51 files changed, 418 insertions, 283 deletions
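--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1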
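--- a/Makefile.in
+++ b/Makefile.in
@@ -25,8 +25,8 @@ HAVE_SUID=@HAVE_SUID@
 uids.h:; ./mkuid.sh
 
 .PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS) uids.h
-$(MYLIBS):
+mylibs: $(MYLIBS)
+$(MYLIBS): uids.h
 $(MAKE) -C $@
 
 .PHONY: apps $(APPS)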
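Review bot: `uids.h:; ./mkuid.sh` (line 25, context of this hunk) has no prerequisites, so once the file exists it is never regenerated even when `mkuid.sh` changes; moving the dependency onto `$(MYLIBS)` (new line 29) fixes the build order under `-j` but not freshness. Declare the generator as a prerequisite, `uids.h: mkuid.sh; ./mkuid.sh`, and make sure the `clean` target (outside this hunk) removes `uids.h`. Because the values are read from the build host's `/etc/login.defs`, a comment above the rule such as `# uids.h is generated from the build host's /etc/login.defs by mkuid.sh; regenerate when building for another target` would help packagers understand why the header is host-specific.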
@@ -84,6 +84,7 @@ announ (https://github.com/announ) | |||
84 | - mpv and youtube-dl profile fixes | 84 | - mpv and youtube-dl profile fixes |
85 | Antonio Russo (https://github.com/aerusso) | 85 | Antonio Russo (https://github.com/aerusso) |
86 | - enumerate root directories in apparmor profile | 86 | - enumerate root directories in apparmor profile |
87 | - fix join-or-start | ||
87 | Austin S. Hemmelgarn (https://github.com/Ferroin) | 88 | Austin S. Hemmelgarn (https://github.com/Ferroin) |
88 | - unbound profile update | 89 | - unbound profile update |
89 | avoidr (https://github.com/avoidr) | 90 | avoidr (https://github.com/avoidr) |
@@ -251,6 +252,11 @@ glitsj16 (https://github.com/glitsj16) | |||
251 | - gunzip, bunzip2 profiles | 252 | - gunzip, bunzip2 profiles |
252 | - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles | 253 | - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles |
253 | - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes | 254 | - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes |
255 | - acat, adiff, als, apack, arepack, aunpack profiles, | ||
256 | - fix sqlitebrowser blacklist | ||
257 | - spelling fixes | ||
258 | - bitblbee profile fixes | ||
259 | - fix firefox common addons | ||
254 | graywolf (https://github.com/graywolf) | 260 | graywolf (https://github.com/graywolf) |
255 | - spelling fix | 261 | - spelling fix |
256 | greigdp (https://github.com/greigdp) | 262 | greigdp (https://github.com/greigdp) |
@@ -295,6 +301,8 @@ James Elford (https://github.com/jelford) | |||
295 | - removed shell none from ssh-agent configuration, fixing the infinit loop | 301 | - removed shell none from ssh-agent configuration, fixing the infinit loop |
296 | - added gcloud profile | 302 | - added gcloud profile |
297 | - blacklist sensitive cloud provider files in disable-common | 303 | - blacklist sensitive cloud provider files in disable-common |
304 | Jean Lucas (https://github.com/flacks) | ||
305 | - fix Discord profile | ||
298 | Jericho (https://github.com/attritionorg) | 306 | Jericho (https://github.com/attritionorg) |
299 | - spelling | 307 | - spelling |
300 | Jesse Smith (https://github.com/slicer69) | 308 | Jesse Smith (https://github.com/slicer69) |
@@ -367,5 +367,6 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can | |||
367 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, | 367 | pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, |
368 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, | 368 | tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, |
369 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, | 369 | gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, |
370 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, | 370 | thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch, gunzip, bunzip2, enchant, |
371 | enchant, enchant-2, enchant-lsmod, enchant-lsmod-2 | 371 | enchant-2, enchant-lsmod, enchant-lsmod-2, Discord, acat, adiff, als, apack, arepack, |
372 | aunpack profiles, ppsspp, scallion, clion, baloo_filemetadata_temp_extractor | ||
@@ -1,7 +1,9 @@ | |||
1 | firejail (0.9.53) baseline; urgency=low | 1 | firejail (0.9.53) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * modif: --force depercated | 3 | * modif: --force removed |
4 | * modif: --git-install and --git-uninstall deprecated | 4 | * modif: --csh, --zsh removed |
5 | * modif: --debug-check-filename removed | ||
6 | * modif: --git-install and --git-uninstall removed | ||
5 | * modif: support for private-bin, private-lib and shell none has been | 7 | * modif: support for private-bin, private-lib and shell none has been |
6 | disabled while running AppImage archives in order to be able to use | 8 | disabled while running AppImage archives in order to be able to use |
7 | our regular profile files with AppImages. | 9 | our regular profile files with AppImages. |
@@ -35,11 +37,13 @@ firejail (0.9.53) baseline; urgency=low | |||
35 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, | 37 | * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, |
36 | * new profiles: discord-canary, pycharm-community, pycharm-professional, | 38 | * new profiles: discord-canary, pycharm-community, pycharm-professional, |
37 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, | 39 | * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, |
38 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes | 40 | * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes, |
39 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, | 41 | * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, |
40 | * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud | 42 | * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud, |
41 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2 | 43 | * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2, |
42 | * new profiles: enchant, enchant-2 | 44 | * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack, |
45 | * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion, | ||
46 | * new profiles: baloo_filemetadata_temp_extractor | ||
43 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 | 47 | -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500 |
44 | 48 | ||
45 | firejail (0.9.52) baseline; urgency=low | 49 | firejail (0.9.52) baseline; urgency=low |
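--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -35,7 +35,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
 shell none
 # x11 xorg
 
-private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-dev
 private-tmp
 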
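--- /dev/null
+++ b/etc/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,11 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include /etc/firejail/baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/baloo_file.profile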
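--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 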
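--- /dev/null
+++ b/etc/clion.profile
@@ -0,0 +1,34 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+noexec /tmp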
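Review bot: `noblacklist ${HOME}/.ssh` (line 12) together with `noblacklist ${HOME}/.gitconfig` (line 9) hands the IDE the user's SSH private keys, which is the most sensitive exposure in this profile, and the lines carry no explanation. A comment such as `# git over ssh from within the IDE needs the keys and the git identity` (reason presumed, please confirm) lets a user decide whether to re-blacklist the directory in clion.local. The commented-out `# private-tmp` on line 32 should likewise state why it is off, in the style of `# private-dev is disabled to allow controller support` used by ppsspp.profile in this same commit.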
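--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
@@ -160,7 +164,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt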
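Review bot: the comment edited on line 167 of the second hunk continues on line 168 with `--writeble-var-log`, which is not the option's name — less.profile in this same commit uses `writable-var-log` — so the typo fix is incomplete, and "is build up" should read "is built up". Suggested lines: `# blacklist /var/log - a virtual /var/log directory (mostly empty) is built up by default for` and `# every sandbox, unless --writable-var-log switch is activated`.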
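--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
+blacklist ${HOME}/.CLion*
 blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.IdeaIC*
@@ -188,6 +189,7 @@ blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
+blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -429,6 +431,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan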
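--- a/etc/discord.profile
+++ b/etc/discord.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-private-bin discord,sh,xdg-mime
+private-bin discord,sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 noexec ${HOME}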
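Review bot: the new `private-etc fonts,machine-id` (line 29) copies the host's /etc/machine-id into the sandbox of a network-connected client, whereas zathura.profile in this same commit pairs the identical private-etc entry with the `machine-id` directive that substitutes a random id. If Discord only needs the file to exist, add the `machine-id` directive here as well so the host identifier is not exposed. The eight utilities appended to `private-bin` on line 27 also deserve a comment saying what they are for — presumably the `xdg-open` script — e.g. `# tr,sed,echo,head,cut,grep,egrep are needed by xdg-open`.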
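--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe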
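Review bot: the block added at lines 55-60 of the third hunk relaxes hardening for every profile that includes this file, not just for chrome-gnome-shell users — `ignore nodbus` cancels `nodbus` wherever the including profile sets it, and the two `noblacklist` lines re-expose the python3 interpreter. The Flash comment on line 63 indicates the file is pulled in by firefox-common.profile and the profiles including it, so these lines should be opt-in: ship them commented out and let the comment on line 55 say they belong in the user's profile-specific .local file, e.g. `# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3; uncomment the next lines (or put them in your .local file) if you use it`. Dropping the old extensions-only whitelist in the first two hunks is consistent with the broader ${HOME}/.local/share/gnome-shell blacklist this commit adds to disable-common.inc.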
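--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities,
-# but mac_admin should be dropped in any case.
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,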
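Review bot: the replacement `#ptrace,` on line 27 of the first hunk is broader than the old `#ptrace (trace tracedby),` — an AppArmor ptrace rule without an access list grants every ptrace permission (read, readby, trace, tracedby), so a user who follows the new comment and uncomments it enables more than the crash-handler case the old comment described. Keep the narrower form in the commented line, or extend the comment: `# To allow ptrace, uncomment the following line; "ptrace (trace tracedby)," is the narrower form`. In the second hunk the new wording "some AppArmor related capabilities" no longer names them, whereas the old comment called out `mac_admin` explicitly; listing the capabilities deliberately left out of the rule set below keeps the intent checkable.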
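--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc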
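Review bot: the five-line python block added at lines 11-15 is repeated verbatim in openshot.profile, ranger.profile and uzbl-browser.profile in this commit, with a python3-only variant in firefox-common-addons.inc. A shared include next to the existing disable-*.inc files — say an `allow-python.inc` (name constructed) — would keep the interpreter paths in one place when a new python version or install location has to be added. Each profile's block would then collapse to `include /etc/firejail/allow-python.inc`, placed as now before `disable-interpreters.inc` so the `noblacklist` lines still precede the blacklist.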
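--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib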
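--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -24,7 +24,6 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
-shell none
 
 disable-mnt
 private-dev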
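--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc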
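--- /dev/null
+++ b/etc/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ppsspp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/ppsspp
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+private-opt ppsspp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp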
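Review bot: `netfilter` (line 22) appears to be redundant next to `net none` (line 23): the client filter is meant for a network namespace with an interface to filter, and `net none` creates one with no connectivity at all, so the line adds nothing to the sandbox — scallion.profile in this same commit uses `net none` alone. Drop it, or if the filter is intentionally kept for the case where a user overrides `net none` in ppsspp.local, say so in a comment: `# netfilter is kept in case net none is overridden in ppsspp.local`.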
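--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc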
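--- /dev/null
+++ b/etc/scallion.profile
@@ -0,0 +1,42 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/scallion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist /usr/lib/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp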
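--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 
 noexec ${HOME}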
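--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc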
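--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/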
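Review bot: line 18 adds the `machine-id` directive and line 33 adds `machine-id` to `private-etc` in the same commit, with no comment tying the two together; a reader cannot tell whether the private-etc entry is what gives the spoofed file its mount target or whether it copies the host id first and the directive overrides it afterwards. Once the ordering is confirmed, a one-line comment next to line 18 would settle it, e.g. `# machine-id: expose a random /etc/machine-id (the file is also listed in private-etc below)`.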
@@ -6,15 +6,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h | |||
6 | 6 | ||
7 | if [ -r /etc/login.defs ] | 7 | if [ -r /etc/login.defs ] |
8 | then | 8 | then |
9 | echo "// using values extracted from /etc/login.defs" >> uids.h | ||
10 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 9 | UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` |
11 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` | 10 | GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` |
12 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
13 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
14 | else | ||
15 | echo "// using default values" >> uids.h | ||
16 | echo "#define UID_MIN 1000" >> uids.h | ||
17 | echo "#define GID_MIN 1000" >> uids.h | ||
18 | fi | 11 | fi |
19 | 12 | ||
13 | # use default values if not found | ||
14 | [ -z "$UID_MIN" ] && UID_MIN="1000" | ||
15 | [ -z "$GID_MIN" ] && GID_MIN="1000" | ||
16 | |||
17 | echo "#define UID_MIN $UID_MIN" >> uids.h | ||
18 | echo "#define GID_MIN $GID_MIN" >> uids.h | ||
19 | |||
20 | echo "#endif" >> uids.h | 20 | echo "#endif" >> uids.h |
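Review bot: the new fallback on lines 14-15 handles only an empty value, but `$UID_MIN` is substituted unquoted into a `#define` on line 17: if `/etc/login.defs` contains two `UID_MIN` lines the awk prints both and uids.h no longer compiles, and a non-numeric value is passed through verbatim. Validate the value rather than test emptiness — `case "$UID_MIN" in ''|*[!0-9]*) UID_MIN="1000" ;; esac` and the same for `GID_MIN` — and let awk keep only the last match (`{v=$2} END {print v}`). Note also that `\s` in the patterns on lines 9-10 is a gawk extension; with mawk or busybox awk the pattern may not match at all, which the new default now silently papers over, so the fallback deserves a comment saying that it also covers that case. The file header of this hunk is not on the page; the script name is inferred from `./mkuid.sh` in Makefile.in.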
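--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -163,8 +163,6 @@ void fix_desktop_files(char *homedir) {
 // skip links
 if (is_link(filename))
 continue;
-if (stat(filename, &sb) == -1)
-errExit("stat");
 
 // no profile in /etc/firejail, no desktop file fixing
 if (!have_profile(filename, homedir))
@@ -173,23 +171,33 @@ void fix_desktop_files(char *homedir) {
 //****************************************************
 // load the file in memory and do some basic checking
 //****************************************************
-/* coverity[toctou] */
-int fd = open(filename, O_RDONLY);
-if (fd == -1) {
+FILE *fp = fopen(filename, "r");
+if (!fp) {
 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
 continue;
 }
 
-char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-if (buf == MAP_FAILED)
-errExit("mmap");
-close(fd);
+fseek(fp, 0, SEEK_END);
+size_t size = ftell(fp);
+fseek(fp, 0, SEEK_SET);
+char *buf = malloc(size + 1);
+if (!buf)
+errExit("malloc");
+
+size_t loaded = fread(buf, size, 1, fp);
+fclose(fp);
+if (loaded != 1) {
+fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+free(buf);
+continue;
+}
+buf[size] = '\0';
 
 // check format
 if (strstr(buf, "[Desktop Entry]\n") == NULL) {
 if (arg_debug)
 printf(" %s - skipped: wrong format?\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -198,7 +206,7 @@ void fix_desktop_files(char *homedir) {
 if (!ptr || strlen(ptr) < 7) {
 if (arg_debug)
 printf(" %s - skipped: wrong format?\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -207,7 +215,7 @@ void fix_desktop_files(char *homedir) {
 if (execname[0] == '"') {
 if (arg_debug)
 printf(" %s - skipped: path quoting unsupported\n", filename);
-munmap(buf, sb.st_size + 1);
+free(buf);
 continue;
 }
 
@@ -241,12 +249,9 @@ void fix_desktop_files(char *homedir) {
 }
 }
 
-if (change_exec == NULL && change_dbus == 0) {
-munmap(buf, sb.st_size + 1);
+free(buf);
+if (change_exec == NULL && change_dbus == 0)
 continue;
-}
-
-munmap(buf, sb.st_size + 1);
 
 //****************************************************
 // generate output file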
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e34ac786c..1835502a4 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -40,6 +40,7 @@ audacious | |||
40 | audacity | 40 | audacity |
41 | aweather | 41 | aweather |
42 | baloo_file | 42 | baloo_file |
43 | baloo_filemetadata_temp_extractor | ||
43 | baobab | 44 | baobab |
44 | basilisk | 45 | basilisk |
45 | bibletime | 46 | bibletime |
@@ -306,6 +307,7 @@ pix | |||
306 | playonlinux | 307 | playonlinux |
307 | pluma | 308 | pluma |
308 | polari | 309 | polari |
310 | ppsspp | ||
309 | psi-plus | 311 | psi-plus |
310 | # pycharm-community - FB note: may enable later | 312 | # pycharm-community - FB note: may enable later |
311 | # pycharm-professional | 313 | # pycharm-professional |
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 48d985d73..d0f43041c 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -2,7 +2,7 @@ all: firejail | |||
2 | 2 | ||
3 | include ../common.mk | 3 | include ../common.mk |
4 | 4 | ||
5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h | 5 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h |
6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ | 6 | $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ |
7 | 7 | ||
8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o | 8 | firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o |
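Review bot: The header list in the `%.o : %.c` pattern rule is still maintained by hand, and this hunk is exactly the kind of edit that shows the cost — a new include (`../include/ldd_utils.h`) only triggers rebuilds once someone remembers to add it here, and a missed one means stale objects linked into a setuid binary. Since the recipe already goes through `$(CC)`, the compiler can emit the dependencies itself: `$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -MMD -MP -c $< -o $@` followed by `-include $(OBJS:.o=.d)`, which makes the explicit header list unnecessary. I cannot see `../common.mk`, so if it already provides dependency generation this is moot; otherwise it would remove the whole class of "forgot the header" bugs.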
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7b0ae30b6..f8094e893 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -166,10 +166,6 @@ int checkcfg(int val) { | |||
166 | else | 166 | else |
167 | goto errout; | 167 | goto errout; |
168 | } | 168 | } |
169 | // follow symlink in private-bin command | ||
170 | else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) { | ||
171 | fwarning("follow-symlink-private-bin from firejail.config was deprecated\n"); | ||
172 | } | ||
173 | // nonewprivs | 169 | // nonewprivs |
174 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | 170 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { |
175 | if (strcmp(ptr + 17, "yes") == 0) | 171 | if (strcmp(ptr + 17, "yes") == 0) |
@@ -311,9 +307,6 @@ int checkcfg(int val) { | |||
311 | else | 307 | else |
312 | goto errout; | 308 | goto errout; |
313 | } | 309 | } |
314 | else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { | ||
315 | fwarning("remount-proc-sys from firejail.config was deprecated\n"); | ||
316 | } | ||
317 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | 310 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { |
318 | if (strcmp(ptr + 10, "yes") == 0) | 311 | if (strcmp(ptr + 10, "yes") == 0) |
319 | cfg_val[CFG_OVERLAYFS] = 1; | 312 | cfg_val[CFG_OVERLAYFS] = 1; |
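Review bot: Dropping the `follow-symlink-private-bin` and `remount-proc-sys` branches turns a deprecation warning into a hard failure if the `else if` chain ends in the same `goto errout` the neighbouring branches use (L581, L592): an existing `/etc/firejail/firejail.config` that still carries one of these keys would then stop firejail from starting at all. The tail of the chain is outside the hunk, so this is inferred from the visible pattern. If the intent is to stop recognising them, consider keeping a silent no-op branch for one release, e.g. `// options removed from firejail.config; ignored if still present in older installs` / `else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0 || strncmp(ptr, "remount-proc-sys ", 17) == 0)` / `;`, or at least call out the new rejection in the release notes.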
diff --git a/src/firejail/env.c b/src/firejail/env.c index 73d68724e..a09be8a77 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -52,6 +52,8 @@ static void env_add(Env *env) { | |||
52 | 52 | ||
53 | // load IBUS env variables | 53 | // load IBUS env variables |
54 | void env_ibus_load(void) { | 54 | void env_ibus_load(void) { |
55 | EUID_ASSERT(); | ||
56 | |||
55 | // check ~/.config/ibus/bus directory | 57 | // check ~/.config/ibus/bus directory |
56 | char *dirname; | 58 | char *dirname; |
57 | if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) | 59 | if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) |
@@ -101,9 +103,7 @@ void env_ibus_load(void) { | |||
101 | *ptr = '\0'; | 103 | *ptr = '\0'; |
102 | if (arg_debug) | 104 | if (arg_debug) |
103 | printf("%s\n", buf); | 105 | printf("%s\n", buf); |
104 | EUID_USER(); | ||
105 | env_store(buf, SETENV); | 106 | env_store(buf, SETENV); |
106 | EUID_ROOT(); | ||
107 | } | 107 | } |
108 | 108 | ||
109 | fclose(fp); | 109 | fclose(fp); |
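Review bot: Replacing the `EUID_USER()`/`EUID_ROOT()` toggle around `env_store` with an `EUID_ASSERT()` at the top of `env_ibus_load` changes the contract from "works when called as root" to "must be entered as the user", and the body between the two hunks — where `~/.config/ibus/bus` under `cfg.homedir` is opened and read — is outside the view, as are the callers. That is the right direction, since walking a user-writable directory with a root euid is the classic symlink-following hazard, but it only holds if every caller now switches to the user first and if `EUID_ASSERT` is compiled in for release builds (I cannot see its definition). I would state the precondition on the function: `// precondition: called with EUID_USER — everything below reads files under the user's home, so a root euid would follow user-controlled symlinks`.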
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4fd11ab4f..0df832c09 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -309,7 +309,6 @@ static inline int any_interface_configured(void) { | |||
309 | extern int arg_private; // mount private /home | 309 | extern int arg_private; // mount private /home |
310 | extern int arg_private_template; // private /home template | 310 | extern int arg_private_template; // private /home template |
311 | extern int arg_debug; // print debug messages | 311 | extern int arg_debug; // print debug messages |
312 | extern int arg_debug_check_filename; // print debug messages for filename checking | ||
313 | extern int arg_debug_blacklists; // print debug messages for blacklists | 312 | extern int arg_debug_blacklists; // print debug messages for blacklists |
314 | extern int arg_debug_whitelists; // print debug messages for whitelists | 313 | extern int arg_debug_whitelists; // print debug messages for whitelists |
315 | extern int arg_debug_private_lib; // print debug messages for private-lib | 314 | extern int arg_debug_private_lib; // print debug messages for private-lib |
@@ -577,9 +576,6 @@ void caps_keep_list(const char *clist); | |||
577 | void caps_print_filter(pid_t pid); | 576 | void caps_print_filter(pid_t pid); |
578 | void caps_drop_dac_override(void); | 577 | void caps_drop_dac_override(void); |
579 | 578 | ||
580 | // syscall.c | ||
581 | const char *syscall_find_nr(int nr); | ||
582 | |||
583 | // fs_trace.c | 579 | // fs_trace.c |
584 | void fs_trace_preload(void); | 580 | void fs_trace_preload(void); |
585 | void fs_trace(void); | 581 | void fs_trace(void); |
@@ -647,12 +643,6 @@ void env_ibus_load(void); | |||
647 | // fs_whitelist.c | 643 | // fs_whitelist.c |
648 | void fs_whitelist(void); | 644 | void fs_whitelist(void); |
649 | 645 | ||
650 | // errno.c | ||
651 | int errno_highest_nr(void); | ||
652 | int errno_find_name(const char *name); | ||
653 | char *errno_find_nr(int nr); | ||
654 | void errno_print(void); | ||
655 | |||
656 | // pulseaudio.c | 646 | // pulseaudio.c |
657 | void pulseaudio_init(void); | 647 | void pulseaudio_init(void); |
658 | void pulseaudio_disable(void); | 648 | void pulseaudio_disable(void); |
@@ -681,7 +671,7 @@ void fs_logger_change_owner(void); | |||
681 | void fs_logger_print_log(pid_t pid); | 671 | void fs_logger_print_log(pid_t pid); |
682 | 672 | ||
683 | // run_symlink.c | 673 | // run_symlink.c |
684 | void run_symlink(int argc, char **argv); | 674 | void run_symlink(int argc, char **argv, int run_as_is); |
685 | 675 | ||
686 | // paths.c | 676 | // paths.c |
687 | char **build_paths(void); | 677 | char **build_paths(void); |
@@ -795,10 +785,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
795 | // run sbox | 785 | // run sbox |
796 | int sbox_run(unsigned filter, int num, ...); | 786 | int sbox_run(unsigned filter, int num, ...); |
797 | 787 | ||
798 | // git.c | ||
799 | void git_install(); | ||
800 | void git_uninstall(); | ||
801 | |||
802 | // run_files.c | 788 | // run_files.c |
803 | void delete_run_files(pid_t pid); | 789 | void delete_run_files(pid_t pid); |
804 | void delete_bandwidth_run_file(pid_t pid); | 790 | void delete_bandwidth_run_file(pid_t pid); |
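Review bot: The new `run_as_is` parameter on `run_symlink` is undocumented in the header, and its meaning is security-relevant: as used in main.c (`run_symlink(argc, argv, 1)` with the comment "attempt to run the program as is") a non-zero value appears to launch the target program without a sandbox. The implementation is outside this view (only the new signature is visible), so a one-line contract here would help readers of the header: `void run_symlink(int argc, char **argv, int run_as_is); // run_as_is != 0: exec the requested program unsandboxed (fallback when the caller is not listed in firejail.users); does not return if a wrapper symlink is detected`. Adjust the wording to whatever run_symlink.c actually does for the `argv[0]` check.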
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 29cca0761..c9158ebd5 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -29,6 +29,11 @@ | |||
29 | #include <fcntl.h> | 29 | #include <fcntl.h> |
30 | #include <errno.h> | 30 | #include <errno.h> |
31 | 31 | ||
32 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | ||
33 | //#define TEST_NO_BLACKLIST_MATCHING | ||
34 | |||
35 | |||
36 | |||
32 | static void fs_rdwr(const char *dir); | 37 | static void fs_rdwr(const char *dir); |
33 | 38 | ||
34 | 39 | ||
@@ -183,15 +188,17 @@ static void disable_file(OPERATION op, const char *filename) { | |||
183 | free(fname); | 188 | free(fname); |
184 | } | 189 | } |
185 | 190 | ||
186 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | 191 | #ifdef TEST_NO_BLACKLIST_MATCHING |
187 | static int nbcheck_start = 0; | 192 | static int nbcheck_start = 0; |
188 | static size_t nbcheck_size = 0; | 193 | static size_t nbcheck_size = 0; |
189 | static int *nbcheck = NULL; | 194 | static int *nbcheck = NULL; |
195 | #endif | ||
190 | 196 | ||
191 | // Treat pattern as a shell glob pattern and blacklist matching files | 197 | // Treat pattern as a shell glob pattern and blacklist matching files |
192 | static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) { | 198 | static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) { |
193 | assert(pattern); | 199 | assert(pattern); |
194 | 200 | ||
201 | #ifdef TEST_NO_BLACKLIST_MATCHING | ||
195 | if (nbcheck_start == 0) { | 202 | if (nbcheck_start == 0) { |
196 | nbcheck_start = 1; | 203 | nbcheck_start = 1; |
197 | nbcheck_size = noblacklist_len; | 204 | nbcheck_size = noblacklist_len; |
@@ -200,6 +207,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
200 | errExit("malloc"); | 207 | errExit("malloc"); |
201 | memset(nbcheck, 0, sizeof(int) * noblacklist_len); | 208 | memset(nbcheck, 0, sizeof(int) * noblacklist_len); |
202 | } | 209 | } |
210 | #endif | ||
203 | 211 | ||
204 | glob_t globbuf; | 212 | glob_t globbuf; |
205 | // Profiles contain blacklists for files that might not exist on a user's machine. | 213 | // Profiles contain blacklists for files that might not exist on a user's machine. |
@@ -226,8 +234,10 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
226 | continue; | 234 | continue; |
227 | else if (result == 0) { | 235 | else if (result == 0) { |
228 | okay_to_blacklist = false; | 236 | okay_to_blacklist = false; |
237 | #ifdef TEST_NO_BLACKLIST_MATCHING | ||
229 | if (j < nbcheck_size) // noblacklist checking | 238 | if (j < nbcheck_size) // noblacklist checking |
230 | nbcheck[j] = 1; | 239 | nbcheck[j] = 1; |
240 | #endif | ||
231 | break; | 241 | break; |
232 | } | 242 | } |
233 | else { | 243 | else { |
@@ -419,6 +429,7 @@ void fs_blacklist(void) { | |||
419 | } | 429 | } |
420 | 430 | ||
421 | size_t i; | 431 | size_t i; |
432 | #ifdef TEST_NO_BLACKLIST_MATCHING | ||
422 | // noblacklist checking | 433 | // noblacklist checking |
423 | for (i = 0; i < nbcheck_size; i++) | 434 | for (i = 0; i < nbcheck_size; i++) |
424 | if (!arg_quiet && !nbcheck[i]) | 435 | if (!arg_quiet && !nbcheck[i]) |
@@ -431,6 +442,7 @@ void fs_blacklist(void) { | |||
431 | nbcheck = NULL; | 442 | nbcheck = NULL; |
432 | nbcheck_size = 0; | 443 | nbcheck_size = 0; |
433 | } | 444 | } |
445 | #endif | ||
434 | for (i = 0; i < noblacklist_c; i++) | 446 | for (i = 0; i < noblacklist_c; i++) |
435 | free(noblacklist[i]); | 447 | free(noblacklist[i]); |
436 | free(noblacklist); | 448 | free(noblacklist); |
diff --git a/src/firejail/join.c b/src/firejail/join.c index c303d3fb8..d4a2389c6 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -292,6 +292,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
292 | } | 292 | } |
293 | 293 | ||
294 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 294 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
295 | |||
296 | EUID_USER(); | ||
295 | if (chdir("/") < 0) | 297 | if (chdir("/") < 0) |
296 | errExit("chdir"); | 298 | errExit("chdir"); |
297 | if (homedir) { | 299 | if (homedir) { |
@@ -308,6 +310,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
308 | set_cpu_affinity(); | 310 | set_cpu_affinity(); |
309 | 311 | ||
310 | // set caps filter | 312 | // set caps filter |
313 | EUID_ROOT(); | ||
311 | if (apply_caps == 1) // not available for uid 0 | 314 | if (apply_caps == 1) // not available for uid 0 |
312 | caps_set(caps); | 315 | caps_set(caps); |
313 | #ifdef HAVE_SECCOMP | 316 | #ifdef HAVE_SECCOMP |
@@ -347,6 +350,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
347 | } | 350 | } |
348 | 351 | ||
349 | // set environment, add x11 display | 352 | // set environment, add x11 display |
353 | EUID_USER(); | ||
354 | |||
350 | env_defaults(); | 355 | env_defaults(); |
351 | if (display) { | 356 | if (display) { |
352 | char *display_str; | 357 | char *display_str; |
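Review bot: The `EUID_ROOT()` added before `caps_set` (L751) is only undone by the `EUID_USER()` at L759, so everything in between — the caps filter, the `#ifdef HAVE_SECCOMP` block beginning at L754 and whatever the elided region holds — now runs with a root euid inside the joined sandbox. If the seccomp filter loading there does not actually need root (seccomp itself only needs `PR_SET_NO_NEW_PRIVS`), the window should be narrowed to the one call that does, e.g. `EUID_ROOT(); if (apply_caps == 1) caps_set(caps); EUID_USER();`. The move of `chdir("/")` and the `homedir` chdir under `EUID_USER()` is the right fix, since those paths come from the sandbox being joined; a comment such as `// cwd and homedir come from the joined sandbox: resolve them as the user, never as root` would record why. `join()` continues beyond the hunk.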
diff --git a/src/firejail/main.c b/src/firejail/main.c index e676bbd7c..9a013989a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -47,7 +47,6 @@ Config cfg; // configuration | |||
47 | int arg_private = 0; // mount private /home and /tmp directoryu | 47 | int arg_private = 0; // mount private /home and /tmp directoryu |
48 | int arg_private_template = 0; // mount private /home using a template | 48 | int arg_private_template = 0; // mount private /home using a template |
49 | int arg_debug = 0; // print debug messages | 49 | int arg_debug = 0; // print debug messages |
50 | int arg_debug_check_filename = 0; // print debug messages for filename checking | ||
51 | int arg_debug_blacklists = 0; // print debug messages for blacklists | 50 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
52 | int arg_debug_whitelists = 0; // print debug messages for whitelists | 51 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
53 | int arg_debug_private_lib = 0; // print debug messages for private-lib | 52 | int arg_debug_private_lib = 0; // print debug messages for private-lib |
@@ -162,37 +161,47 @@ static void my_handler(int s){ | |||
162 | myexit(1); | 161 | myexit(1); |
163 | } | 162 | } |
164 | 163 | ||
165 | static pid_t extract_pid(const char *name) { | 164 | // return 1 if error, 0 if a valid pid was found |
165 | static int extract_pid(const char *name, pid_t *pid) { | ||
166 | int retval = 0; | ||
166 | EUID_ASSERT(); | 167 | EUID_ASSERT(); |
167 | if (!name || strlen(name) == 0) { | 168 | if (!name || strlen(name) == 0) { |
168 | fprintf(stderr, "Error: invalid sandbox name\n"); | 169 | fprintf(stderr, "Error: invalid sandbox name\n"); |
169 | exit(1); | 170 | exit(1); |
170 | } | 171 | } |
171 | 172 | ||
172 | pid_t pid; | ||
173 | EUID_ROOT(); | 173 | EUID_ROOT(); |
174 | if (name2pid(name, &pid)) { | 174 | if (name2pid(name, pid)) { |
175 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | 175 | retval = 1; |
176 | exit(1); | ||
177 | } | 176 | } |
178 | EUID_USER(); | 177 | EUID_USER(); |
179 | return pid; | 178 | return retval; |
180 | } | 179 | } |
181 | 180 | ||
182 | 181 | // return 1 if error, 0 if a valid pid was found | |
183 | static pid_t read_pid(const char *str) { | 182 | static int read_pid(const char *name, pid_t *pid) { |
184 | char *endptr; | 183 | char *endptr; |
185 | errno = 0; | 184 | errno = 0; |
186 | long int pidtmp = strtol(str, &endptr, 10); | 185 | long int pidtmp = strtol(name, &endptr, 10); |
187 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) | 186 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) |
188 | || (errno != 0 && pidtmp == 0)) { | 187 | || (errno != 0 && pidtmp == 0)) { |
189 | return extract_pid(str); | 188 | return extract_pid(name,pid); |
190 | } | 189 | } |
191 | // endptr points to '\0' char in str if the entire string is valid | 190 | // endptr points to '\0' char in name if the entire string is valid |
192 | if (endptr == NULL || endptr[0]!='\0') { | 191 | if (endptr == NULL || endptr[0]!='\0') { |
193 | return extract_pid(str); | 192 | return extract_pid(name,pid); |
194 | } | 193 | } |
195 | return (pid_t)pidtmp; | 194 | *pid =(pid_t)pidtmp; |
195 | return 0; | ||
196 | } | ||
197 | |||
198 | static pid_t require_pid(const char *name) { | ||
199 | pid_t pid; | ||
200 | if (read_pid(name,&pid)) { | ||
201 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | ||
202 | exit(1); | ||
203 | } | ||
204 | return pid; | ||
196 | } | 205 | } |
197 | 206 | ||
198 | // init configuration | 207 | // init configuration |
@@ -230,12 +239,15 @@ static void init_cfg(int argc, char **argv) { | |||
230 | } | 239 | } |
231 | cfg.cwd = getcwd(NULL, 0); | 240 | cfg.cwd = getcwd(NULL, 0); |
232 | 241 | ||
233 | // chack user database | 242 | // check user database |
234 | if (!firejail_user_check(cfg.username)) { | 243 | if (!firejail_user_check(cfg.username)) { |
235 | fprintf(stderr, "Error: the user is not allowed to use Firejail. " | 244 | fprintf(stderr, "Error: the user is not allowed to use Firejail. " |
236 | "Please add the user in %s/firejail.users file, " | 245 | "Please add the user in %s/firejail.users file, " |
237 | "either by running \"sudo firecfg\", or by editing the file directly." | 246 | "either by running \"sudo firecfg\", or by editing the file directly.\n" |
238 | "See \"man firejail-users\" for more details.\n", SYSCONFDIR); | 247 | "See \"man firejail-users\" for more details.\n", SYSCONFDIR); |
248 | |||
249 | // attempt to run the program as is | ||
250 | run_symlink(argc, argv, 1); | ||
239 | exit(1); | 251 | exit(1); |
240 | } | 252 | } |
241 | 253 | ||
@@ -412,7 +424,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
412 | } | 424 | } |
413 | 425 | ||
414 | // extract pid or sandbox name | 426 | // extract pid or sandbox name |
415 | pid_t pid = read_pid(argv[i] + 12); | 427 | pid_t pid = require_pid(argv[i] + 12); |
416 | bandwidth_pid(pid, cmd, dev, down, up); | 428 | bandwidth_pid(pid, cmd, dev, down, up); |
417 | } | 429 | } |
418 | else | 430 | else |
@@ -421,13 +433,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
421 | } | 433 | } |
422 | else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) { | 434 | else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) { |
423 | // extract pid or sandbox name | 435 | // extract pid or sandbox name |
424 | pid_t pid = read_pid(argv[i] + 18); | 436 | pid_t pid = require_pid(argv[i] + 18); |
425 | netfilter_print(pid, 0); | 437 | netfilter_print(pid, 0); |
426 | exit(0); | 438 | exit(0); |
427 | } | 439 | } |
428 | else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) { | 440 | else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) { |
429 | // extract pid or sandbox name | 441 | // extract pid or sandbox name |
430 | pid_t pid = read_pid(argv[i] + 19); | 442 | pid_t pid = require_pid(argv[i] + 19); |
431 | netfilter_print(pid, 1); | 443 | netfilter_print(pid, 1); |
432 | exit(0); | 444 | exit(0); |
433 | } | 445 | } |
@@ -456,7 +468,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
456 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 468 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
457 | if (checkcfg(CFG_SECCOMP)) { | 469 | if (checkcfg(CFG_SECCOMP)) { |
458 | // print seccomp filter for a sandbox specified by pid or by name | 470 | // print seccomp filter for a sandbox specified by pid or by name |
459 | pid_t pid = read_pid(argv[i] + 16); | 471 | pid_t pid = require_pid(argv[i] + 16); |
460 | seccomp_print_filter(pid); | 472 | seccomp_print_filter(pid); |
461 | } | 473 | } |
462 | else | 474 | else |
@@ -470,7 +482,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
470 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 482 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
471 | if (checkcfg(CFG_SECCOMP)) { | 483 | if (checkcfg(CFG_SECCOMP)) { |
472 | // print seccomp filter for a sandbox specified by pid or by name | 484 | // print seccomp filter for a sandbox specified by pid or by name |
473 | pid_t pid = read_pid(argv[i] + 17); | 485 | pid_t pid = require_pid(argv[i] + 17); |
474 | protocol_print_filter(pid); | 486 | protocol_print_filter(pid); |
475 | } | 487 | } |
476 | else | 488 | else |
@@ -479,7 +491,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
479 | } | 491 | } |
480 | #endif | 492 | #endif |
481 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { | 493 | else if (strncmp(argv[i], "--profile.print=", 16) == 0) { |
482 | pid_t pid = read_pid(argv[i] + 16); | 494 | pid_t pid = require_pid(argv[i] + 16); |
483 | 495 | ||
484 | // print /run/firejail/profile/<PID> file | 496 | // print /run/firejail/profile/<PID> file |
485 | char *fname; | 497 | char *fname; |
@@ -500,13 +512,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
500 | } | 512 | } |
501 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 513 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
502 | // join sandbox by pid or by name | 514 | // join sandbox by pid or by name |
503 | pid_t pid = read_pid(argv[i] + 12); | 515 | pid_t pid = require_pid(argv[i] + 12); |
504 | cpu_print_filter(pid); | 516 | cpu_print_filter(pid); |
505 | exit(0); | 517 | exit(0); |
506 | } | 518 | } |
507 | else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) { | 519 | else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) { |
508 | // join sandbox by pid or by name | 520 | // join sandbox by pid or by name |
509 | pid_t pid = read_pid(argv[i] + 17); | 521 | pid_t pid = require_pid(argv[i] + 17); |
510 | char *pidstr; | 522 | char *pidstr; |
511 | if (asprintf(&pidstr, "%u", pid) == -1) | 523 | if (asprintf(&pidstr, "%u", pid) == -1) |
512 | errExit("asprintf"); | 524 | errExit("asprintf"); |
@@ -516,19 +528,19 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
516 | } | 528 | } |
517 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { | 529 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { |
518 | // join sandbox by pid or by name | 530 | // join sandbox by pid or by name |
519 | pid_t pid = read_pid(argv[i] + 13); | 531 | pid_t pid = require_pid(argv[i] + 13); |
520 | caps_print_filter(pid); | 532 | caps_print_filter(pid); |
521 | exit(0); | 533 | exit(0); |
522 | } | 534 | } |
523 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { | 535 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { |
524 | // join sandbox by pid or by name | 536 | // join sandbox by pid or by name |
525 | pid_t pid = read_pid(argv[i] + 11); | 537 | pid_t pid = require_pid(argv[i] + 11); |
526 | fs_logger_print_log(pid); | 538 | fs_logger_print_log(pid); |
527 | exit(0); | 539 | exit(0); |
528 | } | 540 | } |
529 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { | 541 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { |
530 | // join sandbox by pid or by name | 542 | // join sandbox by pid or by name |
531 | pid_t pid = read_pid(argv[i] + 12); | 543 | pid_t pid = require_pid(argv[i] + 12); |
532 | net_dns_print(pid); | 544 | net_dns_print(pid); |
533 | exit(0); | 545 | exit(0); |
534 | } | 546 | } |
@@ -593,7 +605,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
593 | } | 605 | } |
594 | 606 | ||
595 | // get file | 607 | // get file |
596 | pid_t pid = read_pid(argv[i] + 6); | 608 | pid_t pid = require_pid(argv[i] + 6); |
597 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); | 609 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); |
598 | exit(0); | 610 | exit(0); |
599 | } | 611 | } |
@@ -623,7 +635,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
623 | } | 635 | } |
624 | 636 | ||
625 | // get file | 637 | // get file |
626 | pid_t pid = read_pid(argv[i] + 6); | 638 | pid_t pid = require_pid(argv[i] + 6); |
627 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); | 639 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); |
628 | exit(0); | 640 | exit(0); |
629 | } | 641 | } |
@@ -647,7 +659,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
647 | } | 659 | } |
648 | 660 | ||
649 | // list directory contents | 661 | // list directory contents |
650 | pid_t pid = read_pid(argv[i] + 5); | 662 | pid_t pid = require_pid(argv[i] + 5); |
651 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | 663 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
652 | exit(0); | 664 | exit(0); |
653 | } | 665 | } |
@@ -671,7 +683,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
671 | cfg.shell = guess_shell(); | 683 | cfg.shell = guess_shell(); |
672 | 684 | ||
673 | // join sandbox by pid or by name | 685 | // join sandbox by pid or by name |
674 | pid_t pid = read_pid(argv[i] + 7); | 686 | pid_t pid = require_pid(argv[i] + 7); |
675 | join(pid, argc, argv, i + 1); | 687 | join(pid, argc, argv, i + 1); |
676 | exit(0); | 688 | exit(0); |
677 | } | 689 | } |
@@ -692,17 +704,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
692 | cfg.original_program_index = i + 1; | 704 | cfg.original_program_index = i + 1; |
693 | } | 705 | } |
694 | 706 | ||
695 | #if 0 // todo: redo it | ||
696 | // try to join by name only | 707 | // try to join by name only |
697 | pid_t pid; | 708 | pid_t pid; |
698 | if (!name2pid(argv[i] + 16, &pid)) { | 709 | if (!read_pid(argv[i] + 16, &pid)) { |
699 | if (!cfg.shell && !arg_shell_none) | 710 | if (!cfg.shell && !arg_shell_none) |
700 | cfg.shell = guess_shell(); | 711 | cfg.shell = guess_shell(); |
701 | 712 | ||
702 | join(pid, argc, argv, i + 1); | 713 | join(pid, argc, argv, i + 1); |
703 | exit(0); | 714 | exit(0); |
704 | } | 715 | } |
705 | #endif | ||
706 | // if there no such sandbox continue argument processing | 716 | // if there no such sandbox continue argument processing |
707 | } | 717 | } |
708 | #ifdef HAVE_NETWORK | 718 | #ifdef HAVE_NETWORK |
@@ -719,7 +729,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
719 | cfg.shell = guess_shell(); | 729 | cfg.shell = guess_shell(); |
720 | 730 | ||
721 | // join sandbox by pid or by name | 731 | // join sandbox by pid or by name |
722 | pid_t pid = read_pid(argv[i] + 15); | 732 | pid_t pid = require_pid(argv[i] + 15); |
723 | join(pid, argc, argv, i + 1); | 733 | join(pid, argc, argv, i + 1); |
724 | } | 734 | } |
725 | else | 735 | else |
@@ -739,7 +749,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
739 | cfg.shell = guess_shell(); | 749 | cfg.shell = guess_shell(); |
740 | 750 | ||
741 | // join sandbox by pid or by name | 751 | // join sandbox by pid or by name |
742 | pid_t pid = read_pid(argv[i] + 18); | 752 | pid_t pid = require_pid(argv[i] + 18); |
743 | join(pid, argc, argv, i + 1); | 753 | join(pid, argc, argv, i + 1); |
744 | exit(0); | 754 | exit(0); |
745 | } | 755 | } |
@@ -747,7 +757,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
747 | logargs(argc, argv); | 757 | logargs(argc, argv); |
748 | 758 | ||
749 | // shutdown sandbox by pid or by name | 759 | // shutdown sandbox by pid or by name |
750 | pid_t pid = read_pid(argv[i] + 11); | 760 | pid_t pid = require_pid(argv[i] + 11); |
751 | shut(pid); | 761 | shut(pid); |
752 | exit(0); | 762 | exit(0); |
753 | } | 763 | } |
@@ -907,7 +917,7 @@ int main(int argc, char **argv) { | |||
907 | 917 | ||
908 | // check argv[0] symlink wrapper if this is not a login shell | 918 | // check argv[0] symlink wrapper if this is not a login shell |
909 | if (*argv[0] != '-') | 919 | if (*argv[0] != '-') |
910 | run_symlink(argc, argv); // if symlink detected, this function will not return | 920 | run_symlink(argc, argv, 0); // if symlink detected, this function will not return |
911 | 921 | ||
912 | // check if we already have a sandbox running | 922 | // check if we already have a sandbox running |
913 | // If LXC is detected, start firejail sandbox | 923 | // If LXC is detected, start firejail sandbox |
@@ -1051,8 +1061,6 @@ int main(int argc, char **argv) { | |||
1051 | 1061 | ||
1052 | if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) | 1062 | if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) |
1053 | arg_debug = 1; | 1063 | arg_debug = 1; |
1054 | else if (strcmp(argv[i], "--debug-check-filename") == 0) | ||
1055 | arg_debug_check_filename = 1; | ||
1056 | else if (strcmp(argv[i], "--debug-blacklists") == 0) | 1064 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
1057 | arg_debug_blacklists = 1; | 1065 | arg_debug_blacklists = 1; |
1058 | else if (strcmp(argv[i], "--debug-whitelists") == 0) | 1066 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
@@ -1439,9 +1447,6 @@ int main(int argc, char **argv) { | |||
1439 | custom_profile = 1; | 1447 | custom_profile = 1; |
1440 | free(ppath); | 1448 | free(ppath); |
1441 | } | 1449 | } |
1442 | else if (strncmp(argv[i], "--profile-path=", 15) == 0) { | ||
1443 | fwarning("--profile-path has been deprecated\n"); | ||
1444 | } | ||
1445 | else if (strcmp(argv[i], "--noprofile") == 0) { | 1450 | else if (strcmp(argv[i], "--noprofile") == 0) { |
1446 | if (custom_profile) { | 1451 | if (custom_profile) { |
1447 | fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); | 1452 | fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); |
@@ -1541,9 +1546,6 @@ int main(int argc, char **argv) { | |||
1541 | else if (strcmp(argv[i], "--machine-id") == 0) { | 1546 | else if (strcmp(argv[i], "--machine-id") == 0) { |
1542 | arg_machineid = 1; | 1547 | arg_machineid = 1; |
1543 | } | 1548 | } |
1544 | else if (strcmp(argv[i], "--allow-private-blacklist") == 0) { | ||
1545 | fwarning("--allow-private-blacklist was deprecated\n"); | ||
1546 | } | ||
1547 | else if (strcmp(argv[i], "--private") == 0) { | 1549 | else if (strcmp(argv[i], "--private") == 0) { |
1548 | arg_private = 1; | 1550 | arg_private = 1; |
1549 | } | 1551 | } |
@@ -2117,29 +2119,6 @@ int main(int argc, char **argv) { | |||
2117 | } | 2119 | } |
2118 | else if (strcmp(argv[i], "--appimage") == 0) | 2120 | else if (strcmp(argv[i], "--appimage") == 0) |
2119 | arg_appimage = 1; | 2121 | arg_appimage = 1; |
2120 | else if (strcmp(argv[i], "--csh") == 0) { | ||
2121 | if (arg_shell_none) { | ||
2122 | |||
2123 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
2124 | return 1; | ||
2125 | } | ||
2126 | if (cfg.shell) { | ||
2127 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | ||
2128 | return 1; | ||
2129 | } | ||
2130 | cfg.shell = "/bin/csh"; | ||
2131 | } | ||
2132 | else if (strcmp(argv[i], "--zsh") == 0) { | ||
2133 | if (arg_shell_none) { | ||
2134 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
2135 | return 1; | ||
2136 | } | ||
2137 | if (cfg.shell) { | ||
2138 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | ||
2139 | return 1; | ||
2140 | } | ||
2141 | cfg.shell = "/bin/zsh"; | ||
2142 | } | ||
2143 | else if (strcmp(argv[i], "--shell=none") == 0) { | 2122 | else if (strcmp(argv[i], "--shell=none") == 0) { |
2144 | arg_shell_none = 1; | 2123 | arg_shell_none = 1; |
2145 | if (cfg.shell) { | 2124 | if (cfg.shell) { |
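Review bot: The new fallback in `init_cfg` (L833–L836) fails open: a user rejected by `firejail_user_check` gets an "Error" message and then the requested program is executed anyway via `run_symlink(argc, argv, 1)`, unsandboxed, from a setuid-root binary. That is defensible for firecfg's symlink wrappers (otherwise every desktop application breaks), but for an explicit `firejail <prog>` it silently removes the confinement the user asked for; consider limiting the fallback to the wrapper case (`argv[0]` not ending in `firejail`) and, since `run_symlink` is outside this view, double-check that it drops to the real uid/gid before `exec`. Separately, the new `read_pid` (L797–L811) hands back whatever `strtol` produced, including `0`, negatives and values that do not fit in `pid_t`; a range check such as `if (pidtmp <= 0 || pidtmp > INT_MAX) return extract_pid(name, pid);` before the cast would keep `--join-or-start` and the `*.print=` options on the name-lookup path for such inputs.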
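--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -167,9 +167,7 @@ void run_no_sandbox(int argc, char **argv) {
 for (i = 0; i < argc; i++) {
 if (strcmp(argv[i], "--debug") == 0)
 arg_debug = 1;
-else if (strcmp(argv[i], "--csh") == 0 ||
-strcmp(argv[i], "--zsh") == 0 ||
-strcmp(argv[i], "--shell=none") == 0 ||
+else if (strcmp(argv[i], "--shell=none") == 0 ||
 strncmp(argv[i], "--shell=", 8) == 0)
 fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
 }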
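--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,10 +257,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nodbus = 1;
 return 0;
 }
-else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-fmessage("--allow-private-blacklist was deprecated\n");
-return 0;
-}
 else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK))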
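Review bot: Dropping the `allow-private-blacklist` branch means a profile that still contains that directive now falls through to whatever `profile_check_line` does for an unrecognised line, which is not visible in this hunk — presumably a parse error rather than the previous warn-and-accept. That turns a deprecated no-op into a hard failure for existing profiles, and the command-line counterpart is removed in the same commit. If the break is intended, a changelog entry would make it visible; otherwise keeping the branch with its `fmessage` warning for one more release is the gentler path. The enclosing function starts and ends outside the hunk.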
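--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,7 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-void run_symlink(int argc, char **argv) {
+void run_symlink(int argc, char **argv, int run_as_is) {
 EUID_ASSERT();
 
 char *program = strrchr(argv[0], '/');
@@ -33,6 +33,12 @@ void run_symlink(int argc, char **argv) {
 if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting
 return;
 
+// drop privileges
+if (setgid(getgid()) < 0)
+errExit("setgid/getgid");
+if (setuid(getuid()) < 0)
+errExit("setuid/getuid");
+
 // find the real program by looking in PATH
 char *p = getenv("PATH");
 if (!p) {
@@ -84,20 +90,13 @@ void run_symlink(int argc, char **argv) {
 free(selfpath);
 
 // desktop integration is not supported for root user; instead, the original program is started
-if (getuid() == 0) {
+if (getuid() == 0 || run_as_is) {
 argv[0] = program;
 execv(program, argv);
 exit(1);
 }
 
 // start the argv[0] program in a new sandbox
-// drop privileges
-if (setgid(getgid()) < 0)
-errExit("setgid/getgid");
-if (setuid(getuid()) < 0)
-errExit("setuid/getuid");
-
-// run command
 char *a[3 + argc];
 a[0] =PATH_FIREJAIL;
 a[1] = program;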
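Review bot: The `execv(program, argv)` in the `getuid() == 0 || run_as_is` branch is still followed by a bare `exit(1)`, so a failed exec (target not executable, for instance) leaves the user with no diagnostic; `errExit("execv")` would match the style already used for the setgid/setuid failures two hunks up. Moving the privilege drop ahead of the `$PATH` walk is a sound change: the lookup now runs with the caller's real uid/gid instead of the setuid-root effective uid, and the later `getuid() == 0` test is unaffected because the real uid is unchanged. The new `run_as_is` parameter carries no comment at the signature; from the name it appears to mean "exec the target directly, never start a sandbox", and a one-liner such as `// run_as_is: exec the real program directly instead of wrapping it in a sandbox` at the declaration would pin that down — confirm against the caller, which is outside this hunk. The body of `run_symlink` between the hunks is not visible here.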
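--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -668,8 +668,11 @@ int sandbox(void* sandbox_arg) {
 if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
 // do nothing - there are problems with ibus version 1.5.11
 }
-else
+else {
+EUID_USER();
 env_ibus_load();
+EUID_ROOT();
+}
 
 //****************************
 // fs pre-processing:
@@ -925,6 +928,8 @@ int sandbox(void* sandbox_arg) {
 // set application environment
 //****************************
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+
+EUID_USER();
 int cwd = 0;
 if (cfg.cwd) {
 if (chdir(cfg.cwd) == 0)
@@ -951,7 +956,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
 
-
+EUID_ROOT();
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -980,7 +985,9 @@ int sandbox(void* sandbox_arg) {
 // set cpu affinity
 if (cfg.cpus) {
 save_cpu(); // save cpu affinity mask to CPU_CFG file
+EUID_USER();
 set_cpu_affinity();
+EUID_ROOT();
 }
 
 // save cgroup in CGROUP_CFG file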
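Review bot: The `EUID_USER()` added after the `prctl` call (new line 932) and the matching `EUID_ROOT()` at new line 959 bracket the `chdir(cfg.cwd)` block, but the lines between them lie outside the hunk, so it is worth confirming that no `return` or `exit` path in that stretch leaves the effective uid as the user for the remainder of `sandbox()`. Doing the chdir into the user-supplied `cfg.cwd` with the user's effective uid is the right call — with euid root the chdir would succeed on directories the user has no permission to enter. None of the three new pairs says why it is there; a why-comment at the first one, `// chdir into the user-supplied cwd with the user's privileges so directory permissions apply`, and a similar one-liner at the `env_ibus_load()` and `set_cpu_affinity()` pairs would make the privilege boundary obvious to the next reader. `sandbox()` begins and ends outside these hunks.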
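--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -29,8 +29,6 @@ static char *usage_str =
 "Options:\n"
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
-" --allow-private-blacklist - allow blacklisting files in private\n"
-"\thome directories.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
 " --apparmor - enable AppArmor confinement.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
@@ -58,11 +56,9 @@ static char *usage_str =
 #endif
 " --cpu=cpu-number,cpu-number - set cpu affinity.\n"
 " --cpu.print=name|pid - print the cpus in use.\n"
-" --csh - use /bin/csh as default shell.\n"
 " --debug - print sandbox debug messages.\n"
 " --debug-blacklists - debug blacklisting.\n"
 " --debug-caps - print all recognized capabilities.\n"
-" --debug-check-filename - debug filename checking.\n"
 " --debug-errnos - print all recognized error numbers.\n"
 " --debug-private-lib - debug for --private-lib option.\n"
 " --debug-protocols - print all recognized protocols.\n"
@@ -77,7 +73,9 @@ static char *usage_str =
 " --dns.print=name|pid - print DNS configuration.\n"
 " --env=name=value - set environment variable.\n"
 " --fs.print=name|pid - print the filesystem log.\n"
+#ifdef HAVE_FILE_TRANSFER
 " --get=name|pid filename - get a file from sandbox container.\n"
+#endif
 " --help, -? - this help screen.\n"
 " --hostname=name - set sandbox hostname.\n"
 " --hosts-file=file - use file as /etc/hosts.\n"
@@ -97,7 +95,9 @@ static char *usage_str =
 #endif
 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
 " --list - list all sandboxes.\n"
+#ifdef HAVE_FILE_TRANSFER
 " --ls=name|pid dir_or_filename - list files in sandbox container.\n"
+#endif
 #ifdef HAVE_NETWORK
 " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
@@ -159,13 +159,16 @@ static char *usage_str =
 "\tfilesystem, and copy the files and directories in the list.\n"
 " --private-tmp - mount a tmpfs on top of /tmp directory.\n"
 " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+" --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
 " --profile=filename - use a custom profile.\n"
 " --profile.print=name|pid - print the name of profile file.\n"
 " --profile-path=directory - use this directory to look for profile files.\n"
 " --protocol=protocol,protocol,protocol - enable protocol filter.\n"
 " --protocol.print=name|pid - print the protocol filter.\n"
+#ifdef HAVE_FILE_TRANSFER
 " --put=name|pid src-filename dest-filename - put a file in sandbox\n"
 "\tcontainer.\n"
+#endif
 " --quiet - turn off Firejail's output.\n"
 " --read-only=filename - set directory or file read-only..\n"
 " --read-write=filename - set directory or file read-write.\n"
@@ -230,7 +233,6 @@ static char *usage_str =
 " --x11=xvfb - enable Xvfb X11 server.\n"
 " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
 #endif
-" --zsh - use /usr/bin/zsh as default shell.\n"
 "\n"
 "Examples:\n"
 " $ firejail firefox\n"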
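--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,9 +800,6 @@ void invalid_filename(const char *fname, int globbing) {
 assert(fname);
 const char *ptr = fname;
 
-if (arg_debug_check_filename)
-printf("Checking filename %s\n", fname);
-
 if (strncmp(ptr, "${HOME}", 7) == 0)
 ptr = fname + 7;
 else if (strncmp(ptr, "${PATH}", 7) == 0)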
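--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1078,7 +1078,7 @@ void x11_xorg(void) {
 // check xauth utility is present in the system
 struct stat s;
 if (stat("/usr/bin/xauth", &s) == -1) {
-fprintf(stderr, "Error: xauth utility not found in PATH. Please install it:\n"
+fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n"
 " Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
 exit(1);
 }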
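--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -43,6 +43,7 @@ static char *help_str =
 "\t--tree - print a tree of all sandboxed processes.\n\n"
 "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
 "\t--version - print program version and exit.\n\n"
+"\t--x11 - print X11 display number.\n\n"
 
 "Without any options, firemon monitors all fork, exec, id change, and exit\n"
 "events in the sandbox. Monitoring a specific PID is also supported.\n\n"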
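--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -28,6 +28,7 @@
 #include "../include/common.h"
 #include <sys/types.h>
 #include <pwd.h>
+#include "../../uids.h"
 
 #define MAXBUF 4098
 static inline char *get_fname(void) {
@@ -41,10 +42,14 @@ static inline char *get_fname(void) {
 int firejail_user_check(const char *name) {
 assert(name);
 
-// root allowed by default
+// root is allowed to run firejail by default
 if (strcmp(name, "root") == 0)
 return 1;
 
+// other system users will run the program as is
+if (getuid() < UID_MIN || strcmp(name, "nobody") == 0)
+return 0;
+
 // check file existence
 char *fname = get_fname();
 if (access(fname, F_OK)) {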
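Review bot: `UID_MIN` in the new `getuid() < UID_MIN` test comes from `../../uids.h`, a header at the repository root rather than a system header, which suggests its value is fixed when firejail is built; if so, the threshold is the build host's, not the running system's `/etc/login.defs` as the man-page text added in `src/man/firejail-users.txt` implies. Confirm which it is and document it at the include, e.g. `// UID_MIN is taken from uids.h; it reflects the build host's login.defs, not the runtime system's` (adjusted to whatever is true). The function also mixes two identities: the root and nobody checks key on the `name` argument, while the new check keys on `getuid()`, so a caller passing a name other than the current process user would get inconsistent answers — a precondition comment such as `// name must be the current process user; the UID_MIN test uses getuid()` would make that explicit. The rest of `firejail_user_check` is outside the hunk.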
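--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -223,7 +223,8 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log and shm devices are available.
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
@@ -448,6 +449,12 @@ Run the program directly, without a shell.
 \fBipc-namespace
 Enable IPC namespace.
 .TP
+\fBnodbus
+Disable D-Bus access. Only the regular UNIX socket is handled by
+this command. To disable the abstract socket, you would need to
+request a new network namespace using the net command. Another
+option is to remove unix from protocol set.
+.TP
 \fBnosound
 Disable sound system.
 .TP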
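--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -5,7 +5,11 @@ firejail.users \- Firejail user access database
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
 If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default.
+root user is allowed by default. Other system users (users with an ID below UID_MIN value
+defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+
+If the user is not allowed to start the sandbox, Firejail will attempt to run the
+program without sandboxing it.
 
 Example:
 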
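--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -314,15 +314,6 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-csh
-.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -351,15 +342,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -1620,20 +1602,16 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+_sysctl, acct, add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot, clock_adjtime, clock_settime,
+create_module, delete_module, fanotify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty, init_module,
+io_cancel, io_destroy, io_getevents, io_setup, io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
+kexec_load, keyctl, lock, lookup_dcookie, mbind, mfsservctl, migrate_pages, modify_ldt, mount, move_pages, mpx,
+name_to_handle_at, open_by_handle_at, pciconfig_iobase, pciconfig_read, pciconfig_write, perf_event_open,
+personality, pivot_root, process_vm_readv, process_vm_writev, process_vm_writev, prof, profil, ptrace, putpmsg,
+query_module, reboot, remap_file_pages, request_key, rtas, s390_mmio_read, s390_mmio_write, s390_runtime_instr,
+security, set_mempolicy, setdomainname, sethostname, settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
+swapoff, swapon, switch_endian, sysfs, syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd, ustat, vhangup,
+vm86, vm86old, vmsplice and vserver.
 
 .br
 To help creating useful seccomp filters more easily, the following
@@ -1716,7 +1694,7 @@ Bad system call
 .br
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution
@@ -1949,8 +1927,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default Bash shell (/bin/bash) is used.
 .br
 
 .br
@@ -2324,16 +2301,6 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 
-.TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-zsh
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place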
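--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
 "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
 "appimage Leafpad"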
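--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
 "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --nowrap\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "appimage Leafpad"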
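--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-".cshrc"
-}
-
-send -- "env | grep SHELL\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"SHELL"
+"SHELL"
 }
 expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "/bin/csh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --csh\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"shell=none was already specified"
-}
-after 100
-
-send -- "firejail --csh --shell=none\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"a shell was already specified"
+"home"
 }
+send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"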
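Review bot: The new `expect { ... "home" }` after `pwd` is a substring match, so it is satisfied by any path containing "home" — including the user's own home directory — and would pass even if the sandbox had not kept `/home` as its working directory; matching the full line, e.g. `"\r\n/home\r\n"` or at least `"/home"`, would make the check meaningful. The three-line Firejail copyright/license header (old lines 2-4) is also dropped from this file and from `test/environment/zsh.exp`; unless that is deliberate, restore `# This file is part of Firejail project`, `# Copyright (C) 2014-2018 Firejail Authors` and `# License GPL v2` after the shebang. The same substring-match point applies to zsh.exp.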
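--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,49 +1,31 @@
 #!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-".zshrc"
-}
-
 send -- "env | grep SHELL;pwd\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 1\n";exit}
 "SHELL"
 }
 expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "/bin/zsh"
 }
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --shell=none --zsh\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"shell=none was already specified"
-}
-after 100
-
-send -- "firejail --zsh --shell=none\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"a shell was already specified"
+"home"
 }
+send -- "exit\r"
 after 100
 
 puts "\nall done\n"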
diff --git a/test/root/private.exp b/test/root/private.exp index 784761fc8..e3d3245ae 100755 --- a/test/root/private.exp +++ b/test/root/private.exp | |||
@@ -54,6 +54,21 @@ expect { | |||
54 | after 100 | 54 | after 100 |
55 | send -- "exit\r" | 55 | send -- "exit\r" |
56 | sleep 1 | 56 | sleep 1 |
57 | send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
60 | "Child process initialized" | ||
61 | } | ||
62 | sleep 1 | ||
63 | |||
64 | send -- "find /opt | wc -l\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
67 | "4" | ||
68 | } | ||
69 | after 100 | ||
70 | send -- "exit\r" | ||
71 | sleep 1 | ||
57 | 72 | ||
58 | 73 | ||
59 | send -- "touch /srv/firejail-test-file\r" | 74 | send -- "touch /srv/firejail-test-file\r" |
@@ -77,14 +92,20 @@ expect { | |||
77 | after 100 | 92 | after 100 |
78 | send -- "exit\r" | 93 | send -- "exit\r" |
79 | sleep 1 | 94 | sleep 1 |
95 | send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" | ||
96 | expect { | ||
97 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
98 | "Child process initialized" | ||
99 | } | ||
100 | sleep 1 | ||
80 | 101 | ||
81 | 102 | send -- "find /srv | wc -l\r" | |
82 | 103 | expect { | |
83 | 104 | timeout {puts "TESTING ERROR 6.1\n";exit} | |
84 | 105 | "4" | |
85 | 106 | } | |
86 | 107 | after 100 | |
87 | 108 | send -- "exit\r" | |
88 | 109 | sleep 1 | |
89 | 110 | ||
90 | puts "\nall done\n" | 111 | puts "\nall done\n" |