-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 34 | ||||
-rw-r--r-- | RELNOTES | 5 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/QMediathekView.profile | 54 | ||||
-rw-r--r-- | etc/aria2c.profile | 45 | ||||
-rw-r--r-- | etc/authenticator.profile | 49 | ||||
-rw-r--r-- | etc/checkbashisms.profile | 49 | ||||
-rw-r--r-- | etc/claws-mail.profile | 5 | ||||
-rw-r--r-- | etc/desktop.profile | 44 | ||||
-rw-r--r-- | etc/devilspie.profile | 49 | ||||
-rw-r--r-- | etc/devilspie2.profile | 49 | ||||
-rw-r--r-- | etc/disable-programs.inc | 8 | ||||
-rw-r--r-- | etc/easystroke.profile | 45 | ||||
-rw-r--r-- | etc/file.profile | 4 | ||||
-rw-r--r-- | etc/strings.profile | 4 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
21 files changed, 481 insertions, 22 deletions
@@ -33,14 +33,15 @@ Maintainer: | |||
33 | - netblue30 (netblue30@yahoo.com) | 33 | - netblue30 (netblue30@yahoo.com) |
34 | 34 | ||
35 | Committers | 35 | Committers |
36 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | ||
37 | - crass (https://github.com/crass) | ||
36 | - Fred-Barclay (https://github.com/Fred-Barclay) | 38 | - Fred-Barclay (https://github.com/Fred-Barclay) |
37 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) | 39 | - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) |
38 | - smithsohu (https://github.com/smitsohu) | 40 | - smithsohu (https://github.com/smitsohu) |
39 | - SkewedZeppelin (https://github.com/SkewedZeppelin) | 41 | - SkewedZeppelin (https://github.com/SkewedZeppelin) |
40 | - startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer) | 42 | - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) |
41 | - Topi Miettinen (https://github.com/topimiettinen) | 43 | - Topi Miettinen (https://github.com/topimiettinen) |
42 | - Vincent43 (https://github.com/Vincent43) | 44 | - Vincent43 (https://github.com/Vincent43) |
43 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | ||
44 | - netblue30 (netblue30@yahoo.com) | 45 | - netblue30 (netblue30@yahoo.com) |
45 | 46 | ||
46 | 47 | ||
@@ -98,4 +98,36 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
98 | ````` | 98 | ````` |
99 | 99 | ||
100 | ````` | 100 | ````` |
101 | # Current development version: 0.9.57 | 101 | # Current development version: 0.9.56.1 |
102 | |||
103 | This is probably a bugfix release: fixes, small features, new profiles. If we end up implementing something major | ||
104 | we'll switch to a regular 0.9.57 release. | ||
105 | |||
106 | # New Long Term Support (LTS) version | ||
107 | |||
108 | We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. | ||
109 | The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely | ||
110 | used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), | ||
111 | and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as | ||
112 | seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. | ||
113 | |||
114 | We have an rc1 release out, the final version will follow in the next few weeks: | ||
115 | ````` | ||
116 | firejail (0.9.56-LTS~rc1) baseline; urgency=low | ||
117 | * code based on Firejail version 0.9.56 | ||
118 | * much smaller code base for SUID executable | ||
119 | * command line options removed: | ||
120 | --audit, --build, --cgroup, --chroot, --get, --ls, --output, | ||
121 | --output-stderr, --overlay, --overlay-named, --overlay-tmpfs, | ||
122 | --overlay-clean, --private-home, --private-bin, --private-etc, | ||
123 | --private-opt, --private-srv, --put, --rlimit*, --trace, --tracelog, | ||
124 | --x11*, --xephyr* | ||
125 | * compile-time options: --enable-apparmor, --disable-seccomp, | ||
126 | --disable-globalcfg, --disable-network, --disable-userns, | ||
127 | --disable-whitelist, --disable-suid, --enable-fatal-warnings, | ||
128 | --enable-busybox-workaround | ||
129 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Oct 2018 08:00:00 -0500 | ||
130 | ````` | ||
131 | |||
132 | The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | ||
133 | |||
@@ -1,3 +1,8 @@ | |||
1 | firejail (0.9.56.1) baseline; urgency=low | ||
2 | * work in progress | ||
3 | * --disable-mnt rework | ||
4 | -- netblue30 <netblue30@yahoo.com> Thu, 11 Oct 2018 08:00:00 -0500 | ||
5 | |||
1 | firejail (0.9.56) baseline; urgency=low | 6 | firejail (0.9.56) baseline; urgency=low |
2 | * modif: removed CFG_CHROOT_DESKTOP configuration option | 7 | * modif: removed CFG_CHROOT_DESKTOP configuration option |
3 | * modif: removed compile time --enable-network=restricted | 8 | * modif: removed compile time --enable-network=restricted |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.57. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.56.1. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.57' | 583 | PACKAGE_VERSION='0.9.56.1' |
584 | PACKAGE_STRING='firejail 0.9.57' | 584 | PACKAGE_STRING='firejail 0.9.56.1' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then | |||
1275 | # Omit some internal or obsolete options to make the list less imposing. | 1275 | # Omit some internal or obsolete options to make the list less imposing. |
1276 | # This message is too long to be a string in the A/UX 3.1 sh. | 1276 | # This message is too long to be a string in the A/UX 3.1 sh. |
1277 | cat <<_ACEOF | 1277 | cat <<_ACEOF |
1278 | \`configure' configures firejail 0.9.57 to adapt to many kinds of systems. | 1278 | \`configure' configures firejail 0.9.56.1 to adapt to many kinds of systems. |
1279 | 1279 | ||
1280 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1280 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1281 | 1281 | ||
@@ -1337,7 +1337,7 @@ fi | |||
1337 | 1337 | ||
1338 | if test -n "$ac_init_help"; then | 1338 | if test -n "$ac_init_help"; then |
1339 | case $ac_init_help in | 1339 | case $ac_init_help in |
1340 | short | recursive ) echo "Configuration of firejail 0.9.57:";; | 1340 | short | recursive ) echo "Configuration of firejail 0.9.56.1:";; |
1341 | esac | 1341 | esac |
1342 | cat <<\_ACEOF | 1342 | cat <<\_ACEOF |
1343 | 1343 | ||
@@ -1442,7 +1442,7 @@ fi | |||
1442 | test -n "$ac_init_help" && exit $ac_status | 1442 | test -n "$ac_init_help" && exit $ac_status |
1443 | if $ac_init_version; then | 1443 | if $ac_init_version; then |
1444 | cat <<\_ACEOF | 1444 | cat <<\_ACEOF |
1445 | firejail configure 0.9.57 | 1445 | firejail configure 0.9.56.1 |
1446 | generated by GNU Autoconf 2.69 | 1446 | generated by GNU Autoconf 2.69 |
1447 | 1447 | ||
1448 | Copyright (C) 2012 Free Software Foundation, Inc. | 1448 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF | |||
1744 | This file contains any messages produced by compilers while | 1744 | This file contains any messages produced by compilers while |
1745 | running configure, to aid debugging if configure makes a mistake. | 1745 | running configure, to aid debugging if configure makes a mistake. |
1746 | 1746 | ||
1747 | It was created by firejail $as_me 0.9.57, which was | 1747 | It was created by firejail $as_me 0.9.56.1, which was |
1748 | generated by GNU Autoconf 2.69. Invocation command line was | 1748 | generated by GNU Autoconf 2.69. Invocation command line was |
1749 | 1749 | ||
1750 | $ $0 $@ | 1750 | $ $0 $@ |
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4379 | # report actual input values of CONFIG_FILES etc. instead of their | 4379 | # report actual input values of CONFIG_FILES etc. instead of their |
4380 | # values after options handling. | 4380 | # values after options handling. |
4381 | ac_log=" | 4381 | ac_log=" |
4382 | This file was extended by firejail $as_me 0.9.57, which was | 4382 | This file was extended by firejail $as_me 0.9.56.1, which was |
4383 | generated by GNU Autoconf 2.69. Invocation command line was | 4383 | generated by GNU Autoconf 2.69. Invocation command line was |
4384 | 4384 | ||
4385 | CONFIG_FILES = $CONFIG_FILES | 4385 | CONFIG_FILES = $CONFIG_FILES |
@@ -4433,7 +4433,7 @@ _ACEOF | |||
4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4433 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4434 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4435 | ac_cs_version="\\ | 4435 | ac_cs_version="\\ |
4436 | firejail config.status 0.9.57 | 4436 | firejail config.status 0.9.56.1 |
4437 | configured by $0, generated by GNU Autoconf 2.69, | 4437 | configured by $0, generated by GNU Autoconf 2.69, |
4438 | with options \\"\$ac_cs_config\\" | 4438 | with options \\"\$ac_cs_config\\" |
4439 | 4439 | ||
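--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.57, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.56.1, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 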
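--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp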
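--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.aria2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp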
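--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp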
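Review bot: The comment on line 9 says the directory is blacklisted in 'disable-programs.local', but the entry this commit adds for `${HOME}/.config/Authenticator` is in etc/disable-programs.inc; it should read `# blacklisted in disable-programs.inc`. `# private-bin authenticator` is left disabled with no reason given, while python3 is re-allowed by the two `noblacklist` lines, so the sandbox keeps every binary visible. A short reason next to it, in the style of `# nodbus - makes settings immutable`, would tell the next maintainer what has to be solved before it can be enabled.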
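--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp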
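--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 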
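Review bot: The added `include /etc/firejail/whitelist-common.inc` would normally switch the home directory to whitelist mode, yet the visible part of the profile adds no `whitelist` line for the mail client's own directories. The hunk starts at line 16, so such lines may already exist above it; if they do not, mail and settings written inside the sandbox would not persist. It is worth confirming that the top of the file carries the matching `whitelist` entries before this include lands.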
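--- /dev/null
+++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/github-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.config/GitHub Desktop
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+# private-bin Atom,desktop
+# private-cache
+# private-dev
+# private-etc none
+# private-lib
+# private-tmp
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp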
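Review bot: The profile whitelists `${HOME}/.config/GitHub Desktop` and then includes disable-programs.inc, to which this same commit adds `blacklist ${HOME}/.config/GitHub Desktop`, with no matching `noblacklist` line of the kind the other new profiles carry. The application will likely be unable to reach its own configuration directory; adding `noblacklist ${HOME}/.config/GitHub Desktop` before the includes would bring it in line with the other profiles. The local-customization include points at `/etc/firejail/github-desktop.local` although the file is `desktop.profile`, so a user's `desktop.local` would not be read. Most of the private-* and noexec hardening is commented out with no reason given, and `shell none` is absent; a short comment on what breaks would make later tightening possible.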
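--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.devilspie
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie will never write anything
+read-only ${HOME}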
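--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/devilspie2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie2 will never write anything
+read-only ${HOME}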
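--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
@@ -55,6 +57,7 @@ blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -71,6 +74,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -112,6 +116,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -253,11 +258,13 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
@@ -361,6 +368,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam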
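--- /dev/null
+++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/easystroke.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin easystroke
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp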
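--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
 tracelog
 x11 none
 
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
 private-lib
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}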
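Review bot: `#private-bin file` switches off the restriction that left only the `file` binary visible inside the sandbox, and the hunk gives no reason for it. Because this loosens the profile, the line should carry its justification in the style used elsewhere in this commit, e.g. `# private-bin file - <reason it breaks>`, with the space after `#` that the other profiles use. The added `private-cache` and `private-tmp` cover other directories and do not limit which binaries are reachable.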
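--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 
 include /etc/firejail/default.profile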
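--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -10,9 +10,11 @@ Discord
 DiscordCanary
 FossaMail
 Fritzing
+GitHub Desktop
 JDownloader
 Mathematica
 Natron
+QMediathekView
 Telegram
 Viber
 VirtualBox
@@ -85,6 +87,7 @@ clipit
 cliqz
 cmus
 code
+com.github.bilelmoussaoui.Authenticator
 conkeror
 conky
 corebird
@@ -111,6 +114,7 @@ dooble-qt4
 dosbox
 dragon
 dropbox
+easystroke
 ebook-viewer
 electrum
 elinks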
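Review bot: Two of the added entries do not match the profile file names introduced in this commit: `GitHub Desktop` versus etc/desktop.profile, and `com.github.bilelmoussaoui.Authenticator` versus etc/authenticator.profile. If the profile is selected by the name of the started program, these programs would not pick up the new profiles and would run under the default one instead, unless redirect profiles exist outside this diff. Either name the profiles after the entries, or add small profiles under those names that include the real one.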
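--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory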
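Review bot: `const` on a by-value parameter has no effect in a prototype, so `void fs_mnt(const int enforce);` reads as a promise to callers that it cannot make; `void fs_mnt(int enforce);` is the usual form in a header. The prototype is also where callers look for the meaning of the flag, and nothing here explains it. A trailing comment such as `// enforce: non-zero = set in firejail.config, noblacklist cannot override` would document the contract at the declaration.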
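--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-disable_file(BLACKLIST_FILE, "/mnt");
-disable_file(BLACKLIST_FILE, "/media");
-disable_file(BLACKLIST_FILE, "/run/mount");
-disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+if (enforce) {
+// disable-mnt set in firejail.config
+// overriding with noblacklist is not possible in this case
+disable_file(BLACKLIST_FILE, "/mnt");
+disable_file(BLACKLIST_FILE, "/media");
+disable_file(BLACKLIST_FILE, "/run/mount");
+disable_file(BLACKLIST_FILE, "/run/media");
+}
+else {
+EUID_USER();
+profile_add("blacklist /mnt");
+profile_add("blacklist /media");
+profile_add("blacklist /run/mount");
+profile_add("blacklist /run/media");
+EUID_ROOT();
+}
 }
 
 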
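Review bot: The header comment above fs_mnt still says only "Disable /mnt, /media, /run/mount and /run/media access" and does not mention that the two branches give different guarantees. With `enforce` set the paths go through `disable_file(BLACKLIST_FILE, ...)`, which the inline comment says `noblacklist` cannot override; otherwise they are queued with `profile_add("blacklist ...")` and so presumably can be lifted by the profile. I would state that in the header comment, e.g. `// enforce != 0: hard blacklist from firejail.config, noblacklist cannot lift it; enforce == 0: only adds blacklist rules to the profile`. The four paths are now spelled out twice, so the lists can drift apart (the old `//run/media` entry shows how easily one goes wrong), and the else branch ends in `EUID_ROOT()` unconditionally, which assumes every caller enters with root EUID.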
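--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
-if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-fs_mnt();
+if (checkcfg(CFG_DISABLE_MNT))
+fs_mnt(1);
+else if (arg_disable_mnt)
+fs_mnt(0);
 
 //****************************
 // apply the profile file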
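Review bot: The `fs_mnt(0)` path only queues blacklist rules (see the fs.c side of this commit), so it depends on running before the "apply the profile file" step that follows this block, and nothing in the code records that ordering. A comment such as `// must stay before the profile is applied: fs_mnt(0) only adds profile entries` would keep a later reorder from silently turning disable-mnt into a no-op; the profile-application code itself is outside the hunk, so this is inferred. The bare `1`/`0` arguments also hide which call is the non-overridable one; a short comment at each call or a named constant would make the firejail.config precedence obvious. sandbox() starts and ends outside the hunk.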