-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 129 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 23 |
5 files changed, 119 insertions, 43 deletions
@@ -278,6 +278,7 @@ David Thole (https://github.com/TheDarkTrumpet) | |||
278 | Davide Beatrici (https://github.com/davidebeatrici) | 278 | Davide Beatrici (https://github.com/davidebeatrici) |
279 | - steam.profile: correctly blacklist unneeded directories in user's home | 279 | - steam.profile: correctly blacklist unneeded directories in user's home |
280 | - minetest fixes | 280 | - minetest fixes |
281 | - map /dev/input with "--private-dev", add "--no-input" option to disable it | ||
281 | David Hyrule (https://github.com/Svaag) | 282 | David Hyrule (https://github.com/Svaag) |
282 | - remove nou2f in ssh profile | 283 | - remove nou2f in ssh profile |
283 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) | 284 | Deelvesh Bunjun (https://github.com/DeelveshBunjun) |
@@ -553,6 +554,7 @@ Kishore96in (https://github.com/Kishore96in) | |||
553 | - okular profile fixes | 554 | - okular profile fixes |
554 | - jitsi-meet-desktop profile | 555 | - jitsi-meet-desktop profile |
555 | - konversatin profile fix | 556 | - konversatin profile fix |
557 | - added Neochat profile | ||
556 | KOLANICH (https://github.com/KOLANICH) | 558 | KOLANICH (https://github.com/KOLANICH) |
557 | - added symlink fixer fix_private-bin.py in contrib section | 559 | - added symlink fixer fix_private-bin.py in contrib section |
558 | - update fix_private-bin.py | 560 | - update fix_private-bin.py |
@@ -619,6 +621,8 @@ Melvin Vermeeren (https://github.com/melvinvermeeren) | |||
619 | - added --noautopulse command line option | 621 | - added --noautopulse command line option |
620 | Michael Haas (https://github.com/mhaas) | 622 | Michael Haas (https://github.com/mhaas) |
621 | - bugfixes | 623 | - bugfixes |
624 | Michael Hoffmann (https://github.com/brisad) | ||
625 | - added support for subdirs in private-etc | ||
622 | Mike Frysinger (vapier@gentoo.org) | 626 | Mike Frysinger (vapier@gentoo.org) |
623 | - Gentoo compile patch | 627 | - Gentoo compile patch |
624 | mirabellette (https://github.com/mirabellette) | 628 | mirabellette (https://github.com/mirabellette) |
@@ -336,3 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c | |||
336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, | 336 | sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, |
337 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, | 337 | ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, |
338 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon | 338 | pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon |
339 | neochat | ||
@@ -12,6 +12,8 @@ firejail (0.9.65) baseline; urgency=low | |||
12 | * compile time: --enable-force-nonewprivs | 12 | * compile time: --enable-force-nonewprivs |
13 | * compile time: --disable-output | 13 | * compile time: --disable-output |
14 | * compile time: --enable-lts | 14 | * compile time: --enable-lts |
15 | * subdirs support in private-etc | ||
16 | * input devices support in private-dev, --no-input | ||
15 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng | 17 | * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng |
16 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, | 18 | * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, |
17 | * avidemux, calligragemini, vmware-player, vmware-workstation | 19 | * avidemux, calligragemini, vmware-player, vmware-workstation |
@@ -22,7 +24,8 @@ firejail (0.9.65) baseline; urgency=low | |||
22 | * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, | 24 | * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, |
23 | * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, | 25 | * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, |
24 | * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon | 26 | * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon |
25 | * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper | 27 | * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, |
28 | * neochat | ||
26 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 | 29 | -- netblue30 <netblue30@yahoo.com> Tue, 9 Feb 2021 09:00:00 -0500 |
27 | 30 | ||
28 | firejail (0.9.64.4) baseline; urgency=low | 31 | firejail (0.9.64.4) baseline; urgency=low |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index ac0cd455a..b35380b96 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) { | |||
177 | //******************************************* | 177 | //******************************************* |
178 | // usr/share directory | 178 | // usr/share directory |
179 | //******************************************* | 179 | //******************************************* |
180 | // todo: load the list from whitelist-usr-share-common.inc | ||
181 | static char *share_skip[] = { | ||
182 | "/usr/share/alsa", | ||
183 | "/usr/share/applications", | ||
184 | "/usr/share/ca-certificates", | ||
185 | "/usr/share/crypto-policies", | ||
186 | "/usr/share/cursors", | ||
187 | "/usr/share/dconf", | ||
188 | "/usr/share/distro-info", | ||
189 | "/usr/share/drirc.d", | ||
190 | "/usr/share/enchant", | ||
191 | "/usr/share/enchant-2", | ||
192 | "/usr/share/file", | ||
193 | "/usr/share/fontconfig", | ||
194 | "/usr/share/fonts", | ||
195 | "/usr/share/fonts-config", | ||
196 | "/usr/share/gir-1.0", | ||
197 | "/usr/share/gjs-1.0", | ||
198 | "/usr/share/glib-2.0", | ||
199 | "/usr/share/glvnd", | ||
200 | "/usr/share/gtk-2.0", | ||
201 | "/usr/share/gtk-3.0", | ||
202 | "/usr/share/gtk-engines", | ||
203 | "/usr/share/gtksourceview-3.0", | ||
204 | "/usr/share/gtksourceview-4", | ||
205 | "/usr/share/hunspell", | ||
206 | "/usr/share/hwdata", | ||
207 | "/usr/share/icons", | ||
208 | "/usr/share/icu", | ||
209 | "/usr/share/knotifications5", | ||
210 | "/usr/share/kservices5", | ||
211 | "/usr/share/Kvantum", | ||
212 | "/usr/share/kxmlgui5", | ||
213 | "/usr/share/libdrm", | ||
214 | "/usr/share/libthai", | ||
215 | "/usr/share/locale", | ||
216 | "/usr/share/mime", | ||
217 | "/usr/share/misc", | ||
218 | "/usr/share/Modules", | ||
219 | "/usr/share/myspell", | ||
220 | "/usr/share/p11-kit", | ||
221 | "/usr/share/perl", | ||
222 | "/usr/share/perl5", | ||
223 | "/usr/share/pixmaps", | ||
224 | "/usr/share/pki", | ||
225 | "/usr/share/plasma", | ||
226 | "/usr/share/publicsuffix", | ||
227 | "/usr/share/qt", | ||
228 | "/usr/share/qt4", | ||
229 | "/usr/share/qt5", | ||
230 | "/usr/share/qt5ct", | ||
231 | "/usr/share/sounds", | ||
232 | "/usr/share/tcl8.6", | ||
233 | "/usr/share/tcltk", | ||
234 | "/usr/share/terminfo", | ||
235 | "/usr/share/texlive", | ||
236 | "/usr/share/texmf", | ||
237 | "/usr/share/themes", | ||
238 | "/usr/share/thumbnail.so", | ||
239 | "/usr/share/uim", | ||
240 | "/usr/share/vulkan", | ||
241 | "/usr/share/X11", | ||
242 | "/usr/share/xml", | ||
243 | "/usr/share/zenity", | ||
244 | "/usr/share/zoneinfo", | ||
245 | NULL | ||
246 | }; | ||
247 | |||
180 | static FileDB *share_out = NULL; | 248 | static FileDB *share_out = NULL; |
181 | static void share_callback(char *ptr) { | 249 | static void share_callback(char *ptr) { |
182 | // extract the directory: | 250 | // extract the directory: |
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) { | |||
195 | if (p2) | 263 | if (p2) |
196 | *p2 = '\0'; | 264 | *p2 = '\0'; |
197 | 265 | ||
198 | // store the file | 266 | int i = 0; |
199 | share_out = filedb_add(share_out, ptr); | 267 | int found = 0; |
268 | while (share_skip[i]) { | ||
269 | if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) { | ||
270 | found = 1; | ||
271 | break; | ||
272 | } | ||
273 | i++; | ||
274 | } | ||
275 | if (!found) | ||
276 | share_out = filedb_add(share_out, ptr); | ||
200 | } | 277 | } |
201 | 278 | ||
202 | void build_share(const char *fname, FILE *fp) { | 279 | void build_share(const char *fname, FILE *fp) { |
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) { | |||
252 | // dev directory | 329 | // dev directory |
253 | //******************************************* | 330 | //******************************************* |
254 | static char *dev_skip[] = { | 331 | static char *dev_skip[] = { |
332 | "/dev/stdin", | ||
333 | "/dev/stdout", | ||
334 | "/dev/stderr", | ||
255 | "/dev/zero", | 335 | "/dev/zero", |
256 | "/dev/null", | 336 | "/dev/null", |
257 | "/dev/full", | 337 | "/dev/full", |
258 | "/dev/random", | 338 | "/dev/random", |
259 | "/dev/urandom", | 339 | "/dev/urandom", |
340 | "/dev/sr0", | ||
341 | "/dev/cdrom", | ||
342 | "/dev/cdrw", | ||
343 | "/dev/dvd", | ||
344 | "/dev/dvdrw", | ||
345 | "/dev/fd", | ||
346 | "/dev/pts", | ||
347 | "/dev/ptmx", | ||
348 | "/dev/log", | ||
349 | |||
350 | "/dev/aload", // old ALSA devices, not covered in private-dev | ||
351 | "/dev/dsp", // old OSS device, deprecated | ||
352 | |||
260 | "/dev/tty", | 353 | "/dev/tty", |
261 | "/dev/snd", | 354 | "/dev/snd", |
262 | "/dev/dri", | 355 | "/dev/dri", |
263 | "/dev/pts", | 356 | "/dev/nvidia", |
264 | "/dev/nvidia0", | 357 | "/dev/video", |
265 | "/dev/nvidia1", | ||
266 | "/dev/nvidia2", | ||
267 | "/dev/nvidia3", | ||
268 | "/dev/nvidia4", | ||
269 | "/dev/nvidia5", | ||
270 | "/dev/nvidia6", | ||
271 | "/dev/nvidia7", | ||
272 | "/dev/nvidia8", | ||
273 | "/dev/nvidia9", | ||
274 | "/dev/nvidiactl", | ||
275 | "/dev/nvidia-modeset", | ||
276 | "/dev/nvidia-uvm", | ||
277 | "/dev/video0", | ||
278 | "/dev/video1", | ||
279 | "/dev/video2", | ||
280 | "/dev/video3", | ||
281 | "/dev/video4", | ||
282 | "/dev/video5", | ||
283 | "/dev/video6", | ||
284 | "/dev/video7", | ||
285 | "/dev/video8", | ||
286 | "/dev/video9", | ||
287 | "/dev/dvb", | 358 | "/dev/dvb", |
288 | "/dev/sr0", | 359 | "/dev/hidraw", |
360 | "/dev/usb", | ||
361 | "/dev/input", | ||
289 | NULL | 362 | NULL |
290 | }; | 363 | }; |
291 | 364 | ||
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) { | |||
295 | int i = 0; | 368 | int i = 0; |
296 | int found = 0; | 369 | int found = 0; |
297 | while (dev_skip[i]) { | 370 | while (dev_skip[i]) { |
298 | if (strcmp(ptr, dev_skip[i]) == 0) { | 371 | if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) { |
299 | found = 1; | 372 | found = 1; |
300 | break; | 373 | break; |
301 | } | 374 | } |
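Review bot: The strncmp/strlen comparison introduced at new line 371 makes every dev_skip entry an unanchored prefix, so `/dev/tty` now also matches `/dev/ttyS0`, `/dev/ttyUSB0` and `/dev/tty1`, `/dev/fd` matches `/dev/fd0`, and `/dev/usb` matches `/dev/usbmon0`, although only `/dev/nvidia` and `/dev/video` appear to need prefix semantics and the list still mixes them with entries that were exact matches before this change. A device swallowed here is presumably left out of the generated profile, as the `if (!found)` gate in share_callback at new line 275 does, so a traced program that really used a serial or USB node would get a profile that breaks it, and neither the list nor the loop says that prefix matching is intended. I would anchor the match at a path-separator or digit boundary, restore the three non-numeric NVIDIA nodes as explicit entries, and document the rule; the same unanchored compare is in share_callback at new line 269, where `/usr/share/file` also covers `/usr/share/filezilla` and `/usr/share/locale` covers `/usr/share/locales`. The while loop and dev_callback continue past the end of the hunk.
```c
static char *dev_skip[] = {
	// … unchanged: std streams, zero/null/full/random, optical, fd/pts/ptmx/log, legacy audio, tty/snd/dri …
	"/dev/nvidia",		// /dev/nvidia<N> via the digit-suffix rule in dev_callback
	"/dev/nvidiactl",
	"/dev/nvidia-modeset",
	"/dev/nvidia-uvm",
	"/dev/video",		// /dev/video<N>
	// … unchanged: dvb, hidraw, usb, input, NULL …
};

// … unchanged: dev_callback prologue …
	while (dev_skip[i]) {
		size_t len = strlen(dev_skip[i]);
		// an entry covers itself, anything below it, and a numeric suffix (/dev/video0);
		// other continuations (/dev/ttyUSB0, /dev/usbmon0) are different devices and stay reported
		if (strncmp(ptr, dev_skip[i], len) == 0 &&
		    (ptr[len] == '\0' || ptr[len] == '/' ||
		     (ptr[len] >= '0' && ptr[len] <= '9'))) {
			found = 1;
			break;
		}
		i++;
	}
```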
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 0c1b57384..100630eb9 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -160,24 +160,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
160 | 160 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 161 | fprintf(fp, "### home directory whitelisting\n"); |
162 | build_home(trace_output, fp); | 162 | build_home(trace_output, fp); |
163 | fprintf(fp, "\n"); | ||
164 | 163 | ||
165 | fprintf(fp, "### filesystem\n"); | 164 | fprintf(fp, "\n### /usr/share:\n"); |
166 | fprintf(fp, "### /usr/share:\n"); | ||
167 | build_share(trace_output, fp); | 165 | build_share(trace_output, fp); |
168 | fprintf(fp, "### /var:\n"); | 166 | fprintf(fp, "\n### /var:\n"); |
169 | build_var(trace_output, fp); | 167 | build_var(trace_output, fp); |
170 | fprintf(fp, "### /bin:\n"); | 168 | fprintf(fp, "\n### /bin:\n"); |
171 | build_bin(trace_output, fp); | 169 | build_bin(trace_output, fp); |
172 | fprintf(fp, "### /dev:\n"); | 170 | fprintf(fp, "\n### /dev:\n"); |
173 | build_dev(trace_output, fp); | 171 | build_dev(trace_output, fp); |
174 | fprintf(fp, "### /etc:\n"); | 172 | fprintf(fp, "\n### /etc:\n"); |
175 | build_etc(trace_output, fp); | 173 | build_etc(trace_output, fp); |
176 | fprintf(fp, "### /tmp:\n"); | 174 | fprintf(fp, "\n### /tmp:\n"); |
177 | build_tmp(trace_output, fp); | 175 | build_tmp(trace_output, fp); |
178 | fprintf(fp, "\n"); | ||
179 | 176 | ||
180 | fprintf(fp, "### security filters\n"); | 177 | fprintf(fp, "\n### security filters\n"); |
181 | fprintf(fp, "caps.drop all\n"); | 178 | fprintf(fp, "caps.drop all\n"); |
182 | fprintf(fp, "nonewprivs\n"); | 179 | fprintf(fp, "nonewprivs\n"); |
183 | fprintf(fp, "seccomp\n"); | 180 | fprintf(fp, "seccomp\n"); |
@@ -189,13 +186,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
189 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | 186 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); |
190 | else | 187 | else |
191 | build_seccomp(strace_output, fp); | 188 | build_seccomp(strace_output, fp); |
192 | fprintf(fp, "\n"); | ||
193 | 189 | ||
194 | fprintf(fp, "### network\n"); | 190 | fprintf(fp, "\n### network\n"); |
195 | build_protocol(trace_output, fp); | 191 | build_protocol(trace_output, fp); |
196 | fprintf(fp, "\n"); | ||
197 | 192 | ||
198 | fprintf(fp, "### environment\n"); | 193 | fprintf(fp, "\n### environment\n"); |
199 | fprintf(fp, "shell none\n"); | 194 | fprintf(fp, "shell none\n"); |
200 | 195 | ||
201 | if (!arg_debug) { | 196 | if (!arg_debug) { |