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh index 34bff2a67..e7911caa0 100755 --- a/test/chroot/chroot.sh +++ b/test/chroot/chroot.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 46e4bb3ca..bd0cf8c86 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/env.exp b/test/environment/env.exp index 8f72400b0..9e2ba1e1c 100755 --- a/test/environment/env.exp +++ b/test/environment/env.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 2bb5a249e..e2b9cb9d4 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index 2b851ee72..c2e2be596 100755 --- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp index 330e5e372..db64d59ed 100755 --- a/test/environment/firejail-in-firejail2.exp +++ b/test/environment/firejail-in-firejail2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/nice.exp b/test/environment/nice.exp index 2e0e95ea1..2c00d1485 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp index 8d7c8d4c0..bab395f71 100755 --- a/test/environment/quiet.exp +++ b/test/environment/quiet.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 4 | 6 | set timeout 4 |
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp index 8f3df794f..69c8db067 100755 --- a/test/environment/shell-none.exp +++ b/test/environment/shell-none.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/environment/sound.exp b/test/environment/sound.exp index dd55add89..f1a251f34 100755 --- a/test/environment/sound.exp +++ b/test/environment/sound.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | 6 | ||
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 578951ce0..4380f476c 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 24bb19351..10dd8da58 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -10,7 +10,7 @@ match_max 100000 | |||
10 | send -- "/usr/lib/firejail/fcopy\r" | 10 | send -- "/usr/lib/firejail/fcopy\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "files missing" | 13 | "arguments missing" |
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
@@ -21,7 +21,7 @@ after 100 | |||
21 | send -- "/usr/lib/firejail/fcopy foo\r" | 21 | send -- "/usr/lib/firejail/fcopy foo\r" |
22 | expect { | 22 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "files missing" | 24 | "arguments missing" |
25 | } | 25 | } |
26 | expect { | 26 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 3\n";exit} |
@@ -32,14 +32,14 @@ after 100 | |||
32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" | 32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" |
33 | expect { | 33 | expect { |
34 | timeout {puts "TESTING ERROR 4\n";exit} | 34 | timeout {puts "TESTING ERROR 4\n";exit} |
35 | "invalid file name" | 35 | "invalid source file name" |
36 | } | 36 | } |
37 | after 100 | 37 | after 100 |
38 | 38 | ||
39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" | 39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" |
40 | expect { | 40 | expect { |
41 | timeout {puts "TESTING ERROR 5\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
42 | "invalid file name" | 42 | "invalid dest file name" |
43 | } | 43 | } |
44 | after 100 | 44 | after 100 |
45 | 45 | ||
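Review bot: The updated expected strings on lines 13, 24, 35 and 42 are the only assertions this test makes, and on a mismatch the `timeout` branch of each block prints `TESTING ERROR n` and then calls bare `exit`, which returns status 0. If the driver (test/fcopy/fcopy.sh, not visible here) judges the run by exit status rather than by grepping the output, a stale message such as the one this commit corrects would pass silently; `timeout {puts "TESTING ERROR 4\n";exit 1}` in each block would make it fail loudly. The split into `invalid source file name` and `invalid dest file name` does now confirm which argument fcopy rejected, which the old shared message could not.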
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index dc8c80569..a0fd409a6 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # | 6 | # |
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index dcda5ca31..0ae50399a 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp index d1f0a4424..a89eaf40f 100755 --- a/test/fcopy/filecopy.exp +++ b/test/fcopy/filecopy.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # | 6 | # |
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp index 9927e18fe..beceb3675 100755 --- a/test/fcopy/linkcopy.exp +++ b/test/fcopy/linkcopy.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | # | 6 | # |
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp index d9d662239..605041e22 100755 --- a/test/filters/caps-print.exp +++ b/test/filters/caps-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/caps.exp b/test/filters/caps.exp index 2954f2e58..aff5f03c2 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index fea4a0296..73e0e4d5c 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 8a9a8f9dc..4d876df08 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index b011f2bf9..2c7218c87 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 835f645b2..71f54b08a 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 1bd9c9b1f..9cfbac109 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 463ce05e9..22615420d 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index b17990e3a..35c6f69c2 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp index a54d279f1..7d9da5e5a 100755 --- a/test/filters/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index dbc0d37a9..a95f3bd23 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 958dab528..abf093201 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 1 | 6 | set timeout 1 |
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp index d150dac7d..2cd316953 100755 --- a/test/filters/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index c3af2fbe9..eeb0824f2 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index bb87b96ea..2c6d9d25e 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 3feabc20f..62135abb8 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c index 422af619d..48e8f29f5 100644 --- a/test/filters/syscall_test.c +++ b/test/filters/syscall_test.c | |||
@@ -1,5 +1,5 @@ | |||
1 | // This file is part of Firejail project | 1 | // This file is part of Firejail project |
2 | // Copyright (C) 2014-2016 Firejail Authors | 2 | // Copyright (C) 2014-2017 Firejail Authors |
3 | // License GPL v2 | 3 | // License GPL v2 |
4 | 4 | ||
5 | #include <stdlib.h> | 5 | #include <stdlib.h> |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 611b62b09..85eeaaf81 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index 8150dfa61..1d810084c 100755 --- a/test/fs/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp index 5879dca52..919b75f34 100755 --- a/test/fs/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index a3bc5afe2..50679db6d 100755 --- a/test/fs/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp index a6efc24b6..db15bb6ba 100755 --- a/test/fs/invalid_filename.exp +++ b/test/fs/invalid_filename.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp index abc711aee..9d9467eac 100755 --- a/test/fs/kmsg.exp +++ b/test/fs/kmsg.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp index 98163bf77..e2e7d3ef0 100755 --- a/test/fs/mkdir_mkfile.exp +++ b/test/fs/mkdir_mkfile.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp index 6554d438f..dcdf5facc 100755 --- a/test/fs/option_blacklist.exp +++ b/test/fs/option_blacklist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp index 5a96cacc9..f682ed619 100755 --- a/test/fs/option_blacklist_glob.exp +++ b/test/fs/option_blacklist_glob.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index f7181d218..b8722130a 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 5ddce8678..b91da07f3 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index 36b5d247c..c4b0da7b2 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index f85a939b1..77baeeb5f 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index 3840d1cb8..259eb4f9e 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
@@ -89,7 +89,7 @@ expect { | |||
89 | "Child process initialized" | 89 | "Child process initialized" |
90 | } | 90 | } |
91 | after 100 | 91 | after 100 |
92 | send -- "file file ~/_firejail_test_link2\r" | 92 | send -- "file ~/_firejail_test_link2\r" |
93 | expect { | 93 | expect { |
94 | timeout {puts "TESTING ERROR 11\n";exit} | 94 | timeout {puts "TESTING ERROR 11\n";exit} |
95 | "broken symbolic link" | 95 | "broken symbolic link" |
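Review bot: The expectation on line 95 matches only the bare substring `"broken symbolic link"`, which is why the duplicated word in the old `send -- "file file ~/_firejail_test_link2\r"` went unnoticed: `file` presumably reports the stray `file` argument as unreadable and still prints the link2 line, so the pattern matched either way. Anchoring the match to the file name, e.g. `"_firejail_test_link2: broken symbolic link"`, would make the test fail on an unexpected extra argument or on the message coming from a different path. The expect block continues past the end of the hunk.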
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp index 35085948a..4a8cf8369 100755 --- a/test/fs/private-homedir.exp +++ b/test/fs/private-homedir.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index 6a1ad535c..0e75868b3 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/private.exp b/test/fs/private.exp index 8114ee45d..c7059079d 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp index 19a915f66..c648f83dd 100755 --- a/test/fs/read-write.exp +++ b/test/fs/read-write.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp index f512776d9..8f63aedf7 100755 --- a/test/fs/sys_fs.exp +++ b/test/fs/sys_fs.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index 827f32126..213542c88 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index fc05f9322..dd2336ce1 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp index 6af318d2b..f3eb0d6a2 100755 --- a/test/fs/whitelist-downloads.exp +++ b/test/fs/whitelist-downloads.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index 71bb8f914..e1c3ffb4a 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 30 | 6 | set timeout 30 |
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9b631b884..20492c739 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 6383aad5e..80760eb3a 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index e762ac285..5e136926b 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 8a2e46e04..25845c728 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp index deb8594af..7a95ccb18 100755 --- a/test/network/firemon-interfaces.exp +++ b/test/network/firemon-interfaces.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 73d06725f..0acb6a5ac 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/ip6.exp b/test/network/ip6.exp index 1db16c28a..d03cb7c37 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/iprange.exp b/test/network/iprange.exp index a1b2ccab4..d37a44e4f 100755 --- a/test/network/iprange.exp +++ b/test/network/iprange.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index fdd30f218..98ed8d9f1 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index d13a6144e..2467b3ef2 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 6291ae5ba..c7178616a 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 7620e4899..088dfeee8 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index a47324adc..bf5d00b34 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 0fa84243a..c6b84781c 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_local.exp b/test/network/net_local.exp index d58135785..4e0cef329 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index d3cd8163f..dd3391d8e 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp index 7f21fc083..b6cab7c7b 100755 --- a/test/network/net_macvlan2.exp +++ b/test/network/net_macvlan2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index eb9c5d08c..6748d9ec5 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index 737485d07..3c43a481f 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index b557d116c..dfe0abb66 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index c86ea4900..b6f725523 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 1761eb423..0d3701f22 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index 29008d811..febbcfcd7 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp index 5afbbeea6..bb46f9c60 100755 --- a/test/network/net_scan.exp +++ b/test/network/net_scan.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index 04091047b..e31f5da55 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/netstats.exp b/test/network/netstats.exp index 41232061d..2e6649ae3 100755 --- a/test/network/netstats.exp +++ b/test/network/netstats.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/network/network.sh b/test/network/network.sh index 94df9935e..2c60be0a5 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp index 36ed41d92..ccfb208ff 100755 --- a/test/network/veth-name.exp +++ b/test/network/veth-name.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp index 76c0e55fc..723431baa 100755 --- a/test/overlay/firefox-x11-xorg.exp +++ b/test/overlay/firefox-x11-xorg.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp index aa248f328..982bd8149 100755 --- a/test/overlay/firefox-x11.exp +++ b/test/overlay/firefox-x11.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp index 6ef23558d..5614198cd 100755 --- a/test/overlay/firefox.exp +++ b/test/overlay/firefox.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 4c9ebe5b0..94ad6a3cd 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index 0c5691e9a..cdb38e97b 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index d1be2074a..74b0d5a53 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 9dca35ca2..5726c0408 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index ca0b9fb29..3be10bedd 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index a6b4a5aad..6bc47f33f 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp index b4864988d..c9085e8c8 100755 --- a/test/root/firecfg.exp +++ b/test/root/firecfg.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/join.exp b/test/root/join.exp index e4a4e87af..c70fff93d 100755 --- a/test/root/join.exp +++ b/test/root/join.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/private.exp b/test/root/private.exp index 9ce9716f9..479d7afb1 100755 --- a/test/root/private.exp +++ b/test/root/private.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp index b17990e3a..35c6f69c2 100755 --- a/test/root/seccomp-chmod.exp +++ b/test/root/seccomp-chmod.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp index a54d279f1..7d9da5e5a 100755 --- a/test/root/seccomp-chown.exp +++ b/test/root/seccomp-chown.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp index c441c5fc4..90e240e74 100755 --- a/test/root/seccomp-umount.exp +++ b/test/root/seccomp-umount.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp index f6936c048..06a9a5419 100755 --- a/test/root/whitelist.exp +++ b/test/root/whitelist.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp index 6ea4a6adf..187b5c39f 100755 --- a/test/stress/net_macvlan.exp +++ b/test/stress/net_macvlan.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/stress/stress.sh b/test/stress/stress.sh index 35c846071..96bbaf61b 100755 --- a/test/stress/stress.sh +++ b/test/stress/stress.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp index 9755d8737..e7e69df45 100755 --- a/test/sysutils/cpio.exp +++ b/test/sysutils/cpio.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp index a8ad84d12..c220ab82e 100755 --- a/test/sysutils/file.exp +++ b/test/sysutils/file.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp index ab0e727de..b56c27ceb 100755 --- a/test/sysutils/gzip.exp +++ b/test/sysutils/gzip.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index 720830304..5ff11174d 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp index 1fd0f5dc0..0d18b8079 100755 --- a/test/sysutils/strings.exp +++ b/test/sysutils/strings.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 99939133d..02eb0f41d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp index f41d67d6f..989f9ada2 100755 --- a/test/sysutils/tar.exp +++ b/test/sysutils/tar.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp index 11d0e560c..13ae6007b 100755 --- a/test/sysutils/xz.exp +++ b/test/sysutils/xz.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp index 0ea6f5fb0..e60c1af64 100755 --- a/test/sysutils/xzdec.exp +++ b/test/sysutils/xzdec.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/test.sh b/test/test.sh index 4b7d5bb6d..f0330e139 100755 --- a/test/test.sh +++ b/test/test.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | ./chk_config.exp | 6 | ./chk_config.exp |
diff --git a/test/utils/audit.exp b/test/utils/audit.exp index 931b46981..566493947 100755 --- a/test/utils/audit.exp +++ b/test/utils/audit.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp index fa5239da2..d9d48bd50 100755 --- a/test/utils/caps-print.exp +++ b/test/utils/caps-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index 0a6f46102..f639f7c9f 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp index 406ab5149..461231735 100755 --- a/test/utils/dns-print.exp +++ b/test/utils/dns-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp index 76aa13725..dd02611df 100755 --- a/test/utils/firemon-caps.exp +++ b/test/utils/firemon-caps.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp index b1ab083ae..156edaa8f 100755 --- a/test/utils/firemon-cgroup.exp +++ b/test/utils/firemon-cgroup.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp index 00156c909..7cb20105f 100755 --- a/test/utils/firemon-cpu.exp +++ b/test/utils/firemon-cpu.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp index edafd1639..8fbdf7740 100755 --- a/test/utils/firemon-interface.exp +++ b/test/utils/firemon-interface.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp index c5dbfabab..dc7cbee99 100755 --- a/test/utils/firemon-name.exp +++ b/test/utils/firemon-name.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp index 26c478344..56727a0be 100755 --- a/test/utils/firemon-seccomp.exp +++ b/test/utils/firemon-seccomp.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp index 639c15c29..c297bec43 100755 --- a/test/utils/firemon-version.exp +++ b/test/utils/firemon-version.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp index 4d4ceb718..11b4c9b7e 100755 --- a/test/utils/fs-print.exp +++ b/test/utils/fs-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/help.exp b/test/utils/help.exp index 5b9864578..4c3aede9b 100755 --- a/test/utils/help.exp +++ b/test/utils/help.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/join.exp b/test/utils/join.exp index 79fe99f2d..b74b0b17a 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 5895eb730..b7d1f345f 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/join3.exp b/test/utils/join3.exp index 3ccc47bf9..c0cc7c2e4 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/join4.exp b/test/utils/join4.exp index c367dd770..c953320e0 100755 --- a/test/utils/join4.exp +++ b/test/utils/join4.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/list.exp b/test/utils/list.exp index 69db1f568..321f2bc50 100755 --- a/test/utils/list.exp +++ b/test/utils/list.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/man.exp b/test/utils/man.exp index d29f760b0..a28370c65 100755 --- a/test/utils/man.exp +++ b/test/utils/man.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp index b4b94ea93..12ad98a41 100755 --- a/test/utils/protocol-print.exp +++ b/test/utils/protocol-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp index f6ff1e721..5a76d7fcc 100755 --- a/test/utils/seccomp-print.exp +++ b/test/utils/seccomp-print.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 1ab231bf4..eb87c5d4f 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp index 777a73ec9..f92c8b2b1 100755 --- a/test/utils/shutdown2.exp +++ b/test/utils/shutdown2.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp index a74fb3386..4c2c616b2 100755 --- a/test/utils/shutdown3.exp +++ b/test/utils/shutdown3.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index 2942ba3d5..7d3c27164 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2016 Firejail Authors | 3 | # Copyright (C) 2014-2017 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
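--- a/test/utils/top.exp
+++ b/test/utils/top.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10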
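--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 30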
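--- a/test/utils/tree.exp
+++ b/test/utils/tree.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10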
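--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3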
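--- a/test/utils/version.exp
+++ b/test/utils/version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2017 Firejail Authors
 # License GPL v2
 
 set timeout 10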
diff --git a/video.png b/video.png new file mode 100644 index 000000000..f9642f466 --- /dev/null +++ b/video.png | |||
Binary files differ | |||