-rw-r--r-- | README.md | 23 | ||||
-rw-r--r-- | RELNOTES | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 31 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 88 | ||||
-rw-r--r-- | src/man/firejail.txt | 30 |
6 files changed, 135 insertions, 47 deletions
@@ -112,4 +112,25 @@ Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe fi | |||
112 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, | 112 | Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, |
113 | syscall opendir, path /boot | 113 | syscall opendir, path /boot |
114 | [...] | 114 | [...] |
115 | ````` \ No newline at end of file | 115 | ````` |
116 | |||
117 | ### --profile-path | ||
118 | For various reasons some users might want to keep the profile files in | ||
119 | a different directory. Using --profile-path command line option, | ||
120 | Firejail can be instructed to look for profiles into this directory. | ||
121 | |||
122 | This is an example of relocating the profile files into a new directory, | ||
123 | /home/netblue/myprofiles. Start by creating the new directory and | ||
124 | copy all the profile files in: | ||
125 | ````` | ||
126 | $ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* . | ||
127 | ````` | ||
128 | Using sed utility, modify the absolute paths for include commands: | ||
129 | ````` | ||
130 | $ sed -i "s/\/etc\/firejail/\/home\/netblue\/myprofiles/g" *.profile | ||
131 | $ sed -i "s/\/etc\/firejail/\/home\/netblue\/myprofiles/g" *.inc | ||
132 | ````` | ||
133 | Start Firejail using the new path: | ||
134 | ````` | ||
135 | $ firejail --profile-path=~/myprofile | ||
136 | ````` | ||
@@ -8,16 +8,19 @@ firejail (0.9.35) baseline; urgency=low | |||
8 | * Opera profile rework | 8 | * Opera profile rework |
9 | * added opera-beta profile | 9 | * added opera-beta profile |
10 | * added --noblacklist option | 10 | * added --noblacklist option |
11 | * added --profile-path option | ||
11 | * whitelist command enhancements | 12 | * whitelist command enhancements |
12 | * prevent user name enumeration | 13 | * prevent user name enumeration |
13 | * added /etc/firejail/nolocal.net network filter | 14 | * added /etc/firejail/nolocal.net network filter |
14 | * added /etc/firejail/webserver.net network filter | 15 | * added /etc/firejail/webserver.net network filter |
15 | * manipulation of firejail configuration disabled by default | 16 | * blacklisting firejail configuration by default |
16 | * added automated feature testing framework | ||
17 | * alow default gateway configuration for --interface option | 17 | * alow default gateway configuration for --interface option |
18 | * --debug enhancements | 18 | * --debug enhancements |
19 | * filesystem log | 19 | * filesystem log |
20 | * libtrace enhancements | 20 | * libtrace enhancements, tracing opendir call |
21 | * added --tracelog option | ||
22 | * added "hostname" command to profile files | ||
23 | * added automated feature testing framework | ||
21 | * bugfixes | 24 | * bugfixes |
22 | -- netblue30 <netblue30@yahoo.com> ongoing development | 25 | -- netblue30 <netblue30@yahoo.com> ongoing development |
23 | 26 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index c1cd9564e..eecb5b0a0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -414,6 +414,7 @@ int main(int argc, char **argv) { | |||
414 | int arg_ipc = 0; | 414 | int arg_ipc = 0; |
415 | int arg_cgroup = 0; | 415 | int arg_cgroup = 0; |
416 | int custom_profile = 0; // custom profile loaded | 416 | int custom_profile = 0; // custom profile loaded |
417 | char *custom_profile_dir = NULL; // custom profile directory | ||
417 | int arg_noprofile = 0; // use generic.profile if none other found/specified | 418 | int arg_noprofile = 0; // use generic.profile if none other found/specified |
418 | #ifdef HAVE_SECCOMP | 419 | #ifdef HAVE_SECCOMP |
419 | int highest_errno = errno_highest_nr(); | 420 | int highest_errno = errno_highest_nr(); |
@@ -739,6 +740,25 @@ int main(int argc, char **argv) { | |||
739 | profile_read(argv[i] + 10); | 740 | profile_read(argv[i] + 10); |
740 | custom_profile = 1; | 741 | custom_profile = 1; |
741 | } | 742 | } |
743 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { | ||
744 | if (arg_noprofile) { | ||
745 | fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n"); | ||
746 | exit(1); | ||
747 | } | ||
748 | custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir); | ||
749 | invalid_filename(custom_profile_dir); | ||
750 | char *ptr = argv[i] + 15; | ||
751 | if (!is_dir(custom_profile_dir) || is_link(custom_profile_dir) || strstr(custom_profile_dir, "..")) { | ||
752 | fprintf(stderr, "Error: invalid profile path\n"); | ||
753 | exit(1); | ||
754 | } | ||
755 | |||
756 | // access call checks as real UID/GID, not as effective UID/GID | ||
757 | if (access(custom_profile_dir, R_OK)) { | ||
758 | fprintf(stderr, "Error: cannot access profile directory\n"); | ||
759 | return 1; | ||
760 | } | ||
761 | } | ||
742 | else if (strcmp(argv[i], "--noprofile") == 0) { | 762 | else if (strcmp(argv[i], "--noprofile") == 0) { |
743 | if (custom_profile) { | 763 | if (custom_profile) { |
744 | fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); | 764 | fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); |
@@ -1245,7 +1265,11 @@ int main(int argc, char **argv) { | |||
1245 | } | 1265 | } |
1246 | if (!custom_profile) { | 1266 | if (!custom_profile) { |
1247 | // look for a user profile in /etc/firejail directory | 1267 | // look for a user profile in /etc/firejail directory |
1248 | int rv = profile_find(cfg.command_name, SYSCONFDIR); | 1268 | int rv; |
1269 | if (custom_profile_dir) | ||
1270 | rv = profile_find(cfg.command_name, custom_profile_dir); | ||
1271 | else | ||
1272 | rv = profile_find(cfg.command_name, SYSCONFDIR); | ||
1249 | custom_profile = rv; | 1273 | custom_profile = rv; |
1250 | } | 1274 | } |
1251 | } | 1275 | } |
@@ -1275,7 +1299,10 @@ int main(int argc, char **argv) { | |||
1275 | 1299 | ||
1276 | if (!custom_profile) { | 1300 | if (!custom_profile) { |
1277 | // look for the profile in /etc/firejail directory | 1301 | // look for the profile in /etc/firejail directory |
1278 | custom_profile = profile_find(profile_name, SYSCONFDIR); | 1302 | if (custom_profile_dir) |
1303 | custom_profile = profile_find(profile_name, custom_profile_dir); | ||
1304 | else | ||
1305 | custom_profile = profile_find(profile_name, SYSCONFDIR); | ||
1279 | } | 1306 | } |
1280 | 1307 | ||
1281 | if (custom_profile && !arg_quiet) | 1308 | if (custom_profile && !arg_quiet) |
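Review bot: The mutual exclusion between --profile-path and --noprofile is order-dependent as far as this hunk shows: the new --profile-path branch refuses the option when arg_noprofile is already set (new line 744), but the --noprofile branch right after it only tests `custom_profile`, so `--profile-path=DIR --noprofile` is accepted while the reverse order is rejected; extending that test to `if (custom_profile || custom_profile_dir) {` (with the error message adjusted) closes the gap, unless the remainder of that branch, which continues outside the hunk, already does so. `char *ptr = argv[i] + 15;` at new line 750 is never used and reads like a leftover from the expand_home() call above it; drop it. The access() failure path at new line 759 uses `return 1;` where every other error path in this option block calls `exit(1);` — inside main() the effect is the same, but `exit(1);` keeps the block consistent. The is_dir/is_link/".."/access checks cover only the directory itself, and the comment at new line 756 implies the real and effective UIDs differ here, so it is worth confirming that the profile files profile_find() later opens from that directory get the same real-UID access treatment. main() starts and ends outside the hunk.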
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d060af5eb..9d5549a77 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -201,6 +201,7 @@ void usage(void) { | |||
201 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 201 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); |
202 | 202 | ||
203 | printf("\t--profile=filename - use a custom profile.\n\n"); | 203 | printf("\t--profile=filename - use a custom profile.\n\n"); |
204 | printf("\t--profile-path=directory - use this directory to look for profile files.\n\n"); | ||
204 | 205 | ||
205 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); | 206 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); |
206 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); | 207 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1713b74dd..91c151fe8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -81,7 +81,7 @@ file in user home directory. | |||
81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. | 81 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. |
82 | 82 | ||
83 | .TP | 83 | .TP |
84 | \f\noblacklist file_name | 84 | \f\ noblacklist file_name |
85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. | 85 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
86 | 86 | ||
87 | Example: "noblacklist ${HOME}/.mozilla" | 87 | Example: "noblacklist ${HOME}/.mozilla" |
@@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode. | |||
102 | File globbing is supported, and PATH and HOME directories are searched. | 102 | File globbing is supported, and PATH and HOME directories are searched. |
103 | Examples: | 103 | Examples: |
104 | .TP | 104 | .TP |
105 | \f\blacklist /usr/bin | 105 | \f\blacklist file_or_directory |
106 | Remove /usr/bin directory. | 106 | Blacklist directory or file. Examples: |
107 | .TP | 107 | .br |
108 | \f\blacklist /etc/passwd | 108 | |
109 | Remove /etc/passwd file. | 109 | .br |
110 | .TP | 110 | blacklist /usr/bin |
111 | \f\read-only /etc/passwd | 111 | .br |
112 | Read-only /etc/passwd file. | 112 | blacklist /usr/bin/gcc* |
113 | .TP | 113 | .br |
114 | tmpfs /etc | 114 | blacklist ${PATH}/ifconfig |
115 | Mount an empty tmpfs filesystem on top of /etc directory. | 115 | .br |
116 | .TP | 116 | blacklist ${HOME}/.ssh |
117 | bind /root/config/ssh,/etc/ssh | 117 | |
118 | Mount-bind /root/config/ssh on /etc/ssh. | ||
119 | .TP | 118 | .TP |
120 | \f\blacklist /usr/bin/gcc* | 119 | \f\read-only file_or_directory |
121 | Remove all gcc files in /usr/bin (file globbing). | 120 | Make directory or file read-only. |
122 | .TP | 121 | .TP |
123 | \f\blacklist ${PATH}/ifconfig | 122 | \f\ tmpfs directory |
124 | Remove ifconfig command from the regular path directories. | 123 | Mount an empty tmpfs filesystem on top of directory. |
125 | .TP | 124 | .TP |
126 | \f\blacklist ${HOME}/.ssh | 125 | \f\bind directory1,directory2 |
127 | Remove .ssh directory from user home directory. | 126 | Mount-bind directory1 on top of directory2. This option is only available when running as root. |
128 | .TP | 127 | .TP |
129 | \f\noblacklist ${HOME}/config/evince | 128 | \f\bind file1,file2 |
130 | Prevent any new blacklist commands from blacklisting | 129 | Mount-bind file1 on top of file2. This option is only available when running as root. |
131 | config/evince in the user home directory. Useful for defining | ||
132 | exceptions before including a large blacklist from a file. Note | ||
133 | that blacklisting ${HOME}/config can still make | ||
134 | ${HOME}/config/evince effectively unreachable through filesystem | ||
135 | traversal. | ||
136 | .TP | 130 | .TP |
137 | \f\private | 131 | \f\private |
138 | Mount new /root and /home/user directories in temporary | 132 | Mount new /root and /home/user directories in temporary |
@@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is | |||
153 | closed. | 147 | closed. |
154 | .TP | 148 | .TP |
155 | \f\private-dev | 149 | \f\private-dev |
156 | Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available. | 150 | Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. |
157 | .TP | 151 | .TP |
158 | \f\private-etc file,directory | 152 | \f\private-etc file,directory |
159 | Build a new /etc in a temporary | 153 | Build a new /etc in a temporary |
@@ -240,10 +234,8 @@ The sandbox is placed in g1 control group. | |||
240 | .SH User Environment | 234 | .SH User Environment |
241 | 235 | ||
242 | .TP | 236 | .TP |
243 | env LD_LIBRARY_PATH=/opt/test/lib | 237 | env name=value |
244 | Set environment variable. | 238 | Set environment variable. Examples: |
245 | .br | ||
246 | Examples: | ||
247 | .br | 239 | .br |
248 | 240 | ||
249 | .br | 241 | .br |
@@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. | |||
284 | hostname name | 276 | hostname name |
285 | Set a hostname for the sandbox. | 277 | Set a hostname for the sandbox. |
286 | 278 | ||
279 | .SH RELOCATING PROFILES | ||
280 | For various reasons some users might want to keep the profile files in a different directory. | ||
281 | Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles | ||
282 | into this directory. | ||
283 | |||
284 | This is an example of relocating the profile files into a new | ||
285 | directory, /home/netblue/myprofiles. Start by creating the new directory and copy all | ||
286 | the profile files in: | ||
287 | .br | ||
288 | |||
289 | .br | ||
290 | $ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* . | ||
291 | .br | ||
292 | |||
293 | .br | ||
294 | Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands: | ||
295 | .br | ||
296 | |||
297 | .br | ||
298 | $ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile | ||
299 | .br | ||
300 | $ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc | ||
301 | .br | ||
302 | |||
303 | .br | ||
304 | Start Firejail using the new path: | ||
305 | .br | ||
306 | |||
307 | .br | ||
308 | $ firejail --profile-path=~/myprofile | ||
287 | 309 | ||
288 | .SH FILES | 310 | .SH FILES |
289 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile | 311 | /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 62225c407..e2382eb9f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -52,7 +52,7 @@ Only /home and /tmp are writable. | |||
52 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 52 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
53 | If an appropriate profile is not found, Firejail will use a default profile. | 53 | If an appropriate profile is not found, Firejail will use a default profile. |
54 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option | 54 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
55 | to disable it. For more information, please see SECURITY PROFILES section. | 55 | to disable it. For more information, please see \fBSECURITY PROFILES\fR section. |
56 | .PP | 56 | .PP |
57 | If a program argument is not specified, Firejail starts /bin/bash shell. | 57 | If a program argument is not specified, Firejail starts /bin/bash shell. |
58 | Examples: | 58 | Examples: |
@@ -69,10 +69,10 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
69 | Signal the end of options and disables further option processing. | 69 | Signal the end of options and disables further option processing. |
70 | .TP | 70 | .TP |
71 | \fB\-\-bandwidth=name | 71 | \fB\-\-bandwidth=name |
72 | Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details. | 72 | Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details. |
73 | .TP | 73 | .TP |
74 | \fB\-\-bandwidth=pid | 74 | \fB\-\-bandwidth=pid |
75 | Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details. | 75 | Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details. |
76 | .TP | 76 | .TP |
77 | \fB\-\-bind=dirname1,dirname2 | 77 | \fB\-\-bind=dirname1,dirname2 |
78 | Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. | 78 | Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root. |
@@ -478,7 +478,7 @@ $ firejail \-\-join=3272 | |||
478 | 478 | ||
479 | .TP | 479 | .TP |
480 | \fB\-\-list | 480 | \fB\-\-list |
481 | List all sandboxes, see MONITORING section for more details. | 481 | List all sandboxes, see \fBMONITORING\fR section for more details. |
482 | .br | 482 | .br |
483 | 483 | ||
484 | .br | 484 | .br |
@@ -645,7 +645,7 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ | |||
645 | --net=eth0 firefox | 645 | --net=eth0 firefox |
646 | .TP | 646 | .TP |
647 | \fB\-\-netstats | 647 | \fB\-\-netstats |
648 | Monitor network namespace statistics, see MONITORING section for more details. | 648 | Monitor network namespace statistics, see \fBMONITORING\fR section for more details. |
649 | .br | 649 | .br |
650 | 650 | ||
651 | .br | 651 | .br |
@@ -919,7 +919,7 @@ nsswitch.conf,passwd,resolv.conf | |||
919 | .TP | 919 | .TP |
920 | \fB\-\-profile=filename | 920 | \fB\-\-profile=filename |
921 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. | 921 | Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. |
922 | For more information, see SECURITY PROFILES section below. | 922 | For more information, see \fBSECURITY PROFILES\fR section below. |
923 | .br | 923 | .br |
924 | 924 | ||
925 | .br | 925 | .br |
@@ -928,6 +928,20 @@ Example: | |||
928 | $ firejail \-\-profile=myprofile | 928 | $ firejail \-\-profile=myprofile |
929 | 929 | ||
930 | .TP | 930 | .TP |
931 | \fB\-\-profile-path=directory | ||
932 | Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/. | ||
933 | For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in | ||
934 | \fBman 5 firejail-profile\fR. | ||
935 | .br | ||
936 | |||
937 | .br | ||
938 | Example: | ||
939 | .br | ||
940 | $ firejail \-\-profile-path=~/myprofiles | ||
941 | .br | ||
942 | $ firejail \-\-profile-path=/home/netblue/myprofiles | ||
943 | |||
944 | .TP | ||
931 | \fB\-\-protocol=protocol,protocol,protocol | 945 | \fB\-\-protocol=protocol,protocol,protocol |
932 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | 946 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. |
933 | Recognized values: unix, inet, inet6, netlink and packet. | 947 | Recognized values: unix, inet, inet6, netlink and packet. |
@@ -1255,7 +1269,7 @@ Example: | |||
1255 | $ firejail \-\-tmpfs=/var | 1269 | $ firejail \-\-tmpfs=/var |
1256 | .TP | 1270 | .TP |
1257 | \fB\-\-top | 1271 | \fB\-\-top |
1258 | Monitor the most CPU-intensive sandboxes, see MONITORING section for more details. | 1272 | Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. |
1259 | .br | 1273 | .br |
1260 | 1274 | ||
1261 | .br | 1275 | .br |
@@ -1321,7 +1335,7 @@ Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe fi | |||
1321 | [...] | 1335 | [...] |
1322 | .TP | 1336 | .TP |
1323 | \fB\-\-tree | 1337 | \fB\-\-tree |
1324 | Print a tree of all sandboxed processes, see MONITORING section for more details. | 1338 | Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details. |
1325 | .br | 1339 | .br |
1326 | 1340 | ||
1327 | .br | 1341 | .br |