-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | README.md | 29 | ||||
-rw-r--r-- | RELNOTES | 11 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/disable-common.inc | 2 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/eom.profile | 20 | ||||
-rw-r--r-- | etc/pidgin.profile | 10 | ||||
-rw-r--r-- | etc/snap.profile | 1 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion | 4 | ||||
-rw-r--r-- | src/faudit/dbus.c | 4 | ||||
-rw-r--r-- | src/faudit/dev.c | 47 | ||||
-rw-r--r-- | src/faudit/faudit.h | 3 | ||||
-rw-r--r-- | src/faudit/main.c | 11 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 41 | ||||
-rw-r--r-- | src/firejail/fs_rdwr.c | 93 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 28 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 23 | ||||
-rwxr-xr-x | test/features/1.2.exp | 6 | ||||
-rwxr-xr-x | test/features/1.8.exp | 18 | ||||
-rwxr-xr-x | test/features/3.5.exp | 10 | ||||
-rwxr-xr-x | test/private_dir.exp | 2 | ||||
-rwxr-xr-x | test/private_dir_profile.exp | 2 | ||||
-rwxr-xr-x | test/test.sh | 3 | ||||
-rw-r--r-- | todo | 85 |
32 files changed, 314 insertions, 193 deletions
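--- a/Makefile.in
+++ b/Makefile.in
@@ -223,6 +223,7 @@ realinstall:
 install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
 rm -fr .etc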
@@ -58,6 +58,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) | |||
58 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. | 58 | - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. |
59 | - several private-bin conversions | 59 | - several private-bin conversions |
60 | - added jitsi profile | 60 | - added jitsi profile |
61 | - pidgin private-bin conversion | ||
62 | - added eom profile | ||
61 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) | 63 | Jaykishan Mutkawoa (https://github.com/jmutkawoa) |
62 | - cpio profile | 64 | - cpio profile |
63 | Paupiah Yash (https://github.com/CaffeinatedStud) | 65 | Paupiah Yash (https://github.com/CaffeinatedStud) |
@@ -34,12 +34,31 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.41 | 37 | # Current development version: 0.9.42~rc2 |
38 | |||
39 | Version 0.9.41~rc1 was released. | ||
38 | 40 | ||
39 | ## Deprecated --user | 41 | ## Deprecated --user |
40 | 42 | ||
41 | --user option was deprecated, please use "sudo -u username firejail application" instead. | 43 | --user option was deprecated, please use "sudo -u username firejail application" instead. |
42 | 44 | ||
45 | ## --whitelist rework | ||
46 | |||
47 | Symlinks outside user home directories are allowed: | ||
48 | ````` | ||
49 | --whitelist=dirname_or_filename | ||
50 | Whitelist directory or file. This feature is implemented only | ||
51 | for user home, /dev, /media, /opt, /var, and /tmp directories. | ||
52 | With the exeception of user home, both the link and the real | ||
53 | file should be in the same top directory. | ||
54 | |||
55 | Example: | ||
56 | $ firejail --noprofile --whitelist=~/.mozilla | ||
57 | $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
58 | $ firejail "--whitelist=/home/username/My Virtual Machines" | ||
59 | ````` | ||
60 | |||
61 | |||
43 | ## AppImage | 62 | ## AppImage |
44 | 63 | ||
45 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. | 64 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. |
@@ -119,11 +138,11 @@ BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, ug | |||
119 | 138 | ||
120 | File transfer: filezilla | 139 | File transfer: filezilla |
121 | 140 | ||
122 | Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer | 141 | Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom |
123 | 142 | ||
124 | Office: evince, gthumb, fbreader, pix, atril, xreader | 143 | Office: evince, gthumb, fbreader, pix, atril, xreader, |
125 | 144 | ||
126 | Chat/messaging: qtox, gitter | 145 | Chat/messaging: qtox, gitter, pidgin |
127 | 146 | ||
128 | Games: warzone2100 | 147 | Games: warzone2100 |
129 | 148 | ||
@@ -135,5 +154,5 @@ Browsers: Palemoon | |||
135 | 154 | ||
136 | ## New security profiles | 155 | ## New security profiles |
137 | 156 | ||
138 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi | 157 | Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom |
139 | 158 | ||
@@ -1,20 +1,21 @@ | |||
1 | firejail (0.9.41) baseline; urgency=low | 1 | firejail (0.9.42~rc1) baseline; urgency=low |
2 | * work in progress... | ||
3 | * deprecated --user option, please use "sudo -u username firejail" instead | 2 | * deprecated --user option, please use "sudo -u username firejail" instead |
3 | * --read-write option rework | ||
4 | * allow symlinks in home directory for --whitelist option | ||
4 | * AppImage support (--appimage) | 5 | * AppImage support (--appimage) |
5 | * Sandbox auditing support (--audit) | 6 | * Sandbox auditing support (--audit) |
6 | * remove environment variable (--rmenv) | 7 | * remove environment variable (--rmenv) |
7 | * noexec support (--noexec) | 8 | * noexec support (--noexec) |
9 | * Ubuntu snap support | ||
8 | * include /dev/snd in --private-dev | 10 | * include /dev/snd in --private-dev |
9 | * added mkfile profile command | 11 | * added mkfile profile command |
10 | * seccomp filter updated | 12 | * seccomp filter updated |
11 | * compile time and run time support to disable whitelists | 13 | * compile time and run time support to disable whitelists |
12 | * compile time support to disable global configuration file | 14 | * compile time support to disable global configuration file |
13 | * some profiles have been converted to private-bin | ||
14 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | 15 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice |
15 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less | 16 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less |
16 | * new profiles: Atom Beta, Atom, jitsi | 17 | * new profiles: Atom Beta, Atom, jitsi, eom |
17 | -- netblue30 <netblue30@yahoo.com> Tue, 31 May 2016 08:00:00 -0500 | 18 | -- netblue30 <netblue30@yahoo.com> Thu, 21 Jul 2016 08:00:00 -0500 |
18 | 19 | ||
19 | firejail (0.9.40) baseline; urgency=low | 20 | firejail (0.9.40) baseline; urgency=low |
20 | * added --nice option | 21 | * added --nice option |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.41. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.41' | 583 | PACKAGE_VERSION='0.9.42~rc2' |
584 | PACKAGE_STRING='firejail 0.9.41' | 584 | PACKAGE_STRING='firejail 0.9.42~rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1250,7 +1250,7 @@ if test "$ac_init_help" = "long"; then | |||
1250 | # Omit some internal or obsolete options to make the list less imposing. | 1250 | # Omit some internal or obsolete options to make the list less imposing. |
1251 | # This message is too long to be a string in the A/UX 3.1 sh. | 1251 | # This message is too long to be a string in the A/UX 3.1 sh. |
1252 | cat <<_ACEOF | 1252 | cat <<_ACEOF |
1253 | \`configure' configures firejail 0.9.41 to adapt to many kinds of systems. | 1253 | \`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems. |
1254 | 1254 | ||
1255 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1255 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1256 | 1256 | ||
@@ -1311,7 +1311,7 @@ fi | |||
1311 | 1311 | ||
1312 | if test -n "$ac_init_help"; then | 1312 | if test -n "$ac_init_help"; then |
1313 | case $ac_init_help in | 1313 | case $ac_init_help in |
1314 | short | recursive ) echo "Configuration of firejail 0.9.41:";; | 1314 | short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";; |
1315 | esac | 1315 | esac |
1316 | cat <<\_ACEOF | 1316 | cat <<\_ACEOF |
1317 | 1317 | ||
@@ -1410,7 +1410,7 @@ fi | |||
1410 | test -n "$ac_init_help" && exit $ac_status | 1410 | test -n "$ac_init_help" && exit $ac_status |
1411 | if $ac_init_version; then | 1411 | if $ac_init_version; then |
1412 | cat <<\_ACEOF | 1412 | cat <<\_ACEOF |
1413 | firejail configure 0.9.41 | 1413 | firejail configure 0.9.42~rc2 |
1414 | generated by GNU Autoconf 2.69 | 1414 | generated by GNU Autoconf 2.69 |
1415 | 1415 | ||
1416 | Copyright (C) 2012 Free Software Foundation, Inc. | 1416 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1712,7 +1712,7 @@ cat >config.log <<_ACEOF | |||
1712 | This file contains any messages produced by compilers while | 1712 | This file contains any messages produced by compilers while |
1713 | running configure, to aid debugging if configure makes a mistake. | 1713 | running configure, to aid debugging if configure makes a mistake. |
1714 | 1714 | ||
1715 | It was created by firejail $as_me 0.9.41, which was | 1715 | It was created by firejail $as_me 0.9.42~rc2, which was |
1716 | generated by GNU Autoconf 2.69. Invocation command line was | 1716 | generated by GNU Autoconf 2.69. Invocation command line was |
1717 | 1717 | ||
1718 | $ $0 $@ | 1718 | $ $0 $@ |
@@ -4217,7 +4217,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4217 | # report actual input values of CONFIG_FILES etc. instead of their | 4217 | # report actual input values of CONFIG_FILES etc. instead of their |
4218 | # values after options handling. | 4218 | # values after options handling. |
4219 | ac_log=" | 4219 | ac_log=" |
4220 | This file was extended by firejail $as_me 0.9.41, which was | 4220 | This file was extended by firejail $as_me 0.9.42~rc2, which was |
4221 | generated by GNU Autoconf 2.69. Invocation command line was | 4221 | generated by GNU Autoconf 2.69. Invocation command line was |
4222 | 4222 | ||
4223 | CONFIG_FILES = $CONFIG_FILES | 4223 | CONFIG_FILES = $CONFIG_FILES |
@@ -4271,7 +4271,7 @@ _ACEOF | |||
4271 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4271 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4272 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4272 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4273 | ac_cs_version="\\ | 4273 | ac_cs_version="\\ |
4274 | firejail config.status 0.9.41 | 4274 | firejail config.status 0.9.42~rc2 |
4275 | configured by $0, generated by GNU Autoconf 2.69, | 4275 | configured by $0, generated by GNU Autoconf 2.69, |
4276 | with options \\"\$ac_cs_config\\" | 4276 | with options \\"\$ac_cs_config\\" |
4277 | 4277 | ||
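--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 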
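--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -20,6 +20,8 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox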
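--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -20,6 +20,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.kde/share/config/okularpartrc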
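--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev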
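Review bot: The new eom profile leaves the sandbox in the host's network namespace: `protocol unix` stops the viewer from creating inet sockets through seccomp, but nothing here creates a separate namespace, so if seccomp is unavailable (the README in this commit mentions compile-time switches for other features) the network is fully reachable. An image viewer has no obvious network use, so a `net none` line next to `caps.drop all` would be a cheap defense-in-depth layer and would also take care of the session-bus reachability that faudit's dbus check reports. The `noblacklist ~/.config/mate/eom` line spells the home directory as `~` while the pidgin profile in the same commit uses `${HOME}`; both work, but one spelling across the profiles added together reads better.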
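--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -2,11 +2,19 @@
 noblacklist ${HOME}/.purple
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
 nonewprivs
+nogroups
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-bin pidgin
+private-dev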
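Review bot: The added `netfilter` line has, as far as I can tell, no effect in this profile: firejail's default firewall is applied to a network namespace the sandbox creates, and no `net` command is present here, so the sandbox keeps the host's stack unfiltered while the profile reads as if a filter were active. Either pair it with a `net` line (the interface is machine-specific, so that normally belongs in a local override) or drop it so the profile does not promise more than it enforces. The include block is now in alphabetical order (devel, passwdmgr, programs), which matches the new eom profile; keeping that order across profiles makes future diffs easier to read.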
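--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 whitelist ~/snap
+whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
 
 caps.keep chown,sys_admin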
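--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -129,3 +129,4 @@
 /etc/firejail/atom-beta.profile
 /etc/firejail/atom.profile
 /etc/firejail/jitsi.profile
+/etc/firejail/eom.profile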
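--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -47,6 +47,10 @@ _firejail()
 _filedir
 return 0
 ;;
+--read-write)
+_filedir
+return 0
+;;
 --bind)
 _filedir
 return 0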
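--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) {
 printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n");
 }
 else {
-printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
+printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 }
 
 close(sock);
@@ -65,8 +65,8 @@ void dbus_test(void) {
 check_session_bus(sockfile);
 
 sockfile -= 13;
-free(sockfile);
 }
+free(bus);
 }
 }
 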
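Review bot: Once the second hunk removes `free(sockfile)`, the preceding `sockfile -= 13;` has no visible remaining purpose — the pointer is rewound and the block ends — so it reads as a leftover from the old ownership model; if sockfile is not used after the block, drop the line, otherwise a comment saying what the 13-byte rewind is for is needed. The new `free(bus)` sits one level up and therefore runs on every path through the enclosing block; that is only safe if `bus` is a heap allocation or NULL on each of those paths, which this hunk does not show, and dbus_test starts outside the hunk, so please confirm.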
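--- /dev/null
+++ b/src/faudit/dev.c
@@ -0,0 +1,47 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include <dirent.h>
+
+void dev_test(void) {
+DIR *dir;
+if (!(dir = opendir("/dev"))) {
+fprintf(stderr, "Error: cannot open /dev directory\n");
+return;
+}
+
+struct dirent *entry;
+printf("INFO: files visible in /dev directory: ");
+int cnt = 0;
+while ((entry = readdir(dir)) != NULL) {
+if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+continue;
+
+printf("%s, ", entry->d_name);
+cnt++;
+}
+printf("\n");
+
+if (cnt > 20)
+printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
+else
+printf("GOOD: Access to /dev directory is restricted.\n");
+closedir(dir);
+}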
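Review bot: The `if (cnt > 20)` threshold in dev_test is an unexplained magic number; a named constant such as `#define DEV_POPULATED_THRESHOLD 20` with a one-line comment stating what entry count a restricted /dev is expected to have tells the next reader why 20 was chosen and where to tune it. The listing loop prints `"%s, "` for every entry, so the INFO line always ends with a dangling comma before the newline; emitting the separator before every entry except the first, `printf("%s%s", cnt ? ", " : "", entry->d_name);`, fixes that without extra state. readdir() returning NULL is treated purely as end-of-directory, so a read error is reported as "GOOD: Access to /dev directory is restricted"; setting `errno = 0` before the loop and checking it afterwards keeps the verdict honest. A short header comment on dev_test stating that it only counts visible entries (it does not check permissions on them) would also help.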
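--- a/src/faudit/faudit.h
+++ b/src/faudit/faudit.h
@@ -58,4 +58,7 @@ void network_test(void);
 // dbus.c
 void dbus_test(void);
 
+// dev.c
+void dev_test(void);
+
 #endif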
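--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,8 +38,9 @@ int main(int argc, char **argv) {
 // extract program name
 prog = realpath(argv[0], NULL);
 if (prog == NULL) {
-fprintf(stderr, "Error: cannot extract the path of the audit program\n");
-return 1;
+prog = strdup("faudit");
+if (!prog)
+errExit("strdup");
 }
 printf("INFO: starting %s.\n", prog);
 
@@ -67,7 +68,11 @@ int main(int argc, char **argv) {
 // dbus
 dbus_test();
 printf("\n");
 
+// /dev test
+dev_test();
+printf("\n");
+
 free(prog);
 printf("--------------------------------------------------------------------------------\n");
 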
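Review bot: In the first hunk a failing realpath() is now silently replaced by `strdup("faudit")`, so the reason the path could not be resolved is lost and the audit output no longer indicates that the printed program name is a fallback. Keeping a short diagnostic before the strdup, e.g. `fprintf(stderr, "Warning: cannot resolve %s (%s), using fallback name\n", argv[0], strerror(errno));`, preserves that signal for whoever reads the audit log. A comment on the fallback stating why realpath() is expected to fail here (presumably the sandbox hides the binary's path — not visible from this hunk) would explain the change to the next reader. main() starts and ends outside both hunks.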
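--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -40,6 +40,7 @@ midori
 netsurf
 opera-beta
 opera
+palemoon
 qutebrowser
 seamonkey
 seamonkey-bin
@@ -98,6 +99,7 @@ totem
 vlc
 xplayer
 xviewer
+eom
 
 # news readers
 quiterss
@@ -110,10 +112,11 @@ fbreader
 gwenview
 gthumb
 libreoffice
+localc
 lodraw
 loffice
 lofromtemplate
-loimpres
+loimpress
 lomath
 loweb
 lowriter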
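--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -584,10 +584,6 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 int checkcfg(int val);
 
-// fs_rdwr.c
-void fs_rdwr_add(const char *path);
-void fs_rdwr(void);
-
 // appimage.c
 void appimage_set(const char *appimage_path);
 void appimage_clear(void);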
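--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static void fs_rdwr(const char *dir);
+
 static void create_empty_dir(void) {
 struct stat s;
 
@@ -229,6 +231,7 @@ typedef enum {
 MOUNT_READONLY,
 MOUNT_TMPFS,
 MOUNT_NOEXEC,
+MOUNT_RDWR,
 OPERATION_MAX
 } OPERATION;
 
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
 }
+else if (op == MOUNT_RDWR) {
+if (arg_debug)
+printf("Mounting read-only %s\n", fname);
+fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+}
 else if (op == MOUNT_NOEXEC) {
 if (arg_debug)
 printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
 ptr = entry->data + 10;
 op = MOUNT_READONLY;
 }
+else if (strncmp(entry->data, "read-write ", 11) == 0) {
+ptr = entry->data + 11;
+op = MOUNT_RDWR;
+}
 else if (strncmp(entry->data, "noexec ", 7) == 0) {
 ptr = entry->data + 7;
 op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
 }
 }
 
+static void fs_rdwr(const char *dir) {
+assert(dir);
+// check directory exists
+struct stat s;
+int rv = stat(dir, &s);
+if (rv == 0) {
+// if the file is outside /home directory, allow only root user
+uid_t u = getuid();
+if (u != 0 && s.st_uid != u) {
+fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+return;
+}
+
+// mount --bind /bin /bin
+if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount read-write");
+// mount --bind -o remount,rw /bin
+if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+errExit("mount read-write");
+fs_logger2("read-write", dir);
+}
+}
+
 void fs_noexec(const char *dir) {
 assert(dir);
 // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
 // firejail sandboxes (firejail --force)
 if (getuid() != 0)
 disable_firejail_config();
-
-if (getuid() == 0)
-fs_rdwr();
 }
 
 
@@ -1093,7 +1126,7 @@ void fs_chroot(const char *rootdir) {
 if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
 errExit("asprintf");
 if (arg_debug)
-printf("Mounting /tmp/.X11-unix on %s\n", newdev);
+printf("Mounting /tmp/.X11-unix on %s\n", newx11);
 if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /tmp/.X11-unix");
 free(newx11);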
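Review bot: The new MOUNT_RDWR branch of disable_file logs `printf("Mounting read-only %s\n", fname);` although it makes the path read-write; it should read `printf("Mounting read-write %s\n", fname);` so debug traces are not misleading. In fs_rdwr, the comment `// if the file is outside /home directory, allow only root user` does not describe the check under it, which admits a non-root user only when stat() reports that user as the owner; `// non-root users may only remount paths they own (stat() follows symlinks, so this is the target's owner)` matches the code. The remount `mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL)` sets the mountpoint's per-mount flags to exactly that set, so any nosuid/nodev/noexec the mount already carried is cleared together with read-only; reading the current bits with statvfs() and OR-ing them back, as sketched below (needs <sys/statvfs.h>, and ST_NODEV/ST_NOEXEC are glibc extensions under _GNU_SOURCE), keeps that hardening intact. The deleted fs_rdwr.c also rejected symlinks and `..` components and fs_basic_fs only invoked it as root; the replacement relaxes both, and since I cannot see whether profile.c re-adds the path validation, that is worth a deliberate check.
```c
static void fs_rdwr(const char *dir) {
	assert(dir);
	struct stat s;
	if (stat(dir, &s) != 0)
		return;
	// non-root users may only remount paths they own
	uid_t u = getuid();
	if (u != 0 && s.st_uid != u) {
		fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
		return;
	}
	// preserve the mount's existing nosuid/nodev/noexec bits; only clear read-only
	struct statvfs vfs;
	if (statvfs(dir, &vfs) < 0)
		errExit("statvfs");
	unsigned long keep = 0;
	if (vfs.f_flag & ST_NOSUID)
		keep |= MS_NOSUID;
	if (vfs.f_flag & ST_NODEV)
		keep |= MS_NODEV;
	if (vfs.f_flag & ST_NOEXEC)
		keep |= MS_NOEXEC;
	// mount --bind dir dir
	if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
		errExit("mount read-write");
	// mount --bind -o remount,rw[,nosuid,nodev,noexec] dir
	if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC|keep, NULL) < 0)
		errExit("mount read-write");
	fs_logger2("read-write", dir);
}
```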
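--- a/src/firejail/fs_rdwr.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
-* Copyright (C) 2014-2016 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firejail.h"
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-typedef struct rdwr_t {
-struct rdwr_t *next;
-const char *path;
-} RDWR;
-
-RDWR *rdwr = NULL;
-
-void fs_rdwr_add(const char *path) {
-// verify path
-if (*path != '/') {
-fprintf(stderr, "Error: invalid path for read-write command\n");
-exit(1);
-}
-invalid_filename(path);
-if (is_link(path)) {
-fprintf(stderr, "Error: invalid symbolic link for read-write command\n");
-exit(1);
-}
-if (strstr(path, "..")) {
-fprintf(stderr, "Error: invalid path for read-write command\n");
-exit(1);
-}
-
-// print warning if the file doesn't exist
-struct stat s;
-if (stat(path, &s) == -1) {
-fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path);
-return;
-}
-
-// build list entry
-RDWR *r = malloc(sizeof(RDWR));
-if (!r)
-errExit("malloc");
-memset(r, 0, sizeof(RDWR));
-r->path = path;
-
-// add
-r->next = rdwr;
-rdwr = r;
-}
-
-static void mount_rdwr(const char *path) {
-assert(path);
-// check directory exists
-struct stat s;
-int rv = stat(path, &s);
-if (rv == 0) {
-// mount --bind /bin /bin
-if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount read-write");
-// mount --bind -o remount,rw /bin
-if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-errExit("mount read-write");
-fs_logger2("read-write", path);
-}
-}
-
-void fs_rdwr(void) {
-RDWR *ptr = rdwr;
-
-while (ptr) {
-mount_rdwr(ptr->path);
-ptr = ptr->next;
-}
-}
-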
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ba6c8cd74..926e5415c 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) { | |||
181 | char *wfile = NULL; | 181 | char *wfile = NULL; |
182 | 182 | ||
183 | if (entry->home_dir) { | 183 | if (entry->home_dir) { |
184 | fname = path + strlen(cfg.homedir); | 184 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
185 | if (*fname == '\0') { | 185 | fname = path + strlen(cfg.homedir); |
186 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 186 | if (*fname == '\0') { |
187 | exit(1); | 187 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); |
188 | exit(1); | ||
189 | } | ||
188 | } | 190 | } |
191 | else | ||
192 | fname = path; | ||
189 | 193 | ||
190 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 194 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
191 | errExit("asprintf"); | 195 | errExit("asprintf"); |
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) { | |||
248 | printf("Whitelisting %s\n", path); | 252 | printf("Whitelisting %s\n", path); |
249 | } | 253 | } |
250 | else { | 254 | else { |
251 | if (arg_debug || arg_debug_whitelists) { | ||
252 | fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path); | ||
253 | } | ||
254 | return; | 255 | return; |
255 | } | 256 | } |
256 | 257 | ||
@@ -390,13 +391,14 @@ void fs_whitelist(void) { | |||
390 | 391 | ||
391 | entry->home_dir = 1; | 392 | entry->home_dir = 1; |
392 | home_dir = 1; | 393 | home_dir = 1; |
394 | if (arg_debug) | ||
395 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | ||
396 | __LINE__, fname, cfg.homedir); | ||
397 | |||
393 | // both path and absolute path are under /home | 398 | // both path and absolute path are under /home |
394 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 399 | // if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
395 | if (arg_debug) | 400 | // goto errexit; |
396 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | 401 | // } |
397 | __LINE__, fname, cfg.homedir); | ||
398 | goto errexit; | ||
399 | } | ||
400 | } | 402 | } |
401 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 403 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
402 | entry->tmp_dir = 1; | 404 | entry->tmp_dir = 1; |
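Review bot: The new `else fname = path;` arm at new line 192 appends the entry's full absolute path under RUN_WHITELIST_HOME_USER_DIR, and nothing in the hunk says why a home_dir entry would ever carry a path that does not start with cfg.homedir; read together with the third hunk, which comments out the `strncmp(fname, cfg.homedir, ...)` rejection in fs_whitelist, this appears to be the case of a symlink in the home directory whose resolved target lies outside it, which the man page change in this commit now permits. The arm deserves a comment so the next reader does not reinstate the old rejection, e.g. `// resolved target lies outside the home directory (symlink out of $HOME); stage it under its full path`. In the third hunk the disabled check at new lines 399–401 should be deleted rather than left as a commented block, and the debug fprintf now fires for every home-dir entry instead of only on rejection, which is fine if intended but worth stating. whitelist_path and fs_whitelist both start and end outside these hunks.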
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4f1c81e2b..cbc3d57cf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) { | |||
1206 | errExit("asprintf"); | 1206 | errExit("asprintf"); |
1207 | 1207 | ||
1208 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1208 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1209 | // profile_add(line); is not necessary | 1209 | profile_add(line); |
1210 | } | 1210 | } |
1211 | else if (strcmp(argv[i], "--overlay") == 0) { | 1211 | else if (strcmp(argv[i], "--overlay") == 0) { |
1212 | if (cfg.chrootdir) { | 1212 | if (cfg.chrootdir) { |
@@ -2142,8 +2142,6 @@ int main(int argc, char **argv) { | |||
2142 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); | 2142 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); |
2143 | else if (arg_overlay) | 2143 | else if (arg_overlay) |
2144 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); | 2144 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); |
2145 | // else if (cfg.home_private_keep) | ||
2146 | // fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); | ||
2147 | else { | 2145 | else { |
2148 | // try to load a default profile | 2146 | // try to load a default profile |
2149 | char *profile_name = DEFAULT_USER_PROFILE; | 2147 | char *profile_name = DEFAULT_USER_PROFILE; |
@@ -2166,6 +2164,10 @@ int main(int argc, char **argv) { | |||
2166 | else | 2164 | else |
2167 | custom_profile = profile_find(profile_name, SYSCONFDIR); | 2165 | custom_profile = profile_find(profile_name, SYSCONFDIR); |
2168 | } | 2166 | } |
2167 | if (!custom_profile) { | ||
2168 | fprintf(stderr, "Error: no default.profile installed\n"); | ||
2169 | exit(1); | ||
2170 | } | ||
2169 | 2171 | ||
2170 | if (custom_profile && !arg_quiet) | 2172 | if (custom_profile && !arg_quiet) |
2171 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); | 2173 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); |
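Review bot: After the added `if (!custom_profile) { ... exit(1); }` block at new lines 2167–2170, the `custom_profile &&` half of the condition at new line 2172 can never be false, so it should read `if (!arg_quiet)`. The message hard-codes `default.profile`, while the lookup two lines above uses `profile_name`, which is initialised from DEFAULT_USER_PROFILE at new line 2147 and may be changed by lines the hunk does not show; if it can differ, print it: `fprintf(stderr, "Error: no %s.profile installed\n", profile_name);`. Refusing to start when the default profile is missing, instead of silently running unprofiled, is the right fail-closed choice and deserves a one-line comment saying so, e.g. `// fail closed: a missing default profile must not leave the sandbox unprofiled`. main() continues outside all three hunks.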
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 40e2e4330..46ef0921d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
716 | return 0; | 716 | return 0; |
717 | } | 717 | } |
718 | 718 | ||
719 | // read-write | ||
720 | if (strncmp(ptr, "read-write ", 11) == 0) { | ||
721 | if (getuid() != 0) { | ||
722 | fprintf(stderr, "Error: read-write command is available only for root user\n"); | ||
723 | exit(1); | ||
724 | } | ||
725 | fs_rdwr_add(ptr + 11); | ||
726 | return 0; | ||
727 | } | ||
728 | |||
729 | // rest of filesystem | 719 | // rest of filesystem |
730 | if (strncmp(ptr, "blacklist ", 10) == 0) | 720 | if (strncmp(ptr, "blacklist ", 10) == 0) |
731 | ptr += 10; | 721 | ptr += 10; |
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
747 | } | 737 | } |
748 | else if (strncmp(ptr, "read-only ", 10) == 0) | 738 | else if (strncmp(ptr, "read-only ", 10) == 0) |
749 | ptr += 10; | 739 | ptr += 10; |
740 | else if (strncmp(ptr, "read-write ", 11) == 0) | ||
741 | ptr += 11; | ||
750 | else if (strncmp(ptr, "noexec ", 7) == 0) | 742 | else if (strncmp(ptr, "noexec ", 7) == 0) |
751 | ptr += 7; | 743 | ptr += 7; |
752 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 744 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
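Review bot: The new `else if (strncmp(ptr, "read-write ", 11) == 0) ptr += 11;` arm at new lines 740–741 replaces the removed handler without its `getuid() != 0` gate, so the command is now accepted from any user's profile and flows into the same path handling as `read-only`. The man page in this commit promises that only files or directories belonging to the current user can be made read-write, but that ownership check is not in this hunk; it has to be enforced where the stripped path is consumed, outside this hunk, and a comment on the new arm pointing there keeps the two in sync: `// read-write is no longer root-only; the owner check is enforced by the fs handler`. Dropping the fs_rdwr_add() call is consistent with fs_rdwr.c appearing to be deleted elsewhere in this diff. profile_check_line continues outside both hunks.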
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd9ea6a8a..fed573e6c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d | |||
1184 | should be made read-only independently. Making a parent directory read-only, will not | 1184 | should be made read-only independently. Making a parent directory read-only, will not |
1185 | make the whitelist read-only. Example: | 1185 | make the whitelist read-only. Example: |
1186 | .br | 1186 | .br |
1187 | |||
1188 | .br | ||
1187 | $ firejail --whitelist=~/work --read-only=~ --read-only=~/work | 1189 | $ firejail --whitelist=~/work --read-only=~ --read-only=~/work |
1188 | 1190 | ||
1189 | .TP | 1191 | .TP |
1190 | \fB\-\-read-write=dirname_or_filename | 1192 | \fB\-\-read-write=dirname_or_filename |
1191 | By default, the sandbox mounts system directories read-only. | 1193 | Set directory or file read-write. Only files or directories belonging to the current user are allowed for |
1192 | These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. | 1194 | this operation. Example: |
1193 | Use this option to mount read-write files or directories inside the system directories. | 1195 | .br |
1196 | |||
1197 | .br | ||
1198 | $ mkdir ~/test | ||
1199 | .br | ||
1200 | $ touch ~/test/a | ||
1201 | .br | ||
1202 | $ firejail --read-only=~/test --read-write=~/test/a | ||
1194 | 1203 | ||
1195 | This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these | ||
1196 | cases the system directories are mounted read-write. | ||
1197 | 1204 | ||
1198 | .TP | 1205 | .TP |
1199 | \fB\-\-rlimit-fsize=number | 1206 | \fB\-\-rlimit-fsize=number |
@@ -1515,14 +1522,14 @@ firejail version 0.9.27 | |||
1515 | .TP | 1522 | .TP |
1516 | \fB\-\-whitelist=dirname_or_filename | 1523 | \fB\-\-whitelist=dirname_or_filename |
1517 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1524 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1518 | When whitlisting symbolic links, both the link and the real file should be in the same top directory | 1525 | With the exeception of user home, both the link and the real file should be in |
1519 | (home user, /media, /var etc.) | 1526 | the same top directory. |
1520 | .br | 1527 | .br |
1521 | 1528 | ||
1522 | .br | 1529 | .br |
1523 | Example: | 1530 | Example: |
1524 | .br | 1531 | .br |
1525 | $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads | 1532 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
1526 | .br | 1533 | .br |
1527 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 1534 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null |
1528 | .br | 1535 | .br |
diff --git a/test/features/1.2.exp b/test/features/1.2.exp index 6f7cae888..685acf737 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp | |||
@@ -34,7 +34,7 @@ expect { | |||
34 | } | 34 | } |
35 | expect { | 35 | expect { |
36 | timeout {puts "TESTING ERROR 1.4\n";exit} | 36 | timeout {puts "TESTING ERROR 1.4\n";exit} |
37 | "proc /proc/sysrq-trigger proc" | 37 | "/proc/sysrq-trigger" |
38 | } | 38 | } |
39 | #expect { | 39 | #expect { |
40 | # timeout {puts "TESTING ERROR 1.5\n";exit} | 40 | # timeout {puts "TESTING ERROR 1.5\n";exit} |
@@ -42,11 +42,11 @@ expect { | |||
42 | #} | 42 | #} |
43 | expect { | 43 | expect { |
44 | timeout {puts "TESTING ERROR 1.6\n";exit} | 44 | timeout {puts "TESTING ERROR 1.6\n";exit} |
45 | "proc /proc/irq proc" | 45 | "/proc/irq" |
46 | } | 46 | } |
47 | expect { | 47 | expect { |
48 | timeout {puts "TESTING ERROR 1.7\n";exit} | 48 | timeout {puts "TESTING ERROR 1.7\n";exit} |
49 | "proc /proc/bus proc" | 49 | "/proc/bus" |
50 | } | 50 | } |
51 | after 100 | 51 | after 100 |
52 | send -- "exit\r" | 52 | send -- "exit\r" |
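Review bot: The relaxed patterns in both hunks (`"/proc/sysrq-trigger"`, `"/proc/irq"`, `"/proc/bus"`) only require the path to appear somewhere in the output, whereas the old `proc /proc/sysrq-trigger proc` form also checked that the entry is a proc-type mount covering that path, so the test no longer distinguishes a masked file from one that is merely listed. If the listing format changed, a regex that still anchors on the mount type, e.g. `-re "/proc/sysrq-trigger.*proc"`, preserves the original assertion; otherwise a comment should record why the weaker match is acceptable. The expect blocks start and end inside the hunks.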
diff --git a/test/features/1.8.exp b/test/features/1.8.exp index 493a87328..4c6d3f3dc 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp | |||
@@ -20,12 +20,6 @@ expect { | |||
20 | } | 20 | } |
21 | sleep 1 | 21 | sleep 1 |
22 | 22 | ||
23 | send -- "ls /etc/firejail\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 1\n";exit} | ||
26 | "Permission denied" | ||
27 | } | ||
28 | after 100 | ||
29 | send -- "ls ~/.config/firejail\r" | 23 | send -- "ls ~/.config/firejail\r" |
30 | expect { | 24 | expect { |
31 | timeout {puts "TESTING ERROR 1.1\n";exit} | 25 | timeout {puts "TESTING ERROR 1.1\n";exit} |
@@ -77,12 +71,6 @@ if { $overlay == "overlay" } { | |||
77 | "Child process initialized" {puts "normal system\n"} | 71 | "Child process initialized" {puts "normal system\n"} |
78 | } | 72 | } |
79 | sleep 1 | 73 | sleep 1 |
80 | send -- "ls /etc/firejail\r" | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 3\n";exit} | ||
83 | "Permission denied" | ||
84 | } | ||
85 | after 100 | ||
86 | send -- "ls ~/.config/firejail\r" | 74 | send -- "ls ~/.config/firejail\r" |
87 | expect { | 75 | expect { |
88 | timeout {puts "TESTING ERROR 3.1\n";exit} | 76 | timeout {puts "TESTING ERROR 3.1\n";exit} |
@@ -134,12 +122,6 @@ if { $chroot == "chroot" } { | |||
134 | "Child process initialized" | 122 | "Child process initialized" |
135 | } | 123 | } |
136 | sleep 1 | 124 | sleep 1 |
137 | send -- "ls /etc/firejail\r" | ||
138 | expect { | ||
139 | timeout {puts "TESTING ERROR 5\n";exit} | ||
140 | "Permission denied" | ||
141 | } | ||
142 | after 100 | ||
143 | send -- "ls ~/.config/firejail\r" | 125 | send -- "ls ~/.config/firejail\r" |
144 | expect { | 126 | expect { |
145 | timeout {puts "TESTING ERROR 5.1\n";exit} | 127 | timeout {puts "TESTING ERROR 5.1\n";exit} |
diff --git a/test/features/3.5.exp b/test/features/3.5.exp index aed5fe836..f4b544b3d 100755 --- a/test/features/3.5.exp +++ b/test/features/3.5.exp | |||
@@ -22,8 +22,8 @@ sleep 1 | |||
22 | send -- "ls -l /dev | wc -l\r" | 22 | send -- "ls -l /dev | wc -l\r" |
23 | expect { | 23 | expect { |
24 | timeout {puts "TESTING ERROR 1.1\n";exit} | 24 | timeout {puts "TESTING ERROR 1.1\n";exit} |
25 | "12" { puts "Debian\n"} | 25 | "13" { puts "Debian\n"} |
26 | "11" { puts "Centos\n"} | 26 | "12" { puts "Centos\n"} |
27 | } | 27 | } |
28 | 28 | ||
29 | after 100 | 29 | after 100 |
@@ -45,8 +45,8 @@ if { $overlay == "overlay" } { | |||
45 | send -- "ls -l /dev | wc -l\r" | 45 | send -- "ls -l /dev | wc -l\r" |
46 | expect { | 46 | expect { |
47 | timeout {puts "TESTING ERROR 3.1\n";exit} | 47 | timeout {puts "TESTING ERROR 3.1\n";exit} |
48 | "12" { puts "Debian\n"} | 48 | "13" { puts "Debian\n"} |
49 | "11" { puts "Centos\n"} | 49 | "12" { puts "Centos\n"} |
50 | } | 50 | } |
51 | 51 | ||
52 | after 100 | 52 | after 100 |
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } { | |||
68 | send -- "ls -l /dev | wc -l\r" | 68 | send -- "ls -l /dev | wc -l\r" |
69 | expect { | 69 | expect { |
70 | timeout {puts "TESTING ERROR 5.1\n";exit} | 70 | timeout {puts "TESTING ERROR 5.1\n";exit} |
71 | "11" | 71 | "12" |
72 | } | 72 | } |
73 | 73 | ||
74 | after 100 | 74 | after 100 |
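Review bot: The distro detection in all three hunks keys on the exact line count of `ls -l /dev | wc -l`, and the bump from 12/11 to 13/12 at new lines 25–26, 48–49 and 71 shows how brittle that is: any further change to the private /dev set, or a host with a different device list, silently flips the Debian/Centos branch or times out. Expect also matches these patterns as substrings, so `"12"` matches a `120` line as well. A comment recording why the count moved, e.g. `# count bumped: private-dev now also provides <device-node-added-in-this-commit>`, would help the next bump, and checking for the presence of specific device nodes would be more robust than a total. The if-blocks enclosing the second and third hunks start outside them.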
diff --git a/test/private_dir.exp b/test/private_dir.exp index 9dfb2ea9f..a4beeba27 100755 --- a/test/private_dir.exp +++ b/test/private_dir.exp | |||
@@ -42,7 +42,7 @@ expect { | |||
42 | send -- "ls -al | wc -l;pwd\r" | 42 | send -- "ls -al | wc -l;pwd\r" |
43 | expect { | 43 | expect { |
44 | timeout {puts "TESTING ERROR 1\n";exit} | 44 | timeout {puts "TESTING ERROR 1\n";exit} |
45 | "7" {puts "normal system\n";} | 45 | "6" {puts "normal system\n";} |
46 | "5" {puts "OpenSUSE\n";} | 46 | "5" {puts "OpenSUSE\n";} |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp index 5b38ad0bb..8d1c74444 100755 --- a/test/private_dir_profile.exp +++ b/test/private_dir_profile.exp | |||
@@ -42,7 +42,7 @@ expect { | |||
42 | send -- "ls -al | wc -l;pwd\r" | 42 | send -- "ls -al | wc -l;pwd\r" |
43 | expect { | 43 | expect { |
44 | timeout {puts "TESTING ERROR 1\n";exit} | 44 | timeout {puts "TESTING ERROR 1\n";exit} |
45 | "7" {puts "normal system\n";} | 45 | "6" {puts "normal system\n";} |
46 | "5" {puts "OpenSUSE\n";} | 46 | "5" {puts "OpenSUSE\n";} |
47 | } | 47 | } |
48 | expect { | 48 | expect { |
diff --git a/test/test.sh b/test/test.sh index 71e2c6720..4b7d5bb6d 100755 --- a/test/test.sh +++ b/test/test.sh | |||
@@ -62,9 +62,6 @@ echo "TESTING: overlayfs (fs_overlay.exp)" | |||
62 | echo "TESTING: login SSH (login_ssh.exp)" | 62 | echo "TESTING: login SSH (login_ssh.exp)" |
63 | ./login_ssh.exp | 63 | ./login_ssh.exp |
64 | 64 | ||
65 | echo "TESTING: DNS (dns.exp)" | ||
66 | ./dns.exp | ||
67 | |||
68 | echo "TESTING: firemon --arp (firemon-arp.exp)" | 65 | echo "TESTING: firemon --arp (firemon-arp.exp)" |
69 | ./firemon-arp.exp | 66 | ./firemon-arp.exp |
70 | 67 | ||
@@ -161,3 +161,88 @@ To disable Vsync | |||
161 | 161 | ||
162 | $ vblank_mode=0 glxgears | 162 | $ vblank_mode=0 glxgears |
163 | 163 | ||
164 | 18. Bring in nvidia drives in private-dev | ||
165 | |||
166 | /dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm | ||
167 | |||
168 | 19. testing snaps | ||
169 | |||
170 | Install firejail from official repository | ||
171 | sudo apt-get install firejail | ||
172 | |||
173 | Check firejail version | ||
174 | firejail --version | ||
175 | |||
176 | Above command outputs: firejail version 0.9.38 | ||
177 | |||
178 | Search the snap 'ubuntu clock' application | ||
179 | sudo snap find ubuntu-clock-app | ||
180 | |||
181 | Install 'ubuntu clock' application using snap | ||
182 | sudo snap install ubuntu-clock-app | ||
183 | |||
184 | Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ | ||
185 | cd /snap/bin/ | ||
186 | ls -l | ||
187 | |||
188 | Note: We see application name is: ubuntu-clock-app.clock | ||
189 | |||
190 | Run application | ||
191 | /snap/bin/ubuntu-clock-app.clock | ||
192 | |||
193 | Note: Application starts-up without a problem and clock is displayed. | ||
194 | |||
195 | Close application using mouse. | ||
196 | |||
197 | Now try to firejail the application. | ||
198 | firejail /snap/bin/ubuntu-clock-app.clock | ||
199 | |||
200 | -------- Error message -------- | ||
201 | Reading profile /etc/firejail/generic.profile | ||
202 | Reading profile /etc/firejail/disable-mgmt.inc | ||
203 | Reading profile /etc/firejail/disable-secret.inc | ||
204 | Reading profile /etc/firejail/disable-common.inc | ||
205 | |||
206 | ** Note: you can use --noprofile to disable generic.profile ** | ||
207 | |||
208 | Parent pid 3770, child pid 3771 | ||
209 | |||
210 | Child process initialized | ||
211 | need to run as root or suid | ||
212 | |||
213 | parent is shutting down, bye... | ||
214 | -------- End of Error message -------- | ||
215 | |||
216 | Try running as root as message instructs. | ||
217 | sudo firejail /snap/bin/ubuntu-clock-app.clock | ||
218 | |||
219 | extract env for process | ||
220 | ps e -p <pid> | sed 's/ /\n/g' | ||
221 | |||
222 | |||
223 | 20. check default disable - from grsecurity | ||
224 | |||
225 | GRKERNSEC_HIDESYM | ||
226 | /proc/kallsyms and other files | ||
227 | |||
228 | GRKERNSEC_PROC_USER | ||
229 | If you say Y here, non-root users will only be able to view their own | ||
230 | processes, and restricts them from viewing network-related information, | ||
231 | and viewing kernel symbol and module information. | ||
232 | |||
233 | GRKERNSEC_PROC_ADD | ||
234 | If you say Y here, additional restrictions will be placed on | ||
235 | /proc that keep normal users from viewing device information and | ||
236 | slabinfo information that could be useful for exploits. | ||
237 | |||
238 | 21. Core Infrastructure Initiative (CII) Best Practices | ||
239 | |||
240 | Proposal | ||
241 | |||
242 | Someone closely involved with the project could go thought the criteria and keep them up-to-date. | ||
243 | References | ||
244 | |||
245 | https://bestpractices.coreinfrastructure.org | ||
246 | https://twit.tv/shows/floss-weekly/episodes/389 | ||
247 | |||
248 | 22. add support for read-write and noexec to Firetools | ||