-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 11 | ||||
-rw-r--r-- | src/man/firejail-login.txt | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 24 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 | ||||
-rw-r--r-- | src/man/firemon.txt | 2 |
7 files changed, 42 insertions, 19 deletions
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.28. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.29-github. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.28' | 583 | PACKAGE_VERSION='0.9.29-github' |
584 | PACKAGE_STRING='firejail 0.9.28' | 584 | PACKAGE_STRING='firejail 0.9.29-github' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.sourceforge.net' | 586 | PACKAGE_URL='http://firejail.sourceforge.net' |
587 | 587 | ||
@@ -1236,7 +1236,7 @@ if test "$ac_init_help" = "long"; then | |||
1236 | # Omit some internal or obsolete options to make the list less imposing. | 1236 | # Omit some internal or obsolete options to make the list less imposing. |
1237 | # This message is too long to be a string in the A/UX 3.1 sh. | 1237 | # This message is too long to be a string in the A/UX 3.1 sh. |
1238 | cat <<_ACEOF | 1238 | cat <<_ACEOF |
1239 | \`configure' configures firejail 0.9.28 to adapt to many kinds of systems. | 1239 | \`configure' configures firejail 0.9.29-github to adapt to many kinds of systems. |
1240 | 1240 | ||
1241 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1241 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1242 | 1242 | ||
@@ -1297,7 +1297,7 @@ fi | |||
1297 | 1297 | ||
1298 | if test -n "$ac_init_help"; then | 1298 | if test -n "$ac_init_help"; then |
1299 | case $ac_init_help in | 1299 | case $ac_init_help in |
1300 | short | recursive ) echo "Configuration of firejail 0.9.28:";; | 1300 | short | recursive ) echo "Configuration of firejail 0.9.29-github:";; |
1301 | esac | 1301 | esac |
1302 | cat <<\_ACEOF | 1302 | cat <<\_ACEOF |
1303 | 1303 | ||
@@ -1386,7 +1386,7 @@ fi | |||
1386 | test -n "$ac_init_help" && exit $ac_status | 1386 | test -n "$ac_init_help" && exit $ac_status |
1387 | if $ac_init_version; then | 1387 | if $ac_init_version; then |
1388 | cat <<\_ACEOF | 1388 | cat <<\_ACEOF |
1389 | firejail configure 0.9.28 | 1389 | firejail configure 0.9.29-github |
1390 | generated by GNU Autoconf 2.69 | 1390 | generated by GNU Autoconf 2.69 |
1391 | 1391 | ||
1392 | Copyright (C) 2012 Free Software Foundation, Inc. | 1392 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1688,7 +1688,7 @@ cat >config.log <<_ACEOF | |||
1688 | This file contains any messages produced by compilers while | 1688 | This file contains any messages produced by compilers while |
1689 | running configure, to aid debugging if configure makes a mistake. | 1689 | running configure, to aid debugging if configure makes a mistake. |
1690 | 1690 | ||
1691 | It was created by firejail $as_me 0.9.28, which was | 1691 | It was created by firejail $as_me 0.9.29-github, which was |
1692 | generated by GNU Autoconf 2.69. Invocation command line was | 1692 | generated by GNU Autoconf 2.69. Invocation command line was |
1693 | 1693 | ||
1694 | $ $0 $@ | 1694 | $ $0 $@ |
@@ -4087,7 +4087,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4087 | # report actual input values of CONFIG_FILES etc. instead of their | 4087 | # report actual input values of CONFIG_FILES etc. instead of their |
4088 | # values after options handling. | 4088 | # values after options handling. |
4089 | ac_log=" | 4089 | ac_log=" |
4090 | This file was extended by firejail $as_me 0.9.28, which was | 4090 | This file was extended by firejail $as_me 0.9.29-github, which was |
4091 | generated by GNU Autoconf 2.69. Invocation command line was | 4091 | generated by GNU Autoconf 2.69. Invocation command line was |
4092 | 4092 | ||
4093 | CONFIG_FILES = $CONFIG_FILES | 4093 | CONFIG_FILES = $CONFIG_FILES |
@@ -4141,7 +4141,7 @@ _ACEOF | |||
4141 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4141 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4142 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4142 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4143 | ac_cs_version="\\ | 4143 | ac_cs_version="\\ |
4144 | firejail config.status 0.9.28 | 4144 | firejail config.status 0.9.29-github |
4145 | configured by $0, generated by GNU Autoconf 2.69, | 4145 | configured by $0, generated by GNU Autoconf 2.69, |
4146 | with options \\"\$ac_cs_config\\" | 4146 | with options \\"\$ac_cs_config\\" |
4147 | 4147 | ||
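--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.28, netblue30@yahoo.com, , http://firejail.sourceforge.net)
+AC_INIT(firejail, 0.9.29-github, netblue30@yahoo.com, , http://firejail.sourceforge.net)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 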
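--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -415,9 +415,18 @@ void profile_read(const char *fname, const char *skip1, const char *skip2) {
 p++;
 }
 
+// expand ${HOME}/ in front of the new profile file
+char *newprofile2 = NULL;
+if (strncmp(newprofile, "${HOME}", 7) == 0) {
+if (asprintf(&newprofile2, "%s%s", cfg.homedir, newprofile + 7) == -1)
+errExit("asprintf");
+}
+
 // recursivity
-profile_read(newprofile, newskip1, newskip2);
+profile_read((newprofile2)? newprofile2:newprofile, newskip1, newskip2);
 include_level--;
+if (newprofile2)
+free(newprofile2);
 free(ptr);
 continue;
 }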
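Review bot: The prefix test `strncmp(newprofile, "${HOME}", 7)` in the added block does not require the `/` that the comment above it and the man page describe, so an include written as `${HOME}foo` is expanded to the home directory path with `foo` appended, which names a sibling of the home directory rather than a file under it. Matching the separator as well, `if (strncmp(newprofile, "${HOME}/", 8) == 0) {`, while still copying from `newprofile + 7`, keeps the expansion anchored at the home directory. The hunk does not show whether `cfg.homedir` can be NULL at this point or what privileges the recursive `profile_read` holds when it opens the expanded path, so both are worth confirming. As a style point, `free(NULL)` is a no-op, so the `if (newprofile2)` guard before `free(newprofile2);` can be dropped. profile_read begins and ends outside the hunk.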
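--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
 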
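--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
 profile \- Profile file syntax for Firejail
 
@@ -15,8 +15,19 @@ directory and ~/.config/firejail directory.
 Include and comment support:
 
 .TP
-\f\include other.profile
-Include other.profile file.
+\f\include other.profile exclude-token
+Include other.profile file. exclued-token disables blacklist commands in other.profile
+if exclude-token word is found in the name section of blacklist command.
+exclude-tyoken is optional.
+
+Example: "include /etc/firejail/disable-common.inc .filezilla"
+loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
+
+other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
+file in user home directory.
+
+Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
+
 .TP
 # this is a comment
 
@@ -81,14 +92,17 @@ Enable default Linux capabilities filter.
 caps.drop all
 Blacklist all Linux capabilities.
 .TP
-caps.drop capability,capability,capability
+caps.keep capability,capability,capability
 Blacklist Linux capabilities filter.
 .TP
 caps.drop capability,capability,capability
 Whitelist Linux capabilities filter.
 .TP
 \f\seccomp
-Enable default seccomp filter.
+Enable default seccomp filter. The default list is as follows:
+mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
+iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.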
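--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firejail man page"
+.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page"
 .SH NAME
 Firejail \- Linux namespaces sandbox program
 .SH SYNOPSIS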
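--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firemon man page"
+.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page"
 .SH NAME
 Firemon \- Monitoring program for processes started in a Firejail sandbox.
 .SH SYNOPSIS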