-rw-r--r-- | README.md | 22 | ||||
-rw-r--r-- | chromium-whitelist.png | bin | 0 -> 47978 bytes | |||
-rw-r--r-- | etc/chromium.profile | 5 | ||||
-rw-r--r-- | etc/firefox.profile | 4 | ||||
-rw-r--r-- | src/firejail/protocol.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 |
7 files changed, 56 insertions, 11 deletions
@@ -51,17 +51,35 @@ whitelist ~/Downloads | |||
51 | whitelist ~/dwhelper | 51 | whitelist ~/dwhelper |
52 | whitelist ~/.zotero | 52 | whitelist ~/.zotero |
53 | whitelist ~/.lastpass | 53 | whitelist ~/.lastpass |
54 | whitelist ~/.gtkrc-2.0 | ||
55 | whitelist ~/.vimperatorrc | ||
56 | whitelist ~/.vimperator | ||
54 | ````` | 57 | ````` |
55 | 58 | ||
56 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have | 59 | I intend to bring in all files and directories used by Firefox addons and plugins. So far I have |
57 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), | 60 | [Video DownloadHelper](https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/), |
58 | [Zotero](https://www.zotero.org/download/) and | 61 | [Zotero](https://www.zotero.org/download/) |
59 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/). | 62 | [LastPass](https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/), |
63 | and [Vimperator](https://addons.mozilla.org/en-US/firefox/addon/vimperator/) | ||
60 | If you're using a anything else, please let me know. | 64 | If you're using a anything else, please let me know. |
61 | 65 | ||
66 | ### Whitelisting in default Cromium profile | ||
67 | |||
68 | ![Whitelisted home directory](chromium-whitelist.png?raw=true) | ||
69 | |||
62 | ### --ignore option | 70 | ### --ignore option |
63 | 71 | ||
64 | Ignore commands in profile files. Example: | 72 | Ignore commands in profile files. Example: |
65 | ````` | 73 | ````` |
66 | $ firejail --ignore=seccomp wine | 74 | $ firejail --ignore=seccomp wine |
67 | ````` | 75 | ````` |
76 | |||
77 | ### --protocol option | ||
78 | |||
79 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | ||
80 | Recognized values: unix, inet, inet6, netlink and packet. Example: | ||
81 | ````` | ||
82 | $ firejail --protocol=unix,inet,inet6 firefox | ||
83 | ````` | ||
84 | |||
85 | |||
diff --git a/chromium-whitelist.png b/chromium-whitelist.png new file mode 100644 index 000000000..a90f2aa1f --- /dev/null +++ b/chromium-whitelist.png | |||
Binary files differ | |||
diff --git a/etc/chromium.profile b/etc/chromium.profile index f493e1b96..a66578436 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
@@ -5,6 +5,5 @@ include /etc/firejail/disable-secret.inc | |||
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-history.inc | 6 | include /etc/firejail/disable-history.inc |
7 | netfilter | 7 | netfilter |
8 | 8 | whitelist ~/Downloads | |
9 | 9 | whitelist ~/.config/chromium | |
10 | |||
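Review bot: The two new `whitelist` lines at new lines 8-9 are the only entries for Chromium, whereas the Firefox profile (etc/firefox.profile lines 16-18 and the list in the README) whitelists each state directory the browser and its add-ons touch; if `whitelist` hides everything else under $HOME, as the README's "Whitelisted home directory" screenshot suggests, any other Chromium state kept outside ~/.config/chromium (a cache directory elsewhere under the home, for instance) would be discarded when the sandbox exits. Worth a comment recording that intent, e.g. `# only ~/Downloads and Chromium's config dir are visible; add whitelist lines for any other Chromium state directories`, so a later "file missing after restart" report is easy to diagnose. I cannot tell from the rendered page whether the removed old lines 8-10 held anything other than whitespace.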
diff --git a/etc/firefox.profile b/etc/firefox.profile index aee97073d..d81f6a9e1 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
@@ -16,7 +16,3 @@ whitelist ~/.lastpass | |||
16 | whitelist ~/.gtkrc-2.0 | 16 | whitelist ~/.gtkrc-2.0 |
17 | whitelist ~/.vimperatorrc | 17 | whitelist ~/.vimperatorrc |
18 | whitelist ~/.vimperator | 18 | whitelist ~/.vimperator |
19 | |||
20 | |||
21 | |||
22 | |||
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 5f730afef..8e75277c2 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -74,6 +74,11 @@ static struct sock_filter *find_protocol_domain(const char *p) { | |||
74 | 74 | ||
75 | // --debug-protocols | 75 | // --debug-protocols |
76 | void protocol_list(void) { | 76 | void protocol_list(void) { |
77 | #ifndef SYS_socket | ||
78 | fprintf(stderr, "Warning: --protocol not supported on this platform\n"); | ||
79 | return; | ||
80 | #endif | ||
81 | |||
77 | int i = 0; | 82 | int i = 0; |
78 | while (protocol[i] != NULL) { | 83 | while (protocol[i] != NULL) { |
79 | printf("%s, ", protocol[i]); | 84 | printf("%s, ", protocol[i]); |
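Review bot: The `#ifndef SYS_socket` early return at new lines 77-80 leaves the remainder of protocol_list (the `int i = 0;` loop, which continues past the hunk) as dead code on platforms where the macro is undefined, which trips -Wunreachable-code and reads as if the loop still ran; putting the real body under `#ifdef SYS_socket` with the `fprintf` warning in an `#else` branch makes the two paths explicit. Presumably the filter builder in this file (find_protocol_domain appears in the hunk header) has the same dependency on SYS_socket; if so, the `--protocol=` option itself should fail with a clear error on such platforms rather than silently installing no filter, since the user would otherwise believe the socket restriction is in place. Also worth confirming that the header that defines SYS_socket is included here, because `#ifndef` on a macro that is never brought into scope would make the warning unconditional on every platform.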
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d3cad1e63..c829b94f2 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -70,6 +70,8 @@ void usage(void) { | |||
70 | printf("\t\tFirejail software build and exit.\n\n"); | 70 | printf("\t\tFirejail software build and exit.\n\n"); |
71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); | 71 | printf("\t--debug-errnos - print all recognized error numbres in the current\n"); |
72 | printf("\t\tFirejail software build and exit.\n\n"); | 72 | printf("\t\tFirejail software build and exit.\n\n"); |
73 | printf("\t--debug-protocols - print all recognized protocols in the current\n"); | ||
74 | printf("\t\tFirejail software build and exit.\n\n"); | ||
73 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); | 75 | printf("\t--debug-syscalls - print all recognized system calls in the current\n"); |
74 | printf("\t\tFirejail software build and exit.\n\n"); | 76 | printf("\t\tFirejail software build and exit.\n\n"); |
75 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); | 77 | printf("\t--defaultgw=address - use this address as default gateway in the new\n"); |
@@ -192,6 +194,10 @@ void usage(void) { | |||
192 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); | 194 | printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n"); |
193 | 195 | ||
194 | printf("\t--profile=filename - use a custom profile.\n\n"); | 196 | printf("\t--profile=filename - use a custom profile.\n\n"); |
197 | |||
198 | printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n"); | ||
199 | printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); | ||
200 | |||
195 | printf("\t--quiet - turn off Firejail's output.\n\n"); | 201 | printf("\t--quiet - turn off Firejail's output.\n\n"); |
196 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); | 202 | printf("\t--read-only=dirname_or_filename - set directory or file read-only.\n\n"); |
197 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); | 203 | printf("\t--rlimit-fsize=number - set the maximum file size that can be created\n"); |
@@ -218,7 +224,8 @@ void usage(void) { | |||
218 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); | 224 | printf("\t\tkeyctl, uselib, acct, modify_ldt, pivot_root, io_setup,\n"); |
219 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); | 225 | printf("\t\tio_destroy, io_getevents, io_submit, io_cancel,\n"); |
220 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); | 226 | printf("\t\tremap_file_pages, mbind, get_mempolicy, set_mempolicy,\n"); |
221 | printf("\t\tmigrate_pages, move_pages, vmsplice, and perf_event_open.\n\n"); | 227 | printf("\t\tmigrate_pages, move_pages, vmsplice, perf_event_open and\n"); |
228 | printf("\t\tkexec_file_load.\n\n"); | ||
222 | 229 | ||
223 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 230 | printf("\t--seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); |
224 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); | 231 | printf("\t\tdefault syscall list and the syscalls specified by the command.\n\n"); |
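Review bot: The new `--protocol=` help text at new lines 198-199 says the option enables a protocol filter but never states whether the listed protocols are the ones permitted or the ones blocked, whereas the neighbouring `--seccomp=` entry at line 230 explicitly says it blacklists; `--protocol=unix,inet` can be read either way. If the listed values are the allowed ones, `printf("\t--protocol=protocol,protocol,protocol - enable protocol filter; only socket\n"); printf("\t\tcalls for the listed protocols are permitted. Values: unix, inet, inet6, netlink, packet.\n\n");` would remove the ambiguity (invert the wording if it is a deny-list); the man page text at new lines 857-858 has the same gap. Separately, new line 228 now lists kexec_file_load in the default seccomp blacklist, but no seccomp source file appears in this commit's diffstat, so please confirm the default filter already blocks that syscall; otherwise the usage text promises a protection that is not in place.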
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 12c32f4c7..52b75afaa 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -23,7 +23,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree} | |||
23 | Miscellaneous: | 23 | Miscellaneous: |
24 | .PP | 24 | .PP |
25 | .RS | 25 | .RS |
26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-help | \-\-version} | 26 | firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version} |
27 | .RE | 27 | .RE |
28 | .SH DESCRIPTION | 28 | .SH DESCRIPTION |
29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by | 29 | Firejail is a SUID sandbox program that reduces the risk of security breaches by |
@@ -258,6 +258,15 @@ Example: | |||
258 | .br | 258 | .br |
259 | $ firejail \-\-debug-errnos | 259 | $ firejail \-\-debug-errnos |
260 | .TP | 260 | .TP |
261 | \fB\-\-debug-protocols | ||
262 | Print all recognized protocols in the current Firejail software build and exit. | ||
263 | .br | ||
264 | |||
265 | .br | ||
266 | Example: | ||
267 | .br | ||
268 | $ firejail \-\-debug-protocols | ||
269 | .TP | ||
261 | \fB\-\-debug-syscalls | 270 | \fB\-\-debug-syscalls |
262 | Print all recognized system calls in the current Firejail software build and exit. | 271 | Print all recognized system calls in the current Firejail software build and exit. |
263 | .br | 272 | .br |
@@ -842,6 +851,17 @@ For more information, see SECURITY PROFILES section below. | |||
842 | Example: | 851 | Example: |
843 | .br | 852 | .br |
844 | $ firejail \-\-profile=myprofile | 853 | $ firejail \-\-profile=myprofile |
854 | |||
855 | .TP | ||
856 | \fB\-\-protocol=protocol,protocol,protocol | ||
857 | Enable protocol filter. The filter is based on seccomp and the first argument to socket system call. | ||
858 | Recognized values: unix, inet, inet6, netlink and packet. | ||
859 | .br | ||
860 | |||
861 | .br | ||
862 | Example: | ||
863 | .br | ||
864 | $ firejail \-\-protocol=unix,inet,inet6 firefox | ||
845 | .TP | 865 | .TP |
846 | \fB\-\-quiet | 866 | \fB\-\-quiet |
847 | Turn off Firejail's output. | 867 | Turn off Firejail's output. |