-rw-r--r-- | .github/workflows/build-extra.yml | 23 | ||||
-rw-r--r-- | .github/workflows/build.yml | 8 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 18 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 8 | ||||
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | RELNOTES | 7 | ||||
-rwxr-xr-x | contrib/sort.py | 91 | ||||
-rw-r--r-- | etc/profile-a-l/cinelerra-gg | 10 | ||||
-rw-r--r-- | etc/profile-a-l/deluge.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/godot3.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/nicotine.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-viewers-common.profile | 12 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 17 |
15 files changed, 177 insertions, 49 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 8c318ded8..c0e0062cd 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -32,10 +32,18 @@ on: | |||
32 | - '.github/ISSUE_TEMPLATE/*' | 32 | - '.github/ISSUE_TEMPLATE/*' |
33 | - '.github/pull_request_template.md' | 33 | - '.github/pull_request_template.md' |
34 | 34 | ||
35 | permissions: # added using https://github.com/step-security/secure-workflows | ||
36 | contents: read | ||
37 | |||
35 | jobs: | 38 | jobs: |
36 | build-clang: | 39 | build-clang: |
37 | runs-on: ubuntu-22.04 | 40 | runs-on: ubuntu-22.04 |
38 | steps: | 41 | steps: |
42 | - name: Harden Runner | ||
43 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
44 | with: | ||
45 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
46 | |||
39 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 47 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
40 | - name: install dependencies | 48 | - name: install dependencies |
41 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 49 | run: sudo apt-get install libapparmor-dev libselinux1-dev |
@@ -50,6 +58,11 @@ jobs: | |||
50 | scan-build: | 58 | scan-build: |
51 | runs-on: ubuntu-22.04 | 59 | runs-on: ubuntu-22.04 |
52 | steps: | 60 | steps: |
61 | - name: Harden Runner | ||
62 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
63 | with: | ||
64 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
65 | |||
53 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 66 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
54 | - name: install clang-tools-14 and dependencies | 67 | - name: install clang-tools-14 and dependencies |
55 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 68 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
@@ -60,6 +73,11 @@ jobs: | |||
60 | cppcheck: | 73 | cppcheck: |
61 | runs-on: ubuntu-22.04 | 74 | runs-on: ubuntu-22.04 |
62 | steps: | 75 | steps: |
76 | - name: Harden Runner | ||
77 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
78 | with: | ||
79 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
80 | |||
63 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 81 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
64 | - name: install cppcheck | 82 | - name: install cppcheck |
65 | run: sudo apt-get install cppcheck | 83 | run: sudo apt-get install cppcheck |
@@ -70,6 +88,11 @@ jobs: | |||
70 | cppcheck_old: | 88 | cppcheck_old: |
71 | runs-on: ubuntu-20.04 | 89 | runs-on: ubuntu-20.04 |
72 | steps: | 90 | steps: |
91 | - name: Harden Runner | ||
92 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
93 | with: | ||
94 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
95 | |||
73 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 96 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
74 | - name: install cppcheck | 97 | - name: install cppcheck |
75 | run: sudo apt-get install cppcheck | 98 | run: sudo apt-get install cppcheck |
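Review bot: The four new `egress-policy: audit` steps only log outbound connections; nothing is blocked until the TODO is actioned, so a compromised build dependency or static-analysis package could still exfiltrate the job's token or reach arbitrary hosts exactly as before. The audit runs will produce the endpoint list, so it is worth turning the TODO into a tracked follow-up and then switching to `egress-policy: block` with `allowed-endpoints:` limited to the apt mirrors and `github.com:443` once they are known. The `uses:` references are full SHAs, which is the right pinning style; adding the matching tag as a trailing comment, e.g. `uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # vX.Y.Z` (fill in the tag the SHA was taken from), lets a reviewer verify the pin against the upstream release and lets Dependabot keep it current.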
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74f4375c9..6612e256d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -24,10 +24,18 @@ on: | |||
24 | - RELNOTES | 24 | - RELNOTES |
25 | - SECURITY.md | 25 | - SECURITY.md |
26 | 26 | ||
27 | permissions: # added using https://github.com/step-security/secure-workflows | ||
28 | contents: read | ||
29 | |||
27 | jobs: | 30 | jobs: |
28 | build_and_test: | 31 | build_and_test: |
29 | runs-on: ubuntu-22.04 | 32 | runs-on: ubuntu-22.04 |
30 | steps: | 33 | steps: |
34 | - name: Harden Runner | ||
35 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
36 | with: | ||
37 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
38 | |||
31 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 39 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
32 | - name: update package information | 40 | - name: update package information |
33 | run: sudo apt-get update | 41 | run: sudo apt-get update |
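Review bot: The `harden-runner` pin at new line 35 is a bare 40-character SHA with no indication of which release it corresponds to, so a reviewer cannot tell whether it points at a tagged release or an arbitrary commit; recording the tag as a trailing comment, `uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # vX.Y.Z`, makes the pin auditable and keeps Dependabot's SHA-bump updates readable. The workflow-level `permissions: contents: read` is the right default for a build-and-test job that publishes nothing. As in the other workflows, `egress-policy: audit` is observation only; the TODO should be tracked so the job actually moves to `block`.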
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e7129aae5..2190c9a1d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -34,8 +34,15 @@ on: | |||
34 | schedule: | 34 | schedule: |
35 | - cron: '0 7 * * 2' | 35 | - cron: '0 7 * * 2' |
36 | 36 | ||
37 | permissions: # added using https://github.com/step-security/secure-workflows | ||
38 | contents: read | ||
39 | |||
37 | jobs: | 40 | jobs: |
38 | analyze: | 41 | analyze: |
42 | permissions: | ||
43 | actions: read # for github/codeql-action/init to get workflow details | ||
44 | contents: read # for actions/checkout to fetch code | ||
45 | security-events: write # for github/codeql-action/autobuild to send a status report | ||
39 | name: Analyze | 46 | name: Analyze |
40 | runs-on: ubuntu-latest | 47 | runs-on: ubuntu-latest |
41 | 48 | ||
@@ -48,12 +55,17 @@ jobs: | |||
48 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed | 55 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed |
49 | 56 | ||
50 | steps: | 57 | steps: |
58 | - name: Harden Runner | ||
59 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
60 | with: | ||
61 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
62 | |||
51 | - name: Checkout repository | 63 | - name: Checkout repository |
52 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 64 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
53 | 65 | ||
54 | # Initializes the CodeQL tools for scanning. | 66 | # Initializes the CodeQL tools for scanning. |
55 | - name: Initialize CodeQL | 67 | - name: Initialize CodeQL |
56 | uses: github/codeql-action/init@cc7986c02bac29104a72998e67239bb5ee2ee110 | 68 | uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |
57 | with: | 69 | with: |
58 | languages: ${{ matrix.language }} | 70 | languages: ${{ matrix.language }} |
59 | # If you wish to specify custom queries, you can do so here or in a config file. | 71 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -64,7 +76,7 @@ jobs: | |||
64 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 76 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
65 | # If this step fails, then you should remove it and run the build manually (see below) | 77 | # If this step fails, then you should remove it and run the build manually (see below) |
66 | - name: Autobuild | 78 | - name: Autobuild |
67 | uses: github/codeql-action/autobuild@cc7986c02bac29104a72998e67239bb5ee2ee110 | 79 | uses: github/codeql-action/autobuild@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |
68 | 80 | ||
69 | # âšī¸ Command-line programs to run using the OS shell. | 81 | # âšī¸ Command-line programs to run using the OS shell. |
70 | # đ https://git.io/JvXDl | 82 | # đ https://git.io/JvXDl |
@@ -78,4 +90,4 @@ jobs: | |||
78 | # make release | 90 | # make release |
79 | 91 | ||
80 | - name: Perform CodeQL Analysis | 92 | - name: Perform CodeQL Analysis |
81 | uses: github/codeql-action/analyze@cc7986c02bac29104a72998e67239bb5ee2ee110 | 93 | uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 |
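Review bot: The job-level `permissions` block at new lines 42-45 replaces the workflow-level `contents: read` rather than merging with it, which is why `contents: read` must be repeated inside `analyze`; a comment on the workflow-level block, e.g. `# job-level permissions in 'analyze' override this block, keep both in sync`, would stop a later "deduplication" from silently dropping checkout access. `security-events: write` is the minimum CodeQL needs to upload results and is correctly confined to this one job. The three `codeql-action` pins moved to a new SHA without any version comment; noting the tag (`# vX.Y.Z`) next to each pin makes the bump verifiable against the upstream release.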
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index a530cdff5..d36d050ab 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -16,10 +16,18 @@ on: | |||
16 | - 'src/firecfg/firecfg.config' | 16 | - 'src/firecfg/firecfg.config' |
17 | - 'contrib/sort.py' | 17 | - 'contrib/sort.py' |
18 | 18 | ||
19 | permissions: # added using https://github.com/step-security/secure-workflows | ||
20 | contents: read | ||
21 | |||
19 | jobs: | 22 | jobs: |
20 | profile-checks: | 23 | profile-checks: |
21 | runs-on: ubuntu-latest | 24 | runs-on: ubuntu-latest |
22 | steps: | 25 | steps: |
26 | - name: Harden Runner | ||
27 | uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 | ||
28 | with: | ||
29 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
30 | |||
23 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 31 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
24 | - name: sort.py | 32 | - name: sort.py |
25 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile | 33 | run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile |
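Review bot: The Harden Runner step installs a third-party agent that, to my understanding, reports the job's outbound connections to the vendor's service; that is a trust decision the `# added using ...` comment does not spell out, and a one-line note such as `# agent reports egress telemetry to step-security (see their privacy policy)` would document it for future maintainers. Since this job only lints profile files and needs nothing beyond the checkout, it is the easiest candidate to move first to `egress-policy: block` with `allowed-endpoints:` covering `github.com:443` (confirm no other hosts appear in the audit output), rather than leaving the TODO at audit across every workflow.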
@@ -336,3 +336,4 @@ Stats: | |||
336 | ### New profiles: | 336 | ### New profiles: |
337 | 337 | ||
338 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, | 338 | onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir, |
339 | cinelerra-gg | ||
@@ -2,6 +2,8 @@ firejail (0.9.71) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * feature: On failing to remount a fuse filesystem, give warning instead of | 3 | * feature: On failing to remount a fuse filesystem, give warning instead of |
4 | erroring out (#5240 #5242) | 4 | erroring out (#5240 #5242) |
5 | * feature: Update syscall tables and seccomp groups (#5188) | ||
6 | * feature: improve force-nonewprivs security guarantees (#5217 #5271) | ||
5 | * feature: restrict namespaces (--restrict-namespaces) implemented as | 7 | * feature: restrict namespaces (--restrict-namespaces) implemented as |
6 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) | 8 | a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) |
7 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 | 9 | * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 |
@@ -26,8 +28,9 @@ firejail (0.9.71) baseline; urgency=low | |||
26 | * build: add autoconf auto-generation comment to input files (#5251) | 28 | * build: add autoconf auto-generation comment to input files (#5251) |
27 | * build: Add files make uninstall forgot to remove (#5283) | 29 | * build: Add files make uninstall forgot to remove (#5283) |
28 | * build: add and use TARNAME instead of NAME for paths (#5310) | 30 | * build: add and use TARNAME instead of NAME for paths (#5310) |
29 | * build: only install ids.config when --enable-ids is set (#5357) | 31 | * build: only install ids.config when --enable-ids is set (#5356 #5357) |
30 | * build: Remove deprecated syntax and modernize shell test scripts (#5370) | 32 | * build: Remove deprecated syntax and modernize shell test scripts (#5370) |
33 | * build: Fix musl warnings (#5421 #5431) | ||
31 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) | 34 | * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275) |
32 | * ci: ignore git-related paths and the project license (#5249) | 35 | * ci: ignore git-related paths and the project license (#5249) |
33 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 | 36 | * docs: mention risk of SUID binaries and also firejail-users(5) (#5288 |
@@ -37,6 +40,8 @@ firejail (0.9.71) baseline; urgency=low | |||
37 | * docs: Add IRC channel info to README.md (#5361) | 40 | * docs: Add IRC channel info to README.md (#5361) |
38 | * docs: man: Note that some commands can be disabled in firejail.config | 41 | * docs: man: Note that some commands can be disabled in firejail.config |
39 | (#5366) | 42 | (#5366) |
43 | * docs: Add gist note to bug_report.md (#5398) | ||
44 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) | ||
40 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 45 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
41 | 46 | ||
42 | firejail (0.9.70) baseline; urgency=low | 47 | firejail (0.9.70) baseline; urgency=low |
diff --git a/contrib/sort.py b/contrib/sort.py index 6f21370ec..638f14516 100755 --- a/contrib/sort.py +++ b/contrib/sort.py | |||
@@ -2,48 +2,61 @@ | |||
2 | # This file is part of Firejail project | 2 | # This file is part of Firejail project |
3 | # Copyright (C) 2014-2022 Firejail Authors | 3 | # Copyright (C) 2014-2022 Firejail Authors |
4 | # License GPL v2 | 4 | # License GPL v2 |
5 | """ | ||
6 | Sort the items of multi-item options in profiles, the following options are supported: | ||
7 | private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol | ||
8 | 5 | ||
9 | Usage: | 6 | # Requirements: |
10 | $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ] | 7 | # python >= 3.6 |
8 | from os import path | ||
9 | from sys import argv, exit as sys_exit, stderr | ||
10 | |||
11 | __doc__ = f"""\ | ||
12 | Sort the arguments of commands in profiles. | ||
13 | |||
14 | Usage: {path.basename(argv[0])} [/path/to/profile ...] | ||
15 | |||
16 | The following commands are supported: | ||
17 | |||
18 | private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, | ||
19 | seccomp.drop, protocol | ||
20 | |||
21 | Note that this is only applicable to commands that support multiple arguments. | ||
22 | |||
11 | Keep in mind that this will overwrite your profile(s). | 23 | Keep in mind that this will overwrite your profile(s). |
12 | 24 | ||
13 | Examples: | 25 | Examples: |
14 | $ ./sort.py MyAwesomeProfile.profile | 26 | $ {argv[0]} MyAwesomeProfile.profile |
15 | $ ./sort.py new_profile.profile second_new_profile.profile | 27 | $ {argv[0]} new_profile.profile second_new_profile.profile |
16 | $ ./sort.py ~/.config/firejail/*.{profile,inc,local} | 28 | $ {argv[0]} ~/.config/firejail/*.{{profile,inc,local}} |
17 | $ sudo ./sort.py /etc/firejail/*.{profile,inc,local} | 29 | $ sudo {argv[0]} /etc/firejail/*.{{profile,inc,local}} |
18 | 30 | ||
19 | Exit-Codes: | 31 | Exit Codes: |
20 | 0: No Error; No Profile Fixed. | 32 | 0: Success: No profiles needed fixing. |
21 | 1: Error, one or more profiles were not processed correctly. | 33 | 1: Error: One or more profiles could not be processed correctly. |
22 | 101: No Error; One or more profile were fixed. | 34 | 2: Error: Missing arguments. |
35 | 101: Info: One or more profiles were fixed. | ||
23 | """ | 36 | """ |
24 | 37 | ||
25 | # Requirements: | ||
26 | # python >= 3.6 | ||
27 | from sys import argv, exit as sys_exit | ||
28 | |||
29 | 38 | ||
30 | def sort_alphabetical(raw_items): | 39 | def sort_alphabetical(original_items): |
31 | items = raw_items.split(",") | 40 | items = original_items.split(",") |
32 | items.sort(key=lambda s: s.casefold()) | 41 | items.sort(key=str.casefold) |
33 | return ",".join(items) | 42 | return ",".join(items) |
34 | 43 | ||
35 | 44 | ||
36 | def sort_protocol(protocols): | 45 | def sort_protocol(original_protocols): |
37 | """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" | 46 | """ |
47 | Sort the given protocols into the following order: | ||
48 | |||
49 | unix,inet,inet6,netlink,packet,bluetooth | ||
50 | """ | ||
38 | 51 | ||
39 | # shortcut for common protocol lines | 52 | # shortcut for common protocol lines |
40 | if protocols in ("unix", "unix,inet,inet6"): | 53 | if original_protocols in ("unix", "unix,inet,inet6"): |
41 | return protocols | 54 | return original_protocols |
42 | 55 | ||
43 | fixed_protocols = "" | 56 | fixed_protocols = "" |
44 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): | 57 | for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): |
45 | for prefix in ("", "-", "+", "="): | 58 | for prefix in ("", "-", "+", "="): |
46 | if f",{prefix}{protocol}," in f",{protocols},": | 59 | if f",{prefix}{protocol}," in f",{original_protocols},": |
47 | fixed_protocols += f"{prefix}{protocol}," | 60 | fixed_protocols += f"{prefix}{protocol}," |
48 | return fixed_protocols[:-1] | 61 | return fixed_protocols[:-1] |
49 | 62 | ||
@@ -53,7 +66,7 @@ def fix_profile(filename): | |||
53 | lines = profile.read().split("\n") | 66 | lines = profile.read().split("\n") |
54 | was_fixed = False | 67 | was_fixed = False |
55 | fixed_profile = [] | 68 | fixed_profile = [] |
56 | for lineno, line in enumerate(lines): | 69 | for lineno, line in enumerate(lines, 1): |
57 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): | 70 | if line[:12] in ("private-bin ", "private-etc ", "private-lib "): |
58 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" | 71 | fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" |
59 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): | 72 | elif line[:13] in ("seccomp.drop ", "seccomp.keep "): |
@@ -69,8 +82,8 @@ def fix_profile(filename): | |||
69 | if fixed_line != line: | 82 | if fixed_line != line: |
70 | was_fixed = True | 83 | was_fixed = True |
71 | print( | 84 | print( |
72 | f"(unknown):{lineno + 1}:-{line}\n" | 85 | f"(unknown):{lineno}:-{line}\n" |
73 | f"(unknown):{lineno + 1}:+{fixed_line}" | 86 | f"(unknown):{lineno}:+{fixed_line}" |
74 | ) | 87 | ) |
75 | fixed_profile.append(fixed_line) | 88 | fixed_profile.append(fixed_line) |
76 | if was_fixed: | 89 | if was_fixed: |
@@ -84,22 +97,30 @@ def fix_profile(filename): | |||
84 | 97 | ||
85 | 98 | ||
86 | def main(args): | 99 | def main(args): |
100 | if len(args) < 1: | ||
101 | print(__doc__, file=stderr) | ||
102 | return 2 | ||
103 | |||
104 | print(f"sort.py: checking {len(args)} profile(s)...") | ||
105 | |||
87 | exit_code = 0 | 106 | exit_code = 0 |
88 | print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") | ||
89 | for filename in args: | 107 | for filename in args: |
90 | try: | 108 | try: |
91 | if exit_code not in (1, 101): | 109 | if exit_code not in (1, 101): |
92 | exit_code = fix_profile(filename) | 110 | exit_code = fix_profile(filename) |
93 | else: | 111 | else: |
94 | fix_profile(filename) | 112 | fix_profile(filename) |
95 | except FileNotFoundError: | 113 | except FileNotFoundError as err: |
96 | print(f"[ Error ] Can't find `(unknown)'") | 114 | print(f"[ Error ] {err}", file=stderr) |
97 | exit_code = 1 | 115 | exit_code = 1 |
98 | except PermissionError: | 116 | except PermissionError as err: |
99 | print(f"[ Error ] Can't read/write `(unknown)'") | 117 | print(f"[ Error ] {err}", file=stderr) |
100 | exit_code = 1 | 118 | exit_code = 1 |
101 | except Exception as err: | 119 | except Exception as err: |
102 | print(f"[ Error ] An error occurred while processing `(unknown)': {err}") | 120 | print( |
121 | f"[ Error ] An error occurred while processing '(unknown)': {err}", | ||
122 | file=stderr, | ||
123 | ) | ||
103 | exit_code = 1 | 124 | exit_code = 1 |
104 | return exit_code | 125 | return exit_code |
105 | 126 | ||
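Review bot: The supported-commands list in the new `__doc__` repeats `seccomp.drop` twice (new lines 18-19) while `fix_profile` handles both `seccomp.drop ` and `seccomp.keep ` (new line 72), so the second entry should read `seccomp.keep`: `private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,` / `seccomp.keep, protocol`. The docstring also warns that profiles are overwritten and the examples run the tool with `sudo` against `/etc/firejail`; the write-back after `if was_fixed:` lies outside the hunk so I cannot see how the file is opened, but if it is a plain in-place `open(filename, "w")`, an exception mid-write leaves a truncated sandbox policy, and writing to a temp file in the same directory followed by `os.replace()` would make the rewrite atomic. `fix_profile` starts before and ends after the visible hunks.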
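--- /dev/null
+++ b/etc/profile-a-l/cinelerra-gg
@@ -0,0 +1,10 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra-gg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cin.profile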
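Review bot: The new alias file is named `etc/profile-a-l/cinelerra-gg` with no `.profile` suffix, unlike the sibling `godot3.profile` added in the same commit and unlike the `include cinelerra-gg.local` convention inside it. As far as I can tell firejail resolves a program name to `<name>.profile`, and `firecfg.config` gains a `cinelerra-gg` entry in this commit, so the redirect to `cin.profile` would never be found and the binary would start under the default profile rather than the intended restrictions; renaming the file to `cinelerra-gg.profile` fixes it. A profile-checks rule rejecting extensionless files under `etc/profile-*` would catch this class of mistake in CI.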
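--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -36,7 +36,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 
 # deluge is using python on Debian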
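Review bot: Adding `netlink` to the `protocol` line widens deluge's permitted socket families, but the hunk carries no comment saying which feature needed it, so a future maintainer cannot tell whether the relaxation is still required or safe to revert. Suggest a why-comment directly above the line, e.g. `# netlink needed for <feature> (see #NNNN)`, naming the feature and the issue that motivated it (presumably interface/route enumeration, but the commit does not say).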
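--- /dev/null
+++ b/etc/profile-a-l/godot3.profile
@@ -0,0 +1,11 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include godot.profile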
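--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,8 +8,12 @@ include globals.local
 
 noblacklist ${HOME}/.nicotine
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,6 +41,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -47,7 +52,7 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin nicotine,python2*
+#private-bin nicotine,python2*
 private-cache
 private-dev
 private-tmp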
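Review bot: Commenting out `private-bin nicotine,python2*` removes the private /bin view entirely, and together with the new `allow-bin-sh.inc` and `allow-python3.inc` lines this is a net loosening of the sandbox that the hunk does not explain. If the motivation is that nicotine now runs on Python 3 and spawns `/bin/sh`, a narrower `private-bin nicotine,python3*,sh` would keep the restriction instead of dropping it (confirm the application still starts with it); otherwise a comment above the disabled line, e.g. `# private-bin disabled: <what breaks and why>`, would stop someone from re-enabling it blindly. The added `noprinters` is a welcome tightening.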
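--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -19,6 +19,13 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -55,5 +62,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 dbus-system none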
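Review bot: `dbus-user.talk org.mozilla.*` grants the sandboxed viewer talk access to every `org.mozilla.*` well-known name on the session bus, while the comment says the goal is only to open links in Firefox. As far as I recall Firefox registers its remote-control name per profile under `org.mozilla.firefox.*`, so narrowing to that prefix would avoid silently covering other Mozilla applications that may share the bus (verify the exact name with `busctl --user list` while Firefox is running). It is also worth extending the comment to state the trade-off, e.g. `# NOTE: this lets a compromised viewer drive the user's browser (open arbitrary URLs); deliberate downgrade from 'dbus-user none'`, since that is the security cost being accepted here. Whitelisting only `profiles.ini` and marking it `read-only` is a sensible minimum exposure of `~/.mozilla`.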
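--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -137,6 +137,7 @@ chromium-browser-privacy
 chromium-freeworld
 cin
 cinelerra
+cinelerra-gg
 clamdscan
 clamdtop
 clamscan
@@ -355,6 +356,7 @@ gnome-weather
 gnote
 gnubik
 godot
+godot3
 goldendict
 goobox
 google-chrome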
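Review bot: The new `cinelerra-gg` entry will make firecfg create a wrapper symlink, but the profile added for it in this commit is `etc/profile-a-l/cinelerra-gg` without the `.profile` suffix; as far as I can tell firejail looks up `cinelerra-gg.profile`, so the symlinked binary would not receive the intended `cin.profile` redirect and would run under the default profile instead. The `godot3` entry is paired with `godot3.profile` and looks consistent.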
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..7fa677ae5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -14,7 +14,7 @@ Using a specific profile: | |||
14 | .br | 14 | .br |
15 | Example: | 15 | Example: |
16 | .br | 16 | .br |
17 | $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage | 17 | $ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage |
18 | .br | 18 | .br |
19 | 19 | ||
20 | .br | 20 | .br |
@@ -25,7 +25,7 @@ $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage | |||
25 | .br | 25 | .br |
26 | Example: | 26 | Example: |
27 | .br | 27 | .br |
28 | $ firejail --profile=kdenlive --appimage kdenlive.appimage | 28 | $ firejail --appimage --profile=kdenlive kdenlive.appimage |
29 | .br | 29 | .br |
30 | 30 | ||
31 | .br | 31 | .br |
@@ -179,6 +179,11 @@ can be enabled or disabled globally in Firejail's configuration file. | |||
179 | 179 | ||
180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. | 180 | The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. |
181 | 181 | ||
182 | Note: When using one or more conditionals and \fB--profile\fR, it is | ||
183 | recommended that the relevant option(s) (such as \fB--appimage\fR) be specified | ||
184 | before \fB--profile\fR, so that their respective conditional(s) (such as | ||
185 | \fB?HAS_APPIMAGE\fR) inside of the profile evaluate to true. | ||
186 | |||
182 | .TP | 187 | .TP |
183 | \fBinclude other.profile | 188 | \fBinclude other.profile |
184 | Include other.profile file. | 189 | Include other.profile file. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b4be1cd62..39c81312c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments] | |||
11 | Start an AppImage program: | 11 | Start an AppImage program: |
12 | .PP | 12 | .PP |
13 | .RS | 13 | .RS |
14 | firejail [OPTIONS] --appimage [appimage-file and arguments] | 14 | firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and arguments] |
15 | .RE | 15 | .RE |
16 | .PP | 16 | .PP |
17 | #ifdef HAVE_FILE_TRANSFER | 17 | #ifdef HAVE_FILE_TRANSFER |
@@ -164,15 +164,22 @@ private-bin and private-lib are disabled by default when running appimages. | |||
164 | .br | 164 | .br |
165 | Example: | 165 | Example: |
166 | .br | 166 | .br |
167 | $ firejail --profile=krita --appimage krita-3.0-x86_64.appimage | 167 | $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage |
168 | .br | 168 | .br |
169 | $ firejail --private --profile=krita --appimage krita-3.0-x86_64.appimage | 169 | $ firejail --quiet --appimage --private --profile=krita krita-3.0-x86_64.appimage |
170 | .br | 170 | .br |
171 | #ifdef HAVE_X11 | 171 | #ifdef HAVE_X11 |
172 | $ firejail --net=none --x11 --profile=krita --appimage krita-3.0-x86_64.appimage | 172 | $ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage |
173 | #endif | 173 | #endif |
174 | .TP | 174 | .br |
175 | |||
176 | .br | ||
177 | Note: When using both \fB--appimage\fR and \fB--profile\fR, it is recommended | ||
178 | to always specify the former before the latter, so that any \fB?HAS_APPIMAGE\fR | ||
179 | conditionals inside of the profile evaluate to true (see \fB?CONDITIONAL\fR in | ||
180 | firejail-profile(5)). | ||
175 | #ifdef HAVE_NETWORK | 181 | #ifdef HAVE_NETWORK |
182 | .TP | ||
176 | \fB\-\-bandwidth=name|pid | 183 | \fB\-\-bandwidth=name|pid |
177 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. | 184 | Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. |
178 | #endif | 185 | #endif |