37 files changed, 277 insertions, 67 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4f8f7e4fc..66ca0d321 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -53,7 +53,7 @@ jobs: | |||
53 | 53 | ||
54 | # Initializes the CodeQL tools for scanning. | 54 | # Initializes the CodeQL tools for scanning. |
55 | - name: Initialize CodeQL | 55 | - name: Initialize CodeQL |
56 | uses: github/codeql-action/init@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 56 | uses: github/codeql-action/init@c7f292ea4f542c473194b33813ccd4c207a6c725 |
57 | with: | 57 | with: |
58 | languages: ${{ matrix.language }} | 58 | languages: ${{ matrix.language }} |
59 | # If you wish to specify custom queries, you can do so here or in a config file. | 59 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -64,7 +64,7 @@ jobs: | |||
64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
65 | # If this step fails, then you should remove it and run the build manually (see below) | 65 | # If this step fails, then you should remove it and run the build manually (see below) |
66 | - name: Autobuild | 66 | - name: Autobuild |
67 | uses: github/codeql-action/autobuild@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 67 | uses: github/codeql-action/autobuild@c7f292ea4f542c473194b33813ccd4c207a6c725 |
68 | 68 | ||
69 | # ℹ️ Command-line programs to run using the OS shell. | 69 | # ℹ️ Command-line programs to run using the OS shell. |
70 | # 📚 https://git.io/JvXDl | 70 | # 📚 https://git.io/JvXDl |
@@ -78,4 +78,4 @@ jobs: | |||
78 | # make release | 78 | # make release |
79 | 79 | ||
80 | - name: Perform CodeQL Analysis | 80 | - name: Perform CodeQL Analysis |
81 | uses: github/codeql-action/analyze@0c670bbf0414f39666df6ce8e718ec5662c21e03 | 81 | uses: github/codeql-action/analyze@c7f292ea4f542c473194b33813ccd4c207a6c725 |
@@ -124,8 +124,8 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes) | |||
124 | install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax | 124 | install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax |
125 | endif | 125 | endif |
126 | # documents | 126 | # documents |
127 | install -m 0755 -d $(DESTDIR)$(DOCDIR) | 127 | install -m 0755 -d $(DESTDIR)$(docdir) |
128 | install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/* | 128 | install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/* |
129 | # profiles and settings | 129 | # profiles and settings |
130 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail | 130 | install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail |
131 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config | 131 | install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config |
@@ -179,8 +179,8 @@ uninstall: config.mk | |||
179 | rm -f $(DESTDIR)$(bindir)/firejail | 179 | rm -f $(DESTDIR)$(bindir)/firejail |
180 | rm -f $(DESTDIR)$(bindir)/firemon | 180 | rm -f $(DESTDIR)$(bindir)/firemon |
181 | rm -f $(DESTDIR)$(bindir)/firecfg | 181 | rm -f $(DESTDIR)$(bindir)/firecfg |
182 | rm -f $(DESTDIR)$(bindir)/jailcheck | ||
182 | rm -fr $(DESTDIR)$(libdir)/firejail | 183 | rm -fr $(DESTDIR)$(libdir)/firejail |
183 | rm -fr $(DESTDIR)$(libdir)/jailcheck | ||
184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail | 184 | rm -fr $(DESTDIR)$(datarootdir)/doc/firejail |
185 | for man in $(MANPAGES); do \ | 185 | for man in $(MANPAGES); do \ |
186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ | 186 | rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ |
@@ -189,6 +189,9 @@ uninstall: config.mk | |||
189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 189 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 190 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 191 | rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
192 | rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail | ||
193 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim | ||
194 | rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim | ||
192 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." | 195 | @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." |
193 | 196 | ||
194 | DISTFILES = \ | 197 | DISTFILES = \ |
@@ -218,14 +221,14 @@ dist: config.mk | |||
218 | make distclean | 221 | make distclean |
219 | mv config.status.old config.status | 222 | mv config.status.old config.status |
220 | mv config.sh.old config.sh | 223 | mv config.sh.old config.sh |
221 | rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz | 224 | rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz |
222 | mkdir -p $(NAME)-$(VERSION)/test | 225 | mkdir -p $(TARNAME)-$(VERSION)/test |
223 | cp -a $(DISTFILES) $(NAME)-$(VERSION) | 226 | cp -a $(DISTFILES) $(TARNAME)-$(VERSION) |
224 | cp -a $(DISTFILES_TEST) $(NAME)-$(VERSION)/test | 227 | cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test |
225 | rm -rf $(NAME)-$(VERSION)/src/tools | 228 | rm -rf $(TARNAME)-$(VERSION)/src/tools |
226 | find $(NAME)-$(VERSION) -name .svn -delete | 229 | find $(TARNAME)-$(VERSION) -name .svn -delete |
227 | tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) | 230 | tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION) |
228 | rm -fr $(NAME)-$(VERSION) | 231 | rm -fr $(TARNAME)-$(VERSION) |
229 | 232 | ||
230 | asc: config.mk | 233 | asc: config.mk |
231 | ./mkasc.sh $(VERSION) | 234 | ./mkasc.sh $(VERSION) |
@@ -237,11 +240,11 @@ deb-apparmor: dist config.sh | |||
237 | ./mkdeb.sh -apparmor --enable-apparmor | 240 | ./mkdeb.sh -apparmor --enable-apparmor |
238 | 241 | ||
239 | test-compile: dist config.mk | 242 | test-compile: dist config.mk |
240 | cd test/compile; ./compile.sh $(NAME)-$(VERSION) | 243 | cd test/compile; ./compile.sh $(TARNAME)-$(VERSION) |
241 | 244 | ||
242 | .PHONY: rpms | 245 | .PHONY: rpms |
243 | rpms: src/man config.mk | 246 | rpms: src/man config.mk |
244 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | 247 | ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION) |
245 | 248 | ||
246 | extras: all | 249 | extras: all |
247 | $(MAKE) -C extras/firetools | 250 | $(MAKE) -C extras/firetools |
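Review bot: The uninstall target still removes the hard-coded `$(DESTDIR)$(datarootdir)/doc/firejail` (line 184 in the uninstall hunk) while the install hunk above now creates and populates `$(DESTDIR)$(docdir)`; a build configured with a non-default docdir installs documentation that `make uninstall` never removes, which is the same class of omission #5283 set out to close. The line should read `rm -fr $(DESTDIR)$(docdir)`. In the test-compile hunk, the new line `cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)` runs compile.sh from the top-level directory if the cd fails; `cd test/compile && ./compile.sh $(TARNAME)-$(VERSION)` stops instead. The install and uninstall recipes begin outside these hunks.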
@@ -182,6 +182,8 @@ avoidr (https://github.com/avoidr) | |||
182 | - added mcabber profile | 182 | - added mcabber profile |
183 | - fixed mpv profile | 183 | - fixed mpv profile |
184 | - various other fixes | 184 | - various other fixes |
185 | Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) | ||
186 | - add support for custom AppArmor profiles (--apparmor=) | ||
185 | backspac (https://github.com/backspac) | 187 | backspac (https://github.com/backspac) |
186 | - firecfg fixes | 188 | - firecfg fixes |
187 | - add steam-runtime alias | 189 | - add steam-runtime alias |
@@ -856,11 +858,15 @@ pszxzsd (https://github.com/pszxzsd) | |||
856 | -uGet profile | 858 | -uGet profile |
857 | pwnage-pineapple (https://github.com/pwnage-pineapple) | 859 | pwnage-pineapple (https://github.com/pwnage-pineapple) |
858 | - update Okular profile | 860 | - update Okular profile |
861 | Quentin Retornaz (https://github.com/qretornaz-adapei42) | ||
862 | - microsoft-edge profiles fixes | ||
859 | Quentin Minster (https://github.com/laomaiweng) | 863 | Quentin Minster (https://github.com/laomaiweng) |
860 | - propagate --quiet to children Firejail'ed processes | 864 | - propagate --quiet to children Firejail'ed processes |
861 | - nodbus enhancements/bugfixes | 865 | - nodbus enhancements/bugfixes |
862 | - added vim syntax and ftdetect files | 866 | - added vim syntax and ftdetect files |
863 | - Allow exec from /usr/libexec & co. with AppArmor | 867 | - Allow exec from /usr/libexec & co. with AppArmor |
868 | ra1nb0w (https://github.com/ra1nb0w) | ||
869 | - fix vmware profile | ||
864 | Rafael Cavalcanti (https://github.com/rccavalcanti) | 870 | Rafael Cavalcanti (https://github.com/rccavalcanti) |
865 | - chromium profile fixes for Arch Linux | 871 | - chromium profile fixes for Arch Linux |
866 | Rahiel Kasim (https://github.com/rahiel) | 872 | Rahiel Kasim (https://github.com/rahiel) |
@@ -182,6 +182,43 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
182 | 182 | ||
183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 183 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
184 | 184 | ||
185 | ### Restrict namespaces | ||
186 | |||
187 | ````` | ||
188 | --restrict-namespaces | ||
189 | Install a seccomp filter that blocks attempts to create new | ||
190 | cgroup, ipc, net, mount, pid, time, user or uts namespaces. | ||
191 | |||
192 | Example: | ||
193 | $ firejail --restrict-namespaces | ||
194 | |||
195 | --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts | ||
196 | Install a seccomp filter that blocks attempts to create any of | ||
197 | the specified namespaces. The filter examines the arguments of | ||
198 | clone, unshare and setns system calls and returns error EPERM to | ||
199 | the process (or kills it or logs the attempt, see --seccomp-er‐ | ||
200 | ror-action below) if necessary. Note that the filter is not able | ||
201 | to examine the arguments of clone3 system calls, and always re‐ | ||
202 | sponds to these calls with error ENOSYS. | ||
203 | |||
204 | Example: | ||
205 | $ firejail --restrict-namespaces=user,net | ||
206 | ````` | ||
207 | |||
208 | #### Support for custom AppArmor profiles | ||
209 | |||
210 | ````` | ||
211 | --apparmor | ||
212 | Enable AppArmor confinement with the "firejail-default" AppArmor | ||
213 | profile. For more information, please see APPARMOR section be‐ | ||
214 | low. | ||
215 | |||
216 | --apparmor=profile_name | ||
217 | Enable AppArmor confinement with a custom AppArmor profile. | ||
218 | Note that profile in question must already be loaded into the | ||
219 | kernel. For more information, please see APPARMOR section be‐ | ||
220 | ````` | ||
221 | |||
185 | ### Profile Statistics | 222 | ### Profile Statistics |
186 | 223 | ||
187 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 224 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
@@ -221,4 +258,4 @@ Stats: | |||
221 | 258 | ||
222 | ### New profiles: | 259 | ### New profiles: |
223 | 260 | ||
224 | onionshare, onionshare-cli, opera-developer, songrec | 261 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb |
@@ -1,13 +1,23 @@ | |||
1 | firejail (0.9.71) baseline; urgency=low | 1 | firejail (0.9.71) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * feat: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: On failing to remount a fuse filesystem, give warning instead of |
4 | * erroring out (#5240 #5242) | 4 | erroring out (#5240 #5242) |
5 | * build: deduplicate configure-time vars into new config files (#5140) | 5 | * feature: restrict namespaces (--restrict-namespaces) implemented as |
6 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) | ||
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | ||
8 | #5317) | ||
9 | * bugfix: Flood of seccomp audit log entries (#5207) | ||
10 | * build: deduplicate configure-time vars into new config files (#5140 #5284) | ||
6 | * build: fix file mode of shell scripts (644 -> 755) (#5206) | 11 | * build: fix file mode of shell scripts (644 -> 755) (#5206) |
7 | * build: reduce autoconf input files from 32 to 2 (#5219) | 12 | * build: reduce autoconf input files from 32 to 2 (#5219) |
8 | * build: add dist build directory to .gitignore (#5248) | 13 | * build: add dist build directory to .gitignore (#5248) |
9 | * build: add autoconf auto-generation comment to input files (#5251) | 14 | * build: add autoconf auto-generation comment to input files (#5251) |
15 | * build: Add files make uninstall forgot to remove (#5283) | ||
16 | * build: add and use TARNAME instead of NAME for paths (#5310) | ||
10 | * ci: ignore git-related paths and the project license (#5249) | 17 | * ci: ignore git-related paths and the project license (#5249) |
18 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 | ||
19 | #5290) | ||
20 | * docs: set vim filetype on man pages for syntax highlighting (#5296) | ||
11 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 21 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
12 | 22 | ||
13 | firejail (0.9.70) baseline; urgency=low | 23 | firejail (0.9.70) baseline; urgency=low |
diff --git a/config.mk.in b/config.mk.in index e0be0e656..9973b7eaa 100644 --- a/config.mk.in +++ b/config.mk.in | |||
@@ -7,19 +7,20 @@ | |||
7 | # up overriding the includer's intended default target (which by default is the | 7 | # up overriding the includer's intended default target (which by default is the |
8 | # first target encountered). | 8 | # first target encountered). |
9 | 9 | ||
10 | CC=@CC@ | 10 | NAME=@PACKAGE_NAME@ |
11 | TARNAME=@PACKAGE_TARNAME@ | ||
12 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ # needed by docdir | ||
13 | VERSION=@PACKAGE_VERSION@ | ||
14 | |||
11 | prefix=@prefix@ | 15 | prefix=@prefix@ |
12 | exec_prefix=@exec_prefix@ | 16 | exec_prefix=@exec_prefix@ |
13 | bindir=@bindir@ | 17 | bindir=@bindir@ |
14 | libdir=@libdir@ | 18 | libdir=@libdir@ |
15 | datarootdir=@datarootdir@ | 19 | datarootdir=@datarootdir@ |
20 | docdir=@docdir@ | ||
16 | mandir=@mandir@ | 21 | mandir=@mandir@ |
17 | sysconfdir=@sysconfdir@ | 22 | sysconfdir=@sysconfdir@ |
18 | 23 | ||
19 | VERSION=@PACKAGE_VERSION@ | ||
20 | NAME=@PACKAGE_NAME@ | ||
21 | PACKAGE_TARNAME=@PACKAGE_TARNAME@ | ||
22 | DOCDIR=@docdir@ | ||
23 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 24 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
24 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ | 25 | HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ |
25 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ | 26 | BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ |
@@ -50,6 +51,7 @@ HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ | |||
50 | 51 | ||
51 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) | 52 | MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) |
52 | 53 | ||
54 | CC=@CC@ | ||
53 | CFLAGS=@CFLAGS@ | 55 | CFLAGS=@CFLAGS@ |
54 | 56 | ||
55 | ifdef NO_EXTRA_CFLAGS | 57 | ifdef NO_EXTRA_CFLAGS |
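Review bot: The trailing comment on the new line `PACKAGE_TARNAME=@PACKAGE_TARNAME@ # needed by docdir` becomes part of the value: GNU make keeps the whitespace between the substituted name and the `#`, so PACKAGE_TARNAME ends in a space, and so does anything derived from it, which by the comment's own account includes the configured docdir. Unquoted use in the install recipes masks this for now, but any quoted use or string comparison of these variables would break. Put the comment on its own line: `# PACKAGE_TARNAME is referenced by the configured docdir` followed by `PACKAGE_TARNAME=@PACKAGE_TARNAME@`. Since TARNAME carries the same substitution, `TARNAME=$(PACKAGE_TARNAME)` would also keep the two from drifting apart.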
diff --git a/config.sh.in b/config.sh.in index 3d54ff189..0a91c68f2 100644 --- a/config.sh.in +++ b/config.sh.in | |||
@@ -1,3 +1,8 @@ | |||
1 | # @configure_input@ | 1 | # @configure_input@ |
2 | NAME=@PACKAGE_NAME@ | 2 | # |
3 | VERSION=@PACKAGE_VERSION@ | 3 | # shellcheck shell=sh |
4 | # shellcheck disable=SC2034 | ||
5 | |||
6 | NAME="@PACKAGE_NAME@" | ||
7 | TARNAME="@PACKAGE_TARNAME@" | ||
8 | VERSION="@PACKAGE_VERSION@" | ||
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 9099a0808..0c8ebdbd8 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
52 | 52 | ||
53 | " Commands grabbed from: src/firejail/profile.c | 53 | " Commands grabbed from: src/firejail/profile.c |
54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 54 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
55 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 55 | syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 56 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 57 | syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 58 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index b4e7f642a..3cc771ed7 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -33,6 +33,7 @@ owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, | |||
33 | #ptrace, | 33 | #ptrace, |
34 | # Allow obtaining some process information, but not ptrace(2) | 34 | # Allow obtaining some process information, but not ptrace(2) |
35 | ptrace (read,readby) peer=@{profile_name}, | 35 | ptrace (read,readby) peer=@{profile_name}, |
36 | ptrace (read,readby) peer=@{profile_name}//&unconfined, | ||
36 | 37 | ||
37 | ########## | 38 | ########## |
38 | # Allow read access to whole filesystem and control it from firejail. | 39 | # Allow read access to whole filesystem and control it from firejail. |
@@ -123,6 +124,7 @@ network packet, | |||
123 | ########## | 124 | ########## |
124 | # There is no equivalent in Firejail for filtering signals. | 125 | # There is no equivalent in Firejail for filtering signals. |
125 | ########## | 126 | ########## |
127 | signal (send) peer=@{profile_name}//&unconfined, | ||
126 | signal (send) peer=@{profile_name}, | 128 | signal (send) peer=@{profile_name}, |
127 | signal (receive), | 129 | signal (receive), |
128 | 130 | ||
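Review bot: The two new `peer=@{profile_name}//&unconfined` rules are undocumented, while the surrounding comments explain only the plain `@{profile_name}` peer. A reader of the policy cannot tell from the file which sandboxed processes carry the stacked label; presumably it is the case where this profile is stacked with an unconfined label, which the new `--apparmor=` support may make more common, but that is worth confirming in the commit or the comment. Suggest a comment above each new line, e.g. `# Processes carrying the stacked label profile//&unconfined are peers too`, so the rules are not removed as redundant in a later cleanup. Both additions only extend the existing ptrace and signal permissions to that stacked peer and are symmetric with the lines they sit next to.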
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 79da8d5f5..7ad491460 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -156,6 +156,7 @@ blacklist ${HOME}/.cache/liferea | |||
156 | blacklist ${HOME}/.cache/lutris | 156 | blacklist ${HOME}/.cache/lutris |
157 | blacklist ${HOME}/.cache/marker | 157 | blacklist ${HOME}/.cache/marker |
158 | blacklist ${HOME}/.cache/matrix-mirage | 158 | blacklist ${HOME}/.cache/matrix-mirage |
159 | blacklist ${HOME}/.cache/microsoft-edge | ||
159 | blacklist ${HOME}/.cache/microsoft-edge-beta | 160 | blacklist ${HOME}/.cache/microsoft-edge-beta |
160 | blacklist ${HOME}/.cache/microsoft-edge-dev | 161 | blacklist ${HOME}/.cache/microsoft-edge-dev |
161 | blacklist ${HOME}/.cache/midori | 162 | blacklist ${HOME}/.cache/midori |
@@ -522,6 +523,7 @@ blacklist ${HOME}/.config/meld | |||
522 | blacklist ${HOME}/.config/menulibre.cfg | 523 | blacklist ${HOME}/.config/menulibre.cfg |
523 | blacklist ${HOME}/.config/meteo-qt | 524 | blacklist ${HOME}/.config/meteo-qt |
524 | blacklist ${HOME}/.config/mfusion | 525 | blacklist ${HOME}/.config/mfusion |
526 | blacklist ${HOME}/.config/microsoft-edge | ||
525 | blacklist ${HOME}/.config/microsoft-edge-beta | 527 | blacklist ${HOME}/.config/microsoft-edge-beta |
526 | blacklist ${HOME}/.config/microsoft-edge-dev | 528 | blacklist ${HOME}/.config/microsoft-edge-dev |
527 | blacklist ${HOME}/.config/midori | 529 | blacklist ${HOME}/.config/midori |
@@ -622,6 +624,7 @@ blacklist ${HOME}/.config/tox | |||
622 | blacklist ${HOME}/.config/transgui | 624 | blacklist ${HOME}/.config/transgui |
623 | blacklist ${HOME}/.config/transmission | 625 | blacklist ${HOME}/.config/transmission |
624 | blacklist ${HOME}/.config/truecraft | 626 | blacklist ${HOME}/.config/truecraft |
627 | blacklist ${HOME}/.config/tuir | ||
625 | blacklist ${HOME}/.config/tuta_integration | 628 | blacklist ${HOME}/.config/tuta_integration |
626 | blacklist ${HOME}/.config/tutanota-desktop | 629 | blacklist ${HOME}/.config/tutanota-desktop |
627 | blacklist ${HOME}/.config/tvbrowser | 630 | blacklist ${HOME}/.config/tvbrowser |
@@ -995,6 +998,7 @@ blacklist ${HOME}/.local/share/telepathy | |||
995 | blacklist ${HOME}/.local/share/terasology | 998 | blacklist ${HOME}/.local/share/terasology |
996 | blacklist ${HOME}/.local/share/torbrowser | 999 | blacklist ${HOME}/.local/share/torbrowser |
997 | blacklist ${HOME}/.local/share/totem | 1000 | blacklist ${HOME}/.local/share/totem |
1001 | blacklist ${HOME}/.local/share/tuir | ||
998 | blacklist ${HOME}/.local/share/uzbl | 1002 | blacklist ${HOME}/.local/share/uzbl |
999 | blacklist ${HOME}/.local/share/vlc | 1003 | blacklist ${HOME}/.local/share/vlc |
1000 | blacklist ${HOME}/.local/share/vpltd | 1004 | blacklist ${HOME}/.local/share/vpltd |
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index b517620db..2831fec72 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
@@ -20,7 +20,8 @@ include disable-xdg.inc | |||
20 | 20 | ||
21 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
22 | 22 | ||
23 | apparmor | 23 | ## Enabling App Armor appears to break some Fedora / Arch installs |
24 | #apparmor | ||
24 | caps.drop all | 25 | caps.drop all |
25 | net none | 26 | net none |
26 | no3d | 27 | no3d |
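Review bot: Commenting out `apparmor` removes the AppArmor layer for every user of this profile, although the new comment only reports breakage on some Fedora / Arch installs. Firejail already has a per-user override for exactly this case, the same one the steam profile on this page documents for seccomp: keeping `apparmor` here and noting `ignore apparmor` in audacity.local for the affected systems preserves the confinement where it works. If the line is to stay disabled, the comment should at least cite the report it is based on (`# Enabling AppArmor breaks some Fedora / Arch installs, see #<issue>`), use a single `#` like the other comment lines in these profiles, and spell the feature AppArmor.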
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile new file mode 100644 index 000000000..783183bea --- /dev/null +++ b/etc/profile-a-l/gdu.profile | |||
@@ -0,0 +1,46 @@ | |||
1 | # Firejail profile for gdu | ||
2 | # Description: Fast disk usage analyzer with console interface | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include gdu.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
12 | include disable-exec.inc | ||
13 | |||
14 | apparmor | ||
15 | caps.drop all | ||
16 | ipc-namespace | ||
17 | machine-id | ||
18 | net none | ||
19 | no3d | ||
20 | nodvd | ||
21 | nogroups | ||
22 | noinput | ||
23 | nonewprivs | ||
24 | noroot | ||
25 | nosound | ||
26 | notv | ||
27 | nou2f | ||
28 | novideo | ||
29 | # block the socket syscall to simulate an be empty protocol line, see #639 | ||
30 | seccomp socket | ||
31 | seccomp.block-secondary | ||
32 | x11 none | ||
33 | |||
34 | private-dev | ||
35 | |||
36 | dbus-user none | ||
37 | dbus-system none | ||
38 | |||
39 | memory-deny-write-execute | ||
40 | |||
41 | # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features. | ||
42 | # Depending on workflow and use case the sandbox can be hardened by adding the | ||
43 | # lines below to your gdu.local if you don't need/want these functionalities. | ||
44 | #include disable-shell.inc | ||
45 | #private-bin gdu | ||
46 | #read-only ${HOME} | ||
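Review bot: The comment on line 29, `# block the socket syscall to simulate an be empty protocol line, see #639`, has a stray word and should read `# block the socket syscall to simulate an empty protocol line, see #639`. The profile also includes only disable-exec.inc, whereas the other profiles on this page pull in disable-programs.inc and similar lists; if that omission is deliberate because gdu must be able to scan arbitrary paths, a one-line comment next to `include disable-exec.inc` saying so would stop a later contributor from "fixing" it. The closing comment already documents the optional hardening lines well.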
diff --git a/etc/profile-m-z/makedeb.profile b/etc/profile-m-z/makedeb.profile new file mode 100644 index 000000000..f45bfca3a --- /dev/null +++ b/etc/profile-m-z/makedeb.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for makedeb | ||
2 | # Description: A utility to automate the building of Debian packages | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include makedeb.local | ||
7 | # Persistent global definitions | ||
8 | #include globals.local | ||
9 | |||
10 | ignore noblacklist /var/lib/pacman | ||
11 | |||
12 | # Redirect | ||
13 | include makepkg.profile | ||
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index dd2f0b318..4ec6ef82e 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # Firejail profile for makepkg | 1 | # Firejail profile for makepkg |
2 | # Description: A utility to automate the building of Arch Linux packages | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | quiet | 4 | quiet |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index bdc6e3451..b8d221dc3 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 56 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 59 | private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg |
60 | #private-tmp | 60 | #private-tmp |
61 | 61 | ||
62 | dbus-user none | 62 | dbus-user none |
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 095038f08..63844ad70 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-beta | |||
14 | whitelist ${HOME}/.cache/microsoft-edge-beta | 14 | whitelist ${HOME}/.cache/microsoft-edge-beta |
15 | whitelist ${HOME}/.config/microsoft-edge-beta | 15 | whitelist ${HOME}/.config/microsoft-edge-beta |
16 | 16 | ||
17 | private-opt microsoft | 17 | whitelist /opt/microsoft/msedge-beta |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include chromium-common.profile | 20 | include chromium-common.profile |
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile index 039cd36a8..b01fd7c25 100644 --- a/etc/profile-m-z/microsoft-edge-dev.profile +++ b/etc/profile-m-z/microsoft-edge-dev.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/microsoft-edge-dev | |||
14 | whitelist ${HOME}/.cache/microsoft-edge-dev | 14 | whitelist ${HOME}/.cache/microsoft-edge-dev |
15 | whitelist ${HOME}/.config/microsoft-edge-dev | 15 | whitelist ${HOME}/.config/microsoft-edge-dev |
16 | 16 | ||
17 | private-opt microsoft | 17 | whitelist /opt/microsoft/msedge-dev |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include chromium-common.profile | 20 | include chromium-common.profile |
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile index f427507d1..4cd8c85a5 100644 --- a/etc/profile-m-z/microsoft-edge.profile +++ b/etc/profile-m-z/microsoft-edge.profile | |||
@@ -1,11 +1,20 @@ | |||
1 | # Firejail profile for Microsoft Edge | 1 | # Firejail profile for Microsoft Edge |
2 | # Description: Web browser from Microsoft | 2 | # Description: Web browser from Microsoft,stable channel |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include microsoft-edge.local | 5 | include microsoft-edge.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | # added by included profile | 7 | include globals.local |
8 | #include globals.local | 8 | |
9 | noblacklist ${HOME}/.cache/microsoft-edge | ||
10 | noblacklist ${HOME}/.config/microsoft-edge | ||
11 | |||
12 | mkdir ${HOME}/.cache/microsoft-edge | ||
13 | mkdir ${HOME}/.config/microsoft-edge | ||
14 | whitelist ${HOME}/.cache/microsoft-edge | ||
15 | whitelist ${HOME}/.config/microsoft-edge | ||
16 | |||
17 | whitelist /opt/microsoft/msedge | ||
9 | 18 | ||
10 | # Redirect | 19 | # Redirect |
11 | include microsoft-edge-dev.profile | 20 | include chromium-common.profile |
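Review bot: The new description line `# Description: Web browser from Microsoft,stable channel` is missing the space after the comma; `# Description: Web browser from Microsoft, stable channel` matches the other Description lines on this page. The `whitelist /opt/microsoft/msedge` line follows the same pattern as the beta and dev profiles in this commit, which keeps the three channels in step.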
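--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -50,31 +50,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.Mail
-mkdir ${HOME}/.bogofilter
-mkdir ${HOME}/.config/mutt
-mkdir ${HOME}/.config/nano
-mkdir ${HOME}/.config/neomutt
-mkdir ${HOME}/.elinks
-mkdir ${HOME}/.emacs.d
-mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.mail
-mkdir ${HOME}/.mutt
-mkdir ${HOME}/.neomutt
-mkdir ${HOME}/.vim
-mkdir ${HOME}/.w3m
 mkdir ${HOME}/Mail
 mkdir ${HOME}/mail
 mkdir ${HOME}/postponed
 mkdir ${HOME}/sent
-mkfile ${HOME}/.emacs
-mkfile ${HOME}/.mailcap
-mkfile ${HOME}/.msmtprc
-mkfile ${HOME}/.muttrc
-mkfile ${HOME}/.nanorc
-mkfile ${HOME}/.neomuttrc
-mkfile ${HOME}/.signature
-mkfile ${HOME}/.viminfo
-mkfile ${HOME}/.vimrc
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.Mail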
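Review bot: The hunk removes the `mkdir`/`mkfile` lines for `.gnupg`, `.config/neomutt`, `.muttrc` and the other editor/mailer paths, but the matching `whitelist` lines for them are outside the hunk and it is not visible here whether they were removed as well or whether the `mkdir`/`mkfile` entries moved into an included profile. As far as I recall, a whitelisted home path that does not exist is skipped, so on a fresh account those directories and files would no longer be created and would stay inaccessible to neomutt. A one-line comment above the remaining `mkdir` block naming where the removed entries now live would make the intent clear, e.g. `# editor/mailer paths are created by the included profiles`, adjusted to the actual location.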
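--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -156,7 +156,10 @@ protocol unix,inet,inet6,netlink
 # seccomp sometimes causes issues (see #2951, #3267).
 # Add 'ignore seccomp' to your steam.local if you experience this.
 # mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
+# (see #4366).
 seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!ptrace,!umount2
+# process_vm_readv is used by GE-Proton7-18 (see #5185).
+seccomp.32 !process_vm_readv
 # tracelog breaks integrated browser
 #tracelog
 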
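Review bot: The added `seccomp.32 !process_vm_readv` relaxes only the 32-bit syscall filter, while the 64-bit `seccomp` line directly above it keeps process_vm_readv blocked, and the comment does not say whether that asymmetry is intended. process_vm_readv lets one process read another process's memory (subject to the kernel's ptrace access checks), so the exemption is a deliberate widening of the sandbox and the reason for its scope is worth recording. If the 32-bit-only scope is intentional, extend the comment to `# process_vm_readv is used by GE-Proton7-18 (see #5185); only the 32-bit ABI needs it.`; if 64-bit Proton needs it too, the 64-bit line should get the same exception rather than leaving the two filters silently out of step.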
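--- /dev/null
+++ b/etc/profile-m-z/tuir.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tuir
+# Description: Browse Reddit from your terminal (rtv fork)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuir.local
+# Persistent global definitions
+#include globals.local
+
+ignore mkdir ${HOME}/.config/rtv
+ignore mkdir ${HOME}/.local/share/rtv
+
+noblacklist ${HOME}/.config/tuir
+noblacklist ${HOME}/.local/share/tuir
+
+mkdir ${HOME}/.config/tuir
+mkdir ${HOME}/.local/share/tuir
+whitelist ${HOME}/.config/tuir
+whitelist ${HOME}/.local/share/tuir
+
+private-bin tuir
+
+# Redirect
+include rtv.profile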
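--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none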
@@ -14,8 +14,8 @@ EXTRA_VERSION=$1 | |||
14 | 14 | ||
15 | test "$#" -gt 0 && shift | 15 | test "$#" -gt 0 && shift |
16 | 16 | ||
17 | CODE_ARCHIVE="$NAME-$VERSION.tar.xz" | 17 | CODE_ARCHIVE="$TARNAME-$VERSION.tar.xz" |
18 | CODE_DIR="$NAME-$VERSION" | 18 | CODE_DIR="$TARNAME-$VERSION" |
19 | INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" | 19 | INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" |
20 | DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" | 20 | DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" |
21 | 21 | ||
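--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -289,6 +289,7 @@ gapplication
 gcalccmd
 gcloud
 gconf-editor
+gdu
 geany
 geary
 gedit
@@ -842,6 +843,7 @@ tremulous
 trojita
 truecraft
 tshark
+tuir
 tutanota-desktop
 tuxguitar
 tvbrowser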
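--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -338,6 +338,7 @@ extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
+extern char *apparmor_profile; // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension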
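--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
+char *apparmor_profile = NULL; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1287,8 +1288,14 @@ int main(int argc, char **argv, char **envp) {
 // filtering
 //*************************************
 #ifdef HAVE_APPARMOR
-else if (strcmp(argv[i], "--apparmor") == 0)
+else if (strcmp(argv[i], "--apparmor") == 0) {
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+}
+else if (strncmp(argv[i], "--apparmor=", 11) == 0) {
+arg_apparmor = 1;
+apparmor_profile = argv[i] + 11;
+}
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {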
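--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -939,6 +939,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
 arg_apparmor = 1;
+apparmor_profile = "firejail-default";
+#endif
+return 0;
+}
+
+if (strncmp(ptr, "apparmor ", 9) == 0) {
+#ifdef HAVE_APPARMOR
+arg_apparmor = 1;
+apparmor_profile = strdup(ptr + 9);
+if (!apparmor_profile)
+errExit("strdup");
 #endif
 return 0;
 }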
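--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-if (aa_change_onexec("firejail-default")) {
+if (aa_stack_onexec(apparmor_profile)) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");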
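Review bot: The warning text below the changed `aa_stack_onexec(apparmor_profile)` call still hard-codes "firejail-default" in both its hint lines, so a user who asked for a custom profile that is not loaded is told to run `aa-enforce firejail-default`, which will not fix their problem. If fwarning is printf-style, as its use with a format-looking string suggests, the two lines can become `"Maybe the %s AppArmor profile is not loaded into the kernel.\n"` and `"As root, run \"aa-enforce %s\" to load it.\n", apparmor_profile, apparmor_profile);`. The switch from aa_change_onexec to aa_stack_onexec also changes the default `--apparmor` case, since a profile that already confines the firejail process is now stacked with rather than replaced by firejail-default; a short comment above the call stating that stacking is intended would save the next reader from wondering whether it was accidental. The body of set_apparmor continues past the hunk.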
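--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,7 +30,9 @@ static char *usage_str =
 " -- - signal the end of options and disables further option processing.\n"
 " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 " --allusers - all user home directories are visible inside the sandbox.\n"
-" --apparmor - enable AppArmor confinement.\n"
+" --apparmor - enable AppArmor confinement with the default profile.\n"
+" --apparmor=profile_name - enable AppArmor confinement with a\n"
+"\tcustom profile.\n"
 " --apparmor.print=name|pid - print apparmor status.\n"
 " --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK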
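--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -146,3 +146,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :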
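--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -40,3 +40,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :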
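--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -478,7 +478,11 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
-Enable AppArmor confinement.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+.TP
+\fBapparmor profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that the profile in question must already be loaded into the kernel.
 #endif
 .TP
 \fBcaps
@@ -1031,3 +1035,4 @@ Homepage: https://firejail.wordpress.com
 
 .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
 .UE
+.\" vim: set filetype=groff :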
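--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -60,3 +60,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :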
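--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.\" TODO: Explain the security/usability tradeoffs from #4601.
+.PP
+Firejail is currently implemented as an SUID binary, which means that if a
+malicious or compromised user account manages to exploit a bug in Firejail,
+that could ultimately lead to a privilege escalation to root.
+To mitigate this, it is recommended to only allow trusted users to run firejail
+(see firejail-users(5) for details on how to achieve that).
+For more details on the security/usability tradeoffs of Firejail, see:
+.UR https://github.com/netblue30/firejail/discussions/4601
+#4601
+.UE
 .PP
 Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
 are not supported. Snap and flatpak packages have their own native management tools and will
@@ -122,7 +133,13 @@ $ firejail --allusers
 #ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
-Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+Enable AppArmor confinement with the "firejail-default" AppArmor profile.
+For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-apparmor=profile_name
+Enable AppArmor confinement with a custom AppArmor profile.
+Note that profile in question must already be loaded into the kernel.
+For more information, please see \fBAPPARMOR\fR section below.
 .TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
@@ -174,6 +191,13 @@ Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR
 .br
 
 .br
+Symbolic link handling: Blacklisting a path that is a symbolic link will also
+blacklist the path that it points to.
+For example, if ~/foo is blacklisted and it points to /foo, then /foo will also
+be blacklisted.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
@@ -2905,8 +2929,14 @@ all directories in /usr.
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+Symbolic link handling: Whitelisting a path that is a symbolic link will also
+whitelist the path that it points to.
+For example, if ~/foo is whitelisted and it points to ~/bar, then ~/bar will
+also be whitelisted.
+Restrictions: With the exception of the user home directory, both the link and
+the real file should be in the same top directory.
+For symbolic links in the user home directory, both the link and the real file
+should be owned by the user.
 .br
 
 .br
@@ -3611,3 +3641,4 @@ Homepage: https://firejail.wordpress.com
 .UE ,
 .UR https://github.com/netblue30/firejail
 .UE
+.\" vim: set filetype=groff :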
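--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -118,3 +118,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-login (5),
 .BR firejail-users (5),
 .BR jailcheck (1)
+.\" vim: set filetype=groff :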
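--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -115,3 +115,4 @@ Homepage: https://firejail.wordpress.com
 .BR firejail-profile (5),
 .BR firejail-login (5),
 .BR firejail-users (5),
+.\" vim: set filetype=groff :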
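--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -171,7 +171,8 @@ _firejail_args=(
 '--writable-var-log[use the real /var/log directory, not a clone]'
 
 #ifdef HAVE_APPARMOR
-'--apparmor[enable AppArmor confinement]'
+'--apparmor[enable AppArmor confinement with the default profile]'
+'--apparmor=-[enable AppArmor confinement with a custom profile]: :'
 '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
 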