335 files changed, 1976 insertions, 1483 deletions
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 3700dac20..eb485b8a2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -7,54 +7,83 @@ assignees: '' | |||
7 | 7 | ||
8 | --- | 8 | --- |
9 | 9 | ||
10 | Write clear, concise and in textual form. | 10 | <!-- |
11 | See the following links for help with formatting: | ||
11 | 12 | ||
12 | ### Bug and expected behavior | 13 | https://guides.github.com/features/mastering-markdown/ |
14 | https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax | ||
15 | --> | ||
13 | 16 | ||
14 | - Describe the bug. | 17 | ### Description |
15 | - What did you expect to happen? | ||
16 | 18 | ||
17 | ### No profile and disabling firejail | 19 | _Describe the bug_ |
18 | 20 | ||
19 | - What changed calling `firejail --noprofile /path/to/program` in a terminal? | 21 | ### Steps to Reproduce |
20 | - What changed calling the program by path (e.g. `/usr/bin/vlc`)? | ||
21 | 22 | ||
22 | ### Reproduce | 23 | _Steps to reproduce the behavior_ |
23 | 24 | ||
24 | Steps to reproduce the behavior: | 25 | 1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) |
26 | 2. Click on '....' | ||
27 | 3. Scroll down to '....' | ||
28 | 4. See error `ERROR` | ||
25 | 29 | ||
26 | 1. Run in bash `firejail PROGRAM` | 30 | ### Expected behavior |
27 | 2. See error `ERROR` | ||
28 | 3. Click on '....' | ||
29 | 4. Scroll down to '....' | ||
30 | 31 | ||
31 | ### Environment | 32 | _What you expected to happen_ |
33 | |||
34 | ### Actual behavior | ||
35 | |||
36 | _What actually happened_ | ||
32 | 37 | ||
33 | - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) | 38 | ### Behavior without a profile |
34 | - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) | 39 | |
40 | _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ | ||
35 | 41 | ||
36 | ### Additional context | 42 | ### Additional context |
37 | 43 | ||
38 | Other context about the problem like related errors to understand the problem. | 44 | _Any other detail that may help to understand/debug the problem_ |
45 | |||
46 | ### Environment | ||
47 | |||
48 | - Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") | ||
49 | - Firejail version (`firejail --version`). | ||
50 | - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). | ||
39 | 51 | ||
40 | ### Checklist | 52 | ### Checklist |
41 | 53 | ||
42 | - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). | 54 | <!-- |
55 | Note: Items are checked with an "x", like so: | ||
56 | |||
57 | - [x] This is a checked item. | ||
58 | --> | ||
59 | |||
60 | - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). | ||
61 | - [ ] I can reproduce the issue without custom modifications (e.g. globals.local). | ||
43 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) | 62 | - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) |
63 | - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). | ||
44 | - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). | 64 | - [ ] I have performed a short search for similar issues (to avoid opening a duplicate). |
45 | - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. | 65 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. |
46 | - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. | 66 | - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) |
47 | - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. | ||
48 | - [ ] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions. | ||
49 | 67 | ||
50 | ### Log | 68 | ### Log |
51 | 69 | ||
52 | <details> | 70 | <details> |
53 | <summary>debug output</summary> | 71 | <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> |
72 | <p> | ||
73 | |||
74 | ``` | ||
75 | output goes here | ||
76 | ``` | ||
77 | |||
78 | </p> | ||
79 | </details> | ||
80 | |||
81 | <details> | ||
82 | <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> | ||
54 | <p> | 83 | <p> |
55 | 84 | ||
56 | ``` | 85 | ``` |
57 | OUTPUT OF `firejail --debug PROGRAM` | 86 | output goes here |
58 | ``` | 87 | ``` |
59 | 88 | ||
60 | </p> | 89 | </p> |
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..b8fe40acd --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml | |||
@@ -0,0 +1,5 @@ | |||
1 | blank_issues_enabled: true | ||
2 | contact_links: | ||
3 | - name: Question | ||
4 | url: https://github.com/netblue30/firejail/discussions | ||
5 | about: For questions you should use GitHub Discussions. | ||
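--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+
+_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_
+
+### Describe the solution you'd like
+
+_A clear and concise description of what you want to happen._
+
+### Describe alternatives you've considered
+
+_A clear and concise description of any alternative solutions or features you've considered._
+
+### Additional context
+
+_Add any other context or screenshots about the feature request here._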
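--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
-
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
 
 If you submit a PR for new profiles or changing profiles, please do the following: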
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml index f3ded0f22..cfa40d2d2 100644 --- a/.github/workflows/sort.yml +++ b/.github/workflows/sort.yml | |||
@@ -19,4 +19,3 @@ jobs: | |||
19 | - uses: actions/checkout@v2 | 19 | - uses: actions/checkout@v2 |
20 | - name: check profiles | 20 | - name: check profiles |
21 | run: ./contrib/sort.py etc/*/{*.inc,*.profile} | 21 | run: ./contrib/sort.py etc/*/{*.inc,*.profile} |
22 | |||
@@ -1,12 +1,12 @@ | |||
1 | GNU GENERAL PUBLIC LICENSE | 1 | GNU GENERAL PUBLIC LICENSE |
2 | Version 2, June 1991 | 2 | Version 2, June 1991 |
3 | 3 | ||
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., |
5 | 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
6 | Everyone is permitted to copy and distribute verbatim copies | 6 | Everyone is permitted to copy and distribute verbatim copies |
7 | of this license document, but changing it is not allowed. | 7 | of this license document, but changing it is not allowed. |
8 | 8 | ||
9 | Preamble | 9 | Preamble |
10 | 10 | ||
11 | The licenses for most software are designed to take away your | 11 | The licenses for most software are designed to take away your |
12 | freedom to share and change it. By contrast, the GNU General Public | 12 | freedom to share and change it. By contrast, the GNU General Public |
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This | |||
15 | General Public License applies to most of the Free Software | 15 | General Public License applies to most of the Free Software |
16 | Foundation's software and to any other program whose authors commit to | 16 | Foundation's software and to any other program whose authors commit to |
17 | using it. (Some other Free Software Foundation software is covered by | 17 | using it. (Some other Free Software Foundation software is covered by |
18 | the GNU Library General Public License instead.) You can apply it to | 18 | the GNU Lesser General Public License instead.) You can apply it to |
19 | your programs, too. | 19 | your programs, too. |
20 | 20 | ||
21 | When we speak of free software, we are referring to freedom, not | 21 | When we speak of free software, we are referring to freedom, not |
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all. | |||
55 | 55 | ||
56 | The precise terms and conditions for copying, distribution and | 56 | The precise terms and conditions for copying, distribution and |
57 | modification follow. | 57 | modification follow. |
58 | 58 | ||
59 | GNU GENERAL PUBLIC LICENSE | 59 | GNU GENERAL PUBLIC LICENSE |
60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION | 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION |
61 | 61 | ||
62 | 0. This License applies to any program or other work which contains | 62 | 0. This License applies to any program or other work which contains |
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: | |||
110 | License. (Exception: if the Program itself is interactive but | 110 | License. (Exception: if the Program itself is interactive but |
111 | does not normally print such an announcement, your work based on | 111 | does not normally print such an announcement, your work based on |
112 | the Program is not required to print an announcement.) | 112 | the Program is not required to print an announcement.) |
113 | 113 | ||
114 | These requirements apply to the modified work as a whole. If | 114 | These requirements apply to the modified work as a whole. If |
115 | identifiable sections of that work are not derived from the Program, | 115 | identifiable sections of that work are not derived from the Program, |
116 | and can be reasonably considered independent and separate works in | 116 | and can be reasonably considered independent and separate works in |
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent | |||
168 | access to copy the source code from the same place counts as | 168 | access to copy the source code from the same place counts as |
169 | distribution of the source code, even though third parties are not | 169 | distribution of the source code, even though third parties are not |
170 | compelled to copy the source along with the object code. | 170 | compelled to copy the source along with the object code. |
171 | 171 | ||
172 | 4. You may not copy, modify, sublicense, or distribute the Program | 172 | 4. You may not copy, modify, sublicense, or distribute the Program |
173 | except as expressly provided under this License. Any attempt | 173 | except as expressly provided under this License. Any attempt |
174 | otherwise to copy, modify, sublicense or distribute the Program is | 174 | otherwise to copy, modify, sublicense or distribute the Program is |
@@ -225,7 +225,7 @@ impose that choice. | |||
225 | 225 | ||
226 | This section is intended to make thoroughly clear what is believed to | 226 | This section is intended to make thoroughly clear what is believed to |
227 | be a consequence of the rest of this License. | 227 | be a consequence of the rest of this License. |
228 | 228 | ||
229 | 8. If the distribution and/or use of the Program is restricted in | 229 | 8. If the distribution and/or use of the Program is restricted in |
230 | certain countries either by patents or by copyrighted interfaces, the | 230 | certain countries either by patents or by copyrighted interfaces, the |
231 | original copyright holder who places the Program under this License | 231 | original copyright holder who places the Program under this License |
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals | |||
255 | of preserving the free status of all derivatives of our free software and | 255 | of preserving the free status of all derivatives of our free software and |
256 | of promoting the sharing and reuse of software generally. | 256 | of promoting the sharing and reuse of software generally. |
257 | 257 | ||
258 | NO WARRANTY | 258 | NO WARRANTY |
259 | 259 | ||
260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY |
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN | 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN |
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER | |||
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE | 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE |
278 | POSSIBILITY OF SUCH DAMAGES. | 278 | POSSIBILITY OF SUCH DAMAGES. |
279 | 279 | ||
280 | END OF TERMS AND CONDITIONS | 280 | END OF TERMS AND CONDITIONS |
281 | |||
282 | How to Apply These Terms to Your New Programs | ||
283 | |||
284 | If you develop a new program, and you want it to be of the greatest | ||
285 | possible use to the public, the best way to achieve this is to make it | ||
286 | free software which everyone can redistribute and change under these terms. | ||
287 | |||
288 | To do so, attach the following notices to the program. It is safest | ||
289 | to attach them to the start of each source file to most effectively | ||
290 | convey the exclusion of warranty; and each file should have at least | ||
291 | the "copyright" line and a pointer to where the full notice is found. | ||
292 | |||
293 | <one line to give the program's name and a brief idea of what it does.> | ||
294 | Copyright (C) <year> <name of author> | ||
295 | |||
296 | This program is free software; you can redistribute it and/or modify | ||
297 | it under the terms of the GNU General Public License as published by | ||
298 | the Free Software Foundation; either version 2 of the License, or | ||
299 | (at your option) any later version. | ||
300 | |||
301 | This program is distributed in the hope that it will be useful, | ||
302 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
304 | GNU General Public License for more details. | ||
305 | |||
306 | You should have received a copy of the GNU General Public License along | ||
307 | with this program; if not, write to the Free Software Foundation, Inc., | ||
308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
309 | |||
310 | Also add information on how to contact you by electronic and paper mail. | ||
311 | |||
312 | If the program is interactive, make it output a short notice like this | ||
313 | when it starts in an interactive mode: | ||
314 | |||
315 | Gnomovision version 69, Copyright (C) year name of author | ||
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | ||
317 | This is free software, and you are welcome to redistribute it | ||
318 | under certain conditions; type `show c' for details. | ||
319 | |||
320 | The hypothetical commands `show w' and `show c' should show the appropriate | ||
321 | parts of the General Public License. Of course, the commands you use may | ||
322 | be called something other than `show w' and `show c'; they could even be | ||
323 | mouse-clicks or menu items--whatever suits your program. | ||
324 | |||
325 | You should also get your employer (if you work as a programmer) or your | ||
326 | school, if any, to sign a "copyright disclaimer" for the program, if | ||
327 | necessary. Here is a sample; alter the names: | ||
328 | |||
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program | ||
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. | ||
331 | |||
332 | <signature of Ty Coon>, 1 April 1989 | ||
333 | Ty Coon, President of Vice | ||
334 | |||
335 | This General Public License does not permit incorporating your program into | ||
336 | proprietary programs. If your program is a subroutine library, you may | ||
337 | consider it more useful to permit linking proprietary applications with the | ||
338 | library. If this is what you want to do, use the GNU Lesser General | ||
339 | Public License instead of this License. | ||
@@ -1,13 +1,13 @@ | |||
1 | Firejail is a SUID sandbox program that reduces the risk of security | 1 | Firejail is a SUID sandbox program that reduces the risk of security |
2 | breaches by restricting the running environment of untrusted applications | 2 | breaches by restricting the running environment of untrusted applications |
3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for | 3 | using Linux namespaces and seccomp-bpf. It includes sandbox profiles for |
4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, | 4 | Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, |
5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. | 5 | VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. |
6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, | 6 | DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, |
7 | Pidgin, Quassel, and XChat. | 7 | Pidgin, Quassel, and XChat. |
8 | 8 | ||
9 | Firejail also expands the restricted shell facility found in bash by adding | 9 | Firejail also expands the restricted shell facility found in bash by adding |
10 | Linux namespace support. It supports sandboxing specific users upon login. | 10 | Linux namespace support. It supports sandboxing specific users upon login. |
11 | 11 | ||
12 | Download: https://sourceforge.net/projects/firejail/files/ | 12 | Download: https://sourceforge.net/projects/firejail/files/ |
13 | Build and install: ./configure && make && sudo make install | 13 | Build and install: ./configure && make && sudo make install |
@@ -68,6 +68,8 @@ Firejail Authors (alphabetical order) | |||
68 | - fix flameshot raw screenshots | 68 | - fix flameshot raw screenshots |
69 | 1dnrr (https://github.com/1dnrr) | 69 | 1dnrr (https://github.com/1dnrr) |
70 | - add pybitmessage profile | 70 | - add pybitmessage profile |
71 | a1346054 (https://github.com/a1346054) | ||
72 | - add missing final newlines in various files | ||
71 | Ádler Jonas Gross (https://github.com/adgross) | 73 | Ádler Jonas Gross (https://github.com/adgross) |
72 | - AppArmor fix | 74 | - AppArmor fix |
73 | Adrian L. Shaw (https://github.com/adrianlshaw) | 75 | Adrian L. Shaw (https://github.com/adrianlshaw) |
@@ -221,6 +223,8 @@ Carlo Abelli (https://github.com/carloabelli) | |||
221 | - fixed simple-scan | 223 | - fixed simple-scan |
222 | Cat (https://github.com/ecat3) | 224 | Cat (https://github.com/ecat3) |
223 | - prevent tmux connecting to an existing session | 225 | - prevent tmux connecting to an existing session |
226 | cayday (https://github.com/caydey) | ||
227 | - added ~/Private blacklist in disable-common.inc | ||
224 | Christian Pinedo (https://github.com/chrpinedo) | 228 | Christian Pinedo (https://github.com/chrpinedo) |
225 | - added nicotine profile | 229 | - added nicotine profile |
226 | - allow python3 in totem profile | 230 | - allow python3 in totem profile |
@@ -246,6 +250,8 @@ crass (https://github.com/crass) | |||
246 | - extract_command_name fixes | 250 | - extract_command_name fixes |
247 | - update appimage size calculation to newest code from libappimage | 251 | - update appimage size calculation to newest code from libappimage |
248 | - firejail should look for processes with names exactly named | 252 | - firejail should look for processes with names exactly named |
253 | croket (https://github.com/crocket) | ||
254 | - fix librewolf profile | ||
249 | curiosity-seeker (https://github.com/curiosity-seeker - old) | 255 | curiosity-seeker (https://github.com/curiosity-seeker - old) |
250 | curiosityseeker (https://github.com/curiosityseeker - new) | 256 | curiosityseeker (https://github.com/curiosityseeker - new) |
251 | - tightening unbound and dnscrypt-proxy profiles | 257 | - tightening unbound and dnscrypt-proxy profiles |
@@ -304,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap) | |||
304 | - fix qt5ct colour schemes and QSS | 310 | - fix qt5ct colour schemes and QSS |
305 | Disconnect3d (https://github.com/disconnect3d) | 311 | Disconnect3d (https://github.com/disconnect3d) |
306 | - code cleanup | 312 | - code cleanup |
313 | dm9pZCAq (https://github.com/dm9pZCAq) | ||
314 | - fix for compilation under musl | ||
307 | dmfreemon (https://github.com/dmfreemon) | 315 | dmfreemon (https://github.com/dmfreemon) |
308 | - add sandbox name or name of private directory to the window title when xpra is used | 316 | - add sandbox name or name of private directory to the window title when xpra is used |
309 | - handle malloc() failures; use gnu_basename() instead of basenaem() | 317 | - handle malloc() failures; use gnu_basename() instead of basenaem() |
@@ -454,7 +462,7 @@ hawkey116477 (https://github.com/hawkeye116477) | |||
454 | Helmut Grohne (https://github.com/helmutg) | 462 | Helmut Grohne (https://github.com/helmutg) |
455 | - compiler support in the build system - Debian bug #869707 | 463 | - compiler support in the build system - Debian bug #869707 |
456 | hhzek0014 (https://github.com/hhzek0014) | 464 | hhzek0014 (https://github.com/hhzek0014) |
457 | - updated bibletime.profile | 465 | - updated bibletime.profile |
458 | hlein (https://github.com/hlein) | 466 | hlein (https://github.com/hlein) |
459 | - strip out \r's from jail prober | 467 | - strip out \r's from jail prober |
460 | Holger Heinz (https://github.com/hheinz) | 468 | Holger Heinz (https://github.com/hheinz) |
@@ -490,6 +498,10 @@ James Elford (https://github.com/jelford) | |||
490 | - removed shell none from ssh-agent configuration, fixing the infinite loop | 498 | - removed shell none from ssh-agent configuration, fixing the infinite loop |
491 | - added gcloud profile | 499 | - added gcloud profile |
492 | - blacklist sensitive cloud provider files in disable-common | 500 | - blacklist sensitive cloud provider files in disable-common |
501 | Jan-Niclas (https://github.com/0x6a61) | ||
502 | - moved rules from firefox-common.profile to firefox.profile | ||
503 | - blacklist /*firefox* except for firefox itself | ||
504 | - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox | ||
493 | Jean Lucas (https://github.com/flacks) | 505 | Jean Lucas (https://github.com/flacks) |
494 | - fix Discord profile | 506 | - fix Discord profile |
495 | - add AnyDesk profile | 507 | - add AnyDesk profile |
@@ -526,6 +538,7 @@ John Mullee (https://github.com/jmullee) | |||
526 | Jonas Heinrich (https://github.com/onny) | 538 | Jonas Heinrich (https://github.com/onny) |
527 | - added signal-desktop profile | 539 | - added signal-desktop profile |
528 | - fixed franz profile | 540 | - fixed franz profile |
541 | - remove /etc/hosts is_link check for NixOS | ||
529 | Jose Riha (https://github.com/jose1711) | 542 | Jose Riha (https://github.com/jose1711) |
530 | - added meteo-qt profile | 543 | - added meteo-qt profile |
531 | - created qgis, links, xlinks profiles | 544 | - created qgis, links, xlinks profiles |
@@ -568,7 +581,7 @@ Kishore96in (https://github.com/Kishore96in) | |||
568 | - added falkon profile | 581 | - added falkon profile |
569 | - kxmlgui fixes | 582 | - kxmlgui fixes |
570 | - okular profile fixes | 583 | - okular profile fixes |
571 | - jitsi-meet-desktop profile | 584 | - jitsi-meet-desktop profile |
572 | - konversatin profile fix | 585 | - konversatin profile fix |
573 | - added Neochat profile | 586 | - added Neochat profile |
574 | - added whitelist-1793-workaround.inc | 587 | - added whitelist-1793-workaround.inc |
@@ -595,6 +608,9 @@ Laurent Declercq (https://github.com/nuxwin) | |||
595 | - fixed test for shell interpreter in chroots | 608 | - fixed test for shell interpreter in chroots |
596 | LaurentGH (https://github.com/LaurentGH) | 609 | LaurentGH (https://github.com/LaurentGH) |
597 | - allow private-bin parameters to be absolute paths | 610 | - allow private-bin parameters to be absolute paths |
611 | lecso7 (https://github.com/lecso7) | ||
612 | - added goldendict profile | ||
613 | - allow evince to read .cbz file format | ||
598 | Loïc Damien (https://github.com/dzamlo) | 614 | Loïc Damien (https://github.com/dzamlo) |
599 | - small fixes | 615 | - small fixes |
600 | Liorst4 (https://github.com/Liorst4) | 616 | Liorst4 (https://github.com/Liorst4) |
@@ -627,6 +643,8 @@ Martin Carpenter (https://github.com/mcarpenter) | |||
627 | Martin Dosch (spam-debian@mdosch.de) | 643 | Martin Dosch (spam-debian@mdosch.de) |
628 | - support for gnome-shell integration addon in Firefox | 644 | - support for gnome-shell integration addon in Firefox |
629 | (Bug-Debian: https://bugs.debian.org/872720) | 645 | (Bug-Debian: https://bugs.debian.org/872720) |
646 | Martynas Janonis (https://github.com/mjanonis) | ||
647 | - update wrc for Arch Linux | ||
630 | Matt Parnell (https://github.com/ilikenwf) | 648 | Matt Parnell (https://github.com/ilikenwf) |
631 | - whitelisting for core firefox related functionality | 649 | - whitelisting for core firefox related functionality |
632 | Mattias Wadman (https://github.com/wader) | 650 | Mattias Wadman (https://github.com/wader) |
@@ -699,7 +717,7 @@ Ondra Nekola (https://github.com/satai) | |||
699 | OndrejMalek (https://github.com/OndrejMalek) | 717 | OndrejMalek (https://github.com/OndrejMalek) |
700 | - various manpage fixes | 718 | - various manpage fixes |
701 | Ondřej Nový (https://github.com/onovy) | 719 | Ondřej Nový (https://github.com/onovy) |
702 | - allow video for Signal profile | 720 | - allow video for Signal profile |
703 | - added Mattermost desktop profile | 721 | - added Mattermost desktop profile |
704 | - hardened Zoom profile | 722 | - hardened Zoom profile |
705 | - hardened Signal desktop profile | 723 | - hardened Signal desktop profile |
@@ -716,7 +734,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) | |||
716 | Paul Moore <pmoore@redhat.com> | 734 | Paul Moore <pmoore@redhat.com> |
717 | -src/fsec-print/print.c extracted from libseccomp software package | 735 | -src/fsec-print/print.c extracted from libseccomp software package |
718 | Paupiah Yash (https://github.com/CaffeinatedStud) | 736 | Paupiah Yash (https://github.com/CaffeinatedStud) |
719 | - gzip profile | 737 | - gzip profile |
720 | Pawel (https://github.com/grimskies) | 738 | Pawel (https://github.com/grimskies) |
721 | - make --join return exit code of the invoked program | 739 | - make --join return exit code of the invoked program |
722 | Peter Millerchip (https://github.com/pmillerchip) | 740 | Peter Millerchip (https://github.com/pmillerchip) |
@@ -944,7 +962,7 @@ SYN-cook (https://github.com/SYN-cook) | |||
944 | - gnome-calculator changes | 962 | - gnome-calculator changes |
945 | startx2017 (https://github.com/startx2017) | 963 | startx2017 (https://github.com/startx2017) |
946 | - syscall list update | 964 | - syscall list update |
947 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 965 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, |
948 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 966 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old |
949 | - enable/disable join support in /etc/firejail/firejail.config | 967 | - enable/disable join support in /etc/firejail/firejail.config |
950 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 968 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist |
@@ -995,10 +1013,11 @@ Topi Miettinen (https://github.com/topimiettinen) | |||
995 | - improve loading of seccomp filter and memory-deny-write-execute feature | 1013 | - improve loading of seccomp filter and memory-deny-write-execute feature |
996 | - private-lib feature | 1014 | - private-lib feature |
997 | - make --nodbus block also system D-Bus socket | 1015 | - make --nodbus block also system D-Bus socket |
998 | Ted Robertson (https://github.com/tredondo) | 1016 | Ted Robertson (https://github.com/tredondo) |
999 | - webstorm profile fixes | 1017 | - webstorm profile fixes |
1000 | - added bcompare profile | 1018 | - added bcompare profile |
1001 | - various documentation fixes | 1019 | - various documentation fixes |
1020 | - blacklist Exodus wallet | ||
1002 | user1024 (user1024@tut.by) | 1021 | user1024 (user1024@tut.by) |
1003 | - electron profile whitelisting | 1022 | - electron profile whitelisting |
1004 | - fixed Rocket.Chat profile | 1023 | - fixed Rocket.Chat profile |
@@ -1054,7 +1073,7 @@ vismir2 (https://github.com/vismir2) | |||
1054 | - feh, ranger, 7z, keepass, keepassx and zathura profiles | 1073 | - feh, ranger, 7z, keepass, keepassx and zathura profiles |
1055 | - claws-mail, mutt, git, emacs, vim profiles | 1074 | - claws-mail, mutt, git, emacs, vim profiles |
1056 | - lots of profile fixes | 1075 | - lots of profile fixes |
1057 | - support for truecrypt and zuluCrypt | 1076 | - support for truecrypt and zuluCrypt |
1058 | viq (https://github.com/viq) | 1077 | viq (https://github.com/viq) |
1059 | - discord-canary profile | 1078 | - discord-canary profile |
1060 | Vladimir Gorelov (https://github.com/larkvirtual) | 1079 | Vladimir Gorelov (https://github.com/larkvirtual) |
@@ -1062,11 +1081,12 @@ Vladimir Gorelov (https://github.com/larkvirtual) | |||
1062 | Vladimir Schowalter (https://github.com/VladimirSchowalter20) | 1081 | Vladimir Schowalter (https://github.com/VladimirSchowalter20) |
1063 | - apparmor profile enhancements | 1082 | - apparmor profile enhancements |
1064 | - various KDE profile enhancements | 1083 | - various KDE profile enhancements |
1065 | read-only kde5 services directory | 1084 | - read-only kde5 services directory |
1066 | Vladislav Nepogodin (https://github.com/vnepogodin) | 1085 | Vladislav Nepogodin (https://github.com/vnepogodin) |
1067 | - added Librewolf profiles | 1086 | - added Librewolf profiles |
1068 | - added Sway profile | 1087 | - added Sway profile |
1069 | - fix CLion profile | 1088 | - fix CLion profile |
1089 | - fixes for disable-programs.inc | ||
1070 | xee5ch (https://github.com/xee5ch) | 1090 | xee5ch (https://github.com/xee5ch) |
1071 | - skypeforlinux profile | 1091 | - skypeforlinux profile |
1072 | Ypnose (https://github.com/Ypnose) | 1092 | Ypnose (https://github.com/Ypnose) |
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer. | |||
22 | <table><tr> | 22 | <table><tr> |
23 | 23 | ||
24 | <td> | 24 | <td> |
25 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U | 25 | <a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank"> |
26 | " target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg" | 26 | <img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg" |
27 | alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a> | 27 | alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a> |
28 | </td> | 28 | </td> |
29 | 29 | ||
30 | <td> | 30 | <td> |
31 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU | 31 | <a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank"> |
32 | " target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg" | 32 | <img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc" |
33 | alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a> | 33 | alt="Technology" width="240" height="142" border="10" /><br/>Technology</a> |
34 | </td> | 34 | </td> |
35 | 35 | ||
36 | <td> | 36 | <td> |
37 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4 | 37 | <a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank"> |
38 | " target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg" | 38 | <img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf" |
39 | alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a> | 39 | alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a> |
40 | </td> | 40 | </td> |
41 | 41 | ||
42 | |||
43 | </tr><tr> | ||
44 | <td> | ||
45 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w | ||
46 | " target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg" | ||
47 | alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a> | ||
48 | |||
49 | </td> | ||
50 | <td> | ||
51 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ | ||
52 | " target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg" | ||
53 | alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a> | ||
54 | |||
55 | </td> | ||
56 | <td> | ||
57 | <a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o | ||
58 | " target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg" | ||
59 | alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a> | ||
60 | |||
61 | </td> | ||
62 | </tr></table> | 42 | </tr></table> |
63 | 43 | ||
64 | Project webpage: https://firejail.wordpress.com/ | 44 | Project webpage: https://firejail.wordpress.com/ |
@@ -239,32 +219,33 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi | |||
239 | $ sudo cp src/profstats/profstats /etc/firejail/. | 219 | $ sudo cp src/profstats/profstats /etc/firejail/. |
240 | $ cd /etc/firejail | 220 | $ cd /etc/firejail |
241 | $ ./profstats *.profile | 221 | $ ./profstats *.profile |
242 | profiles 1150 | 222 | profiles 1167 |
243 | include local profile 1150 (include profile-name.local) | 223 | include local profile 1167 (include profile-name.local) |
244 | include globals 1120 (include globals.local) | 224 | include globals 1136 (include globals.local) |
245 | blacklist ~/.ssh 1026 (include disable-common.inc) | 225 | blacklist ~/.ssh 1042 (include disable-common.inc) |
246 | seccomp 1050 | 226 | seccomp 1062 |
247 | capabilities 1146 | 227 | capabilities 1163 |
248 | noexec 1030 (include disable-exec.inc) | 228 | noexec 1049 (include disable-exec.inc) |
249 | noroot 959 | 229 | noroot 971 |
250 | memory-deny-write-execute 253 | 230 | memory-deny-write-execute 256 |
251 | apparmor 681 | 231 | apparmor 693 |
252 | private-bin 667 | 232 | private-bin 677 |
253 | private-dev 1009 | 233 | private-dev 1027 |
254 | private-etc 523 | 234 | private-etc 532 |
255 | private-tmp 883 | 235 | private-tmp 897 |
256 | whitelist home directory 547 | 236 | whitelist home directory 557 |
257 | whitelist var 818 (include whitelist-var-common.inc) | 237 | whitelist var 836 (include whitelist-var-common.inc) |
258 | whitelist run/user 616 (include whitelist-runuser-common.inc | 238 | whitelist run/user 1137 (include whitelist-runuser-common.inc |
259 | or blacklist ${RUNUSER}) | 239 | or blacklist ${RUNUSER}) |
260 | whitelist usr/share 591 (include whitelist-usr-share-common.inc | 240 | whitelist usr/share 609 (include whitelist-usr-share-common.inc |
261 | net none 391 | 241 | net none 396 |
262 | dbus-user none 641 | 242 | dbus-user none 656 |
263 | dbus-user filter 105 | 243 | dbus-user filter 108 |
264 | dbus-system none 792 | 244 | dbus-system none 808 |
265 | dbus-system filter 7 | 245 | dbus-system filter 10 |
266 | ``` | 246 | ``` |
267 | 247 | ||
268 | ### New profiles: | 248 | ### New profiles: |
269 | 249 | ||
270 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp | 250 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, |
251 | cmake, make, meson, pip, codium | ||
@@ -1,13 +1,16 @@ | |||
1 | firejail (0.9.67) baseline; urgency=low | 1 | firejail (0.9.67) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * exit code: distinguish fatal signals by adding 128 | ||
3 | * deprecated --disable-whitelist at compile time | 4 | * deprecated --disable-whitelist at compile time |
4 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config | 5 | * deprecated whitelist=yes/no in /etc/firejail/firejail.config |
6 | * new condition: ALLOW_TRAY | ||
5 | * remove (some) environment variables with auth-tokens | 7 | * remove (some) environment variables with auth-tokens |
6 | * new includes: whitelist-run-common.inc, disable-X11.inc | 8 | * new includes: whitelist-run-common.inc, disable-X11.inc |
7 | * removed includes: disable-passwordmgr.inc | 9 | * removed includes: disable-passwordmgr.inc |
8 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim | 10 | * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim |
9 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl | 11 | * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl |
10 | * new profiles: yt-dlp | 12 | * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake |
13 | * new profiles: make, meson, pip, codium | ||
11 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 | 14 | -- netblue30 <netblue30@yahoo.com> Thu, 29 Jul 2021 09:00:00 -0500 |
12 | 15 | ||
13 | firejail (0.9.66) baseline; urgency=low | 16 | firejail (0.9.66) baseline; urgency=low |
@@ -59,7 +62,7 @@ firejail (0.9.64.4) baseline; urgency=low | |||
59 | 62 | ||
60 | firejail (0.9.64.2) baseline; urgency=low | 63 | firejail (0.9.64.2) baseline; urgency=low |
61 | * allow --tmpfs inside $HOME for unprivileged users | 64 | * allow --tmpfs inside $HOME for unprivileged users |
62 | * --disable-usertmpfs compile time option | 65 | * --disable-usertmpfs compile time option |
63 | * allow AF_BLUETOOTH via --protocol=bluetooth | 66 | * allow AF_BLUETOOTH via --protocol=bluetooth |
64 | * Setup guide for new users: contrib/firejail-welcome.sh | 67 | * Setup guide for new users: contrib/firejail-welcome.sh |
65 | * implement netns in profiles | 68 | * implement netns in profiles |
@@ -566,7 +569,7 @@ firejail (0.9.44) baseline; urgency=low | |||
566 | * feature: disable 3D hardware acceleration (--no3d) | 569 | * feature: disable 3D hardware acceleration (--no3d) |
567 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | 570 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands |
568 | * feature: move files in sandbox (--put) | 571 | * feature: move files in sandbox (--put) |
569 | * feature: accept wildcard patterns in user name field of restricted | 572 | * feature: accept wildcard patterns in user name field of restricted |
570 | shell login feature | 573 | shell login feature |
571 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | 574 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape |
572 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | 575 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, |
@@ -608,7 +611,7 @@ firejail (0.9.42) baseline; urgency=low | |||
608 | * compile time: disable whitelisting (--disable-whitelist) | 611 | * compile time: disable whitelisting (--disable-whitelist) |
609 | * compile time: disable global config (--disable-globalcfg) | 612 | * compile time: disable global config (--disable-globalcfg) |
610 | * run time: enable/disable overlayfs (overlayfs yes/no) | 613 | * run time: enable/disable overlayfs (overlayfs yes/no) |
611 | * run time: enable/disable quiet as default (quiet-by-default yes/no) | 614 | * run time: enable/disable quiet as default (quiet-by-default yes/no) |
612 | * run time: user-defined network filter (netfilter-default) | 615 | * run time: user-defined network filter (netfilter-default) |
613 | * run time: enable/disable whitelisting (whitelist yes/no) | 616 | * run time: enable/disable whitelisting (whitelist yes/no) |
614 | * run time: enable/disable remounting of /proc and /sys | 617 | * run time: enable/disable remounting of /proc and /sys |
@@ -706,7 +709,7 @@ firejail (0.9.38) baseline; urgency=low | |||
706 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 709 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
707 | 710 | ||
708 | firejail (0.9.36) baseline; urgency=low | 711 | firejail (0.9.36) baseline; urgency=low |
709 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, | 712 | * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, |
710 | parole and rtorrent profiles | 713 | parole and rtorrent profiles |
711 | * Google Chrome profile rework | 714 | * Google Chrome profile rework |
712 | * added google-chrome-stable profile | 715 | * added google-chrome-stable profile |
diff --git a/SECURITY.md b/SECURITY.md index 92204da0a..ef9b9b5fb 100644 --- a/SECURITY.md +++ b/SECURITY.md | |||
@@ -2,23 +2,24 @@ | |||
2 | 2 | ||
3 | ## Supported Versions | 3 | ## Supported Versions |
4 | 4 | ||
5 | | Version | Supported by us | EOL | Supported by distribution | | 5 | | Version | Supported by us | EOL | Supported by distribution | |
6 | | ------- | ------------------ | ---- | --------------------------- | 6 | | ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- | |
7 | | 0.9.64 | :heavy_check_mark: | | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) | 7 | | 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) | |
8 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | 8 | | 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 | |
9 | | 0.9.60 | :x: | 29 Dec 2019 | | 9 | | 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | |
10 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | 10 | | 0.9.60 | :x: | 29 Dec 2019 | | |
11 | | 0.9.56 | :x: | 27 Jan 2019 | | 11 | | 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | |
12 | | 0.9.54 | :x: | 18 Sep 2018 | | 12 | | 0.9.56 | :x: | 27 Jan 2019 | | |
13 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | 13 | | 0.9.54 | :x: | 18 Sep 2018 | | |
14 | | 0.9.50 | :x: | 12 Dec 2017 | | 14 | | 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | |
15 | | 0.9.48 | :x: | 09 Sep 2017 | | 15 | | 0.9.50 | :x: | 12 Dec 2017 | | |
16 | | 0.9.46 | :x: | 12 Jun 2017 | | 16 | | 0.9.48 | :x: | 09 Sep 2017 | | |
17 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | 17 | | 0.9.46 | :x: | 12 Jun 2017 | | |
18 | | 0.9.42 | :x: | 22 Oct 2016 | | 18 | | 0.9.44 | :x: | | :white_check_mark: Debian 9 | |
19 | | 0.9.40 | :x: | 09 Sep 2016 | | 19 | | 0.9.42 | :x: | 22 Oct 2016 | | |
20 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | 20 | | 0.9.40 | :x: | 09 Sep 2016 | | |
21 | | <0.9.38 | :x: | Before 05 Feb 2016 | | 21 | | 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | |
22 | | <0.9.38 | :x: | Before 05 Feb 2016 | | | ||
22 | 23 | ||
23 | ## Security vulnerabilities | 24 | ## Security vulnerabilities |
24 | 25 | ||
@@ -711,6 +711,7 @@ ac_subst_files='' | |||
711 | ac_user_opts=' | 711 | ac_user_opts=' |
712 | enable_option_checking | 712 | enable_option_checking |
713 | enable_analyzer | 713 | enable_analyzer |
714 | enable_sanitizer | ||
714 | enable_apparmor | 715 | enable_apparmor |
715 | enable_selinux | 716 | enable_selinux |
716 | enable_dbusproxy | 717 | enable_dbusproxy |
@@ -1368,6 +1369,8 @@ Optional Features: | |||
1368 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | 1369 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
1369 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1370 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1370 | --enable-analyzer enable GCC static analyzer | 1371 | --enable-analyzer enable GCC static analyzer |
1372 | --enable-sanitizer=[address | memory | undefined] | ||
1373 | enable a compiler-based sanitizer (debug) | ||
1371 | --enable-apparmor enable apparmor | 1374 | --enable-apparmor enable apparmor |
1372 | --enable-selinux SELinux labeling support | 1375 | --enable-selinux SELinux labeling support |
1373 | --disable-dbusproxy disable dbus proxy | 1376 | --disable-dbusproxy disable dbus proxy |
@@ -3294,6 +3297,57 @@ if test "x$enable_analyzer" = "xyes"; then : | |||
3294 | 3297 | ||
3295 | fi | 3298 | fi |
3296 | 3299 | ||
3300 | # Check whether --enable-sanitizer was given. | ||
3301 | if test "${enable_sanitizer+set}" = set; then : | ||
3302 | enableval=$enable_sanitizer; | ||
3303 | else | ||
3304 | enable_sanitizer=no | ||
3305 | fi | ||
3306 | |||
3307 | if test "x$enable_sanitizer" != "xno" ; then : | ||
3308 | as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh` | ||
3309 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5 | ||
3310 | $as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; } | ||
3311 | if eval \${$as_CACHEVAR+:} false; then : | ||
3312 | $as_echo_n "(cached) " >&6 | ||
3313 | else | ||
3314 | |||
3315 | ax_check_save_flags=$CFLAGS | ||
3316 | CFLAGS="$CFLAGS -fsanitize=$enable_sanitizer" | ||
3317 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
3318 | /* end confdefs.h. */ | ||
3319 | |||
3320 | int | ||
3321 | main () | ||
3322 | { | ||
3323 | |||
3324 | ; | ||
3325 | return 0; | ||
3326 | } | ||
3327 | _ACEOF | ||
3328 | if ac_fn_c_try_compile "$LINENO"; then : | ||
3329 | eval "$as_CACHEVAR=yes" | ||
3330 | else | ||
3331 | eval "$as_CACHEVAR=no" | ||
3332 | fi | ||
3333 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
3334 | CFLAGS=$ax_check_save_flags | ||
3335 | fi | ||
3336 | eval ac_res=\$$as_CACHEVAR | ||
3337 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 | ||
3338 | $as_echo "$ac_res" >&6; } | ||
3339 | if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : | ||
3340 | |||
3341 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer" | ||
3342 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer" | ||
3343 | |||
3344 | else | ||
3345 | as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5 | ||
3346 | |||
3347 | fi | ||
3348 | |||
3349 | fi | ||
3350 | |||
3297 | HAVE_APPARMOR="" | 3351 | HAVE_APPARMOR="" |
3298 | # Check whether --enable-apparmor was given. | 3352 | # Check whether --enable-apparmor was given. |
3299 | if test "${enable_apparmor+set}" = set; then : | 3353 | if test "${enable_apparmor+set}" = set; then : |
@@ -3549,7 +3603,7 @@ if test "x$enable_dbusproxy" != "xno"; then : | |||
3549 | 3603 | ||
3550 | fi | 3604 | fi |
3551 | 3605 | ||
3552 | # overlayfs features temporarely disabled pending fixes | 3606 | # overlayfs features temporarily disabled pending fixes |
3553 | HAVE_OVERLAYFS="" | 3607 | HAVE_OVERLAYFS="" |
3554 | 3608 | ||
3555 | # | 3609 | # |
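--- a/configure.ac
+++ b/configure.ac
@@ -45,6 +45,15 @@ AS_IF([test "x$enable_analyzer" = "xyes"], [
 EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
+AC_ARG_ENABLE([sanitizer],
+AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)]), [], [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ],
+[AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
+)])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
 AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
@@ -76,7 +85,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
 AC_SUBST(HAVE_DBUSPROXY)
 ])
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 AC_SUBST(HAVE_OVERLAYFS)
 #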
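Review bot: Nothing in the new `AS_IF` block (new lines 50–55) warns that a sanitizer build must not be installed setuid: firejail is normally installed SUID root, and the sanitizer runtimes take options from the environment (for example `ASAN_OPTIONS`), which is unsafe in a privileged binary. The help string says only "(debug)", so I would add `AC_MSG_WARN([sanitizer enabled: debug build, do not install setuid])` in the success branch. Separately, a bare `--enable-sanitizer` yields `enable_sanitizer=yes`, so the probe tests `-fsanitize=yes` and configure stops with "sanitizer not supported: yes"; the help text should say that a value is required. `memory` is implemented only by Clang, so it will be rejected when building with GCC.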
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py index 12b596749..961646aa4 100755 --- a/contrib/fix_private-bin.py +++ b/contrib/fix_private-bin.py | |||
@@ -164,7 +164,7 @@ def printHelp(): | |||
164 | 164 | ||
165 | 165 | ||
166 | def main() -> None: | 166 | def main() -> None: |
167 | """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" | 167 | """The main function. Parses the commandline args, shows messages and calls the function actually doing the work.""" |
168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and | 168 | if len(sys.argv) > 2 or (len(sys.argv) == 2 and |
169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): | 169 | (sys.argv[1] == "-h" or sys.argv[1] == "--help")): |
170 | printHelp() | 170 | printHelp() |
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index 941fc45ef..686bdc2c0 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh | |||
@@ -21,4 +21,4 @@ else | |||
21 | fi | 21 | fi |
22 | 22 | ||
23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & | 23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & |
24 | sudo gdb -e "$FIREJAIL" -p "$!" | 24 | sudo gdb -e "$FIREJAIL" -p "$!" |
diff --git a/contrib/sort.py b/contrib/sort.py index d7a2cd05d..4af9c674c 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items): | |||
34 | 34 | ||
35 | 35 | ||
36 | def sort_protocol(protocols): | 36 | def sort_protocol(protocols): |
37 | """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 37 | """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" |
38 | 38 | ||
39 | # shortcut for common protocol lines | 39 | # shortcut for common protocol lines |
40 | if protocols in ("unix", "unix,inet,inet6"): | 40 | if protocols in ("unix", "unix,inet,inet6"): |
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index d07690ee2..fa80a9c00 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained | |||
72 | 72 | ||
73 | " Conditionals grabbed from: src/firejail/profile.c | 73 | " Conditionals grabbed from: src/firejail/profile.c |
74 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' | 74 | " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' |
75 | syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained | 75 | syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained |
76 | 76 | ||
77 | " A line is either a command, a conditional or a comment | 77 | " A line is either a command, a conditional or a comment |
78 | syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment | 78 | syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment |
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile index 9bc35da5a..1cc9b0116 100644 --- a/etc-fixes/0.9.58/atom.profile +++ b/etc-fixes/0.9.58/atom.profile | |||
@@ -1,4 +1,3 @@ | |||
1 | |||
2 | # Firejail profile for atom | 1 | # Firejail profile for atom |
3 | # Description: A hackable text editor for the 21st Century | 2 | # Description: A hackable text editor for the 21st Century |
4 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README index 9f85a0e00..15596eca7 100644 --- a/etc-fixes/seccomp-join-bug/README +++ b/etc-fixes/seccomp-join-bug/README | |||
@@ -8,4 +8,3 @@ on May 21, 2019: | |||
8 | 8 | ||
9 | The original discussion thread: https://github.com/netblue30/firejail/issues/2718 | 9 | The original discussion thread: https://github.com/netblue30/firejail/issues/2718 |
10 | The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 | 10 | The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 |
11 | |||
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ca32f5b0d..a7044152e 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -129,7 +129,7 @@ signal (receive), | |||
129 | ########## | 129 | ########## |
130 | # The list of recognized capabilities varies from one apparmor version to another. | 130 | # The list of recognized capabilities varies from one apparmor version to another. |
131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available | 131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
132 | # We allow all caps by default and remove the ones we don't like: | 132 | # We allow all caps by default and remove the ones we don't like: |
133 | capability, | 133 | capability, |
134 | deny capability audit_write, | 134 | deny capability audit_write, |
135 | deny capability audit_control, | 135 | deny capability audit_control, |
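--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
@@ -63,7 +66,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of iptables-save and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 
 # Enable or disable networking features, default enabled.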
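Review bot: The new `allow-tray` entry (new lines 5–6) does not state its default, unlike the neighbouring entries ("default enabled"), and does not say what enabling it relaxes. Assuming the commented-out value is the default, as it is elsewhere in this file, I would write `# Allow programs to display a tray icon, default disabled.` The RELNOTES hunk of this commit lists a new condition `ALLOW_TRAY`; if this option is what drives it, a second comment line naming the restriction that profiles lift when it is set would let administrators judge the trade-off. I cannot confirm the mechanism from this hunk.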
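--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
+# Ruby
+noblacklist ${HOME}/.bundle
+
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo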
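Review bot: The two rules at new lines 31 and 34 unblock whole directories that commonly hold credentials, for every profile that includes this file: Bundler can store per-source credentials in `~/.bundle/config`, and Cargo keeps registry tokens under `~/.cargo`. Nothing in the file tells a profile author that including it exposes those tokens to the sandboxed program. I would add a comment such as `# note: ~/.bundle/config and ~/.cargo/credentials* may contain registry tokens` above the rules. The switch from `.cargo/*` to `.cargo` matches the same change in disable-programs.inc in this commit, so the blacklist/noblacklist pair stays consistent.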
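--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby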
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc index e74b1b40b..98bf5ecc8 100644 --- a/etc/inc/disable-devel.inc +++ b/etc/inc/disable-devel.inc | |||
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc | |||
60 | blacklist ${PATH}/valgrind* | 60 | blacklist ${PATH}/valgrind* |
61 | blacklist /usr/lib/valgrind | 61 | blacklist /usr/lib/valgrind |
62 | 62 | ||
63 | |||
64 | # Source-Code | 63 | # Source-Code |
65 | |||
66 | blacklist /usr/src | 64 | blacklist /usr/src |
67 | blacklist /usr/local/src | 65 | blacklist /usr/local/src |
68 | blacklist /usr/include | 66 | blacklist /usr/include |
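--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2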
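--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
@@ -141,6 +143,7 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
@@ -495,12 +498,14 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gl-117
 blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
@@ -966,6 +971,7 @@ blacklist ${HOME}/.cache/Enpass
 blacklist ${HOME}/.cache/Ferdi
 blacklist ${HOME}/.cache/Flavio Tordini
 blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/KDE/neochat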
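--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,6 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf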
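Review bot: The added `whitelist /run/shm` line carries no comment naming the program that needs it, and it widens the /run view of every profile that pulls in this include (cheese.profile and build-systems-common.profile in this same commit both do). If only a few programs need that path, the entry may belong in their own profiles instead; otherwise a line such as `# /run/shm: needed by PROGRAM` above it, with the actual consumer filled in, would record the reason. The include file starts above this hunk, so any comment convention it already follows is not visible here.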
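--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624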
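--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,passwd
+private-etc fonts,gtk-3.0,ld.so.preload,passwd
 private-tmp
 
 # dbus-user none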
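--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none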
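--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
 private-tmp
 
 dbus-user none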
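--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # If you're not on kde-plasma add the next lines to your amarok.local.
 #dbus-user.own org.kde.kded
 #dbus-user.own org.kde.klauncher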
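--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none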
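--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none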
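--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 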
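Review bot: `ld.so.preload` is now copied into the private /etc of a profile that also restricts libraries with `private-lib libreadline.so.*`, and nothing in the hunk ensures that a library named in the host's /etc/ld.so.preload is present in that reduced library set. If it is missing, the dynamic loader would presumably complain on every start that the object cannot be preloaded, so the combination is worth testing on a host with a non-empty ld.so.preload. The same pairing appears in artha.profile, blobby.profile and clawsker.profile in this commit. A comment such as `# ld.so.preload: libraries listed there must also be reachable under private-lib` next to the line would record the dependency.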
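--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 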
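--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.preload,machine-id
 private-lib libnotify.so.*
 private-tmp
 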
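--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,login.defs,passwd
+private-etc alternatives,group,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect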
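--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit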
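--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter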
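--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 # makes settings immutable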
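--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
+read-only ${HOME}/.mozilla/firefox/profiles.ini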
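--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
 # private-bin bibletime,qt5ct
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
 
 dbus-user none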
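--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
 
 # Redirect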
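--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,mono
+private-etc alternatives,fonts,ld.so.preload,mono
 private-tmp
 
 dbus-user none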
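--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse
 private-lib
 private-tmp
 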
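--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-tmp
 
 dbus-user none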
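--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile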
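--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none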
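Review bot: `ignore noexec ${HOME}` and `ignore noexec /tmp` at the top of the new file lift the exec restriction for every build tool that redirects here, yet unlike the `allow-bin-sh.inc` and `allow-common-devel.inc` includes just below them they carry no comment saying why. A line such as `# Build tools execute files they generate under ${HOME} and /tmp` above the pair would make the relaxation explicit and easier to audit. The commented-out `# net none` above `netfilter` could likewise state when a user should enable it, since `protocol unix,inet,inet6` leaves network access on by default.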
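--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile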
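--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 # dbus-user none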
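--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
 
-ignore noexec ${HOME}
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.cargo/bin
 
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
 
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile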
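Review bot: `ignore read-only ${HOME}/.cargo/bin` near the top of the new side keeps that directory writable from inside the sandbox, as the removed `read-write ${HOME}/.cargo/bin` did, and the line has no comment explaining it. The read-only rule it overrides is defined outside this hunk (presumably in one of the disable includes), so a reader cannot tell what is being undone; `# cargo install writes binaries here (made read-only by an included profile)` above the line would cover it. Because files placed in that directory are typically run later outside the sandbox, the comment is also the place to say that the write access is deliberate.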
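--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # dbus-user none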
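--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -53,7 +53,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 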
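--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,24 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /run/udev/data
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +37,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none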
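Review bot: `include allow-python3.inc` at the top of the first hunk lifts the interpreter blacklist without the one-line reason that other profiles in this commit give (bundle.profile has `# Allow ruby (blacklisted by disable-interpreters.inc)`). Adding `# Allow python (blacklisted by disable-interpreters.inc)` above it would match that convention, ideally with a word on which component needs Python, since `private-bin cheese` in the second hunk does not admit a python binary. The second hunk also adds `nosound`; if the application is expected to record audio along with video, that is worth confirming before it ships.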
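--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 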
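--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile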
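Review bot: The new cmake.profile is a copy of the cargo profile whose identifiers were not updated: line 1 says `# Firejail profile for cargo`, line 2 describes it as `The Rust package manager`, and line 6 reads `include cargo.local`. The last one is functional, not cosmetic: a user's cmake.local is never read, and whatever overrides sit in cargo.local are applied to cmake instead. It should be `include cmake.local`, with the header changed to `# Firejail profile for cmake` and a `# Description:` line that describes cmake.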
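--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl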
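--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile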
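--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile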
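--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # Settings are immutable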
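Review bot: The rewritten `private-etc` line still has a space instead of a comma between `machine-id` and `mime.types`, so the comma-separated list is broken at that point. Since the line is being edited anyway, it should read `...,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,...`. How the parser treats the embedded space is not visible here; presumably either `machine-id mime.types` is taken as a single name or the rest of the list is dropped, and in both cases files the profile means to keep would be missing from the private /etc.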
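--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc dconf,fonts,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user filter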
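--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload
 private-tmp
 
 read-only ${HOME}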
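--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl
 private-tmp
 
 dbus-user none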
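--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none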
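--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)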
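--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.preload
 private-lib libpcre*
 private-tmp
 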
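--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id
 private-lib
 private-tmp
 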
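--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.preload
 private-lib
 private-tmp
 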
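--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 dbus-user none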
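--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 private-tmp
 
 # makes settings immutable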
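--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-lib gconv
 private-tmp
 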
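--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 
 join-or-start discord
 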
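Review bot: The new `private-etc` list still carries `password`, which is presumably meant to be `passwd`; there is normally no `/etc/password`, so the entry would bring nothing into the sandbox. The segment should read `machine-id,passwd,pki`. If the profile is known to work without the user database, the entry could be dropped instead, but that is a behaviour decision for the maintainers to confirm.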
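--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none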
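--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 
 dbus-user none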
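--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp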
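--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 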
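--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 # dbus-user none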
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 03fd9033a..8673b65ca 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg | |||
12 | noblacklist ${HOME}/.mozilla | 12 | noblacklist ${HOME}/.mozilla |
13 | noblacklist ${HOME}/.signature | 13 | noblacklist ${HOME}/.signature |
14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
16 | noblacklist ${HOME}/Mail | 16 | noblacklist ${HOME}/Mail |
17 | 17 | ||
18 | noblacklist ${DOCUMENTS} | 18 | noblacklist ${DOCUMENTS} |
@@ -66,7 +66,7 @@ tracelog | |||
66 | # disable-mnt | 66 | # disable-mnt |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | # encrypting and signing email | 71 | # encrypting and signing email |
72 | writable-run-user | 72 | writable-run-user |
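Review bot: Two entries in the updated `private-etc` list of the second hunk look misspelled: `groups` (the file is normally `/etc/group`) and `hosts.conf` (normally `/etc/host.conf`). Names that match nothing are presumably skipped, so the mail clients that include this profile would see neither file inside the sandbox. Suggested segments: `gnupg,group,gtk-2.0` and `hosts,host.conf,ld.so.preload`.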
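--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-lib
 private-tmp
 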
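--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp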
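--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 
 private-bin eog
 
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog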
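--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none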
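--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,9 +54,9 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # dbus-user filtering might break two-page-view on some systems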
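--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none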
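--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -46,7 +46,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 # dbus-user filter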
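--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl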
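--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.preload
 private-tmp
 
 dbus-user none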
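--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,asound.conf,group,ld.so.preload
 
 # Redirect
 include ffmpeg.profile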
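--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg
 # private-tmp
 
 dbus-system none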
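--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
 
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none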
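Review bot: The second hunk puts the two tray-related D-Bus rules behind `?ALLOW_TRAY:` but adds no comment saying what the conditional controls or what stops working when it is off. `dbus-user.own org.kde.*` is also a broad grant, since it lets the sandboxed process claim any name under `org.kde` once the tray is allowed, so the reason for the wildcard deserves a line. A comment such as `# tray icon: talk to the watcher and own an org.kde.* item name, only when ALLOW_TRAY is set` above the two lines would make the scope explicit.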
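--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
 include electron.profile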
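--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc ld.so.preload,machine-id
 private-tmp
 
 dbus-user none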
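--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 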
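--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib
 private-tmp
 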
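--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc gallery-dl.conf
+private-etc gallery-dl.conf,ld.so.preload
 
 # Redirect
 include youtube-dl.profile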
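--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.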
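Review bot: `private-etc ld.so.preload,none` mixes a real file name with the `none` placeholder that the old line appears to have used to get an empty `/etc`. With a real entry in the list the placeholder no longer serves a purpose, and it now reads as if `none` were a file to keep. `private-etc ld.so.preload` states the intent more plainly.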
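--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none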
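--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
 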
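--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter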
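--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
+private-etc alternatives,group,ld.so.preload,lsb-release,passwd
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5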
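Review bot: The last hunk disables `private-bin` and deletes `private-lib` and `private-opt none`, and the first hunk un-blacklists `/sbin` and `/usr/sbin`, so the profile confines noticeably less than before, yet the only explanation is the bare `-- #4576` tag. Someone auditing the profile cannot tell which restriction actually broke the program or which binary under `/sbin` it needs. A comment above the `noblacklist` lines naming the required tool, and a fuller note on the disabled line, for example `#private-bin bash,geekbench*,sh -- <symptom>, see #4576` with the real symptom filled in, would let the restrictions be restored later. The deleted `memory-deny-write-execute` note could stay as a comment so the option is not re-enabled blindly.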
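--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
 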
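--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-tmp
 
 dbus-user none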
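--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 writable-run-user
 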
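--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp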
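--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 writable-run-user
 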
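--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter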
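--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload
 private-tmp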
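--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
 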
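--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none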
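--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive
 
 dbus-system none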
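--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log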
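--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
 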
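Review bot: The rewritten `private-etc` line still lists `fonts` twice (`dconf,fonts,fonts,gtk-3.0`). Since the line is being edited anyway, drop the duplicate so it reads `private-etc alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg`. This is a point of style; the duplicate presumably has no effect on the resulting /etc.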
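--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,passwd
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd
 private-tmp
 
 dbus-user filter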
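--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 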
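--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 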
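--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter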
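--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp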
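--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log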
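--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg
 private-tmp
 
 dbus-user filter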
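--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11
 private-tmp
 
 dbus-user filter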
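--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,pango,X11
+private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11
 private-tmp
 
 dbus-user filter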
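--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc drirc,fonts,gtk-2.0
+private-etc drirc,fonts,gtk-2.0,ld.so.preload
 private-tmp
 
 dbus-user none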
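--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none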
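--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none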
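Review bot: The `protocol unix,inet,inet6,netlink` line of this new profile allows netlink sockets without saying why, while the other relaxation in the file (`#no3d`) carries a comment with its reason. If GoldenDict does not need netlink, tighten the line to `protocol unix,inet,inet6`; if it does, add a comment above it naming what breaks without it, in the style of the no3d comment. The header also lacks the `# Description:` line that inkscape.profile in this commit has.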
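--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin env,python3*,sh,w3m
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none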
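--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.preload,passwd
 private-lib
 private-tmp
 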
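--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 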
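--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter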
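--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc fonts,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none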
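--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-tmp
 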
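Review bot: `private-etc ld.so.preload,none` mixes a real file name with the `none` placeholder, which until now stood alone to request an empty /etc. The same combination appears in ipcalc.profile and jumpnbump.profile below, and in ipcalc the comment `# empty etc directory` above the line is no longer true once the host has an /etc/ld.so.preload. If `none` is only a name that is not expected to exist in /etc (to be confirmed against the private-etc implementation), the line can be written `private-etc ld.so.preload` and the ipcalc comment changed to `# etc directory containing only ld.so.preload`.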
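--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -46,7 +46,7 @@ shell none
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
 
 # dbus-user none
 # dbus-system none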
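--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
 private-cache
 private-cwd ${HOME}
 private-dev
-private-etc fonts,machine-id
+private-etc fonts,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none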
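--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -68,5 +68,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp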
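--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions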
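Review bot: `quiet` is added as the first directive of the profile with no comment giving the reason. Because it suppresses firejail's own messages, including the warnings a user relies on when a sandboxed program misbehaves, the motivation should be recorded next to it, for example `# quiet: <reason, with issue number>` on the line above. The rest of the profile is outside this hunk.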
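--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-opt none
 private-tmp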
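--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
 
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc fonts,gtk-2.0,gtk-3.0
+private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload
 private-tmp
 
 dbus-user none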
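--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-tmp
 
 dbus-user none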
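--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc fonts,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none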
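--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg
 private-tmp
 
 dbus-system none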
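--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin kcalc
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 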
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 7c9be2bcc..fa50b0a20 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -48,7 +48,7 @@ shell none | |||
48 | tracelog | 48 | tracelog |
49 | 49 | ||
50 | disable-mnt | 50 | disable-mnt |
51 | private-bin kdiff3 | 51 | private-bin kdiff3 |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | 54 | ||
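--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none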
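--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -88,7 +88,7 @@ tracelog
 
 private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user filter
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
 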
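Review bot: The two `?ALLOW_TRAY:` lines in the second hunk replace a commented-out opt-in that came with an explanation by a conditional that has none. `dbus-user.own org.kde.*` lets the sandboxed password manager claim any name under org.kde on the session bus whenever the conditional is true, which is a wider grant than the watcher `talk` rule next to it. Restore the explanation above them, for example `# Tray menu: active only when ALLOW_TRAY is set; owns org.kde.* on the session bus`, so a reader can see the grant is deliberate and where it is switched on.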
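--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none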
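--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -44,7 +44,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none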
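--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-tmp
 private-opt none
 private-srv none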
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 051782172..78eb2e8f5 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin ktouch | 46 | private-bin ktouch |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,kde5rc,machine-id | 49 | private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user none |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 262ffb532..ad6b2f5fe 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -68,7 +68,7 @@ tracelog | |||
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
70 | private-dev | 70 | private-dev |
71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg | 71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
72 | private-tmp | 72 | private-tmp |
73 | writable-run-user | 73 | writable-run-user |
74 | 74 | ||
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 5bbadfc73..32e9870e5 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
@@ -42,5 +42,5 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin kwin_x11 | 43 | private-bin kwin_x11 |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg | 45 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg |
46 | private-tmp | 46 | private-tmp |
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index 682c7782d..cd5ce7034 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
@@ -46,7 +46,7 @@ tracelog | |||
46 | 46 | ||
47 | private-bin kbuildsycoca4,kdeinit4,kwrite | 47 | private-bin kbuildsycoca4,kdeinit4,kwrite |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 49 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | # dbus-user none | 52 | # dbus-user none |
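--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc
 #private-etc librewolf
 
 dbus-user filter
+dbus-user.own org.mozilla.librewolf.*
 # Add the next line to your librewolf.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your librewolf.local to allow inhibiting screensavers.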
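Review bot: `dbus-user.own org.mozilla.librewolf.*` is added without a comment, while each talk rule directly below it has one. A wildcard own rule that is on by default deserves a line stating its purpose, for example `# Allow the browser to own its own bus names` (adjusted to the actual reason, which the hunk does not show). The profile continues outside the hunk.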
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index bd28f25d6..dac3eaee3 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
@@ -47,11 +47,11 @@ shell none | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. | 50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. |
51 | private-bin sh | 51 | private-bin sh |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
55 | # Add the next line to your links-common.local to allow external media players. | 55 | # Add the next line to your links-common.local to allow external media players. |
56 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 56 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
57 | private-tmp | 57 | private-tmp |
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index a187ca0fc..a590c5fb7 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
@@ -37,6 +37,6 @@ seccomp | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index fa69463d1..3213f3674 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -32,7 +32,7 @@ apparmor | |||
32 | machine-id | 32 | machine-id |
33 | 33 | ||
34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex | 34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex |
35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg | 35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg |
36 | 36 | ||
37 | # Redirect | 37 | # Redirect |
38 | include latex-common.profile | 38 | include latex-common.profile |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index 15cb931dd..235640eeb 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -50,6 +50,6 @@ tracelog | |||
50 | disable-mnt | 50 | disable-mnt |
51 | private-bin gio,QOwnNotes | 51 | private-bin gio,QOwnNotes |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index 866d57e67..ca7165a5d 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
@@ -33,5 +33,5 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin awk,bash,dig,sh,Viber | 35 | private-bin awk,bash,dig,sh,Viber |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index 1acd43023..722e12d9c 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile | |||
@@ -43,5 +43,5 @@ private | |||
43 | # private-bin sh,xkbcomp,Xvfb | 43 | # private-bin sh,xkbcomp,Xvfb |
44 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb | 44 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf | 46 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf |
47 | private-tmp | 47 | private-tmp |
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index fc5ae3ee9..b7cba2421 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin magicor,python2* | 45 | private-bin magicor,python2* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc machine-id | 48 | private-etc ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
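--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile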
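Review bot: `memory-deny-write-execute` is set for make with no hint about what to do when a build step trips over it. make mostly runs other programs, and assuming the restriction is inherited by the commands it launches, a recipe that starts a JIT-based tool or anything needing writable-executable mappings would fail in a way that is hard to trace back to this line. A comment such as `# Add 'ignore memory-deny-write-execute' to your make.local if a build step needs writable+executable memory` above the option would give users the way out. Whether `build-systems-common.profile` already accounts for this is not visible on the page.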
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index b2f761230..b6038cc91 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -58,7 +58,7 @@ disable-mnt | |||
58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 61 | private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg |
62 | #private-tmp | 62 | #private-tmp |
63 | 63 | ||
64 | dbus-user none | 64 | dbus-user none |
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index e61578ffe..dc2088a18 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts | 39 | private-etc alternatives,fonts,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index 64b184482..cb14c6584 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin mate-calc,mate-calculator | 44 | private-bin mate-calc,mate-calculator |
45 | private-etc alternatives,dconf,fonts,gtk-3.0 | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload |
46 | private-dev | 46 | private-dev |
47 | private-opt none | 47 | private-opt none |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index a6b49315c..97793abd5 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile | |||
@@ -33,7 +33,7 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin mate-color-select | 35 | private-bin mate-color-select |
36 | private-etc alternatives,fonts | 36 | private-etc alternatives,fonts,ld.so.preload |
37 | private-dev | 37 | private-dev |
38 | private-lib | 38 | private-lib |
39 | private-tmp | 39 | private-tmp |
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index 3f3d027b9..cb0002af6 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin mate-dictionary | 39 | private-bin mate-dictionary |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl |
41 | private-opt mate-dictionary | 41 | private-opt mate-dictionary |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index 7592d879c..87083f1e3 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile | |||
@@ -31,4 +31,4 @@ shell none | |||
31 | 31 | ||
32 | private-bin mcabber | 32 | private-bin mcabber |
33 | private-dev | 33 | private-dev |
34 | private-etc alternatives,ca-certificates,crypto-policies,pki,ssl | 34 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl |
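--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-lib
 private-tmp
 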
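Review bot: `private-etc ld.so.preload,none` keeps the `none` entry, which in the old line stood alone, apparently as a placeholder for an otherwise empty /etc. Next to a real entry it reads as if a file called `none` were wanted; if it is only a placeholder, `private-etc ld.so.preload` states the intent directly. The line looks like the result of a mechanical insertion, so other profiles that used `private-etc none` are worth checking for the same leftover. This profile also sets `private-lib`, so any library listed in the preload file may be absent inside the sandbox.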
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index 7597d4067..9403321e2 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile | |||
@@ -42,7 +42,7 @@ x11 none | |||
42 | private-bin mediainfo | 42 | private-bin mediainfo |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives | 45 | private-etc alternatives,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index 4845e9cce..f9f7db3cb 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile new file mode 100644 index 000000000..b4909a9d8 --- /dev/null +++ b/etc/profile-m-z/meson.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for meson | ||
2 | # Description: A high productivity build system | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include meson.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Allow python3 (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python3.inc | ||
12 | |||
13 | # Redirect | ||
14 | include build-systems-common.profile | ||
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 34d9f470a..095038f08 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile | |||
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta | |||
17 | private-opt microsoft | 17 | private-opt microsoft |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include chromium-common.profile \ No newline at end of file | 20 | include chromium-common.profile |
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index ad7e40b12..bcc7b232b 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin mindless | 42 | private-bin mindless |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts | 45 | private-etc fonts,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index c47a16ffd..133a17350 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin mirrormagic | 44 | private-bin mirrormagic |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc machine-id | 47 | private-etc ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index dbc3c1d40..79f603f92 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin mocp | 42 | private-bin mocp |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl | 45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index f0063d250..445691f6a 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | private-bin mp3splt-gtk | 37 | private-bin mp3splt-gtk |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse | 40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index 400d8a6b6..4d6109250 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt | 44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives | 47 | private-etc alternatives,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index 10964ef24..597390914 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile | |||
@@ -49,7 +49,7 @@ shell none | |||
49 | private-bin mpDris2,notify-send,python* | 49 | private-bin mpDris2,notify-send,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,hosts,nsswitch.conf | 52 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf |
53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* | 53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index fa433b672..74402a8de 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,7 +11,7 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerfull lua-API, some off these lua-scripts interact | 14 | # Mpv has a powerful lua-API, some off these lua-scripts interact |
15 | # with external resources which are blocked by firejail. In such cases | 15 | # with external resources which are blocked by firejail. In such cases |
16 | # you need to allow these resources by | 16 | # you need to allow these resources by |
17 | # - adding additional binaries to private-bin | 17 | # - adding additional binaries to private-bin |
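Review bot: The corrected comment line still reads `some off these lua-scripts`; `off` should be `of`. While the line is being touched, `lua-API` and `lua-scripts` could also be written `Lua API` and `Lua scripts`.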
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index 530e779fc..16dc97d0c 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin love,mrrescue,sh | 53 | private-bin love,mrrescue,sh |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc machine-id | 56 | private-etc ld.so.preload,machine-id |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index ad12f53a4..7b4a305e9 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile | |||
@@ -35,7 +35,7 @@ tracelog | |||
35 | 35 | ||
36 | disable-mnt | 36 | disable-mnt |
37 | private-bin bash,env,fonts,jak,ms-office,python*,sh | 37 | private-bin bash,env,fonts,jak,ms-office,python*,sh |
38 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl | 38 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile index a04d386a2..b95ab2194 100644 --- a/etc/profile-m-z/mupdf-x11-curl.profile +++ b/etc/profile-m-z/mupdf-x11-curl.profile | |||
@@ -12,7 +12,7 @@ ignore net none | |||
12 | netfilter | 12 | netfilter |
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | 14 | ||
15 | private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl | 15 | private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include mupdf.profile | 18 | include mupdf.profile |
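--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,9 +29,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl
 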
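Review bot: `seccomp !chroot` takes chroot out of the syscall filter for this profile, and nothing in the hunk says why the application needs it. A relaxation of the seccomp list should carry its reason on the line above, for example `# chroot is needed by <component> (see <issue-id>)`, so a later audit can tell whether the exception is still required. If the call comes from the application's own internal sandbox, saying so in the comment also records which protection is being traded for which.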
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index c4d96711c..fb923051f 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -134,7 +134,7 @@ tracelog | |||
134 | # disable-mnt | 134 | # disable-mnt |
135 | private-cache | 135 | private-cache |
136 | private-dev | 136 | private-dev |
137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg | 137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg |
138 | private-tmp | 138 | private-tmp |
139 | writable-run-user | 139 | writable-run-user |
140 | writable-var | 140 | writable-var |
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index 1b4fc4346..bf01aaa0e 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0 | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 996a1722a..23a30bf97 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile | |||
@@ -49,7 +49,7 @@ private-dev | |||
49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. | 49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. |
50 | #ignore private-etc | 50 | #ignore private-etc |
51 | #writable-etc | 51 | #writable-etc |
52 | private-etc alternatives,nanorc | 52 | private-etc alternatives,ld.so.preload,nanorc |
53 | # Add the next line to your nano.local if you want to edit files in /var directly. | 53 | # Add the next line to your nano.local if you want to edit files in /var directly. |
54 | #writable-var | 54 | #writable-var |
55 | 55 | ||
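--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none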
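Review bot: The `?ALLOW_TRAY:` prefix makes the StatusNotifierWatcher rule depend on a setting defined outside this profile, and the hunk has no comment telling users where that setting lives. Access that used to be granted unconditionally will presumably disappear for existing users until the conditional is enabled, so a line such as `# Tray icon support is controlled by the ALLOW_TRAY conditional (see <config-file>)` above the rule would help. The same applies to the nextcloud and nheko hunks, where the earlier hint about adding the rule to the `.local` file is removed or rewritten.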
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 7e627a52e..1e59a1490 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -137,7 +137,7 @@ tracelog | |||
137 | # disable-mnt | 137 | # disable-mnt |
138 | private-cache | 138 | private-cache |
139 | private-dev | 139 | private-dev |
140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg | 140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg |
141 | private-tmp | 141 | private-tmp |
142 | writable-run-user | 142 | writable-run-user |
143 | writable-var | 143 | writable-var |
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index 1bcc6a962..57f026a0b 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin netactview,netactview_polkit | 45 | private-bin netactview,netactview_polkit |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.preload |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index fa4ccea7c..34c6110cf 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gzip,lynx,newsboat,sh,w3m | 53 | private-bin gzip,lynx,newsboat,sh,w3m |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo | 56 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
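--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,12 +61,11 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# Add the next line to your nextcloud.local for tray icon support
-#dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none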
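--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,9 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-
-# Add the next lines to your nheko.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none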
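Review bot: The new `dbus-user.talk org.freedesktop.secrets` rule, together with the switch from `dbus-user none` to `dbus-user filter`, widens this profile's default D-Bus access without a comment saying why. That name lets the sandboxed client talk to the user's secret service, so a compromised client can ask the keyring for whatever an unlocked collection will hand out. A one-line justification above the rule would do, e.g. `# secret service: needed for stored login tokens` if that is the actual reason (an assumption; confirm against the application). spectral.profile makes the same `none` to `filter` switch in this commit, without the secrets rule.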
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index d5dd4ca95..d6234cd04 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui | 42 | private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl | 45 | private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl |
46 | # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare | 46 | # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index b044fb879..0bed12b1f 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile | |||
@@ -41,5 +41,5 @@ tracelog | |||
41 | #private-bin nomacs | 41 | #private-bin nomacs |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl | 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl |
45 | private-tmp | 45 | private-tmp |
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index 5caf3374d..a7bb93a02 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin notify-send | 49 | private-bin notify-send |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc none | 52 | private-etc ld.so.preload,none |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user filter | 55 | dbus-user filter |
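Review bot: `private-etc ld.so.preload,none` mixes a real file name with `none`, so the line no longer reads as "empty /etc". If `none` is only a placeholder for a file that does not exist (it looks that way, but the parser is not shown here), it is now redundant and `private-etc ld.so.preload` says the same thing; if it is a keyword, combining it with a file name needs explaining. Either way a comment such as `# /etc is empty apart from ld.so.preload` would make the intent clear. qrencode.profile gets the same line in this commit.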
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile index 886403b9e..9e3093ea7 100644 --- a/etc/profile-m-z/nuclear.profile +++ b/etc/profile-m-z/nuclear.profile | |||
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear | |||
18 | no3d | 18 | no3d |
19 | 19 | ||
20 | # private-bin nuclear | 20 | # private-bin nuclear |
21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt nuclear | 22 | private-opt nuclear |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index 460a580b3..9b431d76d 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin nyx,python* | 45 | private-bin nyx,python* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,passwd,tor | 48 | private-etc alternatives,fonts,ld.so.preload,passwd,tor |
49 | private-opt none | 49 | private-opt none |
50 | private-srv none | 50 | private-srv none |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 8e87f1d5d..0bfb35333 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | private-bin ocenaudio | 45 | private-bin ocenaudio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 48 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # breaks preferences | 51 | # breaks preferences |
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 22cec475b..7d2374ccf 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile | |||
@@ -38,7 +38,7 @@ x11 none | |||
38 | private-bin odt2txt | 38 | private-bin odt2txt |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives | 41 | private-etc alternatives,ld.so.preload |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 84edc65ef..0a200b46e 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
@@ -61,7 +61,7 @@ tracelog | |||
61 | 61 | ||
62 | private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar | 62 | private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar |
63 | private-dev | 63 | private-dev |
64 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg | 64 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg |
65 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 65 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
66 | 66 | ||
67 | # dbus-user none | 67 | # dbus-user none |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index b0ffba19c..e70e5e81e 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-cache | 50 | private-cache |
51 | private-bin onboard,python*,tput | 51 | private-bin onboard,python*,tput |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg | 53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-system none | 56 | dbus-system none |
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 076a655a1..de334defd 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity | 43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg | 46 | private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
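--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,15 +42,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.preload,texlive,texmf
 private-tmp
 
 dbus-user none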
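Review bot: Dropping the `private-bin` line in the last hunk leaves the sandbox with every executable the blacklists do not hide, where before it saw nine named converters, and nothing records the reason. For a tool that is routinely fed documents from elsewhere this is a real loosening, only partly offset by the added `seccomp.block-secondary`. If the list was removed because it kept breaking helper programs, say so where the line used to be, in the style the profile already uses for `whitelist-var-common.inc`: a `# breaks ...` comment followed by the old line commented out. The first hunk's `include allow-bin-sh.inc` also sits next to the retained `include disable-shell.inc` and `shell none`, so a comment naming what needs `sh` would help the next reader.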
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index 33d75f0d2..a4737d388 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile | |||
@@ -27,4 +27,4 @@ shell none | |||
27 | 27 | ||
28 | private-bin dbus-launch,parole | 28 | private-bin dbus-launch,parole |
29 | private-cache | 29 | private-cache |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl |
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index 0bd14e88e..76f1c9704 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin pavucontrol | 45 | private-bin pavucontrol |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse | 48 | private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
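Review bot: This profile also sets `private-lib`, so making `ld.so.preload` visible can point the loader at a library the sandbox does not contain. If the host's file names a library that `private-lib` does not bring in, the loader reports at every program start that the object cannot be preloaded and skips it, unless the `private-lib` handling already copies preloaded libraries (not visible here). Worth testing on a host with a non-empty `/etc/ld.so.preload`, or noting the limitation in a comment next to `private-lib`. qrencode.profile (`private-lib libpcre*`) and regextester.profile (`private-lib libgranite.so.*`) are in the same position.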
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index bebd4ba44..400fc3d77 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | 34 | ||
35 | private-bin pdfchain,pdftk,sh | 35 | private-bin pdfchain,pdftk,sh |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,dconf,fonts,gtk-3.0,xdg | 37 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index 0cb08aa74..b1c2dfb1c 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin pdftotext | 48 | private-bin pdftotext |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives | 51 | private-etc alternatives,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index a8f925313..e216742a4 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
@@ -48,7 +48,7 @@ tracelog | |||
48 | disable-mnt | 48 | disable-mnt |
49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh | 49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh |
50 | private-dev | 50 | private-dev |
51 | private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 | 51 | private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11 |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user filter | 54 | dbus-user filter |
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index c012504c4..c0d0ae4df 100644 --- a/etc/profile-m-z/photoflare.profile +++ b/etc/profile-m-z/photoflare.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin photoflare | 43 | private-bin photoflare |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11 | 46 | private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 5b2d7a5a4..fb50e66ca 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin pingus,pingus.bin,sh | 50 | private-bin pingus,pingus.bin,sh |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc machine-id | 53 | private-etc ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
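--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile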
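Review bot: `include meson.local` on line 6 looks like a leftover from the profile this file was copied from; a pip profile should read `include pip.local`. As written, a user's pip.local is never loaded, so any hardening placed there is silently skipped, and whatever meson.local contains, including relaxations meant for a build tool, is applied to pip instead. `ignore read-only ${HOME}/.local/lib` also leaves that tree writable for a program that runs package install code, so it deserves a comment such as `# pip writes user-site packages here` (assumed reason; confirm).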
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index c2707dac4..23e21f347 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin pkglog,python* | 44 | private-bin pkglog,python* |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives | 47 | private-etc alternatives,ld.so.preload |
48 | private-opt none | 48 | private-opt none |
49 | private-tmp | 49 | private-tmp |
50 | writable-var-log | 50 | writable-var-log |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 80f768170..a6b0768f1 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin plv | 46 | private-bin plv |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts | 49 | private-etc alternatives,fonts,ld.so.preload |
50 | private-opt none | 50 | private-opt none |
51 | private-tmp | 51 | private-tmp |
52 | writable-var-log | 52 | writable-var-log |
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 0b3d2b44c..534cc5943 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -47,7 +47,7 @@ x11 none | |||
47 | private-bin pngquant | 47 | private-bin pngquant |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives | 50 | private-etc alternatives,ld.so.preload |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user none | 53 | dbus-user none |
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index bc0ff0e85..c9793433e 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile | |||
@@ -33,6 +33,6 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index 705af370b..af0ca5d8f 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile | |||
@@ -44,7 +44,7 @@ shell none | |||
44 | private-bin profanity | 44 | private-bin profanity |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl | 47 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index 450bb10c7..99a72adee 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile | |||
@@ -71,7 +71,7 @@ disable-mnt | |||
71 | private-bin getopt,psi | 71 | private-bin getopt,psi |
72 | private-cache | 72 | private-cache |
73 | private-dev | 73 | private-dev |
74 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 74 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
75 | private-tmp | 75 | private-tmp |
76 | 76 | ||
77 | dbus-user none | 77 | dbus-user none |
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index 3dc232b55..4ebd556d6 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index 4eee0df5f..89cb5baa8 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile | |||
@@ -47,7 +47,7 @@ tracelog | |||
47 | private-bin 7z,qnapi | 47 | private-bin 7z,qnapi |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,fonts | 50 | private-etc alternatives,fonts,ld.so.preload |
51 | private-opt none | 51 | private-opt none |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index 7ef676068..691449b9f 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin qrencode | 47 | private-bin qrencode |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc none | 50 | private-etc ld.so.preload,none |
51 | private-lib libpcre* | 51 | private-lib libpcre* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index bae802cc6..60e1539fa 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin qtox | 43 | private-bin qtox |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 1de59bc7c..6b9144791 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin regextester | 43 | private-bin regextester |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts | 46 | private-etc alternatives,fonts,ld.so.preload |
47 | private-lib libgranite.so.* | 47 | private-lib libgranite.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index 23a65f54a..e49f10b7b 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin rsync | 49 | private-bin rsync |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index 1069c34ea..d256b2efe 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin scorchwentbonkers | 43 | private-bin scorchwentbonkers |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alsa,asound.conf,machine-id,pulse | 46 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index af7d5eeac..cb3378597 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile | |||
@@ -48,7 +48,7 @@ private | |||
48 | private-bin bash,dash,python*,seahorse-adventures,sh | 48 | private-bin bash,dash,python*,seahorse-adventures,sh |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc machine-id | 51 | private-etc ld.so.preload,machine-id |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index 96ff74edf..f08b852db 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile | |||
@@ -8,7 +8,7 @@ include seahorse-tool.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # private-etc workaround for: #2877 | 10 | # private-etc workaround for: #2877 |
11 | private-etc firejail,login.defs,passwd | 11 | private-etc firejail,ld.so.preload,login.defs,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index b6a828636..304a1cda2 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | private-bin shotwell | 49 | private-bin shotwell |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,fonts,machine-id | 52 | private-etc alternatives,fonts,ld.so.preload,machine-id |
53 | private-opt none | 53 | private-opt none |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile index 51f6c8b00..a511ebb1c 100644 --- a/etc/profile-m-z/slack.profile +++ b/etc/profile-m-z/slack.profile | |||
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack | |||
26 | whitelist ${HOME}/.config/Slack | 26 | whitelist ${HOME}/.config/Slack |
27 | 27 | ||
28 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack | 28 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack |
29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe | 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe |
30 | 30 | ||
31 | # Redirect | 31 | # Redirect |
32 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile index 31d14924c..0cdb5537e 100644 --- a/etc/profile-m-z/smuxi-frontend-gnome.profile +++ b/etc/profile-m-z/smuxi-frontend-gnome.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome | 48 | private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index ebdd5c1f8..47468a531 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -6,9 +6,9 @@ include softmaker-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # The offical packages install the desktop file under /usr/local/share/applications | 9 | # The official packages install the desktop file under /usr/local/share/applications |
10 | # with an absolute Exec line. These files are NOT handelt by firecfg, | 10 | # with an absolute Exec line. These files are NOT handled by firecfg, |
11 | # therefore you must manualy copy them in you home and remove '/usr/bin/'. | 11 | # therefore you must manually copy them in you home and remove '/usr/bin/'. |
12 | 12 | ||
13 | noblacklist ${HOME}/SoftMaker | 13 | noblacklist ${HOME}/SoftMaker |
14 | 14 | ||
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index d803fa5ce..fc4ae2b04 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
@@ -22,7 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | mkfile ${HOME}/.config/spectaclerc | 25 | mkfile ${HOME}/.config/spectaclerc |
26 | whitelist ${HOME}/.config/spectaclerc | 26 | whitelist ${HOME}/.config/spectaclerc |
27 | whitelist ${PICTURES} | 27 | whitelist ${PICTURES} |
28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd | 28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd |
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin spectacle | 56 | private-bin spectacle |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | dbus-user filter | 62 | dbus-user filter |
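--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none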
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index ffee76d23..0ce918161 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity | 44 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity |
45 | private-dev | 45 | private-dev |
46 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. | 46 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. |
47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
48 | private-opt spotify | 48 | private-opt spotify |
49 | private-srv none | 49 | private-srv none |
50 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index e35f74404..21a77a0d1 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | private-bin sqlitebrowser | 42 | private-bin sqlitebrowser |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # breaks proxy creation | 48 | # breaks proxy creation |
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index d54ddacdd..7a59274bf 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
@@ -38,7 +38,7 @@ seccomp !chroot | |||
38 | disable-mnt | 38 | disable-mnt |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg | 41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
44 | dbus-system none | 44 | dbus-system none |
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index d73927f2a..513abc21b 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer | |||
18 | private-bin gtk-straw-viewer,straw-viewer | 18 | private-bin gtk-straw-viewer,straw-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index dfb0a3e3b..50ecc3432 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin strawberry,strawberry-tagreader | 43 | private-bin strawberry,strawberry-tagreader |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl | 46 | private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 100ac9d14..65cb678d0 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | 44 | ||
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts | 47 | private-etc alternatives,fonts,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 0e9113821..323849e35 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | disable-mnt | 45 | disable-mnt |
46 | # private-bin supertux2 | 46 | # private-bin supertux2 |
47 | private-cache | 47 | private-cache |
48 | private-etc machine-id | 48 | private-etc ld.so.preload,machine-id |
49 | private-dev | 49 | private-dev |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 7ba7e7023..5b5b4aae5 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile | |||
@@ -54,7 +54,7 @@ private-bin supertuxkart | |||
54 | private-cache | 54 | private-cache |
55 | # Add the next line to your supertuxkart.local if you do not need controller support. | 55 | # Add the next line to your supertuxkart.local if you do not need controller support. |
56 | #private-dev | 56 | #private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl |
58 | private-tmp | 58 | private-tmp |
59 | private-opt none | 59 | private-opt none |
60 | private-srv none | 60 | private-srv none |
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index 7c092fccc..cfecb6f62 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile | |||
@@ -34,6 +34,6 @@ tracelog | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop | 35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile index 4637419bf..046d1b4be 100644 --- a/etc/profile-m-z/sway.profile +++ b/etc/profile-m-z/sway.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Sway | 1 | # Firejail profile for Sway |
2 | # Description: i3-compatible Wayland compositor | 2 | # Description: i3-compatible Wayland compositor |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include sway.local | 5 | include sway.local |
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index ac4a380bb..c7119ae0f 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile | |||
@@ -63,7 +63,7 @@ disable-mnt | |||
63 | #private-bin sysprof - breaks help menu | 63 | #private-bin sysprof - breaks help menu |
64 | private-cache | 64 | private-cache |
65 | private-dev | 65 | private-dev |
66 | private-etc alternatives,fonts,ld.so.cache,machine-id,ssl | 66 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl |
67 | # private-lib - breaks help menu | 67 | # private-lib - breaks help menu |
68 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so | 68 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so |
69 | private-tmp | 69 | private-tmp |
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index 0d3a900e9..388805f31 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile | |||
@@ -14,7 +14,7 @@ ignore include disable-shell.inc | |||
14 | # all capabilities this is automatically read-only. | 14 | # all capabilities this is automatically read-only. |
15 | noblacklist /var/lib/pacman | 15 | noblacklist /var/lib/pacman |
16 | 16 | ||
17 | private-etc alternatives,group,localtime,login.defs,passwd | 17 | private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd |
18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* | 18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* |
19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
20 | writable-var | 20 | writable-var |
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index c97921d92..310c440b1 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile | |||
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux | |||
20 | whitelist ${HOME}/.config/teams-for-linux | 20 | whitelist ${HOME}/.config/teams-for-linux |
21 | 21 | ||
22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh | 22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh |
23 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl | 23 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl |
24 | 24 | ||
25 | # Redirect | 25 | # Redirect |
26 | include electron.profile | 26 | include electron.profile |
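--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -41,16 +41,16 @@ seccomp.block-secondary
 shell none
 
 disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none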
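Review bot: The newly enabled `private-bin telegram,Telegram,telegram-desktop` line has no comment saying what stops working when only these three binaries exist in the sandbox. It is a real tightening bundled into an otherwise mechanical `ld.so.preload` change, and any helper Telegram starts (opening links or files, for instance) would presumably no longer be found. I would add a comment above it such as `# private-bin may break helpers started by Telegram; add 'ignore private-bin' to your telegram.local if you need them.` The `?ALLOW_TRAY:` condition is defined outside this hunk, so it is worth confirming that builds without tray support still parse the line. The profile starts before the hunk, so earlier directives are not visible here.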
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index 7c18aab50..07212a452 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile | |||
@@ -30,6 +30,6 @@ tracelog | |||
30 | disable-mnt | 30 | disable-mnt |
31 | private-bin tilp | 31 | private-bin tilp |
32 | private-cache | 32 | private-cache |
33 | private-etc alternatives,fonts | 33 | private-etc alternatives,fonts,ld.so.preload |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
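--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc passwd,resolv.conf,terminfo,tin
+private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin
 private-lib terminfo
 private-tmp
 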
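Review bot: `ld.so.preload` is added to `private-etc` in a profile that also sets `private-lib terminfo`, so any library named in the host's /etc/ld.so.preload must also be present in the restricted library set. If it is not, the loader will presumably fail the preload on every exec inside the sandbox, and whatever hardening or tracing library the file was meant to inject silently does not apply. The same combination appears in transgui.profile, unf.profile and whois.profile in this diff. I would either extend the `private-lib` lists or add a comment next to the line, for example `# libraries listed in ld.so.preload must also be covered by private-lib`. The profile starts before this hunk, so earlier directives are not visible here.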
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 08e949309..312123f59 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile | |||
@@ -46,6 +46,6 @@ private | |||
46 | private-bin bash,tor | 46 | private-bin bash,tor |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor | 49 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor |
50 | private-tmp | 50 | private-tmp |
51 | writable-var | 51 | writable-var |
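--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.preload
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 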
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile index 486be5fe6..b3fab083c 100644 --- a/etc/profile-m-z/transmission-cli.profile +++ b/etc/profile-m-z/transmission-cli.profile | |||
@@ -8,7 +8,7 @@ include transmission-cli.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-cli | 10 | private-bin transmission-cli |
11 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 11 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 348d3cb80..9d91b8b81 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile | |||
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot | |||
17 | protocol packet | 17 | protocol packet |
18 | 18 | ||
19 | private-bin transmission-daemon | 19 | private-bin transmission-daemon |
20 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 20 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
21 | 21 | ||
22 | read-write /var/lib/transmission | 22 | read-write /var/lib/transmission |
23 | writable-var-log | 23 | writable-var-log |
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile index a6400e2c0..20d54500f 100644 --- a/etc/profile-m-z/transmission-remote-gtk.profile +++ b/etc/profile-m-z/transmission-remote-gtk.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk | |||
12 | mkdir ${HOME}/.config/transmission-remote-gtk | 12 | mkdir ${HOME}/.config/transmission-remote-gtk |
13 | whitelist ${HOME}/.config/transmission-remote-gtk | 13 | whitelist ${HOME}/.config/transmission-remote-gtk |
14 | 14 | ||
15 | private-etc fonts,hostname,hosts,resolv.conf | 15 | private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf |
16 | # Problems with private-lib (see issue #2889) | 16 | # Problems with private-lib (see issue #2889) |
17 | ignore private-lib | 17 | ignore private-lib |
18 | 18 | ||
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile index fee4999e6..ad4ad2172 100644 --- a/etc/profile-m-z/transmission-remote.profile +++ b/etc/profile-m-z/transmission-remote.profile | |||
@@ -8,7 +8,7 @@ include transmission-remote.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-remote | 10 | private-bin transmission-remote |
11 | private-etc alternatives,hosts,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile index 5a3c83f58..822a368da 100644 --- a/etc/profile-m-z/transmission-show.profile +++ b/etc/profile-m-z/transmission-show.profile | |||
@@ -8,7 +8,7 @@ include transmission-show.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-show | 10 | private-bin transmission-show |
11 | private-etc alternatives,hosts,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 41426c606..1959aee1e 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -54,7 +54,7 @@ tracelog | |||
54 | private-bin trojita | 54 | private-bin trojita |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg | 57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user filter | 60 | dbus-user filter |
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile index d767b4c9d..bd2f1bcf9 100644 --- a/etc/profile-m-z/twitch.profile +++ b/etc/profile-m-z/twitch.profile | |||
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch | |||
18 | whitelist ${HOME}/.config/Twitch | 18 | whitelist ${HOME}/.config/Twitch |
19 | 19 | ||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch | 20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch |
21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt Twitch | 22 | private-opt Twitch |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
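--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.preload
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 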
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 9d3d9b40e..761ee91c5 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile | |||
@@ -8,7 +8,7 @@ include unrar.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin unrar | 10 | private-bin unrar |
11 | private-etc alternatives,group,localtime,passwd | 11 | private-etc alternatives,group,ld.so.preload,localtime,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 0231e3dba..981826b16 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile | |||
@@ -10,7 +10,7 @@ include globals.local | |||
10 | # GNOME Shell integration (chrome-gnome-shell) | 10 | # GNOME Shell integration (chrome-gnome-shell) |
11 | noblacklist ${HOME}/.local/share/gnome-shell | 11 | noblacklist ${HOME}/.local/share/gnome-shell |
12 | 12 | ||
13 | private-etc alternatives,group,localtime,passwd | 13 | private-etc alternatives,group,ld.so.preload,localtime,passwd |
14 | 14 | ||
15 | # Redirect | 15 | # Redirect |
16 | include archiver-common.profile | 16 | include archiver-common.profile |
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index b164494fa..5a867a683 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin utox | 43 | private-bin utox |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index 469e65542..ed2f0103b 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin viewnior | 43 | private-bin viewnior |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,machine-id | 46 | private-etc alternatives,fonts,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 6ab9aa15b..a6d3eaafd 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | #disable-mnt | 45 | #disable-mnt |
46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | 46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami |
47 | private-cache | 47 | private-cache |
48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index cb85836b7..8e25daee0 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile | |||
@@ -38,6 +38,6 @@ tracelog | |||
38 | #disable-mnt | 38 | #disable-mnt |
39 | # Add the next line to your vmware.local to enable private-bin. | 39 | # Add the next line to your vmware.local to enable private-bin. |
40 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* | 40 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* |
41 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix | 41 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix |
42 | dbus-user none | 42 | dbus-user none |
43 | dbus-system none | 43 | dbus-system none |
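--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 
 # Redirect
 include code.profile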
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index 81c8a2f5c..d2e30e824 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
@@ -62,7 +62,7 @@ disable-mnt | |||
62 | private-bin perl,sh,w3m | 62 | private-bin perl,sh,w3m |
63 | private-cache | 63 | private-cache |
64 | private-dev | 64 | private-dev |
65 | private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl | 65 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl |
66 | private-tmp | 66 | private-tmp |
67 | 67 | ||
68 | dbus-user none | 68 | dbus-user none |
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index 92e0e7a83..fc59b7239 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin warmux | 49 | private-bin warmux |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 2f26bf14c..ae3944561 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile | |||
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird | |||
21 | no3d | 21 | no3d |
22 | 22 | ||
23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird | 23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird |
24 | private-etc fonts,machine-id | 24 | private-etc fonts,ld.so.preload,machine-id |
25 | 25 | ||
26 | # Redirect | 26 | # Redirect |
27 | include electron.profile | 27 | include electron.profile |
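--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 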
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index 151cd2adb..eebad4a19 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile | |||
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire | |||
26 | whitelist ${HOME}/.config/Wire | 26 | whitelist ${HOME}/.config/Wire |
27 | 27 | ||
28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop | 28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop |
29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl |
30 | 30 | ||
31 | # Redirect | 31 | # Redirect |
32 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index b2f3341ee..374290ed0 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin wordwarvi | 45 | private-bin wordwarvi |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,asound.conf,machine-id,pulse | 48 | private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
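--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc none
+private-etc ld.so.preload,none
 private-tmp
 
 dbus-user none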
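Review bot: `private-etc ld.so.preload,none` puts a real file name next to the `none` placeholder, which looks like a mechanical insertion rather than a deliberate list. The old line read as "empty /etc", and the new one no longer says that. If `none` is just a name that matches nothing, it is now redundant and `private-etc ld.so.preload` states the intent directly. If the parser treats `none` specially, the combined list may not behave as expected. The `private-etc` handling is not visible in this diff, so this should be confirmed before keeping the mixed form.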
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 05c46dffb..21857dbe6 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin xfce4-mixer,xfconf-query | 46 | private-bin xfce4-mixer,xfconf-query |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,asound.conf,fonts,machine-id,pulse | 49 | private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index b869ae005..ad3058ce2 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin xfce4-screenshooter,xfconf-query | 43 | private-bin xfce4-screenshooter,xfconf-query |
44 | private-dev | 44 | private-dev |
45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl | 45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
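--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp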
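Review bot: The rewritten `private-etc` line still carries `ssli`, which looks like a typo for `ssl`. Every other profile in this diff that lists `ca-certificates,crypto-policies,...,pki` also lists `ssl`. As written, /etc/ssl is presumably not present in the sandbox, which can affect how TLS certificate configuration is found when the program fetches content over the network. Since the commit touches this line anyway, I would fix it here: `private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl,sword,sword.conf`. The profile starts before this hunk, so earlier directives are not visible here.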
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile index d5e25cfe7..1c9310986 100644 --- a/etc/profile-m-z/xlinks.profile +++ b/etc/profile-m-z/xlinks.profile | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks | 16 | private-bin xlinks |
17 | private-etc fonts | 17 | private-etc fonts,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links.profile | 20 | include links.profile |
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2 index 1ae6a60ca..bbf660e29 100644 --- a/etc/profile-m-z/xlinks2 +++ b/etc/profile-m-z/xlinks2 | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks2 | 16 | private-bin xlinks2 |
17 | private-etc fonts | 17 | private-etc fonts,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links2.profile | 20 | include links2.profile |
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index 8179e8d76..2a9fbf171 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile | |||
@@ -38,7 +38,7 @@ disable-mnt | |||
38 | private ${HOME}/.xmr-stak | 38 | private ${HOME}/.xmr-stak |
39 | private-bin xmr-stak | 39 | private-bin xmr-stak |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 41 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend | 42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend |
43 | private-opt cuda | 43 | private-opt cuda |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index e4282a125..fe7395078 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin xournal | 43 | private-bin xournal |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,group,machine-id,passwd | 46 | private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd |
47 | # TODO should use private-lib | 47 | # TODO should use private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index f59adc6e2..8b880426f 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile | |||
@@ -39,7 +39,7 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xreader,xreader-previewer,xreader-thumbnailer | 40 | private-bin xreader,xreader-previewer,xreader-thumbnailer |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,fonts,ld.so.cache | 42 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 2a6dbe1bf..c5e44c6b4 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin groff,man,tbl,troff,yelp | 56 | private-bin groff,man,tbl,troff,yelp |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml | 59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | dbus-user filter | 62 | dbus-user filter |
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile index 5d6fb47c1..94f37a92b 100644 --- a/etc/profile-m-z/youtube-dl-gui.profile +++ b/etc/profile-m-z/youtube-dl-gui.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui | 49 | private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 145e565fd..71e50ab11 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
@@ -58,7 +58,7 @@ tracelog | |||
58 | private-bin env,ffmpeg,python*,youtube-dl | 58 | private-bin env,ffmpeg,python*,youtube-dl |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf | 61 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf |
62 | private-tmp | 62 | private-tmp |
63 | 63 | ||
64 | dbus-user none | 64 | dbus-user none |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index b54dd37ad..825599fcc 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer | |||
18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer | 18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index a05f05c51..3224f8fc6 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp | 53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index efb001ee6..c7dbec968 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile | |||
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube | |||
17 | whitelist ${HOME}/.config/Youtube | 17 | whitelist ${HOME}/.config/Youtube |
18 | 18 | ||
19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube | 19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube |
20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
21 | private-opt Youtube | 21 | private-opt Youtube |
22 | 22 | ||
23 | # Redirect | 23 | # Redirect |
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index ce7161a70..35ecf059d 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164 | |||
14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 | 14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 |
15 | 15 | ||
16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier | 16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | private-opt youtubemusic-nativefier | 18 | private-opt youtubemusic-nativefier |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 1c3382a08..bfb24b488 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp | |||
13 | noblacklist ${HOME}/yt-dlp.conf | 13 | noblacklist ${HOME}/yt-dlp.conf |
14 | 14 | ||
15 | private-bin yt-dlp | 15 | private-bin yt-dlp |
16 | private-etc yt-dlp.conf | 16 | private-etc ld.so.preload,yt-dlp.conf |
17 | 17 | ||
18 | # Redirect | 18 | # Redirect |
19 | include youtube-dl.profile | 19 | include youtube-dl.profile |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index ab46fccc2..84f2f3cb2 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app | |||
14 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
15 | 15 | ||
16 | # private-bin env,ytmdesktop | 16 | # private-bin env,ytmdesktop |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | # private-opt | 18 | # private-opt |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 604da4c8e..c1c94d74f 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile | |||
@@ -44,5 +44,5 @@ disable-mnt | |||
44 | private-bin locale,zulip | 44 | private-bin locale,zulip |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc asound.conf,fonts,machine-id | 47 | private-etc asound.conf,fonts,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 049a41328..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -205,7 +205,7 @@ include globals.local | |||
205 | 205 | ||
206 | # Since 0.9.63 also a more granular control of dbus is supported. | 206 | # Since 0.9.63 also a more granular control of dbus is supported. |
207 | # To get the dbus-addresses an application needs access to you can | 207 | # To get the dbus-addresses an application needs access to you can |
208 | # check with flatpak (when the application is distriputed that way): | 208 | # check with flatpak (when the application is distributed that way): |
209 | # flatpak remote-info --show-metadata flathub <APP-ID> | 209 | # flatpak remote-info --show-metadata flathub <APP-ID> |
210 | # Notes: | 210 | # Notes: |
211 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 211 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |
@@ -24,8 +24,8 @@ gcov_init() { | |||
24 | } | 24 | } |
25 | 25 | ||
26 | generate() { | 26 | generate() { |
27 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new | 27 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new |
28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file | 28 | lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file |
29 | rm -fr gcov-dir | 29 | rm -fr gcov-dir |
30 | genhtml -q gcov-file --output-directory gcov-dir | 30 | genhtml -q gcov-file --output-directory gcov-dir |
31 | sudo rm `find . -name *.gcda` | 31 | sudo rm `find . -name *.gcda` |
@@ -35,7 +35,7 @@ generate() { | |||
35 | 35 | ||
36 | 36 | ||
37 | gcov_init | 37 | gcov_init |
38 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old | 38 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old |
39 | 39 | ||
40 | #make test-utils | 40 | #make test-utils |
41 | #generate | 41 | #generate |
diff --git a/linecnt.sh b/linecnt.sh index ccce2da82..86bccbc07 100755 --- a/linecnt.sh +++ b/linecnt.sh | |||
@@ -26,6 +26,6 @@ gcov_init() { | |||
26 | rm -fr gcov-dir | 26 | rm -fr gcov-dir |
27 | gcov_init | 27 | gcov_init |
28 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ | 28 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ |
29 | -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ | 29 | -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ |
30 | -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file | 30 | -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file |
31 | genhtml -q gcov-file --output-directory gcov-dir | 31 | genhtml -q gcov-file --output-directory gcov-dir |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index f68edf380..ff411c807 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -5,7 +5,7 @@ | |||
5 | # http://bash-completion.alioth.debian.org | 5 | # http://bash-completion.alioth.debian.org |
6 | #******************************************************************* | 6 | #******************************************************************* |
7 | 7 | ||
8 | __interfaces(){ | 8 | __interfaces() { |
9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs | 9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs |
10 | } | 10 | } |
11 | 11 | ||
@@ -90,11 +90,11 @@ _firejail() | |||
90 | _filedir | 90 | _filedir |
91 | return 0 | 91 | return 0 |
92 | ;; | 92 | ;; |
93 | --net) | 93 | --net) |
94 | comps=$(__interfaces) | 94 | comps=$(__interfaces) |
95 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) | 95 | COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) |
96 | return 0 | 96 | return 0 |
97 | ;; | 97 | ;; |
98 | esac | 98 | esac |
99 | 99 | ||
100 | $split && return 0 | 100 | $split && return 0 |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 019c3ac5a..a1847284c 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) { | |||
182 | void build_var(const char *fname, FILE *fp) { | 182 | void build_var(const char *fname, FILE *fp) { |
183 | assert(fname); | 183 | assert(fname); |
184 | 184 | ||
185 | var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/"); | 185 | var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/"); |
186 | process_files(fname, "/var", var_callback); | 186 | process_files(fname, "/var", var_callback); |
187 | 187 | ||
188 | // always whitelist /var | 188 | // always whitelist /var |
189 | if (var_out) | 189 | if (var_out) |
190 | filedb_print(var_out, "allow /var/", fp); | 190 | filedb_print(var_out, "whitelist /var/", fp); |
191 | fprintf(fp, "include whitelist-var-common.inc\n"); | 191 | fprintf(fp, "include whitelist-var-common.inc\n"); |
192 | } | 192 | } |
193 | 193 | ||
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) { | |||
222 | void build_share(const char *fname, FILE *fp) { | 222 | void build_share(const char *fname, FILE *fp) { |
223 | assert(fname); | 223 | assert(fname); |
224 | 224 | ||
225 | share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/"); | 225 | share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/"); |
226 | process_files(fname, "/usr/share", share_callback); | 226 | process_files(fname, "/usr/share", share_callback); |
227 | 227 | ||
228 | // always whitelist /usr/share | 228 | // always whitelist /usr/share |
229 | if (share_out) | 229 | if (share_out) |
230 | filedb_print(share_out, "allow /usr/share/", fp); | 230 | filedb_print(share_out, "whitelist /usr/share/", fp); |
231 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); | 231 | fprintf(fp, "include whitelist-usr-share-common.inc\n"); |
232 | } | 232 | } |
233 | 233 | ||
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) { | |||
236 | //******************************************* | 236 | //******************************************* |
237 | static FileDB *tmp_out = NULL; | 237 | static FileDB *tmp_out = NULL; |
238 | static void tmp_callback(char *ptr) { | 238 | static void tmp_callback(char *ptr) { |
239 | // skip strace file | ||
240 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | ||
241 | return; | ||
242 | if (strncmp(ptr, "/tmp/runtime-", 13) == 0) | 239 | if (strncmp(ptr, "/tmp/runtime-", 13) == 0) |
243 | return; | 240 | return; |
244 | if (strcmp(ptr, "/tmp") == 0) | 241 | if (strcmp(ptr, "/tmp") == 0) |
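Review bot: The directive prefix is written out twice in each builder, once for `filedb_load_whitelist` and once for `filedb_print`: `"whitelist /var/"` in build_var, `"whitelist /usr/share/"` in build_share, and `"whitelist ${HOME}/"` in build_home in build_home.c. The two copies appear to have to match for the skip list loaded from the common include to line up with what is printed, and this commit had to edit each copy by hand to change the keyword. One named constant per directory, for example `static const char var_prefix[] = "whitelist /var/";` used in both calls, would keep them from drifting apart. The third hunk ends inside tmp_callback, so the rest of that function is not visible here.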
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index c85474779..0fe0ffef6 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) { | |||
140 | assert(fname); | 140 | assert(fname); |
141 | 141 | ||
142 | // load whitelist common | 142 | // load whitelist common |
143 | db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/"); | 143 | db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/"); |
144 | 144 | ||
145 | // find user home directory | 145 | // find user home directory |
146 | struct passwd *pw = getpwuid(getuid()); | 146 | struct passwd *pw = getpwuid(getuid()); |
@@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) { | |||
168 | 168 | ||
169 | // print the out list if any | 169 | // print the out list if any |
170 | if (db_out) { | 170 | if (db_out) { |
171 | filedb_print(db_out, "allow ${HOME}/", fp); | 171 | filedb_print(db_out, "whitelist ${HOME}/", fp); |
172 | fprintf(fp, "include whitelist-common.inc\n"); | 172 | fprintf(fp, "include whitelist-common.inc\n"); |
173 | } | 173 | } |
174 | else | 174 | else |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 0b9a99739..c945d7253 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -92,7 +92,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
92 | 92 | ||
93 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { | 93 | if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { |
94 | if (fp == stdout) | 94 | if (fp == stdout) |
95 | printf("--- Built profile beings after this line ---\n"); | 95 | printf("--- Built profile begins after this line ---\n"); |
96 | fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); | 96 | fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); |
97 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); | 97 | fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); |
98 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); | 98 | fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 31810de9a..f279af89f 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -88,7 +88,8 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { | |||
88 | if (arg_debug) | 88 | if (arg_debug) |
89 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); | 89 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); |
90 | 90 | ||
91 | setfilecon_raw(procfs_path, fcon); | 91 | if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) |
92 | printf("Cannot relabel %s: %s\n", path, strerror(errno)); | ||
92 | } | 93 | } |
93 | freecon(fcon); | 94 | freecon(fcon); |
94 | close: | 95 | close: |
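Review bot: A failed `setfilecon_raw` is reported only when `arg_debug` is set, and on stdout, so in a normal run the copied file keeps whatever SELinux label it already had and nobody is told. If some failures are expected (a filesystem without label support, for instance) the debug gate may be intentional, but that reason should then be stated in a comment above the call. Otherwise the message belongs on stderr regardless of debug mode, e.g. `if (setfilecon_raw(procfs_path, fcon) != 0) fprintf(stderr, "Warning: cannot relabel %s: %s\n", path, strerror(errno));`. selinux_relabel_path starts above this hunk, so whether `errno.h` and `string.h` are already included cannot be confirmed from here.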
diff --git a/src/fids/fids.h b/src/fids/fids.h index a2e2886fe..eaf2bbd29 100644 --- a/src/fids/fids.h +++ b/src/fids/fids.h | |||
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname); | |||
48 | //#define KEY_SIZE 512 | 48 | //#define KEY_SIZE 512 |
49 | int blake2b(void *out, size_t outlen, const void *in, size_t inlen); | 49 | int blake2b(void *out, size_t outlen, const void *in, size_t inlen); |
50 | 50 | ||
51 | #endif \ No newline at end of file | 51 | #endif |
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 698630180..aad22ec7a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -151,6 +151,7 @@ clocks | |||
151 | cmus | 151 | cmus |
152 | code | 152 | code |
153 | code-oss | 153 | code-oss |
154 | codium | ||
154 | cola | 155 | cola |
155 | colorful | 156 | colorful |
156 | com.github.bleakgrey.tootle | 157 | com.github.bleakgrey.tootle |
@@ -348,6 +349,7 @@ gnome-weather | |||
348 | gnote | 349 | gnote |
349 | gnubik | 350 | gnubik |
350 | godot | 351 | godot |
352 | goldendict | ||
351 | goobox | 353 | goobox |
352 | google-chrome | 354 | google-chrome |
353 | google-chrome-beta | 355 | google-chrome-beta |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index e7ffbca36..38b3c32d3 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -18,7 +18,8 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/stat.h> | 21 | #include <sys/wait.h> |
22 | #include <errno.h> | ||
22 | 23 | ||
23 | #define MAXBUF 4096 | 24 | #define MAXBUF 4096 |
24 | 25 | ||
@@ -68,52 +69,60 @@ errout: | |||
68 | fclose(fp); | 69 | fclose(fp); |
69 | } | 70 | } |
70 | 71 | ||
72 | static int is_cgroup_path(const char *fname) { | ||
73 | // path starts with /sys/fs/cgroup | ||
74 | if (strncmp(fname, "/sys/fs/cgroup", 14) != 0) | ||
75 | return 0; | ||
71 | 76 | ||
72 | void set_cgroup(const char *path) { | 77 | // no .. traversal |
73 | EUID_ASSERT(); | 78 | char *ptr = strstr(fname, ".."); |
79 | if (ptr) | ||
80 | return 0; | ||
74 | 81 | ||
75 | invalid_filename(path, 0); // no globbing | 82 | return 1; |
83 | } | ||
76 | 84 | ||
77 | // path starts with /sys/fs/cgroup | 85 | void check_cgroup_file(const char *fname) { |
78 | if (strncmp(path, "/sys/fs/cgroup", 14) != 0) | 86 | assert(fname); |
79 | goto errout; | 87 | invalid_filename(fname, 0); // no globbing |
80 | 88 | ||
81 | // path ends in tasks | 89 | if (!is_cgroup_path(fname)) |
82 | char *ptr = strstr(path, "tasks"); | ||
83 | if (!ptr) | ||
84 | goto errout; | ||
85 | if (*(ptr + 5) != '\0') | ||
86 | goto errout; | 90 | goto errout; |
87 | 91 | ||
88 | // no .. traversal | 92 | const char *base = gnu_basename(fname); |
89 | ptr = strstr(path, ".."); | 93 | if (strcmp(base, "tasks") != 0 && // cgroup v1 |
90 | if (ptr) | 94 | strcmp(base, "cgroup.procs") != 0) |
91 | goto errout; | 95 | goto errout; |
92 | 96 | ||
93 | // tasks file exists | 97 | if (access(fname, W_OK) == 0) |
94 | FILE *fp = fopen(path, "ae"); | 98 | return; |
95 | if (!fp) | ||
96 | goto errout; | ||
97 | // task file belongs to the user running the sandbox | ||
98 | int fd = fileno(fp); | ||
99 | if (fd == -1) | ||
100 | errExit("fileno"); | ||
101 | struct stat s; | ||
102 | if (fstat(fd, &s) == -1) | ||
103 | errExit("fstat"); | ||
104 | if (s.st_uid != getuid() && s.st_gid != getgid()) | ||
105 | goto errout2; | ||
106 | // add the task to cgroup | ||
107 | pid_t pid = getpid(); | ||
108 | int rv = fprintf(fp, "%d\n", pid); | ||
109 | (void) rv; | ||
110 | fclose(fp); | ||
111 | return; | ||
112 | 99 | ||
113 | errout: | 100 | errout: |
114 | fprintf(stderr, "Error: invalid cgroup\n"); | 101 | fprintf(stderr, "Error: invalid cgroup\n"); |
115 | exit(1); | 102 | exit(1); |
116 | errout2: | 103 | } |
117 | fprintf(stderr, "Error: you don't have permissions to use this control group\n"); | 104 | |
118 | exit(1); | 105 | static void do_set_cgroup(const char *fname, pid_t pid) { |
106 | FILE *fp = fopen(fname, "ae"); | ||
107 | if (!fp) { | ||
108 | fwarning("cannot open %s for writing: %s\n", fname, strerror(errno)); | ||
109 | return; | ||
110 | } | ||
111 | |||
112 | int rv = fprintf(fp, "%d\n", pid); | ||
113 | (void) rv; | ||
114 | fclose(fp); | ||
115 | } | ||
116 | |||
117 | void set_cgroup(const char *fname, pid_t pid) { | ||
118 | pid_t child = fork(); | ||
119 | if (child < 0) | ||
120 | errExit("fork"); | ||
121 | if (child == 0) { | ||
122 | drop_privs(0); | ||
123 | |||
124 | do_set_cgroup(fname, pid); | ||
125 | _exit(0); | ||
126 | } | ||
127 | waitpid(child, NULL, 0); | ||
119 | } | 128 | } |
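Review bot: A failed write to the cgroup file goes unreported in do_set_cgroup: the result of `fprintf` is discarded and `fclose` is not checked, and because the stream is buffered a rejection by the kernel would only surface at flush time. set_cgroup then waits with `waitpid(child, NULL, 0)` and the child always calls `_exit(0)`, so the sandbox would continue outside the requested control group without any message. Checking the flush, for example `if (fclose(fp) != 0 || rv < 0) fwarning("cannot write to %s: %s\n", fname, strerror(errno));`, would make that visible. Separately, is_cgroup_path compares only the 14-byte prefix, so a sibling path such as `/sys/fs/cgroupX/...` also passes; matching `"/sys/fs/cgroup/"` with length 15 would close that.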
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 06e6f0ccb..e5d837bbb 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -58,6 +58,7 @@ int checkcfg(int val) { | |||
58 | cfg_val[CFG_XPRA_ATTACH] = 0; | 58 | cfg_val[CFG_XPRA_ATTACH] = 0; |
59 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1; | 59 | cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1; |
60 | cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; | 60 | cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; |
61 | cfg_val[CFG_ALLOW_TRAY] = 0; | ||
61 | 62 | ||
62 | // open configuration file | 63 | // open configuration file |
63 | const char *fname = SYSCONFDIR "/firejail.config"; | 64 | const char *fname = SYSCONFDIR "/firejail.config"; |
@@ -122,6 +123,7 @@ int checkcfg(int val) { | |||
122 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | 123 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") |
123 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | 124 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") |
124 | PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") | 125 | PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") |
126 | PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray") | ||
125 | #undef PARSE_YESNO | 127 | #undef PARSE_YESNO |
126 | 128 | ||
127 | // netfilter | 129 | // netfilter |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 37ec22117..9425638ea 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) { | |||
86 | if (arg_debug) | 86 | if (arg_debug) |
87 | printf("Updating chroot /%s\n", relpath); | 87 | printf("Updating chroot /%s\n", relpath); |
88 | unlinkat(parentfd, relpath, 0); | 88 | unlinkat(parentfd, relpath, 0); |
89 | int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 89 | int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
90 | if (out == -1) { | 90 | if (out == -1) { |
91 | close(in); | 91 | close(in); |
92 | goto errout; | 92 | goto errout; |
diff --git a/src/firejail/env.c b/src/firejail/env.c index f5e9dd980..4c0d729a1 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | #include <dirent.h> | 24 | #include <dirent.h> |
25 | #include <limits.h> | ||
25 | 26 | ||
26 | typedef struct env_t { | 27 | typedef struct env_t { |
27 | struct env_t *next; | 28 | struct env_t *next; |
@@ -262,7 +263,7 @@ static const char * const env_whitelist[] = { | |||
262 | "LANG", | 263 | "LANG", |
263 | "LANGUAGE", | 264 | "LANGUAGE", |
264 | "LC_MESSAGES", | 265 | "LC_MESSAGES", |
265 | "PATH", | 266 | // "PATH", |
266 | "DISPLAY" // required by X11 | 267 | "DISPLAY" // required by X11 |
267 | }; | 268 | }; |
268 | 269 | ||
@@ -311,6 +312,10 @@ void env_apply_whitelist(void) { | |||
311 | errExit("clearenv"); | 312 | errExit("clearenv"); |
312 | 313 | ||
313 | env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); | 314 | env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); |
315 | |||
316 | // hardcoding PATH | ||
317 | if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0) | ||
318 | errExit("setenv"); | ||
314 | } | 319 | } |
315 | 320 | ||
316 | // Filter env variables for a sbox app | 321 | // Filter env variables for a sbox app |
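Review bot: The `#include <limits.h>` added at the top of env.c is the plain header that this same commit warns about in firejail.h (`// Note: Plain limits.h may break ARG_MAX (see #4583)`), where `<linux/limits.h>` is used instead. If env.c already includes firejail.h, the new include may be unnecessary, or it could be switched to `#include <linux/limits.h>` for consistency. In the later hunks, `// "PATH",` is left as dead text inside env_whitelist and the comment `// hardcoding PATH` says what is done but not why. Deleting the entry and stating the reason once above the `setenv` call, for instance `// PATH is set to a fixed value instead of being inherited from the caller's environment`, would read better. The search-path literal would also be easier to audit as a named constant.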
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..a6924b830 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -22,6 +22,7 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include "../include/rundefs.h" | 24 | #include "../include/rundefs.h" |
25 | #include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) | ||
25 | #include <stdarg.h> | 26 | #include <stdarg.h> |
26 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
27 | 28 | ||
@@ -433,13 +434,15 @@ void fs_proc_sys_dev_boot(void); | |||
433 | void disable_config(void); | 434 | void disable_config(void); |
434 | // build a basic read-only filesystem | 435 | // build a basic read-only filesystem |
435 | void fs_basic_fs(void); | 436 | void fs_basic_fs(void); |
436 | // mount overlayfs on top of / directory | ||
437 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse); | ||
438 | void fs_overlayfs(void); | ||
439 | void fs_private_tmp(void); | 437 | void fs_private_tmp(void); |
440 | void fs_private_cache(void); | 438 | void fs_private_cache(void); |
441 | void fs_mnt(const int enforce); | 439 | void fs_mnt(const int enforce); |
442 | 440 | ||
441 | // fs_overlayfs.c | ||
442 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse); | ||
443 | void fs_overlayfs(void); | ||
444 | int remove_overlay_directory(void); | ||
445 | |||
443 | // chroot.c | 446 | // chroot.c |
444 | // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf | 447 | // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf |
445 | void fs_check_chroot_dir(void); | 448 | void fs_check_chroot_dir(void); |
@@ -516,6 +519,7 @@ void touch_file_as_user(const char *fname, mode_t mode); | |||
516 | int is_dir(const char *fname); | 519 | int is_dir(const char *fname); |
517 | int is_link(const char *fname); | 520 | int is_link(const char *fname); |
518 | char *realpath_as_user(const char *fname); | 521 | char *realpath_as_user(const char *fname); |
522 | ssize_t readlink_as_user(const char *fname, char *buf, size_t sz); | ||
519 | int stat_as_user(const char *fname, struct stat *s); | 523 | int stat_as_user(const char *fname, struct stat *s); |
520 | int lstat_as_user(const char *fname, struct stat *s); | 524 | int lstat_as_user(const char *fname, struct stat *s); |
521 | void trim_trailing_slash_or_dot(char *path); | 525 | void trim_trailing_slash_or_dot(char *path); |
@@ -529,8 +533,7 @@ void update_map(char *mapping, char *map_file); | |||
529 | void wait_for_other(int fd); | 533 | void wait_for_other(int fd); |
530 | void notify_other(int fd); | 534 | void notify_other(int fd); |
531 | uid_t pid_get_uid(pid_t pid); | 535 | uid_t pid_get_uid(pid_t pid); |
532 | uid_t get_group_id(const char *group); | 536 | gid_t get_group_id(const char *groupname); |
533 | int remove_overlay_directory(void); | ||
534 | void flush_stdin(void); | 537 | void flush_stdin(void); |
535 | int create_empty_dir_as_user(const char *dir, mode_t mode); | 538 | int create_empty_dir_as_user(const char *dir, mode_t mode); |
536 | void create_empty_dir_as_root(const char *dir, mode_t mode); | 539 | void create_empty_dir_as_root(const char *dir, mode_t mode); |
@@ -563,8 +566,8 @@ typedef struct { | |||
563 | 566 | ||
564 | // mountinfo.c | 567 | // mountinfo.c |
565 | MountData *get_last_mount(void); | 568 | MountData *get_last_mount(void); |
566 | int get_mount_id(const char *path); | 569 | int get_mount_id(int fd); |
567 | char **build_mount_array(const int mount_id, const char *path); | 570 | char **build_mount_array(const int mountid, const char *path); |
568 | 571 | ||
569 | // fs_var.c | 572 | // fs_var.c |
570 | void fs_var_log(void); // mounting /var/log | 573 | void fs_var_log(void); // mounting /var/log |
@@ -621,7 +624,8 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn)); | |||
621 | void caps_drop_dac_override(void); | 624 | void caps_drop_dac_override(void); |
622 | 625 | ||
623 | // fs_trace.c | 626 | // fs_trace.c |
624 | void fs_trace_preload(void); | 627 | void fs_trace_touch_preload(void); |
628 | void fs_trace_touch_or_store_preload(void); | ||
625 | void fs_tracefile(void); | 629 | void fs_tracefile(void); |
626 | void fs_trace(void); | 630 | void fs_trace(void); |
627 | 631 | ||
@@ -644,7 +648,8 @@ void cpu_print_filter(pid_t pid) __attribute__((noreturn)); | |||
644 | // cgroup.c | 648 | // cgroup.c |
645 | void save_cgroup(void); | 649 | void save_cgroup(void); |
646 | void load_cgroup(const char *fname); | 650 | void load_cgroup(const char *fname); |
647 | void set_cgroup(const char *path); | 651 | void check_cgroup_file(const char *fname); |
652 | void set_cgroup(const char *fname, pid_t pid); | ||
648 | 653 | ||
649 | // output.c | 654 | // output.c |
650 | void check_output(int argc, char **argv); | 655 | void check_output(int argc, char **argv); |
@@ -801,6 +806,7 @@ enum { | |||
801 | CFG_NAME_CHANGE, | 806 | CFG_NAME_CHANGE, |
802 | CFG_SECCOMP_ERROR_ACTION, | 807 | CFG_SECCOMP_ERROR_ACTION, |
803 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv | 808 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv |
809 | CFG_ALLOW_TRAY, | ||
804 | CFG_MAX // this should always be the last entry | 810 | CFG_MAX // this should always be the last entry |
805 | }; | 811 | }; |
806 | extern char *xephyr_screen; | 812 | extern char *xephyr_screen; |
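Review bot: The new prototype `ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);` carries no comment on its buffer contract, and readlink(2), which it appears to wrap, neither NUL-terminates the result nor reports truncation. The implementation is not part of this section, so the header is where callers need to learn what they may rely on, for example `// readlink(2) performed as the user; NUL-terminated: <yes/no>; returns -1 on <conditions>`. The same applies to `int get_mount_id(int fd);`: the `fs.c` caller on this page treats any negative value as failure, which a one-line comment on the prototype would make explicit.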
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5ac2da164..9c1b889ed 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -20,10 +20,7 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include "../include/gcov_wrapper.h" | 21 | #include "../include/gcov_wrapper.h" |
22 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
23 | #include <sys/stat.h> | ||
24 | #include <sys/statvfs.h> | 23 | #include <sys/statvfs.h> |
25 | #include <sys/wait.h> | ||
26 | #include <linux/limits.h> | ||
27 | #include <fnmatch.h> | 24 | #include <fnmatch.h> |
28 | #include <glob.h> | 25 | #include <glob.h> |
29 | #include <dirent.h> | 26 | #include <dirent.h> |
@@ -35,7 +32,7 @@ | |||
35 | #endif | 32 | #endif |
36 | 33 | ||
37 | #define MAX_BUF 4096 | 34 | #define MAX_BUF 4096 |
38 | #define EMPTY_STRING ("") | 35 | |
39 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | 36 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files |
40 | //#define TEST_NO_BLACKLIST_MATCHING | 37 | //#define TEST_NO_BLACKLIST_MATCHING |
41 | 38 | ||
@@ -108,7 +105,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
108 | } | 105 | } |
109 | 106 | ||
110 | // check for firejail executable | 107 | // check for firejail executable |
111 | // we migth have a file found in ${PATH} pointing to /usr/bin/firejail | 108 | // we might have a file found in ${PATH} pointing to /usr/bin/firejail |
112 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird | 109 | // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird |
113 | // and expects Firefox to open in the same sandbox | 110 | // and expects Firefox to open in the same sandbox |
114 | if (strcmp(BINDIR "/firejail", fname) == 0) { | 111 | if (strcmp(BINDIR "/firejail", fname) == 0) { |
@@ -200,8 +197,6 @@ static void disable_file(OPERATION op, const char *filename) { | |||
200 | } | 197 | } |
201 | 198 | ||
202 | fs_tmpfs(fname, uid); | 199 | fs_tmpfs(fname, uid); |
203 | EUID_USER(); // fs_tmpfs returns with EUID 0 | ||
204 | |||
205 | selinux_relabel_path(fname, fname); | 200 | selinux_relabel_path(fname, fname); |
206 | } | 201 | } |
207 | else | 202 | else |
@@ -282,6 +277,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
282 | 277 | ||
283 | // blacklist files or directories by mounting empty files on top of them | 278 | // blacklist files or directories by mounting empty files on top of them |
284 | void fs_blacklist(void) { | 279 | void fs_blacklist(void) { |
280 | EUID_ASSERT(); | ||
281 | |||
285 | ProfileEntry *entry = cfg.profile; | 282 | ProfileEntry *entry = cfg.profile; |
286 | if (!entry) | 283 | if (!entry) |
287 | return; | 284 | return; |
@@ -293,7 +290,6 @@ void fs_blacklist(void) { | |||
293 | if (noblacklist == NULL) | 290 | if (noblacklist == NULL) |
294 | errExit("failed allocating memory for noblacklist entries"); | 291 | errExit("failed allocating memory for noblacklist entries"); |
295 | 292 | ||
296 | EUID_USER(); | ||
297 | while (entry) { | 293 | while (entry) { |
298 | OPERATION op = OPERATION_MAX; | 294 | OPERATION op = OPERATION_MAX; |
299 | char *ptr; | 295 | char *ptr; |
@@ -469,8 +465,6 @@ void fs_blacklist(void) { | |||
469 | for (i = 0; i < noblacklist_c; i++) | 465 | for (i = 0; i < noblacklist_c; i++) |
470 | free(noblacklist[i]); | 466 | free(noblacklist[i]); |
471 | free(noblacklist); | 467 | free(noblacklist); |
472 | |||
473 | EUID_ROOT(); | ||
474 | } | 468 | } |
475 | 469 | ||
476 | //*********************************************** | 470 | //*********************************************** |
@@ -479,7 +473,7 @@ void fs_blacklist(void) { | |||
479 | 473 | ||
480 | // mount a writable tmpfs on directory; requires a resolved path | 474 | // mount a writable tmpfs on directory; requires a resolved path |
481 | void fs_tmpfs(const char *dir, unsigned check_owner) { | 475 | void fs_tmpfs(const char *dir, unsigned check_owner) { |
482 | EUID_USER(); | 476 | EUID_ASSERT(); |
483 | assert(dir); | 477 | assert(dir); |
484 | if (arg_debug) | 478 | if (arg_debug) |
485 | printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); | 479 | printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); |
@@ -504,12 +498,13 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
504 | errExit("fstatvfs"); | 498 | errExit("fstatvfs"); |
505 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); | 499 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); |
506 | // mount via the symbolic link in /proc/self/fd | 500 | // mount via the symbolic link in /proc/self/fd |
507 | EUID_ROOT(); | ||
508 | char *proc; | 501 | char *proc; |
509 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 502 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
510 | errExit("asprintf"); | 503 | errExit("asprintf"); |
504 | EUID_ROOT(); | ||
511 | if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0) | 505 | if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0) |
512 | errExit("mounting tmpfs"); | 506 | errExit("mounting tmpfs"); |
507 | EUID_USER(); | ||
513 | // check the last mount operation | 508 | // check the last mount operation |
514 | MountData *mdata = get_last_mount(); | 509 | MountData *mdata = get_last_mount(); |
515 | if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0) | 510 | if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0) |
@@ -635,40 +630,37 @@ out: | |||
635 | } | 630 | } |
636 | 631 | ||
637 | // remount recursively; requires a resolved path | 632 | // remount recursively; requires a resolved path |
638 | static void fs_remount_rec(const char *dir, OPERATION op) { | 633 | static void fs_remount_rec(const char *path, OPERATION op) { |
639 | EUID_ASSERT(); | 634 | EUID_ASSERT(); |
640 | assert(dir); | 635 | assert(op < OPERATION_MAX); |
636 | assert(path); | ||
641 | 637 | ||
642 | struct stat s; | 638 | // no need to search /proc/self/mountinfo for submounts if not a directory |
643 | if (stat(dir, &s) != 0) | 639 | int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
644 | return; | 640 | if (fd < 0) { |
645 | if (!S_ISDIR(s.st_mode)) { | 641 | fs_remount_simple(path, op); |
646 | // no need to search in /proc/self/mountinfo for submounts if not a directory | ||
647 | fs_remount_simple(dir, op); | ||
648 | return; | 642 | return; |
649 | } | 643 | } |
650 | // get mount point of the directory | 644 | |
651 | int mountid = get_mount_id(dir); | 645 | // get mount id of the directory |
652 | if (mountid == -1) | 646 | int mountid = get_mount_id(fd); |
653 | return; | 647 | close(fd); |
654 | if (mountid == -2) { | 648 | if (mountid < 0) { |
655 | // falling back to a simple remount on old kernels | 649 | // falling back to a simple remount |
656 | static int mount_warning = 0; | 650 | fwarning("%s %s not applied recursively\n", opstr[op], path); |
657 | if (!mount_warning) { | 651 | fs_remount_simple(path, op); |
658 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
659 | mount_warning = 1; | ||
660 | } | ||
661 | fs_remount_simple(dir, op); | ||
662 | return; | 652 | return; |
663 | } | 653 | } |
654 | |||
664 | // build array with all mount points that need to get remounted | 655 | // build array with all mount points that need to get remounted |
665 | char **arr = build_mount_array(mountid, dir); | 656 | char **arr = build_mount_array(mountid, path); |
666 | assert(arr); | 657 | if (!arr) |
658 | return; | ||
667 | // remount | 659 | // remount |
668 | char **tmp = arr; | 660 | int i; |
669 | while (*tmp) { | 661 | for (i = 0; arr[i]; i++) { |
670 | fs_remount_simple(*tmp, op); | 662 | fs_remount_simple(arr[i], op); |
671 | free(*tmp++); | 663 | free(arr[i]); |
672 | } | 664 | } |
673 | free(arr); | 665 | free(arr); |
674 | } | 666 | } |
@@ -903,367 +895,6 @@ void fs_basic_fs(void) { | |||
903 | } | 895 | } |
904 | 896 | ||
905 | 897 | ||
906 | |||
907 | #ifdef HAVE_OVERLAYFS | ||
908 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | ||
909 | assert(subdirname); | ||
910 | EUID_ASSERT(); | ||
911 | struct stat s; | ||
912 | char *dirname; | ||
913 | |||
914 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | ||
915 | errExit("asprintf"); | ||
916 | // check if ~/.firejail already exists | ||
917 | if (lstat(dirname, &s) == 0) { | ||
918 | if (!S_ISDIR(s.st_mode)) { | ||
919 | if (S_ISLNK(s.st_mode)) | ||
920 | fprintf(stderr, "Error: %s is a symbolic link\n", dirname); | ||
921 | else | ||
922 | fprintf(stderr, "Error: %s is not a directory\n", dirname); | ||
923 | exit(1); | ||
924 | } | ||
925 | if (s.st_uid != getuid()) { | ||
926 | fprintf(stderr, "Error: %s is not owned by the current user\n", dirname); | ||
927 | exit(1); | ||
928 | } | ||
929 | } | ||
930 | else { | ||
931 | // create ~/.firejail directory | ||
932 | create_empty_dir_as_user(dirname, 0700); | ||
933 | if (stat(dirname, &s) == -1) { | ||
934 | fprintf(stderr, "Error: cannot create directory %s\n", dirname); | ||
935 | exit(1); | ||
936 | } | ||
937 | } | ||
938 | free(dirname); | ||
939 | |||
940 | // check overlay directory | ||
941 | if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) | ||
942 | errExit("asprintf"); | ||
943 | if (lstat(dirname, &s) == 0) { | ||
944 | if (!S_ISDIR(s.st_mode)) { | ||
945 | if (S_ISLNK(s.st_mode)) | ||
946 | fprintf(stderr, "Error: %s is a symbolic link\n", dirname); | ||
947 | else | ||
948 | fprintf(stderr, "Error: %s is not a directory\n", dirname); | ||
949 | exit(1); | ||
950 | } | ||
951 | if (s.st_uid != 0) { | ||
952 | fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname); | ||
953 | exit(1); | ||
954 | } | ||
955 | if (allow_reuse == 0) { | ||
956 | fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n"); | ||
957 | exit(1); | ||
958 | } | ||
959 | } | ||
960 | |||
961 | return dirname; | ||
962 | } | ||
963 | |||
964 | |||
965 | |||
966 | // mount overlayfs on top of / directory | ||
967 | // mounting an overlay and chrooting into it: | ||
968 | // | ||
969 | // Old Ubuntu kernel | ||
970 | // # cd ~ | ||
971 | // # mkdir -p overlay/root | ||
972 | // # mkdir -p overlay/diff | ||
973 | // # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root | ||
974 | // # chroot /root/overlay/root | ||
975 | // to shutdown, first exit the chroot and then unmount the overlay | ||
976 | // # exit | ||
977 | // # umount /root/overlay/root | ||
978 | // | ||
979 | // Kernels 3.18+ | ||
980 | // # cd ~ | ||
981 | // # mkdir -p overlay/root | ||
982 | // # mkdir -p overlay/diff | ||
983 | // # mkdir -p overlay/work | ||
984 | // # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root | ||
985 | // # cat /etc/mtab | grep overlay | ||
986 | // /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0 | ||
987 | // # chroot /root/overlay/root | ||
988 | // to shutdown, first exit the chroot and then unmount the overlay | ||
989 | // # exit | ||
990 | // # umount /root/overlay/root | ||
991 | |||
992 | |||
993 | // to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean | ||
994 | #include <sys/utsname.h> | ||
995 | void fs_overlayfs(void) { | ||
996 | struct stat s; | ||
997 | |||
998 | // check kernel version | ||
999 | struct utsname u; | ||
1000 | int rv = uname(&u); | ||
1001 | if (rv != 0) | ||
1002 | errExit("uname"); | ||
1003 | int major; | ||
1004 | int minor; | ||
1005 | if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { | ||
1006 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); | ||
1007 | exit(1); | ||
1008 | } | ||
1009 | |||
1010 | if (arg_debug) | ||
1011 | printf("Linux kernel version %d.%d\n", major, minor); | ||
1012 | int oldkernel = 0; | ||
1013 | if (major < 3) { | ||
1014 | fprintf(stderr, "Error: minimum kernel version required 3.x\n"); | ||
1015 | exit(1); | ||
1016 | } | ||
1017 | if (major == 3 && minor < 18) | ||
1018 | oldkernel = 1; | ||
1019 | |||
1020 | // mounting an overlayfs on top of / seems to be broken for kernels > 4.19 | ||
1021 | // we disable overlayfs for now, pending fixing | ||
1022 | if (major >= 4 &&minor >= 19) { | ||
1023 | fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n"); | ||
1024 | exit(1); | ||
1025 | } | ||
1026 | |||
1027 | char *oroot = RUN_OVERLAY_ROOT; | ||
1028 | mkdir_attr(oroot, 0755, 0, 0); | ||
1029 | |||
1030 | // set base for working and diff directories | ||
1031 | char *basedir = RUN_MNT_DIR; | ||
1032 | int basefd = -1; | ||
1033 | |||
1034 | if (arg_overlay_keep) { | ||
1035 | basedir = cfg.overlay_dir; | ||
1036 | assert(basedir); | ||
1037 | // get a file descriptor for ~/.firejail, fails if there is any symlink | ||
1038 | char *firejail; | ||
1039 | if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1) | ||
1040 | errExit("asprintf"); | ||
1041 | int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | ||
1042 | if (fd == -1) | ||
1043 | errExit("safer_openat"); | ||
1044 | free(firejail); | ||
1045 | // create basedir if it doesn't exist | ||
1046 | // the new directory will be owned by root | ||
1047 | const char *dirname = gnu_basename(basedir); | ||
1048 | if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) { | ||
1049 | perror("mkdir"); | ||
1050 | fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir); | ||
1051 | exit(1); | ||
1052 | } | ||
1053 | // open basedir | ||
1054 | basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | ||
1055 | close(fd); | ||
1056 | } | ||
1057 | else { | ||
1058 | basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | ||
1059 | } | ||
1060 | if (basefd == -1) { | ||
1061 | perror("open"); | ||
1062 | fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir); | ||
1063 | exit(1); | ||
1064 | } | ||
1065 | |||
1066 | // confirm once more base is owned by root | ||
1067 | if (fstat(basefd, &s) == -1) | ||
1068 | errExit("fstat"); | ||
1069 | if (s.st_uid != 0) { | ||
1070 | fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir); | ||
1071 | exit(1); | ||
1072 | } | ||
1073 | // confirm permissions of base are 0755 | ||
1074 | if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) { | ||
1075 | fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir); | ||
1076 | exit(1); | ||
1077 | } | ||
1078 | |||
1079 | // create diff and work directories inside base | ||
1080 | // no need to check arg_overlay_reuse | ||
1081 | char *odiff; | ||
1082 | if (asprintf(&odiff, "%s/odiff", basedir) == -1) | ||
1083 | errExit("asprintf"); | ||
1084 | // the new directory will be owned by root | ||
1085 | if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) { | ||
1086 | perror("mkdir"); | ||
1087 | fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff); | ||
1088 | exit(1); | ||
1089 | } | ||
1090 | ASSERT_PERMS(odiff, 0, 0, 0755); | ||
1091 | |||
1092 | char *owork; | ||
1093 | if (asprintf(&owork, "%s/owork", basedir) == -1) | ||
1094 | errExit("asprintf"); | ||
1095 | // the new directory will be owned by root | ||
1096 | if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) { | ||
1097 | perror("mkdir"); | ||
1098 | fprintf(stderr, "Error: cannot create overlay directory %s\n", owork); | ||
1099 | exit(1); | ||
1100 | } | ||
1101 | ASSERT_PERMS(owork, 0, 0, 0755); | ||
1102 | |||
1103 | // mount overlayfs | ||
1104 | if (arg_debug) | ||
1105 | printf("Mounting OverlayFS\n"); | ||
1106 | char *option; | ||
1107 | if (oldkernel) { // old Ubuntu/OpenSUSE kernels | ||
1108 | if (arg_overlay_keep) { | ||
1109 | fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n"); | ||
1110 | exit(1); | ||
1111 | } | ||
1112 | if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1) | ||
1113 | errExit("asprintf"); | ||
1114 | if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0) | ||
1115 | errExit("mounting overlayfs"); | ||
1116 | } | ||
1117 | else { // kernel 3.18 or newer | ||
1118 | if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1) | ||
1119 | errExit("asprintf"); | ||
1120 | if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) { | ||
1121 | fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor); | ||
1122 | errExit("mounting overlayfs"); | ||
1123 | } | ||
1124 | |||
1125 | //*************************** | ||
1126 | // issue #263 start code | ||
1127 | // My setup has a separate mount point for /home. When the overlay is mounted, | ||
1128 | // the overlay does not contain the original /home contents. | ||
1129 | // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work | ||
1130 | // @dshmgh, Jan 2016 | ||
1131 | { | ||
1132 | char *overlayhome; | ||
1133 | struct stat s; | ||
1134 | char *hroot; | ||
1135 | char *hdiff; | ||
1136 | char *hwork; | ||
1137 | |||
1138 | // dons add debug | ||
1139 | if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); | ||
1140 | |||
1141 | // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? | ||
1142 | // must create var for oroot/cfg.homedir | ||
1143 | if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1) | ||
1144 | errExit("asprintf"); | ||
1145 | if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome); | ||
1146 | |||
1147 | // if no homedir in overlay -- create another overlay for /home | ||
1148 | if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) { | ||
1149 | |||
1150 | // no need to check arg_overlay_reuse | ||
1151 | if (asprintf(&hdiff, "%s/hdiff", basedir) == -1) | ||
1152 | errExit("asprintf"); | ||
1153 | // the new directory will be owned by root | ||
1154 | if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) { | ||
1155 | perror("mkdir"); | ||
1156 | fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff); | ||
1157 | exit(1); | ||
1158 | } | ||
1159 | ASSERT_PERMS(hdiff, 0, 0, 0755); | ||
1160 | |||
1161 | // no need to check arg_overlay_reuse | ||
1162 | if (asprintf(&hwork, "%s/hwork", basedir) == -1) | ||
1163 | errExit("asprintf"); | ||
1164 | // the new directory will be owned by root | ||
1165 | if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) { | ||
1166 | perror("mkdir"); | ||
1167 | fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork); | ||
1168 | exit(1); | ||
1169 | } | ||
1170 | ASSERT_PERMS(hwork, 0, 0, 0755); | ||
1171 | |||
1172 | // no homedir in overlay so now mount another overlay for /home | ||
1173 | if (asprintf(&hroot, "%s/home", oroot) == -1) | ||
1174 | errExit("asprintf"); | ||
1175 | if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) | ||
1176 | errExit("asprintf"); | ||
1177 | if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) | ||
1178 | errExit("mounting overlayfs for mounted home directory"); | ||
1179 | |||
1180 | printf("OverlayFS for /home configured in %s directory\n", basedir); | ||
1181 | free(hroot); | ||
1182 | free(hdiff); | ||
1183 | free(hwork); | ||
1184 | |||
1185 | } // stat(overlayhome) | ||
1186 | free(overlayhome); | ||
1187 | } | ||
1188 | // issue #263 end code | ||
1189 | //*************************** | ||
1190 | } | ||
1191 | fmessage("OverlayFS configured in %s directory\n", basedir); | ||
1192 | close(basefd); | ||
1193 | |||
1194 | // /dev, /run and /tmp are not covered by the overlay | ||
1195 | // mount-bind dev directory | ||
1196 | if (arg_debug) | ||
1197 | printf("Mounting /dev\n"); | ||
1198 | char *dev; | ||
1199 | if (asprintf(&dev, "%s/dev", oroot) == -1) | ||
1200 | errExit("asprintf"); | ||
1201 | if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1202 | errExit("mounting /dev"); | ||
1203 | fs_logger("whitelist /dev"); | ||
1204 | |||
1205 | // mount-bind run directory | ||
1206 | if (arg_debug) | ||
1207 | printf("Mounting /run\n"); | ||
1208 | char *run; | ||
1209 | if (asprintf(&run, "%s/run", oroot) == -1) | ||
1210 | errExit("asprintf"); | ||
1211 | if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1212 | errExit("mounting /run"); | ||
1213 | fs_logger("whitelist /run"); | ||
1214 | |||
1215 | // mount-bind tmp directory | ||
1216 | if (arg_debug) | ||
1217 | printf("Mounting /tmp\n"); | ||
1218 | char *tmp; | ||
1219 | if (asprintf(&tmp, "%s/tmp", oroot) == -1) | ||
1220 | errExit("asprintf"); | ||
1221 | if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
1222 | errExit("mounting /tmp"); | ||
1223 | fs_logger("whitelist /tmp"); | ||
1224 | |||
1225 | // chroot in the new filesystem | ||
1226 | __gcov_flush(); | ||
1227 | |||
1228 | if (chroot(oroot) == -1) | ||
1229 | errExit("chroot"); | ||
1230 | |||
1231 | // mount a new proc filesystem | ||
1232 | if (arg_debug) | ||
1233 | printf("Mounting /proc filesystem representing the PID namespace\n"); | ||
1234 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | ||
1235 | errExit("mounting /proc"); | ||
1236 | |||
1237 | // update /var directory in order to support multiple sandboxes running on the same root directory | ||
1238 | // if (!arg_private_dev) | ||
1239 | // fs_dev_shm(); | ||
1240 | fs_var_lock(); | ||
1241 | if (!arg_keep_var_tmp) | ||
1242 | fs_var_tmp(); | ||
1243 | if (!arg_writable_var_log) | ||
1244 | fs_var_log(); | ||
1245 | fs_var_lib(); | ||
1246 | fs_var_cache(); | ||
1247 | fs_var_utmp(); | ||
1248 | fs_machineid(); | ||
1249 | |||
1250 | // don't leak user information | ||
1251 | restrict_users(); | ||
1252 | |||
1253 | // when starting as root, firejail config is not disabled; | ||
1254 | if (getuid() != 0) | ||
1255 | disable_config(); | ||
1256 | |||
1257 | // cleanup and exit | ||
1258 | free(option); | ||
1259 | free(odiff); | ||
1260 | free(owork); | ||
1261 | free(dev); | ||
1262 | free(run); | ||
1263 | free(tmp); | ||
1264 | } | ||
1265 | #endif | ||
1266 | |||
1267 | // this function is called from sandbox.c before blacklist/whitelist functions | 898 | // this function is called from sandbox.c before blacklist/whitelist functions |
1268 | void fs_private_tmp(void) { | 899 | void fs_private_tmp(void) { |
1269 | EUID_ASSERT(); | 900 | EUID_ASSERT(); |
@@ -1287,7 +918,6 @@ void fs_private_tmp(void) { | |||
1287 | 918 | ||
1288 | // whitelist x11 directory | 919 | // whitelist x11 directory |
1289 | profile_add("whitelist /tmp/.X11-unix"); | 920 | profile_add("whitelist /tmp/.X11-unix"); |
1290 | // read-only x11 directory | ||
1291 | profile_add("read-only /tmp/.X11-unix"); | 921 | profile_add("read-only /tmp/.X11-unix"); |
1292 | 922 | ||
1293 | // whitelist sndio directory | 923 | // whitelist sndio directory |
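Review bot: In the rewritten `fs_remount_rec`, `if (!arr) return;` replaces `assert(arr)` and leaves the function without applying the requested operation and without any message, so a read-only or noexec request can end up silently not applied. The `mountid < 0` branch just above warns and falls back to `fs_remount_simple(path, op)`; the NULL case should at least warn, e.g. `if (!arr) { fwarning("%s %s not applied\n", opstr[op], path); return; }`. Whether it should also fall back depends on when `build_mount_array` returns NULL, which is not visible here. The `fd < 0` branch likewise treats every `open()` failure as "not a directory", where the old code returned when `stat()` failed. Checking `errno == ENOTDIR`, or a comment saying that `fs_remount_simple` rejects the other cases, would make that intent clear.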
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 8cc3ecc62..694d0a379 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -20,7 +20,6 @@ | |||
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <linux/limits.h> | ||
24 | #include <glob.h> | 23 | #include <glob.h> |
25 | #include <dirent.h> | 24 | #include <dirent.h> |
26 | #include <fcntl.h> | 25 | #include <fcntl.h> |
@@ -330,8 +329,10 @@ void fs_dev_disable_sound(void) { | |||
330 | } | 329 | } |
331 | 330 | ||
332 | // disable all jack sockets in /dev/shm | 331 | // disable all jack sockets in /dev/shm |
332 | EUID_USER(); | ||
333 | glob_t globbuf; | 333 | glob_t globbuf; |
334 | int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); | 334 | int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); |
335 | EUID_ROOT(); | ||
335 | if (globerr) | 336 | if (globerr) |
336 | return; | 337 | return; |
337 | 338 | ||
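Review bot: The `EUID_USER()` / `EUID_ROOT()` pair added around `glob("/dev/shm/jack*", ...)` in `fs_dev_disable_sound` has no comment saying why the lookup is done unprivileged. A line such as `// expand the pattern as the user: /dev/shm is typically user-writable` would record the reason for the next maintainer. The matches in `globbuf` are consumed after `EUID_ROOT()` in code below the hunk, so it is worth checking there that each path is validated again at the point of use rather than trusted from the glob result. The function starts above and continues past this hunk.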
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 0ed476063..8d8530d81 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -19,7 +19,6 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
22 | #include <linux/limits.h> | ||
23 | #include <dirent.h> | 22 | #include <dirent.h> |
24 | #include <errno.h> | 23 | #include <errno.h> |
25 | #include <sys/stat.h> | 24 | #include <sys/stat.h> |
@@ -395,14 +394,16 @@ void fs_private(void) { | |||
395 | } | 394 | } |
396 | if (chown(homedir, u, g) < 0) | 395 | if (chown(homedir, u, g) < 0) |
397 | errExit("chown"); | 396 | errExit("chown"); |
398 | |||
399 | fs_logger2("mkdir", homedir); | 397 | fs_logger2("mkdir", homedir); |
400 | fs_logger2("tmpfs", homedir); | 398 | fs_logger2("tmpfs", homedir); |
401 | } | 399 | } |
402 | else | 400 | else { |
403 | // mask user home directory | 401 | // mask user home directory |
404 | // the directory should be owned by the current user | 402 | // the directory should be owned by the current user |
403 | EUID_USER(); | ||
405 | fs_tmpfs(homedir, 1); | 404 | fs_tmpfs(homedir, 1); |
405 | EUID_ROOT(); | ||
406 | } | ||
406 | 407 | ||
407 | selinux_relabel_path(homedir, homedir); | 408 | selinux_relabel_path(homedir, homedir); |
408 | } | 409 | } |
@@ -564,12 +565,13 @@ void fs_private_home_list(void) { | |||
564 | int xflag = store_xauthority(); | 565 | int xflag = store_xauthority(); |
565 | int aflag = store_asoundrc(); | 566 | int aflag = store_asoundrc(); |
566 | 567 | ||
567 | // create /run/firejail/mnt/home directory | ||
568 | EUID_ROOT(); | 568 | EUID_ROOT(); |
569 | // create /run/firejail/mnt/home directory | ||
569 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); | 570 | mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); |
570 | selinux_relabel_path(RUN_HOME_DIR, homedir); | 571 | selinux_relabel_path(RUN_HOME_DIR, homedir); |
571 | 572 | ||
572 | fs_logger_print(); // save the current log | 573 | // save the current log |
574 | fs_logger_print(); | ||
573 | EUID_USER(); | 575 | EUID_USER(); |
574 | 576 | ||
575 | // copy the list of files in the new home directory | 577 | // copy the list of files in the new home directory |
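Review bot: The `EUID_USER(); fs_tmpfs(homedir, 1); EUID_ROOT();` sequence added to the `else` branch of `fs_private` depends on a calling convention that is written down nowhere. Per the `fs.c` change on this page, `fs_tmpfs` now begins with `EUID_ASSERT()` instead of `EUID_USER()` and switches back to the user after the mount, while the old `// fs_tmpfs returns with EUID 0` comment was removed. I would add `// fs_tmpfs expects the user's EUID on entry and returns with it` at this call site or on the declaration, so other callers do not reintroduce a root-EUID call. `fs_private` starts above the hunk.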
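--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
 if (arg_debug)
 printf("Creating a new /etc/hostname file\n");
 
-create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
 // bind-mount the file on top of /etc/hostname
 if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
 }
 fclose(fp1);
 // mode and owner
-SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 fclose(fp2);
 
 // bind-mount the file on top of /etc/hostname
@@ -93,10 +92,6 @@ char *fs_check_hosts_file(const char *fname) {
 invalid_filename(fname, 0); // no globbing
 char *rv = expand_macros(fname);
 
-// no a link
-if (is_link(rv))
-goto errexit;
-
 // the user has read access to the file
 if (access(rv, R_OK))
 goto errexit;
@@ -119,9 +114,6 @@ void fs_mount_hosts_file(void) {
 struct stat s;
 if (stat("/etc/hosts", &s) == -1)
 goto errexit;
-// not a link
-if (is_link("/etc/hosts"))
-goto errexit;
 // owned by root
 if (s.st_uid != 0)
 goto errexit;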
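Review bot: With the `is_link()` tests dropped from `fs_check_hosts_file()` and `fs_mount_hosts_file()`, the checks that remain in both hunks follow symbolic links: `access(rv, R_OK)` and `stat("/etc/hosts", &s)` are evaluated on the link target, so the `s.st_uid != 0` test no longer says anything about the path itself. Nothing visible in the hunks records why that is acceptable; if a later step (outside these hunks) opens or mounts the file in a way that cannot be redirected, a comment at each removed check should say so, for example `// symlinks are not rejected here; see the open/mount below for link handling`. If there is no such step, an `lstat()`-based test or an `O_NOFOLLOW` open is needed in place of the removed lines. Both function bodies continue outside the hunks.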
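--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -195,6 +195,11 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 assert(full_path);
 // if library/executable does not exist or the user does not have read access to it
 // print a warning and exit the function.
+if (access(full_path, F_OK)) {
+if (arg_debug || arg_debug_private_lib)
+printf("Cannot find %s, skipping...\n", full_path);
+return;
+}
 if (user && access(full_path, R_OK)) {
 if (arg_debug || arg_debug_private_lib)
 printf("Cannot read %s, skipping...\n", full_path);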
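Review bot: The added `access(full_path, F_OK)` test reports every failure as "Cannot find", but `access()` is evaluated with the real UID, so a path that exists under a directory the invoking user cannot search is skipped too, even when `user` is 0 and the caller asked for root parsing. That appears to work against the fs_lib2.c change in this commit, which passes 0 precisely for binaries the user cannot read. If root parsing is meant to cover that case, testing the error keeps the two apart: `if (access(full_path, F_OK) && errno == ENOENT) {`. The comment above the check also promises a warning, while the message is only printed with `arg_debug` or `arg_debug_private_lib`. The function body continues outside the hunk.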
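--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -143,7 +143,7 @@ static void fdir(void) {
 NULL,
 };
 
-// need to parse as root user, unprivileged users have no read permission on executables
+// need to parse as root user, unprivileged users have no read permission on some of these binaries
 int i;
 for (i = 0; fbin[i]; i++)
 fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@ void fslib_install_firejail(void) {
 timetrace_start();
 // bring in firejail executable libraries, in case we are redirected here
 // by a firejail symlink from /usr/local/bin/firejail
-fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+// fldd might have no read permission on the firejail executable
+// parse as root in order to support these setups
+fslib_mount_libs(PATH_FIREJAIL, 0);
 
 // bring in firejail directory
 fdir();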
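Review bot: Changing `fslib_mount_libs(PATH_FIREJAIL, 1)` to `0` in `fslib_install_firejail()` moves the library scan of the firejail binary from the user's privileges to root's, and the new comment gives the motivation but not why the wider privilege is safe. `fslib_mount_libs()` is not shown in this section, so the privilege change is inferred from the "parse as root" wording. A line such as `// PATH_FIREJAIL is fixed at build time and not user-controlled, so parsing it as root does not act on user input` would record the assumption. It is worth confirming that it still holds when firejail is reached through a symlink, as the comment two lines above describes.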
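--- /dev/null
+++ b/src/firejail/fs_overlayfs.c
@@ -0,0 +1,470 @@
+/*
+* Copyright (C) 2014-2021 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifdef HAVE_OVERLAYFS
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <ftw.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+assert(subdirname);
+EUID_ASSERT();
+struct stat s;
+char *dirname;
+
+if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+errExit("asprintf");
+// check if ~/.firejail already exists
+if (lstat(dirname, &s) == 0) {
+if (!S_ISDIR(s.st_mode)) {
+if (S_ISLNK(s.st_mode))
+fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+else
+fprintf(stderr, "Error: %s is not a directory\n", dirname);
+exit(1);
+}
+if (s.st_uid != getuid()) {
+fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
+exit(1);
+}
+}
+else {
+// create ~/.firejail directory
+create_empty_dir_as_user(dirname, 0700);
+if (stat(dirname, &s) == -1) {
+fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+exit(1);
+}
+}
+free(dirname);
+
+// check overlay directory
+if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+errExit("asprintf");
+if (lstat(dirname, &s) == 0) {
+if (!S_ISDIR(s.st_mode)) {
+if (S_ISLNK(s.st_mode))
+fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+else
+fprintf(stderr, "Error: %s is not a directory\n", dirname);
+exit(1);
+}
+if (s.st_uid != 0) {
+fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+exit(1);
+}
+if (allow_reuse == 0) {
+fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+exit(1);
+}
+}
+
+return dirname;
+}
+
+
+// mount overlayfs on top of / directory
+// mounting an overlay and chrooting into it:
+//
+// Old Ubuntu kernel
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then unmount the overlay
+// # exit
+// # umount /root/overlay/root
+//
+// Kernels 3.18+
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mkdir -p overlay/work
+// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
+// # cat /etc/mtab | grep overlay
+// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then unmount the overlay
+// # exit
+// # umount /root/overlay/root
+
+// to do: fix the code below
+#include <sys/utsname.h>
+void fs_overlayfs(void) {
+struct stat s;
+
+// check kernel version
+struct utsname u;
+int rv = uname(&u);
+if (rv != 0)
+errExit("uname");
+int major;
+int minor;
+if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+exit(1);
+}
+
+if (arg_debug)
+printf("Linux kernel version %d.%d\n", major, minor);
+int oldkernel = 0;
+if (major < 3) {
+fprintf(stderr, "Error: minimum kernel version required 3.x\n");
+exit(1);
+}
+if (major == 3 && minor < 18)
+oldkernel = 1;
+
+// mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+// we disable overlayfs for now, pending fixing
+if (major >= 4 &&minor >= 19) {
+fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+exit(1);
+}
+
+char *oroot = RUN_OVERLAY_ROOT;
+mkdir_attr(oroot, 0755, 0, 0);
+
+// set base for working and diff directories
+char *basedir = RUN_MNT_DIR;
+int basefd = -1;
+
+if (arg_overlay_keep) {
+basedir = cfg.overlay_dir;
+assert(basedir);
+// get a file descriptor for ~/.firejail, fails if there is any symlink
+char *firejail;
+if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+errExit("asprintf");
+int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+if (fd == -1)
+errExit("safer_openat");
+free(firejail);
+// create basedir if it doesn't exist
+// the new directory will be owned by root
+const char *dirname = gnu_basename(basedir);
+if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+perror("mkdir");
+fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+exit(1);
+}
+// open basedir
+basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+close(fd);
+}
+else {
+basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+}
+if (basefd == -1) {
+perror("open");
+fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+exit(1);
+}
+
+// confirm once more base is owned by root
+if (fstat(basefd, &s) == -1)
+errExit("fstat");
+if (s.st_uid != 0) {
+fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+exit(1);
+}
+// confirm permissions of base are 0755
+if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+exit(1);
+}
+
+// create diff and work directories inside base
+// no need to check arg_overlay_reuse
+char *odiff;
+if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+errExit("asprintf");
+// the new directory will be owned by root
+if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+perror("mkdir");
+fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+exit(1);
+}
+ASSERT_PERMS(odiff, 0, 0, 0755);
+
+char *owork;
+if (asprintf(&owork, "%s/owork", basedir) == -1)
+errExit("asprintf");
+// the new directory will be owned by root
+if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+perror("mkdir");
+fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+exit(1);
+}
+ASSERT_PERMS(owork, 0, 0, 0755);
+
+// mount overlayfs
+if (arg_debug)
+printf("Mounting OverlayFS\n");
+char *option;
+if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+if (arg_overlay_keep) {
+fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+exit(1);
+}
+if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
+errExit("asprintf");
+if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
+errExit("mounting overlayfs");
+}
+else { // kernel 3.18 or newer
+if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
+errExit("asprintf");
+if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
+errExit("mounting overlayfs");
+}
+
+//***************************
+// issue #263 start code
+// My setup has a separate mount point for /home. When the overlay is mounted,
+// the overlay does not contain the original /home contents.
+// I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
+// @dshmgh, Jan 2016
+{
+char *overlayhome;
+struct stat s;
+char *hroot;
+char *hdiff;
+char *hwork;
+
+// dons add debug
+if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
+
+// BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
+// must create var for oroot/cfg.homedir
+if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
+errExit("asprintf");
+if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
+
+// if no homedir in overlay -- create another overlay for /home
+if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
+
+// no need to check arg_overlay_reuse
+if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
+errExit("asprintf");
+// the new directory will be owned by root
+if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+perror("mkdir");
+fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+exit(1);
+}
+ASSERT_PERMS(hdiff, 0, 0, 0755);
+
+// no need to check arg_overlay_reuse
+if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+errExit("asprintf");
+// the new directory will be owned by root
+if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+perror("mkdir");
+fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+exit(1);
+}
+ASSERT_PERMS(hwork, 0, 0, 0755);
+
+// no homedir in overlay so now mount another overlay for /home
+if (asprintf(&hroot, "%s/home", oroot) == -1)
+errExit("asprintf");
+if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
+errExit("asprintf");
+if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
+errExit("mounting overlayfs for mounted home directory");
+
+printf("OverlayFS for /home configured in %s directory\n", basedir);
+free(hroot);
+free(hdiff);
+free(hwork);
+
+} // stat(overlayhome)
+free(overlayhome);
+}
+// issue #263 end code
+//***************************
+}
+fmessage("OverlayFS configured in %s directory\n", basedir);
+close(basefd);
+
+// /dev, /run and /tmp are not covered by the overlay
+// mount-bind dev directory
+if (arg_debug)
+printf("Mounting /dev\n");
+char *dev;
+if (asprintf(&dev, "%s/dev", oroot) == -1)
+errExit("asprintf");
+if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mounting /dev");
+fs_logger("whitelist /dev");
+
+// mount-bind run directory
+if (arg_debug)
+printf("Mounting /run\n");
+char *run;
+if (asprintf(&run, "%s/run", oroot) == -1)
+errExit("asprintf");
+if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mounting /run");
+fs_logger("whitelist /run");
+
+// mount-bind tmp directory
+if (arg_debug)
+printf("Mounting /tmp\n");
+char *tmp;
+if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+errExit("asprintf");
+if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mounting /tmp");
+fs_logger("whitelist /tmp");
+
+// chroot in the new filesystem
+__gcov_flush();
+
+if (chroot(oroot) == -1)
+errExit("chroot");
+
+// mount a new proc filesystem
+if (arg_debug)
+printf("Mounting /proc filesystem representing the PID namespace\n");
+if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
+// update /var directory in order to support multiple sandboxes running on the same root directory
+// if (!arg_private_dev)
+// fs_dev_shm();
+fs_var_lock();
+if (!arg_keep_var_tmp)
+fs_var_tmp();
+if (!arg_writable_var_log)
+fs_var_log();
+fs_var_lib();
+fs_var_cache();
+fs_var_utmp();
+fs_machineid();
+
+// don't leak user information
+restrict_users();
+
+// when starting as root, firejail config is not disabled;
+if (getuid() != 0)
+disable_config();
+
+// cleanup and exit
+free(option);
+free(odiff);
+free(owork);
+free(dev);
+free(run);
+free(tmp);
+}
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+(void) sb;
+(void) typeflag;
+(void) ftwbuf;
+assert(fpath);
+
+if (strcmp(fpath, ".") == 0) // rmdir would fail with EINVAL
+return 0;
+
+if (remove(fpath)) { // removes the link not the actual file
+fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
+exit(1);
+}
+
+return 0;
+}
+
+int remove_overlay_directory(void) {
+EUID_ASSERT();
+sleep(1);
+
+char *path;
+if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+errExit("asprintf");
+
+if (access(path, F_OK) == 0) {
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// open ~/.firejail
+int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+if (fd == -1) {
+fprintf(stderr, "Error: cannot open %s\n", path);
+exit(1);
+}
+struct stat s;
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (!S_ISDIR(s.st_mode)) {
+if (S_ISLNK(s.st_mode))
+fprintf(stderr, "Error: %s is a symbolic link\n", path);
+else
+fprintf(stderr, "Error: %s is not a directory\n", path);
+exit(1);
+}
+if (s.st_uid != getuid()) {
+fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+exit(1);
+}
+// chdir to ~/.firejail
+if (fchdir(fd) == -1)
+errExit("fchdir");
+close(fd);
+
+EUID_ROOT();
+// FTW_PHYS - do not follow symbolic links
+if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+errExit("nftw");
+
+EUID_USER();
+// remove ~/.firejail
+if (rmdir(path) == -1)
+errExit("rmdir");
+
+__gcov_flush();
+
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+// check if ~/.firejail was deleted
+if (access(path, F_OK) == 0)
+return 1;
+}
+return 0;
+}
+
+#endif // HAVE_OVERLAYFS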
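Review bot: The kernel gate `if (major >= 4 &&minor >= 19)` in `fs_overlayfs()` does not match its own error message: it is false for every release whose minor number is below 19, so 5.0 through 5.18 (and 6.0 onwards) pass the check although the text says OverlayFS is disabled for 4.19 and newer. Since the comment above it describes the mount as broken on those kernels, the comparison should be `if (major > 4 || (major == 4 && minor >= 19)) {`. Separately, the `sscanf` failure message a few lines earlier prints `u.version` although `u.release` is the string that was parsed.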
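--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,25 +20,31 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
 
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
 struct stat s;
 
-// create an empty /etc/ld.so.preload
-if (stat("/etc/ld.so.preload", &s)) {
-if (arg_debug)
-printf("Creating an empty /etc/ld.so.preload file\n");
-FILE *fp = fopen("/etc/ld.so.preload", "wxe");
-if (!fp)
-errExit("fopen");
-SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-fclose(fp);
-fs_logger("touch /etc/ld.so.preload");
+if (stat("/etc/ld.so.preload", &s) != 0) {
+fs_trace_touch_preload();
+return;
+}
+
+if (s.st_size == 0)
+return;
+
+// create a copy of /etc/ld.so.preload
+if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+exit(1);
 }
 }
 
@@ -47,7 +53,7 @@ void fs_tracefile(void) {
 if (arg_debug)
 printf("Creating an empty trace log file: %s\n", arg_tracefile);
 EUID_USER();
-int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (fd == -1) {
 perror("open");
 fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -83,7 +89,7 @@ void fs_trace(void) {
 if (arg_debug)
 printf("Create the new ld.so.preload file\n");
 
-FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
+FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
 if (!fp)
 errExit("fopen");
 const char *prefix = RUN_FIREJAIL_LIB_DIR;
@@ -100,7 +106,7 @@ void fs_trace(void) {
 fmessage("Post-exec seccomp protector enabled\n");
 }
 
-SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 fclose(fp);
 
 // mount the new preload file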
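Review bot: `fs_trace()` now opens `RUN_LDPRELOAD_FILE` with `"ae"`, so its entries are appended to the copy of the host's `/etc/ld.so.preload` made in `fs_trace_touch_or_store_preload()`; if that copy does not end in a newline, the first appended path is joined to the last host entry and neither library is loaded, which would silently drop the trace or post-exec seccomp preload. The writes themselves lie outside the hunk, so this is inferred from the mode change. Emitting a separator first avoids it: `fputc('\n', fp);` directly after the `fopen` check. A comment above `fs_trace_touch_or_store_preload()` should also state that it has to run before `fs_trace()`, since the append depends on that order.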
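--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
 /* coverity[toctou] */
 FILE *fp = fopen("/var/log/wtmp", "wxe");
 if (fp) {
-SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
 }
 fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
 // create an empty /var/log/btmp file
 fp = fopen("/var/log/btmp", "wxe");
 if (fp) {
-SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 fclose(fp);
 }
 fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
 // save new utmp file
 int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
 (void) rv;
-SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
 
 // mount the new utmp file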
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 943f275de..7afebed1f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) { | |||
105 | } | 105 | } |
106 | 106 | ||
107 | static void whitelist_file(int dirfd, const char *relpath, const char *path) { | 107 | static void whitelist_file(int dirfd, const char *relpath, const char *path) { |
108 | EUID_ASSERT(); | ||
108 | assert(relpath && path); | 109 | assert(relpath && path); |
109 | 110 | ||
110 | // open mount source, using a file descriptor that refers to the | 111 | // open mount source, using a file descriptor that refers to the |
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
130 | } | 131 | } |
131 | 132 | ||
132 | // create mount target as root, except if inside home or run/user/$UID directory | 133 | // create mount target as root, except if inside home or run/user/$UID directory |
133 | int userprivs = 0; | 134 | if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') && |
134 | if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || | 135 | (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/')) |
135 | (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { | 136 | EUID_ROOT(); |
136 | EUID_USER(); | ||
137 | userprivs = 1; | ||
138 | } | ||
139 | 137 | ||
140 | // create path of the mount target | 138 | // create path of the mount target |
141 | int fd2 = whitelist_mkpath(path, 0755); | 139 | int fd2 = whitelist_mkpath(path, 0755); |
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
146 | if (arg_debug || arg_debug_whitelists) | 144 | if (arg_debug || arg_debug_whitelists) |
147 | printf("Debug %d: skip whitelist %s\n", __LINE__, path); | 145 | printf("Debug %d: skip whitelist %s\n", __LINE__, path); |
148 | close(fd); | 146 | close(fd); |
149 | if (userprivs) | 147 | EUID_USER(); |
150 | EUID_ROOT(); | ||
151 | return; | 148 | return; |
152 | } | 149 | } |
153 | 150 | ||
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
166 | } | 163 | } |
167 | close(fd); | 164 | close(fd); |
168 | close(fd2); | 165 | close(fd2); |
169 | if (userprivs) | 166 | EUID_USER(); |
170 | EUID_ROOT(); | ||
171 | return; | 167 | return; |
172 | } | 168 | } |
173 | fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 169 | fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
184 | } | 180 | } |
185 | close(fd); | 181 | close(fd); |
186 | close(fd2); | 182 | close(fd2); |
187 | if (userprivs) | 183 | EUID_USER(); |
188 | EUID_ROOT(); | ||
189 | return; | 184 | return; |
190 | } | 185 | } |
191 | |||
192 | close(fd2); | 186 | close(fd2); |
193 | if (userprivs) | ||
194 | EUID_ROOT(); | ||
195 | 187 | ||
196 | if (arg_debug || arg_debug_whitelists) | 188 | if (arg_debug || arg_debug_whitelists) |
197 | printf("Whitelisting %s\n", path); | 189 | printf("Whitelisting %s\n", path); |
190 | EUID_ROOT(); | ||
198 | if (bind_mount_by_fd(fd, fd3)) | 191 | if (bind_mount_by_fd(fd, fd3)) |
199 | errExit("mount bind"); | 192 | errExit("mount bind"); |
193 | EUID_USER(); | ||
200 | // check the last mount operation | 194 | // check the last mount operation |
201 | MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found | 195 | MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found |
202 | #ifdef TEST_MOUNTINFO | 196 | #ifdef TEST_MOUNTINFO |
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
219 | } | 213 | } |
220 | 214 | ||
221 | static void whitelist_symlink(const char *link, const char *target) { | 215 | static void whitelist_symlink(const char *link, const char *target) { |
216 | EUID_ASSERT(); | ||
222 | assert(link && target); | 217 | assert(link && target); |
223 | 218 | ||
224 | // create files as root, except if inside home or run/user/$UID directory | 219 | // create files as root, except if inside home or run/user/$UID directory |
225 | int userprivs = 0; | 220 | if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') && |
226 | if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') || | 221 | (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/')) |
227 | (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { | 222 | EUID_ROOT(); |
228 | EUID_USER(); | ||
229 | userprivs = 1; | ||
230 | } | ||
231 | 223 | ||
232 | int fd = whitelist_mkpath(link, 0755); | 224 | int fd = whitelist_mkpath(link, 0755); |
233 | if (fd == -1) { | 225 | if (fd == -1) { |
234 | if (arg_debug || arg_debug_whitelists) | 226 | if (arg_debug || arg_debug_whitelists) |
235 | printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); | 227 | printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); |
236 | if (userprivs) | 228 | EUID_USER(); |
237 | EUID_ROOT(); | ||
238 | return; | 229 | return; |
239 | } | 230 | } |
240 | 231 | ||
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) { | |||
252 | printf("Created symbolic link %s -> %s\n", link, target); | 243 | printf("Created symbolic link %s -> %s\n", link, target); |
253 | 244 | ||
254 | close(fd); | 245 | close(fd); |
255 | if (userprivs) | 246 | EUID_USER(); |
256 | EUID_ROOT(); | ||
257 | } | 247 | } |
258 | 248 | ||
259 | static void globbing(const char *pattern) { | 249 | static void globbing(const char *pattern) { |
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
330 | // init tmpfs | 320 | // init tmpfs |
331 | if (strcmp(topdirs[i].path, "/run") == 0) { | 321 | if (strcmp(topdirs[i].path, "/run") == 0) { |
332 | // restore /run/firejail directory | 322 | // restore /run/firejail directory |
333 | if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) | 323 | EUID_ROOT(); |
334 | errExit("mkdir"); | 324 | mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0); |
335 | if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) | 325 | if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) |
336 | errExit("mount bind"); | 326 | errExit("mount bind"); |
327 | EUID_USER(); | ||
337 | close(fd); | 328 | close(fd); |
338 | fs_logger2("whitelist", RUN_FIREJAIL_DIR); | 329 | fs_logger2("whitelist", RUN_FIREJAIL_DIR); |
339 | 330 | ||
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
351 | errExit("asprintf"); | 342 | errExit("asprintf"); |
352 | if (strcmp(env, pamtmpdir) == 0) { | 343 | if (strcmp(env, pamtmpdir) == 0) { |
353 | // create empty user-owned /tmp/user/$UID directory | 344 | // create empty user-owned /tmp/user/$UID directory |
345 | EUID_ROOT(); | ||
354 | mkdir_attr("/tmp/user", 0711, 0, 0); | 346 | mkdir_attr("/tmp/user", 0711, 0, 0); |
355 | selinux_relabel_path("/tmp/user", "/tmp/user"); | 347 | selinux_relabel_path("/tmp/user", "/tmp/user"); |
356 | fs_logger("mkdir /tmp/user"); | 348 | fs_logger("mkdir /tmp/user"); |
357 | mkdir_attr(pamtmpdir, 0700, getuid(), 0); | 349 | mkdir_attr(pamtmpdir, 0700, getuid(), 0); |
358 | selinux_relabel_path(pamtmpdir, pamtmpdir); | 350 | selinux_relabel_path(pamtmpdir, pamtmpdir); |
359 | fs_logger2("mkdir", pamtmpdir); | 351 | fs_logger2("mkdir", pamtmpdir); |
352 | EUID_USER(); | ||
360 | } | 353 | } |
361 | free(pamtmpdir); | 354 | free(pamtmpdir); |
362 | } | 355 | } |
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
374 | } | 367 | } |
375 | 368 | ||
376 | // user home directory | 369 | // user home directory |
377 | if (tmpfs_home) { | 370 | if (tmpfs_home) |
378 | EUID_USER(); | ||
379 | fs_private(); // checks owner if outside /home | 371 | fs_private(); // checks owner if outside /home |
380 | EUID_ROOT(); | ||
381 | } | ||
382 | 372 | ||
383 | // /run/user/$UID directory | 373 | // /run/user/$UID directory |
384 | if (tmpfs_runuser) { | 374 | if (tmpfs_runuser) { |
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) { | |||
402 | // keep track of whitelist top level directories by adding them to an array | 392 | // keep track of whitelist top level directories by adding them to an array |
403 | // open each directory | 393 | // open each directory |
404 | static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | 394 | static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { |
395 | EUID_ASSERT(); | ||
405 | assert(dir && path); | 396 | assert(dir && path); |
406 | 397 | ||
407 | // /proc and /sys are not allowed | 398 | // /proc and /sys are not allowed |
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) { | |||
516 | } | 507 | } |
517 | 508 | ||
518 | void fs_whitelist(void) { | 509 | void fs_whitelist(void) { |
510 | EUID_ASSERT(); | ||
511 | |||
519 | ProfileEntry *entry = cfg.profile; | 512 | ProfileEntry *entry = cfg.profile; |
520 | if (!entry) | 513 | if (!entry) |
521 | return; | 514 | return; |
@@ -536,7 +529,6 @@ void fs_whitelist(void) { | |||
536 | errExit("calloc"); | 529 | errExit("calloc"); |
537 | 530 | ||
538 | // verify whitelist files, extract symbolic links, etc. | 531 | // verify whitelist files, extract symbolic links, etc. |
539 | EUID_USER(); | ||
540 | while (entry) { | 532 | while (entry) { |
541 | int nowhitelist_flag = 0; | 533 | int nowhitelist_flag = 0; |
542 | 534 | ||
@@ -630,7 +622,7 @@ void fs_whitelist(void) { | |||
630 | if (!fname) { | 622 | if (!fname) { |
631 | if (arg_debug || arg_debug_whitelists) { | 623 | if (arg_debug || arg_debug_whitelists) { |
632 | printf("Removed path: %s\n", entry->data); | 624 | printf("Removed path: %s\n", entry->data); |
633 | printf("\texpanded: %s\n", new_name); | 625 | printf("\tnew_name: %s\n", new_name); |
634 | printf("\trealpath: (null)\n"); | 626 | printf("\trealpath: (null)\n"); |
635 | printf("\t%s\n", strerror(errno)); | 627 | printf("\t%s\n", strerror(errno)); |
636 | } | 628 | } |
@@ -712,7 +704,6 @@ void fs_whitelist(void) { | |||
712 | free(nowhitelist); | 704 | free(nowhitelist); |
713 | 705 | ||
714 | // mount tmpfs on all top level directories | 706 | // mount tmpfs on all top level directories |
715 | EUID_ROOT(); | ||
716 | tmpfs_topdirs(topdirs); | 707 | tmpfs_topdirs(topdirs); |
717 | 708 | ||
718 | // go through profile rules again, and interpret whitelist commands | 709 | // go through profile rules again, and interpret whitelist commands |
diff --git a/src/firejail/ids.c b/src/firejail/ids.c index 59acdb1fe..a9ff59be4 100644 --- a/src/firejail/ids.c +++ b/src/firejail/ids.c | |||
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) { | |||
86 | fprintf(stderr, "Error: unrecognized IDS command\n"); | 86 | fprintf(stderr, "Error: unrecognized IDS command\n"); |
87 | 87 | ||
88 | exit(0); | 88 | exit(0); |
89 | } \ No newline at end of file | 89 | } |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 394bbb528..0e76fd944 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -45,7 +45,7 @@ static unsigned display = 0; | |||
45 | static void signal_handler(int sig){ | 45 | static void signal_handler(int sig){ |
46 | flush_stdin(); | 46 | flush_stdin(); |
47 | 47 | ||
48 | exit(sig); | 48 | exit(128 + sig); |
49 | } | 49 | } |
50 | 50 | ||
51 | static void install_handler(void) { | 51 | static void install_handler(void) { |
@@ -431,7 +431,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
431 | 431 | ||
432 | // set cgroup | 432 | // set cgroup |
433 | if (cfg.cgroup) // not available for uid 0 | 433 | if (cfg.cgroup) // not available for uid 0 |
434 | set_cgroup(cfg.cgroup); | 434 | set_cgroup(cfg.cgroup, getpid()); |
435 | 435 | ||
436 | // join namespaces | 436 | // join namespaces |
437 | if (arg_join_network) { | 437 | if (arg_join_network) { |
@@ -536,7 +536,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
536 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | 536 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); |
537 | 537 | ||
538 | #ifdef HAVE_APPARMOR | 538 | #ifdef HAVE_APPARMOR |
539 | // add apparmor confinement after the execve | ||
540 | set_apparmor(); | 539 | set_apparmor(); |
541 | #endif | 540 | #endif |
542 | 541 | ||
@@ -552,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
552 | if (cfg.cpus) // not available for uid 0 | 551 | if (cfg.cpus) // not available for uid 0 |
553 | set_cpu_affinity(); | 552 | set_cpu_affinity(); |
554 | 553 | ||
555 | // set nice value | ||
556 | if (arg_nice) | ||
557 | set_nice(cfg.nice); | ||
558 | |||
559 | // add x11 display | 554 | // add x11 display |
560 | if (display) { | 555 | if (display) { |
561 | char *display_str; | 556 | char *display_str; |
@@ -574,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
574 | dbus_set_system_bus_env(); | 569 | dbus_set_system_bus_env(); |
575 | #endif | 570 | #endif |
576 | 571 | ||
572 | // set nice and rlimits | ||
573 | if (arg_nice) | ||
574 | set_nice(cfg.nice); | ||
575 | set_rlimits(); | ||
576 | |||
577 | start_application(0, shfd, NULL); | 577 | start_application(0, shfd, NULL); |
578 | 578 | ||
579 | __builtin_unreachable(); | 579 | __builtin_unreachable(); |
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
596 | 596 | ||
597 | // end of signal-safe code | 597 | // end of signal-safe code |
598 | //***************************** | 598 | //***************************** |
599 | flush_stdin(); | ||
600 | 599 | ||
601 | if (WIFEXITED(status)) { | 600 | if (WIFEXITED(status)) { |
601 | // if we had a proper exit, return that exit status | ||
602 | status = WEXITSTATUS(status); | 602 | status = WEXITSTATUS(status); |
603 | } else if (WIFSIGNALED(status)) { | 603 | } else if (WIFSIGNALED(status)) { |
604 | status = WTERMSIG(status); | 604 | // distinguish fatal signals by adding 128 |
605 | status = 128 + WTERMSIG(status); | ||
605 | } else { | 606 | } else { |
606 | status = 0; | 607 | status = -1; |
607 | } | 608 | } |
608 | 609 | ||
610 | flush_stdin(); | ||
609 | exit(status); | 611 | exit(status); |
610 | } | 612 | } |
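Review bot: The final fallback branch of join() now sets `status = -1`, which `exit()` reports to the parent as 255, while the equivalent branch in main.c in this same commit uses `myexit(1)`. Scripts that inspect the exit code therefore see two different values for the same "neither exited nor signalled" case, and `status = 1;` here would keep the two paths consistent. Separately, the `set_cgroup(cfg.cgroup, getpid())` call earlier in join() is not preceded by `check_cgroup_file()` as it is in main.c and profile.c. Whether cfg.cgroup has already been validated by that point is not visible in these hunks, so it is worth confirming. join() starts outside the hunks shown.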
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 70985ba9e..53e918dde 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
305 | } | 305 | } |
306 | // create destination file if necessary | 306 | // create destination file if necessary |
307 | EUID_ASSERT(); | 307 | EUID_ASSERT(); |
308 | int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); | 308 | int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR); |
309 | if (fd == -1) { | 309 | if (fd == -1) { |
310 | fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); | 310 | fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); |
311 | exit(1); | 311 | exit(1); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index e0bf44f62..c5b3d5739 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -32,7 +32,8 @@ | |||
32 | #include <dirent.h> | 32 | #include <dirent.h> |
33 | #include <pwd.h> | 33 | #include <pwd.h> |
34 | #include <errno.h> | 34 | #include <errno.h> |
35 | //#include <limits.h> | 35 | |
36 | #include <limits.h> | ||
36 | #include <sys/file.h> | 37 | #include <sys/file.h> |
37 | #include <sys/prctl.h> | 38 | #include <sys/prctl.h> |
38 | #include <signal.h> | 39 | #include <signal.h> |
@@ -189,13 +190,15 @@ static void my_handler(int s) { | |||
189 | logsignal(s); | 190 | logsignal(s); |
190 | 191 | ||
191 | if (waitpid(child, NULL, WNOHANG) == 0) { | 192 | if (waitpid(child, NULL, WNOHANG) == 0) { |
192 | if (has_handler(child, s)) // signals are not delivered if there is no handler yet | 193 | // child is pid 1 of a pid namespace: |
194 | // signals are not delivered if there is no handler yet | ||
195 | if (has_handler(child, s)) | ||
193 | kill(child, s); | 196 | kill(child, s); |
194 | else | 197 | else |
195 | kill(child, SIGKILL); | 198 | kill(child, SIGKILL); |
196 | waitpid(child, NULL, 0); | 199 | waitpid(child, NULL, 0); |
197 | } | 200 | } |
198 | myexit(s); | 201 | myexit(128 + s); |
199 | } | 202 | } |
200 | 203 | ||
201 | static void install_handler(void) { | 204 | static void install_handler(void) { |
@@ -1263,9 +1266,9 @@ int main(int argc, char **argv, char **envp) { | |||
1263 | arg_debug = 1; | 1266 | arg_debug = 1; |
1264 | arg_quiet = 0; | 1267 | arg_quiet = 0; |
1265 | } | 1268 | } |
1266 | else if (strcmp(argv[i], "--debug-deny") == 0) | 1269 | else if (strcmp(argv[i], "--debug-blacklists") == 0) |
1267 | arg_debug_blacklists = 1; | 1270 | arg_debug_blacklists = 1; |
1268 | else if (strcmp(argv[i], "--debug-allow") == 0) | 1271 | else if (strcmp(argv[i], "--debug-whitelists") == 0) |
1269 | arg_debug_whitelists = 1; | 1272 | arg_debug_whitelists = 1; |
1270 | else if (strcmp(argv[i], "--debug-private-lib") == 0) | 1273 | else if (strcmp(argv[i], "--debug-private-lib") == 0) |
1271 | arg_debug_private_lib = 1; | 1274 | arg_debug_private_lib = 1; |
@@ -1526,15 +1529,16 @@ int main(int argc, char **argv, char **envp) { | |||
1526 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | 1529 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { |
1527 | if (checkcfg(CFG_CGROUP)) { | 1530 | if (checkcfg(CFG_CGROUP)) { |
1528 | if (option_cgroup) { | 1531 | if (option_cgroup) { |
1529 | fprintf(stderr, "Error: only a cgroup can be defined\n"); | 1532 | fprintf(stderr, "Error: only one cgroup can be defined\n"); |
1530 | exit(1); | 1533 | exit(1); |
1531 | } | 1534 | } |
1532 | |||
1533 | option_cgroup = 1; | ||
1534 | cfg.cgroup = strdup(argv[i] + 9); | 1535 | cfg.cgroup = strdup(argv[i] + 9); |
1535 | if (!cfg.cgroup) | 1536 | if (!cfg.cgroup) |
1536 | errExit("strdup"); | 1537 | errExit("strdup"); |
1537 | set_cgroup(cfg.cgroup); | 1538 | |
1539 | check_cgroup_file(cfg.cgroup); | ||
1540 | set_cgroup(cfg.cgroup, getpid()); | ||
1541 | option_cgroup = 1; | ||
1538 | } | 1542 | } |
1539 | else | 1543 | else |
1540 | exit_err_feature("cgroup"); | 1544 | exit_err_feature("cgroup"); |
@@ -3216,10 +3220,11 @@ printf("link #%s#\n", prf->link); | |||
3216 | if (WIFEXITED(status)){ | 3220 | if (WIFEXITED(status)){ |
3217 | myexit(WEXITSTATUS(status)); | 3221 | myexit(WEXITSTATUS(status)); |
3218 | } else if (WIFSIGNALED(status)) { | 3222 | } else if (WIFSIGNALED(status)) { |
3219 | myexit(WTERMSIG(status)); | 3223 | // distinguish fatal signals by adding 128 |
3224 | myexit(128 + WTERMSIG(status)); | ||
3220 | } else { | 3225 | } else { |
3221 | myexit(0); | 3226 | myexit(1); |
3222 | } | 3227 | } |
3223 | 3228 | ||
3224 | return 0; | 3229 | return 1; |
3225 | } | 3230 | } |
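Review bot: The `--cgroup=` branch in main() has no comment explaining why `check_cgroup_file(cfg.cgroup)` must run before `set_cgroup(cfg.cgroup, getpid())`, so a later reorder or a new call site could silently drop the validation. The path comes straight from argv, so I would add `// validate the user-supplied cgroup path before set_cgroup() acts on it` above the check. The definition of check_cgroup_file is not in this section, so what it enforces should be documented at the function itself. main() starts outside these hunks.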
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 64a94bd84..ee437e10b 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
@@ -19,6 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include <errno.h> | ||
22 | 23 | ||
23 | #include <fcntl.h> | 24 | #include <fcntl.h> |
24 | #ifndef O_PATH | 25 | #ifndef O_PATH |
@@ -32,43 +33,38 @@ static MountData mdata; | |||
32 | 33 | ||
33 | 34 | ||
34 | // Convert octal escape sequence to decimal value | 35 | // Convert octal escape sequence to decimal value |
35 | static int read_oct(const char *path) { | 36 | static unsigned read_oct(char *s) { |
36 | int dec = 0; | 37 | assert(s[0] == '\\'); |
37 | int digit, i; | 38 | s++; |
38 | // there are always exactly three octal digits | 39 | |
39 | for (i = 1; i < 4; i++) { | 40 | int i; |
40 | digit = *(path + i); | 41 | for (i = 0; i < 3; i++) |
41 | if (digit < '0' || digit > '7') { | 42 | assert(s[i] >= '0' && s[i] <= '7'); |
42 | fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); | 43 | |
43 | exit(1); | 44 | return ((s[0] - '0') << 6 | |
44 | } | 45 | (s[1] - '0') << 3 | |
45 | dec = (dec << 3) + (digit - '0'); | 46 | (s[2] - '0') << 0); |
46 | } | ||
47 | return dec; | ||
48 | } | 47 | } |
49 | 48 | ||
50 | // Restore empty spaces in pathnames extracted from /proc/self/mountinfo | 49 | // Restore empty spaces in pathnames extracted from /proc/self/mountinfo |
51 | static void unmangle_path(char *path) { | 50 | static void unmangle_path(char *path) { |
52 | char *p = strchr(path, '\\'); | 51 | char *r = strchr(path, '\\'); |
53 | if (p && read_oct(p) == ' ') { | 52 | if (!r) |
54 | *p = ' '; | 53 | return; |
55 | int i = 3; | 54 | |
56 | do { | 55 | char *w = r; |
57 | p++; | 56 | do { |
58 | if (*(p + i) == '\\' && read_oct(p + i) == ' ') { | 57 | while (*r == '\\') { |
59 | *p = ' '; | 58 | *w++ = read_oct(r); |
60 | i += 3; | 59 | r += 4; |
61 | } | 60 | } |
62 | else | 61 | *w++ = *r; |
63 | *p = *(p + i); | 62 | } while (*r++); |
64 | } while (*p); | ||
65 | } | ||
66 | } | 63 | } |
67 | 64 | ||
68 | // Parse a line from /proc/self/mountinfo, | 65 | // Parse a line from /proc/self/mountinfo, |
69 | // the function does an exit(1) if anything goes wrong. | 66 | // the function does an exit(1) if anything goes wrong. |
70 | static void parse_line(char *line, MountData *output) { | 67 | static void parse_line(char *line, MountData *output) { |
71 | assert(line && output); | ||
72 | memset(output, 0, sizeof(*output)); | 68 | memset(output, 0, sizeof(*output)); |
73 | // extract mount id, filesystem name, directory and filesystem types | 69 | // extract mount id, filesystem name, directory and filesystem types |
74 | // examples: | 70 | // examples: |
@@ -86,8 +82,6 @@ static void parse_line(char *line, MountData *output) { | |||
86 | char *ptr = strtok(line, " "); | 82 | char *ptr = strtok(line, " "); |
87 | if (!ptr) | 83 | if (!ptr) |
88 | goto errexit; | 84 | goto errexit; |
89 | if (ptr != line) | ||
90 | goto errexit; | ||
91 | output->mountid = atoi(ptr); | 85 | output->mountid = atoi(ptr); |
92 | int cnt = 1; | 86 | int cnt = 1; |
93 | 87 | ||
@@ -108,10 +102,9 @@ static void parse_line(char *line, MountData *output) { | |||
108 | ptr = strtok(NULL, " "); | 102 | ptr = strtok(NULL, " "); |
109 | if (!ptr) | 103 | if (!ptr) |
110 | goto errexit; | 104 | goto errexit; |
111 | output->fstype = ptr++; | 105 | output->fstype = ptr; |
112 | |||
113 | 106 | ||
114 | if (output->mountid == 0 || | 107 | if (output->mountid < 0 || |
115 | output->fsname == NULL || | 108 | output->fsname == NULL || |
116 | output->dir == NULL || | 109 | output->dir == NULL || |
117 | output->fstype == NULL) | 110 | output->fstype == NULL) |
@@ -151,111 +144,117 @@ MountData *get_last_mount(void) { | |||
151 | return &mdata; | 144 | return &mdata; |
152 | } | 145 | } |
153 | 146 | ||
154 | // Extract the mount id from /proc/self/fdinfo and return it. | 147 | // Returns mount id, or -1 if fd refers to a procfs or sysfs file |
155 | int get_mount_id(const char *path) { | 148 | static int get_mount_id_from_handle(int fd) { |
156 | EUID_ASSERT(); | 149 | EUID_ASSERT(); |
157 | assert(path); | ||
158 | 150 | ||
159 | int fd = open(path, O_PATH|O_CLOEXEC); | 151 | char *proc; |
160 | if (fd == -1) | 152 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
161 | return -1; | 153 | errExit("asprintf"); |
154 | struct file_handle *fh = malloc(sizeof *fh); | ||
155 | if (!fh) | ||
156 | errExit("malloc"); | ||
157 | fh->handle_bytes = 0; | ||
158 | |||
159 | int rv = -1; | ||
160 | int tmp; | ||
161 | if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) { | ||
162 | fprintf(stderr, "Error: unexpected result from name_to_handle_at\n"); | ||
163 | exit(1); | ||
164 | } | ||
165 | if (errno == EOVERFLOW && fh->handle_bytes) | ||
166 | rv = tmp; | ||
167 | |||
168 | free(proc); | ||
169 | free(fh); | ||
170 | return rv; | ||
171 | } | ||
172 | |||
173 | // Returns mount id, or -1 on kernels < 3.15 | ||
174 | static int get_mount_id_from_fdinfo(int fd) { | ||
175 | EUID_ASSERT(); | ||
176 | int rv = -1; | ||
162 | 177 | ||
163 | char *fdinfo; | 178 | char *proc; |
164 | if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) | 179 | if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1) |
165 | errExit("asprintf"); | 180 | errExit("asprintf"); |
166 | EUID_ROOT(); | 181 | EUID_ROOT(); |
167 | FILE *fp = fopen(fdinfo, "re"); | 182 | FILE *fp = fopen(proc, "re"); |
168 | EUID_USER(); | 183 | EUID_USER(); |
169 | free(fdinfo); | ||
170 | if (!fp) | 184 | if (!fp) |
171 | goto errexit; | 185 | goto errexit; |
172 | 186 | ||
173 | // read the file | ||
174 | char buf[MAX_BUF]; | 187 | char buf[MAX_BUF]; |
175 | if (fgets(buf, MAX_BUF, fp) == NULL) | 188 | while (fgets(buf, MAX_BUF, fp)) { |
176 | goto errexit; | ||
177 | do { | ||
178 | if (strncmp(buf, "mnt_id:", 7) == 0) { | 189 | if (strncmp(buf, "mnt_id:", 7) == 0) { |
179 | char *ptr = buf + 7; | 190 | if (sscanf(buf + 7, "%d", &rv) == 1) |
180 | while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { | 191 | break; |
181 | ptr++; | 192 | goto errexit; |
182 | } | ||
183 | if (*ptr == '\0') | ||
184 | goto errexit; | ||
185 | fclose(fp); | ||
186 | close(fd); | ||
187 | return atoi(ptr); | ||
188 | } | 193 | } |
189 | } while (fgets(buf, MAX_BUF, fp)); | 194 | } |
190 | 195 | ||
191 | // fallback, kernels older than 3.15 don't expose the mount id in this place | 196 | free(proc); |
192 | fclose(fp); | 197 | fclose(fp); |
193 | close(fd); | 198 | return rv; |
194 | return -2; | ||
195 | 199 | ||
196 | errexit: | 200 | errexit: |
197 | fprintf(stderr, "Error: cannot read proc file\n"); | 201 | fprintf(stderr, "Error: cannot read proc file\n"); |
198 | exit(1); | 202 | exit(1); |
199 | } | 203 | } |
200 | 204 | ||
205 | int get_mount_id(int fd) { | ||
206 | int rv = get_mount_id_from_fdinfo(fd); | ||
207 | if (rv < 0) | ||
208 | rv = get_mount_id_from_handle(fd); | ||
209 | return rv; | ||
210 | } | ||
211 | |||
201 | // Check /proc/self/mountinfo if path contains any mounts points. | 212 | // Check /proc/self/mountinfo if path contains any mounts points. |
202 | // Returns an array that can be iterated over for recursive remounting. | 213 | // Returns an array that can be iterated over for recursive remounting. |
203 | char **build_mount_array(const int mount_id, const char *path) { | 214 | char **build_mount_array(const int mountid, const char *path) { |
204 | assert(path); | 215 | assert(path); |
205 | 216 | ||
206 | // open /proc/self/mountinfo | ||
207 | FILE *fp = fopen("/proc/self/mountinfo", "re"); | 217 | FILE *fp = fopen("/proc/self/mountinfo", "re"); |
208 | if (!fp) { | 218 | if (!fp) { |
209 | fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); | 219 | fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); |
210 | exit(1); | 220 | exit(1); |
211 | } | 221 | } |
212 | 222 | ||
213 | // array to be returned | 223 | // try to find line with mount id |
214 | size_t cnt = 0; | 224 | int found = 0; |
225 | MountData mntp; | ||
226 | char line[MAX_BUF]; | ||
227 | while (fgets(line, MAX_BUF, fp)) { | ||
228 | parse_line(line, &mntp); | ||
229 | if (mntp.mountid == mountid) { | ||
230 | found = 1; | ||
231 | break; | ||
232 | } | ||
233 | } | ||
234 | |||
235 | if (!found) { | ||
236 | fclose(fp); | ||
237 | return NULL; | ||
238 | } | ||
239 | |||
240 | // allocate array | ||
215 | size_t size = 32; | 241 | size_t size = 32; |
216 | char **rv = malloc(size * sizeof(*rv)); | 242 | char **rv = malloc(size * sizeof(*rv)); |
217 | if (!rv) | 243 | if (!rv) |
218 | errExit("malloc"); | 244 | errExit("malloc"); |
219 | 245 | ||
220 | // read /proc/self/mountinfo | 246 | // add directory itself |
221 | size_t pathlen = strlen(path); | 247 | size_t cnt = 0; |
222 | char buf[MAX_BUF]; | 248 | rv[cnt] = strdup(path); |
223 | MountData mntp; | 249 | if (rv[cnt] == NULL) |
224 | int found = 0; | 250 | errExit("strdup"); |
225 | 251 | ||
226 | if (fgets(buf, MAX_BUF, fp) == NULL) { | 252 | // and add all following mountpoints contained in this directory |
227 | fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n"); | 253 | size_t pathlen = strlen(path); |
228 | exit(1); | 254 | while (fgets(line, MAX_BUF, fp)) { |
229 | } | 255 | parse_line(line, &mntp); |
230 | do { | 256 | if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') { |
231 | parse_line(buf, &mntp); | 257 | if (++cnt == size) { |
232 | // find mount point with mount id | ||
233 | if (!found) { | ||
234 | if (mntp.mountid == mount_id) { | ||
235 | // give up if mount id has been reassigned, | ||
236 | // don't remount blacklisted path | ||
237 | if (strncmp(mntp.dir, path, strlen(mntp.dir)) || | ||
238 | strstr(mntp.fsname, "firejail.ro.dir") || | ||
239 | strstr(mntp.fsname, "firejail.ro.file")) | ||
240 | break; | ||
241 | |||
242 | rv[cnt] = strdup(path); | ||
243 | if (rv[cnt] == NULL) | ||
244 | errExit("strdup"); | ||
245 | cnt++; | ||
246 | found = 1; | ||
247 | continue; | ||
248 | } | ||
249 | continue; | ||
250 | } | ||
251 | // from here on add all mount points below path, | ||
252 | // don't remount blacklisted paths | ||
253 | if (strncmp(mntp.dir, path, pathlen) == 0 && | ||
254 | mntp.dir[pathlen] == '/' && | ||
255 | strstr(mntp.fsname, "firejail.ro.dir") == NULL && | ||
256 | strstr(mntp.fsname, "firejail.ro.file") == NULL) { | ||
257 | |||
258 | if (cnt == size) { | ||
259 | size *= 2; | 258 | size *= 2; |
260 | rv = realloc(rv, size * sizeof(*rv)); | 259 | rv = realloc(rv, size * sizeof(*rv)); |
261 | if (!rv) | 260 | if (!rv) |
@@ -264,18 +263,17 @@ char **build_mount_array(const int mount_id, const char *path) { | |||
264 | rv[cnt] = strdup(mntp.dir); | 263 | rv[cnt] = strdup(mntp.dir); |
265 | if (rv[cnt] == NULL) | 264 | if (rv[cnt] == NULL) |
266 | errExit("strdup"); | 265 | errExit("strdup"); |
267 | cnt++; | ||
268 | } | 266 | } |
269 | } while (fgets(buf, MAX_BUF, fp)); | 267 | } |
268 | fclose(fp); | ||
270 | 269 | ||
271 | if (cnt == size) { | 270 | // end of array |
272 | size++; | 271 | if (++cnt == size) { |
272 | ++size; | ||
273 | rv = realloc(rv, size * sizeof(*rv)); | 273 | rv = realloc(rv, size * sizeof(*rv)); |
274 | if (!rv) | 274 | if (!rv) |
275 | errExit("realloc"); | 275 | errExit("realloc"); |
276 | } | 276 | } |
277 | rv[cnt] = NULL; // end of the array | 277 | rv[cnt] = NULL; |
278 | |||
279 | fclose(fp); | ||
280 | return rv; | 278 | return rv; |
281 | } | 279 | } |
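Review bot: The new read_oct() validates its input only with `assert()`, replacing the old runtime check that printed an error and called `exit(1)`. If the build ever defines NDEBUG, a malformed or truncated escape is no longer rejected, and the `r += 4` in unmangle_path() can then step past the string terminator and read and write out of bounds. I would keep the compact return expression but restore an unconditional check, as sketched below. Separately, build_mount_array() no longer skips mounts whose fsname contains `firejail.ro.dir` or `firejail.ro.file`, nor checks that the matched mount's dir is a prefix of `path`. Presumably the caller now enforces both, but that is not visible in this section and should be confirmed.

```c
static unsigned read_oct(char *s) {
	// runtime validation: assert() is compiled out under NDEBUG
	if (s[0] != '\\')
		goto errexit;
	s++;

	int i;
	for (i = 0; i < 3; i++) {
		if (s[i] < '0' || s[i] > '7')
			goto errexit;
	}

	// … unchanged: return of the three shifted octal digits …

errexit:
	fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
	exit(1);
}
```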
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index b7c7185a6..9d92b6199 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -175,6 +175,10 @@ static int check_allow_drm(void) { | |||
175 | return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; | 175 | return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; |
176 | } | 176 | } |
177 | 177 | ||
178 | static int check_allow_tray(void) { | ||
179 | return checkcfg(CFG_ALLOW_TRAY) != 0; | ||
180 | } | ||
181 | |||
178 | Cond conditionals[] = { | 182 | Cond conditionals[] = { |
179 | {"HAS_APPIMAGE", check_appimage}, | 183 | {"HAS_APPIMAGE", check_appimage}, |
180 | {"HAS_NET", check_netoptions}, | 184 | {"HAS_NET", check_netoptions}, |
@@ -184,6 +188,7 @@ Cond conditionals[] = { | |||
184 | {"HAS_X11", check_x11}, | 188 | {"HAS_X11", check_x11}, |
185 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, | 189 | {"BROWSER_DISABLE_U2F", check_disable_u2f}, |
186 | {"BROWSER_ALLOW_DRM", check_allow_drm}, | 190 | {"BROWSER_ALLOW_DRM", check_allow_drm}, |
191 | {"ALLOW_TRAY", check_allow_tray}, | ||
187 | { NULL, NULL } | 192 | { NULL, NULL } |
188 | }; | 193 | }; |
189 | 194 | ||
@@ -630,7 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
630 | #endif | 635 | #endif |
631 | return 0; | 636 | return 0; |
632 | } | 637 | } |
633 | else if (strncmp(ptr, "netns ", 6) == 0) { | 638 | else if (strncmp(ptr, "netns ", 6) == 0) { |
634 | #ifdef HAVE_NETWORK | 639 | #ifdef HAVE_NETWORK |
635 | if (checkcfg(CFG_NETWORK)) { | 640 | if (checkcfg(CFG_NETWORK)) { |
636 | arg_netns = ptr + 6; | 641 | arg_netns = ptr + 6; |
@@ -981,10 +986,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
981 | warning_feature_disabled("seccomp"); | 986 | warning_feature_disabled("seccomp"); |
982 | return 0; | 987 | return 0; |
983 | } | 988 | } |
984 | if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { | 989 | if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) { |
985 | if (checkcfg(CFG_SECCOMP)) { | 990 | if (checkcfg(CFG_SECCOMP)) { |
986 | arg_seccomp32 = 1; | 991 | arg_seccomp32 = 1; |
987 | cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); | 992 | cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16); |
988 | } | 993 | } |
989 | else | 994 | else |
990 | warning_feature_disabled("seccomp"); | 995 | warning_feature_disabled("seccomp"); |
@@ -1001,10 +1006,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1001 | warning_feature_disabled("seccomp"); | 1006 | warning_feature_disabled("seccomp"); |
1002 | return 0; | 1007 | return 0; |
1003 | } | 1008 | } |
1004 | if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { | 1009 | if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) { |
1005 | if (checkcfg(CFG_SECCOMP)) { | 1010 | if (checkcfg(CFG_SECCOMP)) { |
1006 | arg_seccomp32 = 1; | 1011 | arg_seccomp32 = 1; |
1007 | cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); | 1012 | cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16); |
1008 | } | 1013 | } |
1009 | else | 1014 | else |
1010 | warning_feature_disabled("seccomp"); | 1015 | warning_feature_disabled("seccomp"); |
@@ -1124,8 +1129,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1124 | 1129 | ||
1125 | // cgroup | 1130 | // cgroup |
1126 | if (strncmp(ptr, "cgroup ", 7) == 0) { | 1131 | if (strncmp(ptr, "cgroup ", 7) == 0) { |
1127 | if (checkcfg(CFG_CGROUP)) | 1132 | if (checkcfg(CFG_CGROUP)) { |
1128 | set_cgroup(ptr + 7); | 1133 | cfg.cgroup = strdup(ptr + 7); |
1134 | if (!cfg.cgroup) | ||
1135 | errExit("strdup"); | ||
1136 | |||
1137 | check_cgroup_file(cfg.cgroup); | ||
1138 | set_cgroup(cfg.cgroup, getpid()); | ||
1139 | } | ||
1129 | else | 1140 | else |
1130 | warning_feature_disabled("cgroup"); | 1141 | warning_feature_disabled("cgroup"); |
1131 | return 0; | 1142 | return 0; |
@@ -1938,7 +1949,7 @@ char *profile_list_compress(char *list) | |||
1938 | /* Include non-empty item */ | 1949 | /* Include non-empty item */ |
1939 | if (!*item) | 1950 | if (!*item) |
1940 | in[i] = 0; | 1951 | in[i] = 0; |
1941 | /* Remove all allready included items */ | 1952 | /* Remove all already included items */ |
1942 | for (k = 0; k < i; ++k) | 1953 | for (k = 0; k < i; ++k) |
1943 | in[k] = 0; | 1954 | in[k] = 0; |
1944 | break; | 1955 | break; |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 6f17231a4..59077dada 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -21,7 +21,6 @@ | |||
21 | #include "../include/firejail_user.h" | 21 | #include "../include/firejail_user.h" |
22 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <linux/limits.h> | ||
25 | #include <fnmatch.h> | 24 | #include <fnmatch.h> |
26 | #include <glob.h> | 25 | #include <glob.h> |
27 | #include <dirent.h> | 26 | #include <dirent.h> |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 59ddfb855..d66b6c573 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){ | |||
87 | 87 | ||
88 | // broadcast a SIGKILL | 88 | // broadcast a SIGKILL |
89 | kill(-1, SIGKILL); | 89 | kill(-1, SIGKILL); |
90 | flush_stdin(); | ||
91 | 90 | ||
92 | exit(sig); | 91 | flush_stdin(); |
92 | exit(128 + sig); | ||
93 | } | 93 | } |
94 | 94 | ||
95 | static void install_handler(void) { | 95 | static void install_handler(void) { |
@@ -204,7 +204,7 @@ static void save_umask(void) { | |||
204 | } | 204 | } |
205 | 205 | ||
206 | static char *create_join_file(void) { | 206 | static char *create_join_file(void) { |
207 | int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 207 | int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
208 | if (fd == -1) | 208 | if (fd == -1) |
209 | errExit("open"); | 209 | errExit("open"); |
210 | if (ftruncate(fd, 1) == -1) | 210 | if (ftruncate(fd, 1) == -1) |
@@ -798,7 +798,7 @@ int sandbox(void* sandbox_arg) { | |||
798 | 798 | ||
799 | // trace pre-install | 799 | // trace pre-install |
800 | if (need_preload) | 800 | if (need_preload) |
801 | fs_trace_preload(); | 801 | fs_trace_touch_or_store_preload(); |
802 | 802 | ||
803 | // store hosts file | 803 | // store hosts file |
804 | if (cfg.hosts_file) | 804 | if (cfg.hosts_file) |
@@ -814,8 +814,11 @@ int sandbox(void* sandbox_arg) { | |||
814 | //**************************** | 814 | //**************************** |
815 | // trace pre-install, this time inside chroot | 815 | // trace pre-install, this time inside chroot |
816 | //**************************** | 816 | //**************************** |
817 | if (need_preload) | 817 | if (need_preload) { |
818 | fs_trace_preload(); | 818 | int rv = unlink(RUN_LDPRELOAD_FILE); |
819 | (void) rv; | ||
820 | fs_trace_touch_or_store_preload(); | ||
821 | } | ||
819 | } | 822 | } |
820 | else | 823 | else |
821 | #endif | 824 | #endif |
@@ -992,7 +995,7 @@ int sandbox(void* sandbox_arg) { | |||
992 | 995 | ||
993 | // create /etc/ld.so.preload file again | 996 | // create /etc/ld.so.preload file again |
994 | if (need_preload) | 997 | if (need_preload) |
995 | fs_trace_preload(); | 998 | fs_trace_touch_preload(); |
996 | 999 | ||
997 | // openSUSE configuration is split between /etc and /usr/etc | 1000 | // openSUSE configuration is split between /etc and /usr/etc |
998 | // process private-etc a second time | 1001 | // process private-etc a second time |
@@ -1004,10 +1007,12 @@ int sandbox(void* sandbox_arg) { | |||
1004 | // apply the profile file | 1007 | // apply the profile file |
1005 | //**************************** | 1008 | //**************************** |
1006 | // apply all whitelist commands ... | 1009 | // apply all whitelist commands ... |
1010 | EUID_USER(); | ||
1007 | fs_whitelist(); | 1011 | fs_whitelist(); |
1008 | 1012 | ||
1009 | // ... followed by blacklist commands | 1013 | // ... followed by blacklist commands |
1010 | fs_blacklist(); // mkdir and mkfile are processed all over again | 1014 | fs_blacklist(); // mkdir and mkfile are processed all over again |
1015 | EUID_ROOT(); | ||
1011 | 1016 | ||
1012 | //**************************** | 1017 | //**************************** |
1013 | // nosound/no3d/notv/novideo and fix for pulseaudio 7.0 | 1018 | // nosound/no3d/notv/novideo and fix for pulseaudio 7.0 |
@@ -1243,7 +1248,6 @@ int sandbox(void* sandbox_arg) { | |||
1243 | 1248 | ||
1244 | if (app_pid == 0) { | 1249 | if (app_pid == 0) { |
1245 | #ifdef HAVE_APPARMOR | 1250 | #ifdef HAVE_APPARMOR |
1246 | // add apparmor confinement after the execve | ||
1247 | set_apparmor(); | 1251 | set_apparmor(); |
1248 | #endif | 1252 | #endif |
1249 | 1253 | ||
@@ -1258,13 +1262,17 @@ int sandbox(void* sandbox_arg) { | |||
1258 | munmap(set_sandbox_status, 1); | 1262 | munmap(set_sandbox_status, 1); |
1259 | 1263 | ||
1260 | int status = monitor_application(app_pid); // monitor application | 1264 | int status = monitor_application(app_pid); // monitor application |
1261 | flush_stdin(); | ||
1262 | 1265 | ||
1263 | if (WIFEXITED(status)) { | 1266 | if (WIFEXITED(status)) { |
1264 | // if we had a proper exit, return that exit status | 1267 | // if we had a proper exit, return that exit status |
1265 | return WEXITSTATUS(status); | 1268 | status = WEXITSTATUS(status); |
1269 | } else if (WIFSIGNALED(status)) { | ||
1270 | // distinguish fatal signals by adding 128 | ||
1271 | status = 128 + WTERMSIG(status); | ||
1266 | } else { | 1272 | } else { |
1267 | // something else went wrong! | 1273 | status = -1; |
1268 | return -1; | ||
1269 | } | 1274 | } |
1275 | |||
1276 | flush_stdin(); | ||
1277 | return status; | ||
1270 | } | 1278 | } |
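Review bot: In the chroot branch of `sandbox()` (new lines 817–821) the result of `unlink(RUN_LDPRELOAD_FILE)` is stored in `rv` and then discarded, so a failure other than the file being absent goes unnoticed. `fs_trace_touch_or_store_preload()` then runs with whatever was stored before the chroot still in place. That helper's body is not visible here, but if it skips or reuses an existing file, the pre-chroot preload contents would carry over into the chroot. I would fail closed with `if (unlink(RUN_LDPRELOAD_FILE) == -1 && errno != ENOENT) errExit("unlink");`, assuming `<errno.h>` is already included in sandbox.c. `sandbox()` starts and ends outside this hunk.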
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 6969e7a3d..fa59882ed 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include <sys/types.h> | 22 | #include <sys/types.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | #include <errno.h> | ||
24 | 25 | ||
25 | #include <fcntl.h> | 26 | #include <fcntl.h> |
26 | #ifndef O_PATH | 27 | #ifndef O_PATH |
@@ -57,7 +58,17 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
57 | 58 | ||
58 | /* Open the file as O_PATH, to pin it while we determine and adjust the label | 59 | /* Open the file as O_PATH, to pin it while we determine and adjust the label |
59 | * Defeat symlink races by not allowing symbolic links */ | 60 | * Defeat symlink races by not allowing symbolic links */ |
61 | int called_as_root = 0; | ||
62 | if (geteuid() == 0) | ||
63 | called_as_root = 1; | ||
64 | if (called_as_root) | ||
65 | EUID_USER(); | ||
66 | |||
60 | fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | 67 | fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); |
68 | |||
69 | if (called_as_root) | ||
70 | EUID_ROOT(); | ||
71 | |||
61 | if (fd < 0) | 72 | if (fd < 0) |
62 | return; | 73 | return; |
63 | if (fstat(fd, &st) < 0) | 74 | if (fstat(fd, &st) < 0) |
@@ -68,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
68 | if (arg_debug) | 79 | if (arg_debug) |
69 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); | 80 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); |
70 | 81 | ||
71 | setfilecon_raw(procfs_path, fcon); | 82 | if (!called_as_root) |
83 | EUID_ROOT(); | ||
84 | |||
85 | if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) | ||
86 | printf("Cannot relabel %s: %s\n", path, strerror(errno)); | ||
87 | |||
88 | if (!called_as_root) | ||
89 | EUID_USER(); | ||
72 | } | 90 | } |
91 | |||
73 | freecon(fcon); | 92 | freecon(fcon); |
74 | close: | 93 | close: |
75 | close(fd); | 94 | close(fd); |
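Review bot: The comment "Open the file as O_PATH, to pin it ..." in `selinux_relabel_path()` now sits above the `called_as_root` bookkeeping instead of the `safer_openat()` call it describes. Nothing explains why the open runs with the user's euid while `setfilecon_raw()` runs as root. I would move the euid switch above that comment and document both halves, e.g. `/* open with the user's euid so only paths the user can reach get pinned */` before `EUID_USER()` (if that is the intent) and `/* relabeling needs root; it acts on procfs_path, not on path */` before the second `EUID_ROOT()`. The flag also reads more directly as `int called_as_root = (geteuid() == 0);`. The function body starts outside both hunks, so what `procfs_path` refers to is not visible here and the second comment should be checked against it.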
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d843c74ae..43f862b9d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -28,7 +28,6 @@ static char *usage_str = | |||
28 | "\n" | 28 | "\n" |
29 | "Options:\n" | 29 | "Options:\n" |
30 | " -- - signal the end of options and disables further option processing.\n" | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | " --allow=filename - allow file system access.\n" | ||
32 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
33 | " --allusers - all user home directories are visible inside the sandbox.\n" | 32 | " --allusers - all user home directories are visible inside the sandbox.\n" |
34 | " --apparmor - enable AppArmor confinement.\n" | 33 | " --apparmor - enable AppArmor confinement.\n" |
@@ -39,12 +38,13 @@ static char *usage_str = | |||
39 | #endif | 38 | #endif |
40 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" | 39 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
41 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" | 40 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
42 | " --build - build a profile for the application.\n" | 41 | " --blacklist=filename - blacklist directory or file.\n" |
43 | " --build=filename - build a profile for the application.\n" | 42 | " --build - build a whitelisted profile for the application.\n" |
43 | " --build=filename - build a whitelisted profile for the application.\n" | ||
44 | " --caps - enable default Linux capabilities filter.\n" | 44 | " --caps - enable default Linux capabilities filter.\n" |
45 | " --caps.drop=all - drop all capabilities.\n" | 45 | " --caps.drop=all - drop all capabilities.\n" |
46 | " --caps.drop=capability,capability - drop capabilities.\n" | 46 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" |
47 | " --caps.keep=capability,capability - allow capabilities.\n" | 47 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" |
48 | " --caps.print=name|pid - print the caps filter.\n" | 48 | " --caps.print=name|pid - print the caps filter.\n" |
49 | #ifdef HAVE_FILE_TRANSFER | 49 | #ifdef HAVE_FILE_TRANSFER |
50 | " --cat=name|pid filename - print content of file from sandbox container.\n" | 50 | " --cat=name|pid filename - print content of file from sandbox container.\n" |
@@ -75,18 +75,17 @@ static char *usage_str = | |||
75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 75 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
76 | #endif | 76 | #endif |
77 | " --debug - print sandbox debug messages.\n" | 77 | " --debug - print sandbox debug messages.\n" |
78 | " --debug-allow - debug file system access.\n" | 78 | " --debug-blacklists - debug blacklisting.\n" |
79 | " --debug-deny - debug file system access.\n" | ||
80 | " --debug-caps - print all recognized capabilities.\n" | 79 | " --debug-caps - print all recognized capabilities.\n" |
81 | " --debug-errnos - print all recognized error numbers.\n" | 80 | " --debug-errnos - print all recognized error numbers.\n" |
82 | " --debug-private-lib - debug for --private-lib option.\n" | 81 | " --debug-private-lib - debug for --private-lib option.\n" |
83 | " --debug-protocols - print all recognized protocols.\n" | 82 | " --debug-protocols - print all recognized protocols.\n" |
84 | " --debug-syscalls - print all recognized system calls.\n" | 83 | " --debug-syscalls - print all recognized system calls.\n" |
85 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" | 84 | " --debug-syscalls32 - print all recognized 32 bit system calls.\n" |
85 | " --debug-whitelists - debug whitelisting.\n" | ||
86 | #ifdef HAVE_NETWORK | 86 | #ifdef HAVE_NETWORK |
87 | " --defaultgw=address - configure default gateway.\n" | 87 | " --defaultgw=address - configure default gateway.\n" |
88 | #endif | 88 | #endif |
89 | " --deny=filename - deny access to directory or file.\n" | ||
90 | " --deterministic-exit-code - always exit with first child's status code.\n" | 89 | " --deterministic-exit-code - always exit with first child's status code.\n" |
91 | " --dns=address - set DNS server.\n" | 90 | " --dns=address - set DNS server.\n" |
92 | " --dns.print=name|pid - print DNS configuration.\n" | 91 | " --dns.print=name|pid - print DNS configuration.\n" |
@@ -147,14 +146,13 @@ static char *usage_str = | |||
147 | " --netfilter6=filename - enable IPv6 firewall.\n" | 146 | " --netfilter6=filename - enable IPv6 firewall.\n" |
148 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" | 147 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" |
149 | " --netmask=address - define a network mask when dealing with unconfigured\n" | 148 | " --netmask=address - define a network mask when dealing with unconfigured\n" |
150 | "\tparrent interfaces.\n" | 149 | "\tparent interfaces.\n" |
151 | " --netns=name - Run the program in a named, persistent network namespace.\n" | 150 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
152 | " --netstats - monitor network statistics.\n" | 151 | " --netstats - monitor network statistics.\n" |
153 | #endif | 152 | #endif |
154 | " --nice=value - set nice value.\n" | 153 | " --nice=value - set nice value.\n" |
155 | " --no3d - disable 3D hardware acceleration.\n" | 154 | " --no3d - disable 3D hardware acceleration.\n" |
156 | " --noallow=filename - disable allow command for file or directory.\n" | 155 | " --noblacklist=filename - disable blacklist for file or directory.\n" |
157 | " --nodeny=filename - disable deny command for file or directory.\n" | ||
158 | " --nodbus - disable D-Bus access.\n" | 156 | " --nodbus - disable D-Bus access.\n" |
159 | " --nodvd - disable DVD and audio CD devices.\n" | 157 | " --nodvd - disable DVD and audio CD devices.\n" |
160 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" | 158 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
@@ -169,6 +167,7 @@ static char *usage_str = | |||
169 | " --noautopulse - disable automatic ~/.config/pulse init.\n" | 167 | " --noautopulse - disable automatic ~/.config/pulse init.\n" |
170 | " --novideo - disable video devices.\n" | 168 | " --novideo - disable video devices.\n" |
171 | " --nou2f - disable U2F devices.\n" | 169 | " --nou2f - disable U2F devices.\n" |
170 | " --nowhitelist=filename - disable whitelist for file or directory.\n" | ||
172 | #ifdef HAVE_OUTPUT | 171 | #ifdef HAVE_OUTPUT |
173 | " --output=logfile - stdout logging and log rotation.\n" | 172 | " --output=logfile - stdout logging and log rotation.\n" |
174 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" | 173 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
@@ -225,14 +224,14 @@ static char *usage_str = | |||
225 | #ifdef HAVE_NETWORK | 224 | #ifdef HAVE_NETWORK |
226 | " --scan - ARP-scan all the networks from inside a network namespace.\n" | 225 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
227 | #endif | 226 | #endif |
228 | " --seccomp - enable seccomp filter and drop the default syscalls.\n" | 227 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" |
229 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n" | 228 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" |
230 | "\tdefault syscall list and the syscalls specified by the command.\n" | 229 | "\tdefault syscall list and the syscalls specified by the command.\n" |
231 | " --seccomp.block-secondary - build only the native architecture filters.\n" | 230 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
232 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" | 231 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
233 | "\tdrop the syscalls specified by the command.\n" | 232 | "\tblacklist the syscalls specified by the command.\n" |
234 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" | 233 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
235 | "\tallow the syscalls specified by the command.\n" | 234 | "\twhitelist the syscalls specified by the command.\n" |
236 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 235 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
237 | "\tidentified by name or PID.\n" | 236 | "\tidentified by name or PID.\n" |
238 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 237 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
@@ -247,7 +246,7 @@ static char *usage_str = | |||
247 | " --top - monitor the most CPU-intensive sandboxes.\n" | 246 | " --top - monitor the most CPU-intensive sandboxes.\n" |
248 | " --trace - trace open, access and connect system calls.\n" | 247 | " --trace - trace open, access and connect system calls.\n" |
249 | " --tracelog - add a syslog message for every access to files or\n" | 248 | " --tracelog - add a syslog message for every access to files or\n" |
250 | "\tdirectories dropped by the security profile.\n" | 249 | "\tdirectories blacklisted by the security profile.\n" |
251 | " --tree - print a tree of all sandboxed processes.\n" | 250 | " --tree - print a tree of all sandboxed processes.\n" |
252 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" | 251 | " --tunnel[=devname] - connect the sandbox to a tunnel created by\n" |
253 | "\tfiretunnel utility.\n" | 252 | "\tfiretunnel utility.\n" |
@@ -255,6 +254,7 @@ static char *usage_str = | |||
255 | #ifdef HAVE_NETWORK | 254 | #ifdef HAVE_NETWORK |
256 | " --veth-name=name - use this name for the interface connected to the bridge.\n" | 255 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
257 | #endif | 256 | #endif |
257 | " --whitelist=filename - whitelist directory or file.\n" | ||
258 | " --writable-etc - /etc directory is mounted read-write.\n" | 258 | " --writable-etc - /etc directory is mounted read-write.\n" |
259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" | 259 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
260 | "\t/run/user/$UID/gnupg.\n" | 260 | "\t/run/user/$UID/gnupg.\n" |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 094a68c60..55dcdc246 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -20,8 +20,6 @@ | |||
20 | #define _XOPEN_SOURCE 500 | 20 | #define _XOPEN_SOURCE 500 |
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include "../include/gcov_wrapper.h" | 22 | #include "../include/gcov_wrapper.h" |
23 | #include <ftw.h> | ||
24 | #include <sys/stat.h> | ||
25 | #include <sys/mount.h> | 23 | #include <sys/mount.h> |
26 | #include <syslog.h> | 24 | #include <syslog.h> |
27 | #include <errno.h> | 25 | #include <errno.h> |
@@ -32,9 +30,6 @@ | |||
32 | #include <sys/wait.h> | 30 | #include <sys/wait.h> |
33 | #include <limits.h> | 31 | #include <limits.h> |
34 | 32 | ||
35 | #include <string.h> | ||
36 | #include <ctype.h> | ||
37 | |||
38 | #include <fcntl.h> | 33 | #include <fcntl.h> |
39 | #ifndef O_PATH | 34 | #ifndef O_PATH |
40 | #define O_PATH 010000000 | 35 | #define O_PATH 010000000 |
@@ -459,31 +454,21 @@ int is_dir(const char *fname) { | |||
459 | if (*fname == '\0') | 454 | if (*fname == '\0') |
460 | return 0; | 455 | return 0; |
461 | 456 | ||
462 | int called_as_root = 0; | ||
463 | if (geteuid() == 0) | ||
464 | called_as_root = 1; | ||
465 | |||
466 | if (called_as_root) | ||
467 | EUID_USER(); | ||
468 | |||
469 | // if fname doesn't end in '/', add one | 457 | // if fname doesn't end in '/', add one |
470 | int rv; | 458 | int rv; |
471 | struct stat s; | 459 | struct stat s; |
472 | if (fname[strlen(fname) - 1] == '/') | 460 | if (fname[strlen(fname) - 1] == '/') |
473 | rv = stat(fname, &s); | 461 | rv = stat_as_user(fname, &s); |
474 | else { | 462 | else { |
475 | char *tmp; | 463 | char *tmp; |
476 | if (asprintf(&tmp, "%s/", fname) == -1) { | 464 | if (asprintf(&tmp, "%s/", fname) == -1) { |
477 | fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); | 465 | fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); |
478 | errExit("asprintf"); | 466 | errExit("asprintf"); |
479 | } | 467 | } |
480 | rv = stat(tmp, &s); | 468 | rv = stat_as_user(tmp, &s); |
481 | free(tmp); | 469 | free(tmp); |
482 | } | 470 | } |
483 | 471 | ||
484 | if (called_as_root) | ||
485 | EUID_ROOT(); | ||
486 | |||
487 | if (rv == -1) | 472 | if (rv == -1) |
488 | return 0; | 473 | return 0; |
489 | 474 | ||
@@ -499,13 +484,6 @@ int is_link(const char *fname) { | |||
499 | if (*fname == '\0') | 484 | if (*fname == '\0') |
500 | return 0; | 485 | return 0; |
501 | 486 | ||
502 | int called_as_root = 0; | ||
503 | if (geteuid() == 0) | ||
504 | called_as_root = 1; | ||
505 | |||
506 | if (called_as_root) | ||
507 | EUID_USER(); | ||
508 | |||
509 | // remove trailing '/' if any | 487 | // remove trailing '/' if any |
510 | char *tmp = strdup(fname); | 488 | char *tmp = strdup(fname); |
511 | if (!tmp) | 489 | if (!tmp) |
@@ -513,12 +491,9 @@ int is_link(const char *fname) { | |||
513 | trim_trailing_slash_or_dot(tmp); | 491 | trim_trailing_slash_or_dot(tmp); |
514 | 492 | ||
515 | char c; | 493 | char c; |
516 | ssize_t rv = readlink(tmp, &c, 1); | 494 | ssize_t rv = readlink_as_user(tmp, &c, 1); |
517 | free(tmp); | 495 | free(tmp); |
518 | 496 | ||
519 | if (called_as_root) | ||
520 | EUID_ROOT(); | ||
521 | |||
522 | return (rv != -1); | 497 | return (rv != -1); |
523 | } | 498 | } |
524 | 499 | ||
@@ -540,6 +515,24 @@ char *realpath_as_user(const char *fname) { | |||
540 | return rv; | 515 | return rv; |
541 | } | 516 | } |
542 | 517 | ||
518 | ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) { | ||
519 | assert(fname && buf && sz); | ||
520 | |||
521 | int called_as_root = 0; | ||
522 | if (geteuid() == 0) | ||
523 | called_as_root = 1; | ||
524 | |||
525 | if (called_as_root) | ||
526 | EUID_USER(); | ||
527 | |||
528 | ssize_t rv = readlink(fname, buf, sz); | ||
529 | |||
530 | if (called_as_root) | ||
531 | EUID_ROOT(); | ||
532 | |||
533 | return rv; | ||
534 | } | ||
535 | |||
543 | int stat_as_user(const char *fname, struct stat *s) { | 536 | int stat_as_user(const char *fname, struct stat *s) { |
544 | assert(fname); | 537 | assert(fname); |
545 | 538 | ||
@@ -974,12 +967,9 @@ uid_t pid_get_uid(pid_t pid) { | |||
974 | } | 967 | } |
975 | 968 | ||
976 | 969 | ||
977 | 970 | gid_t get_group_id(const char *groupname) { | |
978 | |||
979 | uid_t get_group_id(const char *group) { | ||
980 | // find tty group id | ||
981 | gid_t gid = 0; | 971 | gid_t gid = 0; |
982 | struct group *g = getgrnam(group); | 972 | struct group *g = getgrnam(groupname); |
983 | if (g) | 973 | if (g) |
984 | gid = g->gr_gid; | 974 | gid = g->gr_gid; |
985 | 975 | ||
@@ -987,86 +977,6 @@ uid_t get_group_id(const char *group) { | |||
987 | } | 977 | } |
988 | 978 | ||
989 | 979 | ||
990 | static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) { | ||
991 | (void) sb; | ||
992 | (void) typeflag; | ||
993 | (void) ftwbuf; | ||
994 | assert(fpath); | ||
995 | |||
996 | if (strcmp(fpath, ".") == 0) | ||
997 | return 0; | ||
998 | |||
999 | if (remove(fpath)) { // removes the link not the actual file | ||
1000 | perror("remove"); | ||
1001 | fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath); | ||
1002 | exit(1); | ||
1003 | } | ||
1004 | |||
1005 | return 0; | ||
1006 | } | ||
1007 | |||
1008 | |||
1009 | int remove_overlay_directory(void) { | ||
1010 | EUID_ASSERT(); | ||
1011 | sleep(1); | ||
1012 | |||
1013 | char *path; | ||
1014 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) | ||
1015 | errExit("asprintf"); | ||
1016 | |||
1017 | if (access(path, F_OK) == 0) { | ||
1018 | pid_t child = fork(); | ||
1019 | if (child < 0) | ||
1020 | errExit("fork"); | ||
1021 | if (child == 0) { | ||
1022 | // open ~/.firejail | ||
1023 | int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); | ||
1024 | if (fd == -1) { | ||
1025 | fprintf(stderr, "Error: cannot open %s\n", path); | ||
1026 | exit(1); | ||
1027 | } | ||
1028 | struct stat s; | ||
1029 | if (fstat(fd, &s) == -1) | ||
1030 | errExit("fstat"); | ||
1031 | if (!S_ISDIR(s.st_mode)) { | ||
1032 | if (S_ISLNK(s.st_mode)) | ||
1033 | fprintf(stderr, "Error: %s is a symbolic link\n", path); | ||
1034 | else | ||
1035 | fprintf(stderr, "Error: %s is not a directory\n", path); | ||
1036 | exit(1); | ||
1037 | } | ||
1038 | if (s.st_uid != getuid()) { | ||
1039 | fprintf(stderr, "Error: %s is not owned by the current user\n", path); | ||
1040 | exit(1); | ||
1041 | } | ||
1042 | // chdir to ~/.firejail | ||
1043 | if (fchdir(fd) == -1) | ||
1044 | errExit("fchdir"); | ||
1045 | close(fd); | ||
1046 | |||
1047 | EUID_ROOT(); | ||
1048 | // FTW_PHYS - do not follow symbolic links | ||
1049 | if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1) | ||
1050 | errExit("nftw"); | ||
1051 | |||
1052 | EUID_USER(); | ||
1053 | // remove ~/.firejail | ||
1054 | if (rmdir(path) == -1) | ||
1055 | errExit("rmdir"); | ||
1056 | |||
1057 | __gcov_flush(); | ||
1058 | |||
1059 | _exit(0); | ||
1060 | } | ||
1061 | // wait for the child to finish | ||
1062 | waitpid(child, NULL, 0); | ||
1063 | // check if ~/.firejail was deleted | ||
1064 | if (access(path, F_OK) == 0) | ||
1065 | return 1; | ||
1066 | } | ||
1067 | return 0; | ||
1068 | } | ||
1069 | |||
1070 | // flush stdin if it is connected to a tty and has input | 980 | // flush stdin if it is connected to a tty and has input |
1071 | void flush_stdin(void) { | 981 | void flush_stdin(void) { |
1072 | if (!isatty(STDIN_FILENO)) | 982 | if (!isatty(STDIN_FILENO)) |
@@ -1095,31 +1005,33 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
1095 | assert(dir); | 1005 | assert(dir); |
1096 | mode &= 07777; | 1006 | mode &= 07777; |
1097 | 1007 | ||
1098 | if (access(dir, F_OK) != 0) { | 1008 | if (access(dir, F_OK) == 0) |
1009 | return 0; | ||
1010 | |||
1011 | pid_t child = fork(); | ||
1012 | if (child < 0) | ||
1013 | errExit("fork"); | ||
1014 | if (child == 0) { | ||
1015 | // drop privileges | ||
1016 | drop_privs(0); | ||
1017 | |||
1099 | if (arg_debug) | 1018 | if (arg_debug) |
1100 | printf("Creating empty %s directory\n", dir); | 1019 | printf("Creating empty %s directory\n", dir); |
1101 | pid_t child = fork(); | 1020 | if (mkdir(dir, mode) == 0) { |
1102 | if (child < 0) | 1021 | int err = chmod(dir, mode); |
1103 | errExit("fork"); | 1022 | (void) err; |
1104 | if (child == 0) { | 1023 | } |
1105 | // drop privileges | 1024 | else if (arg_debug) |
1106 | drop_privs(0); | 1025 | printf("Directory %s not created: %s\n", dir, strerror(errno)); |
1107 | |||
1108 | if (mkdir(dir, mode) == 0) { | ||
1109 | int err = chmod(dir, mode); | ||
1110 | (void) err; | ||
1111 | } | ||
1112 | else if (arg_debug) | ||
1113 | printf("Directory %s not created: %s\n", dir, strerror(errno)); | ||
1114 | 1026 | ||
1115 | __gcov_flush(); | 1027 | __gcov_flush(); |
1116 | 1028 | ||
1117 | _exit(0); | 1029 | _exit(0); |
1118 | } | ||
1119 | waitpid(child, NULL, 0); | ||
1120 | if (access(dir, F_OK) == 0) | ||
1121 | return 1; | ||
1122 | } | 1030 | } |
1031 | waitpid(child, NULL, 0); | ||
1032 | |||
1033 | if (access(dir, F_OK) == 0) | ||
1034 | return 1; | ||
1123 | return 0; | 1035 | return 0; |
1124 | } | 1036 | } |
1125 | 1037 | ||
@@ -1509,7 +1421,7 @@ static int has_link(const char *dir) { | |||
1509 | void check_homedir(const char *dir) { | 1421 | void check_homedir(const char *dir) { |
1510 | assert(dir); | 1422 | assert(dir); |
1511 | if (dir[0] != '/') { | 1423 | if (dir[0] != '/') { |
1512 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); | 1424 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir); |
1513 | exit(1); | 1425 | exit(1); |
1514 | } | 1426 | } |
1515 | // symlinks are rejected in many places | 1427 | // symlinks are rejected in many places |
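Review bot: The new `readlink_as_user()` (new lines 518–534) has no comment stating its contract, and it inherits two properties of readlink(2) that callers easily get wrong: the buffer is not NUL-terminated, and a return value equal to `sz` means the target may have been truncated. I would add above it `// readlink(2) run with the user's euid when called as root; buf is NOT NUL-terminated, rv == sz means possible truncation`. The `assert(fname && buf && sz)` disappears in an NDEBUG build, so the comment should also say that `sz` must be non-zero. The only caller in this diff, `is_link()`, passes a one-byte buffer and looks at nothing but `rv != -1`, so it is fine as written.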
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h index be3104da3..3f8c89bfb 100644 --- a/src/jailcheck/jailcheck.h +++ b/src/jailcheck/jailcheck.h | |||
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid); | |||
61 | int find_child(pid_t pid); | 61 | int find_child(pid_t pid); |
62 | pid_t switch_to_child(pid_t pid); | 62 | pid_t switch_to_child(pid_t pid); |
63 | 63 | ||
64 | #endif \ No newline at end of file | 64 | #endif |
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index 7f994d6a1..be18ac109 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -110,4 +110,4 @@ void noexec_test(const char *path) { | |||
110 | wait(&status); | 110 | wait(&status); |
111 | int rv = unlink(fname); | 111 | int rv = unlink(fname); |
112 | (void) rv; | 112 | (void) rv; |
113 | } \ No newline at end of file | 113 | } |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index d88512b0a..319902ff7 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -18,12 +18,12 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #define _GNU_SOURCE | 20 | #define _GNU_SOURCE |
21 | #include <errno.h> | ||
21 | #include <stdio.h> | 22 | #include <stdio.h> |
22 | #include <stdlib.h> | 23 | #include <stdlib.h> |
23 | #include <string.h> | 24 | #include <string.h> |
24 | #include <dlfcn.h> | 25 | #include <dlfcn.h> |
25 | #include <sys/types.h> | 26 | #include <sys/types.h> |
26 | #include <limits.h> | ||
27 | #include <unistd.h> | 27 | #include <unistd.h> |
28 | #include <sys/socket.h> | 28 | #include <sys/socket.h> |
29 | #include <netinet/in.h> | 29 | #include <netinet/in.h> |
@@ -706,10 +706,14 @@ __attribute__((constructor)) | |||
706 | static void log_exec(int argc, char** argv) { | 706 | static void log_exec(int argc, char** argv) { |
707 | (void) argc; | 707 | (void) argc; |
708 | (void) argv; | 708 | (void) argv; |
709 | static char buf[PATH_MAX + 1]; | 709 | char *buf = realpath("/proc/self/exe", NULL); |
710 | int rv = readlink("/proc/self/exe", buf, PATH_MAX); | 710 | if (buf == NULL) { |
711 | if (rv != -1) { | 711 | if (errno == ENOMEM) { |
712 | buf[rv] = '\0'; // readlink does not add a '\0' at the end | 712 | tprintf(ftty, "realpath: %s\n", strerror(errno)); |
713 | exit(1); | ||
714 | } | ||
715 | } else { | ||
713 | tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); | 716 | tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf); |
717 | free(buf); | ||
714 | } | 718 | } |
715 | } | 719 | } |
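Review bot: In `log_exec()` a `realpath()` failure other than ENOMEM falls through without writing anything, so the exec record for that process is silently missing from the trace. Unlike the `readlink()` it replaces, `realpath()` has to walk the target path, so it can fail where the link itself is readable, for instance when a path component is not accessible to the process. That makes the silent case more likely than before. I would report every failure and keep the hard exit for ENOMEM only: `int err = errno;` `tprintf(ftty, "realpath: %s\n", strerror(err));` `if (err == ENOMEM) exit(1);`. Whether terminating the traced program from a library constructor is wanted at all deserves a second look.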
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6280026e6..a1eccaa5e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director | |||
78 | Several command line options can be passed to the program using | 78 | Several command line options can be passed to the program using |
79 | profile files. Firejail chooses the profile file as follows: | 79 | profile files. Firejail chooses the profile file as follows: |
80 | 80 | ||
81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. | 81 | \fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. |
82 | Example: | 82 | Example: |
83 | .PP | 83 | .PP |
84 | .RS | 84 | .RS |
@@ -156,7 +156,7 @@ Scripting commands: | |||
156 | \fBFile and directory names | 156 | \fBFile and directory names |
157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. | 157 | File and directory names containing spaces are supported. The space character ' ' should not be escaped. |
158 | 158 | ||
159 | Example: "deny ~/My Virtual Machines" | 159 | Example: "blacklist ~/My Virtual Machines" |
160 | 160 | ||
161 | .TP | 161 | .TP |
162 | \fB# this is a comment | 162 | \fB# this is a comment |
@@ -170,11 +170,11 @@ net none # this command creates an empty network namespace | |||
170 | \fB?CONDITIONAL: profile line | 170 | \fB?CONDITIONAL: profile line |
171 | Conditionally add profile line. | 171 | Conditionally add profile line. |
172 | 172 | ||
173 | Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir" | 173 | Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" |
174 | 174 | ||
175 | This example will load the profile line only if the \-\-appimage option has been specified on the command line. | 175 | This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. |
176 | 176 | ||
177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM | 177 | Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM |
178 | can be enabled or disabled globally in Firejail's configuration file. | 178 | can be enabled or disabled globally in Firejail's configuration file. |
179 | 179 | ||
180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files | |||
205 | are included at the start of regular profile files. | 205 | are included at the start of regular profile files. |
206 | 206 | ||
207 | .TP | 207 | .TP |
208 | \fBnoallow file_name | 208 | \fBnoblacklist file_name |
209 | If the file name matches file_name, the file will not be allowed in any allow commands that follow. | 209 | If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow. |
210 | 210 | ||
211 | Example: "nowhitelist ~/.config" | 211 | Example: "noblacklist ${HOME}/.mozilla" |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBnodeny file_name | 214 | \fBnowhitelist file_name |
215 | If the file name matches file_name, the file will not be denied any deny commands that follow. | 215 | If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow. |
216 | 216 | ||
217 | Example: "nodeny ${HOME}/.mozilla" | 217 | Example: "nowhitelist ~/.config" |
218 | 218 | ||
219 | .TP | 219 | .TP |
220 | \fBignore | 220 | \fBignore |
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect | |||
242 | for more details. | 242 | for more details. |
243 | Examples: | 243 | Examples: |
244 | .TP | 244 | .TP |
245 | \fBallow file_or_directory | 245 | \fBblacklist file_or_directory |
246 | Allow directory or file. A temporary file system is mounted on the top directory, and the | 246 | Blacklist directory or file. Examples: |
247 | allowed files are mount-binded inside. Modifications to allowd files are persistent, | ||
248 | everything else is discarded when the sandbox is closed. The top directory can be | ||
249 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
250 | all directories in /usr. | ||
251 | .br | 247 | .br |
252 | 248 | ||
253 | .br | 249 | .br |
254 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | 250 | blacklist /usr/bin |
255 | the same top directory. For user home, both the link and the real file should be owned by the user. | 251 | .br |
252 | blacklist /usr/bin/gcc* | ||
253 | .br | ||
254 | blacklist ${PATH}/ifconfig | ||
255 | .br | ||
256 | blacklist ${HOME}/.ssh | ||
257 | |||
256 | .TP | 258 | .TP |
257 | \fBblacklist-nolog file_or_directory | 259 | \fBblacklist-nolog file_or_directory |
258 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. | 260 | When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. |
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
271 | \fBbind file1,file2 | 273 | \fBbind file1,file2 |
272 | Mount-bind file1 on top of file2. This option is only available when running as root. | 274 | Mount-bind file1 on top of file2. This option is only available when running as root. |
273 | .TP | 275 | .TP |
274 | \fBdeny file_or_directory | ||
275 | Deny access to directory or file. Examples: | ||
276 | .br | ||
277 | |||
278 | .br | ||
279 | deny /usr/bin | ||
280 | .br | ||
281 | deny /usr/bin/gcc* | ||
282 | .br | ||
283 | deny ${PATH}/ifconfig | ||
284 | .br | ||
285 | deny ${HOME}/.ssh | ||
286 | |||
287 | .TP | ||
288 | \fBdisable-mnt | 276 | \fBdisable-mnt |
289 | Disable /mnt, /media, /run/mount and /run/media access. | 277 | Disable /mnt, /media, /run/mount and /run/media access. |
290 | .TP | 278 | .TP |
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist. | |||
304 | .br | 292 | .br |
305 | 293 | ||
306 | .br | 294 | .br |
307 | Use this command for allowed directories you need to preserve | 295 | Use this command for whitelisted directories you need to preserve |
308 | when the sandbox is closed. Without it, the application will create the directory, and the directory | 296 | when the sandbox is closed. Without it, the application will create the directory, and the directory |
309 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from | 297 | will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from |
310 | firefox profile: | 298 | firefox profile: |
@@ -317,7 +305,7 @@ whitelist ~/.mozilla | |||
317 | .br | 305 | .br |
318 | mkdir ~/.cache/mozilla/firefox | 306 | mkdir ~/.cache/mozilla/firefox |
319 | .br | 307 | .br |
320 | allow ~/.cache/mozilla/firefox | 308 | whitelist ~/.cache/mozilla/firefox |
321 | .br | 309 | .br |
322 | 310 | ||
323 | .br | 311 | .br |
@@ -336,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid. | |||
336 | #ifdef HAVE_OVERLAYFS | 324 | #ifdef HAVE_OVERLAYFS |
337 | .TP | 325 | .TP |
338 | \fBoverlay | 326 | \fBoverlay |
339 | Mount a filesystem overlay on top of the current filesystem. | 327 | Mount a filesystem overlay on top of the current filesystem. |
340 | The overlay is stored in $HOME/.firejail/<PID> directory. | 328 | The overlay is stored in $HOME/.firejail/<PID> directory. |
341 | .TP | 329 | .TP |
342 | \fBoverlay-named name | 330 | \fBoverlay-named name |
343 | Mount a filesystem overlay on top of the current filesystem. | 331 | Mount a filesystem overlay on top of the current filesystem. |
344 | The overlay is stored in $HOME/.firejail/name directory. | 332 | The overlay is stored in $HOME/.firejail/name directory. |
345 | .TP | 333 | .TP |
346 | \fBoverlay-tmpfs | 334 | \fBoverlay-tmpfs |
347 | Mount a filesystem overlay on top of the current filesystem. | 335 | Mount a filesystem overlay on top of the current filesystem. |
348 | All filesystem modifications are discarded when the sandbox is closed. | 336 | All filesystem modifications are discarded when the sandbox is closed. |
349 | #endif | 337 | #endif |
350 | .TP | 338 | .TP |
351 | \fBprivate | 339 | \fBprivate |
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed). | |||
423 | All modifications are discarded when the sandbox is closed. | 411 | All modifications are discarded when the sandbox is closed. |
424 | .TP | 412 | .TP |
425 | \fBprivate-tmp | 413 | \fBprivate-tmp |
426 | Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix. | 414 | Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. |
427 | .TP | 415 | .TP |
428 | \fBread-only file_or_directory | 416 | \fBread-only file_or_directory |
429 | Make directory or file read-only. | 417 | Make directory or file read-only. |
@@ -435,13 +423,25 @@ Make directory or file read-write. | |||
435 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. | 423 | Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. |
436 | .TP | 424 | .TP |
437 | \fBtracelog | 425 | \fBtracelog |
438 | File system deny violations logged to syslog. | 426 | Blacklist violations logged to syslog. |
427 | .TP | ||
428 | \fBwhitelist file_or_directory | ||
429 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
430 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
431 | everything else is discarded when the sandbox is closed. The top directory can be | ||
432 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
433 | all directories in /usr. | ||
434 | .br | ||
435 | |||
436 | .br | ||
437 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
438 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
439 | .TP | 439 | .TP |
440 | \fBwritable-etc | 440 | \fBwritable-etc |
441 | Mount /etc directory read-write. | 441 | Mount /etc directory read-write. |
442 | .TP | 442 | .TP |
443 | \fBwritable-run-user | 443 | \fBwritable-run-user |
444 | Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg. | 444 | Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg. |
445 | .TP | 445 | .TP |
446 | \fBwritable-var | 446 | \fBwritable-var |
447 | Mount /var directory read-write. | 447 | Mount /var directory read-write. |
@@ -455,7 +455,7 @@ The following security filters are currently implemented: | |||
455 | 455 | ||
456 | .TP | 456 | .TP |
457 | \fBallow-debuggers | 457 | \fBallow-debuggers |
458 | Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv. | 458 | Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. |
459 | #ifdef HAVE_APPARMOR | 459 | #ifdef HAVE_APPARMOR |
460 | .TP | 460 | .TP |
461 | \fBapparmor | 461 | \fBapparmor |
@@ -466,13 +466,13 @@ Enable AppArmor confinement. | |||
466 | Enable default Linux capabilities filter. | 466 | Enable default Linux capabilities filter. |
467 | .TP | 467 | .TP |
468 | \fBcaps.drop capability,capability,capability | 468 | \fBcaps.drop capability,capability,capability |
469 | Deny given Linux capabilities. | 469 | Blacklist given Linux capabilities. |
470 | .TP | 470 | .TP |
471 | \fBcaps.drop all | 471 | \fBcaps.drop all |
472 | Deny all Linux capabilities. | 472 | Blacklist all Linux capabilities. |
473 | .TP | 473 | .TP |
474 | \fBcaps.keep capability,capability,capability | 474 | \fBcaps.keep capability,capability,capability |
475 | Allow given Linux capabilities. | 475 | Whitelist given Linux capabilities. |
476 | .TP | 476 | .TP |
477 | \fBmemory-deny-write-execute | 477 | \fBmemory-deny-write-execute |
478 | Install a seccomp filter to block attempts to create memory mappings | 478 | Install a seccomp filter to block attempts to create memory mappings |
@@ -487,42 +487,42 @@ does not result in an increase of privilege. | |||
487 | #ifdef HAVE_USERNS | 487 | #ifdef HAVE_USERNS |
488 | .TP | 488 | .TP |
489 | \fBnoroot | 489 | \fBnoroot |
490 | Use this command to enable an user namespace. The namespace has only one user, the current user. | 490 | Use this command to enable an user namespace. The namespace has only one user, the current user. |
491 | There is no root account (uid 0) defined in the namespace. | 491 | There is no root account (uid 0) defined in the namespace. |
492 | #endif | 492 | #endif |
493 | .TP | 493 | .TP |
494 | \fBprotocol protocol1,protocol2,protocol3 | 494 | \fBprotocol protocol1,protocol2,protocol3 |
495 | Enable protocol filter. The filter is based on seccomp and checks the | 495 | Enable protocol filter. The filter is based on seccomp and checks the |
496 | first argument to socket system call. Recognized values: \fBunix\fR, | 496 | first argument to socket system call. Recognized values: \fBunix\fR, |
497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. | 497 | \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. |
498 | .TP | 498 | .TP |
499 | \fBseccomp | 499 | \fBseccomp |
500 | Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details. | 500 | Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. |
501 | .TP | 501 | .TP |
502 | \fBseccomp.32 | 502 | \fBseccomp.32 |
503 | Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. | 503 | Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system. |
504 | .TP | 504 | .TP |
505 | \fBseccomp syscall,syscall,syscall | 505 | \fBseccomp syscall,syscall,syscall |
506 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter. | 506 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. |
507 | .TP | 507 | .TP |
508 | \fBseccomp.32 syscall,syscall,syscall | 508 | \fBseccomp.32 syscall,syscall,syscall |
509 | Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. | 509 | Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system. |
510 | .TP | 510 | .TP |
511 | \fBseccomp.block-secondary | 511 | \fBseccomp.block-secondary |
512 | Enable seccomp filter and filter system call architectures | 512 | Enable seccomp filter and filter system call architectures |
513 | so that only the native architecture is allowed. | 513 | so that only the native architecture is allowed. |
514 | .TP | 514 | .TP |
515 | \fBseccomp.drop syscall,syscall,syscall | 515 | \fBseccomp.drop syscall,syscall,syscall |
516 | Enable seccomp filter and deny the system calls in the list. | 516 | Enable seccomp filter and blacklist the system calls in the list. |
517 | .TP | 517 | .TP |
518 | \fBseccomp.32.drop syscall,syscall,syscall | 518 | \fBseccomp.32.drop syscall,syscall,syscall |
519 | Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 519 | Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
520 | .TP | 520 | .TP |
521 | \fBseccomp.keep syscall,syscall,syscall | 521 | \fBseccomp.keep syscall,syscall,syscall |
522 | Enable seccomp filter and allow the system calls in the list. | 522 | Enable seccomp filter and whitelist the system calls in the list. |
523 | .TP | 523 | .TP |
524 | \fBseccomp.32.keep syscall,syscall,syscall | 524 | \fBseccomp.32.keep syscall,syscall,syscall |
525 | Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 525 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
526 | .TP | 526 | .TP |
527 | \fBseccomp-error-action kill | log | ERRNO | 527 | \fBseccomp-error-action kill | log | ERRNO |
528 | Return a different error instead of EPERM to the process, kill it when | 528 | Return a different error instead of EPERM to the process, kill it when |
@@ -534,7 +534,7 @@ attempt. | |||
534 | Enable X11 sandboxing. | 534 | Enable X11 sandboxing. |
535 | .TP | 535 | .TP |
536 | \fBx11 none | 536 | \fBx11 none |
537 | Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. | 537 | Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. |
538 | Remove DISPLAY and XAUTHORITY environment variables. | 538 | Remove DISPLAY and XAUTHORITY environment variables. |
539 | Stop with error message if X11 abstract socket will be accessible in jail. | 539 | Stop with error message if X11 abstract socket will be accessible in jail. |
540 | .TP | 540 | .TP |
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati | |||
606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 606 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
607 | .TP | 607 | .TP |
608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | 608 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications |
609 | Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | 609 | Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. |
610 | .TP | 610 | .TP |
611 | \fBdbus-user filter | 611 | \fBdbus-user filter |
612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 612 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually. | |||
873 | 873 | ||
874 | .TP | 874 | .TP |
875 | \fBiprange address,address | 875 | \fBiprange address,address |
876 | Assign an IP address in the provided range to the last network | 876 | Assign an IP address in the provided range to the last network |
877 | interface defined by a net command. A default gateway is assigned by default. | 877 | interface defined by a net command. A default gateway is assigned by default. |
878 | .br | 878 | .br |
879 | 879 | ||
880 | .br | 880 | .br |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 498ff9aa9..e724e4bb9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb | |||
45 | #ifdef HAVE_LTS | 45 | #ifdef HAVE_LTS |
46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, | 46 | This is Firejail long-term support (LTS), an enterprise focused version of the software, |
47 | LTS is usually supported for two or three years. | 47 | LTS is usually supported for two or three years. |
48 | During this time only bugs and the occasional documentation problems are fixed. | 48 | During this time only bugs and the occasional documentation problems are fixed. |
49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. | 49 | The attack surface of the SUID executable was greatly reduced by removing some of the features. |
50 | .br | 50 | .br |
51 | 51 | ||
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
99 | \fB\-\- | 99 | \fB\-\- |
100 | Signal the end of options and disables further option processing. | 100 | Signal the end of options and disables further option processing. |
101 | .TP | 101 | .TP |
102 | \fB\-\-allow=dirname_or_filename | ||
103 | Allow access to a directory or file. A temporary file system is mounted on the top directory, and the | ||
104 | allowed files are mount-binded inside. Modifications to allowed files are persistent, | ||
105 | everything else is discarded when the sandbox is closed. The top directory can be | ||
106 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
107 | all directories in /usr. | ||
108 | .br | ||
109 | |||
110 | .br | ||
111 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
112 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
113 | .br | ||
114 | |||
115 | .br | ||
116 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
117 | .br | ||
118 | |||
119 | .br | ||
120 | Example: | ||
121 | .br | ||
122 | $ firejail \-\-noprofile \-\-allow=~/.mozilla | ||
123 | .br | ||
124 | $ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null | ||
125 | .br | ||
126 | $ firejail "\-\-allow=/home/username/My Virtual Machines" | ||
127 | .br | ||
128 | $ firejail \-\-allow=~/work* \-\-allow=/var/backups* | ||
129 | |||
130 | |||
131 | |||
132 | |||
133 | |||
134 | |||
135 | .TP | ||
136 | \fB\-\-allow-debuggers | 102 | \fB\-\-allow-debuggers |
137 | Allow tools such as strace and gdb inside the sandbox by whitelisting | 103 | Allow tools such as strace and gdb inside the sandbox by whitelisting |
138 | system calls ptrace and process_vm_readv. This option is only | 104 | system calls ptrace and process_vm_readv. This option is only |
@@ -143,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter. | |||
143 | .br | 109 | .br |
144 | Example: | 110 | Example: |
145 | .br | 111 | .br |
146 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 112 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
147 | .TP | 113 | .TP |
148 | \fB\-\-allusers | 114 | \fB\-\-allusers |
149 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 115 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
@@ -203,6 +169,21 @@ Example: | |||
203 | .br | 169 | .br |
204 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd | 170 | # firejail \-\-bind=/config/etc/passwd,/etc/passwd |
205 | .TP | 171 | .TP |
172 | \fB\-\-blacklist=dirname_or_filename | ||
173 | Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
174 | .br | ||
175 | |||
176 | .br | ||
177 | Example: | ||
178 | .br | ||
179 | $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin | ||
180 | .br | ||
181 | $ firejail \-\-blacklist=~/.mozilla | ||
182 | .br | ||
183 | $ firejail "\-\-blacklist=/home/username/My Virtual Machines" | ||
184 | .br | ||
185 | $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines | ||
186 | .TP | ||
206 | \fB\-\-build | 187 | \fB\-\-build |
207 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also | 188 | The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also |
208 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | 189 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, |
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100 | |||
262 | 243 | ||
263 | .TP | 244 | .TP |
264 | \fB\-\-caps.drop=capability,capability,capability | 245 | \fB\-\-caps.drop=capability,capability,capability |
265 | Define a custom Linux capabilities filter. | 246 | Define a custom blacklist Linux capabilities filter. |
266 | .br | 247 | .br |
267 | 248 | ||
268 | .br | 249 | .br |
@@ -309,8 +290,8 @@ $ firejail \-\-caps.print=3272 | |||
309 | Print content of file from sandbox container, see FILE TRANSFER section for more details. | 290 | Print content of file from sandbox container, see FILE TRANSFER section for more details. |
310 | #endif | 291 | #endif |
311 | .TP | 292 | .TP |
312 | \fB\-\-cgroup=tasks-file | 293 | \fB\-\-cgroup=file |
313 | Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. | 294 | Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file. |
314 | .br | 295 | .br |
315 | 296 | ||
316 | .br | 297 | .br |
@@ -329,6 +310,11 @@ regular user, nonewprivs and a default capabilities filter are enabled. | |||
329 | Example: | 310 | Example: |
330 | .br | 311 | .br |
331 | $ firejail \-\-chroot=/media/ubuntu warzone2100 | 312 | $ firejail \-\-chroot=/media/ubuntu warzone2100 |
313 | .br | ||
314 | |||
315 | .br | ||
316 | For automatic mounting of X11 and PulseAudio sockets set environment variables | ||
317 | FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE. | ||
332 | #endif | 318 | #endif |
333 | .TP | 319 | .TP |
334 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number | 320 | \fB\-\-cpu=cpu-number,cpu-number,cpu-number |
@@ -643,14 +629,14 @@ Example: | |||
643 | $ firejail \-\-debug firefox | 629 | $ firejail \-\-debug firefox |
644 | 630 | ||
645 | .TP | 631 | .TP |
646 | \fB\-\-debug-allow\fR | 632 | \fB\-\-debug-blacklists\fR |
647 | Debug file system access. | 633 | Debug blacklisting. |
648 | .br | 634 | .br |
649 | 635 | ||
650 | .br | 636 | .br |
651 | Example: | 637 | Example: |
652 | .br | 638 | .br |
653 | $ firejail \-\-debug-allow firefox | 639 | $ firejail \-\-debug-blacklists firefox |
654 | 640 | ||
655 | .TP | 641 | .TP |
656 | \fB\-\-debug-caps | 642 | \fB\-\-debug-caps |
@@ -663,16 +649,6 @@ Example: | |||
663 | $ firejail \-\-debug-caps | 649 | $ firejail \-\-debug-caps |
664 | 650 | ||
665 | .TP | 651 | .TP |
666 | \fB\-\-debug-deny\fR | ||
667 | Debug file access. | ||
668 | .br | ||
669 | |||
670 | .br | ||
671 | Example: | ||
672 | .br | ||
673 | $ firejail \-\-debug-deny firefox | ||
674 | |||
675 | .TP | ||
676 | \fB\-\-debug-errnos | 652 | \fB\-\-debug-errnos |
677 | Print all recognized error numbers in the current Firejail software build and exit. | 653 | Print all recognized error numbers in the current Firejail software build and exit. |
678 | .br | 654 | .br |
@@ -706,44 +682,33 @@ $ firejail \-\-debug-syscalls | |||
706 | \fB\-\-debug-syscalls32 | 682 | \fB\-\-debug-syscalls32 |
707 | Print all recognized 32 bit system calls in the current Firejail software build and exit. | 683 | Print all recognized 32 bit system calls in the current Firejail software build and exit. |
708 | .br | 684 | .br |
709 | |||
710 | #ifdef HAVE_NETWORK | ||
711 | .TP | 685 | .TP |
712 | \fB\-\-defaultgw=address | 686 | \fB\-\-debug-whitelists\fR |
713 | Use this address as default gateway in the new network namespace. | 687 | Debug whitelisting. |
714 | .br | 688 | .br |
715 | 689 | ||
716 | .br | 690 | .br |
717 | Example: | 691 | Example: |
718 | .br | 692 | .br |
719 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 693 | $ firejail \-\-debug-whitelists firefox |
720 | #endif | 694 | #ifdef HAVE_NETWORK |
721 | |||
722 | .TP | 695 | .TP |
723 | \fB\-\-deny=dirname_or_filename | 696 | \fB\-\-defaultgw=address |
724 | Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | 697 | Use this address as default gateway in the new network namespace. |
725 | .br | 698 | .br |
726 | 699 | ||
727 | .br | 700 | .br |
728 | Example: | 701 | Example: |
729 | .br | 702 | .br |
730 | $ firejail \-\-deny=/sbin \-\-deny=/usr/sbin | 703 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
731 | .br | 704 | #endif |
732 | $ firejail \-\-deny=~/.mozilla | ||
733 | .br | ||
734 | $ firejail "\-\-deny=/home/username/My Virtual Machines" | ||
735 | .br | ||
736 | $ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines | ||
737 | |||
738 | |||
739 | |||
740 | .TP | 705 | .TP |
741 | \fB\-\-deterministic-exit-code | 706 | \fB\-\-deterministic-exit-code |
742 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. | 707 | Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. |
743 | .br | 708 | .br |
744 | .TP | 709 | .TP |
745 | \fB\-\-disable-mnt | 710 | \fB\-\-disable-mnt |
746 | Deny access to /mnt, /media, /run/mount and /run/media. | 711 | Blacklist /mnt, /media, /run/mount and /run/media access. |
747 | .br | 712 | .br |
748 | 713 | ||
749 | .br | 714 | .br |
@@ -987,7 +952,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 | |||
987 | 952 | ||
988 | .TP | 953 | .TP |
989 | \fB\-\-ipc-namespace | 954 | \fB\-\-ipc-namespace |
990 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default | 955 | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default |
991 | for sandboxes started as root. | 956 | for sandboxes started as root. |
992 | .br | 957 | .br |
993 | 958 | ||
@@ -1054,7 +1019,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL | |||
1054 | .br | 1019 | .br |
1055 | 1020 | ||
1056 | .br | 1021 | .br |
1057 | # verify IP addresses | 1022 | # verify IP addresses |
1058 | .br | 1023 | .br |
1059 | $ sudo firejail --join-network=browser ip addr | 1024 | $ sudo firejail --join-network=browser ip addr |
1060 | .br | 1025 | .br |
@@ -1511,16 +1476,12 @@ Example: | |||
1511 | $ firejail --no3d firefox | 1476 | $ firejail --no3d firefox |
1512 | 1477 | ||
1513 | .TP | 1478 | .TP |
1514 | \fB\-\-noallow=dirname_or_filename | ||
1515 | Disable \-\-allow for this directory or file. | ||
1516 | |||
1517 | .TP | ||
1518 | \fB\-\-noautopulse \fR(deprecated) | 1479 | \fB\-\-noautopulse \fR(deprecated) |
1519 | See --keep-config-pulse. | 1480 | See --keep-config-pulse. |
1520 | 1481 | ||
1521 | .TP | 1482 | .TP |
1522 | \fB\-\-nodeny=dirname_or_filename | 1483 | \fB\-\-noblacklist=dirname_or_filename |
1523 | Disable \-\-deny for this directory or file. | 1484 | Disable blacklist for this directory or file. |
1524 | .br | 1485 | .br |
1525 | 1486 | ||
1526 | .br | 1487 | .br |
@@ -1536,7 +1497,7 @@ $ exit | |||
1536 | .br | 1497 | .br |
1537 | 1498 | ||
1538 | .br | 1499 | .br |
1539 | $ firejail --nodeny=/bin/nc | 1500 | $ firejail --noblacklist=/bin/nc |
1540 | .br | 1501 | .br |
1541 | $ nc dict.org 2628 | 1502 | $ nc dict.org 2628 |
1542 | .br | 1503 | .br |
@@ -1710,6 +1671,10 @@ $ firejail \-\-nou2f | |||
1710 | Disable video devices. | 1671 | Disable video devices. |
1711 | .br | 1672 | .br |
1712 | 1673 | ||
1674 | .TP | ||
1675 | \fB\-\-nowhitelist=dirname_or_filename | ||
1676 | Disable whitelist for this directory or file. | ||
1677 | |||
1713 | #ifdef HAVE_OUTPUT | 1678 | #ifdef HAVE_OUTPUT |
1714 | .TP | 1679 | .TP |
1715 | \fB\-\-output=logfile | 1680 | \fB\-\-output=logfile |
@@ -2174,7 +2139,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). | |||
2174 | .TP | 2139 | .TP |
2175 | \fB\-\-rlimit-cpu=number | 2140 | \fB\-\-rlimit-cpu=number |
2176 | Set the maximum limit, in seconds, for the amount of CPU time each | 2141 | Set the maximum limit, in seconds, for the amount of CPU time each |
2177 | sandboxed process can consume. When the limit is reached, the processes are killed. | 2142 | sandboxed process can consume. When the limit is reached, the processes are killed. |
2178 | 2143 | ||
2179 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds | 2144 | The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds |
2180 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps | 2145 | the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps |
@@ -2218,7 +2183,7 @@ $ firejail \-\-net=eth0 \-\-scan | |||
2218 | .TP | 2183 | .TP |
2219 | \fB\-\-seccomp | 2184 | \fB\-\-seccomp |
2220 | Enable seccomp filter and blacklist the syscalls in the default list, | 2185 | Enable seccomp filter and blacklist the syscalls in the default list, |
2221 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, | 2186 | which is @default-nodebuggers unless \-\-allow-debuggers is specified, |
2222 | then it is @default. | 2187 | then it is @default. |
2223 | 2188 | ||
2224 | .br | 2189 | .br |
@@ -2232,6 +2197,11 @@ More information about groups can be found in /usr/share/doc/firejail/syscalls.t | |||
2232 | .br | 2197 | .br |
2233 | 2198 | ||
2234 | .br | 2199 | .br |
2200 | The default list can be customized, see \-\-seccomp= for a description. | ||
2201 | It can be customized also globally in /etc/firejail/firejail.config file. | ||
2202 | .br | ||
2203 | |||
2204 | .br | ||
2235 | System architecture is strictly imposed only if flag | 2205 | System architecture is strictly imposed only if flag |
2236 | \-\-seccomp.block-secondary is used. The filter is applied at run time | 2206 | \-\-seccomp.block-secondary is used. The filter is applied at run time |
2237 | only if the correct architecture was detected. For the case of I386 | 2207 | only if the correct architecture was detected. For the case of I386 |
@@ -2246,11 +2216,7 @@ Firejail will print seccomp violations to the audit log if the kernel was compil | |||
2246 | Example: | 2216 | Example: |
2247 | .br | 2217 | .br |
2248 | $ firejail \-\-seccomp | 2218 | $ firejail \-\-seccomp |
2249 | .br | ||
2250 | 2219 | ||
2251 | .br | ||
2252 | The default list can be customized, see \-\-seccomp= for a description. It can be customized | ||
2253 | also globally in /etc/firejail/firejail.config file. | ||
2254 | 2220 | ||
2255 | .TP | 2221 | .TP |
2256 | \fB\-\-seccomp=syscall,@group,!syscall2 | 2222 | \fB\-\-seccomp=syscall,@group,!syscall2 |
@@ -2773,6 +2739,34 @@ Example: | |||
2773 | .br | 2739 | .br |
2774 | $ firejail \-\-net=br0 --veth-name=if0 | 2740 | $ firejail \-\-net=br0 --veth-name=if0 |
2775 | #endif | 2741 | #endif |
2742 | .TP | ||
2743 | \fB\-\-whitelist=dirname_or_filename | ||
2744 | Whitelist directory or file. A temporary file system is mounted on the top directory, and the | ||
2745 | whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, | ||
2746 | everything else is discarded when the sandbox is closed. The top directory can be | ||
2747 | all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and | ||
2748 | all directories in /usr. | ||
2749 | .br | ||
2750 | |||
2751 | .br | ||
2752 | Symbolic link handling: with the exception of user home, both the link and the real file should be in | ||
2753 | the same top directory. For user home, both the link and the real file should be owned by the user. | ||
2754 | .br | ||
2755 | |||
2756 | .br | ||
2757 | File globbing is supported, see \fBFILE GLOBBING\fR section for more details. | ||
2758 | .br | ||
2759 | |||
2760 | .br | ||
2761 | Example: | ||
2762 | .br | ||
2763 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla | ||
2764 | .br | ||
2765 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | ||
2766 | .br | ||
2767 | $ firejail "\-\-whitelist=/home/username/My Virtual Machines" | ||
2768 | .br | ||
2769 | $ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups* | ||
2776 | 2770 | ||
2777 | .TP | 2771 | .TP |
2778 | \fB\-\-writable-etc | 2772 | \fB\-\-writable-etc |
@@ -2877,7 +2871,7 @@ and it is installed by default on most Linux distributions. It provides support | |||
2877 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window | 2871 | connection model. Untrusted clients are restricted in certain ways to prevent them from reading window |
2878 | contents of other clients, stealing input events, etc. | 2872 | contents of other clients, stealing input events, etc. |
2879 | 2873 | ||
2880 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients | 2874 | The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients |
2881 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. | 2875 | and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. |
2882 | Firefox and transmission-gtk seem to be working fine. | 2876 | Firefox and transmission-gtk seem to be working fine. |
2883 | A network namespace is not required for this option. | 2877 | A network namespace is not required for this option. |
@@ -3268,7 +3262,7 @@ The owner of the sandbox. | |||
3268 | .SH RESTRICTED SHELL | 3262 | .SH RESTRICTED SHELL |
3269 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in | 3263 | To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in |
3270 | /etc/passwd file for each user that needs to be restricted. Alternatively, | 3264 | /etc/passwd file for each user that needs to be restricted. Alternatively, |
3271 | you can specify /usr/bin/firejail in adduser command: | 3265 | you can specify /usr/bin/firejail in adduser command: |
3272 | 3266 | ||
3273 | adduser \-\-shell /usr/bin/firejail username | 3267 | adduser \-\-shell /usr/bin/firejail username |
3274 | 3268 | ||
@@ -3278,7 +3272,7 @@ Additional arguments passed to firejail executable upon login are declared in /e | |||
3278 | Several command line options can be passed to the program using | 3272 | Several command line options can be passed to the program using |
3279 | profile files. Firejail chooses the profile file as follows: | 3273 | profile files. Firejail chooses the profile file as follows: |
3280 | 3274 | ||
3281 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. | 3275 | 1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. |
3282 | Example: | 3276 | Example: |
3283 | .PP | 3277 | .PP |
3284 | .RS | 3278 | .RS |
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 76b2f7be2..c4e6e15b3 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -56,7 +56,7 @@ Print route table for each sandbox. | |||
56 | Print seccomp configuration for each sandbox. | 56 | Print seccomp configuration for each sandbox. |
57 | .TP | 57 | .TP |
58 | \fB\-\-top | 58 | \fB\-\-top |
59 | Monitor the most CPU-intensive sandboxes. This command is similar to | 59 | Monitor the most CPU-intensive sandboxes. This command is similar to |
60 | the regular UNIX top command, however it applies only to sandboxes. | 60 | the regular UNIX top command, however it applies only to sandboxes. |
61 | .TP | 61 | .TP |
62 | \fB\-\-tree | 62 | \fB\-\-tree |
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c index 93bb3f73d..beff93199 100644 --- a/src/tools/profcleaner.c +++ b/src/tools/profcleaner.c | |||
@@ -72,4 +72,4 @@ int main(int argc, char **argv) { | |||
72 | } | 72 | } |
73 | 73 | ||
74 | return 0; | 74 | return 0; |
75 | } \ No newline at end of file | 75 | } |
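--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -218,7 +218,7 @@ _firejail_args=(
 '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
 '--netfilter6=-[enable IPv6 firewall]: :'
 '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
-'--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+'--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
 '--netns=-[Run the program in a named, persistent network namespace]: :'
 '--netstats[monitor network statistics]'
 '--interface=-[move interface in sandbox]: :'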
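--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
 
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
 
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
 ./deterministic-exit-code.exp
 
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)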
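--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Max open files 1234 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"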
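Review bot: All three `timeout` branches end in a bare `exit`, so expect terminates with status 0 and a sandbox that joins without the requested limit is reported only through the "TESTING ERROR" text; `timeout {puts "TESTING ERROR 2\n";exit 1}` (and likewise for branches 0 and 1) would make the failure visible to anything that checks the exit status. The caller in environment.sh runs `./rlimit-join.exp` without inspecting the status in the lines shown, so presumably the suite scans the output instead, which is worth confirming. The test covers only `--rlimit-nofile`; if the other `--rlimit-*` options are also meant to take effect on `--join`, a further assertion against `/proc/self/limits` would catch a regression in those. The first sandbox (`--name="rlimit testing"`) is never sent an `exit` and is left to be torn down when the script ends.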
diff --git a/test/utils/build.exp b/test/utils/build.exp index 104ac037c..b9733c137 100755 --- a/test/utils/build.exp +++ b/test/utils/build.exp | |||
@@ -13,7 +13,7 @@ after 100 | |||
13 | send -- "firejail --build cat ~/_firejail-test-file\r" | 13 | send -- "firejail --build cat ~/_firejail-test-file\r" |
14 | expect { | 14 | expect { |
15 | timeout {puts "TESTING ERROR 0\n";exit} | 15 | timeout {puts "TESTING ERROR 0\n";exit} |
16 | "allow $\{HOME\}/_firejail-test-file" | 16 | "whitelist $\{HOME\}/_firejail-test-file" |
17 | } | 17 | } |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |