-rw-r--r-- | README.md | 9 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | etc/profile-a-l/dino.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/man.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/onionshare-cli.profile | 12 | ||||
-rw-r--r-- | etc/profile-m-z/onionshare.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/wireshark.profile | 4 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 7 | ||||
-rwxr-xr-x | test/fs/fs.sh | 3 | ||||
-rwxr-xr-x | test/fs/tab.exp | 46 | ||||
-rw-r--r-- | test/fs/tab.profile | 1 |
17 files changed, 122 insertions, 4 deletions
@@ -213,6 +213,14 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
213 | 213 | ||
214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
215 | 215 | ||
216 | ### Shell tab completion | ||
217 | ``` | ||
218 | --tab Enable bash completion in sandboxes using private or whitelisted | ||
219 | home directories. | ||
220 | |||
221 | $ firejail --private --tab | ||
222 | ``` | ||
223 | |||
216 | ### Profile Statistics | 224 | ### Profile Statistics |
217 | 225 | ||
218 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 226 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -251,3 +259,4 @@ Stats: | |||
251 | 259 | ||
252 | ### New profiles: | 260 | ### New profiles: |
253 | 261 | ||
262 | onionshare, onionshare-cli | ||
@@ -1,6 +1,10 @@ | |||
1 | firejail (0.9.69) baseline; urgency=low | 1 | firejail (0.9.69) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) | 3 | * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) |
4 | * bugfix: nogroups + wrc prints confusing messages (#4930 #4933) | ||
5 | * ci: replace centos (EOL) with almalinux (#4912) | ||
6 | * docs: Refer to firejail.config in configuration files (#4916) | ||
7 | * new profiles: onionshare, onionshare-cli | ||
4 | -- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500 | 8 | -- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500 |
5 | 9 | ||
6 | firejail (0.9.68) baseline; urgency=low | 10 | firejail (0.9.68) baseline; urgency=low |
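--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -44,4 +44,13 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
 
-dbus-system none
+dbus-user filter
+# Integration with notification and other desktop environment functionalities
+dbus-user.own im.dino.Dino
+# dconf integration
+dbus-user.talk ca.desrt.dconf
+# Notification support
+dbus-user.talk org.freedesktop.Notifications
+dbus-system filter
+# Integration with systemd-logind or elogind
+dbus-system.talk org.freedesktop.login1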
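Review bot: The system bus policy is relaxed from `dbus-system none` to `dbus-system filter` plus `dbus-system.talk org.freedesktop.login1`, and the comment above it does not say which Dino feature needs logind. Naming the feature and the opt-out would let users judge the trade-off, e.g. `# Integration with systemd-logind or elogind; add 'dbus-system none' to dino.local if not needed`. On the user bus, `dbus-user.talk ca.desrt.dconf` reaches the dconf service, which presumably covers settings beyond Dino's own, so a short caveat next to `# dconf integration` would be useful as well.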
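--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -66,4 +66,4 @@ dbus-system none
 
 memory-deny-write-execute
 read-only ${HOME}
-read-only /tmp
+#read-only /tmp # breaks mandoc (see #4927)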
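Review bot: With `read-only /tmp` commented out, /tmp becomes writable inside the man sandbox, and the hunk does not show whether the profile sets `private-tmp` further up. If it does not, `private-tmp` is worth testing as a replacement, since it would give mandoc a writable scratch directory without exposing the host's /tmp. If it is already set, the trailing comment could say so, e.g. `#read-only /tmp # breaks mandoc (see #4927); /tmp is still private via private-tmp`.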
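--- /dev/null
+++ b/etc/profile-m-z/onionshare-cli.profile
@@ -0,0 +1,12 @@
+# Firejail profile for onionshare-cli
+# Description: Share a file over Tor Hidden Services anonymously and securely (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include onionshare-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile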
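--- /dev/null
+++ b/etc/profile-m-z/onionshare.profile
@@ -0,0 +1,11 @@
+# Firejail profile for onionshare
+# Description: Share a file over Tor Hidden Services anonymously and securely (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include onionshare-gui.profile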
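--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -45,7 +45,9 @@ tracelog
 
 # private-bin wireshark
 private-cache
-private-dev
+# private-dev prevents (some) interfaces from being shown.
+# Add the below line to your wirehsark.local if you only want to inspect pcap files.
+#private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
 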
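Review bot: The new comment misspells the override file as `wirehsark.local`; a user who copies that name creates a file the profile never includes, so the hardening silently does not apply. It should read `# Add the below line to your wireshark.local if you only want to inspect pcap files.` Since `private-dev` is now off by default, the comment could also state that the full /dev is visible to the sandbox unless the user re-enables it.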
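--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -608,6 +608,8 @@ odt2txt
 oggsplt
 okular
 onboard
+onionshare
+onionshare-cli
 onionshare-gui
 ooffice
 ooviewdoc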
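--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -365,6 +365,7 @@ extern DbusPolicy arg_dbus_system; // --dbus-system
 extern int arg_dbus_log_user;
 extern int arg_dbus_log_system;
 extern const char *arg_dbus_log_file;
+extern int arg_tab;
 
 extern int login_shell;
 extern int parent_to_child_fds[2];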
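--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,8 +34,10 @@
 #endif
 
 static void disable_tab_completion(const char *homedir) {
-char *fname;
+if (arg_tab)
+return;
 
+char *fname;
 if (asprintf(&fname, "%s/.inputrc", homedir) == -1)
 errExit("asprintf");
 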
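Review bot: The early return in `disable_tab_completion()` has no comment explaining that it is a deliberate opt-out from a default restriction. A line above the check, such as `// --tab or the "tab" profile command: user opted in, leave ~/.inputrc untouched`, would make that clear. The rest of the function lies outside the hunk, so what it writes to `.inputrc` is only presumed here. It would also help to record at this spot why completion is disabled by default in private and whitelisted homes, so the cost of `--tab` is documented where the decision is made.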
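--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -155,6 +155,7 @@ DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
 int arg_dbus_log_user = 0;
 int arg_dbus_log_system = 0;
+int arg_tab = 0;
 int login_shell = 0;
 
 int parent_to_child_fds[2];
@@ -2798,6 +2799,8 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--deterministic-shutdown") == 0) {
 arg_deterministic_shutdown = 1;
 }
+else if (strcmp(argv[i], "--tab") == 0)
+arg_tab = 1;
 else {
 // double dash - positional params to follow
 if (strcmp(argv[i], "--") == 0) {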
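Review bot: The new `--tab` branch in the second hunk is written without braces, while the branches on either side of it use them. Writing it as `else if (strcmp(argv[i], "--tab") == 0) {`, `arg_tab = 1;`, `}` keeps the option chain uniform and avoids a dangling-else surprise if a statement is added later. In the first hunk, `int arg_tab = 0;` could carry a trailing `// --tab` comment, as `arg_dbus_system` does in the hunk header line. `main()` starts and ends outside the hunk.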
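--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -389,6 +389,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 return 0;
 }
+else if (strcmp(ptr, "tab") == 0) {
+arg_tab = 1;
+return 0;
+}
 else if (strcmp(ptr, "private-cwd") == 0) {
 cfg.cwd = NULL;
 arg_private_cwd = 1;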
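Review bot: The `tab` profile command accepted here appears to be undocumented: the diffstat lists only src/man/firejail.txt among the man pages, so the profile man page is presumably unchanged. Because any included profile can now re-enable completion in a private home, that man page should get an entry for `tab` mirroring the `--tab` text. A short comment on the branch would also help, e.g. `// tab: keep shell tab completion enabled (same as --tab)`. `profile_check_line()` starts and ends outside the hunk.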
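--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -245,6 +245,8 @@ static char *usage_str =
 " --shell=none - run the program directly without a user shell.\n"
 " --shell=program - set default user shell.\n"
 " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+" --tab - enable shell tab completion in sandboxes using private or\n"
+"\twhitelisted home directories.\n"
 " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
 "\thas elapsed.\n"
 " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"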
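--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2683,6 +2683,13 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 .TP
+\fB\-\-tab
+Enable shell tab completion in sandboxes using private or whitelisted home directories.
+.br
+
+.br
+$ firejail \-\-private --tab
+.TP
 \fB\-\-timeout=hh:mm:ss
 Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 .br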
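--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -10,6 +10,9 @@ export LC_ALL=C
 # These directories are required by some tests:
 mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos
 
+echo "TESTING: tab completion (test/fs/tab.exp)"
+./tab.exp
+
 rm -fr ~/_firejail_test_*
 echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
 ./mkdir_mkfile.exp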
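--- /dev/null
+++ b/test/fs/tab.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --private ls -al\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+".inputrc"
+}
+sleep 1
+
+send -- "firejail --private --tab ls -al\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+".inputrc" {puts "TESTING ERROR 4\n";exit}
+"Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail --private --profile=tab.profile ls -al\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+".inputrc" {puts "TESTING ERROR 7\n";exit}
+"Parent is shutting down"
+}
+sleep 1
+
+puts "\nall done\n"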
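Review bot: Every failure branch ends with a bare `exit`, which terminates the script with status 0, so a failed check shows up only as a `TESTING ERROR` line in the output. If fs.sh or CI ever relies on the exit status, a regression in the default `.inputrc` restriction would pass unnoticed; `exit 1` in those branches would surface it. The `.` in `\[0-9\]+.\[0-9\]+ ms` is also unescaped and matches any character; `\[0-9\]+\\.\[0-9\]+ ms` pins it to a literal dot.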
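--- /dev/null
+++ b/test/fs/tab.profile
@@ -0,0 +1 @@
+tab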