36 files changed, 163 insertions, 71 deletions
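--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -20,12 +20,12 @@ build_debian_package:
 - apt-get install -y -qq build-essential lintian pkg-config
 - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
-build_redhat_package:
-image: centos:latest
-script:
-- yum update -y
-- yum install -y rpm-build gcc make
-- ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
+#build_redhat_package:
+# image: centos:latest
+# script:
+# - yum update -y
+# - yum install -y rpm-build gcc make
+# - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
 
 build_fedora_package:
 image: fedora:latest
@@ -74,6 +74,7 @@ debian_ci:
 - git config user.email "$GITLAB_USER_NAME" && git config user.name "$GITLAB_USER_EMAIL"
 - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
 - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
+- rm -rf debian/patches/
 - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
 - git add debian && git commit -m "add debian/"
 - export CI_COMMIT_SHA=$(git rev-parse HEAD)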
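Review bot: The new `- rm -rf debian/patches/` step at new line 77 of the debian_ci job deletes every patch shipped in Debian's source package without saying why, so the next editor has no way to tell a deliberate choice from leftover debugging; a comment such as `# drop Debian's patches: they presumably target the packaged release, not git HEAD` would record the intent. The debian_ci job continues outside the hunk. Not introduced here, but visible on the context line above: `git config user.email "$GITLAB_USER_NAME"` and `git config user.name "$GITLAB_USER_EMAIL"` have the two variables swapped, which makes the CI commit's author fields wrong. The commented-out build_redhat_package job in the first hunk likewise carries no reason; one line above it stating why it was disabled would avoid it being silently re-enabled.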
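--- a/Makefile.in
+++ b/Makefile.in
@@ -195,7 +195,7 @@ uninstall:
 rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
+DISTFILES = "src etc m4 platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist: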
@@ -53,7 +53,7 @@ Committers | |||
53 | 53 | ||
54 | Firejail Authors (alphabetical order) | 54 | Firejail Authors (alphabetical order) |
55 | 55 | ||
56 | 7twin (https://github.com/7twin_ | 56 | 7twin (https://github.com/7twin_) |
57 | - fix typos | 57 | - fix typos |
58 | - fix flameshot raw screenshots | 58 | - fix flameshot raw screenshots |
59 | 1dnrr (https://github.com/1dnrr) | 59 | 1dnrr (https://github.com/1dnrr) |
@@ -565,6 +565,8 @@ PizzaDude (https://github.com/pizzadude) | |||
565 | - added profile for torbrowser-launcher | 565 | - added profile for torbrowser-launcher |
566 | - added profile for sayonara and qmmp | 566 | - added profile for sayonara and qmmp |
567 | - remove tracelog from Firefox profile | 567 | - remove tracelog from Firefox profile |
568 | polyzen (https://github.com/polyzen) | ||
569 | - fixed wusc issue with mpv/Vulkan | ||
568 | probonopd (https://github.com/probonopd) | 570 | probonopd (https://github.com/probonopd) |
569 | - automatic build on Travis CI | 571 | - automatic build on Travis CI |
570 | pshpsh (https://github.com/pshpsh) | 572 | pshpsh (https://github.com/pshpsh) |
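--- /dev/null
+++ b/etc/allow-ruby.inc
@@ -0,0 +1,2 @@
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby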
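Review bot: The new allow-ruby.inc has no header comment stating what it re-enables, while the template hunk in this same commit documents it as `# Allow ruby (blacklisted by disable-interpreters.inc)`; putting that same line at the top of the file keeps the purpose with the rules. A reader then also sees that only the `ruby` binary and /usr/lib/ruby are re-exposed, and can decide in their own .local whether any further ruby paths need a `noblacklist` too.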
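--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.aria2
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -39,7 +41,7 @@ private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 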
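Review bot: The `private-etc` line at new line 44 lists `groups`, but the group database lives in /etc/group (the evince hunk in this same commit spells it `group`), so unless the target system really has an /etc/groups this entry matches nothing and the group lookup that `passwd` and `login.defs` were added alongside still fails inside the sandbox. Suggested line: `private-etc alternatives,ca-certificates,crypto-policies,group,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl`. If `groups` is intentional, a short comment naming the distribution that ships it would stop the next reader from "fixing" it.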
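--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -7,22 +7,28 @@ include artha.local
 include globals.local
 
 noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.log
 noblacklist ${HOME}/.config/enchant
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-mkdir ${HOME}/.config/artha.conf
-mkdir ${HOME}/.config/enchant
-whitelist ${HOME}/.config/artha.conf
-whitelist ${HOME}/.config/enchant
+# whitelisting in ${HOME} makes settings immutable, see #3112
+#mkfile ${HOME}/.config/artha.conf
+#mkdir ${HOME}/.config/enchant
+#whitelist ${HOME}/.config/artha.conf
+#whitelist ${HOME}/.config/artha.log
+#whitelist ${HOME}/.config/enchant
 whitelist /usr/share/artha
 whitelist /usr/share/wordnet
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -43,6 +49,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin artha,enchant,notify-send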
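Review bot: Commenting out `include whitelist-common.inc` together with the ${HOME} whitelists (new lines 23-31) does more than work around #3112: with no whitelist left in ${HOME}, everything in the home directory that the disable-*.inc files do not blacklist is now visible to artha, and the comment only mentions settings being immutable. The same applies to the pavucontrol hunk later in this commit, whose comment reads "whitelisting in ${HOME} is broken" instead, so the two explanations also disagree. Suggest one wording for both that names the trade-off: `# whitelisting in ${HOME} makes settings immutable (see #3112); until that is fixed the whole home directory, minus the blacklists, is visible`.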
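--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
+#nodbus
 nodvd
 nogroups
 nonewprivs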
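Review bot: `#nodbus` at new line 19 switches a restriction off with no reason recorded, whereas the celluloid hunk in this same commit writes `# nodbus -- uses dconf` and hexchat writes `#machine-id -- breaks sound`; the gnome-builder hunk (dropping `private-cache`) and the mupdf hunk (`# memory-deny-write-execute`) have the same gap. Without the reason, the next audit of the profile cannot tell whether the bus access is still needed, and the line tends to be re-enabled and reverted in turn. Suggest the same style here, `#nodbus -- <reason it breaks baobab>`, and a similar trailing comment on the other two.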
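--- /dev/null
+++ b/etc/barrier.profile
@@ -0,0 +1,45 @@
+# Firejail profile for barrier
+# Description: Keyboard and mouse sharing application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include barrier.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.local/share/barrier
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-cache
+private-tmp
+
+memory-deny-write-execute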
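Review bot: The new profile has neither `private-bin` nor `private-etc`, so a network-facing input-sharing program that is explicitly allowed to run openssl (`noblacklist ${PATH}/openssl`, line 11) still sees the whole of /etc and every binary on the PATH. Since the profile already restricts to `protocol unix,inet,inet6,netlink` and `netfilter`, the natural next step is a `private-etc` limited to what TLS and name resolution need, e.g. `private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl` (a starting list; trim or extend once barrier has been run under it), and a `private-bin barrier,barrierc,barriers,openssl` once the exact executable names are confirmed on a test system. If these were tried and broke the application, a `#private-etc ... -- breaks <what>` line would save the next contributor the experiment.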
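--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -29,7 +29,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+# nodbus -- uses dconf
 nogroups
 nonewprivs
 noroot
@@ -41,7 +41,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 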
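--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -9,6 +9,9 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
+noblacklist ${HOME}/Mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/doc
+whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-usr-share-common.inc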
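--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -230,6 +230,7 @@ read-only ${HOME}/.bash_login
 read-only ${HOME}/.bash_logout
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
 read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc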
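--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -71,6 +71,7 @@ blacklist ${HOME}/.config/Code
 blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
@@ -119,6 +120,7 @@ blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
+blacklist ${HOME}/.config/artha.log
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
@@ -487,6 +489,7 @@ blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
+blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata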
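--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -46,7 +46,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp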
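--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 
 apparmor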
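--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 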
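--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -31,5 +31,4 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-cache
 private-dev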
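--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/maps-places.json
 whitelist ${DOWNLOADS}
 whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -55,4 +56,3 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
-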
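--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
 whitelist ${HOME}/.config/hexchat
@@ -26,14 +27,13 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-machine-id
+#machine-id -- breaks sound
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo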
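--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 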
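--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
 novideo
 protocol unix
 seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
 # private-bin mupdf,rm,sh,tempfile
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 read-only ${HOME}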
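--- a/etc/neverputt.profile
+++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
 # added by included profile
 #include globals.local
 
+private-bin neverputt
+
 # Redirect
 include neverball.profile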
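--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
 nodbus
 nodvd
 nogroups
@@ -32,9 +32,10 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
+protocol unix,netlink
 seccomp
 shell none
+tracelog
 
 private-dev
 private-tmp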
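--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
 whitelist /usr/share/pavucontrol
 whitelist /usr/share/pavucontrol-qt
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -39,6 +40,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute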
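--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -36,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp !chroot
+seccomp !chroot,!name_to_handle_at
 # tracelog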
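Review bot: The comment above the changed line still explains only `!chroot`, while new line 39 now also removes `name_to_handle_at` from the seccomp blocklist, so the second exception has no recorded justification. If it was added for the same reason, update the comment to `# blacklisting of the chroot and name_to_handle_at system calls breaks qt webengine`; if it was a different failure, say which. From a hardening view this relaxation is tolerable only as long as `open_by_handle_at` stays blocked (the handle alone is not usable without it), which is worth stating in the same comment so a later cleanup does not lift both together.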
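--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -4,29 +4,17 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.sylpheed-2.0
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+blacklist ${HOME}/.claws-mail
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
+nowhitelist /usr/share/doc/claws-mail
+whitelist /usr/share/sylpheed
 
-private-dev
-private-tmp
+# Redirect
+include claws-mail.profile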
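Review bot: Turning sylpheed into a redirect drops its own `nosound`, `nodvd`, `notv`, `nou2f` and `novideo` lines (old lines 19-26) and makes the profile inherit whatever claws-mail.profile sets; the claws-mail hunks on this page show only its noblacklist/whitelist section, so it is not visible here whether every one of those restrictions survives. Worth confirming on a test run and, for any that claws-mail.profile lacks, re-adding it before the redirect, e.g. `nosound` above the `# Redirect` comment. The ordering of `blacklist ${HOME}/.claws-mail` and `nowhitelist /usr/share/doc/claws-mail` ahead of the include looks right, since both must be seen before the included profile's `noblacklist`/`whitelist` lines; a one-line comment saying so (`# must precede the redirect`) would keep someone from moving them below it.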
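--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
+
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 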
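--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -48,7 +48,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp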
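--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/perl5
 include whitelist-usr-share-common.inc
 
 caps.drop all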
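--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,18 +7,28 @@ include wget.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+#include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
+nodbus
 netfilter
 no3d
 nodvd
@@ -32,9 +42,13 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
-# private-bin wget
+private-bin wget
+private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
-# private-tmp
+# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
+#private-tmp
 
+memory-deny-write-execute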
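Review bot: `noblacklist ${HOME}/.netrc` at new line 10 exposes the file that stores login credentials for every host the user has recorded in it, and nothing on the line says that this is the cost of supporting authenticated downloads; the rest of the hunk takes care to explain optional lines, so this one deserves the same. Suggest `# .netrc holds login credentials; if you never use authenticated downloads, 'blacklist ${HOME}/.netrc' in your wget.local` directly above it. The `#private-etc` list at new line 51 is the only place /etc/wgetrc is mentioned, so a user who enables it will get the system-wide config while one who does not sees all of /etc -- consistent with the comment at new line 50, just worth keeping in mind when the line is later enabled by default.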
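--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -7,19 +7,23 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+
 include disable-common.inc
-# include disable-devel.inc
+include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-# ipc-namespace
+hostname whois
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodbus
@@ -34,13 +38,14 @@ novideo
 protocol inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private
 private-bin bash,sh,whois
 private-cache
 private-dev
-# private-etc alternatives,hosts,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,services,whois.conf
 private-lib
 private-tmp
 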
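Review bot: The now-active `private-etc` on new line 48 lists neither resolv.conf nor nsswitch.conf, so once /etc is private the whois client may be unable to resolve the whois server's name; the other network profiles in this commit keep resolv.conf in their lists (youtube-dl line 59, and the still-commented wget line 51), and this profile's `protocol inet,inet6` also excludes a local resolver reached over a unix socket. If whois uses the host's glibc resolver as I assume, `private-etc alternatives,hosts,jwhois.conf,nsswitch.conf,resolv.conf,services,whois.conf` is the minimal working list. Please confirm on a machine where /etc/resolv.conf is a real file rather than a stub before merging the stricter list.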
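--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)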
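--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -67,6 +67,7 @@ aweather
 baloo_file
 baloo_filemetadata_temp_extractor
 baobab
+barrier
 basilisk
 beaker
 bibletime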
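--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1772,7 +1772,7 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
-More informations about groups can be found in /usr/share/doc/firejail/syscalls.txt
+More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
 
 In addition, a system call can be specified by its number instead of
 name with prefix $, so for example $165 would be equal to mount on i386.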
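--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -23,17 +23,17 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
+send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
 }
 sleep 1
 
-send -- "find /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"1"
+"2"
 }
 after 100
 send -- "exit\r"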
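Review bot: The new pattern `"2"` on line 36 is a glob substring match, so it is also satisfied by a count of 12 or 20 and by any stray 2 in the shell output, which means TESTING ERROR 3 cannot fire on a wrong count; the old `"1"` had the same weakness, but this change is the moment to anchor it. Matching a whole output line, `-re {[\r\n]2[\r\n]}`, keeps the test honest. The expected value also deserves a comment above the send on line 33, since it is derived from the two whitelisted entries: `# only /dev/null and /dev/random are whitelisted, so ls must list exactly 2 entries`.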
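--- a/test/utils/audit.exp
+++ b/test/utils/audit.exp
@@ -32,6 +32,10 @@ expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "dev directory seems to be fully populated"
 }
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"Parent is shutting down, bye..."
+}
 after 100
 
 
@@ -60,6 +64,10 @@ expect {
 timeout {puts "TESTING ERROR 11\n";exit}
 "dev directory seems to be fully populated"
 }
+expect {
+timeout {puts "TESTING ERROR 11.1\n";exit}
+"Parent is shutting down, bye..."
+}
 after 100
 
 send -- "firejail --audit=blablabla\r"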
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index eb691bbf8..0d5ec5d63 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp | |||
@@ -41,7 +41,7 @@ expect { | |||
41 | } | 41 | } |
42 | after 100 | 42 | after 100 |
43 | 43 | ||
44 | send -- "firejail --shutdown=10\r" | 44 | send -- "firejail --shutdown=1\r" |
45 | expect { | 45 | expect { |
46 | timeout {puts "TESTING ERROR 5\n";exit} | 46 | timeout {puts "TESTING ERROR 5\n";exit} |
47 | "this is not a firejail sandbox" | 47 | "this is not a firejail sandbox" |